
CN117407898A - Encryption and decryption realization method and system for database fields based on mybatis - Google Patents


Info

Publication number: CN117407898A
Authority: CN (China)
Application number: CN202311392895.3A
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 蒋德胜
Current assignee: Chongqing Fumin Bank Co Ltd
Original assignee: Chongqing Fumin Bank Co Ltd
Prior art keywords: encryption, decryption, field, mybatis, password

Classifications

    • G06F21/602 Providing cryptographic facilities or services
    • G06F16/23 Updating
    • G06F16/2433 Query languages
    • G06F16/2455 Query execution
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The invention relates to the technical field of encryption and decryption processing, in particular to a method for realizing encryption and decryption of database fields based on MyBatis, which comprises two main processes: field encryption and field decryption, both implemented using the @FieldEncrypt annotation. The annotation contains three key attributes, password, algorithm and encryptor, which specify the encryption password, the encryption scheme and the specific encryption processor, respectively. In addition, the scheme uses the interceptor mechanism of MyBatis, together with the encryptor, to carry out the actual encryption and decryption operations. The encryptor encrypts or decrypts the database field value according to the algorithm and password specified in the @FieldEncrypt annotation. The technical scheme of the invention aims at solving the problem of how to globally, flexibly and efficiently encrypt and decrypt sensitive information in a database.

Description

Encryption and decryption realization method and system for database fields based on mybatis
Technical Field
The invention relates to the technical field of encryption and decryption methods, in particular to a method and a system for realizing encryption and decryption of database fields based on mybatis.
Background
In the information society of today, the processing and storage of large data has become an important component of various industries. Many of the data contain sensitive information, such as customer name, identification card number, cell phone number, etc., which needs to be properly encrypted to protect the security of the data and the privacy of the user. However, in actual practice, the prior art solutions do not meet these requirements well.
First, existing encryption techniques typically require each field that needs to be encrypted to be processed one by one. Such operations are not only time-consuming but, due to the lack of unified management and operation rules, can easily generate a large amount of repeated code and encryption logic in the system, increasing its complexity and the possibility of errors. In addition, since these encryption operations are not packaged uniformly, the developer needs to encrypt each field manually, which clearly increases the workload and complexity of development and reduces working efficiency.
Second, current encryption schemes often lack sufficient flexibility. In a practical project, it may be necessary to process multiple data sources, each of which may need to be encrypted differently. For example, some data sources may require the use of an AES encryption scheme, while other data sources may require the use of a Base64 encryption scheme. However, existing solutions typically only support one or a few encryption schemes, and cannot meet the requirement of such flexible switching encryption schemes. To change the encryption scheme, a large number of codes often need to be modified, which undoubtedly increases the difficulty and complexity of maintenance.
Finally, some special encryption algorithms may require the use of a specific "salt" (encryption key) for encryption. However, existing solutions often fail to freely configure these salts, which makes these special encryption algorithms difficult to apply in existing systems.
Disclosure of Invention
The invention aims to provide an encryption and decryption realization method for database fields based on MyBatis, so as to solve the problem of how to flexibly and efficiently encrypt and decrypt sensitive information in a database on a global scope.
The basic scheme provided by the invention is as follows: an encryption and decryption implementation method for database fields based on MyBatis comprises a process for encrypting the fields and a process for decrypting the fields, wherein both processes use an annotation named @FieldEncrypt, and the @FieldEncrypt annotation comprises three attributes: password is used to specify the encryption password, algorithm is used to specify the encryption mode, and encryptor is used to specify the specific encryption processor; the method further includes encrypting and decrypting the field values using a MyBatis interceptor and an encryptor, wherein the encryptor encrypts or decrypts the field values according to the algorithm and password specified in the @FieldEncrypt annotation.
The invention has the following beneficial effects: the MyBatis-based encryption and decryption implementation method for database fields effectively enhances the security of the data, since sensitive information is encrypted to protect it from disclosure during transmission or storage. Meanwhile, because the @FieldEncrypt annotation is used, the system can flexibly switch encryption modes between different fields and even different databases, so as to meet a variety of encryption requirements. In addition, the encryption and decryption operations are packaged in the MyBatis interceptor, so the code can be reused across the whole project, maintainability is improved and system complexity is reduced; and because the encryption and decryption operations and the database query are completed in the same database session, system performance is improved. Finally, more encryption algorithms can be supported through custom encryptors, which gives the system strong extensibility.
Further, the field encryption process includes the following steps: step 1: call an update method of MyBatis in the DAO; step 2: the MyBatis interceptor intercepts the update method of the Executor; step 3: the interceptor traverses all fields in the parameter object and processes the fields carrying the @FieldEncrypt annotation; step 4: for each field with the @FieldEncrypt annotation, the corresponding encryption is performed using the encryptor, algorithm and password configured in the annotation; step 5: the encrypted field value is set back into the parameter object; step 6: the SQL statement is executed.
The beneficial effect of this scheme is: the data is updated using the update method of MyBatis in the DAO layer, the update method of the Executor is intercepted in a MyBatis interceptor, all fields in the parameter object are traversed, and the fields carrying the @FieldEncrypt annotation are processed. In this way, flexible encryption configuration can be performed at the field level, and different encryption algorithms can be used for different fields according to their requirements, making encryption more flexible. Then, for each field with the @FieldEncrypt annotation, the corresponding encryption is performed using the encryptor, algorithm and password configured in the annotation, which ensures that each field is encrypted in the desired manner. After encryption is completed, the encrypted field value is set into the parameter object, the SQL statement is executed, and the encrypted data is stored in the database, thereby ensuring the security of the data stored in the database. Throughout this process, since the encryption operation is performed in the DAO layer (data access layer), it is transparent to the business logic layer, which reduces the complexity of the business logic layer and makes the code easier to maintain.
Further, the field decryption process includes the following steps: step 1: call a query method of MyBatis in the DAO; step 2: the MyBatis interceptor intercepts the handleResultSets method of the ResultSetHandler; step 3: the SQL query statement is executed to obtain a result set; step 4: the interceptor traverses each record in the result set and processes all fields of each record; step 5: for each field with the @FieldEncrypt annotation, the corresponding decryption is performed using the encryptor, algorithm and password configured in the annotation; step 6: the decrypted field value is set into the result object.
The beneficial effect of this scheme is: by calling the MyBatis query method in the DAO and having the MyBatis interceptor intercept the handleResultSets method of the ResultSetHandler, the fields with the @FieldEncrypt annotation are automatically decrypted at the moment the database query results are obtained. This annotation-based decryption ensures that only those fields that actually need to be decrypted are decrypted, thereby improving the efficiency of the system. Meanwhile, since the decryption is performed automatically, the business logic layer does not need to concern itself with the decryption process and only needs to process the decrypted data, which reduces the complexity of the business logic layer and improves the readability and maintainability of the code. Finally, by setting the decrypted field value into the result object, the developer can use the decrypted data directly for subsequent processing, which simplifies development work and improves development efficiency.
The invention further provides an encryption and decryption realization system for database fields based on MyBatis, which comprises a data source configuration module, an encryption and decryption module, an SQL execution module and a result processing module. The data source configuration module is used to configure database connection information and metadata, including the type, address and access parameters of the database; the encryption and decryption module is used to recognize the @FieldEncrypt annotation and perform encryption and decryption operations according to the attributes of the @FieldEncrypt annotation; the @FieldEncrypt annotation contains three attributes, password, algorithm and encryptor, where password is used to specify the encryption password, algorithm is used to specify the encryption mode, and encryptor is used to specify the specific encryption processor; the SQL execution module is used to execute database operations and, together with the encryption and decryption module, to process the sensitive fields involved in those operations; the result processing module is used to process the results returned by the SQL execution module, including decrypting the encrypted fields and returning the decrypted results to the user.
The beneficial effect of this scheme is: by building on MyBatis, automatic encryption and decryption of database fields is realized, so that data security is improved. By using the @FieldEncrypt annotation, the fields that need to be encrypted can be marked easily, making the code clearer and easier to understand. In addition, the scheme can flexibly configure encryption and decryption algorithms and passwords according to different requirements, which improves the flexibility and extensibility of the system. Finally, the result processing module ensures that the user obtains decrypted data, so the user's private information is protected while the user experience is improved. Therefore, the system can improve data security, simplify development work, and improve code readability and the flexibility and extensibility of the system.
Further, the encryption and decryption module further comprises an encryption sub-module and a decryption sub-module, wherein the encryption sub-module is used for conducting encryption operation on the fields, and the decryption sub-module is used for conducting decryption operation on the fields.
The beneficial effect of this scheme is: the encryption and decryption modules are further refined and divided into an encryption sub-module and a decryption sub-module, so that finer management of database fields is realized. The arrangement of the encryption sub-module and the decryption sub-module clarifies the responsibilities of the encryption operation and the decryption operation, so that the structure of the code is clearer and easy to understand and maintain. Meanwhile, because only the fields needing encryption or decryption can be processed according to actual requirements, unnecessary calculation is avoided, and therefore the efficiency of the system is improved.
Further, the encryption sub-module and the decryption sub-module encrypt or decrypt field values according to the algorithm and password specified in the @FieldEncrypt annotation.
The beneficial effect of this scheme is: by allowing the encryption sub-module and the decryption sub-module to encrypt or decrypt field values according to the algorithm and password specified in the @FieldEncrypt annotation, highly customized and flexible control of the encryption and decryption process is achieved. Because the encryption algorithm and the password are set through the annotation, the code is simpler and easier to understand and maintain, and the method is convenient for developers and improves development efficiency.
Further, the SQL execution module further comprises an interceptor A, which is used to intercept the update method of the Executor and pass the fields that need encryption to the encryption and decryption module.
The beneficial effect of this scheme is: by intercepting the update method of MyBatis and traversing all fields in the parameter object, the system can automatically identify and process the fields carrying the @FieldEncrypt annotation without having to write encryption code separately in each Data Access Object (DAO) or in the business logic. In addition, the encryption mode, password and processor are configured through the annotation, so the system is highly flexible and customizable, and different encryption strategies can be selected for different requirements and environments.
Further, the result processing module further comprises an interceptor B, which is configured to intercept the handleResultSets method of the ResultSetHandler and pass the fields that need decryption to the encryption and decryption module.
The beneficial effect of this scheme is: by intercepting the query result processing method of MyBatis and traversing all fields of each record, the system can automatically identify and process fields carrying the @FieldEncrypt annotation without having to write decryption code separately in each Data Access Object (DAO) or in the business logic. This protects the data, avoids leakage of sensitive data within the system, makes the code clearer, reduces redundant code, and improves the maintainability and extensibility of the code. In addition, the decryption algorithm, password and processor are all configured through the annotation, so the system is highly flexible and customizable, and different decryption strategies can be selected for different requirements and environments.
Drawings
FIG. 1 is an encryption flow chart of an encryption and decryption implementation method for database fields based on mybatis in the invention;
FIG. 2 is a decryption flow chart of a method for realizing encryption and decryption of database fields based on mybatis in the invention.
Detailed Description
The following is a further detailed description of the embodiments:
Example 1
An encryption and decryption implementation method for database fields based on MyBatis comprises a process for encrypting the fields and a process for decrypting the fields, wherein both processes use an annotation named @FieldEncrypt; the @FieldEncrypt annotation contains three attributes: password is used to specify the encryption password, algorithm is used to specify the encryption mode, and encryptor is used to specify the specific encryption processor. The method further includes encrypting and decrypting the field values using a MyBatis interceptor and an encryptor, wherein the encryptor encrypts or decrypts the field values according to the algorithm and password specified in the @FieldEncrypt annotation.
The field encryption process, shown in fig. 1, includes the following steps: step 1: call an update method of MyBatis in the DAO; step 2: the MyBatis interceptor intercepts the update method of the Executor; step 3: the interceptor traverses all fields in the parameter object and processes the fields carrying the @FieldEncrypt annotation; step 4: for each field with the @FieldEncrypt annotation, the corresponding encryption is performed using the encryptor, algorithm and password configured in the annotation; step 5: the encrypted field value is set back into the parameter object; step 6: the SQL statement is executed, completing the encryption. The terms involved in the method are explained below:
DAO: the Data Access Object is a design pattern for packaging the code that accesses a database. DAOs typically include methods for creating, reading, updating and deleting database records.
The update method of MyBatis: a method provided by the MyBatis framework for performing SQL update operations, such as INSERT, UPDATE and DELETE.
MyBatis interceptor: the MyBatis interceptor is an extension mechanism of MyBatis that can intercept and modify MyBatis's SQL operations. In this process, a MyBatis interceptor is used to intercept the update method of the Executor.
Executor: the Executor is a core interface of MyBatis that defines the core methods of database operations. The MyBatis interceptor can intercept the methods of the Executor and add custom processing logic.
@FieldEncrypt annotation: a custom Java annotation that marks the fields that need to be encrypted and specifies the encryption scheme and password.
encryptor: an attribute of the @FieldEncrypt annotation that specifies the processor that performs the encryption operation.
algorithm: another attribute of the @FieldEncrypt annotation that specifies the encryption method, such as AES, DES or RSA.
password: another attribute of the @FieldEncrypt annotation that specifies the password used for encryption.
In the encryption process of the present embodiment, first, in a Data Access Object (DAO), the programmer calls the update method of MyBatis. This method is used to perform SQL update operations such as INSERT, UPDATE and DELETE. When it is invoked, a parameter object, typically a Java POJO, is provided that contains the data for updating the database. After the update method of MyBatis is called, MyBatis executes the actual database operation through the Executor. In this process, the MyBatis interceptor intercepts the update method of the Executor, so that custom processing logic can be added before the SQL operation is performed. In the interceptor, the program traverses all fields in the parameter object. If a field carries the @FieldEncrypt annotation, this field requires encryption: the annotation states that the field needs to be encrypted and provides the information on how to encrypt it. For each field that needs encryption, the program encrypts it using the encryptor, algorithm and password provided by the @FieldEncrypt annotation. The encryptor is an encryption processor that encrypts the original value of the field using the encryption algorithm specified by algorithm and the password specified by password. After encryption is completed, the program sets the encrypted field value back into the parameter object, so that this field in the parameter object now holds the encrypted value. Finally, the interceptor lets the update method of the Executor continue, finishing the actual SQL operation. When performing the SQL operation, MyBatis uses the field values in the parameter object, so the fields encrypted in the previous step are stored in the database in encrypted form.
An annotation is a piece of metadata that provides information about the code but does not directly affect its execution. In Java, annotations can be used to provide additional information and functionality for the code. For fields that need to be encrypted, only a special annotation (in this embodiment, @FieldEncrypt) needs to be added to the corresponding field of the POJO class. This annotation tells the system that, when processing this field, encryption must be performed using the specified encryptor, algorithm and password.
Assume there is a User class, a POJO class with two fields: username and password. The password field stores sensitive information and needs to be encrypted. To achieve this, the @FieldEncrypt annotation only needs to be added to the password field; the relevant encryption configuration (encryptor, algorithm and password) is included in this annotation.
In a Data Access Object (DAO), an update method is called to update the information of the User object. The MyBatis interceptor intercepts this update operation in order to encrypt the User object. The interceptor finds the password field carrying the @FieldEncrypt annotation in the User object and encrypts it as configured in the @FieldEncrypt annotation (encryptor, algorithm and password). Assuming the original password is "123456", after encryption it may become a string of unreadable characters, for example "U2FsdGVkX1+qm3pvb7PZg=". The interceptor sets the encrypted password back into the User object. Finally, the update method in the DAO continues to execute, and the User object is updated in the database. At this point, the password field of the User object is already an encrypted value.
In addition, a salt parameter may be added to the @FieldEncrypt annotation to define the salt used for encryption. The salt may be a fixed value or a dynamic value; for example, the username may be used as the salt. The use of a salt value can increase the security of the encryption, because even if two users have the same password, the encrypted ciphertexts will differ due to their different usernames (assuming usernames are used as salt values). Thus, even if an attacker knows the encryption algorithm and encryption key, they cannot decrypt the password without knowing the salt value.
Meanwhile, the method can also realize different encryption modes for tables in different databases in the same engineering.
Assume there is one Java project that uses MyBatis to connect to two different databases: database A and database B.
In database A, there is a table named "User" with two fields: "username" and "password". To protect the user's sensitive information, the "password" field is to be encrypted. The AES encryption algorithm is selected and the key "myPassword" is set.
In database B, there is a table named "Employee", which also has two fields: "employeeId" and "securityNumber". To protect the employee's sensitive information, the "securityNumber" field is to be encrypted. Considering the specificity of this field, a different encryption algorithm, DES, is selected and a different key, "myEmployeePassword", is set.
In this example, for the User class, the MyBatis interceptor encrypts the password field as designated by the @FieldEncrypt annotation (using the AES encryptor, the AES algorithm and the myPassword key) before updating the User in database A.
For the Employee class, the MyBatis interceptor encrypts the securityNumber field as designated by the @FieldEncrypt annotation (using the DES encryptor, the DES algorithm and the myEmployeePassword key) before updating the Employee in database B.
It can also be seen from this example that the project handles two different encryption modes: AES and DES. The two encryption modes are packaged in different encryptors, each implementing the same interface, so the encryptors can be switched flexibly when needed.
More specifically, for the User class, the password field is encrypted using an AES encryptor (for example, a class named AesEncryptor), while for the Employee class a DES encryptor (for example, a class named DesEncryptor) is chosen to encrypt the securityNumber field.
This architecture makes it convenient to add custom encryption modes. If a new encryption scheme is to be added, only a new encryptor needs to be created that implements the same interface and implements the selected scheme internally. The new encryptor can then be specified in the @FieldEncrypt annotation, just like the AES and DES encryptors in this example.
The process of field decryption as shown in fig. 2 includes the steps of: step1: calling a query method of MyBatis in DAO; step2: the MyBatis interceptor intercepts the handleResultset methods of the ResultSetHandler; step3: executing SQL query sentences to obtain a result set; step4: traversing each record in the result set by the interceptor, and processing all fields of each record; step5: for each field with @ Fieldencrypt annotation, performing corresponding decryption by using an encrypter, algorithm, password of the annotation configuration; step6: setting the decrypted field value into the result object.
In the decryption process of this embodiment, the programmer first calls a query method of MyBatis in a Data Access Object (DAO). This method performs an SQL query operation such as SELECT. When it is invoked, query conditions must be supplied, such as the identity of the particular User to be queried. After the query method of MyBatis is called, MyBatis executes the actual database operation through the Executor.
During this process, the MyBatis interceptor intercepts the handleResultSets method of the ResultSetHandler, so that custom processing logic can be added before the query results are processed. In the interceptor, the program traverses each record in the result set and processes all fields of each record. If a field carries the @FieldEncrypt annotation, that field requires decryption: the annotation indicates that the field needs to be decrypted and provides the information on how to decrypt it.
For each field that needs to be decrypted, the program decrypts using the encrypter, algorithm and password provided by the @FieldEncrypt annotation. The encrypter is the decryption processor; it decrypts the encrypted field value using the decryption algorithm specified by algorithm and the password specified by password. After decryption is complete, the program sets the decrypted field value back into the result object, so that this field in the result object becomes the decrypted value.
Finally, the interceptor continues to execute the handleResultSets method of the ResultSetHandler and returns the result object to the DAO. Since MyBatis uses the field values of the result object when returning it, the field decrypted in the previous step is already the decrypted value in the result object received by the DAO. In this way, the programmer can use the decrypted field value directly when processing the query result, without concern for the details of decryption.
In MyBatis, ResultSetHandler is the component that processes the result set (ResultSet) returned by an SQL query; its main task is to convert the result set into Java objects. handleResultSets is the key method of ResultSetHandler that processes the result set returned by the SQL query.
Assume that the password field of the User object was encrypted and stored in the database through the encryption process. Now the user's information is to be queried and decrypted.
First, a query method such as select is called in a Data Access Object (DAO) to obtain the information of a User object. During this process, the MyBatis interceptor intercepts the handleResultSets method of the ResultSetHandler, which processes the query results. The interceptor looks for the password field in the User object annotated with @FieldEncrypt; this annotation indicates that the password field is encrypted and therefore needs to be decrypted.
The interceptor then reads the configuration in the @FieldEncrypt annotation, which includes an encrypter (encrypter), an encryption algorithm (algorithm) and a password (password); together these are all the information required for decryption. The interceptor then decrypts the password field using this information. Assuming the encrypted password is "U2 fsdgvkx1+qm3pvb7 PZg =", after decryption it may be restored to the original password "123456".
After decryption is complete, the interceptor sets the decrypted password back into the User object, so that the password field of the User object becomes the decrypted value. Finally, the interceptor calls the original implementation of the handleResultSets method of the ResultSetHandler and returns the User object to the DAO. At this point, the password field in the User object received by the DAO is already the decrypted value.
Through this flow, the decrypted password can be used directly when processing the query results, without handling the details of decryption anywhere else.
If a salt is used in the @FieldEncrypt annotation, the same salt value must be used during decryption. The salt value is part of the encryption process; it increases the complexity of the encryption and improves security. The salt value is typically encrypted together with the user's password to produce a unique encryption result.
During decryption, the correct salt value must be known in order to decrypt the password properly. This is because the encryption used here is reversible, and decryption is the inverse of encryption: all inputs used during encryption, including the password and the salt value, must be known to obtain the correct decryption result.
In the above example, assume that username is used as the salt value. When the password field needs to be decrypted, the interceptor first finds the username field in the User object and then uses this username as the salt to decrypt the password field, as configured in the @FieldEncrypt annotation.
If the username field or any other configuration in the @FieldEncrypt annotation changes, the correct decryption result cannot be obtained, because the inputs used during decryption no longer match those used during encryption. It is therefore necessary to ensure that all inputs used during decryption, including the salt, are exactly identical to those used during encryption; only then can the password be decrypted correctly.
In general, the MyBatis-based encryption and decryption implementation method for database fields allows sensitive data to be encrypted and decrypted on the client side: the user only needs to add annotations to fields of POJO classes, without explicitly calling encryption and decryption functions in the code, which greatly simplifies the encryption and decryption process. Secondly, it provides enough flexibility to support different encryption schemes for different database tables within the same project, meaning that the most suitable encryption strategy can be selected according to the specific requirements of each table.
In addition, the encryption salt value can be customized, which makes the encryption process safer: as long as the salt values differ, the encryption results differ even if two users use the same password, which increases the difficulty of cracking. Finally, the tool encapsulates most encryption modes, such as AES, DES and RSA, and the user can flexibly select an encryption mode according to the requirements; if the built-in encryption modes cannot meet the requirements, a custom encryption mode can be added to meet various complex requirements.
Example two
This embodiment provides a MyBatis-based encryption and decryption implementation system for database fields, which comprises a data source configuration module, an encryption and decryption module, an SQL execution module and a result processing module. The data source configuration module configures the database connection information and metadata information, including the type, address and access parameters of the database. The encryption and decryption module identifies the @FieldEncrypt annotation and performs encryption and decryption operations according to its attributes; the @FieldEncrypt annotation contains three attributes, password, algorithm and encrypter, where password specifies the encryption password, algorithm specifies the encryption mode, and encrypter specifies the specific encryption processor. The SQL execution module executes database operations and, in cooperation with the encryption and decryption module, processes the sensitive fields involved in those operations. The result processing module processes the results returned by the SQL execution module, including decrypting the encrypted fields and returning the decrypted results to the user.
The encryption and decryption module further comprises an encryption sub-module and a decryption sub-module; the encryption sub-module performs the encryption operation on the fields, and the decryption sub-module performs the decryption operation on the fields. Both sub-modules encrypt or decrypt field values based on the algorithm and password specified in the @FieldEncrypt annotation.
The SQL execution module further comprises an interceptor A, which intercepts the update method of the Executor and passes the fields that need encryption to the encryption and decryption module.
The result processing module further comprises an interceptor B, which intercepts the handleResultSets method of the ResultSetHandler and passes the fields that need decryption to the encryption and decryption module.
In the MyBatis-based encryption and decryption implementation system for database fields, the encryption process mainly involves the data source configuration module, the encryption and decryption module and the SQL execution module.
First, the data source configuration module is responsible for configuring the database connection and metadata information. This includes determining the type, address and access parameters of the database so that the system can connect to the target database. Next, the encryption sub-module performs the encryption operation using the password and algorithm attributes of the @FieldEncrypt annotation. The @FieldEncrypt annotation is placed on a field of the POJO class to identify the field that needs to be encrypted. The password attribute of the annotation specifies the encryption password and the algorithm attribute specifies the encryption algorithm used. Furthermore, the encrypter attribute of the @FieldEncrypt annotation specifies a particular encryption processor, which may be a built-in encryption algorithm such as AES or DES, or a custom encryption processor.
The SQL execution module then executes the database operation. When the update method of MyBatis is invoked in a Data Access Object (DAO), the interceptor in this module intercepts the update method of the Executor. The interceptor then traverses all fields of the parameter object and encrypts each field carrying the @FieldEncrypt annotation. The actual encryption is performed by the encryption sub-module according to the algorithm, password and encrypter specified in the @FieldEncrypt annotation. Finally, the interceptor sets the encrypted field values back into the parameter object, so that when the SQL execution module executes the update, the corresponding columns in the database receive the encrypted values.
In general, the encryption process of the MyBatis-based field encryption and decryption system makes encryption simpler and more automatic: the system performs the encryption operation automatically once the appropriate annotations are added to the code. Meanwhile, the use of interceptors and annotations provides flexibility and extensibility: the user can select different encryption algorithms and passwords as needed, and even customize an encryption processor.
In the MyBatis-based encryption and decryption implementation system for database fields, the decryption process mainly involves the encryption and decryption module and the result processing module.
First, the decryption sub-module decrypts the encrypted fields using the password and algorithm attributes of the @FieldEncrypt annotation. Likewise, the @FieldEncrypt annotation is placed on a field of the POJO class to identify the field that needs to be decrypted. The password attribute of the annotation specifies the password used for decryption and the algorithm attribute specifies the decryption algorithm. The encrypter attribute of the @FieldEncrypt annotation specifies a particular decryption processor, which may be a built-in algorithm such as AES or DES, or a user-defined decryption processor.
Thereafter, when the query method of MyBatis is invoked in a Data Access Object (DAO), the interceptor in the result processing module intercepts the handleResultSets method of the ResultSetHandler. The SQL query statement is then executed, producing a result set that contains the encrypted fields.
The interceptor then traverses each record in the result set and decrypts the fields of each record that carry the @FieldEncrypt annotation. The actual decryption is performed by the decryption sub-module according to the algorithm, password and encrypter specified in the @FieldEncrypt annotation. Finally, the interceptor sets the decrypted field values back into the result object, so that when the result object is returned to the user it already contains the decrypted fields.
In general, the decryption process of the MyBatis-based field encryption and decryption system makes decryption simpler and more automatic: the system performs the decryption operation automatically once the appropriate annotations are added to the code. Meanwhile, the use of interceptors and annotations provides flexibility and extensibility: the user can select different decryption algorithms and passwords as needed, and even customize a decryption processor.
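The annotation, the two interceptors (A on Executor.update, B on ResultSetHandler.handleResultSets) and a built-in processor described above, and the salt handling discussed for the username example, as one added example in Java that is not part of the patent or of any project's code. It assumes MyBatis 3.5 or later (for the default Interceptor methods), a salt attribute that names a sibling field such as username, and AES-256-GCM under a PBKDF2-derived key as the "AES" mode, since the page does not fix the cipher mode or key derivation.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.sql.Statement;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import org.apache.ibatis.executor.Executor;
import org.apache.ibatis.executor.resultset.ResultSetHandler;
import org.apache.ibatis.mapping.MappedStatement;
import org.apache.ibatis.plugin.*;

/** Marks a POJO field that is stored encrypted; password/algorithm/encrypter follow the page, salt is assumed. */
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.FIELD)
@interface FieldEncrypt {
    String password();                                  // key material shared by encryption and decryption
    String algorithm() default "AES";                   // informational here; a custom encrypter may dispatch on it
    Class<? extends Encrypter> encrypter() default AesGcmEncrypter.class;
    String salt() default "";                           // name of a sibling field used as salt, e.g. "username"
}
interface Encrypter {
    String encrypt(String plain, String password, String salt) throws Exception;
    String decrypt(String cipherText, String password, String salt) throws Exception;
}
/** Built-in processor: AES-256-GCM under a PBKDF2 key derived from password + salt; 12-byte nonce is prefixed. */
class AesGcmEncrypter implements Encrypter {
    private static SecretKeySpec key(String password, String salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt.getBytes("UTF-8"), 100_000, 256);
        return new SecretKeySpec(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded(), "AES");
    }
    public String encrypt(String plain, String password, String salt) throws Exception {
        byte[] nonce = new byte[12]; new SecureRandom().nextBytes(nonce);   // fresh nonce per value
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key(password, salt), new GCMParameterSpec(128, nonce));
        byte[] body = c.doFinal(plain.getBytes("UTF-8"));
        return Base64.getEncoder().encodeToString(ByteBuffer.allocate(12 + body.length).put(nonce).put(body).array());
    }
    public String decrypt(String cipherText, String password, String salt) throws Exception {
        byte[] in = Base64.getDecoder().decode(cipherText);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key(password, salt), new GCMParameterSpec(128, in, 0, 12));
        // a password or salt that differs from the one used at encryption fails the GCM tag check (AEADBadTagException)
        return new String(c.doFinal(in, 12, in.length - 12), "UTF-8");
    }
}
/** Interceptor A (Executor.update: encrypt parameters) and interceptor B (handleResultSets: decrypt rows) in one plugin. */
@Intercepts({
    @Signature(type = Executor.class, method = "update", args = {MappedStatement.class, Object.class}),
    @Signature(type = ResultSetHandler.class, method = "handleResultSets", args = {Statement.class})})
public class FieldEncryptInterceptor implements Interceptor {
    public Object intercept(Invocation invocation) throws Throwable {
        if (invocation.getTarget() instanceof Executor) {   // update path: a plain POJO parameter is assumed
            transform(invocation.getArgs()[1], true);       // (a @Param map is not unwrapped here)
            return invocation.proceed();
        }
        Object result = invocation.proceed();               // query path: the list of mapped result objects
        if (result instanceof List) for (Object row : (List<?>) result) transform(row, false);
        return result;
    }
    /** Encrypts (encrypt == true) or decrypts every @FieldEncrypt String field of obj in place. */
    static void transform(Object obj, boolean encrypt) throws Exception {
        if (obj == null) return;
        for (Field f : obj.getClass().getDeclaredFields()) {
            FieldEncrypt cfg = f.getAnnotation(FieldEncrypt.class);
            if (cfg == null || f.getType() != String.class) continue;
            f.setAccessible(true);
            String value = (String) f.get(obj);
            if (value == null) continue;
            String salt = f.getName();                      // fallback so PBKDF2 never sees an empty salt
            if (!cfg.salt().isEmpty()) { Field s = obj.getClass().getDeclaredField(cfg.salt()); s.setAccessible(true); salt = String.valueOf(s.get(obj)); }
            Encrypter e = cfg.encrypter().getDeclaredConstructor().newInstance();
            f.set(obj, encrypt ? e.encrypt(value, cfg.password(), salt) : e.decrypt(value, cfg.password(), salt));
        }
    }
}
```

Because each encryption uses a fresh nonce, equal plaintexts do not yield equal ciphertexts, so an encrypted column cannot be matched in a WHERE equality predicate; and since the salt is read from a sibling field, changing that field's value after encryption (renaming the user, for instance) makes the stored ciphertext undecryptable, exactly the mismatch the text above describes.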
The foregoing is merely an embodiment of the present invention; structures and features well known in the art are not described in detail here. Those skilled in the art, with the general knowledge of the field before the application date or priority date and with the help of the teachings of this application, are able to practise and perfect the invention, and the well-known structures or methods that are not described are not an obstacle to doing so. It should be noted that modifications and improvements made by those skilled in the art without departing from the structure of the present invention, and which do not affect the effect of its implementation or the utility of the patent, are also considered to be within the scope of the present invention. The protection scope of the present application is governed by the content of the claims, and the description of the specific embodiments in the specification may be used to interpret the claims.

Claims (8)

1. An encryption and decryption implementation method for database fields based on mybatis, characterized in that the method comprises a process for encrypting the fields and a process for decrypting the fields, wherein the encryption and decryption processes use an annotation named @FieldEncrypt, the @FieldEncrypt annotation comprises three attributes, in which password is used for specifying an encryption password, algorithm is used for specifying an encryption mode, and encrypter is used for specifying a specific encryption processor; the method further includes encrypting and decrypting the field values using a MyBatis interceptor and an encrypter, wherein the encrypter encrypts or decrypts the field values according to the algorithm and password specified in the @FieldEncrypt annotation.
2. The encryption and decryption implementation method according to claim 1, wherein the field encryption process comprises the following steps:
step1: calling an update method of MyBatis in DAO;
step2: the MyBatis interceptor intercepts update method of the Executor;
step3: the MyBatis interceptor traverses all fields in the parameter object to find the fields with the @FieldEncrypt annotation;
step4: for each field with the @FieldEncrypt annotation, the corresponding encryption is performed using the encrypter, algorithm and password configured in the annotation;
step5: setting the encrypted field value into the parameter object;
step6: and executing SQL update operation to complete encryption.
3. The encryption and decryption implementation method according to claim 1, wherein the field decryption process comprises the following steps:
step1: calling a query method of MyBatis in DAO;
step2: the MyBatis interceptor intercepts the handleResultSets method of the ResultSetHandler;
step3: executing the SQL query statement to obtain a result set;
step4: traversing each record in the result set by the interceptor, and processing all fields of each record;
step5: for each field with the @FieldEncrypt annotation, performing the corresponding decryption using the encrypter, algorithm and password configured in the annotation;
step6: setting the decrypted field value into the result object.
4. An encryption and decryption realization system for database fields based on mybatis, characterized in that: the system comprises a data source configuration module, an encryption and decryption module, an SQL execution module and a result processing module; the data source configuration module is used for configuring database connection information and metadata information, including the type, address and access parameters of the database; the encryption and decryption module is used for identifying the @FieldEncrypt annotation and performing encryption and decryption operations according to the attributes of the @FieldEncrypt annotation; the @FieldEncrypt annotation contains three attributes, password, algorithm and encrypter, respectively, wherein password is used to specify an encryption password, algorithm is used to specify an encryption mode, and encrypter is used to specify a specific encryption processor; the SQL execution module is used for executing database operations and processing the sensitive fields involved in the database operations in cooperation with the encryption and decryption module; the result processing module is used for processing the results returned by the SQL execution module, including decryption of the encrypted fields and returning the decrypted results to the user.
5. The encryption and decryption implementation system based on MyBatis for database fields according to claim 4, wherein: the encryption and decryption module further comprises an encryption sub-module and a decryption sub-module, wherein the encryption sub-module is used for conducting encryption operation on the fields, and the decryption sub-module is used for conducting decryption operation on the fields.
6. The encryption and decryption implementation system based on MyBatis for database fields according to claim 5, wherein: the encryption and decryption sub-modules encrypt or decrypt field values based on the algorithm and password specified in the @FieldEncrypt annotation.
7. The encryption and decryption implementation system based on MyBatis for database fields according to claim 4, wherein: the SQL execution module further comprises an interceptor A, wherein the interceptor A is used for intercepting an update method of the Executor and transmitting fields needing encryption to the encryption and decryption module.
8. The encryption and decryption implementation system based on MyBatis for database fields according to claim 4, wherein: the result processing module further comprises an interceptor B, wherein the interceptor B is used for intercepting the handleResultSets method of the ResultSetHandler and transmitting the fields needing decryption to the encryption and decryption module.
CN202311392895.3A 2023-10-25 2023-10-25 Encryption and decryption realization method and system for database fields based on mybatis Pending CN117407898A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311392895.3A CN117407898A (en) 2023-10-25 2023-10-25 Encryption and decryption realization method and system for database fields based on mybatis

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311392895.3A CN117407898A (en) 2023-10-25 2023-10-25 Encryption and decryption realization method and system for database fields based on mybatis

Publications (1)

Publication Number Publication Date
CN117407898A true CN117407898A (en) 2024-01-16

Family

ID=89493984

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311392895.3A Pending CN117407898A (en) 2023-10-25 2023-10-25 Encryption and decryption realization method and system for database fields based on mybatis

Country Status (1)

Country Link
CN (1) CN117407898A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118394279A (en) * 2024-06-20 2024-07-26 杭州玳数科技有限公司 Data processing method, device, storage medium and computer program product based on interceptor

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination