CN118363986A - Encryption and decryption method and device for secret database - Google Patents
Publication number: CN118363986A (application CN202410470688.3A)
Authority: CN (China)
Prior art keywords: data, column, name, key, statement
Legal status: Granted
Classifications
- G06F16/24534: Query rewriting; Transformation
- G06F16/24547: Optimisations to support specific applications; Extensibility of optimisers
- G06F16/24553: Query execution of query operations
- G06F21/602: Providing cryptographic facilities or services
- G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
Description
Technical Field
The present application relates to the field of secret databases (密态数据库: databases that store and process their data in ciphertext), and in particular to encryption and decryption methods and devices for secret databases.
Background
The core task of a database is the management of data assets, including the classification, organization, coding, storage, retrieval and maintenance of data. With today's explosive growth of data, databases take on more and more data processing and analysis responsibilities, continuously promoting application innovation in the form of data empowerment and facilitating digital development.
A secret database is a database management system that stores and manages data in encrypted form: data storage, computation, retrieval and management are all carried out on ciphertext, while database-management capabilities such as syntax parsing and transaction ACID guarantees are inherited from a conventional database. A secret database is the product of a deep combination of database systems, encryption technology and mathematical algorithms. Its core task is to protect data throughout its life cycle while still supporting retrieval and computation over the encrypted data. Randomized encryption guarantees the confidentiality of the data in a secret database, but randomly encrypted data loses computational flexibility: database operations such as sorting and magnitude-comparison queries can no longer be performed on it.
Summary of the Invention
The present application provides encryption and decryption methods and devices for a secret database, to solve the technical problem that, once the data in a secret database has been randomly encrypted, database operations such as correct sorting and magnitude-comparison queries can no longer be performed.
In a first aspect, a database operation method is provided, applied to a data interaction terminal, the method comprising:
obtaining a first structured query language (SQL) statement acting on a target database, the first structured query statement being a data manipulation statement;
rewriting the first structured query statement to obtain a second structured query statement, in which the data is obtained by order-preserving encryption of the data in the first structured query statement;
sending the second structured query statement to the target database, so that the target database executes the database operation corresponding to the second structured query statement;
receiving the first operation result data returned by the target database after it executes the database operation;
restoring the first operation result data to obtain the second operation result data corresponding to the first structured query statement.
In a second aspect, an encryption and decryption device for a secret database is provided, applied to a data interaction terminal, the device comprising:
an acquisition module, configured to obtain a first structured query statement acting on a target database, the first structured query statement being a data manipulation statement;
a rewriting module, configured to rewrite the first structured query statement to obtain a second structured query statement, in which the data is obtained by order-preserving encryption of the data in the first structured query statement;
a sending module, configured to send the second structured query statement to the target database, so that the target database executes the database operation corresponding to the second structured query statement;
a receiving module, configured to receive the first operation result data returned by the target database after it executes the database operation;
a restoration module, configured to restore the first operation result data to obtain the second operation result data corresponding to the first structured query statement.
In a third aspect, a computer device is provided, comprising a memory and one or more processors, the memory being connected to the one or more processors; the one or more processors execute one or more computer programs stored in the memory, and in doing so cause the computer device to implement the database operation method of the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, storing a computer program that includes program instructions; when the program instructions are executed by a processor, they cause the processor to perform the database operation method of the first aspect.
The present application achieves the following technical effects. After the first structured query statement acting on the target database is obtained, it is rewritten into a second structured query statement whose data is the order-preserving encryption of the data in the first statement; the second statement is then sent to the target database so that it executes the corresponding database operation; the first operation result data returned by the target database after that operation is received; and finally the first operation result data is restored to obtain the second operation result data corresponding to the first structured query statement. Because the SQL statement is rewritten before being sent to the database for execution, both encryption and data restoration take place on the data interaction terminal side; the database server only performs conventional database operations and needs no modification. Because the data in the rewritten SQL statement is the order-preserving encryption of the data in the original statement, the ordering between the encrypted values is identical to the ordering between the plaintext values, so database operations such as sorting and magnitude-comparison queries remain possible.
Brief Description of the Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings required for the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG. 1 is a schematic diagram of the system architecture of a secret database system provided in an embodiment of the present application;
FIG. 2 is a schematic diagram of order-preserving encryption provided in an embodiment of the present application;
FIG. 3 is a flow chart of a database operation method provided in an embodiment of the present application;
FIG. 4 is a flow chart of another database operation method provided in an embodiment of the present application;
FIG. 5 is a flow chart of yet another database operation method provided in an embodiment of the present application;
FIG. 6 is a flow chart of yet another database operation method provided in an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an encryption and decryption device for a secret database provided in an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a computer device provided in an embodiment of the present application.
Detailed Description
In order to make the purpose, technical solutions and advantages of the present application clearer, the application is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present application and are not intended to limit it. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of this application without creative effort fall within the scope of protection of this application.
It should be noted that, where no conflict arises, the features of the embodiments of the present application may be combined with one another, and all such combinations fall within the scope of protection of this application. In addition, although the device diagrams divide functionality into modules and the flow charts show a logical order, in some cases the steps shown or described may be performed with a module division different from that of the device, or in an order different from that of the flow chart. Furthermore, the words "first", "second", "third" and so on used in this application do not constrain the data or the order of execution; they only distinguish items that have essentially the same function and effect.
The technical solution of the present application can be applied to a secret database system. FIG. 1 is a schematic diagram of the system architecture of a secret database system provided in an embodiment of the present application. As shown in FIG. 1, the secret database system comprises a data interaction terminal 101 and a database 102. The data interaction terminal 101 is a user-facing interaction terminal on which a database client runs; the user submits SQL statements to the database client, which receives them, performs lexical and syntactic parsing, sends the SQL statements and receives and processes the results. The data interaction terminal 101 may also be provided with an encryption subsystem, which encrypts and decrypts SQL statements and results. The encryption subsystem comprises modules such as a searchable encryption algorithm module, key management, encrypted-table metadata management, SQL encryption processing (rewriting) and result decryption processing, to support the handling of encrypted data. The database 102 is a storage container for all kinds of data; it executes the database operation corresponding to the SQL statement sent by the database client and returns the execution result of that operation to the database client.
To facilitate understanding, some terms used in this application are introduced first.
1. SQL statements
SQL is a database language with several kinds of functionality, including data manipulation and data definition. SQL statements comprise data definition language (DDL) statements and data manipulation language (DML) statements.
Data definition statements define data objects; specifically, they define databases, the data tables within a database and the fields (column names) within a data table. DML statements add, delete, modify and query the data in the data tables of a database.
2. Master key
In this application, the master key is a key created by the data interaction terminal in response to a master key creation command; it is used to encrypt and decrypt column keys.
3. Master key metadata
In this application, master key metadata is the data associated with a master key; it mainly comprises the master key name, the key store provider name, the key path and the algorithm name. The master key name identifies the master key. The key store provider name identifies the provider of the master key; in this application, a master key provider is either a local key store provider or a third-party key store provider. The local key store provider is the key management module local to the data interaction terminal, which belongs to the terminal's encryption subsystem; a third-party key store provider is any key management module outside the data interaction terminal. The key path is the storage path of the master key. The algorithm name is the name of the encryption and decryption algorithm associated with the master key, which is the algorithm used to encrypt and decrypt the column keys of this application.
4. Column key
In this application, a column key is a key created by the data interaction terminal in response to a column key creation instruction; it is used to encrypt and decrypt a data column of a data table.
5. Column key metadata
In this application, column key metadata is the data associated with a column key; it mainly comprises the master key name, the column key name and the algorithm name. The column key name identifies the column key. The master key name identifies the master key used to encrypt and decrypt the column key. The algorithm name is the name of the encryption and decryption algorithm associated with the column key, which is the algorithm used to encrypt and decrypt data columns in a data table. In this application, the algorithm associated with a column key may be an order-preserving symmetric encryption (OPE) algorithm or another encryption and decryption algorithm.
6. Encrypted column key
In this application, an encrypted column key is the column key obtained by encrypting the column key identified by the column key name in the column key metadata with the master key identified by the master key name in that metadata.
7. Table encryption metadata
In this application, table encryption metadata is the data describing how a table's data is encrypted. It holds the column encryption information of the data tables in the database and mainly comprises the table name, original column name, replacement column name, column key name, original data type and size, and new data type and size. The table name identifies a data table in the database; the original column name is the name of the data column to be encrypted and identifies a column of the unencrypted table; the replacement column name is the name of the column after encryption and identifies the encrypted column in the encrypted table; the column key name is the name of the column key used to encrypt the column. The original data type and size are the type and size of the plaintext in the unencrypted column; the new data type and size are the type and size of the ciphertext in the encrypted column. Optionally, the new data type and size may be omitted from the table encryption metadata, since they can be derived at processing time from the original data type and size and the column key's encryption algorithm.
8. OPE algorithm
The OPE algorithm achieves both encryption and order preservation by applying a mathematical transformation to the data. It supports the comparison operators for numeric and character types, i.e. it makes numeric and character data searchable.
The OPE algorithm pseudo-randomizes the values of the plaintext space using the hypergeometric distribution (HGD) and maps them into the ciphertext space in a fixed order. Pseudo-randomization addresses the problem of hiding the plaintext frequency distribution, i.e. the randomization hides the statistical characteristics of the plaintext. At the same time, the ordered mapping preserves the order relation of the plaintexts, so that the relative order of plaintexts is still retained among the ciphertexts.
The pseudo-randomization is built on HGD; for a fixed key it is deterministic, and it is stateless.
For numeric data, the HGD algorithm is the function x = HGD(D, R, y, cc), interpreted as follows:
Balls are drawn from an urn containing R balls, D of them black and R-D white. y balls are drawn, and the function returns the number x of black balls among them. HGD is a function implementing a sampling algorithm, and its output x is a random variable following the hypergeometric distribution. In a computer implementation, once D, R and y are fixed, the x generated from the random number cc follows the hypergeometric distribution (i.e. over all values of cc, the set of computed x is such that the probability of x = x* is P_HGD(x*; R, D, y)). cc is a random number derived from the key k, D and R by a pseudo-random function PRF (which can be realised by computing a MAC over k, D and R and then encrypting the result with AES).
For a plaintext m and key k, the ciphertext c is computed by the following encryption steps:
(1) Initialize the plaintext domain and ciphertext range to given intervals according to the data type; the ciphertext range is twice the plaintext domain in bit width. For example, for the int type the plaintext domain is domain = [0, 2^32) and the ciphertext range is range = [0, 2^64), i.e. the domain size is D = 2^32 and the range size is R = 2^64.
(2) y = R/2, cc = PRF(k, D, R); compute x = HGD(D, R, y, cc).
(3) If m < min(domain) + x, then domain = [min(domain), min(domain)+x) and range = [min(range), min(range)+y); otherwise domain = [min(domain)+x, max(domain)] and range = [min(range)+y, max(range)].
Here min() and max() are the functions returning the lower and upper bound of a given interval, respectively.
(4) Update the domain and range sizes: D = size of domain, R = size of range.
(5) If D = 1, go to step (6); otherwise go back to step (2).
(6) Compute a hash of the plaintext m, encrypt the hash with AES, reduce the encryption result modulo R, and add min(range) to the reduced value; the sum is the final ciphertext c.
An example of order-preserving encryption is shown in FIG. 2.
Assume m = 25 and that plaintexts in the interval [0, 100) are to be encrypted into [0, 1000).
The specific steps are:
Step 1: HGD(100, 1000, 500, cc) outputs 44. Since 25 < 44, the domain and range are narrowed to [0, 44) and [0, 500) respectively.
Step 2: After the adjustment, the process above is repeated. The second call HGD(44, 500, 250, cc) outputs 23. Since 25 > 23, the domain and range are narrowed to [23, 44) and [250, 500) respectively. This repeats for several rounds; after the 8th round the domain is [25, 26), i.e. its size has converged to 1.
Step 3: Finally, step (6) of the algorithm above is applied within the range [298, 305], giving 301 as the ciphertext of 25.
For a ciphertext c and key k, the plaintext m is computed by the following decryption steps:
(1) Initialize the plaintext domain and ciphertext range to given intervals according to the data type; the ciphertext range is twice the plaintext domain in bit width. For example, for the int type the plaintext domain is domain = [0, 2^32) and the ciphertext range is range = [0, 2^64), i.e. the domain size is D = 2^32 and the range size is R = 2^64.
(2) y = R/2, cc = PRF(k, D, R); compute x = HGD(D, R, y, cc).
(3) If c < min(range) + y, then domain = [min(domain), min(domain)+x) and range = [min(range), min(range)+y); otherwise domain = [min(domain)+x, max(domain)] and range = [min(range)+y, max(range)].
Here min() and max() are the functions returning the lower and upper bound of a given interval, respectively.
(4) Update the domain and range sizes: D = size of domain, R = size of range.
(5) If D = 1, go to step (6) to compute the plaintext; otherwise go back to step (2).
(6) Compute a hash of min(domain), encrypt the hash with AES, reduce the encryption result modulo R, and add min(range). If the result equals the ciphertext c, then m = min(domain); otherwise decryption fails.
The verification in step (6) can be used to detect tampering with the ciphertext. If tampering is not a concern, the hashing and AES encryption in step (6) can be omitted entirely and m = min(domain) taken directly.
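The encryption steps (1)-(6) and the decryption steps above, carried through in code as an added example that is not part of the patent. It assumes HMAC-SHA256 as a stand-in for the page's MAC-then-AES PRF and for the AES step of step (6), uses the page's toy sizes [0, 100) to [0, 1000), and the concrete values 44, 23 and 301 from the walkthrough depend on the PRF, so they are not reproduced.

```python
"""Order-preserving encryption by HGD binary descent, following the page's steps.

Constructed example: HMAC-SHA256 stands in for PRF(k, D, R) and for the AES step;
domain [0, 100) and range [0, 1000) are the page's toy sizes.
"""
import hashlib
import hmac
import random

PLAIN_SIZE = 100     # plaintext domain [0, 100)
CIPHER_SIZE = 1000   # ciphertext range [0, 1000)


def prf(key: bytes, d: int, r: int) -> int:
    """cc = PRF(k, D, R). The page MACs (k, D, R) then AES-encrypts; HMAC alone here."""
    return int.from_bytes(hmac.new(key, f"{d}:{r}".encode(), hashlib.sha256).digest(), "big")


def hgd(d: int, r: int, y: int, cc: int) -> int:
    """x = HGD(D, R, y, cc): black balls among y drawn without replacement from an
    urn of R balls with D black, sampled by a PRNG seeded with cc, so the result is
    deterministic for a fixed key. Exact in distribution for these small sizes."""
    rng = random.Random(cc)
    black, total, x = d, r, 0
    for _ in range(y):
        if rng.random() * total < black:  # next ball is black with prob black/total
            x += 1
            black -= 1
        total -= 1
    return x


def _leaf_value(key: bytes, m: int, rlo: int, r: int) -> int:
    """Step (6): hash m, encrypt the hash (HMAC instead of AES), mod R, add min(range)."""
    h = hashlib.sha256(str(m).encode()).digest()
    tag = int.from_bytes(hmac.new(key, h, hashlib.sha256).digest(), "big")
    return rlo + tag % r


def _descend(key: bytes, target: int, by_plaintext: bool):
    """Steps (2)-(5): halve the range, sample x, narrow domain and range towards the
    target (a plaintext when encrypting, a ciphertext when decrypting).
    Intervals are half-open [lo, hi); the invariant range size >= domain size holds."""
    dlo, dhi, rlo, rhi = 0, PLAIN_SIZE, 0, CIPHER_SIZE
    while dhi - dlo > 1:
        d, r = dhi - dlo, rhi - rlo
        y = r // 2
        x = hgd(d, r, y, prf(key, d, r))
        go_left = target < dlo + x if by_plaintext else target < rlo + y
        if go_left:
            dhi, rhi = dlo + x, rlo + y
        else:
            dlo, rlo = dlo + x, rlo + y
    return dlo, dhi, rlo, rhi


def ope_encrypt(key: bytes, m: int) -> int:
    if not 0 <= m < PLAIN_SIZE:
        raise ValueError("plaintext outside the domain")
    dlo, _, rlo, rhi = _descend(key, m, by_plaintext=True)
    return _leaf_value(key, dlo, rlo, rhi - rlo)


def ope_decrypt(key: bytes, c: int):
    """Plaintext, or None when the step-(6) check fails (a value that ope_encrypt
    never produced, e.g. a tampered ciphertext)."""
    if not 0 <= c < CIPHER_SIZE:
        return None
    dlo, dhi, rlo, rhi = _descend(key, c, by_plaintext=False)
    if dhi - dlo != 1:  # walked into an empty domain slice (x = 0 on a left branch)
        return None
    return dlo if _leaf_value(key, dlo, rlo, rhi - rlo) == c else None


def order_preserved(key: bytes) -> bool:
    """Ciphertexts of 0..99 must be strictly increasing."""
    cts = [ope_encrypt(key, m) for m in range(PLAIN_SIZE)]
    return all(a < b for a, b in zip(cts, cts[1:]))


if __name__ == "__main__":
    k = b"constructed demo key"
    for m in (0, 25, 99):
        c = ope_encrypt(k, m)
        print(m, "->", c, "->", ope_decrypt(k, c))
    print("order preserved:", order_preserved(k))
```

Only 100 of the 1000 range values pass the step-(6) check, which is the tamper detection the page describes; the other 900 decrypt to None.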
The overall technical idea of this application is as follows. On the data interaction terminal side, an order-preserving algorithm encrypts numeric and character data so that the ciphertexts have the same order as the plaintexts; this supports all kinds of comparison operations on the ciphertext and lets the database's native indexing build indexes directly on the ciphertext. The server side is unaware of the encryption and is not modified. Unlike conventional encryption, order-preserving encryption encrypts data without destroying its order, which means that applications that query, sort or compare by data order can keep using those functions on encrypted data.
This application next describes the following processes in detail. (1) The data interaction terminal creates a master key by command. The master key may be kept in the client's local key management system or in a third-party key management system, and the terminal stores the master key metadata in the database. (2) The data interaction terminal creates a column key by command. The column key is encrypted with the master key and stored in the database, and the column key metadata may also be stored in the database. (3) When creating a table, the data interaction terminal defines the encryption attributes of its columns and stores these attributes in the database as table encryption metadata. The terminal also caches encryption metadata: the column keys, key attribute information and column encryption attributes queried from the database are cached on the client. (4) The data interaction terminal parses the SQL statement, identifies the encrypted fields from the cached column encryption metadata, encrypts them and rewrites the SQL. It then processes the query results: based on the database's returned result it looks up the encryption metadata, obtains the column key for each encrypted field and decrypts the result.
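Process (4), the client-side rewrite and result restoration against an unmodified server, as an added example that is not part of the patent. The target database is an in-memory SQLite instance that knows nothing about encryption; the table encryption metadata dict, the column key and the row data are constructed; and a short keyed order-preserving stand-in replaces the HGD scheme, since only the rewrite and restore flow is demonstrated here.

```python
"""Client-side SQL rewrite and result restoration with an unmodified database server.

Constructed example: SQLite plays the target database, TABLE_META and COLUMN_KEYS
are made up, and ope_stand_in is a stand-in for the OPE algorithm.
"""
import hashlib
import hmac
import re
import sqlite3

# Table encryption metadata keyed by (table name, original column name), carrying the
# fields the page lists: replacement column, column key name, original and new type.
TABLE_META = {
    ("employees", "salary"): {
        "replacement_column": "salary_ope",
        "column_key_name": "ck_salary",
        "original_type": "INT",
        "new_type": "BIGINT",
    },
}
# Column key as the terminal holds it after unwrapping with the master key (constructed).
COLUMN_KEYS = {"ck_salary": b"constructed column key"}


def ope_stand_in(key: bytes, m: int) -> int:
    """Keyed, deterministic, strictly increasing map: m * 2^16 plus 16 bits of keyed
    noise. Not the page's HGD scheme; it only gives the flow a working encryptor."""
    noise = int.from_bytes(hmac.new(key, str(m).encode(), hashlib.sha256).digest()[:2], "big")
    return m * 65536 + noise


def ope_stand_in_decrypt(key: bytes, c: int) -> int:
    """Recover m, then re-encrypt and compare, mirroring the page's step-(6) check."""
    m = c // 65536
    if ope_stand_in(key, m) != c:
        raise ValueError("ciphertext failed verification")
    return m


_CMP = re.compile(r"\b(\w+)\s*(<=|>=|<>|!=|=|<|>)\s*(-?\d+)")
_TABLE = re.compile(r"\b(?:FROM|INTO|UPDATE)\s+(\w+)", re.IGNORECASE)


def rewrite(sql: str) -> str:
    """First statement -> second statement: replacement column names, encrypted literals."""
    table = _TABLE.search(sql).group(1)
    for (tbl, col), meta in TABLE_META.items():
        if tbl != table:
            continue
        key = COLUMN_KEYS[meta["column_key_name"]]
        new_col = meta["replacement_column"]

        def enc_comparison(mo):
            if mo.group(1) != col:
                return mo.group(0)
            return f"{new_col} {mo.group(2)} {ope_stand_in(key, int(mo.group(3)))}"

        sql = _CMP.sub(enc_comparison, sql)        # `salary > 5000` -> `salary_ope > <c>`
        sql = re.sub(rf"\b{col}\b", new_col, sql)  # remaining references (SELECT list, ORDER BY)
    return sql


def restore(table: str, columns, rows):
    """Map replacement columns back to original names and decrypt their cells."""
    by_repl = {m["replacement_column"]: (orig, m) for (t, orig), m in TABLE_META.items() if t == table}
    names, decoders = [], []
    for c in columns:
        if c in by_repl:
            orig, meta = by_repl[c]
            key = COLUMN_KEYS[meta["column_key_name"]]
            names.append(orig)
            decoders.append(lambda v, k=key: ope_stand_in_decrypt(k, v))
        else:
            names.append(c)
            decoders.append(lambda v: v)
    return names, [tuple(d(v) for d, v in zip(decoders, row)) for row in rows]


def setup_server() -> sqlite3.Connection:
    """The target database stores only ciphertexts and indexes them like any column."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (name TEXT, salary_ope INTEGER)")
    con.execute("CREATE INDEX idx_salary ON employees (salary_ope)")
    key = COLUMN_KEYS["ck_salary"]
    for name, salary in [("alice", 4800), ("bob", 5200), ("carol", 7000), ("dave", 5000)]:
        con.execute("INSERT INTO employees VALUES (?, ?)", (name, ope_stand_in(key, salary)))
    return con


def run_query(con: sqlite3.Connection, sql: str):
    """Terminal-side flow: rewrite, send, receive ciphertext rows, restore plaintext rows."""
    second_sql = rewrite(sql)
    cur = con.execute(second_sql)
    columns = [d[0] for d in cur.description]
    names, rows = restore(_TABLE.search(sql).group(1), columns, cur.fetchall())
    return second_sql, names, rows


if __name__ == "__main__":
    con = setup_server()
    q = "SELECT name, salary FROM employees WHERE salary > 5000 ORDER BY salary"
    second_sql, names, rows = run_query(con, q)
    print(second_sql)
    print(names, rows)
```

The server sorts and filters on `salary_ope` with an ordinary index, and the rows come back in plaintext salary order because the stand-in, like OPE, preserves order.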
本申请可以在不破坏数据顺序的前提下对数据进行加密,能够在实现数据安全的同时,保障数据库查询、比较等业务应用,对于数据库安全有着较强的应用价值,同时不用修改数据库服务端软件,兼容性高。This application can encrypt data without destroying the data order, and can ensure business applications such as database query and comparison while achieving data security. It has strong application value for database security, and at the same time, there is no need to modify the database server software, and it has high compatibility.
以下具体介绍本申请的方案。The solution of this application is described in detail below.
1. Detailed implementation of process (4)
Referring to FIG. 3, which is a flow chart of a database operation method provided in an embodiment of this application, the method can be applied to a secret database system. As shown in FIG. 3, the method includes the following steps:
S201: The data interaction terminal obtains a first structured query statement acting on a target database.
Here, the target database can be any database.
The first structured query statement is a data manipulation statement, namely the DML introduced above.
The first structured query statement includes a first table name, a first column name and first data. The first table name indicates the data table on which the first structured query statement acts (hereinafter referred to as the second data table); the second data table can be any data table in the target database. The first column name indicates the data column to which the first structured query statement points (hereinafter referred to as the first data column); the first data column is the data column of the second data table on which the first structured query statement acts, that is, the data column of the second data table on which one or more of the operations insert, delete, update and query need to be performed. The first data belongs to the data column corresponding to the first column name, that is, the first data belongs to the data in the first data column. It should be understood that the first structured query statement may contain one or more table names, column names and data items.
An example of the first structured query statement is: insert into t1(c1,c2) values(100,200), where t1 is the first table name, c1 and c2 are both first column names in the first data table, and 100 and 200 are respectively the data in column c1 and the data in column c2 of the first data table.
After obtaining the first structured query statement, the data interaction terminal parses it to obtain the first column name it contains, and then checks whether that first column name exists in the table encryption metadata corresponding to the target database. If the first column name exists in the table encryption metadata corresponding to the target database, the data in the first data column is encrypted data, and step S202 is executed. If the first column name does not exist in the table encryption metadata corresponding to the target database, the data in the first data column is not encrypted data, and the data interaction terminal can send the first structured query statement directly to the target database, so that the target database executes the database operation corresponding to the first structured query statement.
The table encryption metadata corresponding to the target database contains the column encryption information corresponding to the data tables in the target database. For the specific content of the column encryption information, refer to the introduction to the table encryption metadata above.
After parsing the first structured query statement, the data interaction terminal can first determine whether the first table name in the first structured query statement exists in the table encryption metadata corresponding to the target database. If it does, the terminal then determines whether the first column name in the first structured query statement exists in the table encryption metadata corresponding to the first table name. If the first table name does not exist in the table encryption metadata corresponding to the target database, the first data table contains no encrypted data columns, and the data interaction terminal can send the first structured query statement directly to the target database, so that the target database executes the database operation corresponding to the first structured query statement.
The table encryption metadata corresponding to the target database is saved to the target database by the data interaction terminal through the table encryption metadata generation and storage process. That process will be described in detail in the embodiment corresponding to FIG. 4 below and is not described further here.
The data interaction terminal can obtain the table encryption metadata corresponding to the target database from the target database. Alternatively, after generating the table encryption metadata corresponding to the target database through the table encryption metadata generation and storage process, the data interaction terminal can also cache that metadata locally, so that it can obtain the table encryption metadata corresponding to the target database from the local cache.
S202: The data interaction terminal rewrites the first structured query statement to obtain a second structured query statement, where the data in the second structured query statement is obtained by performing order-preserving encryption on the data in the first structured query statement.
Here, rewriting the first structured query statement to obtain the second structured query statement means replacing the first column name in the first structured query statement with the column name corresponding to the encrypted data column, performing order-preserving encryption on the first data in the first structured query statement to obtain encrypted data, and replacing the first data in the first structured query statement with the encrypted data; the result is the second structured query statement. Order-preserving encryption maps the values of the plaintext space into the ciphertext space in a fixed order, so that the relative order of the plaintexts is still preserved among the resulting ciphertexts; during the mapping, the statistical characteristics of the plaintext are hidden to ensure the security of the algorithm. Performing order-preserving encryption on the first data to obtain encrypted data means encrypting the first data with the OPE algorithm introduced above.
The data interaction terminal may rewrite the first structured query statement through the following steps A1-A4 to obtain the second structured query statement:
A1. According to the table encryption metadata corresponding to the target database, determine the first column key name and the second column name corresponding to the first column name.
Here, according to the first table name in the first structured query statement, the data interaction terminal can locate the table encryption metadata corresponding to the first table name within the table encryption metadata corresponding to the target database; it then takes the column key name in the table encryption metadata corresponding to the first table name as the first column key name corresponding to the first column name, and takes the replacement column name in the table encryption metadata corresponding to the first table name as the second column name corresponding to the first column name.
A2. According to the first column key name, obtain the first column key corresponding to the first column name.
The data interaction terminal can obtain the first column key corresponding to the first column name through the following steps A21-A24:
A21. Obtain the first column key metadata and the first encrypted column key corresponding to the first column key name.
Here, the first column key metadata includes the first master key name, the first column key name and the third algorithm name. The first master key name is the name of the master key used to encrypt and decrypt the first column key corresponding to the first column key name. The third algorithm name is the name of the algorithm that uses the first column key to encrypt and decrypt the data column corresponding to the first column name; in this application, the third algorithm name can be the name of the OPE algorithm or the name of another encryption algorithm. The first encrypted column key is obtained by encrypting the first column key corresponding to the first column name with the master key corresponding to the first master key name.
The column key metadata and the encrypted column key are saved to the target database by the data interaction terminal through the generation and storage process for the column key and column key metadata. That process will be described in detail in the embodiment corresponding to FIG. 5 below and is not described further here.
After determining the first column key name, the data interaction terminal can obtain the first column key metadata and the first encrypted column key corresponding to the first column key name from the target database. Alternatively, after generating the column key metadata and the encrypted column key through the generation and storage process for the column key and column encryption key, the data interaction terminal can also cache the column key metadata and the encrypted column key locally, so that it can obtain the first column key metadata and the first encrypted column key corresponding to the first column key name from the local cache. It should be understood that the column key metadata containing the first column key name is the first column key metadata corresponding to the first column key name, and the encrypted column key corresponding to the first column key metadata is the first encrypted column key.
A22. Obtain the first master key metadata corresponding to the first master key name.
Here, the first master key metadata includes the first algorithm name and the first key path. The first algorithm name is the name of the encryption and decryption algorithm corresponding to the master key, that is, the algorithm that uses the master key corresponding to the first master key name to encrypt and decrypt the first column key. The first key path is the storage path corresponding to the master key, that is, the storage path of the master key corresponding to the first master key name. The first master key metadata also includes the first master key name and the master key store provider name; the master key store provider name is the name of the key management module that generated the master key corresponding to the first master key name.
The master key metadata is saved to the target database by the data interaction terminal through the master key generation and storage process. That process will be described in detail in the embodiment corresponding to FIG. 6 below and is not described further here.
After obtaining the first master key name from the first column key metadata, the data interaction terminal can obtain the first master key metadata corresponding to the first master key name from the target database. Alternatively, after generating the master key metadata through the master key generation and storage process, the data interaction terminal can also cache the master key metadata locally, so that it can obtain the first master key metadata corresponding to the first master key name from the cache. It should be understood that the master key metadata containing the first master key name is the first master key metadata corresponding to the first master key name.
A23. Determine the first master key corresponding to the first master key name according to the first key path and the first master key name.
If the key store provider name in the first master key metadata is the name of the local key management module, the local key management module in the data interaction terminal can obtain the first master key according to the first key path and the first master key name.
Optionally, if the key store provider name in the first master key metadata is the name of a third-party key management module, the data interaction terminal can send the first master key metadata to the third-party key management module, and the third-party key management module obtains the first master key according to the first key path and the first master key name.
A24. Decrypt the first encrypted column key with the first master key and the encryption and decryption algorithm corresponding to the first algorithm name to obtain the first column key.
If the key store provider name in the first master key metadata is the name of the local key management module, the local key management module in the data interaction terminal can decrypt the first encrypted column key with the first master key and the encryption and decryption algorithm corresponding to the first algorithm name; the decrypted column key is the first column key.
Optionally, if the key store provider name in the first master key metadata is the name of a third-party key management module, the data interaction terminal can send the first master key metadata and the first encrypted column key to the third-party key management module. After obtaining the first master key according to the first key path and the first master key name, the third-party key management module decrypts the first encrypted column key with the first master key and the encryption and decryption algorithm corresponding to the first algorithm name, and sends the decrypted column key back to the data interaction terminal; the decrypted column key is the first column key.
A3. Perform order-preserving encryption on the first data with the first column key corresponding to the first column name to obtain second data.
Here, performing order-preserving encryption on the first data with the first column key corresponding to the first column name means using the first column key as the encryption key and encrypting the first data with the OPE algorithm. For the principles of the OPE algorithm, refer to the introduction to the OPE algorithm above, which is not repeated here.
The specific way order-preserving encryption is performed on the first data differs with the data type of the first data; the cases are introduced separately below.
The first case: the first data is integer (int) data.
In this case, the data interaction terminal can compute the difference between the first data and a second preset negative integer to obtain a first difference, treat the first difference as an unsigned integer, and perform order-preserving encryption on the first difference with the first column key corresponding to the first column name to obtain the second data. The second preset negative integer can be determined from the size of the original data type corresponding to the first column name.
Take the case where the data in the first data column corresponding to the first column name is a single-byte integer. The smallest negative single-byte integer is -128, so the second preset negative integer is -128. For the first data values 1 and -1, the difference between each value and -128 gives the first difference: 1-(-128)=129 (binary 1000 0001) and -1-(-128)=127 (binary 0111 1111). The first difference is treated as an unsigned integer and encrypted in an order-preserving manner with the first column key, that is, ope(1)=ope(1000 0001) and ope(-1)=ope(0111 1111); hence ope(1)=ope(1000 0001)>ope(-1)=ope(0111 1111).
It can be seen that for integer data, first computing the difference between the integer and the smallest negative integer and then performing order-preserving encryption on the difference keeps the order of the data consistent before and after encryption.
The second case: the first data is floating-point (float) data.
In this case, if the first data is a positive floating-point number, the data interaction terminal can treat the bytes that store the first data as an integer; the resulting integer is the first integer. It then computes the difference between the first integer and the minimum encoding to obtain the encoding to be encrypted, treats the encoding to be encrypted as an unsigned integer, and performs order-preserving encryption on it with the first column key corresponding to the first column name to obtain the second data. The minimum encoding is the binary encoding of the smallest negative integer for the number of bytes occupied by the first data. If the first data is a single-precision floating-point number, it occupies 4 bytes, the minimum encoding is 32 bits long, and the minimum encoding is: 1000 0000 0000 0000 0000 0000 0000 0000 (a 1 followed by 31 zeros). If the first data is a double-precision floating-point number, it occupies 8 bytes, the minimum encoding is 64 bits long, and the minimum encoding is: 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 (a 1 followed by 63 zeros).
Take the case where the data in the first data column corresponding to the first column name is a single-precision floating-point number, and assume the first data is 85.125. First, according to the IEEE 754 standard, the bytes storing the first data, read as an integer, give the first integer: 0 10000101 0101 0100 1000 0000 0000 000. Next, the difference between the first integer and the minimum encoding is computed to obtain the encoding to be encrypted: 1 1000 0101 0101 0100 1000 0000 0000 000. The encoding to be encrypted is treated as an unsigned integer and encrypted with OPE, that is, ope(85.125)=ope(1 1000 0101 0101 0100 1000 0000 0000 000).
If the first data is a negative floating-point number, the data interaction terminal can compute the two's complement of the first integer corresponding to the first data to obtain a first complement, where the first integer corresponding to the first data is the integer obtained by treating the bytes that store the first data as an integer. It then computes the difference between the first complement and the minimum encoding to obtain the encoding to be encrypted, treats the encoding to be encrypted as an unsigned integer, and performs order-preserving encryption on it with the first column key to obtain the second data. The minimum encoding is the binary encoding of the smallest negative integer for the number of bytes occupied by the first data, and that smallest negative integer can be determined from the size of the original data type corresponding to the first column name.
Still taking the case where the data in the first data column corresponding to the first column name is a single-precision floating-point number, assume the first data is -85.125. The binary encoding of the first integer corresponding to the first data is: 1100 0010 1010 1010 0100 0000 0000 0000. Inverting every bit except the sign bit gives: 1011 1101 0101 0101 1011 1111 1111 1111; adding 1 gives the first complement: 1 0111 1010 1010 1011 1000 0000 0000 000. Subtracting the smallest negative integer, 1 0000 0000 0000 0000 0000 0000 0000 000, gives: 0 0111 1010 1010 1011 1000 0000 0000 000. This value is encrypted with OPE, that is, ope(-85.125)=ope(0 0111 1010 1010 1011 1000 0000 0000 000).
For floating-point data, preprocessing positive and negative floating-point numbers as above before performing order-preserving encryption makes the sort order after order-preserving encryption the same as the sort order before encryption.
第三种情况:第一数据为字符型数据The third case: the first data is character data
在此种情况下,数据交互终端可以在第一数据的右侧填充预设字符,得到第一数据对应的标准字符,第一数据对应的标准字符的字符长度为预设字符长度;根据第一列名称对应的第一列密钥,将第一数据对应的标准字符的ASCII编码作为无符号整数进行处理,对第一数据对应的标准字符的ASCII编码进行保序加密,得到第二数据。预设字符长度为第一列名称对应的数据列所定义的最大字符长度,预设字符长度由第一列名称对应的原始数据类型大小确定。In this case, the data interaction terminal can fill the right side of the first data with preset characters to obtain the standard characters corresponding to the first data, and the character length of the standard characters corresponding to the first data is the preset character length; according to the first column key corresponding to the first column name, the ASCII code of the standard characters corresponding to the first data is processed as an unsigned integer, and the ASCII code of the standard characters corresponding to the first data is encrypted in an order-preserving manner to obtain the second data. The preset character length is the maximum character length defined by the data column corresponding to the first column name, and the preset character length is determined by the size of the original data type corresponding to the first column name.
其中,如果第一数据为定长字符型数据(char),预设字符为空格的ASCII字符,可以在第一数据的右侧填充ASCII编码为32的空格字符,直至第一数据的字符长度为预设字符长度(即字符字段宽度),得到第一数据对应的标准字符。Among them, if the first data is fixed-length character data (char), and the preset character is an ASCII character of a space, a space character with an ASCII code of 32 can be filled on the right side of the first data until the character length of the first data is the preset character length (i.e., the character field width) to obtain the standard character corresponding to the first data.
例如,预设字符长度为3。对于字符‘a’,其字符长度为1,在字符‘a’右侧填充2个空格字符后得到的标准字符为‘a’,a的ASCII编码为0x61,空格字符的ASCII编码0x20,则标准字符的ASCII编码为:0x61 20 20,再对标准字符的的ASCII编码进行ope保序加密,即ope(a)=ope(0x61 20 20)。对于字符串‘abc’,其字符长度为3,字符串‘abc’即为标准字符,a的ASCII为0x61,b为0x62,c为0x63,则标准字符的ASCII编码为:0x61 62 63;再对标准字符的ASCII编码进行ope保序加密,即ope(abc)=ope(0x61 62 63)。For example, the preset character length is 3. For the character ‘a’, its character length is 1. After padding 2 space characters on the right side of the character ‘a’, the standard character obtained is ‘a’. The ASCII code of a is 0x61, and the ASCII code of the space character is 0x20. The ASCII code of the standard character is: 0x61 20 20. Then the ASCII code of the standard character is ope-order-preserving encryption, that is, ope(a)=ope(0x61 20 20). For the string ‘abc’, its character length is 3. The string ‘abc’ is the standard character. The ASCII code of a is 0x61, b is 0x62, and c is 0x63. Then the ASCII code of the standard character is: 0x61 62 63. Then the ASCII code of the standard character is ope-order-preserving encryption, that is, ope(abc)=ope(0x61 62 63).
如果第一数据为变长字符型数据(varchar),预设字符为任一小于空格的ASCII字符,可以在第一数据的右侧填充ASCII编码小于空格的字符,直至第一数据的字符长度为预设字符长度(即字符字段宽度)度,得到第一数据对应的标准字符。例如可以在第一数据的右侧填充ASCII编码为31的不可见字符。If the first data is variable-length character data (varchar), and the preset character is any ASCII character that is smaller than a space, characters whose ASCII codes are smaller than a space may be padded on the right side of the first data until the character length of the first data reaches the preset character length (i.e., the character field width), thereby obtaining the standard characters corresponding to the first data. For example, an invisible character whose ASCII code is 31 may be padded on the right side of the first data.
仍以预设字符长度为3为例,ASCII编码为31的不可见字符的ASCII编码为1F,对于字符‘a’,其对应的标准字符对应的ASCII编码为0x61 1F 1F。Still taking the preset character length of 3 as an example, the ASCII code of the invisible character with ASCII code 31 is 1F. For the character 'a', the ASCII code corresponding to the standard character is 0x61 1F 1F.
第四种情况:第一数据为定长数值(Numeric)型数据。The fourth case: the first data is fixed-length numeric data.
In this case, in one feasible implementation, the data interaction terminal subtracts a first preset negative number from the first data to obtain a first positive number corresponding to the first data; pads the decimal part of that first positive number with zeros to obtain a second positive number whose number of decimal places equals a preset number of places; and performs order-preserving encryption, under the first column key, on the first positive integer corresponding to the second positive number to obtain the second data. The first positive integer is the integer obtained by ignoring the decimal point in the second positive number, that is, the second positive number with its decimal point dropped is treated as an integer. The preset number of places is the number of decimal places defined for the data column corresponding to the first column name; the first preset negative number is any negative number less than or equal to a first negative number, where the first negative number is the minimum negative number defined for that data column. Both the first preset negative number and the preset number of places are determined by the size of the original data type corresponding to the first column name.
For example, if the data column corresponding to the first column name is defined as Numeric(4,2), that is, 4 digits in total with 2 decimal places, then the preset number of places is 2 and the first preset negative number can be -99.99, or -100, or -101, and so on. As another example, if the column is defined as Numeric(7,3), that is, 7 digits in total with 3 decimal places, then the preset number of places is 3 and the first preset negative number can be -9999.999, or -10000, and so on.
Take the first data 10.0 as an example, and assume that the data column corresponding to the first column name is defined as Numeric(4,2) and the first preset negative number is -99.99. Subtracting the first preset negative number from the first data gives the first positive number 109.99; since 109.99 has 2 decimal places, which is exactly the preset number of places, the second positive number is 109.99; ignoring the decimal point in the second positive number gives the first positive integer 10999; the first positive integer is then encrypted in an order-preserving manner, that is, ope(10.0)=ope(10999).
Again take the first data 10.0, and assume that the data column corresponding to the first column name is defined as Numeric(4,2) and the first preset negative number is -100. Subtracting the first preset negative number from the first data gives the first positive number 110.0; since 110.0 has only 1 decimal place, fewer than the 2 required, the first positive number is zero-padded and the second positive number is 110.00; ignoring the decimal point in the second positive number gives the first positive integer 11000; the first positive integer is then encrypted in an order-preserving manner, that is, ope(10.0)=ope(11000).
In another feasible implementation, the data interaction terminal may instead zero-pad the decimal part of the first data to obtain a standard number whose number of decimal places equals the preset number of places; subtract a first preset negative integer from the second integer corresponding to the standard number to obtain the first positive integer, where the second integer corresponding to the standard number is the integer obtained by ignoring the decimal point in the standard number; and perform order-preserving encryption on the first positive integer under the first column key to obtain the second data. The preset number of places is the number of decimal places defined for the data column corresponding to the first column name; the first preset negative integer is any negative integer less than or equal to a target negative number, where the target negative number is the minimum negative number that can be expressed by all the digits defined for the data column of the first column name. Both the preset number of places and the first preset negative integer are determined by the size of the original data type corresponding to the first column name.
For example, if the data column corresponding to the first column name is defined as Numeric(4,2), that is, 4 digits in total with 2 decimal places, then the preset number of places is 2 and the first preset negative integer can be -9999, or -10000, or -10001, and so on. As another example, if the column is defined as Numeric(7,3), that is, 7 digits in total with 3 decimal places, then the preset number of places is 3 and the first preset negative integer can be -9999999, or -10000000, and so on.
Still taking the first data 10.0 as an example, assume that the data column corresponding to the first column name is defined as Numeric(4,2) and the first preset negative integer is -9999. Zero-padding the first data gives the standard number 10.00; ignoring the decimal point in the standard number gives the second integer 1000; subtracting the first preset negative integer -9999 gives the first positive integer 10999; the first positive integer is then encrypted in an order-preserving manner, that is, ope(10.0)=ope(10999).
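As an added example (not part of the patent text), the following Python code carries out both normalization paths for Numeric columns described above, the inverse applied after decryption, and a check that the mapping from column values to first positive integers is strictly order-preserving, which is what the later order-preserving encryption step relies on. The function names are assumptions of this example; a value carrying more decimal places than the column defines is rejected rather than rounded, since rounding could make distinct values collide. The OPE step itself is not implemented here.

```python
from decimal import Decimal


def _dec(x) -> Decimal:
    """Build a Decimal from int/str/Decimal without passing through binary floats."""
    return x if isinstance(x, Decimal) else Decimal(str(x))


def _places(d: Decimal) -> int:
    """Decimal places actually present in d (10.0 -> 1, 10 -> 0)."""
    return max(0, -d.as_tuple().exponent)


def pad_to_scale(d: Decimal, scale: int) -> Decimal:
    """Zero-pad d to exactly `scale` decimal places. Values with more places than the column
    defines are rejected rather than rounded: rounding could collapse distinct values and
    break the order that the later OPE step is supposed to preserve."""
    if _places(d) > scale:
        raise ValueError(f"{d} has more than {scale} decimal places")
    return d.quantize(Decimal(1).scaleb(-scale))


def normalize_numeric_a(value, scale: int, preset_negative) -> int:
    """First implementation: subtract the first preset negative number (e.g. -99.99 for
    Numeric(4,2)), zero-pad to `scale` places, then drop the decimal point."""
    first_positive = _dec(value) - _dec(preset_negative)
    if first_positive < 0:
        raise ValueError("first preset negative must be <= the column's minimum value")
    return int(pad_to_scale(first_positive, scale).scaleb(scale))


def normalize_numeric_b(value, scale: int, preset_negative_int: int) -> int:
    """Second implementation: zero-pad first to get the standard number, drop the point to
    get the second integer, then subtract the first preset negative integer (e.g. -9999)."""
    second_integer = int(pad_to_scale(_dec(value), scale).scaleb(scale))
    first_positive_integer = second_integer - preset_negative_int
    if first_positive_integer < 0:
        raise ValueError("first preset negative integer must be <= the column's minimum")
    return first_positive_integer


def restore_numeric(first_positive_integer: int, scale: int, preset_negative) -> Decimal:
    """Inverse used after OPE decryption: reinsert the decimal point and add the preset
    negative number back (the 'sum with the preset negative' restoration step)."""
    return Decimal(first_positive_integer).scaleb(-scale) + _dec(preset_negative)


def is_order_preserving(values, scale: int, preset_negative) -> bool:
    """The normalization must be strictly monotone, and equal values must map to equal
    integers, for the OPE ciphertexts to sort exactly like the plaintexts."""
    pairs = sorted((_dec(v), normalize_numeric_a(v, scale, preset_negative)) for v in values)
    return all((a[0] < b[0]) == (a[1] < b[1]) and (a[0] == b[0]) == (a[1] == b[1])
               for a, b in zip(pairs, pairs[1:]))


if __name__ == "__main__":
    # Numeric(4,2): scale 2, preset negative -99.99 (path a) or -9999 (path b)
    print(normalize_numeric_a("10.0", 2, "-99.99"), normalize_numeric_b("10.0", 2, -9999))
    print(restore_numeric(10999, 2, "-99.99"))
    print(is_order_preserving(["-99.99", "-12.5", "0", "10.0", "10", "99.99"], 2, "-99.99"))
```

Both paths give 10999 for 10.0 because -99.99 and -9999 describe the same offset once the point is dropped; the restore function is the one the terminal runs on the fifth data in step B3 onward.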
In the process of order-preserving encryption of the first positive integer under the first column key to obtain the second data, the data interaction terminal may additionally merge the first positive integer, starting from its lowest byte, to obtain a second positive integer, and then encrypt the second positive integer under the first column key to obtain the second data. In the merge, for each pair of adjacent bytes the low 4 bits of the higher byte become the high 4 bits of the merged byte and the low 4 bits of the lower byte become the low 4 bits of the merged byte; merging the first positive integer two bytes at a time in this way yields the second positive integer.
For example, 11711 treated as a big integer is 0x01 0107 0101 before merging and 0x011711 after merging. After merging, the storage overhead is reduced and the amount of computation for encryption is also greatly reduced.
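Added example, not from the patent: a Python implementation of the byte merge above, reading 0x01 0107 0101 as one byte per decimal digit of 11711 and packing the low nibbles of adjacent bytes from the lowest byte upward. The function names are assumed. The last function confirms that the merge, which is packed-BCD encoding, keeps the numeric order of its inputs, as it must when it is applied before order-preserving encryption.

```python
def digits_as_bytes(n: int) -> bytes:
    """Unmerged form: one byte per decimal digit, most significant first
    (11711 -> 01 01 07 01 01, written 0x01 0107 0101 in the text)."""
    if n < 0:
        raise ValueError("only the non-negative first positive integer is merged")
    return bytes(int(c) for c in str(n))


def merge_bytes(unmerged: bytes) -> bytes:
    """Pair bytes starting from the lowest (rightmost) byte. The low 4 bits of the higher byte
    of each pair become the high 4 bits of the merged byte; the low 4 bits of the lower byte
    become its low 4 bits. A leftover top byte contributes only its low 4 bits."""
    merged = bytearray()
    i = len(unmerged)
    while i >= 2:
        high, low = unmerged[i - 2], unmerged[i - 1]
        merged.append(((high & 0x0F) << 4) | (low & 0x0F))
        i -= 2
    if i == 1:
        merged.append(unmerged[0] & 0x0F)
    merged.reverse()  # bytes were appended least-significant first
    return bytes(merged)


def merge_integer(n: int) -> int:
    """Second positive integer as a number: 11711 -> 0x011711."""
    return int.from_bytes(merge_bytes(digits_as_bytes(n)), "big")


def unmerge_integer(packed: int) -> int:
    """Inverse applied after decryption: each 4-bit group is one decimal digit again."""
    hexdigits = format(packed, "x")
    if any(c not in "0123456789" for c in hexdigits):
        raise ValueError("a nibble above 9 cannot come from a decimal digit")
    return int(hexdigits)


def merge_keeps_order(values) -> bool:
    """Packed BCD compares like the decimal it encodes, so numeric order survives the merge."""
    ordered = sorted(values)
    return all(merge_integer(a) < merge_integer(b) for a, b in zip(ordered, ordered[1:]))


if __name__ == "__main__":
    print(digits_as_bytes(11711).hex(" "))          # 01 01 07 01 01
    print(hex(merge_integer(11711)))                # 0x11711
    print(unmerge_integer(0x011711))                # 11711
    print(merge_keeps_order([0, 9, 10, 99, 100, 10999, 11000, 11711]))  # True
```

For 11711 the merge shrinks five bytes to three, which is the storage and computation saving the text refers to.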
It should be noted that if the third algorithm name in the first column key metadata is the name of some other encryption algorithm, the first key is used as the encryption key and that other encryption algorithm is used to encrypt the first data.
Optionally, after the first data has been order-preservingly encrypted under the first column key corresponding to the first column name to obtain the second data, the second data may further be encoded with an extended encoding scheme to obtain third data, the extended encoding scheme being an extension of standard Base64 encoding. Encoding the second data with the extended encoding scheme to obtain the third data comprises: encoding the second data according to an extended encoding table based on standard Base64 encoding to obtain the Base64 extended code corresponding to the second data, where the extended encoding table is obtained by arbitrarily selecting any 64 visible characters of the ASCII standard and arranging them in ascending order of their values; and taking the ASCII encoding corresponding to the Base64 extended code as the third data.
By way of example, an extended encoding table based on standard Base64 encoding may be as shown in the following table.
For example, the second data consists of the binary codes x and y, with x=000000 and y=110100. Encoding x and y with the extended encoding table shown above gives the Base64 extended codes corresponding to the second data: base64_ope(x)=+ and base64_ope(y)=o. The ASCII encodings of these Base64 extended codes are then taken as the third data: the third data corresponding to x is 0x2B and the third data corresponding to y is 0x6f.
It should be understood that the above is only one implementation of the extended encoding table based on Base64 encoding provided by this application; any extended encoding table based on Base64 encoding that is obtained by arbitrarily selecting 64 visible characters of the ASCII standard and arranging them in ascending order of their values falls within the protection scope of this application. For example, the "+" in Table 1 may be replaced with "(" to obtain a new extended encoding table.
It should also be noted that when the second data is processed in the above manner to obtain the third data, the data interaction terminal, after querying the third data from the target database, must decode the third data in reverse to restore the query result to the original second data. For example, if the Base64 extended code corresponding to the third data queried from the target database is "+", the second data is determined from the above table to be 000000.
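The following Python code is an added example, not the patent's own table or code, covering the extended encoding described above. The page's table is not reproduced here, so the example assumes a table made of the 64 standard Base64 characters rearranged in ascending ASCII order; that assumption reproduces both values the text gives (000000 becomes "+", 110100 becomes "o"). The point the example makes is why the table must be sorted by character value: once the database compares the encoded strings as text, a sorted table keeps the ordering of the order-preserving ciphertexts, while the standard Base64 alphabet order does not. Function names are assumed.

```python
import base64
import string

# Standard Base64 alphabet in its RFC 4648 index order (index 0 is 'A').
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def build_extended_table(chars) -> str:
    """Validate 64 distinct visible ASCII characters and arrange them in ascending value
    order, which is the construction rule the text gives for the extended table."""
    chars = "".join(chars)
    if len(chars) != 64 or len(set(chars)) != 64:
        raise ValueError("an extended table needs exactly 64 distinct characters")
    if any(not 0x21 <= ord(c) <= 0x7E for c in chars) or "=" in chars:
        raise ValueError("only visible ASCII characters other than the '=' pad are allowed")
    return "".join(sorted(chars))


# Assumed table (not the patent's): the standard Base64 characters re-ordered by ASCII value.
# It reproduces both values in the text: index 0 (000000) -> '+', index 52 (110100) -> 'o'.
EXT_TABLE = build_extended_table(STD_ALPHABET)


def ext_encode(data: bytes, table: str = EXT_TABLE) -> str:
    """Standard Base64 grouping into 6-bit values and '=' padding, emitted through `table`."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans(STD_ALPHABET, table))


def ext_decode(text: str, table: str = EXT_TABLE) -> bytes:
    """Reverse decoding the terminal applies to query results (inverse of ext_encode)."""
    return base64.b64decode(text.translate(str.maketrans(table, STD_ALPHABET)), validate=True)


def keeps_order(table: str, samples) -> bool:
    """True if, for equal-length inputs, ordering the encoded strings byte-wise (as a database
    text comparison would) gives the same order as the underlying ciphertext bytes."""
    pairs = sorted((s, ext_encode(s, table)) for s in samples)
    return all(a[1] < b[1] for a, b in zip(pairs, pairs[1:]))


if __name__ == "__main__":
    print(EXT_TABLE[0], EXT_TABLE[52])                  # + o
    print(ext_encode(b"\xd0"), ext_decode("o+=="))       # o+== b'\xd0'
    one_byte = [bytes([v]) for v in range(256)]
    print(keeps_order(EXT_TABLE, one_byte), keeps_order(STD_ALPHABET, one_byte))  # True False
    print(build_extended_table(STD_ALPHABET.replace("+", "("))[:2])              # (/
```

Replacing "+" with "(" as the text suggests simply re-sorts the table, so "(" (0x28) takes index 0; any such table passes the same order check.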
A4. Rewrite the first column name in the first structured query statement as the second column name, and rewrite the first data in the first structured query statement as the second data, to obtain a second structured query statement.
For example, the first structured query statement is insert into t1(c1,c2) values(100,200). Assume that column c1 is an encrypted column, so c1 is the first column name and its corresponding second column name is d1, and that order-preserving encryption of the value 100 yields the encrypted value 78. The rewritten second structured query statement is then insert into t1(d1,c2) values(78,200).
Where the second data, after being obtained by order-preserving encryption of the first data under the first column key corresponding to the first column name, is further encoded with the extended encoding scheme to obtain third data, the rewriting of the first structured query statement rewrites the first data in the first structured query statement as the third data to obtain the second structured query statement. That is, step A4 above is replaced by: rewrite the first column name in the first structured query statement as the second column name, and rewrite the first data in the first structured query statement as the third data, to obtain the second structured query statement.
S203: The data interaction terminal sends the second structured query statement to the target database, and the target database receives the second structured query statement.
S204: The target database executes the database operation corresponding to the second structured query statement to obtain first operation result data.
The first operation result data includes the second column name and fourth data, where the fourth data is encrypted data.
S205: The target database sends the first operation result data to the data interaction terminal, and the data interaction terminal receives the first operation result data.
S206: The data interaction terminal performs data restoration on the first operation result data to obtain second operation result data corresponding to the first structured query statement.
Here, data restoration of the first operation result data by the data interaction terminal refers to the process of restoring the second column name in the first operation result data to the first column name and decrypting the third data to obtain the original data.
Where the fourth data in the first operation result data is data that has undergone extended encoding, the fourth data has the same form as the third data introduced in step A3 above. After receiving the first operation result data, the data interaction terminal must additionally apply extended decoding to the fourth data in the first operation result data to obtain the corresponding original operation result data, and then perform data restoration on that original operation result data. For the method of extended decoding of the fourth data to obtain the corresponding original operation result data, refer to the description of step A3 above.
The data interaction terminal may perform data restoration on the first operation result data (which may refer to the original operation result data after extended decoding) through the following steps B1-B4 to obtain the second operation result data corresponding to the first structured query statement:
B1. Determine, from the table encryption metadata corresponding to the target database, the first column name corresponding to the second column name and the first column key name corresponding to the second column name.
Here, the data interaction terminal locates, within the table encryption metadata corresponding to the target database, the table encryption metadata entry that contains the second column name; it then takes the column key name in that entry as the first column key name corresponding to the second column name, and the original column name in that entry as the first column name corresponding to the second column name.
B2. The data interaction terminal obtains the first column key corresponding to the second column name according to the first column key name.
Here, for the specific way in which the data interaction terminal obtains the first column key according to the first column key name, refer to the description of steps A21-A24 above, which is not repeated here.
B3. The data interaction terminal decrypts the fourth data according to the first column key corresponding to the second column name to obtain fifth data.
Here, decrypting the fourth data according to the first column key corresponding to the second column name means using the first column key as the decryption key and decrypting the fourth data with the OPE algorithm. For the specific principles of the OPE algorithm, refer to the introduction of the OPE algorithm above, which is not repeated here.
B4. The data interaction terminal takes the first column name and the fifth data as the second operation result data corresponding to the first structured query statement.
It should be noted that, because the data interaction terminal converts data to numeric form before performing order-preserving encryption (see step A3 above), the fourth data and the fifth data are both numeric data, while the original type of the data may be any one of the integer, floating-point, character and numeric types introduced above. After decryption yields the fifth data, the fifth data must therefore be restored to its original data type; this restoration is the inverse of the four order-preserving encryption cases introduced in step A3.
For example, if the original data type corresponding to the fifth data is the integer type, then after decryption yields the fifth data, the fifth data must be added to the preset negative integer corresponding to the original data type to restore it to the original integer data. As another example, if the original data type corresponding to the fourth data is the variable-length character type, the padding characters must be removed after the fourth data is obtained.
In the technical solution corresponding to FIG. 3 above, after the first structured query statement acting on the target database is obtained, it is rewritten to obtain a second structured query statement whose data is obtained by order-preserving encryption of the data in the first structured query statement; the second structured query statement is then sent to the target database so that the target database executes the database operation corresponding to it; the first operation result data returned by the target database after executing that database operation is then received; and finally data restoration is performed on the first operation result data to obtain the second operation result data corresponding to the first structured query statement. Because the SQL statement is rewritten before being sent to the database for execution, both encryption and data restoration take place on the data interaction terminal side, the database server only performs conventional database operations, and the database server software needs no modification. Because the data in the rewritten SQL statement is obtained by order-preserving encryption of the data in the original SQL statement, the order relationship among the encrypted data is the same as that among the plaintext data, so database operations such as sorting and size-comparison queries remain possible.
2. Detailed implementation of process (3), i.e. the generation and storage of table encryption metadata.
Referring to FIG. 4, which is a flow chart of another database operation method provided in an embodiment of the present application, the method can be applied to a secret database system and, as shown in FIG. 4, comprises the following steps:
S301: The data interaction terminal obtains a third structured query statement acting on the target database, the third structured query statement including a third column name.
Here, the third structured query statement is an enhanced data definition statement, that is, a data definition statement that supports defining encryption. The third structured query statement is used to create a first data table in the target database; it includes a third column name, and the data column corresponding to the third column name is an encrypted data column of the first data table. The third structured query statement also includes a second table name and a second column key name corresponding to the third column name, where the second table name is the name of the first data table and the second column key name corresponding to the third column name is the name of the column key used to encrypt the data column corresponding to the third column name. An enhanced data definition statement is defined relative to a standard data definition statement: the standard data definition statement is a conventional data definition statement, and the enhanced data definition statement adds encryption attributes on top of it.
In the present application, the third structured query statement is an enhanced DDL statement that can define the encryption attribute of a column. Through the enhanced DDL statement, one or more columns of a table are designated for encryption when the table is created. The command parameters include, in the column definition, a designation that the column is to be encrypted and the name of the column encryption key.
The format of the enhanced DDL is as follows:
In the column_constraint of CREATE TABLE, the following syntax is added:
COLUMN_ENCRYPTION_KEY: specifies the name of the column key used to encrypt the corresponding column
A specific example (Example 1) of the third structured query statement is as follows:
This example means: create a data table named "creditcard_info", in which the data column named "name" is an encrypted data column, and the column key used to encrypt the data column named "name" is named "ImgCEK1".
In some cases a data column may correspond to multiple column keys, that is, there may be multiple second column key names corresponding to the third column name, and different column key names may correspond to different encryption algorithms. Another specific example (Example 2) of the third structured query statement is as follows:
This example means: create a data table named "salary_info", in which the column keys used for the encrypted data column are named "ImgCEK1" and "ImgCEK2".
S302: The data interaction terminal rewrites the third structured query statement to obtain a fourth structured query statement, in which the fourth column name is obtained by transforming the third column name.
Here, the data interaction terminal may change the third column name in the third structured query statement to a replacement column name, obtaining the fourth column name, and change the original data type in the third structured query statement to a replacement data type, obtaining the fourth structured query statement. The fourth structured query statement is a standard data definition statement.
For example, for Example 1 of the third structured query statement in step S301 above, the fourth structured query statement obtained by rewriting is:
CREATE TABLE creditcard_info
{id_number int,
name_cx3579 varchar(268)}
The third structured query statement may contain multiple second column key names, with different second column key names corresponding to different encryption algorithms. If the third structured query statement contains multiple second column key names, then when it is rewritten, the third column name must be transformed once for each column key name in the statement, using the encryption algorithm corresponding to that key, to generate a replacement column name for each column key name, thereby obtaining multiple fourth column names.
For example, for Example 2 of the third structured query statement in step S301 above, the fourth structured query statement obtained by rewriting is:
If the data operation statement for the first data table is an insert-type data operation statement, the column name in the insert-type statement is replaced with the multiple fourth column names, the data in the insert-type statement is encrypted separately with the encryption algorithm corresponding to each second column key name in the first table encryption metadata to obtain multiple encrypted data, and the data in the insert-type statement is replaced with those multiple encrypted data. That is, for a target data table (a table in which an original data column corresponds to multiple replacement columns), when inserting data into it, the data interaction terminal must rewrite the original column in the SQL statement as the multiple replacement columns and, following the encryption definition, encrypt the value of the original column separately under each of the multiple keys to obtain multiple encrypted values.
For example, the following SQL statement:
insert into salary_info(id_number,salary)values(101,18010),
is rewritten as:
insert into salary_info(id_number,salary_cx3579,salary_cx8351)values(101,'U++/7KfGO+==','0x1259e25a152b.....');
如果针对所述第一数据表的数据操作语句为查询类型的数据操作语句,对于所述查询类型的数据操作语句中的第一表达式,所述第一表达式为where子句或having子句中的表达式,如果所述第一表达式中的运算符为保序算法支持的大小比较类运算符,将所述查询类型的数据操作语句中的所述第一表达式的列名称替换为采用保序算法加密的替换列名称,并对所述查询类型的数据操作语句中的所述第一表达式中的数据使用保序算法加密,如果所述第一表达式中的运算符为除保序算法以外的其他加密算法支持的运算符,将所述查询类型的数据操作语句中的所述第一表达式中的列名称替换为采用所述其他加密算法加密的替换列名称,并对所述查询类型的数据操作语句中的所述第一表达式中的数据使用所述其他加密算法加密;如果所述查询类型的数据操作语句中的表达式仅包含列名称,根据所述查询类型的数据操作语句中的所述表达式的位置,将所述查询类型的数据操作语句中的所述表达式中的列名称替换为采用所述第一表加密元数据中的最合适的第二列密钥名称对应的替换列名称;对于数据库操作后返回的第一操作结果数据,如果其对应结果表达式中的运算符为保序算法支持的大小比较类运算符,所述结果表达式为select语句中的select和from之间的表达式,所述目标数据库返回的操作结果数据为使用保序算法加密后的运算结果,所述使用保序算法加密后的运算结果无需进一步处理,如果其对应结果表达式中的运算符为所述其他加密算法支持的运算符,所述目标数据库返回的操作结果数据为使用所述其他加密算法加密后的运算结果,所述使用所述其他加密算法加密后的运算结果需要进行解密,如果其对应结果表达式仅包含列名称,所述目标数据库返回的操作结果数据为采用所述最合适的第二列密钥名称对应的列密钥加密后的结果,所述采用所述最合适的第二列密钥名称对应的列密钥加密后的结果需要进行解密;对于需要解密的运算结果,采用对应的加密算法和密钥进行解密。即对于包含由多个第二列密钥名称加密得到多个替换列名称的原始数据列的数据表,对于查询类SQL语句中的表达式(例如select语句中的where,having等子句中的表达式),根据其中的运算符,如果是保序支持的大小比较类运算,则列名替换为保序算法加密的列名,对应的值使用保序算法加密;如果是其它算法支持的运算(例如加法),则列名替换为对应算法(例如支持加法同态的加密算法)加密的列名,对应的值使用对应算法进行加密(例如支持加法同态的加密算法)。如果表达式仅含列名(这种情况通常出现在select语句中select和from之间的表达式),则根据表达式的位置,采用最合适的算法相关的列密钥元数据中的新列名进行替换。例如select salaryfrom salary_info,将salary使用保序算法相关的列密钥元数据中的新列名进行替换,即重写SQL为select salary_cx3579 from salary_info。对于目标数据表(即原始数据列对应多个替换列的数据表),对于SQL语句中的查询结果,按照上述的处理,根据SQL语句中的表达式及运算符,如果是保序支持的大小比较类运算,则服务端返回保序加密处理的值;否则返回其它算法加密处理的值。如果表达式仅含列名,则服务端返回最合适的算法相关的列密钥加密的列的值。在解密时,使用对应的算法进行解密。If the data operation statement for the first data table is a query-type data operation statement, for the first expression in the query-type data operation statement, the first expression is an expression in a where clause or a having clause, if the operator in the first expression is a size comparison operator supported by the order-preserving algorithm, the column name of the first expression in the query-type data operation statement is replaced with a replacement column name encrypted by the order-preserving algorithm, and the data in the first expression in the query-type data operation statement is 
encrypted using the order-preserving algorithm; if the operator in the first expression is an operator supported by an encryption algorithm other than the order-preserving algorithm, the column name in the first expression of the query-type data operation statement is replaced with the replacement column name encrypted by that other encryption algorithm, and the data in the first expression is encrypted using that other encryption algorithm; if an expression in the query-type data operation statement contains only column names, the column name in that expression is replaced, according to the position of the expression in the statement, with the replacement column name corresponding to the most appropriate second column key name in the first table encryption metadata. For the first operation result data returned after the database operation: if the operator in the corresponding result expression (the expression between select and from in the select statement) is a size comparison operator supported by the order-preserving algorithm, the operation result data returned by the target database is an operation result encrypted by the order-preserving algorithm and needs no further processing; if the operator in the corresponding result expression is an operator supported by the other encryption algorithm, the returned operation result data is an operation result encrypted by the other encryption algorithm and needs to be decrypted; if the corresponding result expression contains only a column name, the returned operation result data is the result encrypted with the column key corresponding to the most appropriate second column key name and needs to be decrypted. Operation results that need decryption are decrypted with the corresponding encryption algorithm and key.
That is, for a data table in which an original data column is encrypted under multiple second column key names to obtain multiple replacement column names, the expressions in a query SQL statement (such as the expressions in the where and having clauses of a select statement) are handled according to their operators: if the operator is a size comparison supported by order preservation, the column name is replaced with the column name encrypted by the order-preserving algorithm and the corresponding value is encrypted with the order-preserving algorithm; if it is an operation supported by another algorithm (such as addition), the column name is replaced with the column name encrypted by the corresponding algorithm (such as an encryption algorithm supporting additive homomorphism) and the corresponding value is encrypted with that algorithm. If the expression contains only column names (this usually occurs in the expression between select and from in a select statement), the new column name in the column key metadata of the most appropriate algorithm is substituted according to the position of the expression. For example, for select salary from salary_info, salary is replaced with the new column name in the column key metadata of the order-preserving algorithm, i.e., the SQL is rewritten to select salary_cx3579 from salary_info.
For the target data table (i.e., a data table in which an original data column corresponds to multiple replacement columns), the query results of the SQL statement follow the processing above: based on the expression and operator in the SQL statement, if it is a size comparison operation supported by order preservation, the server returns the value produced by order-preserving encryption; otherwise it returns the value produced by the other algorithm. If the expression contains only the column name, the server returns the value of the column encrypted with the column key of the most appropriate algorithm. On decryption, the corresponding algorithm is used.
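The rewrite-and-restore round trip just described (predicate column swapped for the OPE replacement column with an OPE-encrypted literal, a bare select-list column swapped for the most appropriate replacement column, and the returned ciphertext decrypted on the client) as an added Python example; it is not code from the patent. The table name salary_info and replacement column salary_cx3579 are the page's own, the metadata dictionary, column key bytes and row data are constructed, and the keyed map toy_ope is a deliberately simple stand-in for the patent's order-preserving algorithm (it preserves order but hides nothing about plaintext gaps, so it is only here to make the rewrite executable). Predicates whose operator the demo does not handle, such as the additive-homomorphic case, are passed through unchanged.

```python
import hashlib
import hmac
import re

# Constructed table encryption metadata: original column -> replacement column per algorithm.
TABLE_META = {"salary_info": {"salary": {"ope": "salary_cx3579"}}}
# Constructed column key (a real client unwraps it with the master key first).
COLUMN_KEYS = {"salary_cx3579": b"demo-column-key-for-salary-ope"}

JITTER = 1 << 16  # keyed jitter is always < JITTER, so m < m' implies toy_ope(m) < toy_ope(m')


def toy_ope(key: bytes, m: int) -> int:
    """Toy deterministic order-preserving map standing in for the patent's OPE (not secure)."""
    tag = hmac.new(key, str(m).encode(), hashlib.sha256).digest()
    return m * JITTER + int.from_bytes(tag[:4], "big") % JITTER


def toy_ope_decrypt(key: bytes, c: int) -> int:
    m = c // JITTER
    if toy_ope(key, m) != c:
        raise ValueError("ciphertext was not produced under this column key")
    return m


# column <size-comparison operator> integer literal
PREDICATE = re.compile(r"\b(\w+)\s*(<=|>=|<>|!=|<|>|=)\s*(-?\d+)\b")


def rewrite_select(sql: str, table: str):
    """Rewrite `select <cols> from <table> [where <predicates>]`.

    Returns the rewritten SQL plus, per output column, the key needed to restore it
    (None means the column comes back in plaintext)."""
    cols = TABLE_META[table]
    m = re.fullmatch(r"select (.+?) from (\w+)(?: where (.+))?", sql.strip(), re.I)
    if not m or m.group(2) != table:
        raise ValueError("unsupported statement shape")
    select_list, _, where = m.groups()

    # Expressions that contain only a column name (select list): use the replacement column
    # of the most appropriate key, here the OPE one; the value returned is OPE ciphertext.
    out_cols, restore = [], []
    for col in (c.strip() for c in select_list.split(",")):
        if col in cols:
            enc_col = cols[col]["ope"]
            out_cols.append(enc_col)
            restore.append(COLUMN_KEYS[enc_col])
        else:
            out_cols.append(col)
            restore.append(None)
    new_sql = f"select {', '.join(out_cols)} from {table}"

    # where-clause predicates with a size-comparison operator: replace the column with its
    # OPE replacement column and OPE-encrypt the literal under that column's key.
    if where:
        def repl(mo):
            col, op, lit = mo.groups()
            if col not in cols:
                return mo.group(0)
            enc_col = cols[col]["ope"]
            return f"{enc_col} {op} {toy_ope(COLUMN_KEYS[enc_col], int(lit))}"
        new_sql += " where " + PREDICATE.sub(repl, where)
    return new_sql, restore


def restore_rows(rows, restore):
    """Data restoration step: decrypt OPE ciphertext columns, pass plaintext columns through."""
    return [tuple(v if k is None else toy_ope_decrypt(k, v) for v, k in zip(row, restore))
            for row in rows]


def demo():
    sql, restore = rewrite_select(
        "select name, salary from salary_info where salary > 5000", "salary_info")
    key = COLUMN_KEYS["salary_cx3579"]
    # Constructed server response: the replacement column comes back as OPE ciphertext.
    rows = [("alice", toy_ope(key, 5200)), ("bob", toy_ope(key, 9000))]
    return sql, restore_rows(rows, restore)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The server only ever sees salary_cx3579 and OPE ciphertexts, which is why the comparison still works without any server-side change; the cost, as with any OPE scheme, is that the server learns the order of every stored and queried value, so the choice of which columns get an OPE replacement column should be deliberate.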
If the data operation statement for the first data table is an update-type data operation statement, the where clause of the update-type data operation statement is processed in the same way as the where clause of the query-type data operation statement, and the other parts of the update-type data operation statement are processed in the same way as the insert-type data operation statement.
If the data operation statement for the first data table is a delete-type data operation statement, the where clause of the delete-type data operation statement is processed in the same way as the where clause of the query-type data operation statement.
S303a: The data interaction terminal sends the fourth structured query statement to the target database, and the target database receives the fourth structured query statement.
S303b: The data interaction terminal sends the first table encryption metadata to the target database, and the target database receives the first table encryption metadata.
Here, the first table encryption metadata includes the column encryption information corresponding to the first data table, which includes the third column name, the fourth column name and the second column key name; the column encryption information corresponding to the first data table further includes the name of the first data table, the type and size of the original data in the data column corresponding to the third column name, and the type and size of the encrypted data in the encrypted data column corresponding to the fourth column name, etc.
S304a: The target database executes the table creation operation corresponding to the fourth structured query statement.
S304b: The target database saves the first table encryption metadata.
The data interaction terminal sends the first table encryption metadata to the target database for storage through a standard structured query statement.
In the technical solution corresponding to FIG. 4 above, after obtaining the structured query statement for creating a data table in the target database, the data interaction terminal rewrites the structured query statement, removes the encryption-related definitions of the columns, and sends the rewritten structured query statement to the target database so that the target database performs the table creation operation. The target database does not need to be aware of the encryption feature and only needs to create the table in the conventional way, so the database server software does not need to be modified. The data interaction terminal also sends the table encryption metadata to the target database for storage, which facilitates the subsequent decryption of the data.
3. Detailed implementation of process (2), i.e., the process of generating and storing the column key and the column key metadata.
Referring to FIG. 5, FIG. 5 is a flow chart of another database operation method provided in an embodiment of the present application. The method can be applied to a secret database system. As shown in FIG. 5, the method includes the following steps:
S401: The data interaction terminal obtains a fifth structured query statement, where the fifth structured query statement includes a second master key name, a third column key name, and the algorithm name corresponding to the third column key name.
Here, the fifth structured query statement is an enhanced data definition statement, i.e., a data definition statement that supports defining encryption. The fifth structured query statement is used to create a column key for the target database: the third column key name is the name of the column key to be created by the fifth structured query statement, and the second master key name is the name of the master key used to encrypt the column key to be created. The fifth structured query statement also includes the algorithm name corresponding to the third column key name, which is the name of the encryption and decryption algorithm used with the column key.
A syntax example of the fifth structured query statement is as follows:
CREATE COLUMN ENCRYPTION KEY key_name
WITH(
COLUMN_MASTER_KEY=column_master_key_name,
ALGORITHM=algorithm_name
)
Here, key_name is the name of the column key, column_master_key_name is the name of the master key used to encrypt the column key, and algorithm_name is the name of the algorithm the column key uses to encrypt data, which can be the ope algorithm introduced above.
S402: The data interaction terminal determines a second encrypted column key according to the second master key name and the third column key name.
The second encrypted column key is obtained by encrypting the third column key corresponding to the third column key name with the second master key corresponding to the second master key name.
The data interaction terminal can obtain the master key metadata corresponding to the second master key name; that metadata includes the second master key name, the key path, the algorithm name and the key store provider name.
If the key store provider name in the master key metadata corresponding to the second master key name is the name of the local key management module, the local key management module in the data interaction terminal can generate the third column key corresponding to the third column key name, determine the master key corresponding to the second master key name from the key path in that metadata and the second master key name, and finally encrypt the column key corresponding to the third column key name with that master key and the encryption algorithm corresponding to the algorithm name in that metadata, obtaining the second encrypted column key.
If the key store provider name in the master key metadata corresponding to the second master key name is the name of a third-party key management module, the data interaction terminal can send the third column key name and the master key metadata corresponding to the second master key name to the third-party key management module. The third-party key management module generates the third column key corresponding to the third column key name, determines the master key corresponding to the second master key name from the key path in that metadata and the second master key name, encrypts the column key corresponding to the third column key name with that master key and the encryption algorithm corresponding to the algorithm name in that metadata to obtain the second encrypted column key, and then returns the second encrypted column key to the data interaction terminal.
S403: The data interaction terminal sends the second column key metadata and the second encrypted column key to the target database, where the second column key metadata includes the second master key name, the third column key name and the algorithm name corresponding to the third column key name; the target database receives the second column key metadata and the second encrypted column key.
S404: The target database saves the second column key metadata and the second encrypted column key.
The data interaction terminal sends the second column key metadata and the second encrypted column key to the target database for storage through a standard structured query statement.
In the technical solution corresponding to FIG. 5 above, after obtaining the structured query statement for creating a column key for the target database, the data interaction terminal encrypts the column key to obtain an encrypted column key, and then saves the encrypted column key, together with the column key metadata indicating the encryption attributes of the column key, in the target database. The database only needs to store the metadata in the conventional way, so the database server software does not need to be modified.
4. Detailed implementation of process (1), i.e., the process of generating and storing the master key and the master key metadata.
Referring to FIG. 6, FIG. 6 is a flow chart of another database operation method provided in an embodiment of the present application. The method can be applied to a secret database system. As shown in FIG. 6, the method includes the following steps:
S501: The data interaction terminal obtains a sixth structured query statement, where the sixth structured query statement includes second master key metadata.
Here, the sixth structured query statement is an enhanced data definition statement, i.e., a data definition statement that supports defining encryption. The sixth structured query statement is used to create a master key for the target database and includes the second master key metadata. The second master key metadata includes the third master key name, the second algorithm name and the second key path, where the second algorithm name is the name of the encryption and decryption algorithm corresponding to the master key and the second key path is the storage path corresponding to the master key; the second master key metadata also includes the key store provider name.
An example of the sixth structured query statement is as follows:
Here, key_name is the name of the master key in the database, key_store_provider_name is the name of the key store provider, key_path indicates the path of the master key, and algorithm is the algorithm name.
S502: Generate the master key corresponding to the third master key name.
If the key store provider name in the second master key metadata is the name of the local key management module in the data interaction terminal, the local key management module of the data interaction terminal can generate the master key corresponding to the third master key name from the second master key metadata and save it at the second key path. If the key store provider name in the second master key metadata is the name of a third-party key management module, the data interaction terminal can send the second master key metadata to the third-party key management module, which generates the master key corresponding to the third master key name from the second master key metadata and saves it, and the third-party key management module can save that master key at the second key path.
S503: The data interaction terminal sends the second master key metadata to the target database, and the target database receives the second master key metadata.
S504: The target database saves the second master key metadata.
The data interaction terminal may send the second master key metadata to the target database for storage through a standard structured query statement.
In the technical solution corresponding to FIG. 6 above, after obtaining the structured query statement for creating a master key for the target database, the data interaction terminal saves the master key metadata in the target database. The database only needs to store the master key metadata in the conventional way, so the database server software does not need to be modified.
The method of the present application has been described above; the device of the present application is described below.
Referring to FIG. 7, FIG. 7 is a schematic structural diagram of an encryption and decryption device for a secret database provided in an embodiment of the present application, applied to a data interaction terminal. As shown in FIG. 7, the encryption and decryption device 60 for a secret database includes:
an acquisition module 601, configured to acquire a first structured query statement acting on a target database, where the first structured query statement is a data operation statement;
a rewriting module 602, configured to rewrite the first structured query statement to obtain a second structured query statement, where the data in the second structured query statement is obtained by order-preserving encryption of the data in the first structured query statement;
a sending module 603, configured to send the second structured query statement to the target database so that the target database executes the database operation corresponding to the second structured query statement;
a receiving module 604, configured to receive the first operation result data returned by the target database after executing the database operation; and
a restoration module 605, configured to perform data restoration on the first operation result data to obtain the second operation result data corresponding to the first structured query statement.
In a possible design, the first structured query statement includes a first column name, and the rewriting module 602 is specifically configured to: determine, according to table encryption metadata, the first column key name and the second column name corresponding to the first column name, where the table encryption metadata includes the column encryption information corresponding to the data tables in the target database, and the column encryption information includes the column names of the encrypted data columns in those data tables before and after encryption and the column key names corresponding to the encrypted data columns; obtain the first column key metadata and the first encrypted column key corresponding to the first column key name, where the first column key metadata includes a first master key name and the first column key name, and the first encrypted column key is obtained by encrypting the first column key corresponding to the first column name with the master key corresponding to the first master key name; obtain the first master key metadata corresponding to the first master key name, where the first master key metadata includes a first algorithm name and a first key path, the first algorithm name being the name of the encryption and decryption algorithm corresponding to the master key and the first key path being the storage path corresponding to the master key; determine the first master key corresponding to the first master key name according to the first key path; decrypt the first encrypted column key with the first master key and the encryption and decryption algorithm corresponding to the first algorithm name to obtain the first column key; perform order-preserving encryption on the first data according to the first column key to obtain second data, where order-preserving encryption maps the values of the plaintext space into the ciphertext space in a fixed order, so that the relative order of the plaintexts is still preserved among the ciphertexts, while the statistical characteristics of the plaintext are hidden during the mapping to ensure the security of the algorithm; and rewrite the first column name in the first structured query statement as the second column name and the first data in the first structured query statement as the second data, obtaining the second structured query statement.
In a possible design, the rewriting module 602 is specifically configured to: if the first data is negative floating-point data, compute the binary two's complement of the first integer corresponding to the first data to obtain a first complement, where the first integer is the integer obtained by treating the bytes that store the first data as an integer; compute the difference between the first complement and the minimum code to obtain the code to be encrypted, where the minimum code is the binary code of the minimum negative integer for the number of bytes occupied by the first data; and, according to the first column key, process the code to be encrypted as an unsigned integer and apply order-preserving encryption to it to obtain the second data. If the first data is character data, pad the right side of the first data with a preset character to obtain the standard characters corresponding to the first data, where the character length of the standard characters is a preset character length, namely the maximum character length defined for the data column corresponding to the first column name; if the first data is fixed-length character data, the preset character is the ASCII space character, and if the first data is variable-length character data, the preset character is any ASCII character smaller than the space; then, according to the first column key, process the ASCII code of the standard characters as an unsigned integer and apply order-preserving encryption to it to obtain the second data. If the first data is numeric data, subtract a first preset negative number from the first data to obtain a first positive number corresponding to the first data, where the first preset negative number is any negative number less than or equal to the first negative number, the first negative number being the minimum negative number defined for the data column corresponding to the first column name; pad the decimal places of the first positive number with zeros to obtain a second positive number whose number of decimal places is a preset number of places, namely the number of decimal places defined for the data column corresponding to the first column name; starting from the lowest position of the first positive integer, merge the first positive integer by taking the lower 4 bits of the high-order byte of each pair of adjacent bytes as the high 4 bits of a merged byte and the lower 4 bits of the low-order byte as the low 4 bits of the merged byte, obtaining a second positive integer, where the first positive integer is the integer obtained by ignoring the decimal point in the second positive number; and encrypt the second positive integer according to the first column key to obtain the second data.
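The three type normalisations above, written out as an added Python example (not code from the patent) so that the order-preservation property can be checked on concrete values. The character and numeric steps follow the text directly: CHAR is padded with a space and VARCHAR with a byte below the space, and the decimal digits are packed a pair at a time from the low end (low nibble of the high digit into the high nibble of the merged byte). For the negative-float step the text does not pin down the direction of the subtraction, so the function below uses the standard sign-flip total-order encoding of IEEE-754 doubles instead; that substitution is an assumption and is marked as such in the code. All sample values are constructed.

```python
import struct
from decimal import Decimal

MASK64 = (1 << 64) - 1


def float_to_code(x: float) -> int:
    """Unsigned 64-bit code whose integer order equals the float order.

    ASSUMPTION: standard sign-flip trick, used here in place of the patent's
    complement-minus-minimum-code step. The stored bytes of a negative double have the
    sign bit set and their magnitude order reversed; flipping every bit puts -2.0 below
    -1.0. Positive doubles only get the top bit set so they sort above all negatives."""
    bits = struct.unpack(">Q", struct.pack(">d", x))[0]
    return bits ^ MASK64 if bits >> 63 else bits | (1 << 63)


def char_to_code(s: str, max_len: int, fixed_length: bool) -> int:
    """Right-pad to the column's declared length, then read the bytes as one big-endian unsigned integer.

    CHAR columns pad with the space (0x20), so 'ab' and 'ab ' become the same code, matching
    CHAR comparison semantics. VARCHAR columns pad with a byte below the space (0x00 here),
    so 'ab' stays strictly below 'ab '."""
    raw = s.encode("ascii")
    if len(raw) > max_len:
        raise ValueError("value longer than the column's declared length")
    pad = b" " if fixed_length else b"\x00"
    return int.from_bytes(raw.ljust(max_len, pad), "big")


def pack_digits(digits: bytes) -> bytes:
    """Merge adjacent ASCII digit bytes from the low end: low nibble of the high-order
    byte becomes the high nibble of the merged byte, low nibble of the low-order byte
    the low nibble (packed BCD)."""
    if len(digits) % 2:
        digits = b"0" + digits  # pair up starting from the lowest digit
    return bytes(((digits[i] & 0x0F) << 4) | (digits[i + 1] & 0x0F)
                 for i in range(0, len(digits), 2))


def numeric_to_code(value: str, scale: int, preset_negative: str) -> int:
    """DECIMAL normalisation: subtract the preset negative (<= column minimum) so the
    result is non-negative, pad the fraction to `scale` places, drop the point, pack."""
    first_positive = Decimal(value) - Decimal(preset_negative)
    if first_positive < 0:
        raise ValueError("value below the column's declared minimum")
    second_positive = f"{first_positive:.{scale}f}"        # fraction padded to `scale` digits
    first_integer = second_positive.replace(".", "")       # decimal point ignored
    return int.from_bytes(pack_digits(first_integer.encode("ascii")), "big")


def is_monotone(codes) -> bool:
    return all(a < b for a, b in zip(codes, codes[1:]))


if __name__ == "__main__":
    print([hex(float_to_code(v)) for v in (-2.0, -1.0, 0.0, 1.5)])
    print(numeric_to_code("-999.99", 2, "-1000.00"), numeric_to_code("0", 2, "-1000.00"))
```

Because every digit is below 16, the packed bytes read as a big-endian integer are exactly the decimal digit string interpreted in base 16, so the packing is order-preserving even when the integer parts have different lengths; the padding of the fraction is still needed so that 12.3 and 12.30 map to the same code.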
In a possible design, the rewriting module 602 is specifically configured to: encode the second data with an extended encoding method to obtain third data, where the extended encoding method is an extended encoding method based on standard Base64 encoding; and rewrite the first data in the first structured query statement as the third data.
In a possible design, the rewriting module 602 is specifically configured to: encode the second data according to an extended coding table based on standard Base64 encoding to obtain the extended Base64 code corresponding to the second data, where the extended coding table is obtained by taking any 64 of the visible characters in the ASCII standard and arranging them in order of their code values; and use the ASCII codes corresponding to the extended Base64 code as the third data.
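Why the 64 symbols must be sorted by code value, shown as an added Python example (not code from the patent): the order-preserving ciphertext is an integer, but the column stores text, and the database compares that text byte by byte. With the standard Base64 alphabet the symbol order (A..Z, a..z, 0..9, +, /) disagrees with ASCII order, so two ciphertexts can swap places after encoding; with the same 64 symbols sorted by ASCII value, and a fixed output width, string order equals integer order. Which 64 visible characters are chosen is left open by the text; the alphabet below is a constructed choice.

```python
import string

# Constructed extension alphabet: the standard Base64 symbols, re-sorted by ASCII value.
SORTED_ALPHABET = "".join(sorted(string.ascii_letters + string.digits + "+/"))
STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def encode_ordered(n: int, width: int, alphabet: str = SORTED_ALPHABET) -> str:
    """Fixed-width base-64 text for an unsigned integer using a 64-symbol alphabet.

    The fixed width (leading 'zero' symbols) is what keeps byte-wise comparison of the
    text equal to integer comparison; the sorted alphabet keeps each symbol's ASCII value
    monotone in its digit value."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must hold 64 distinct symbols")
    if n < 0:
        raise ValueError("only unsigned codes are encoded")
    out = []
    for _ in range(width):
        out.append(alphabet[n & 63])
        n >>= 6
    if n:
        raise OverflowError("value does not fit in the requested width")
    return "".join(reversed(out))


def decode_ordered(text: str, alphabet: str = SORTED_ALPHABET) -> int:
    n = 0
    for ch in text:
        n = (n << 6) | alphabet.index(ch)
    return n


def preserves_order(values, alphabet: str, width: int = 4) -> bool:
    """Does byte-wise (ASCII) comparison of the encoded text agree with integer order?"""
    encoded = [encode_ordered(v, width, alphabet).encode("ascii") for v in sorted(values)]
    return all(a < b for a, b in zip(encoded, encoded[1:]))


if __name__ == "__main__":
    print(SORTED_ALPHABET)
    print(preserves_order([0, 62], STANDARD_ALPHABET), preserves_order([0, 62], SORTED_ALPHABET))
```

A practitioner's check when deploying this: the replacement column must use a binary (byte-wise) collation. A case-insensitive or locale-aware collation compares the stored text in a different order than ASCII and silently breaks the range queries the order-preserving column exists for.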
In a possible design, the acquisition module 601 is further configured to acquire a third structured query statement acting on the target database, where the third structured query statement is an enhanced data definition statement, i.e., a data definition statement that supports defining encryption, and is used to create a first data table in the target database; the third structured query statement includes the name of the first data table, a third column name, the second column key name corresponding to the third column name, and the type and size of the original data in the data column corresponding to the third column name, where the data column corresponding to the third column name is an encrypted data column of the first data table and the second column key name is the name of the second column key that encrypts that data column. The rewriting module 602 is further configured to rewrite the third structured query statement to obtain a fourth structured query statement, where the fourth column name in the fourth structured query statement is obtained by transforming the third column name, the type of the encrypted data in the encrypted data column corresponding to the fourth column name is obtained by changing the type of the original data in the data column corresponding to the third column name, and the fourth structured query statement is a standard data definition statement. The sending module 603 is further configured to send the fourth structured query statement to the target database so that the target database executes the table creation operation corresponding to the fourth structured query statement, and to send the first table encryption metadata to the target database through a standard structured query statement so that the target database saves it, where the first table encryption metadata includes the column encryption information corresponding to the first data table, which includes the name of the first data table, the third column name, the fourth column name, the second column key name, the type and size of the original data in the data column corresponding to the third column name, and the type of the encrypted data in the encrypted data column corresponding to the fourth column name.
In one possible design, the third column name has multiple corresponding second column key names, and different second column key names correspond to different encryption algorithms. The above-mentioned rewrite module 602 is specifically used for the following. If the data operation statement for the first data table is an insert-type data operation statement, the column name in the insert-type statement is replaced with the multiple fourth column names, the data in the insert-type statement is encrypted separately with the encryption algorithm corresponding to each second column key name in the first table encryption metadata to obtain multiple encrypted data, and the data in the insert-type statement is replaced with the multiple encrypted data. If the data operation statement for the first data table is a query-type data operation statement, then for a first expression in the query-type statement, the first expression being an expression in a where clause or a having clause: if the operator in the first expression is a size comparison operator supported by the order-preserving algorithm, the column name of the first expression is replaced with the replacement column name encrypted with the order-preserving algorithm, and the data in the first expression is encrypted with the order-preserving algorithm; if the operator in the first expression is an operator supported by another encryption algorithm other than the order-preserving algorithm, the column name in the first expression is replaced with the replacement column name encrypted with that other encryption algorithm, and the data in the first expression is encrypted with that other encryption algorithm; if an expression in the query-type statement contains only a column name, the column name in that expression is replaced, according to the position of the expression in the statement, with the replacement column name corresponding to the most appropriate second column key name in the first table encryption metadata. For the first operation result data returned after the database operation, the result expression being the expression between select and from in the select statement: if the operator in the corresponding result expression is a size comparison operator supported by the order-preserving algorithm, the operation result data returned by the target database is an operation result encrypted with the order-preserving algorithm and needs no further processing; if the operator in the corresponding result expression is an operator supported by the other encryption algorithm, the operation result data returned by the target database is an operation result encrypted with the other encryption algorithm and needs to be decrypted; if the corresponding result expression contains only a column name, the operation result data returned by the target database is a result encrypted with the column key corresponding to the most appropriate second column key name and needs to be decrypted. Operation results that need decryption are decrypted with the corresponding encryption algorithm and key. If the data operation statement for the first data table is an update-type data operation statement, the where clause part of the update-type statement is processed in the same way as the where clause of the query-type statement, and the other parts of the update-type statement are processed in the same way as the insert-type statement. If the data operation statement for the first data table is a delete-type data operation statement, the where clause part of the delete-type statement is processed in the same way as the where clause of the query-type statement.
In one possible design, the acquisition module 601 is further used to acquire a fifth structured query statement, where the fifth structured query statement is an enhanced data definition statement, that is, a data definition statement that supports defining encryption; the fifth structured query statement is used to create a column key corresponding to the target database and includes a second master key name, a third column key name, and the algorithm name corresponding to the third column key name, the latter being the name of the encryption and decryption algorithm corresponding to the column key; the module generates, according to the third column key name, a third column key corresponding to the third column key name; acquires, according to the second master key name, the second master key corresponding to the second master key name; and encrypts the third column key with the second master key to obtain the second encrypted column key. The sending module 603 is further used to send the second column key metadata and the second encrypted column key to the target database through a standard structured query statement, so that the target database saves the second column key metadata and the second encrypted column key, where the second column key metadata includes the second master key name, the third column key name, and the algorithm name corresponding to the third column key name.
In one possible design, the acquisition module 601 is further used to acquire a sixth structured query statement, where the sixth structured query statement is an enhanced data definition statement, that is, a data definition statement that supports defining encryption; the sixth structured query statement is used to create a master key corresponding to the target database and includes second master key metadata, which includes a third master key name, a second algorithm name, a second key path, and a keystore provider name, the second algorithm name being the name of the encryption and decryption algorithm corresponding to the master key and the second key path being the storage path corresponding to the master key; the module generates the master key corresponding to the third master key name and saves it according to the second key path. The sending module 603 is further used to send the second master key metadata to the target database through a standard structured query statement, so that the target database saves the second master key metadata.
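The column-key and master-key creation flows of the two preceding designs, as an added example that is not the patent's code: the client generates the master key and stores it at the key path, generates the column key, encrypts (wraps) it with the named master key, and sends only metadata plus the wrapped key to the database through standard SQL, so the database never holds a plaintext key. The table names, the file keystore, the key names and the HMAC-based wrap are assumptions; a production system would use a standard key wrap such as AES-KW and an HSM or KMS as the keystore provider.

```python
import hashlib, hmac, os, secrets, sqlite3, tempfile

# Metadata tables the target database keeps (constructed names): it only stores
# names, paths, algorithm names and the wrapped column key, never a plaintext key.
SCHEMA = """
CREATE TABLE master_key_meta (name TEXT PRIMARY KEY, algorithm TEXT, key_path TEXT, provider TEXT);
CREATE TABLE column_key_meta (name TEXT PRIMARY KEY, master_key_name TEXT, algorithm TEXT, wrapped_key BLOB);
"""


def wrap(mk, ck):
    # Encrypt-then-MAC with an HMAC-derived keystream: a stand-in for a real key
    # wrap such as AES-KW, chosen so the example runs with the standard library.
    nonce = secrets.token_bytes(16)
    ks = hmac.new(mk, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(ck, ks))
    tag = hmac.new(mk, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(mk, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    expect = hmac.new(mk, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrapped column key failed integrity check")
    ks = hmac.new(mk, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, ks))


def create_master_key(db, name, algorithm, key_path, provider):
    # Client-side handling of the enhanced "create master key" DDL: generate the
    # key, save it at key_path (a file keystore here), send only metadata to the DB.
    mk = secrets.token_bytes(32)
    with open(key_path, "wb") as f:
        f.write(mk)
    db.execute("INSERT INTO master_key_meta VALUES (?, ?, ?, ?)",
               (name, algorithm, key_path, provider))
    return mk


def load_master_key(db, name):
    (path,) = db.execute("SELECT key_path FROM master_key_meta WHERE name = ?",
                         (name,)).fetchone()
    with open(path, "rb") as f:
        return f.read()


def create_column_key(db, mk_name, ck_name, algorithm):
    # Enhanced "create column key" DDL: generate the column key, encrypt it with
    # the named master key, persist metadata plus the wrapped key via standard SQL.
    ck = secrets.token_bytes(32)
    wrapped = wrap(load_master_key(db, mk_name), ck)
    db.execute("INSERT INTO column_key_meta VALUES (?, ?, ?, ?)",
               (ck_name, mk_name, algorithm, wrapped))
    return ck


def load_column_key(db, ck_name):
    mk_name, blob = db.execute(
        "SELECT master_key_name, wrapped_key FROM column_key_meta WHERE name = ?",
        (ck_name,)).fetchone()
    return unwrap(load_master_key(db, mk_name), blob)


def demo():
    # Returns (column key round-trips, DB holds only the wrapped form, tamper caught).
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    path = os.path.join(tempfile.mkdtemp(), "mk1.key")  # constructed keystore path
    create_master_key(db, "mk1", "hmac-stream-wrap", path, "file")
    ck = create_column_key(db, "mk1", "ck_salary_ope", "OPE")
    (blob,) = db.execute("SELECT wrapped_key FROM column_key_meta").fetchone()
    try:  # flip one ciphertext bit: the MAC check must reject the wrapped key
        unwrap(load_master_key(db, "mk1"), blob[:16] + bytes([blob[16] ^ 1]) + blob[17:])
        caught = False
    except ValueError:
        caught = True
    return load_column_key(db, "ck_salary_ope") == ck, ck not in blob, caught
```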
It should be noted that, for content not mentioned in the embodiment corresponding to FIG. 7, reference may be made to the description of the foregoing method embodiment, which is not repeated here.
After acquiring the first structured query statement acting on the target database, the above device rewrites the first structured query statement to obtain a second structured query statement, the data in which is obtained by order-preserving encryption of the data in the first structured query statement; it then sends the second structured query statement to the target database so that the target database executes the corresponding database operation, receives the first operation result data returned after the target database executes that operation, and finally restores the first operation result data to obtain the second operation result data corresponding to the first structured query statement. Because the SQL statement is rewritten before being sent to the database for execution, both encryption and data restoration are performed on the data interaction terminal side; the database server only performs conventional database operations and needs no modification. Because the data in the rewritten SQL statement is obtained by order-preserving encryption of the data in the original SQL statement, the order relationship between the encrypted data is the same as that between the plaintext data, so database operations such as sorting and size comparison queries can still be performed.
Referring to FIG. 8, FIG. 8 is a schematic structural diagram of a computer device provided in an embodiment of the present application. The computer device 70 includes a processor 701 and a memory 702. The memory 702 is connected to the processor 701, for example, via a bus.
The processor 701 is configured to support the computer device 70 in performing the corresponding functions of the method in the above method embodiment. The processor 701 may be a central processing unit (CPU), a network processor (NP), a hardware chip, or any combination thereof. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The memory 702 is used to store program code and the like. The memory 702 may include volatile memory (VM), such as random access memory (RAM); the memory 702 may also include non-volatile memory (NVM), such as read-only memory (ROM), flash memory, a hard disk drive (HDD), or a solid-state drive (SSD); the memory 702 may also include a combination of the above types of memory.
When the computer device 70 is an authorization acquisition terminal, the processor 701 may call the program code to perform the following operations:
acquiring a first structured query statement acting on a target database, the first structured query statement being a data operation statement;
rewriting the first structured query statement to obtain a second structured query statement, the data in the second structured query statement being obtained by order-preserving encryption of the data in the first structured query statement;
sending the second structured query statement to the target database, so that the target database executes the database operation corresponding to the second structured query statement;
receiving first operation result data returned by the target database after executing the database operation;
restoring the first operation result data to obtain second operation result data corresponding to the first structured query statement.
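The rewrite, send, receive and restore flow listed above, combined with the multi-key dispatch of rewrite module 602 (comparison operators routed to the order-preserving column, equality to the other algorithm's column, a bare column read back from the most appropriate one), as an added example that is not the patent's code. The table, column and key names are constructed, and the order-preserving and deterministic ciphers are toy stand-ins so the example runs offline against SQLite; they provide no confidentiality, and even a real order-preserving scheme reveals the order of plaintexts to the server by design.

```python
import hashlib
import hmac
import sqlite3

# Constructed first-table encryption metadata for a table "emp": the plaintext
# column "salary" is backed by two encrypted columns, one per column key/algorithm.
TABLE_META = {"emp": {"salary": {"OPE": "salary_ope", "DET": "salary_det"}}}
# Column keys by algorithm (in the design these are unwrapped with the master key).
KEYS = {"OPE": b"toy-ope-column-key", "DET": b"toy-det-column-key"}
ORDER_OPS = {"<", "<=", ">", ">="}   # comparison operators -> order-preserving column
EQ_OPS = {"=", "!="}                  # equality operators  -> deterministic column


def ope_encrypt(x):
    # Toy order-preserving map (NOT a secure OPE): x*1000 plus a keyed tag in
    # [0, 999] keeps the order of integers, which is all the rewrite relies on.
    tag = hmac.new(KEYS["OPE"], str(x).encode(), hashlib.sha256).digest()
    return x * 1000 + int.from_bytes(tag[:2], "big") % 1000


def ope_decrypt(c):
    return c // 1000


def det_encrypt(x):
    # Toy deterministic, reversible scheme (NOT secure): XOR with a keyed keystream.
    ks = hmac.new(KEYS["DET"], b"keystream", hashlib.sha256).digest()
    return bytes(b ^ ks[i % 32] for i, b in enumerate(str(x).encode())).hex()


def det_decrypt(c):
    ks = hmac.new(KEYS["DET"], b"keystream", hashlib.sha256).digest()
    return int(bytes(b ^ ks[i % 32] for i, b in enumerate(bytes.fromhex(c))).decode())


ENC = {"OPE": ope_encrypt, "DET": det_encrypt}
DEC = {"OPE": ope_decrypt, "DET": det_decrypt}


def rewrite_insert(table, col, value):
    # Insert: one plaintext column becomes all of its encrypted columns, and the
    # value is encrypted once per column key.
    cols = TABLE_META[table][col]
    names = ", ".join(cols.values())
    vals = ", ".join(repr(ENC[alg](value)) for alg in cols)
    return f"INSERT INTO {table} ({names}) VALUES ({vals})"


def rewrite_where(table, col, op, value):
    # where/having expression: pick the column key whose algorithm supports the
    # operator, then encrypt the literal with that same algorithm.
    if op in ORDER_OPS:
        alg = "OPE"
    elif op in EQ_OPS:
        alg = "DET"
    else:
        raise ValueError(f"no column key supports operator {op!r}")
    return f"{TABLE_META[table][col][alg]} {op} {ENC[alg](value)!r}"


def rewrite_select(table, col, where):
    # A bare column between select and from is read back from the deterministic
    # column (the "most appropriate" key here, because its result is decryptable).
    return (f"SELECT {TABLE_META[table][col]['DET']} FROM {table} "
            f"WHERE {rewrite_where(table, *where)}")


def restore(rows):
    # Data restoration of the first operation result data: decrypt each cell.
    return [DEC["DET"](r[0]) for r in rows]


def demo(where=("salary", ">", 4000)):
    # Run the rewritten statements against a plain SQLite database that only ever
    # sees ciphertext and standard SQL; returns the restored plaintext result.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE emp (salary_ope INTEGER, salary_det TEXT)")  # standard DDL
    for s in (3000, 4500, 7000):
        db.execute(rewrite_insert("emp", "salary", s))
    rows = db.execute(rewrite_select("emp", "salary", where)).fetchall()
    return sorted(restore(rows))
```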
An embodiment of the present application further provides a computer-readable storage medium storing a computer program, the computer program including program instructions which, when executed by a computer, cause the computer to perform the method described in the foregoing embodiments.
A person of ordinary skill in the art can understand that all or part of the processes of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, can include the processes of the above method embodiments. The storage medium can be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
What is disclosed above is only a preferred embodiment of the present application and certainly cannot be used to limit the scope of rights of the present application; therefore, equivalent changes made according to the claims of the present application still fall within the scope covered by the present application.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410470688.3A CN118363986B (en) | 2024-04-18 | 2024-04-18 | Encryption and decryption method and device for secret database |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118363986A true CN118363986A (en) | 2024-07-19 |
| CN118363986B CN118363986B (en) | 2025-03-04 |
Family ID: 91882654
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410470688.3A Active CN118363986B (en) | 2024-04-18 | 2024-04-18 | Encryption and decryption method and device for secret database |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118363986B (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |