CN118363986B - Encryption and decryption method and device for secret database - Google Patents

Info

Publication number: CN118363986B
Application number: CN202410470688.3A
Authority: CN (China)
Prior art keywords: data, column, name, key, structured query
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN118363986A
Inventors: 朱贤, 张世明, 杜剑峰
Current assignee: Beigemeis Shenzhen Technology Co ltd
Original assignee: Beigemeis Shenzhen Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/24 Querying
    • G06F 16/245 Query processing
    • G06F 16/2453 Query optimisation
    • G06F 16/24534 Query rewriting; Transformation
    • G06F 16/24547 Optimisations to support specific applications; Extensibility of optimisers
    • G06F 16/2455 Query execution
    • G06F 16/24553 Query execution of query operations
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The application provides an encryption and decryption method and device for an encrypted (secret-state) database. The method comprises: obtaining a first structured query statement acting on a target database, the first structured query statement being a data operation statement; rewriting the first structured query statement to obtain a second structured query statement, in which the data of the first statement is replaced by its order-preserving encryption; sending the second structured query statement to the target database so that the target database executes the corresponding database operation; receiving the first operation result data returned by the target database after it executes the database operation; and restoring the first operation result data to obtain the second operation result data corresponding to the first structured query statement. With this technical scheme, database operations such as sorting and comparison queries can be performed in the encrypted database.

Description

Encryption and decryption method and device for secret database
Technical Field
The application relates to the field of encrypted (secret-state) databases, and in particular to an encryption and decryption method and device for such a database.
Background
The core task of a database is the management of data assets: the classification, organisation, encoding, storage, retrieval and maintenance of data. With today's explosive growth of data, databases carry an ever larger share of data processing and analysis, and they drive application innovation by making data usable, thereby supporting the process of digital development.
An encrypted database (secret-state database) is a database management system that stores and manages encrypted data. Data is held in the database in encrypted form, and storage, computation, retrieval and management are all carried out on ciphertext, while database-management capabilities such as syntax analysis and transactional ACID guarantees are integrated with those of a conventional database. The encrypted database is the product of the close combination of a database system, encryption technology and mathematical algorithms; its core task is to protect data throughout its whole life cycle while supporting retrieval and computation over the encrypted data. Randomised encryption guarantees the security of the data in an encrypted database, but randomised ciphertexts lose their flexibility of operation: database operations such as sorting and comparison queries can no longer be performed on them.
Disclosure of Invention
The application provides an encryption and decryption method and device for an encrypted database, which address the technical problem that data in an encrypted database, once randomly encrypted, can no longer be ordered correctly or used in database operations such as comparison queries.
In a first aspect, a database operation method is provided, applied to a data interaction terminal, and the method includes:
acquiring a first structured query language (SQL) statement acting on a target database, wherein the first structured query statement is a data operation statement;
rewriting the first structured query statement to obtain a second structured query statement, wherein the data in the second structured query statement is obtained by order-preserving encryption of the data in the first structured query statement;
sending the second structured query statement to the target database, so that the target database executes the database operation corresponding to the second structured query statement;
receiving first operation result data returned after the target database executes the database operation; and
restoring the first operation result data to obtain second operation result data corresponding to the first structured query statement.
In a second aspect, an encryption and decryption device for an encrypted database is provided, applied to a data interaction terminal, and the device comprises:
an acquisition module for acquiring a first structured query statement acting on the target database, wherein the first structured query statement is a data operation statement;
a rewriting module for rewriting the first structured query statement to obtain a second structured query statement, wherein the data in the second structured query statement is obtained by order-preserving encryption of the data in the first structured query statement;
a sending module for sending the second structured query statement to the target database so that the target database executes the database operation corresponding to the second structured query statement;
a receiving module for receiving first operation result data returned after the target database executes the database operation; and
a restoration module for restoring the first operation result data to obtain second operation result data corresponding to the first structured query statement.
In a third aspect, there is provided a computer device comprising a memory and one or more processors, the memory being connected to the one or more processors, the one or more processors being operable to execute one or more computer programs stored in the memory, the one or more processors, when executing the one or more computer programs, causing the computer device to implement the database operating method of the first aspect described above.
In a fourth aspect, a computer readable storage medium is provided, the computer readable storage medium storing a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the database operating method of the first aspect.
The method and the device have the following advantage. After a first structured query statement acting on the target database is obtained, it is rewritten into a second structured query statement whose data is the order-preserving encryption of the data in the first statement. The second statement is sent to the target database, which executes the corresponding database operation; the first operation result data returned by the target database is received; and finally the first operation result data is restored to obtain the second operation result data corresponding to the first statement. Because the data in the rewritten SQL statement is the order-preserving encryption of the data in the original SQL statement, the order relationship between the encrypted values is the same as the order relationship between the plaintext values, so database operations such as ordering and comparison queries can still be carried out.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments of the present application will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of the system architecture of an encrypted database system according to an embodiment of the present application;
FIG. 2 is a schematic diagram of order-preserving encryption according to an embodiment of the present application;
FIG. 3 is a flowchart of a database operation method according to an embodiment of the present application;
FIG. 4 is a flowchart of another database operation method according to an embodiment of the present application;
FIG. 5 is a flowchart of another database operation method according to an embodiment of the present application;
FIG. 6 is a flowchart of another database operation method according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of an encryption and decryption device for an encrypted database according to an embodiment of the present application;
FIG. 8 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The present application will be described in further detail with reference to the drawings and examples, in order to make the objects, technical solutions and advantages of the present application more apparent. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that, if not in conflict, the features of the embodiments of the present application may be combined with each other, which is within the protection scope of the present application. In addition, while functional block division is performed in a device diagram and logical order is shown in a flowchart, in some cases, the steps shown or described may be performed in a different order than the block division in the device, or in the flowchart. Furthermore, the words "first," "second," "third," and the like as used herein do not limit the order of data and execution, but merely distinguish between identical or similar items that have substantially the same function and effect.
The technical scheme of the application can be applied to an encrypted database system. Referring to FIG. 1, a schematic diagram of the system architecture of an encrypted database system provided by an embodiment of the present application, the system includes a data interaction terminal 101 and a database 102. The data interaction terminal 101 is a user-facing terminal on which a database client runs; the user issues SQL statements to the database client, which receives them, performs lexical and syntactic parsing, sends the SQL statements and receives the results. The data interaction terminal 101 may also be provided with an encryption subsystem for encrypting and decrypting SQL statements and results. The encryption subsystem comprises a searchable encryption algorithm module, a key management module, an encryption table metadata management module, an SQL encryption (rewriting) process, a result decryption process and other modules that support the processing of encrypted data. The database 102 is a storage container for all kinds of data; it executes the database operation corresponding to an SQL statement sent by the database client and returns the execution result to the database client.
For ease of understanding, some of the terms involved in the present application will be first described.
1. SQL statement
SQL is a database language with a variety of functions, such as data manipulation and data definition. SQL statements include data definition language (DDL) statements and data manipulation language (DML) statements.
A data definition statement defines data objects: it can define a database, the data tables in a database and the fields (column names) of a data table. A DML statement adds, deletes, modifies or queries the data in a data table of the database.
2. Master key
In the application, the master key is a key created by the data interaction terminal according to the master key creation command, and the master key is used for encrypting and decrypting the column key.
3. Master key metadata
In the present application, master key metadata refers to data related to a master key; it mainly includes a master key name, a key store provider name, a key path and an algorithm name. The master key name indicates the master key. The key store provider name indicates the provider of the master key, which may be a local key store provider or a third-party key store provider: the local key store provider is the key management module local to the data interaction terminal, which belongs to the encryption subsystem of the data interaction terminal, while a third-party key store provider is a key management module outside the data interaction terminal. The key path is the storage path of the master key. The algorithm name is the name of the encryption and decryption algorithm corresponding to the master key; this algorithm is used to encrypt and decrypt the column keys of the application.
4. Column key
In the application, the column key is a key created by the data interaction terminal according to the column key creation instruction, and the column key is used for encrypting and decrypting the data columns in a data table.
5. Column key metadata
In the present application, column key metadata refers to data related to a column key; it mainly includes a master key name, a column key name and an algorithm name. The column key name indicates the column key. The master key name indicates the master key used to encrypt and decrypt the column key. The algorithm name is the name of the encryption and decryption algorithm corresponding to the column key; this algorithm is used to encrypt and decrypt the data columns in a data table. In the present application, the algorithm corresponding to a column key may be the order-preserving encryption (OPE) algorithm or another encryption and decryption algorithm.
6. Encryption column key
In the present application, the encrypted column key refers to a column key obtained by encrypting a column key corresponding to a column key name in column key metadata by using a master key corresponding to a master key name in the column key metadata.
7. Table encryption metadata
In the present application, the table encryption metadata refers to data related to encrypted data. The table encryption metadata includes column encryption information in a data table in the database, and mainly includes a table name, an original column name, a replacement column name, a column key name, an original data type size, and a new data type size. The table name is used for indicating the data table in the database, the original column name is used for indicating one data column in the data table to be encrypted in the unencrypted data table, the replacement column name is used for indicating the encrypted data column in the encrypted data table, and the column key name in the table encryption metadata is used for indicating the column key adopted by the encrypted data column. The original data type size refers to the type and size of the original data in the unencrypted data column, and the new data type size refers to the type and size of the encrypted data in the encrypted data column. Alternatively, the new data type size may not be included in the table encryption metadata, and the new data type size may be obtained directly at the time of processing according to the encryption algorithm of the original data type size and the column key.
8. Ope algorithm
The OPE algorithm achieves encryption and order preservation by a mathematical transformation of the data. It supports comparison operators on numeric and character data, that is, it keeps numeric and character data searchable.
The OPE algorithm pseudo-randomises the values of the plaintext space by means of the hypergeometric distribution (HGD) and maps them into the ciphertext space in order. Pseudo-randomisation hides the frequency distribution of the plaintext, that is, the statistical characteristics of the plaintext are hidden by the randomisation operation. At the same time the ordered mapping keeps the order relationship of the plaintexts, so the relative order of the plaintexts is still preserved among the ciphertexts.
The pseudo-randomisation is implemented on the basis of the HGD; for a fixed key it is deterministic and stateless.
For numeric data, the HGD sampling function x = HGD(D, R, y, cc) is explained as follows:
Balls are drawn from a box containing R balls, of which D are black and R − D are white. y balls are drawn, and the function returns the number x of black balls among them. HGD implements a sampling algorithm whose output x is a random variable following the hypergeometric distribution. In a computer implementation D, R and y are fixed and x is generated from the random number cc, so that over all values of cc the probability of obtaining x = X is P_HGD(X; R, D, y). cc is a random number computed by a pseudo-random function PRF(k, D, R); the PRF may be realised by computing a MAC over D and R and then AES-encrypting the result.
For a plaintext m and key k, the specific encryption steps for computing the ciphertext c are as follows:
(1) Initialise the plaintext domain to a given interval according to the data type; the ciphertext range has twice as many bits as the plaintext domain. For the int type, the plaintext domain is domain = [0, 2^32) and the ciphertext range is range = [0, 2^64), i.e. the plaintext domain size is D = 2^32 and the ciphertext range size is R = 2^64.
(2) Compute y = R/2, cc = PRF(k, D, R) and x = HGD(D, R, y, cc).
(3) If m < min(domain) + x, set domain = [min(domain), min(domain) + x) and range = [min(range), min(range) + y); otherwise set domain = [min(domain) + x, max(domain)) and range = [min(range) + y, max(range)).
Here min() and max() return the lower and upper bound of the given interval, respectively.
(4) Update the plaintext domain size and ciphertext range size: D = size of domain, R = size of range.
(5) If D = 1, go to step (6); otherwise return to step (2).
(6) Compute a hash value of the plaintext m, encrypt the hash value with AES, reduce the encryption result modulo R, and take (result mod R) + min(range) as the final ciphertext c.
An example of order-preserving encryption is shown in FIG. 2.
Let m = 25, with the plaintext interval [0, 100) mapped into the ciphertext interval [0, 1000).
The specific steps are as follows:
Step 1: HGD(100, 1000, 500, cc) outputs 44. Since 25 < 44, domain and range are adjusted to [0, 44) and [0, 500), respectively.
Step 2: after the adjustment the process is repeated. The second call HGD(44, 500, 250, cc) outputs 23. Since 25 > 23, domain and range are adjusted to [23, 44) and [250, 500), respectively. This is repeated for several rounds; in the 8th and last round the domain is [25, 26), its size having converged to 1.
Step 3: finally, step (6) of the algorithm computes the number 301 from the range [298, 305), so the ciphertext of 25 is 301.
For a ciphertext c and key k, the specific decryption steps for computing the plaintext m are as follows:
(1) Initialise the plaintext domain to a given interval according to the data type; the ciphertext range has twice as many bits as the plaintext domain. For the int type, the plaintext domain is domain = [0, 2^32) and the ciphertext range is range = [0, 2^64), i.e. the plaintext domain size is D = 2^32 and the ciphertext range size is R = 2^64.
(2) Compute y = R/2, cc = PRF(k, D, R) and x = HGD(D, R, y, cc).
(3) If c < min(range) + y, set domain = [min(domain), min(domain) + x) and range = [min(range), min(range) + y); otherwise set domain = [min(domain) + x, max(domain)) and range = [min(range) + y, max(range)).
Here min() and max() return the lower and upper bound of the given interval, respectively.
(4) Update the plaintext domain size and ciphertext range size: D = size of domain, R = size of range.
(5) If D = 1, go to step (6) to compute the plaintext; otherwise return to step (2).
(6) Compute a hash value of min(domain), encrypt it with AES, reduce the encryption result modulo R and add min(range). If the final result equals the ciphertext c, then m = min(domain); otherwise decryption fails.
The verification in step (6) detects a ciphertext that has been tampered with. If tampering of the ciphertext need not be considered, the hashing and AES encryption of step (6) can be omitted entirely and m = min(domain) taken directly.
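As an added worked example (not code from the patent), the following Python implements encryption steps (1) to (6) and the matching decryption steps above for the [0, 100) → [0, 1000) toy parameters of FIG. 2, and checks order preservation, the round trip, and the step (6) integrity check on an invalid ciphertext. HMAC-SHA256 stands in for PRF(k, D, R) and for the hash-then-AES step, and the HGD sample is an exact inverse-CDF draw, so the figures 44, 23 and 301 quoted on the page, which depend on the unspecified key and PRF, are not reproduced.

```python
"""Order-preserving encryption (OPE) following the patent's steps (1)-(6):
a binary search over nested plaintext/ciphertext intervals driven by a
hypergeometric (HGD) sample each round, plus a keyed final step whose
recomputation on decryption doubles as the integrity check of step (6).
Added example, not the patent's code. Assumptions not on the page:
HMAC-SHA256 (expanded with a counter) stands in for PRF(k, D, R) and for
the 'hash then AES' step; the HGD sample is an exact inverse-CDF draw."""
import hashlib
import hmac
from math import comb


def prf_int(key: bytes, label: bytes, nbits: int, *values: int) -> int:
    """Deterministic integer of at least nbits bits from HMAC-SHA256 in
    counter mode over (label, values). Stand-in for the page's PRF."""
    msg = label + b"|".join(str(v).encode() for v in values)
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, msg + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return int.from_bytes(out, "big")


def hgd(D: int, R: int, y: int, cc: int) -> int:
    """x = HGD(D, R, y, cc): draw y balls from R of which D are black and
    return the number of black balls. Exact inverse-CDF over the pmf, so the
    same cc always yields the same x and x follows the hypergeometric law.
    Exact big-integer combinatorics only suit toy domains, not the 2^32 case."""
    total = comb(R, y)
    u = cc % total                   # cc carries > log2(total) bits: bias negligible
    x = max(0, y - (R - D))          # smallest feasible number of black balls
    cumulative = comb(D, x) * comb(R - D, y - x)
    while cumulative <= u:
        x += 1
        cumulative += comb(D, x) * comb(R - D, y - x)
    return x


def _walk(key, domain, rng, go_left):
    """Steps (2)-(5), shared by encryption and decryption. Intervals are
    half-open [lo, hi). go_left(d_lo, r_lo, x, y) picks the branch: by the
    plaintext when encrypting, by the ciphertext when decrypting."""
    d_lo, d_hi = domain
    r_lo, r_hi = rng
    while d_hi - d_lo > 1:
        D, R = d_hi - d_lo, r_hi - r_lo
        y = R // 2
        cc = prf_int(key, b"hgd", comb(R, y).bit_length() + 64, D, R)  # cc = PRF(k, D, R)
        x = hgd(D, R, y, cc)
        if go_left(d_lo, r_lo, x, y):
            d_hi, r_hi = d_lo + x, r_lo + y
        else:
            d_lo, r_lo = d_lo + x, r_lo + y
    return d_lo, d_hi, r_lo, r_hi


def _final(key: bytes, m: int, r_lo: int, R: int) -> int:
    """Step (6): keyed hash of the plaintext, reduced mod R, offset by min(range)."""
    return r_lo + prf_int(key, b"final", R.bit_length() + 64, m) % R


def encrypt(key: bytes, m: int, domain: tuple, rng: tuple) -> int:
    """OPE-encrypt plaintext m from domain into rng; deterministic and stateless."""
    if not domain[0] <= m < domain[1]:
        raise ValueError("plaintext outside the plaintext domain")
    d_lo, _, r_lo, r_hi = _walk(key, domain, rng, lambda lo, _r, x, _y: m < lo + x)
    return _final(key, d_lo, r_lo, r_hi - r_lo)


def decrypt(key: bytes, c: int, domain: tuple, rng: tuple) -> int:
    """OPE-decrypt c; raises ValueError when c was not produced under key."""
    if not rng[0] <= c < rng[1]:
        raise ValueError("ciphertext outside the ciphertext range")
    d_lo, d_hi, r_lo, r_hi = _walk(key, domain, rng, lambda _lo, r, _x, y: c < r + y)
    # A forged c can steer the search into a sub-range holding no plaintext
    # (x == 0 on the left or x == D on the right), leaving an empty domain;
    # step (6) must then fail rather than test an arbitrary m.
    if d_hi - d_lo != 1 or _final(key, d_lo, r_lo, r_hi - r_lo) != c:
        raise ValueError("ciphertext failed the step (6) integrity check")
    return d_lo


if __name__ == "__main__":
    KEY = b"constructed-demo-key"          # constructed sample key
    DOM, RNG = (0, 100), (0, 1000)         # the FIG. 2 toy parameters
    cts = [encrypt(KEY, m, DOM, RNG) for m in range(*DOM)]
    assert cts == sorted(cts) and len(set(cts)) == len(cts)   # order preserved
    assert all(decrypt(KEY, c, DOM, RNG) == m for m, c in enumerate(cts))
    print("m=25 ->", cts[25], "| all 100 plaintexts round-trip and keep order")
```

Because order is preserved by design, whoever holds the ciphertext column sees the same order relation as the plaintexts; that is the property the patent relies on for sorting and comparison, and it is also exactly what the ciphertexts reveal.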
The general technical idea of the application is to use an order-preserving algorithm on the data interaction terminal side to encrypt numeric and character data, so that ciphertexts have the same order as their plaintexts. This supports all kinds of comparison operations on the ciphertext, and the indexing capability of the database can be used to build indexes directly on the ciphertext. The server is unaware that the data is encrypted and does not modify the data. Unlike conventional encryption techniques, order-preserving encryption encrypts data without disrupting its order, so in application scenarios that require queries, ordering or comparisons based on data order, these functions continue to work on encrypted data.
The application is described in detail below in terms of the following processes:
(1) The data interaction terminal creates a master key by command. The master key may be stored in the client's local key management system or in a third-party key management system, and the data interaction terminal stores the master key metadata in the database.
(2) The data interaction terminal creates a column key by command. The column key is encrypted with the master key and then stored in the database; the column key metadata may also be stored in the database.
(3) The data interaction terminal defines the encryption attributes of columns when creating a table, takes these encryption attributes as table encryption metadata and stores them in the database. The data interaction terminal also caches encryption metadata: column keys, key attribute information, column encryption attributes and the like queried from the database are cached at the client.
(4) The data interaction terminal parses the SQL statement, identifies the encrypted fields from the cached column encryption attribute metadata, encrypts them and rewrites the SQL. The data interaction terminal also processes the query result: according to the result returned by the database it looks up the encryption metadata, obtains the column key corresponding to the encrypted field and decrypts the result.
The application encrypts data without destroying its order; it thus achieves data security while still supporting business applications such as database queries and comparisons, has strong practical value for database security, and is highly compatible because the database server software need not be modified.
The following describes the scheme of the present application in detail.
1. Detailed embodiment of Process (4)
Referring to FIG. 3, a flowchart of a database operation method according to an embodiment of the present application, the method may be applied to an encrypted database system and, as shown in FIG. 3, includes the following steps:
S201: the data interaction terminal acquires a first structured query statement acting on a target database.
Here, the target database may be any one database.
The first structured query statement is a data manipulation statement, namely the DML described above.
The first structured query statement includes a first table name, a first column name and first data. The first table name indicates the data table acted on by the first structured query statement (hereinafter referred to as the second data table), which may be any data table in the target database. The first column name indicates the data column to which the first structured query statement points (hereinafter referred to as the first data column), that is, the column of the second data table on which the first structured query statement acts and on which one or more of the add, delete, modify and query operations is to be performed. The first data belongs to the data column corresponding to the first column name, that is, it is data of the first data column. It should be appreciated that the first structured query statement may contain one or more table names, column names and data values.
An example of a first structured query statement is insert into t1 (c1, c2) values (100, 200): t1 is the first table name, c1 and c2 are each a first column name in the first data table, and 100 and 200 are the data in column c1 and column c2 of the first data table, respectively.
After the first structured query statement is obtained, the data interaction terminal analyzes the first structured query statement to obtain a first column name in the first structured query statement, then queries whether the first column name in the first structured query statement exists in the table encryption metadata corresponding to the target database, if so, indicates that the data in the first data column is encrypted data, and executes step S202, if not, the data in the first data column is not encrypted data, and the data interaction terminal can directly send the first structured query statement to the target database to enable the target database to execute the database operation corresponding to the first structured query statement.
The table encryption metadata corresponding to the target database contains column encryption information corresponding to the data table in the target database, and the specific content of the column encryption information can be referred to the description of the table encryption metadata.
After parsing the first structured query statement, the data interaction terminal may first determine whether the first table name in the statement exists in the table encryption metadata corresponding to the target database. If it does, the terminal then determines whether the first column name in the statement exists in the table encryption metadata corresponding to the first table name. If the first table name does not exist in the table encryption metadata corresponding to the target database, the first data table contains no encrypted data column, and the data interaction terminal can send the first structured query statement directly to the target database so that the target database executes the corresponding database operation.
The table encryption metadata corresponding to the target database is stored in the target database by the data interaction terminal through the table encryption metadata generation and storage process, and the generation and storage process of the table encryption metadata will be described in detail in the embodiment corresponding to fig. 4, which will not be described in detail here.
The data interaction terminal can acquire the table encryption metadata corresponding to the target database from the target database, or can buffer the table encryption metadata corresponding to the target database locally after generating the table encryption metadata corresponding to the target database through the table encryption metadata generation and storage process, so that the data interaction terminal can acquire the table encryption metadata corresponding to the target database from the local buffer.
S202, the data interaction terminal rewrites the first structured query statement to obtain a second structured query statement, wherein data in the second structured query statement is obtained by performing order-preserving encryption on the data in the first structured query statement.
The data interaction terminal rewrites the first structured query statement to obtain a second structured query statement, that is, it replaces the first column name in the first structured query statement with the column name corresponding to the encrypted data column, performs order-preserving encryption on the first data in the first structured query statement to obtain encrypted data, and replaces the first data in the first structured query statement with the encrypted data. Order-preserving encryption maps the values of the plaintext space to the ciphertext space in a certain order, so that the relative order among plaintexts is still preserved in the ciphertexts, while the statistical characteristics of the plaintext are hidden during the mapping, thereby ensuring the security of the algorithm. Performing order-preserving encryption on the first data to obtain encrypted data means encrypting the first data with the ope algorithm described above.
The data interaction terminal can rewrite the first structured query sentence through the following steps A1-A4 to obtain a second structured query sentence:
A1, determining a first column key name and a second column name corresponding to the first column name according to the table encryption metadata corresponding to the target database.
The data interaction terminal can determine the table encryption metadata corresponding to the first table name in the table encryption metadata corresponding to the target database according to the first table name in the first structured query statement, then determine the column key name in the table encryption metadata corresponding to the first table name as the first column key name corresponding to the first column name, and determine the alternative column name in the table encryption metadata corresponding to the first table name as the second column name corresponding to the first column name.
A2, acquiring a first column key corresponding to the first column name according to the first column key name.
The data interaction terminal may obtain the first column key corresponding to the first column name through the following steps A21-A24:
A21, acquiring first column key metadata and a first encryption column key corresponding to the first column key name.
Here, the first column key metadata includes a first master key name, the first column key name, and a third algorithm name. The first master key name is the name of the master key used to encrypt and decrypt the first column key corresponding to the first column key name. The third algorithm name is the name of the algorithm that uses the first column key to encrypt and decrypt the data column corresponding to the first column key; in this application the third algorithm name may be the name of the ope algorithm or the name of another encryption algorithm. The first encrypted column key is obtained by encrypting the first column key with the master key corresponding to the first master key name.
The column key metadata and the encrypted column key are stored in the target database by the data interaction terminal through the generation and storage processes of the column key and the column key metadata, and the generation and storage processes of the column key and the column key metadata will be described in detail in the following embodiments corresponding to fig. 5, and will not be described too much.
After determining the first column key name, the data interaction terminal may acquire the first column key metadata and the first encrypted column key corresponding to the first column key name from the target database. Alternatively, after generating the column key metadata and the encrypted column key through the generation and storage processes of the column key and the column key metadata, the data interaction terminal may save them locally, so that it can also acquire the first column key metadata and the first encrypted column key corresponding to the first column key name from the local cache. It should be understood that the column key metadata containing the first column key name is the first column key metadata corresponding to the first column key name, and the encrypted column key corresponding to the first column key metadata is the first encrypted column key.
A22, obtaining first master key metadata corresponding to the first master key name.
The first master key metadata includes a first algorithm name and a first key path. The first algorithm name is the name of the encryption and decryption algorithm corresponding to the master key, that is, the algorithm used to encrypt and decrypt the first column key with the master key corresponding to the first master key name. The first key path is the storage path of the master key corresponding to the first master key name. The first master key metadata further includes the first master key name and a master key repository provider name, which is the name of the key management module that generated the master key corresponding to the first master key name.
The master key metadata is saved by the data interaction terminal to the target database through a master key generation and storage process, which will be described in detail in the embodiment corresponding to fig. 6, which will not be described in detail herein.
After obtaining the first master key name from the first column key metadata, the data interaction terminal can obtain the first master key metadata corresponding to the first master key name from the target database. Alternatively, after generating the master key metadata through the master key generation and storage process, the data interaction terminal can cache the master key metadata locally, so that it can also obtain the first master key metadata corresponding to the first master key name from the local cache. It should be understood that the master key metadata containing the first master key name is the first master key metadata corresponding to the first master key name.
A23, determining a first master key corresponding to the first master key name according to the first key path and the first master key name.
If the master key repository provider name in the first master key metadata is the name of the local key management module, the local key management module in the data interaction terminal can obtain the first master key according to the first key path and the first master key name.
Optionally, if the master key repository provider name in the first master key metadata is the name of a third-party key management module, the data interaction terminal may send the first master key metadata to the third-party key management module, and the third-party key management module obtains the first master key according to the first key path and the first master key name.
And A24, decrypting the first encrypted column key according to the first master key and an encryption and decryption algorithm corresponding to the first algorithm name to obtain a first column key.
If the master key repository provider name in the first master key metadata is the name of the local key management module, the local key management module in the data interaction terminal can decrypt the first encrypted column key with the first master key and the encryption and decryption algorithm corresponding to the first algorithm name, and the decrypted column key is the first column key.
Optionally, if the master key repository provider name in the first master key metadata is the name of a third-party key management module, the data interaction terminal may send the first master key metadata and the first encrypted column key to the third-party key management module. After obtaining the first master key according to the first key path and the first master key name, the third-party key management module decrypts the first encrypted column key with the first master key and the encryption and decryption algorithm corresponding to the first algorithm name to obtain the decrypted column key, and sends the decrypted column key to the data interaction terminal, which thereby obtains the first column key.
A3, performing order-preserving encryption on the first data according to a first column key corresponding to the first column name to obtain second data.
Here, performing order-preserving encryption on the first data according to the first column key corresponding to the first column name means using the first column key as the encryption key and encrypting the first data with the ope algorithm; the principle of the ope algorithm can be found in the foregoing description and is not repeated here.
The specific implementation manner of order-preserving encryption for the first data will be different depending on the data type of the first data, and will be described below.
In the first case, the first data is integer (int) type data.
In this case, the data interaction terminal may calculate a difference between the first data and a second preset negative integer to obtain a first difference, process the first difference as an unsigned integer, and perform order-preserving encryption on the first difference according to a first column key corresponding to the first column name to obtain second data. The second preset negative integer may be determined according to the size of the original data type corresponding to the first column name.
Taking as an example that the data in the first data column corresponding to the first column name is a single-byte integer: the minimum negative integer of a single-byte integer is -128, so the second preset negative integer is -128. For first data 1 and -1, the difference from -128 is calculated to obtain the first differences 1 - (-128) = 129 (binary code 1000 0001) and -1 - (-128) = 127 (binary code 0111 1111). Each first difference is treated as an unsigned integer and order-preserving encrypted with the first column key, namely ope(1) = ope(1000 0001) and ope(-1) = ope(0111 1111), so that ope(1) = ope(1000 0001) > ope(-1) = ope(0111 1111).
Therefore, for integer data, the difference between the integer and the minimum negative integer is calculated first and the difference is then order-preserving encrypted, so that the ordering of the data is the same before and after encryption.
In the second case, the first data is floating point (float) type data.
In this case, if the first data is positive floating point data, the data interaction terminal may treat the bytes storing the first data as an integer to obtain a first integer, calculate the difference between the first integer and a minimum code to obtain a code to be encrypted, treat the code to be encrypted as an unsigned integer, and perform order-preserving encryption on it with the first column key corresponding to the first column name to obtain the second data. The minimum code is the binary code of the minimum negative integer for the number of bytes occupied by the first data. If the first data is a single-precision floating point number, it occupies 4 bytes, the minimum code is 32 bits long and is 1000 0000 0000 0000 0000 0000 0000 0000; if the first data is a double-precision floating point number, it occupies 8 bytes, the minimum code is 64 bits long and is 1000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000.
Taking the data in the first data column corresponding to the first column name as a single-precision floating point number as an example, assume that the first data is the single-precision floating point number 85.125. First, according to the IEEE 754 standard, the bytes storing the first data are read as the first integer 0 10000101 01010100100000000000000 (sign bit, exponent, mantissa; 0x42AA4000). Then the difference between the first integer and the minimum code is calculated to obtain the code to be encrypted, 1 10000101 01010100100000000000000 (0xC2AA4000). The code to be encrypted is treated as an unsigned integer and ope order-preserving encryption is performed on it, namely ope(85.125) = ope(1 10000101 01010100100000000000000).
If the first data is negative floating point data, the data interaction terminal may calculate the binary complement of the first integer corresponding to the first data to obtain a first complement (the first integer corresponding to the first data being the integer obtained by treating the bytes storing the first data as an integer), calculate the difference between the first complement and the minimum code to obtain a code to be encrypted, treat the code to be encrypted as an unsigned integer, and perform order-preserving encryption on it with the first column key to obtain the second data. The minimum code is the binary code of the minimum negative integer for the number of bytes occupied by the first data, and that minimum negative integer can be determined by the size of the original data type corresponding to the first column name.
Taking the data in the first data column corresponding to the first column name as a single-precision floating point number as an example, assume that the first data is the single-precision floating point number -85.125. The binary code of the first integer corresponding to the first data is 1 10000101 01010100100000000000000 (0xC2AA4000). All bits except the sign bit are inverted to obtain 1 01111010 10101011011111111111111, and 1 is added to obtain the first complement 1 01111010 10101011100000000000000 (0xBD55C000). The minimum negative integer 1000 0000 0000 0000 0000 0000 0000 0000 is subtracted from the first complement to obtain 0 01111010 10101011100000000000000 (0x3D55C000), and ope order-preserving encryption is performed on that value, namely ope(-85.125) = ope(0 01111010 10101011100000000000000).
For floating point data, the positive and negative floating point data are preprocessed as above and then order-preserving encrypted, so that the ordering after order-preserving encryption is identical to the ordering before encryption.
In the third case, the first data is character type data.
In this case, the data interaction terminal may fill preset characters on the right of the first data to obtain a standard character corresponding to the first data, whose character length is the preset character length, treat the ASCII code of the standard character as an unsigned integer, and perform order-preserving encryption on it with the first column key corresponding to the first column name to obtain the second data. The preset character length is the maximum character length defined for the data column corresponding to the first column name and is determined by the size of the original data type corresponding to the first column name.
If the first data is fixed-length character data (char), the preset character is an ASCII character of a space, and the space character of the ASCII code 32 may be filled on the right side of the first data until the character length of the first data is the preset character length (i.e., the character field width), to obtain the standard character corresponding to the first data.
For example, the preset character length is 3. For the character 'a', the character length is 1, so 2 space characters are filled on its right to obtain the standard character; the ASCII code of 'a' is 0x61 and the ASCII code of the space character is 0x20, so the ASCII code of the standard character is 0x61 20, and the ASCII code of the standard character is then ope order-preserving encrypted, namely ope(a) = ope(0x61 20). For the character string 'abc', the character length is 3, so 'abc' is itself the standard character; the ASCII codes of a, b and c are 0x61, 0x62 and 0x63, so the ASCII code of the standard character is 0x61 62 63, which is then ope order-preserving encrypted, namely ope(abc) = ope(0x61 62 63).
If the first data is variable-length character data (varchar), the preset character is any ASCII character smaller than the space; characters whose ASCII code is smaller than the space can be filled on the right of the first data until its character length equals the preset character length (namely the character field width), to obtain the standard character corresponding to the first data. For example, the right side of the first data may be filled with the invisible character of ASCII code 31.
Still taking a preset character length of 3 as an example, the invisible character with ASCII code 31 has the hexadecimal code 0x1F, and for the character 'a' the ASCII code of its corresponding standard character is 0x61 1F.
In the fourth case, the first data is fixed-length numerical (Numeric) type data.
In this case, in one possible implementation, the data interaction terminal may subtract a first preset negative number from the first data to obtain a first positive number corresponding to the first data, perform decimal zero padding on the first positive number to obtain a second positive number whose number of decimal places is a preset number, and perform order-preserving encryption with the first column key on a first positive integer corresponding to the second positive number to obtain the second data, where the first positive integer is the integer obtained by ignoring the decimal point of the second positive number, that is, by treating the second positive number without its decimal point as an integer. The preset number of digits is the number of decimal places defined for the data column corresponding to the first column name; the first preset negative number is any negative number less than or equal to the first negative number, the first negative number being the minimum negative number defined for that data column. Both the first preset negative number and the preset number of digits are determined by the size of the original data type corresponding to the first column name. For example, if the data column corresponding to the first column name is defined as Numeric(4, 2), that is, 4 digits in total with 2 decimal places, the preset number of digits is 2 and the first preset negative number may be -99.99, -100, -101, etc.; if the data column is defined as Numeric(7, 3), that is, 7 digits in total with 3 decimal places, the preset number of digits is 3 and the first preset negative number may be -9999.999, -10000, etc.
Taking first data 10.0 as an example, assume that the data column corresponding to the first column name is defined as Numeric(4, 2) and the first preset negative number is -99.99. Subtracting the first preset negative number from the first data gives the first positive number 109.99; its number of decimal places is 2, exactly the preset number, so the second positive number is 109.99; ignoring the decimal point gives the first positive integer 10999, which is then order-preserving encrypted, namely ope(10.0) = ope(10999).
Taking first data 10.0 as an example again, assume that the data column corresponding to the first column name is defined as Numeric(4, 2) and the first preset negative number is -100. Subtracting the first preset negative number from the first data gives the first positive number 110.0, which has 1 decimal place, fewer than 2, so decimal zero padding of the first positive number gives the second positive number 110.00; ignoring the decimal point gives the first positive integer 11000, which is then order-preserving encrypted, namely ope(10.0) = ope(11000).
In another possible implementation, the data interaction terminal may perform decimal zero padding on the first data to obtain a standard number whose number of decimal places is the preset number, ignore the decimal point of the standard number to obtain a second integer, subtract a first preset negative integer from the second integer to obtain a first positive integer, and perform order-preserving encryption on the first positive integer with the first column key to obtain the second data. The preset number of digits is the number of decimal places defined for the data column corresponding to the first column name; the first preset negative integer is any negative integer less than or equal to a target negative number, the target negative number being the minimum negative number that can be expressed with the total number of digits defined for that data column; both the preset number of digits and the first preset negative integer are determined by the size of the original data type corresponding to the first column name. For example, if the data column is defined as Numeric(4, 2), that is, 4 digits in total with 2 decimal places, the preset number of digits is 2 and the first preset negative integer may be -9999, -10000, -10001, etc.; if it is defined as Numeric(7, 3), that is, 7 digits in total with 3 decimal places, the preset number of digits is 3 and the first preset negative integer may be -9999999, -10000000, etc.
Taking first data 10.0 as an example, assume that the data column corresponding to the first column name is defined as Numeric(4, 2) and the first preset negative integer is -9999. Decimal zero padding of the first data gives the standard number 10.00; ignoring its decimal point gives the second integer 1000; subtracting the first preset negative integer -9999 gives the first positive integer 10999, which is then order-preserving encrypted, namely ope(10.0) = ope(10999).
When performing order-preserving encryption on the first positive integer with the first column key to obtain the second data, the data interaction terminal may also first combine the first positive integer, starting from its lowest digit, to obtain a second positive integer, and then encrypt the second positive integer with the first column key to obtain the second data. The combination takes, for each pair of adjacent bytes, the lower 4 bits of the higher byte as the upper 4 bits of the combined byte and the lower 4 bits of the lower byte as the lower 4 bits of the combined byte; combining the first positive integer in this way yields the second positive integer.
For example, 11711 is treated as a large integer whose digits occupy the bytes 0x01 01 07 01 01; after combination they become 0x01 17 11. The combination reduces memory overhead and also greatly reduces the amount of encryption computation.
If the third algorithm name in the first column key metadata is the name of another encryption algorithm, the first column key may be used as the encryption key and the first data may be encrypted with that other encryption algorithm.
Optionally, after the first data is order-preserving encrypted with the first column key corresponding to the first column name to obtain the second data, the second data may further be encoded in an extension encoding mode to obtain third data, where the extension encoding mode is an extension of standard Base64 encoding. Encoding the second data in the extension encoding mode to obtain the third data means encoding the second data according to an extension encoding table based on standard Base64 encoding to obtain the Base64 extension code corresponding to the second data, and using the ASCII encoding of the Base64 extension code as the third data. The extension encoding table based on standard Base64 encoding is obtained by taking 64 visible characters from the ASCII standard at random and arranging them in order of their values.
For example, an extended encoding table based on standard Base64 encoding may be shown in the following table.
For example, the second data consists of the binary codes x and y, with x = 000000 and y = 110100. Base64 extension coding is performed on x and y according to the extension coding table shown in the table to obtain the Base64 extension codes corresponding to the second data, namely Base64_op(x) = + and Base64_op(y) = o; the ASCII encoding of the Base64 extension codes is then used as the third data, so the third data corresponding to x is 0x2B and the third data corresponding to y is 0x6F.
It should be understood that the above is only one implementation of the extension coding table based on Base64 coding provided by the present application; any extension coding table based on Base64 coding obtained by arbitrarily taking 64 visible characters from the ASCII standard and arranging them in order of their values is within the protection scope of the present application. For example, "+" in table 1 may be replaced with "(" to obtain a new extension coding table.
When the second data has been processed into third data in the above manner, the data interaction terminal, after querying the third data from the target database, needs to decode the third data in reverse and restore the queried result to the original second data. For example, if the Base64 extension code corresponding to the third data queried from the target database is "+", then according to the above table the second data is 000000.
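As an added example (not the patent's code), the following Python implements the extension encoding and its reverse decoding. The extension table assumed here is the 64 standard Base64 characters rearranged in ASCII order, which reproduces the two values given on this page (000000 becomes '+', 110100 becomes 'o'); the helper at the end shows why the value ordering of the table matters: encoded strings then sort exactly like the ciphertext bytes, whereas standard Base64 does not.

```python
import base64
import string

# Assumed extension table: the standard Base64 characters sorted by ASCII value
# ('+', '/', '0'-'9', 'A'-'Z', 'a'-'z'), so index 0 -> '+' and index 52 -> 'o'.
EXTENSION_TABLE = "".join(sorted(string.ascii_letters + string.digits + "+/"))
DECODE_TABLE = {ch: i for i, ch in enumerate(EXTENSION_TABLE)}


def ext_encode_group(six_bits: int) -> str:
    """Base64_op for one 6-bit group: look the value up in the extension table."""
    return EXTENSION_TABLE[six_bits]


def ext_encode(second_data: bytes) -> str:
    """Base64 extension code of the second data (fixed-width ciphertext, so no '=' padding is used)."""
    bits = "".join(f"{b:08b}" for b in second_data)
    bits += "0" * (-len(bits) % 6)            # zero-fill the last group, as standard Base64 does
    return "".join(EXTENSION_TABLE[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))


def third_data(second_data: bytes) -> bytes:
    """The ASCII encoding of the Base64 extension code is what gets stored: the third data."""
    return ext_encode(second_data).encode("ascii")


def ext_decode(extension_code: str) -> bytes:
    """Reverse decoding after querying: extension code back to the original second data."""
    bits = "".join(f"{DECODE_TABLE[ch]:06b}" for ch in extension_code)
    usable = len(bits) - len(bits) % 8        # drop the zero-fill of the last group
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def standard_base64(data: bytes) -> str:
    """Standard Base64 for comparison: its alphabet is not in ASCII order."""
    return base64.b64encode(data).decode("ascii")


def keeps_byte_order(encode, samples) -> bool:
    """True when the encoded strings sort exactly as the raw bytes do (distinct, equal-length inputs)."""
    ordered = sorted(samples)
    return all(encode(a) < encode(b) for a, b in zip(ordered, ordered[1:]))


if __name__ == "__main__":
    # constructed second data: x = 000000 and y = 110100 placed in the first 6 bits of 3 bytes
    for sample in (b"\x00\x00\x00", b"\xd0\x00\x00"):
        print(ext_encode(sample), third_data(sample).hex(), standard_base64(sample))
```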
A4, rewriting a first column name in the first structured query statement into a second column name, and rewriting first data in the first structured query statement into second data to obtain a second structured query statement.
For example, the first structured query statement is insert into t1 (c1, c2) values (100, 200). Assuming that column c1 is an encrypted column, c1 is the first column name, the corresponding second column name is d1, and the encrypted value obtained by order-preserving encryption of the value 100 is 78, the second structured query statement obtained by rewriting is insert into t1 (d1, c2) values (78, 200).
Optionally, when the first data is order-preserving encrypted with the first column key corresponding to the first column name to obtain the second data and the second data is then encoded in the extension encoding mode to obtain the third data, the first data in the first structured query statement is rewritten into the third data when the first structured query statement is rewritten into the second structured query statement. That is, step A4 becomes: rewriting the first column name in the first structured query statement into the second column name, and rewriting the first data in the first structured query statement into the third data, to obtain the second structured query statement.
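As an added example (not the patent's code), the following Python rewrites a single-row INSERT as in steps A1, A3 and A4 and maps returned rows back as in step B1, using a constructed table encryption metadata entry for t1.c1. It assumes the column key has already been recovered through step A2, that the values are already the unsigned codes produced by the type-dependent pre-encoding of step A3, and it substitutes a small keyed monotone map for the patent's ope algorithm (a stand-in for illustration, not a secure order-preserving scheme).

```python
import hashlib
import hmac
import re

# Constructed table encryption metadata: table -> original column -> (alternative column, column key name)
TABLE_ENCRYPTION_METADATA = {
    "t1": {"c1": {"alternative_column": "d1", "column_key_name": "t1_c1_key"}},
}
# Constructed column keys, standing in for what step A2 returns after unwrapping with the master key
COLUMN_KEYS = {"t1_c1_key": b"constructed column key for t1.c1"}

CODE_LIMIT = 1 << 12   # plaintext domain of the stand-in cipher: codes 0 .. 4095


def _gap(key: bytes, i: int) -> int:
    """Keyed pseudo-random gap in 1..8: ciphertexts grow strictly with the plaintext."""
    tag = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return 1 + tag[0] % 8


def ope_encrypt(key: bytes, code: int) -> int:
    """Stand-in order-preserving encryption: ciphertext = sum of the keyed gaps up to `code`."""
    if not 0 <= code < CODE_LIMIT:
        raise ValueError("code outside the stand-in cipher's domain")
    return sum(_gap(key, i) for i in range(code + 1))


def ope_decrypt(key: bytes, ciphertext: int) -> int:
    """Inverse of ope_encrypt: accumulate gaps until the running sum reaches the ciphertext."""
    total = 0
    for code in range(CODE_LIMIT):
        total += _gap(key, code)
        if total == ciphertext:
            return code
        if total > ciphertext:
            break
    raise ValueError("ciphertext was not produced under this key")


_INSERT = re.compile(r"insert\s+into\s+(\w+)\s*\(([^)]*)\)\s*values\s*\(([^)]*)\)", re.I)


def rewrite_insert(statement: str) -> str:
    """Steps A1, A3 and A4 for a single-row INSERT: swap encrypted column names and encrypt their values."""
    match = _INSERT.fullmatch(statement.strip())
    if not match:
        raise ValueError("only 'insert into t (cols) values (vals)' is handled here")
    table = match.group(1)
    columns = [c.strip() for c in match.group(2).split(",")]
    values = [v.strip() for v in match.group(3).split(",")]
    # table absent from the metadata: no encrypted column, the statement passes through unchanged
    encrypted_columns = TABLE_ENCRYPTION_METADATA.get(table, {})
    new_columns, new_values = [], []
    for column, value in zip(columns, values):
        info = encrypted_columns.get(column)
        if info is None:
            new_columns.append(column)
            new_values.append(value)
            continue
        key = COLUMN_KEYS[info["column_key_name"]]               # first column key (step A2)
        new_columns.append(info["alternative_column"])           # second column name (step A1)
        new_values.append(str(ope_encrypt(key, int(value))))     # second data (step A3)
    return f"insert into {table} ({', '.join(new_columns)}) values ({', '.join(new_values)})"


def restore_row(table: str, row: dict) -> dict:
    """Step B1 plus decryption: map alternative column names back to the originals and decrypt their values."""
    reverse = {info["alternative_column"]: (original, info["column_key_name"])
               for original, info in TABLE_ENCRYPTION_METADATA.get(table, {}).items()}
    restored = {}
    for column, value in row.items():
        if column in reverse:
            original, key_name = reverse[column]
            restored[original] = ope_decrypt(COLUMN_KEYS[key_name], int(value))
        else:
            restored[column] = value
    return restored


if __name__ == "__main__":
    second = rewrite_insert("insert into t1 (c1, c2) values (100, 200)")
    print(second)   # insert into t1 (d1, c2) values (<ciphertext of 100>, 200)
```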
S203, the data interaction terminal sends a second structured query statement to the target database, and the target database receives the second structured query statement.
S204, the target database executes database operation corresponding to the second structured query statement to obtain first operation result data.
The first operation result data comprises a second column name and fourth data, and the fourth data is encrypted data.
S205, the target database sends first operation result data to the data interaction terminal, and the data interaction terminal receives the first operation result data.
S206, the data interaction terminal performs data reduction on the first operation result data to obtain second operation result data corresponding to the first structured query statement.
Here, data restoration of the first operation result data by the data interaction terminal refers to the process of restoring the second column name in the first operation result data to the first column name and decrypting the third data to obtain the original data.
Where the fourth data in the first operation result data has undergone the expansion coding processing, its form is the same as that of the third data introduced in step A3. After receiving the first operation result data, the data interaction terminal must therefore first perform expansion decoding on the fourth data to obtain the corresponding original operation result data, and then perform data reduction on that original operation result data. For the method of performing expansion decoding on the fourth data to obtain the corresponding original operation result data, refer to the description of step A3.
The data interaction terminal may perform data reduction on the first operation result data (may refer to the original operation result data after expansion decoding) through the following steps B1-B4 to obtain second operation result data corresponding to the first structured query statement:
B1, determining a first column name corresponding to the second column name and a first column key name corresponding to the second column name according to the table encryption metadata corresponding to the target database.
The data interaction terminal determines, among the table encryption metadata corresponding to the target database, the table encryption metadata corresponding to the second column name including the second column name, then determines the column key name in the table encryption metadata corresponding to the second column name as the first column key name corresponding to the second column name, and determines the original column name in the table encryption metadata corresponding to the second column name as the first column name corresponding to the second column name.
And B2, the data interaction terminal acquires a first column key corresponding to the second column name according to the first column key name.
Here, for the specific way in which the data interaction terminal obtains the first column key according to the first column key name, refer to the description of the foregoing steps A21-A24, which is not repeated here.
And B3, the data interaction terminal decrypts the fourth data according to the first column key corresponding to the second column name to obtain fifth data.
Here, decrypting according to the first column key corresponding to the second column name means decrypting the fourth data using the first column key as the decryption key and the OPE algorithm; for the principle of the OPE algorithm, refer to the foregoing description, which is not repeated here.
And B4, the data interaction terminal determines the first column name and the fifth data as second operation result data corresponding to the first structured query statement.
It should be noted that when the data interaction terminal performs order-preserving encryption, the encryption is applied after the data has been processed into numerical data (see the description of step A3). The fourth data and the fifth data are therefore both numerical data, while the original type of the data may be one of integer, floating-point, character or numeric as described above. After the fifth data is obtained by decryption, it is restored to the original data type; this restoration is the inverse of the four cases of processing by original data type described for the order-preserving encryption in step A3.
For example, if the original data type corresponding to the fifth data is an integer type, the fifth data is summed, after decryption, with the preset negative integer corresponding to that original data type, which restores the original integer value. For another example, if the original data type corresponding to the fourth data is a variable-length character type, the padded characters are removed after the fourth data is obtained.
In the technical scheme corresponding to fig. 3, after a first structured query statement acting on a target database is obtained, it is rewritten to obtain a second structured query statement whose data is obtained by performing order-preserving encryption on the data in the first structured query statement. The second structured query statement is then sent to the target database, which executes the corresponding database operation; the first operation result data returned by the target database is received, and finally data reduction is performed on it to obtain the second operation result data corresponding to the first structured query statement. Because the data in the rewritten SQL statement is obtained by order-preserving encryption of the data in the original SQL statement, the order relationship between the encrypted values is the same as the order relationship between the plaintext values, so database operations such as sorting and size-comparison queries can still be carried out on the encrypted data.
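The flow of steps A4 and B1-B4 above, worked end to end as an added example that is not part of the patent: the target database is an in-memory SQLite instance holding only the replacement column d1, the table encryption metadata, column key and SQL statements are constructed, and ToyOPE is a keyed random monotone injection that stands in for the OPE algorithm the patent relies on (this section does not specify the scheme). It uses the page's own statement insert into t1 (c1, c2) values (100, 200) and the integer-offset restoration mentioned above; the comparison rewriting handles integer literals only.

```python
import hashlib
import hmac
import re
import sqlite3
from bisect import bisect_left

# Constructed parameters (assumptions, not from the patent).
DOMAIN_BITS = 16                 # OPE plaintext domain after shifting: 0 .. 2**16 - 1
OFFSET = 1 << (DOMAIN_BITS - 1)  # shift added so negative integers become non-negative
MAX_GAP = 256                    # bound on the keyed random gap between neighbouring ciphertexts

# Table encryption metadata (step B1): original column -> replacement column and column key name.
TABLE_ENCRYPTION_METADATA = {"t1": {"c1": {"enc_col": "d1", "key_name": "ImgCEK"}}}
# Decrypted column keys by column key name; constructed stand-in for the key obtained in steps A21-A24.
COLUMN_KEYS = {"ImgCEK": b"constructed-demo-column-key-ImgCEK"}


class ToyOPE:
    """Keyed random monotone injection standing in for the patent's OPE algorithm: E(x) is the sum of
    keyed pseudo-random gaps g_0..g_x with every g_i >= 1, so x < y implies E(x) < E(y)."""

    def __init__(self, column_key: bytes):
        table, acc = [], 0
        for i in range(1 << DOMAIN_BITS):
            prf = hmac.new(column_key, i.to_bytes(4, "big"), hashlib.sha256).digest()
            acc += 1 + int.from_bytes(prf[:4], "big") % MAX_GAP
            table.append(acc)
        self._table = table  # rebuilding this table requires the column key

    def encrypt(self, value: int) -> int:
        x = value + OFFSET
        if not 0 <= x < len(self._table):
            raise ValueError("value outside the OPE domain")
        return self._table[x]

    def decrypt(self, ciphertext: int) -> int:
        x = bisect_left(self._table, ciphertext)
        if x == len(self._table) or self._table[x] != ciphertext:
            raise ValueError("not a ciphertext under this column key")
        return x - OFFSET  # summing with the preset negative integer restores the signed value


def ope_for_table(table: str) -> dict:
    """One OPE instance per encrypted column of `table`, keyed with that column's column key."""
    return {col: ToyOPE(COLUMN_KEYS[info["key_name"]])
            for col, info in TABLE_ENCRYPTION_METADATA[table].items()}


INSERT_RE = re.compile(r"insert\s+into\s+(\w+)\s*\(([^)]*)\)\s*values\s*\(([^)]*)\)\s*;?", re.I)


def rewrite_insert(sql: str, opes: dict) -> str:
    """Step A4 for an insert: rename encrypted columns and OPE-encrypt the literals in their positions."""
    m = INSERT_RE.fullmatch(sql.strip())
    if m is None:
        raise ValueError("unsupported insert statement")
    table = m.group(1)
    meta = TABLE_ENCRYPTION_METADATA.get(table, {})
    new_cols, new_vals = [], []
    for col, val in zip(m.group(2).split(","), m.group(3).split(",")):
        col, val = col.strip(), val.strip()
        if col in meta:
            new_cols.append(meta[col]["enc_col"])
            new_vals.append(str(opes[col].encrypt(int(val))))
        else:
            new_cols.append(col)
            new_vals.append(val)
    return f"insert into {table} ({', '.join(new_cols)}) values ({', '.join(new_vals)})"


def rewrite_query(sql: str, table: str, opes: dict) -> str:
    """Query rewriting: a comparison `c1 > 50` becomes `d1 > E(50)`; a bare `c1` becomes `d1`."""
    for col, info in TABLE_ENCRYPTION_METADATA[table].items():
        cmp_re = re.compile(r"\b%s\s*(>=|<=|<>|!=|=|>|<)\s*(-?\d+)\b" % re.escape(col))
        sql = cmp_re.sub(lambda m, c=col, e=info["enc_col"]:
                         f"{e} {m.group(1)} {opes[c].encrypt(int(m.group(2)))}", sql)
        sql = re.sub(r"\b%s\b" % re.escape(col), info["enc_col"], sql)
    return sql


def restore_results(description, rows, table: str, opes: dict) -> list:
    """Steps B1-B4: map replacement column names back and decrypt the order-preserving ciphertexts."""
    back = {info["enc_col"]: col for col, info in TABLE_ENCRYPTION_METADATA[table].items()}
    names = [d[0] for d in description]
    restored = []
    for row in rows:
        rec = {}
        for name, value in zip(names, row):
            if name in back:
                rec[back[name]] = opes[back[name]].decrypt(value)
            else:
                rec[name] = value
        restored.append(rec)
    return restored


def demo() -> list:
    """End to end: the database only ever holds d1 ciphertexts, yet filters and sorts them correctly."""
    opes = ope_for_table("t1")
    db = sqlite3.connect(":memory:")
    db.execute("create table t1 (d1 integer, c2 integer)")  # standard DDL, no encryption attributes
    for stmt in ("insert into t1 (c1, c2) values (100, 200)",  # the statement from the text above
                 "insert into t1 (c1, c2) values (30, 1)",
                 "insert into t1 (c1, c2) values (-5, 7)",
                 "insert into t1 (c1, c2) values (77, 9)"):
        db.execute(rewrite_insert(stmt, opes))
    cur = db.execute(rewrite_query("select c1, c2 from t1 where c1 > 50 order by c1", "t1", opes))
    return restore_results(cur.description, cur.fetchall(), "t1", opes)


if __name__ == "__main__":
    print(demo())  # [{'c1': 77, 'c2': 9}, {'c1': 100, 'c2': 200}]
```

The database executes the where clause and the order by on d1 alone and still returns the rows in plaintext order, which is exactly the property the text relies on; the toy scheme leaks order by design, as any order-preserving scheme does, and the column key never reaches the database.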
2. The detailed implementation of process (3), namely the generation and storage of table encrypted metadata.
Referring to fig. 4, fig. 4 is a flowchart of another database operation method according to an embodiment of the present application, where the method may be applied to a closed database system, as shown in fig. 4, and the method includes the following steps:
S301, the data interaction terminal acquires a third structured query statement acting on the target database, wherein the third structured query statement comprises a third column name.
The third structured query statement is an enhanced data definition statement, that is, a data definition statement that supports defining encryption. It is used to create a first data table in the target database and comprises a third column name; the data column corresponding to the third column name is an encrypted data column of the first data table. The third structured query statement further comprises a second table name and a second column key name corresponding to the third column name: the second table name is the name of the first data table, and the second column key name is the name of the column key used to encrypt the data column corresponding to the third column name. Relative to a standard data definition statement, the enhanced data definition statement is a standard data definition statement on which encryption attributes are additionally defined.
In the application, the third structured query statement is an enhanced DDL statement that can define the encryption attributes of columns. By means of the enhanced DDL statement, the encryption of one or more columns of the table is specified at table creation time: the column definition carries a designation that the column is to be encrypted together with the column encryption key name.
The format of the enhanced DDL is as follows:
In column_constraint of CREATE TABLE, the following syntax is added:
COLUMN KEY name, which specifies the name of the column key used to encrypt the corresponding column.
One specific example (example 1) of the third structured query statement is as follows:
This example creates a data table with the table name "creditcard_info"; the data column with the column name "name" in that table is an encrypted data column, and the column key used for the encrypted column "name" is named "ImgCEK".
In some possible cases, one data column may also correspond to a plurality of column keys, i.e. a third column name corresponds to a plurality of second column key names, and different column key names may correspond to different encryption algorithms. Another specific example (example 2) of the third structured query statement is as follows:
This example creates a data table with the table name "salary_info", and the column keys used to encrypt the data columns are named "ImgCEK" and "ImgCEK".
S302, the data interaction terminal rewrites the third structured query statement to obtain a fourth structured query statement, and the fourth column names in the fourth structured query statement are obtained by transforming the third column names.
The data interaction terminal replaces the third column name in the third structured query statement with the replacement column name to obtain the fourth column name, and replaces the original data type in the third structured query statement with the replacement data type, thereby obtaining the fourth structured query statement. The fourth structured query statement is a standard data definition statement.
For example, for example 1 of the third structured query statement in step S301, the fourth structured query statement obtained by rewriting is:
CREATE TABLE creditcard_info
(id_number int,
name_cx3579 varchar(268))
The third structured query statement may comprise a plurality of second column key names, where different second column key names correspond to different encryption algorithms. If so, when the third structured query statement is rewritten, a replacement column name is generated for the third column name for each column key name in the statement, using the encryption algorithm corresponding to that column key name, so that a plurality of fourth column names is obtained.
For example, for example 2 of the third structured query statement in step S301, the fourth structured query statement obtained by rewriting is:
If the data operation statement of the first data table is an insert type data operation statement, replacing column names in the insert type data operation statement with a plurality of fourth column names, respectively encrypting data in the insert type data operation statement by using an encryption algorithm corresponding to each second column key name in the first table encryption metadata to obtain a plurality of encrypted data, and replacing the data in the insert type data operation statement with the plurality of encrypted data. That is, for a target data table (i.e., a data table in which an original data column corresponds to a plurality of alternative columns), when inserting data into such a data table, the data interaction terminal needs to rewrite the original column in the SQL statement into the plurality of alternative columns, and for the value corresponding to the original column, individually encrypt the value by using a plurality of keys according to encryption definition, thereby obtaining a plurality of encrypted values.
For example, for the following SQL statement:
insert into salary_info(id_number,salary)values(101,18010);
It is rewritten as:
insert into salary_info(id_number,salary_cx3579,salary_cx8351)values(101,'U++/7KfGO+==','0x1259e25a152b.....');
If the data operation statement of the first data table is a query type data operation statement, then for a first expression in it (an expression in a where clause or a having clause): if the operator in the first expression is a size comparison operator supported by the order-preserving algorithm, the column name in the first expression is replaced with the replacement column name encrypted by the order-preserving algorithm and the data in the first expression is encrypted with the order-preserving algorithm; if the operator in the first expression is an operator supported by an encryption algorithm other than the order-preserving algorithm, the column name in the first expression is replaced with the replacement column name encrypted by that other encryption algorithm and the data in the first expression is encrypted with that other encryption algorithm. If an expression in the query type data operation statement contains only a column name, the column name is replaced, according to the position of the expression in the statement, with the replacement column name corresponding to the most appropriate second column key name in the first table encryption metadata.
For the first operation result data returned after the database operation, the corresponding result expression is the expression between select and from in the select statement. If the operator in the result expression is a size comparison operator supported by the order-preserving algorithm, the operation result returned by the target database is an operation result encrypted with the order-preserving algorithm and does not need further processing; if the operator in the result expression is an operator supported by another encryption algorithm, the operation result returned by the target database is encrypted with that other encryption algorithm and needs to be decrypted; if the result expression contains only a column name, the operation result returned by the target database is encrypted with the column key corresponding to the most appropriate second column key name and needs to be decrypted. Every operation result that needs to be decrypted is decrypted with the corresponding encryption algorithm and key.
That is, for a data table in which an original data column has been encrypted under a plurality of second column key names to obtain a plurality of replacement column names, an expression in a query class SQL statement (for example, an expression in a where or having clause of a select statement) is handled according to its operator: if the operation is a size comparison supported by order preservation, the column name is replaced with the column name encrypted by the order-preserving algorithm and the corresponding value is encrypted with the order-preserving algorithm; if the operation is one supported by another algorithm (for example, addition), the column name is replaced with the column name encrypted by the corresponding algorithm (for example, an encryption algorithm supporting additive homomorphism) and the corresponding value is encrypted with that algorithm.
If the expression contains only a column name (which typically occurs in the expressions between select and from), the new column name from the column key metadata associated with the most appropriate algorithm is substituted according to the position of the expression. For example, for select salary from salary_info, the new column name in the column key metadata associated with salary using the order-preserving algorithm is substituted, i.e. the rewritten SQL is select salary_cx3579 from salary_info. For the target data table (that is, a data table in which an original data column corresponds to a plurality of replacement columns), the query result is handled according to the expressions and operators in the SQL statement as above: if the operation is a size comparison supported by order preservation, the server returns the order-preserving encrypted value, otherwise it returns the value encrypted by the other algorithm; if the expression contains only a column name, the server returns the column value encrypted with the column key of the most appropriate algorithm. At decryption time, the corresponding algorithm is used.
If the data operation statement of the first data table is an update type data operation statement, processing of a where clause part in the update type data operation statement is the same as processing of a where clause in the query type data operation statement, and processing of other parts in the update type data operation statement is the same as processing of the insert type data operation statement.
If the data operation statement of the first data table is a data operation statement of a deletion type, the processing of the where clause part in the data operation statement of the deletion type is the same as the processing of the where clause in the data operation statement of the query type.
S303a, the data interaction terminal sends a fourth structured query statement to the target database, and the target database receives the fourth structured query statement.
S303b, the data interaction terminal sends the first table encryption metadata to the target database, and the target database receives the first table encryption metadata.
The first table encryption metadata comprises column encryption information corresponding to a first data table, wherein the column encryption information corresponding to the first data table comprises a third column name, a fourth column name and a second column key name, and the column encryption information corresponding to the first data table further comprises the name of the first data table, the type and the size of original data in a data column corresponding to the third column name, the type and the size of encrypted data in an encrypted data column corresponding to the fourth column name and the like.
S304a, the target database executes a table building operation corresponding to the fourth structured query statement.
S304b, the target database stores the first table encryption metadata.
The data interaction terminal sends the first table encryption metadata to the target database for storage through a standard structured query statement.
In the technical scheme corresponding to fig. 4, after the data interaction terminal obtains the structured query statement for creating the data table, which acts on the target database, the structured query statement is rewritten, the encryption related definition of the column is removed, and the rewritten structured query statement is sent to the target database, so that the target database performs the table building operation, the target database does not need to perceive the encryption characteristic, the table building is only performed according to the conventional method, and the database server software does not need to be modified. The data interaction terminal also sends the table encryption metadata to the target database for storage, and subsequent data decryption can be facilitated.
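Steps S301-S303b above, as an added example that is not the patent's own code: an enhanced CREATE TABLE statement is rewritten into a standard one and the table encryption metadata of step S303b is produced alongside it. The syntax of the column constraint (COLUMN KEY name, repeatable for several keys), the replacement-name rule (the page shows name_cx3579 but not how the suffix is derived), the replacement data types, the column key names ImgAHE and ImgCMK, the original type varchar(64) in the example and the metadata table name are all constructed assumptions.

```python
import hashlib
import re

# Column key metadata as stored in step S403 (constructed: the "ahe" algorithm stands in for the
# page's "other encryption algorithm", the additively homomorphic example).
COLUMN_KEY_METADATA = {
    "ImgCEK": {"master_key_name": "ImgCMK", "algorithm": "ope"},   # order-preserving
    "ImgAHE": {"master_key_name": "ImgCMK", "algorithm": "ahe"},   # additively homomorphic
}
# Constructed rule for the replacement data type: OPE ciphertexts stay numeric so the database can
# sort and compare them; ciphertexts of other algorithms are opaque and stored as text.
REPLACEMENT_TYPE = {"ope": "bigint", "ahe": "varchar(268)"}

CREATE_RE = re.compile(r"create\s+table\s+(\w+)\s*\((.*)\)\s*;?\s*$", re.I | re.S)
KEY_RE = re.compile(r"\s+column\s+key\s+(\w+)", re.I)   # the added column_constraint syntax


def split_columns(body: str) -> list:
    """Split a column list on top-level commas only, so a type such as decimal(10,2) survives."""
    parts, depth, cur = [], 0, []
    for ch in body:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def replacement_column_name(table: str, column: str, key_name: str) -> str:
    """Constructed naming rule: <column>_cx<4 hex digits> from a hash of table, column and key name."""
    digest = hashlib.sha256(f"{table}|{column}|{key_name}".encode()).hexdigest()
    return f"{column}_cx{digest[:4]}"


def rewrite_create_table(enhanced_ddl: str):
    """Step S302: strip the encryption definitions; return (standard DDL, table encryption metadata)."""
    m = CREATE_RE.match(enhanced_ddl.strip())
    if m is None:
        raise ValueError("unsupported CREATE TABLE statement")
    table, body = m.group(1), m.group(2)
    std_cols, metadata = [], []
    for coldef in split_columns(body):
        key_names = KEY_RE.findall(coldef)
        if not key_names:                    # plain column: passes through unchanged
            std_cols.append(coldef)
            continue
        column, orig_type = KEY_RE.sub("", coldef).split(None, 1)
        for key_name in key_names:           # one replacement column per column key (example 2)
            algorithm = COLUMN_KEY_METADATA[key_name]["algorithm"]
            enc_col = replacement_column_name(table, column, key_name)
            enc_type = REPLACEMENT_TYPE[algorithm]
            std_cols.append(f"{enc_col} {enc_type}")
            metadata.append({"table": table, "column": column, "enc_column": enc_col,
                             "key_name": key_name, "algorithm": algorithm,
                             "orig_type": orig_type, "enc_type": enc_type})
    return f"CREATE TABLE {table} ({', '.join(std_cols)})", metadata


def metadata_insert_statements(metadata: list) -> list:
    """Step S303b: the metadata reaches the target database as ordinary inserts (table name constructed)."""
    return ["insert into table_encryption_metadata (table_name, column_name, enc_column_name, "
            "column_key_name, algorithm, orig_type, enc_type) values "
            f"('{r['table']}', '{r['column']}', '{r['enc_column']}', '{r['key_name']}', "
            f"'{r['algorithm']}', '{r['orig_type']}', '{r['enc_type']}')"
            for r in metadata]


if __name__ == "__main__":
    ddl, meta = rewrite_create_table(
        "CREATE TABLE creditcard_info (id_number int, name varchar(64) COLUMN KEY ImgCEK)")
    print(ddl)
    for stmt in metadata_insert_statements(meta):
        print(stmt)
```

The statement that reaches the database contains no trace of the encryption attributes, which is what lets an unmodified server execute it; everything needed to map name_cx... back to name lives in the metadata rows, so those rows deserve the same integrity protection as the encrypted columns themselves.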
3. A detailed implementation of process (2), namely the generation and storage of column keys and column key metadata.
Referring to fig. 5, fig. 5 is a flowchart of yet another database operation method according to an embodiment of the present application, where the method may be applied to a closed database system, as shown in fig. 5, and the method includes the following steps:
S401, the data interaction terminal acquires a fifth structured query statement, wherein the fifth structured query statement comprises a second master key name, a third column key name and an algorithm name corresponding to the third column key name.
Here, the fifth structured query term is an enhanced data definition term, which is a data definition term supporting defined encryption, and is used to create a column key corresponding to the target database, the third column key name is the name of a column key that needs to be created by the fifth structured query term, and the second master key name is the name of a master key that encrypts the column key that needs to be created. The fifth structured query sentence further includes an algorithm name corresponding to the third column key name, where the algorithm name corresponding to the third column key name is a name of an encryption and decryption algorithm corresponding to the column key.
The syntax example of the fifth structured query statement is as follows:
CREATE COLUMN ENCRYPTION KEY key_name
WITH(
COLUMN_MASTER_KEY=column_master_key_name,
ALGORITHM=algorithm_name
)
Here, key_name is the name of the column key, column_master_key_name is the name of the master key used to encrypt the column key, and algorithm_name is the name of the algorithm used when data is encrypted with the column key, which can be the OPE algorithm described above.
S402, the data interaction terminal determines a second encryption column key according to the second master key name and the third column key name.
The second encryption column key is obtained by encrypting a third column key corresponding to a third column key name by adopting a second master key corresponding to a second master key name.
The data interaction terminal may obtain master key metadata corresponding to a second master key name, where the master key metadata corresponding to the second master key name includes the second master key name, a key path, an algorithm name, and a keystore provider name.
If the keystore provider name in the master key metadata corresponding to the second master key name is the name of the local key management module, the local key management module in the data interaction terminal generates the third column key corresponding to the third column key name, determines the master key corresponding to the second master key name according to the second master key name and the key path in its master key metadata, and finally encrypts the third column key using the encryption algorithm named in that master key metadata and the master key, thereby obtaining the second encrypted column key.
If the keystore provider name in the master key metadata corresponding to the second master key name is the name of a third-party key management module, the data interaction terminal sends the third column key name and the master key metadata corresponding to the second master key name to the third-party key management module. The third-party key management module generates the third column key corresponding to the third column key name, determines the master key corresponding to the second master key name according to the second master key name and the key path in its master key metadata, encrypts the third column key using the encryption algorithm named in that master key metadata and the master key to obtain the second encrypted column key, and returns the second encrypted column key to the data interaction terminal.
S403, the data interaction terminal sends second column key metadata and a second encryption column key to the target database, wherein the second column key metadata comprises a second master key name, a third column key name and an algorithm name corresponding to the third column key name, and the target database receives the second column key metadata and the second encryption column key.
S404, the target database stores the second column key metadata and the second encryption column key.
And the data interaction terminal sends the second column key metadata and the second encryption column key to the target database for storage through a standard structured query statement.
In the technical scheme corresponding to fig. 5, after the data interaction terminal obtains the structured query statement for creating a column key that acts on the target database, the column key is encrypted to obtain an encrypted column key, and then the encrypted column key and the column key metadata indicating the encryption attributes of the column key are stored in the target database. The target database only stores this metadata in the conventional way, so the database server software does not need to be modified.
4. A detailed implementation of process (1), namely the generation and preservation of master keys and master key metadata.
Referring to fig. 6, fig. 6 is a flowchart of yet another database operation method according to an embodiment of the present application, where the method may be applied to a closed database system, as shown in fig. 6, and the method includes the following steps:
S501, the data interaction terminal acquires a sixth structured query statement, wherein the sixth structured query statement comprises second master key metadata.
The sixth structured query term is an enhanced data definition term, the enhanced data definition term is a data definition term supporting defined encryption, the sixth structured query term is used for creating a master key corresponding to the target database, the sixth structured query term includes second master key metadata, the second master key metadata includes a third master key name, a second algorithm name and a second key path, the second algorithm name is a name of an encryption and decryption algorithm corresponding to the master key, the second key path is a storage path corresponding to the master key, and the second master key metadata further includes a key store provider name.
An example of a sixth structured query statement is as follows:
Where key_name represents the name of the master key in the database, key_store_provider_name represents the name of the keystore provider, key_path is used to represent the path of the master key, algorithm represents the algorithm name.
S502, generating a master key corresponding to the third master key name.
The local key management module of the data interaction terminal generates the master key corresponding to the third master key name according to the second master key metadata and stores it according to the second key path. If the keystore provider name in the second master key metadata is the name of a third-party key management module, the data interaction terminal instead sends the second master key metadata to the third-party key management module, which stores the master key corresponding to the third master key name according to the second key path.
S503, the data interaction terminal sends second master key metadata to the target database, and the target database receives the second master key metadata.
S504, the target database stores the second master key metadata.
The data interaction terminal can send the second master key metadata to the target database for storage through the standard structured query statement.
In the technical scheme corresponding to fig. 6, after the data interaction terminal obtains the structured query statement for creating a master key that acts on the target database, it stores the master key metadata in the target database. The target database only stores the master key metadata in the conventional way, so the database server software does not need to be modified.
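The two key hierarchies just described (fig. 6, master key and master key metadata; fig. 5, column key encrypted under the master key plus column key metadata) and the column key lookup the earlier text refers to as steps A21-A24, as one added example that is not the patent's own code. The key names, the local keystore layout (one file per master key under a temporary directory), the provider name LOCAL_KSP and the wrapping algorithm are constructed assumptions; the wrapping uses HMAC-SHA256 in counter mode with an HMAC tag only because the standard library has no AES, where a deployment would use AES key wrap or AES-GCM.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed stand-in for the local key management module's storage.
KEYSTORE_DIR = tempfile.mkdtemp(prefix="local-ksp-")


def master_key_path(master_key_name: str) -> str:
    """The key_path recorded in the master key metadata (constructed layout: one file per key)."""
    return os.path.join(KEYSTORE_DIR, master_key_name + ".key")


def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(_prf(k_enc, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]


def wrap_key(master_key: bytes, column_key: bytes) -> bytes:
    """Encrypt-then-MAC wrapping of a column key under the master key (stand-in for AES key wrap)."""
    k_enc, k_mac = _prf(master_key, b"enc"), _prf(master_key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(column_key, _keystream(k_enc, nonce, len(column_key))))
    return nonce + ct + _prf(k_mac, nonce + ct)


def unwrap_key(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a tampered or foreign blob never yields a key."""
    k_enc, k_mac = _prf(master_key, b"enc"), _prf(master_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _prf(k_mac, nonce + ct)):
        raise ValueError("encrypted column key failed authentication")
    return bytes(c ^ s for c, s in zip(ct, _keystream(k_enc, nonce, len(ct))))


def create_master_key(master_key_name: str, algorithm: str = "hmac-ctr-etm") -> dict:
    """Fig. 6 (S501-S504): generate the master key, keep it in the local keystore at key_path and
    return the master key metadata, which is all the target database ever stores."""
    path = master_key_path(master_key_name)
    with open(path, "wb") as f:
        f.write(secrets.token_bytes(32))
    return {"key_name": master_key_name, "key_store_provider_name": "LOCAL_KSP",
            "key_path": path, "algorithm": algorithm}


def create_column_key(column_key_name: str, master_meta: dict, algorithm: str = "ope"):
    """Fig. 5 (S401-S404): generate a column key, encrypt it under the named master key and return
    (column key metadata, encrypted column key) for storage in the target database."""
    with open(master_meta["key_path"], "rb") as f:
        master_key = f.read()
    column_key = secrets.token_bytes(32)
    meta = {"column_key_name": column_key_name, "column_master_key": master_meta["key_name"],
            "algorithm": algorithm}
    return meta, wrap_key(master_key, column_key)


def load_column_key(column_key_meta: dict, encrypted_column_key: bytes, master_metas: dict) -> bytes:
    """The lookup referred to as steps A21-A24: column key metadata names the master key, the master
    key metadata gives its path and provider, and the wrapped key is decrypted on the terminal."""
    master_meta = master_metas[column_key_meta["column_master_key"]]
    if master_meta["key_store_provider_name"] != "LOCAL_KSP":
        raise NotImplementedError("third-party keystore providers are outside this example")
    with open(master_meta["key_path"], "rb") as f:
        return unwrap_key(f.read(), encrypted_column_key)


def demo() -> tuple:
    """Round trip plus a tamper check; returns (key length, round trip ok, tamper detected)."""
    master_meta = create_master_key("ImgCMK")
    col_meta, wrapped = create_column_key("ImgCEK", master_meta)
    column_key = load_column_key(col_meta, wrapped, {"ImgCMK": master_meta})
    tampered = wrapped[:20] + bytes([wrapped[20] ^ 0x01]) + wrapped[21:]
    try:
        load_column_key(col_meta, tampered, {"ImgCMK": master_meta})
        detected = False
    except ValueError:
        detected = True
    with open(master_meta["key_path"], "rb") as f:
        ok = unwrap_key(f.read(), wrapped) == column_key
    return len(column_key), ok, detected


if __name__ == "__main__":
    print(demo())  # (32, True, True)
```

What the target database ends up holding is only the metadata dictionaries and the wrapped blob; the master key stays at key_path on the terminal side, which is why compromise of the database alone does not expose column keys, and why the tag check matters: an attacker who can write to the stored blob must not be able to make the terminal accept a key of their choosing.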
The method of the present application is described above and the apparatus of the present application is described below.
Referring to fig. 7, fig. 7 is a schematic structural diagram of an encryption and decryption device for a secret database according to an embodiment of the present application, which is applied to a data interaction terminal, as shown in fig. 7, the encryption and decryption device 60 for a secret database includes:
An obtaining module 601, configured to obtain a first structured query statement acting on a target database, where the first structured query statement is a data operation statement;
The rewriting module 602 is configured to rewrite the first structured query statement to obtain a second structured query statement, where data in the second structured query statement is obtained by performing order-preserving encryption on data in the first structured query statement;
A sending module 603, configured to send the second structured query statement to the target database, so that the target database executes a database operation corresponding to the second structured query statement;
a receiving module 604, configured to receive first operation result data returned after the target database performs the database operation;
And the restoration module 605 is configured to perform data restoration on the first operation result data to obtain second operation result data corresponding to the first structured query statement.
In one possible design, the first structured query statement includes a first column name, and the rewriting module 602 is specifically configured to: determine, according to table encryption metadata, a first column key name and a second column name corresponding to the first column name, where the table encryption metadata includes column encryption information corresponding to the data tables in the target database, the column encryption information including the column names before and after encryption of each encrypted data column and the column key name corresponding to that encrypted data column; obtain first column key metadata corresponding to the first column key name and a first encrypted column key, where the first column key metadata includes a first master key name and the first column key name, and the first encrypted column key is obtained by encrypting the first column key corresponding to the first column key name with the master key corresponding to the first master key name; obtain first master key metadata corresponding to the first master key name and decrypt the first encrypted column key using the master key corresponding to the first master key name to obtain the first column key; perform order-preserving encryption on the first data according to the first column key and its corresponding encryption algorithm to obtain second data, the order-preserving encryption being a mapping under which the relative order of the plaintexts is still preserved while the statistical characteristics of the plaintexts are hidden to ensure the security of the algorithm; and rewrite the first column name in the first structured query statement into the second column name and the first data in the first structured query statement into the second data to obtain the second structured query statement.
In one possible design, the rewrite module 602 is specifically configured as follows. If the first data is negative floating-point data: compute the two's complement of the first integer corresponding to the first data to obtain a first complement, where the first integer is the integer obtained by treating the bytes that store the first data as an integer; compute the difference between the first complement and a minimum code to obtain the code to be encrypted, where the minimum code is the binary code of the smallest negative integer representable in the number of bytes occupied by the first data; and, according to the first column key, treat the code to be encrypted as an unsigned integer and perform order-preserving encryption on it to obtain the second data. If the first data is character data: pad the right side of the first data with a preset character to obtain the standard characters corresponding to the first data, where the character length of the standard characters is a preset character length, the preset character length being the maximum character length defined for the data column corresponding to the first column name; if the first data is fixed-length character data the preset character is the ASCII space character, and if the first data is variable-length character data the preset character is any ASCII character smaller than the space; then, according to the first column key, treat the ASCII codes of the standard characters as an unsigned integer and perform order-preserving encryption on them to obtain the second data. If the first data is numeric data: subtract a first preset negative number from the first data to obtain a first positive number corresponding to the first data, where the first preset negative number is any negative number less than or equal to a first negative number, the first negative number being the minimum negative number defined for the data column corresponding to the first column name; pad the decimal part of the first positive number with zeros to obtain a second positive number whose number of decimal digits is a preset number of digits, the preset number of digits being the number of decimal places defined for the data column corresponding to the first column name; take the first positive integer obtained by ignoring the decimal point of the second positive number and, starting from its lowest digit, merge every two adjacent bytes by using the low 4 bits of the higher byte as the high 4 bits of a merged byte and the low 4 bits of the lower byte as the low 4 bits of the merged byte, obtaining a second positive integer; and encrypt the second positive integer according to the first column key to obtain the second data.
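As an added illustration (not code from the patent), the three pre-encodings described above and in claim 3, each turning a column value into an unsigned integer whose order matches the plaintext order; the order-preserving cipher that consumes these integers is not specified on the page and is left out, and the 0x00 padding byte for variable-length characters is an assumption:

```python
import struct
from decimal import Decimal


def encode_negative_float(value: float) -> int:
    """Negative IEEE 754 double -> unsigned 64-bit code (page's first case).

    Read as a signed integer, the bit pattern of a negative double sorts in the
    reverse of the float order. The two's complement (negation) restores the
    order, and subtracting the minimum 8-byte integer (-2**63) shifts the result
    into the unsigned range that the order-preserving cipher consumes.
    """
    if not value < 0:
        raise ValueError("this branch handles negative floats only")
    first_integer = struct.unpack("<q", struct.pack("<d", value))[0]
    first_complement = -first_integer
    minimum_code = -(1 << 63)
    return first_complement - minimum_code


def encode_chars(value: str, max_length: int, fixed_length: bool) -> int:
    """Character data -> unsigned integer (page's second case).

    Right-pad to the column's maximum length and read the ASCII bytes as one
    big-endian integer. Fixed-length (CHAR) columns pad with space, matching
    SQL CHAR comparison; variable-length columns pad with a character below
    space (0x00 here, an assumption) so 'ab' sorts before 'ab ' and 'ab!'.
    """
    raw = value.encode("ascii")
    if len(raw) > max_length:
        raise ValueError("value exceeds the column's maximum character length")
    pad = b" " if fixed_length else b"\x00"
    return int.from_bytes(raw.ljust(max_length, pad), "big")


def encode_decimal(value, scale: int, preset_negative) -> int:
    """Numeric data -> packed-BCD unsigned integer (page's third case).

    preset_negative must be <= the smallest value the column allows, so the
    shifted value is never negative; scale is the column's decimal places.
    """
    value, preset_negative = Decimal(value), Decimal(preset_negative)
    if preset_negative >= 0:
        raise ValueError("preset_negative must be a negative number")
    first_positive = value - preset_negative
    if first_positive < 0:
        raise ValueError("value lies below the column's defined minimum")
    # decimal zero padding to the column's scale, e.g. 3.1 -> 3.10 for scale 2
    second_positive = first_positive.quantize(Decimal(1).scaleb(-scale))
    digits = str(second_positive).replace(".", "").encode("ascii")  # 0x30..0x39
    if len(digits) % 2:
        digits = b"0" + digits  # odd digit count: top byte gets a zero high nibble
    merged = bytearray()
    # low nibble of the higher byte -> high nibble, low nibble of the lower
    # byte -> low nibble, i.e. two ASCII digits become one BCD byte
    for hi, lo in zip(digits[0::2], digits[1::2]):
        merged.append(((hi & 0x0F) << 4) | (lo & 0x0F))
    return int.from_bytes(bytes(merged), "big")


def preserves_order(ascending_values, encode) -> bool:
    """True if encode() maps inputs given in strictly ascending plaintext order
    to strictly ascending codes, the property the OPE step relies on."""
    codes = [encode(v) for v in ascending_values]
    return all(a < b for a, b in zip(codes, codes[1:]))
```

preserves_order is the check to run on every branch before a column is trusted for range queries; note that -0.0 is not negative and is not handled by encode_negative_float.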
In one possible design, the rewrite module 602 is specifically configured to encode the second data with an extended encoding to obtain third data, where the extended encoding is an extended encoding based on standard Base64 encoding, and to rewrite the first data in the first structured query statement into the third data.
In one possible design, the rewrite module 602 is specifically configured to encode the second data according to an extended code table based on standard Base64 encoding, to obtain the Base64 extended code corresponding to the second data, where the extended code table based on standard Base64 encoding is obtained by arbitrarily taking 64 of the visible characters of the ASCII standard and arranging them in order of their values, and to use the ASCII codes corresponding to the Base64 extended code as the third data.
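The extended Base64 table described above and in claim 5, as an added example that is not part of the patent; the particular 64-character alphabet is an assumption, and the comparison only holds when the target column uses a binary (case-sensitive) collation:

```python
import base64

STANDARD_ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "abcdefghijklmnopqrstuvwxyz0123456789+/")
# Extended code table (assumed choice): 64 visible ASCII characters, sorted by
# value, so symbol index i < j implies character i < character j.
EXTENDED_ALPHABET = "".join(sorted("-.0123456789"
                                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                                   "abcdefghijklmnopqrstuvwxyz"))
assert len(EXTENDED_ALPHABET) == 64
_TO_EXTENDED = str.maketrans(STANDARD_ALPHABET, EXTENDED_ALPHABET)
_FROM_EXTENDED = str.maketrans(EXTENDED_ALPHABET, STANDARD_ALPHABET)


def encode_standard(ciphertext: bytes) -> str:
    """Standard Base64, for comparison: its alphabet is not in ASCII order
    ('+' and '/' sort before 'A'), so a string comparison of the encoded
    values does not follow the byte order of the ciphertexts."""
    return base64.b64encode(ciphertext).decode("ascii")


def encode_extended(ciphertext: bytes) -> str:
    """Same 6-bit grouping as Base64, but with the sorted extended table."""
    return encode_standard(ciphertext).translate(_TO_EXTENDED)


def decode_extended(text: str) -> bytes:
    return base64.b64decode(text.translate(_FROM_EXTENDED))


def encode_code(code: int, width: int) -> str:
    """Encode a fixed-width unsigned integer (e.g. an OPE output). All values of
    a column must use the same width so that encoded lengths, and any '='
    padding, are identical and cannot disturb the comparison."""
    return encode_extended(code.to_bytes(width, "big"))


def preserves_order(ascending_codes, width: int, encode) -> bool:
    """Check that an encoder keeps the order of fixed-width integers under a
    plain (binary-collation) string comparison."""
    encoded = [encode(c.to_bytes(width, "big")) for c in ascending_codes]
    return all(a < b for a, b in zip(encoded, encoded[1:]))
```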
In one possible design, the obtaining module 601 is further configured to obtain a third structured query statement acting on the target database, where the third structured query statement is an enhanced data definition statement, that is, a data definition statement that supports defining encryption, and is used to create a first data table in the target database; the third structured query statement includes the name of the first data table, a third column name, a second column key name corresponding to the third column name, and the type and size of the original data in the data column corresponding to the third column name, where the data column corresponding to the third column name is an encrypted data column in the first data table and the second column key name is the name of the second column key used to encrypt that data column. The rewrite module 602 is further configured to rewrite the third structured query statement to obtain a fourth structured query statement, where the fourth column name in the fourth structured query statement is obtained by transforming the third column name, the type of the encrypted data in the encrypted data column corresponding to the fourth column name is obtained by changing the type of the original data in the data column corresponding to the third column name, and the fourth structured query statement is a standard data definition statement. The sending module 603 is further configured to send the fourth structured query statement to the target database, so that the target database executes the table creation operation corresponding to the fourth structured query statement, and to send first table encryption metadata to the target database through a standard structured query statement, so that the target database stores the first table encryption metadata, where the first table encryption metadata comprises the column encryption information corresponding to the first data table, and the column encryption information of the first data table comprises the name of the first data table, the third column name, the fourth column name, the second column key name, the type and size of the original data in the data column corresponding to the third column name, and the type of the encrypted data in the encrypted data column corresponding to the fourth column name.
In one possible design, there are multiple second column key names corresponding to the third column name, and different second column key names correspond to different encryption algorithms. The rewrite module 602 is specifically configured to generate, for the third column name in the third structured query statement and according to each second column key name in that statement, the replacement column name corresponding to each second column key name, obtaining a plurality of fourth column names. The rewrite module 602 is further configured as follows. If the data operation statement for the first data table is an insert-type data operation statement, replace the column name in the insert-type statement with the plurality of fourth column names, encrypt the data in the insert-type statement separately with the encryption algorithm corresponding to each second column key name in the first table encryption metadata to obtain a plurality of encrypted data, and replace the data in the insert-type statement with the plurality of encrypted data. If the data operation statement for the first data table is a query-type data operation statement, then for a first expression in the query-type statement, the first expression being an expression in a where clause or a having clause: if the operator in the first expression is a size-comparison operator supported by the order-preserving algorithm, replace the column name in the first expression with the replacement column name encrypted with the order-preserving algorithm and encrypt the data in the first expression with the order-preserving algorithm; if the operator in the first expression is an operator supported by another encryption algorithm other than the order-preserving algorithm, replace the column name in the first expression with the replacement column name encrypted with that other encryption algorithm and encrypt the data in the first expression with that other encryption algorithm; and if an expression in the query-type statement contains only a column name, replace that column name, according to the position of the expression in the statement, with the replacement column name corresponding to the most suitable second column key name in the first table encryption metadata. For the first operation result data returned after the database operation: if the operator in the corresponding result expression (the expression between select and from in the select statement) is a size-comparison operator supported by the order-preserving algorithm, the operation result data returned by the target database is the operation result encrypted with the order-preserving algorithm and needs no further processing; if the operator in the corresponding result expression is an operator supported by the other encryption algorithm, the returned operation result data is the operation result encrypted with the other encryption algorithm and needs to be decrypted; if the corresponding result expression contains only a column name, the returned operation result data is the result encrypted with the column key corresponding to the most suitable second column key name and needs to be decrypted; operation results that need decryption are decrypted with the corresponding encryption algorithm and key. If the data operation statement for the first data table is an update-type data operation statement, the where clause of the update-type statement is processed in the same way as the where clause of the query-type statement, and the other parts of the update-type statement are processed in the same way as the insert-type statement.
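The operator-driven rewriting of the design above and of claim 6, as an added example that is not the patent's code: the metadata, column keys and the two toy ciphers (a keyed cumulative-gap map standing in for the order-preserving algorithm, and an HMAC tag standing in for the deterministic "other" algorithm) are constructed for illustration, and restoration of returned result data is omitted because these stand-ins are not decryptable.

```python
import hashlib
import hmac

# Constructed stand-in for the page's first table encryption metadata: each
# original column maps to its replacement columns, one per column key, with
# the algorithm that key is used with ("ope" = order-preserving, "det" = the
# "other" deterministic algorithm that supports equality).
TABLE_ENCRYPTION_METADATA = {
    "salary": {
        "k_salary_ope": ("salary_ope", "ope"),
        "k_salary_det": ("salary_det", "det"),
    },
}
# Constructed column keys; in the scheme they are unwrapped with the master key.
COLUMN_KEYS = {"k_salary_ope": b"demo-ope-key", "k_salary_det": b"demo-det-key"}
ORDER_OPERATORS = {"<", "<=", ">", ">="}   # handled by the order-preserving algorithm
EQUALITY_OPERATORS = {"=", "<>"}           # handled by the other (deterministic) algorithm


def toy_ope(key: bytes, value: int) -> int:
    """Toy order-preserving map: a sum of keyed pseudo-random gaps >= 1, so it
    is deterministic and strictly increasing. A stand-in only (not secure, and
    only for small non-negative integers) so that the rewrite can be run."""
    code = 0
    for i in range(value + 1):
        gap = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()[0] % 16
        code += 1 + gap
    return code


def toy_det(key: bytes, value) -> str:
    """Deterministic stand-in: keyed hash tag, equal plaintexts give equal tags."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def encrypt_for(key_name: str, algorithm: str, value):
    key = COLUMN_KEYS[key_name]
    return toy_ope(key, value) if algorithm == "ope" else toy_det(key, value)


def rewrite_predicate(column: str, operator: str, literal):
    """One 'column operator literal' expression of a where/having clause: the
    operator selects the replacement column and the encryption of the literal."""
    if operator in ORDER_OPERATORS:
        wanted = "ope"
    elif operator in EQUALITY_OPERATORS:
        wanted = "det"
    else:
        raise ValueError(f"operator {operator!r} is not supported on encrypted column {column!r}")
    for key_name, (replacement, algorithm) in TABLE_ENCRYPTION_METADATA[column].items():
        if algorithm == wanted:
            return replacement, operator, encrypt_for(key_name, algorithm, literal)
    raise ValueError(f"no column key with algorithm {wanted!r} for column {column!r}")


def rewrite_insert(column: str, value) -> dict:
    """INSERT: the plaintext is written to every replacement column, each
    encrypted under its own column key and algorithm."""
    return {replacement: encrypt_for(key_name, algorithm, value)
            for key_name, (replacement, algorithm) in TABLE_ENCRYPTION_METADATA[column].items()}


def evaluate_rewritten(rows, predicate):
    """Simulate the target database evaluating the rewritten predicate over the
    stored rows; it only ever compares ciphertexts."""
    column, operator, literal = predicate
    compare = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
               ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
               "=": lambda a, b: a == b, "<>": lambda a, b: a != b}[operator]
    return [row for row in rows if compare(row[column], literal)]


def demo():
    """Constructed table of four rows, then 'salary > 200' and 'salary = 250'."""
    rows = [dict(id=i, **rewrite_insert("salary", v))
            for i, v in enumerate((100, 250, 250, 900))]
    above = [r["id"] for r in evaluate_rewritten(rows, rewrite_predicate("salary", ">", 200))]
    equal = [r["id"] for r in evaluate_rewritten(rows, rewrite_predicate("salary", "=", 250))]
    return above, equal
```

An operator neither algorithm supports (for example LIKE) is rejected at rewrite time rather than being sent to the database against a ciphertext column.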
In one possible design, the obtaining module 601 is further configured to obtain a fifth structured query statement, where the fifth structured query statement is an enhanced data definition statement, that is, a data definition statement that supports encryption, and is used to create a column key corresponding to the target database; the fifth structured query statement includes a second master key name, a third column key name, and an algorithm name corresponding to the third column key name, where the algorithm name corresponding to the third column key name is the name of the encryption algorithm corresponding to the column key; generate a third column key corresponding to the third column key name according to the third column key name; obtain a second master key corresponding to the second master key name according to the second master key name; and encrypt the third column key with the second master key to obtain a second encrypted column key. The sending module 603 is further configured to send the column key metadata corresponding to the third column key name to the target database, so that the target database stores that metadata.
In one possible design, the obtaining module 601 is further configured to obtain a sixth structured query statement that includes a third master key name, a second algorithm name, a second key path, and a key library provider name, where the second algorithm name is the name of the encryption and decryption algorithm corresponding to the master key and the second key path is the storage path corresponding to the master key; generate the master key corresponding to the third master key name; store the master key corresponding to the third master key name according to the second key path; and send second master key metadata to the target database through a standard structured query statement, so that the target database stores the second master key metadata.
It should be noted that, for details of the embodiment corresponding to fig. 7 that are not mentioned here, reference may be made to the foregoing description of the method embodiment, which will not be repeated.
The device obtains a first structured query statement acting on a target database, rewrites the first structured query statement to obtain a second structured query statement whose data is obtained by performing order-preserving encryption on the data in the first structured query statement, sends the second structured query statement to the target database so that the target database executes the database operation corresponding to the second structured query statement, receives the first operation result data returned after the target database executes that database operation, and finally performs data restoration on the first operation result data to obtain the second operation result data corresponding to the first structured query statement. Because the data in the rewritten SQL statement is obtained by order-preserving encryption of the data in the original SQL statement, the order relationship between the encrypted data is the same as the order relationship between the data before encryption, so database operations such as sorting and size-comparison queries can still be carried out.
Referring to fig. 8, fig. 8 is a schematic structural diagram of a computer device according to an embodiment of the present application, and the computer device 70 includes a processor 701 and a memory 702. The memory 702 is connected to the processor 701, for example by a bus.
The processor 701 is configured to support the computer device 70 in performing the corresponding functions of the method embodiments described above. The processor 701 may be a central processing unit (CPU), a network processor (NP), a hardware chip, or any combination thereof. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The memory 702 is used for storing program code and the like. The memory 702 may include volatile memory (VM), such as random access memory (RAM), or non-volatile memory (NVM), such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD); the memory 702 may also include a combination of the above types of memory.
When the computer device 70 is a data interaction terminal, the processor 701 may call the program code to:
acquire a first structured query statement acting on a target database, wherein the first structured query statement is a data operation statement;
rewrite the first structured query statement to obtain a second structured query statement, wherein the data in the second structured query statement is obtained by performing order-preserving encryption on the data in the first structured query statement;
send the second structured query statement to the target database, so that the target database executes the database operation corresponding to the second structured query statement;
receive first operation result data returned after the target database executes the database operation;
and perform data restoration on the first operation result data to obtain second operation result data corresponding to the first structured query statement.
Embodiments of the present application also provide a computer-readable storage medium storing a computer program comprising program instructions that, when executed by a computer, cause the computer to perform the method of the previous embodiments.
Those skilled in the art will appreciate that all or part of the methods in the above embodiments may be implemented by a computer program stored in a computer-readable storage medium which, when executed, may include the steps of the method embodiments described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
The foregoing disclosure is illustrative of the present application and is not to be construed as limiting the scope of the application, which is defined by the appended claims.

Claims (9)

1. A method for encrypting and decrypting a secret database, characterized in that it is applied to a data interaction terminal, the method comprising: acquiring a first structured query statement acting on a target database, wherein the first structured query statement is a data operation statement; rewriting the first structured query statement to obtain a second structured query statement, wherein the data in the second structured query statement is obtained by performing order-preserving encryption on the data in the first structured query statement; sending the second structured query statement to the target database, so that the target database executes the database operation corresponding to the second structured query statement; receiving first operation result data returned by the target database after executing the database operation; and performing data restoration on the first operation result data to obtain second operation result data corresponding to the first structured query statement; the method further comprising: obtaining a third structured query statement acting on the target database, wherein the third structured query statement is an enhanced data definition statement, the enhanced data definition statement is a data definition statement that supports defining encryption, the third structured query statement is used to create a first data table in the target database, the third structured query statement includes the name of the first data table, a third column name, a second column key name corresponding to the third column name, and the type and size of the original data in the data column corresponding to the third column name, the data column corresponding to the third column name is an encrypted data column in the first data table, and the second column key name is the name of the second column key for encrypting the data column corresponding to the third column name; rewriting the third structured query statement to obtain a fourth structured query statement, wherein the fourth column name in the fourth structured query statement is obtained by transforming the third column name, the type of the encrypted data in the encrypted data column corresponding to the fourth column name in the fourth structured query statement is obtained by changing the type of the original data in the data column corresponding to the third column name, and the fourth structured query statement is a standard data definition statement; sending the fourth structured query statement to the target database, so that the target database executes the table creation operation corresponding to the fourth structured query statement; and sending first table encryption metadata to the target database through a standard structured query statement, so that the target database stores the first table encryption metadata, wherein the first table encryption metadata includes the column encryption information corresponding to the first data table, and the column encryption information of the first data table includes the name of the first data table, the third column name, the fourth column name, the second column key name, the type and size of the original data in the data column corresponding to the third column name, and the type of the encrypted data in the encrypted data column corresponding to the fourth column name.
2. The method according to claim 1, characterized in that the first structured query statement includes a first column name and first data, the first data belonging to the data column corresponding to the first column name; and the rewriting of the first structured query statement to obtain the second structured query statement comprises: determining, according to table encryption metadata, a first column key name and a second column name corresponding to the first column name, the table encryption metadata comprising column encryption information corresponding to the data tables in the target database, the column encryption information comprising the column names of the encrypted data columns in the data tables in the target database before and after encryption and the column key names corresponding to the encrypted data columns; obtaining first column key metadata and a first encrypted column key corresponding to the first column key name, wherein the first column key metadata includes a first master key name and the first column key name, and the first encrypted column key is obtained by encrypting the first column key corresponding to the first column name with the master key corresponding to the first master key name; obtaining first master key metadata corresponding to the first master key name, wherein the first master key metadata includes a first algorithm name and a first key path, the first algorithm name is the name of the encryption and decryption algorithm corresponding to the master key, and the first key path is the storage path corresponding to the master key; determining, according to the first key path, the first master key corresponding to the first master key name; decrypting the first encrypted column key according to the first master key and the encryption and decryption algorithm corresponding to the first algorithm name to obtain the first column key; performing order-preserving encryption on the first data according to the first column key to obtain second data, wherein the order-preserving encryption maps the values of the plaintext space into the ciphertext space in a fixed order, so that the relative order between the plaintexts is still preserved in the encrypted ciphertexts, and the statistical features of the plaintext are hidden during the mapping to ensure the security of the algorithm; and rewriting the first column name in the first structured query statement into the second column name and the first data in the first structured query statement into the second data, to obtain the second structured query statement.
3. The method according to claim 2, characterized in that performing order-preserving encryption on the first data according to the first column key to obtain the second data comprises: if the first data is negative floating-point data, calculating the two's complement of a first integer corresponding to the first data to obtain a first complement, the first integer being the integer obtained by treating the bytes storing the first data as an integer; calculating the difference between the first complement and a minimum code to obtain the code to be encrypted, the minimum code being the binary code of the minimum negative integer corresponding to the number of bytes occupied by the first data; and, according to the first column key, treating the code to be encrypted as an unsigned integer and performing order-preserving encryption on it to obtain the second data; if the first data is character data, padding the right side of the first data with a preset character to obtain the standard characters corresponding to the first data, the character length of the standard characters being a preset character length, wherein the preset character length is the maximum character length defined by the data column corresponding to the first column name, the preset character is the ASCII space character if the first data is fixed-length character data, and the preset character is any ASCII character smaller than the space if the first data is variable-length character data; and, according to the first column key, treating the ASCII codes of the standard characters as an unsigned integer and performing order-preserving encryption on the ASCII codes of the standard characters to obtain the second data; if the first data is numeric data, subtracting a first preset negative number from the first data to obtain a first positive number corresponding to the first data, the first preset negative number being any negative number less than or equal to a first negative number, and the first negative number being the minimum negative number defined by the data column corresponding to the first column name; padding the decimal part of the first positive number with zeros to obtain a second positive number, the number of decimal places of the second positive number being a preset number of places, and the preset number of places being the number of decimal places defined by the data column corresponding to the first column name; starting from the lowest digit of a first positive integer, using the low 4 bits of the higher byte of two adjacent bytes as the high 4 bits of a merged byte and the low 4 bits of the lower byte as the low 4 bits of the merged byte, and merging the first positive integer to obtain a second positive integer, the first positive integer being the integer obtained by ignoring the decimal point in the second positive number; and encrypting the second positive integer according to the first column key to obtain the second data.
4. The method according to claim 2, characterized in that, after performing order-preserving encryption on the first data according to the first column key to obtain the second data, the method further comprises: encoding the second data with an extended encoding to obtain third data, the extended encoding being an extended encoding based on standard Base64 encoding; and the rewriting of the first data in the first structured query statement into the second data comprises: rewriting the first data in the first structured query statement into the third data.
5. The method according to claim 4, characterized in that encoding the second data with the extended encoding to obtain the third data comprises: encoding the second data according to an extended code table based on standard Base64 encoding to obtain the Base64 extended code corresponding to the second data, the extended code table based on standard Base64 encoding being obtained by arbitrarily taking 64 of the visible characters of the ASCII standard and arranging them in order of value; and using the ASCII codes corresponding to the Base64 extended code as the third data.
6. The method according to claim 1, characterized in that there are multiple second column key names corresponding to the third column name, and different second column key names correspond to different encryption algorithms; the rewriting of the third structured query statement to obtain the fourth structured query statement comprises: for the third column name in the third structured query statement, generating, according to each second column key name in the third structured query statement, the replacement column name corresponding to each second column key name, to obtain a plurality of fourth column names; the method further comprising: if the data operation statement for the first data table is an insert-type data operation statement, replacing the column name in the insert-type data operation statement with the plurality of fourth column names, encrypting the data in the insert-type data operation statement separately with the encryption algorithm corresponding to each second column key name in the first table encryption metadata to obtain a plurality of encrypted data, and replacing the data in the insert-type data operation statement with the plurality of encrypted data; if the data operation statement for the first data table is a query-type data operation statement, then for a first expression in the query-type data operation statement, the first expression being an expression in a where clause or a having clause: if the operator in the first expression is a size-comparison operator supported by the order-preserving algorithm, replacing the column name of the first expression in the query-type data operation statement with the replacement column name encrypted with the order-preserving algorithm and encrypting the data in the first expression with the order-preserving algorithm; if the operator in the first expression is an operator supported by another encryption algorithm other than the order-preserving algorithm, replacing the column name in the first expression with the replacement column name encrypted with the other encryption algorithm and encrypting the data in the first expression with the other encryption algorithm; if an expression in the query-type data operation statement contains only a column name, replacing the column name in that expression, according to the position of the expression in the query-type data operation statement, with the replacement column name corresponding to the most suitable second column key name in the first table encryption metadata; for the first operation result data returned after the database operation, if the operator in the corresponding result expression is a size-comparison operator supported by the order-preserving algorithm, the result expression being the expression between select and from in the select statement, the operation result data returned by the target database is the operation result encrypted with the order-preserving algorithm and needs no further processing; if the operator in the corresponding result expression is an operator supported by the other encryption algorithm, the operation result data returned by the target database is the operation result encrypted with the other encryption algorithm and needs to be decrypted; if the corresponding result expression contains only a column name, the operation result data returned by the target database is the result encrypted with the column key corresponding to the most suitable second column key name and needs to be decrypted; operation results that need to be decrypted are decrypted with the corresponding encryption algorithm and key; if the data operation statement for the first data table is an update-type data operation statement, the where clause part of the update-type data operation statement is processed in the same way as the where clause of the query-type data operation statement, and the other parts of the update-type data operation statement are processed in the same way as the insert-type data operation statement;
the where clause in the query type data operation statement, and the other parts in the update type data operation statement are processed in the same way as the insert type data operation statement; 如果针对所述第一数据表的数据操作语句为删除类型的数据操作语句,对于所述删除类型中的数据操作语句中的where子句部分,与所述查询类型的数据操作语句中的where子句的处理相同。If the data operation statement for the first data table is a delete type data operation statement, the processing of the where clause in the delete type data operation statement is the same as that of the where clause in the query type data operation statement. 7.根据权利要求1所述的方法,其特征在于,所述方法还包括:7. The method according to claim 1, characterized in that the method further comprises: 获取第五结构化查询语句,所述第五结构化查询语句为增强数据定义语句,所述增强数据定义语句为支持定义加密的数据定义语句,所述第五结构化查询语句用于创建所述目标数据库对应的列密钥,所述第五结构化查询语句包括第二主密钥名称和第三列密钥名称以及所述第三列密钥名称对应的算法名称,所述第三列密钥名称对应的算法名称为列密钥对应的加解密算法的名称;Obtaining a fifth structured query statement, wherein the fifth structured query statement is an enhanced data definition statement, wherein the enhanced data definition statement is a data definition statement that supports definition of encryption, wherein the fifth structured query statement is used to create a column key corresponding to the target database, wherein the fifth structured query statement includes a second master key name, a third column key name, and an algorithm name corresponding to the third column key name, wherein the algorithm name corresponding to the third column key name is a name of an encryption and decryption algorithm corresponding to the column key; 根据所述第三列密钥名称,生成所述第三列密钥名称对应的第三列密钥;According to the third column key name, generate a third column key corresponding to the third column key name; 根据所述第二主密钥名称,获取所述第二主密钥名称对应的第二主密钥;According to the second master key name, obtain the second master key corresponding to the second master key name; 采用所述第二主密钥名称对应的第二主密钥,对所述第三列密钥名称对应的第三列密钥进行加密,得到第二加密列密钥;Using the second master key corresponding to the second master key name, encrypt the third column key corresponding to the third 
column key name to obtain a second encrypted column key; 通过标准结构化查询语句向所述目标数据库发送第二列密钥元数据和所述第二加密列密钥,以使所述目标数据库保存所述第二列密钥元数据和所述第二加密列密钥,所述第二列密钥元数据包括所述第二主密钥名称、所述第三列密钥名称以及所述第三列密钥名称对应的算法名称。The second column key metadata and the second encrypted column key are sent to the target database through a standard structured query statement, so that the target database saves the second column key metadata and the second encrypted column key, wherein the second column key metadata includes the second master key name, the third column key name, and an algorithm name corresponding to the third column key name. 8.根据权利要求7所述的方法,其特征在于,所述方法还包括:8. The method according to claim 7, characterized in that the method further comprises: 获取第六结构化查询语句,所述第六结构化查询语句为增强数据定义语句,所述增强数据定义语句为支持定义加密的数据定义语句,所述第六结构化查询语句用于创建所述目标数据库对应的主密钥,所述第六结构化查询语句包括第二主密钥元数据,所述第二主密钥元数据包括第三主密钥名称、第二算法名称、第二密钥路径和密钥库提供者名称,所述第二算法名称为主密钥对应的加解密算法的名称,所述第二密钥路径为主密钥对应的存储路径;Obtaining a sixth structured query statement, where the sixth structured query statement is an enhanced data definition statement, where the enhanced data definition statement is a data definition statement that supports definition of encryption, where the sixth structured query statement is used to create a master key corresponding to the target database, where the sixth structured query statement includes second master key metadata, where the second master key metadata includes a third master key name, a second algorithm name, a second key path, and a key library provider name, where the second algorithm name is a name of an encryption and decryption algorithm corresponding to the master key, and where the second key path is a storage path corresponding to the master key; 生成所述第三主密钥名称对应的主密钥,通过标准结构化查询语句向所述目标数据库发送所述第二主密钥元数据,以使所述目标数据库保存所述第二主密钥元数据;Generate a master key corresponding to the name of the third master key, and send the second master key metadata to the target database through a standard structured query statement, so that the target database saves the second 
master key metadata; 按所述第二密钥路径保存所述第三主密钥名称对应的主密钥。The master key corresponding to the third master key name is saved according to the second key path. 9.一种密态数据库的加密和解密装置,其特征在于,应用于数据交互终端,所述装置包括:9. An encryption and decryption device for a secret database, characterized in that it is applied to a data interaction terminal, and the device comprises: 获取模块,用于获取作用于目标数据库的第一结构化查询语句,所述第一结构化查询语句为数据操作语句;An acquisition module, used to acquire a first structured query statement acting on a target database, wherein the first structured query statement is a data operation statement; 重写模块,用于对所述第一结构化查询语句进行重写,得到第二结构化查询语句,所述第二结构化查询语句中的数据为对所述第一结构化查询语句中的数据进行保序加密得到;a rewriting module, configured to rewrite the first structured query statement to obtain a second structured query statement, wherein the data in the second structured query statement is obtained by performing order-preserving encryption on the data in the first structured query statement; 发送模块,用于向所述目标数据库发送所述第二结构化查询语句,以使所述目标数据库执行所述第二结构化查询语句对应的数据库操作;A sending module, configured to send the second structured query statement to the target database, so that the target database executes the database operation corresponding to the second structured query statement; 接收模块,用于接收所述目标数据库执行所述数据库操作后返回的第一操作结果数据;A receiving module, used for receiving first operation result data returned by the target database after executing the database operation; 还原模块,用于对所述第一操作结果数据进行数据还原,得到所述第一结构化查询语句对应的第二操作结果数据;A restoration module, used to restore the first operation result data to obtain second operation result data corresponding to the first structured query statement; 所述获取模块还用于,获取作用于目标数据库的第三结构化查询语句,所述第三结构化查询语句为增强数据定义语句,所述增强数据定义语句为支持定义加密的数据定义语句,所述第三结构化查询语句用于在所述目标数据库中创建第一数据表,所述第三结构化查询语句包括所述第一数据表的名称、第三列名称、所述第三列名称对应的第二列密钥名称和所述第三列名称对应的数据列中的原始数据的类型和大小,所述第三列名称对应的数据列为所述第一数据表中的加密数据列,所述第二列密钥名称为加密所述第三列名称对应的数据列的第二列密钥的名称;The acquisition module is further used to acquire a third structured query statement acting on the target database, wherein the third structured 
query statement is an enhanced data definition statement, and the enhanced data definition statement is a data definition statement that supports definition of encryption. The third structured query statement is used to create a first data table in the target database, and the third structured query statement includes a name of the first data table, a third column name, a second column key name corresponding to the third column name, and a type and size of original data in a data column corresponding to the third column name, the data column corresponding to the third column name is an encrypted data column in the first data table, and the second column key name is a name of a second column key for encrypting the data column corresponding to the third column name; 所述重写模块还用于,对所述第三结构化查询语句进行重写,得到第四结构化查询语句,所述第四结构化查询语句中的第四列名称为对所述第三列名称进行变换得到,所述第四结构化查询语句中的第四列名称对应的加密数据列中的加密数据的类型由所述第三列名称对应的数据列中的原始数据的类型变更得到,所述第四结构化查询语句为标准数据定义语句;The rewriting module is further used to rewrite the third structured query statement to obtain a fourth structured query statement, wherein the fourth column name in the fourth structured query statement is obtained by transforming the third column name, and the type of encrypted data in the encrypted data column corresponding to the fourth column name in the fourth structured query statement is obtained by changing the type of original data in the data column corresponding to the third column name, and the fourth structured query statement is a standard data definition statement; 所述发送模块还用于,向所述目标数据库发送所述第四结构化查询语句,以使所述目标数据库执行所述第四结构化查询语句对应的建表操作;通过标准结构化查询语句向所述目标数据库发送第一表加密元数据,以使所述目标数据库保存所述第一表加密元数据,所述第一表加密元数据包括所述第一数据表对应的列加密信息,所述第一数据表的列加密信息包括所述第一数据表的名称、所述第三列名称、所述第四列名称、所述第二列密钥名称以及所述第三列名称对应的数据列中的原始数据的类型和大小以及第四列名称对应的加密数据列中的加密数据的类型。The sending module is further used to send the fourth structured query statement to the target database, so that the target database executes the table creation operation corresponding to the fourth structured query statement; send 
the first table encryption metadata to the target database through a standard structured query statement, so that the target database saves the first table encryption metadata, the first table encryption metadata includes column encryption information corresponding to the first data table, the column encryption information of the first data table includes the name of the first data table, the third column name, the fourth column name, the second column key name, and the type and size of the original data in the data column corresponding to the third column name, and the type of encrypted data in the encrypted data column corresponding to the fourth column name.
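The per-operator rewrite of claim 6 above, as an added example that is not part of the patent or any implementation of it: it rewrites `column OP literal` predicates of a where clause, picks the replacement column and the literal encryption by operator class, and restores returned column-only results with the matching key. The two ciphers, the column names and the table metadata are constructed stand-ins with no security value; real order-preserving encryption and the "other" algorithm are assumed to sit behind the same interface.

```python
# Added example, not the patent's own code: claim 6's per-operator rewrite
# of WHERE predicates and the restoration of returned rows. Both ciphers are
# CONSTRUCTED TOYS (affine map as "order-preserving encryption", HMAC-derived
# keystream XOR as the "other" algorithm) with no security value.
import hashlib
import hmac
import re

# Constructed first-table encryption metadata: plaintext column -> the
# replacement column name kept for each algorithm (invented names).
TABLE_META = {
    "salary": {"ope": "c_salary_ope", "det": "c_salary_det"},
    "dept": {"det": "c_dept_det"},
}
COMPARISON_OPS = {"<", "<=", ">", ">="}   # served by the OPE column
OTHER_OPS = {"=", "<>"}                   # served by the "other" column
OPE_SLOPE, OPE_OFFSET = 7919, 104729      # toy OPE key
KEYSTREAM = hmac.new(b"toy-column-key", b"ks", hashlib.sha256).digest()

def ope_encrypt(v: int) -> int:           # monotone, so order is preserved
    return OPE_SLOPE * v + OPE_OFFSET
def ope_decrypt(c: int) -> int:
    return (c - OPE_OFFSET) // OPE_SLOPE
def det_encrypt(s: str) -> str:           # deterministic: equality survives
    return bytes(b ^ KEYSTREAM[i % 32] for i, b in enumerate(s.encode())).hex()
def det_decrypt(h: str) -> str:
    return bytes(b ^ KEYSTREAM[i % 32] for i, b in enumerate(bytes.fromhex(h))).decode()

PRED = re.compile(r"^\s*(\w+)\s*(<=|>=|<>|<|>|=)\s*('[^']*'|\d+)\s*$")

def rewrite_predicate(pred: str) -> str:
    """Rewrite one `column OP literal` predicate of a WHERE/HAVING clause."""
    m = PRED.match(pred)
    if not m:
        raise ValueError("unsupported predicate: " + pred)
    col, op, lit = m.groups()
    meta = TABLE_META[col]
    if op in COMPARISON_OPS and "ope" in meta:   # OPE column + OPE literal
        return f"{meta['ope']} {op} {ope_encrypt(int(lit))}"
    if op in OTHER_OPS and "det" in meta:        # other column + other literal
        token = det_encrypt(lit.strip("'"))
        return f"{meta['det']} {op} '{token}'"
    raise ValueError(f"no column key of {col} supports operator {op}")

def rewrite_select(table: str, cols: list, preds: list):
    """Column-only select expressions take the decryptable column key;
    returns the rewritten SQL plus the (column, algorithm) plan for restore."""
    plan = [(c, "det" if "det" in TABLE_META[c] else "ope") for c in cols]
    sql = (f"SELECT {', '.join(TABLE_META[c][a] for c, a in plan)} FROM {table}"
           f" WHERE {' AND '.join(rewrite_predicate(p) for p in preds)}")
    return sql, plan

def restore_row(row: tuple, plan: list) -> tuple:
    """Decrypt each returned value with the algorithm and key its column used."""
    return tuple(det_decrypt(v) if a == "det" else ope_decrypt(v)
                 for v, (_, a) in zip(row, plan))
```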
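The column key and master key flow of claims 7 and 8 above, as an added example that is not the patent's own code: an in-memory sqlite3 database stands in for the target database, a dict stands in for the key path and key store provider, and the key wrap is a toy HMAC keystream XOR rather than a real key-wrap algorithm; table, column and key names are invented.

```python
# Added example, not the patent's own code: the master-key / column-key
# flow of claims 7 and 8 against an in-memory sqlite3 database that stands
# in for the target database. The key wrap is a CONSTRUCTED TOY (HMAC-SHA256
# keystream XOR), not a real key-wrap algorithm; table/column names are invented.
import hashlib
import hmac
import os
import sqlite3

db = sqlite3.connect(":memory:")   # target database (metadata tables only)
db.executescript("""
CREATE TABLE master_key_meta(name TEXT PRIMARY KEY, algorithm TEXT,
                             key_path TEXT, provider TEXT);
CREATE TABLE column_key_meta(name TEXT PRIMARY KEY, master_key_name TEXT,
                             algorithm TEXT, wrapped_key BLOB);
""")
KEY_STORE = {}   # stands in for the key path / key store provider (constructed)

def _wrap(master_key: bytes, data: bytes) -> bytes:
    """Toy symmetric wrap/unwrap: XOR with an HMAC-derived keystream."""
    ks = hmac.new(master_key, b"wrap", hashlib.sha256).digest()
    return bytes(b ^ ks[i % 32] for i, b in enumerate(data))

def create_master_key(name: str, algorithm: str, key_path: str, provider: str):
    """Claim 8: generate the master key, store it at key_path, and send only
    its metadata to the target database through standard SQL."""
    master_key = os.urandom(32)
    db.execute("INSERT INTO master_key_meta VALUES (?, ?, ?, ?)",
               (name, algorithm, key_path, provider))
    KEY_STORE[key_path] = master_key     # the key itself never reaches the DB
    return master_key

def create_column_key(master_name: str, column_key_name: str, algorithm: str):
    """Claim 7: generate a column key, encrypt it under the named master key,
    and store the column key metadata plus the encrypted key in the DB."""
    row = db.execute("SELECT key_path FROM master_key_meta WHERE name = ?",
                     (master_name,)).fetchone()
    if row is None:
        raise KeyError("unknown master key: " + master_name)
    column_key = os.urandom(32)
    wrapped = _wrap(KEY_STORE[row[0]], column_key)
    db.execute("INSERT INTO column_key_meta VALUES (?, ?, ?, ?)",
               (column_key_name, master_name, algorithm, wrapped))
    return column_key

def load_column_key(column_key_name: str) -> bytes:
    """Client side: fetch metadata and wrapped key, resolve the master key by
    its path, and unwrap locally; the DB only ever sees the wrapped form."""
    master_name, wrapped = db.execute(
        "SELECT master_key_name, wrapped_key FROM column_key_meta WHERE name = ?",
        (column_key_name,)).fetchone()
    key_path = db.execute("SELECT key_path FROM master_key_meta WHERE name = ?",
                          (master_name,)).fetchone()[0]
    return _wrap(KEY_STORE[key_path], wrapped)
```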
Application CN202410470688.3A, filed 2024-04-18 (priority date 2024-04-18), granted as CN118363986B (legal status: Active).

Publications
CN118363986A 2024-07-19
CN118363986B 2025-03-04

Family ID 91882654

Country Status
CN CN118363986B

Legal Events
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant