Database encryption has emerged as a database security technology in recent years and is receiving growing attention. Protection based on storage-layer encryption not only removes the leak risk that comes with storing database contents in plaintext, it also limits what an intruder or an unauthorized user, internal or external, can read.
Technically, current database encryption falls into three categories: the front-proxy and encryption gateway mode, application-layer encryption, and the post-proxy mode. The characteristics and relative merits of each are described below.
Front-proxy and encryption gateway technology
The idea is to place a security proxy service in front of the database. Every user accessing the database must go through this proxy, which enforces security policy such as data encryption and decryption and access control, and then writes the data into the database through the database's normal access interface. The proxy sits between the client application and the database storage engine and is responsible for encrypting and decrypting the data held in the database; part of the encrypted data, together with its index structures, is held inside the proxy service rather than in the database.
This technique also has a number of problems and limitations:
1) Because encrypted data has to be stored in the security proxy, consistency between it and the data stored in the database is essentially impossible to guarantee.
2) Joint retrieval: with data split between the inside and the outside of the database, federated retrieval across both becomes very difficult, and full compatibility with SQL syntax is hard to achieve.
3) Lack of transparency to development: although database protocols have standards, in practice every database version introduces changes, extensions and enhancements, and applications that use those features must be modified. At the same time, faithfully emulating the database communication protocol inside the security proxy is very difficult.
4) The database's query optimization, transaction processing and concurrency handling go unused: query analysis, optimization, transaction and concurrency processing all have to be performed in the security proxy, so the database's own advantages in concurrency and query optimization are lost, and system performance and stability depend largely on the proxy.
5) Supporting stored procedures, triggers, functions and other stored programs is very difficult.
In addition, the security proxy layer has to provide very complex database-management functions of its own, such as SQL parsing, communication services, storage and management of encrypted-data indexes, and transaction management. This means a huge development workload and high technical complexity, and some problems, such as stored procedures and triggers, cannot be solved at all.
Application Layer Encryption Technology
The principle of application-layer encryption is that the application itself encrypts sensitive data before writing it, stores the ciphertext in the database's underlying files through the ordinary database access API (JDBC, ODBC, C API and so on), and when reading, fetches the ciphertext back to the client and decrypts it there. The application also has to manage the key system by itself.
The main drawback is that the application must do the decryption, which increases programming complexity; the scheme is not transparent to existing systems, so applications have to be modified on a large scale. In terms of efficiency, it cannot make use of the database's indexing mechanism (a WHERE clause on an encrypted column cannot use an index, because the stored value is ciphertext), so retrieval performance on encrypted data drops significantly.
Post-proxy technology based on views and triggers
This technique implements data encryption with "view" + "trigger" + "extended index" + "external call" while keeping the application fully transparent. Its core idea is to make full use of the custom extension capabilities the database itself provides, namely trigger extension, index extension, custom-function extension and views, to meet the key requirements: encrypted storage, retrieval over encrypted data, and seamless transparency to the application.
The technical principle of this scheme has the following four aspects:
(1) Transparent query processing of encrypted data through views
A database view can filter, project, aggregate, join and apply functions to the data in a table. This scheme uses that to give transparent access to the data: the original table is first renamed, a view with the original table name is then created over it, and in the view a decryption function is applied to each sensitive column, so that reads through the view return plaintext.
(2) Encryption on insert and update through triggers
A trigger reacts to specific data-modifying actions, and databases support triggers on views. This scheme creates INSTEAD OF triggers on the new view; the triggers encrypt the plaintext and insert (or update) the ciphertext in the underlying table.
(3) Encrypted indexes through the database's extended index interface
Taking Oracle as an example, the index extension mechanism in Oracle Data Cartridge provides an out-of-the-box framework in which you define your own index type and operators and supply the code that runs on CREATE INDEX, INSERT, DELETE and UPDATE and when the index is scanned. Through this mechanism a custom encrypted index can be built so that sorting and comparison still work correctly when the index is used to retrieve encrypted data, which solves the retrieval problem after encryption and greatly improves the efficiency of ciphertext retrieval.
(4) Database-independent permission control and domestic cryptographic algorithms through external calls
Besides transparent encrypted access and efficient indexed access, another important goal is to call domestic cryptographic algorithms and to enforce permission control independently of the database. The key enabler is the database's support for calling external programs and communicating with them; as long as the communication interface is well defined, the encryption and decryption functions can be implemented as external calls. This not only allows the encryption algorithm of a domestic cryptographic device to be used, but also moves the permission check outside the database, so that the restriction applies even to the database superuser.
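The four aspects above, as an added worked example that is not part of the original article or of any vendor's product: a Python script using the built-in sqlite3 module, which supports INSTEAD OF triggers on views and lets Python functions be registered as SQL functions, standing in for the database's external-call interface. It carries out steps (1), (2) and (4): rename the table, publish a same-named view that decrypts on read, add INSTEAD OF triggers that encrypt on write, and put the permission check inside the externally supplied decrypt routine rather than in database privileges. The table, rows, key, principal names and the HMAC-SHA256 counter-mode keystream are all constructed for the demo; a real deployment would call the external cryptographic device's algorithm. Step (3), the extended index, has no SQLite equivalent and is left out. The same encrypt/decrypt functions also show what the application-layer scheme described earlier would have to do itself in every code path.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo key. In the scheme described above the key never lives in
# the database; it would be held by an external key manager or crypto device.
KEY = b"demo-key-not-for-production-0001"

# Permission control kept outside the database (assumed design): the decrypt
# routine consults this policy, so a database superuser who can SELECT the
# view still only gets plaintext if the calling identity is on the list.
AUTHORIZED_PRINCIPALS = {"billing_app"}
_current_principal = {"name": None}

def set_principal(name):
    """Hypothetical hook: a real proxy would derive this from the session context."""
    _current_principal["name"] = name

def _keystream(nonce, length):
    # HMAC-SHA256 in counter mode used as a keystream generator (demo only;
    # a real deployment would call AES-GCM or the external device's algorithm).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(plain):
    """Randomized encryption: a fresh 16-byte nonce is prepended to the ciphertext."""
    if plain is None:
        return None
    data = str(plain).encode("utf-8")
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))

def decrypt(blob):
    """Returns plaintext only for an authorized principal, otherwise a masked value."""
    if blob is None:
        return None
    if _current_principal["name"] not in AUTHORIZED_PRINCIPALS:
        return "***"
    blob = bytes(blob)
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct)))).decode("utf-8")

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    # Registering Python functions as SQL functions plays the role of the
    # database's external-call interface in the scheme.
    conn.create_function("db_encrypt", 1, encrypt)
    conn.create_function("db_decrypt", 1, decrypt)
    # The application's original table with one pre-existing plaintext row (constructed).
    conn.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, id_card TEXT);
        INSERT INTO customer VALUES (1, 'alice', '110101199001011234');
    """)
    conn.executescript("""
        -- (1) rename the real table, convert existing data, and publish a
        --     same-named view that decrypts the sensitive column on read
        ALTER TABLE customer RENAME TO customer_enc;
        UPDATE customer_enc SET id_card = db_encrypt(id_card);
        CREATE VIEW customer AS
            SELECT id, name, db_decrypt(id_card) AS id_card FROM customer_enc;
        -- (2) INSTEAD OF triggers encrypt on the way in, so INSERT/UPDATE/DELETE
        --     issued against the view land in the real table as ciphertext
        CREATE TRIGGER customer_ins INSTEAD OF INSERT ON customer
        BEGIN
            INSERT INTO customer_enc (id, name, id_card)
            VALUES (NEW.id, NEW.name, db_encrypt(NEW.id_card));
        END;
        CREATE TRIGGER customer_upd INSTEAD OF UPDATE ON customer
        BEGIN
            UPDATE customer_enc
               SET name = NEW.name, id_card = db_encrypt(NEW.id_card)
             WHERE id = OLD.id;
        END;
        CREATE TRIGGER customer_del INSTEAD OF DELETE ON customer
        BEGIN
            DELETE FROM customer_enc WHERE id = OLD.id;
        END;
    """)
    return conn

def run_demo():
    """Unchanged application SQL against 'customer'. Returns (view rows as the
    authorized application, view rows as an unauthorized DBA, raw stored rows)."""
    conn = build_demo_db()
    set_principal("billing_app")
    conn.execute("INSERT INTO customer (id, name, id_card) VALUES (2, 'bob', '310101198512123456')")
    conn.execute("UPDATE customer SET id_card = '310101198512129999' WHERE id = 2")
    as_app = conn.execute("SELECT id, name, id_card FROM customer ORDER BY id").fetchall()
    set_principal("dba")
    as_dba = conn.execute("SELECT id, name, id_card FROM customer ORDER BY id").fetchall()
    raw = conn.execute("SELECT id, id_card FROM customer_enc ORDER BY id").fetchall()
    return as_app, as_dba, raw

if __name__ == "__main__":
    for rows in run_demo():
        print(rows)
```

Run it and the view returns plaintext for the authorized application identity and masked values for anyone else, while the underlying table holds only nonce-prefixed ciphertext. A predicate such as WHERE id_card = '...' on the view has to decrypt every row, because randomized ciphertext can be neither indexed nor compared; that is exactly the retrieval cost the extended index of step (3) exists to remove.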
At present, the database encryption product Dbcoffer from the leading database security vendor An Huaqin is a typical representative of this technology.
This article is from the Database Security blog; please keep the source when reproducing it: http://schina.blog.51cto.com/9734953/1674984
Comparison of common database encryption techniques