Comparison of common database encryption technologies

Source: Internet
Author: User

As a database security technology that has emerged in recent years, database encryption has received increasing attention. This protection method, based on encryption at the storage layer, not only removes the leakage risk created by storing database contents in plaintext, but also guards against intrusion and unauthorized access from internal or external sources.

From a technical point of view, there are three main types of database encryption technology today: front proxy and encryption gateway methods, application-layer encryption methods, and post-proxy methods. What are the characteristics of these three types of technology?

Front proxy and encryption gateway technology

The idea of this technique is to add a Security Proxy service in front of the database. Users accessing the database must pass through the Security Proxy, which enforces security policies such as data encryption and decryption and access control; the Security Proxy then performs the final storage of the data in the database through the database access interface. The Security Proxy sits between client applications and the database storage engine. It is responsible for encrypting and decrypting the database's data, and the encrypted data is stored in the Security Proxy service.

This technology also has some problems and restrictions:

1) Because encrypted data must be kept in the Security Proxy, consistency with the data stored in the database is essentially impossible to guarantee.

2) Joint data retrieval: because data lives both inside and outside the database, joint retrieval across the two becomes very difficult, and full compatibility with SQL syntax is also very hard to achieve.

3) Application transparency: although database protocols have standards, in practice each database version introduces changes, extensions and enhancements, and applications that use these features must be modified. At the same time, emulating the database communication protocol in the Security Proxy is very difficult.

4) The database's query optimization, transaction processing and concurrency control cannot be used: query parsing, analysis, optimization, transaction processing and concurrent processing must all be completed in the Security Proxy, so the database's strengths in concurrency and query optimization are lost, and system performance and stability depend on the Security Proxy instead.

5) Stored procedures, triggers, functions and other server-side logic are difficult to support.

In addition, this technology must provide complex database management functions at the Security Proxy layer, such as SQL command parsing, communication services, storage management for encrypted data and its indexes, and transaction management, so the development workload is huge and the technical complexity is high. There also remain technical problems that cannot be solved, such as stored procedures and triggers.

Application layer encryption technology

The principle of application-layer encryption is that the application system encrypts sensitive data itself through an encryption API and stores the ciphertext in the underlying database file via its normal database interface (JDBC, ODBC, C API, etc.); on retrieval, the client receives the ciphertext and decrypts it. The application system also manages its own key system.

This solution also has obvious defects. The main disadvantage is that the application must perform the encryption and decryption itself, which increases programming complexity and is not transparent to existing systems: applications must undergo large-scale modification. In terms of efficiency, this solution cannot use the database's index mechanism, so retrieval performance on encrypted data drops sharply.

Post-proxy technology based on views and triggers

This technology uses views, triggers, extended indexes and external calls to encrypt data while remaining completely transparent to applications. Its core idea is to make full use of the customization and extension capabilities that the database itself provides (trigger extensibility, index extensibility, custom functions, views, and so on) to meet the main requirements of encrypted storage, encrypted data retrieval, and seamless application transparency.

The technical principles of this solution are as follows:

(1) Transparent query and processing of encrypted data through views

A database view can filter, project, aggregate, join and apply functions to the data in a table. This solution implements transparent access on the basis of the view mechanism: first, rename the original table and create a view with the original table's name; in the view, call the decryption function on the sensitive columns so that they are returned decrypted.

(2) Implement encrypted insertion and update through triggers

Database triggers respond to specific data-modification actions, and triggers on views are supported. This solution creates an INSTEAD OF trigger on the view; the trigger encrypts the plaintext data and inserts the ciphertext into the underlying table.

(3) Implement encrypted indexes through the database's extended index interface

Taking Oracle as an example, the index extension mechanism of Oracle Data Cartridge provides a ready-made framework for defining indexes and implementing operators, with user-supplied code executed for CREATE INDEX, INSERT, DELETE and UPDATE statements and for index scans. With this mechanism, a custom extended encryption index can be used to retrieve encrypted data, so the encrypted data can be sorted and compared normally; this solves the problem of encrypted data retrieval and greatly improves the efficiency of ciphertext retrieval.

(4) Using external interface calls to implement database-independent permission control and domestic encryption algorithms

Beyond transparent encrypted access and efficient index access, another important objective is to call domestic encryption algorithms and to control database permissions independently of the database. The key to this goal is external program calls and external communication support: the database supports calling external programs as long as the communication interface is defined, so the encryption and decryption functions can be implemented and called externally. In this way, not only can the algorithms of Chinese-made encryption devices be invoked from outside the database, but permission verification can also be completed outside the database, which limits the superuser's permissions.
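As an added example (not from the original article), the following Python script uses SQLite's INSTEAD OF triggers and user-defined functions to show steps (1), (2) and the external-call idea of (4): the application keeps querying `customer` unchanged while the base table `customer_enc` holds only ciphertext, and the crypto runs outside the SQL engine. The cipher is a constructed HMAC-SHA256 keystream stand-in for a real AES/SM4 device call, and the extended ciphertext index of step (3) is not shown.

```python
import hashlib, hmac, os, sqlite3

KEY = hashlib.sha256(b"demo-key-material-only").digest()  # constructed demo key; real deployments fetch it from a key server or device

def _keystream(nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the AES/SM4 call an encryption device would make.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(plaintext: str) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per value: equal plaintexts give different ciphertexts
    data = plaintext.encode("utf-8")
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data))))

def decrypt(blob: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(nonce, len(body)))).decode("utf-8")

def build_proxied_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    # Step (4): the crypto functions live outside the SQL engine and are registered as callable UDFs.
    con.create_function("enc", 1, encrypt)
    con.create_function("dec", 1, decrypt)
    con.executescript("""
        CREATE TABLE customer(id INTEGER PRIMARY KEY, name TEXT, card TEXT);
        INSERT INTO customer VALUES (1, 'alice', '4111-0000-0000-0001');  -- pre-existing plaintext row
        -- Step (1): rename the real table and give its old name to a decrypting view.
        ALTER TABLE customer RENAME TO customer_enc;
        UPDATE customer_enc SET card = enc(card);
        CREATE VIEW customer AS SELECT id, name, dec(card) AS card FROM customer_enc;
        -- Step (2): an INSTEAD OF trigger encrypts writes that the application aims at the view.
        CREATE TRIGGER customer_ins INSTEAD OF INSERT ON customer
        BEGIN
            INSERT INTO customer_enc(id, name, card) VALUES (NEW.id, NEW.name, enc(NEW.card));
        END;
    """)
    return con

def app_read(con: sqlite3.Connection, cid: int) -> str:
    # The unmodified application still queries "customer" and sees plaintext.
    return con.execute("SELECT card FROM customer WHERE id = ?", (cid,)).fetchone()[0]

def stored_form(con: sqlite3.Connection, cid: int) -> bytes:
    # What actually sits in the base table, i.e. what a direct reader of the storage gets.
    return con.execute("SELECT card FROM customer_enc WHERE id = ?", (cid,)).fetchone()[0]
```

Inserting through the view, for example `con.execute("INSERT INTO customer VALUES (2, 'bob', '5500-0000-0000-0002')")`, fires the trigger, so `app_read(con, 2)` returns the card number while `stored_form(con, 2)` returns only nonce and ciphertext bytes.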

Currently, the leading Chinese database security vendor Anhua Jinhe and its database encryption product DBCoffer are a typical example of this technology.
