The necessity of database encryption

Large database management systems typically run on Windows NT and Unix, operating systems whose security rating is usually C1 or C2. They provide user registration, user identification, discretionary access control (DAC), auditing and other security functions. Although the DBMS adds further security measures on top of the OS, such as permission-based access control, neither the OS nor the DBMS effectively protects the database files themselves: an experienced intruder can bypass the DBMS and use OS tools to read or tamper with the contents of the database files directly. This weakness is known as a "covert channel" into the DBMS, and it is hard for ordinary database users to perceive. Analysing and blocking covert channels is considered a B2-level security measure, and encrypting the sensitive data in the database is an effective way to block this channel.

According to reported figures, 80% of computer crime originates inside the system. In a traditional database system the database administrator's power is supreme: he is responsible for all system management, such as resource allocation, user authorization and system auditing, and can query all information in the database. For this reason many systems use various means to weaken the administrator's power. Once database encryption is in place, each user's (or user group's) data is encrypted under that user's own key, so the information the database administrator can obtain cannot be decrypted normally, and the security of the user's information is guaranteed. In addition, encryption turns the database's backups into ciphertext, which reduces the loss caused by theft or loss of backup media. Database encryption is therefore also indispensable for an enterprise's internal security management.
Some people may think that database encryption will seriously degrade the efficiency of the database system and overwhelm it. That is not the case. If encryption and decryption are performed on the database client, the load on the database server and the operation of the system are almost unaffected. On an ordinary PC, a pure software implementation of the DES algorithm runs at more than 200K bytes/sec, so encrypting or decrypting a document of 10,000 Chinese characters takes only about 1/10 second, a delay users hardly notice. Current encryption cards encrypt and decrypt at about 1M bit/sec; for small and medium database systems this speed makes even server-side encryption and decryption feasible, because ordinary relational data items are not very long (multimedia data is another matter). For example, if 10 users run queries concurrently and each retrieves on average 1000 characters of data, the first user's result is delayed by less than 0.02 seconds and the last user waits only about 0.16 seconds.

Basic requirements

According to our research, a good database encryption system should meet the following basic requirements:

1. Field-level encryption. Under current conditions, the granularity of encryption and decryption should be the field data of each record. Encrypting a whole file or a whole column inevitably means reusing one key many times, which either weakens the reliability of the encryption system or makes the extra processing time too long to be practical. Only encrypting and decrypting field data per record suits database operations while still allowing effective key management and a "one key per use" mode of cryptographic operation.

2. Dynamic key management.
The objects involved in database relational operations have complex logical relations, and one logical structure may correspond to several physical database objects. Database encryption therefore not only involves a large number of keys but also makes their organisation and storage complex, so the keys must be managed dynamically.

3. Proper handling of data. This covers several aspects. First, data types must be handled properly, otherwise the DBMS will refuse to load the data because the encrypted value does not conform to the defined data type. Second, storage must be handled: after the database is encrypted, the space overhead should be essentially unchanged. Under present conditions, fields used for matching in relational operations, such as join keys between tables and index fields, are not suitable for encryption. Document (text) fields, although they are also retrieval fields, should still be allowed to be encrypted, because retrieval on document fields uses full-text indexing techniques that differ from relational database indexes.

4. No impact on legitimate users. Operating the encryption system should keep response time as short as possible; at this stage the average delay should not exceed 1/10 second. In addition, data entry, modification and retrieval should be transparent to legitimate database users, who need not think about encryption and decryption at all.

Implementing database encryption at different levels

Encryption of database data can be implemented at three different levels: the OS layer, the DBMS kernel layer, and the DBMS outer layer. At the OS layer, the data relations inside a database file cannot be recognised, so no reasonable keys can be generated and proper key management is impossible.
Encrypting database files at the OS layer is therefore still hard to achieve for large databases.

Implementing encryption in the DBMS kernel layer means that data is encrypted and decrypted before physical access. This approach inevitably requires the DBMS developer to support the interface between the DBMS and the cryptographic device (hardware or software). Its advantage is strong encryption that hardly affects the functionality of the DBMS; its disadvantage is that encrypting and decrypting on the server side increases the load of the database server. This type of encryption is shown in Figure 1.

[Figure 1: encryption in the DBMS kernel layer]

A more practical approach is to make the database encryption system an outer-layer tool of the DBMS (Figure 2). Encryption and decryption can then be placed on the client, which has the advantage of not adding to the database server's load and of also encrypting network transmission; the disadvantage is that the encryption functions that can be offered are limited. In the diagram, the "define encryption requirements" tool module defines how the data of each database table is to be encrypted: after a table is created, its encryption is defined with this tool. The database application system performs the ordinary database definitions and operations, and the database encryption system automatically encrypts and decrypts the data according to the defined requirements.

[Figure 2: encryption as a DBMS outer-layer tool]

Problems of the encryption system

A database encryption system must first solve its own security and reliability problems. The following security measures can be used:

1. Two-level security control when the user enters the system.
This control can be implemented in various ways, including setting a database username and password, or using an IC card reader or fingerprint recogniser for user authentication.

2. Preventing illegal copying. For a pure-software system, software fingerprinting technology can be used to prevent illegal copying; of course, if every client is fitted with an encryption card or other hardware, security is better still. In addition, the database's original security measures, such as permission control, backup/recovery and audit control, should be preserved.

3. Secure data extraction. Two ways are provided to unload and load encrypted data: one unloads ciphertext, in which case no decryption takes place, the unloaded data is ciphertext, and the unload/load tools supplied by the DBMS can be used directly; the other unloads plaintext, in which case the system's own tools are used to convert the data before the DBMS's unload/load tools are used.

System structure

The database encryption system is divided into two functionally independent main components: the encryption dictionary management program and the database encryption/decryption engine. The architecture is shown in Figure 3.

[Figure 3: architecture of the database encryption system]

The user's specific encryption requirements for the database information are recorded in the encryption dictionary, which holds the basic information of the database encryption system. The encryption dictionary management program is a utility that manages the encryption dictionary and is the tool with which the database administrator changes the encryption requirements.
The encryption dictionary management program uses the database encryption/decryption engine to encrypt database tables, convert data and perform other functions; in doing so it acts as a special client of the engine. The database encryption/decryption engine is the core component of the database encryption system: it encrypts and decrypts database information in the background, transparently to application developers and operators.

A database encryption system implemented in this way has many advantages. First, the system is completely transparent to the end user of the database, and the data administrator can specify which data is to be encrypted and convert between plaintext and ciphertext as needed. Second, the system is completely independent of the database application system, so encryption is achieved without changing the application; at the same time the system uses block encryption and two-level key management and realises "one key per use". Third, performing encryption and decryption on the client does not affect the efficiency of the database server, and the delay of encryption and decryption is essentially imperceptible.

The database encryption system can effectively guarantee data security: even if an attacker steals critical data, he still has difficulty obtaining the information he needs, because all of it is encrypted. In addition, after database encryption the system administrator, who does not need to know the content of the data, can be prevented from seeing the plaintext, which greatly improves the security of critical data.

Original title: Database Encryption Technology Overview. Responsible editor: Zhao Zhaoyi, 51cto.com.
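The outer-layer architecture described above, and the basic requirements listed earlier (field granularity, one key per use, data-type and space handling, join and index fields left in plaintext), can be illustrated in one small program. The following is an added example and is not code from the original article or from any product it describes. It uses only Python's standard library: sqlite3 stands in for the DBMS, and HMAC-SHA256 in counter mode stands in for the article's DES block cipher (the standard library has no AES; a production engine would use AES-GCM or similar from a vetted library). The table and column names, the key hierarchy and the sample rows are all constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3

# Level-1 key: held only by the client-side engine, never stored in the DBMS.
# Constructed for this example; a real engine loads it from a card or keystore.
MASTER_KEY = secrets.token_bytes(32)

# Plays the role of the article's encryption dictionary: the (table, column)
# pairs stored as ciphertext. The join key `id` and the retrieval field `name`
# are deliberately absent, as the article advises for index and join fields.
ENCRYPTED_FIELDS = {("employee", "salary"), ("employee", "phone")}


def field_key(master: bytes, table: str, column: str, record_id: int) -> bytes:
    """Level-2 key: one working key per (table, column, record), so no keystream
    is ever reused across records ("one key per use" at field granularity)."""
    label = f"{table}\x00{column}\x00{record_id}".encode("utf-8")
    return hmac.new(master, label, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Length-preserving encrypt/decrypt: XOR data with HMAC(key, counter) blocks.
    Stand-in for a block cipher in CTR mode; ciphertext length equals plaintext
    length, so the encrypted column needs no extra space."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def _ident(name: str) -> str:
    """Only plain identifiers may be spliced into SQL text (names come from code)."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"bad identifier: {name!r}")
    return name


class FieldEncryptionEngine:
    """The article's client-side encryption/decryption engine (DBMS outer layer).
    Applications call insert()/select(); the DBMS sees only ciphertext in the
    columns listed in the encryption dictionary."""

    def __init__(self, conn: sqlite3.Connection, master: bytes, dictionary: set):
        self.conn, self.master, self.dictionary = conn, master, dictionary

    def _protect(self, table, column, record_id, value):
        if (table, column) not in self.dictionary or value is None:
            return value
        # Type handling: the plaintext is serialised to UTF-8 bytes and the
        # same-length ciphertext goes into a BLOB column the DBMS accepts.
        key = field_key(self.master, table, column, record_id)
        return keystream_xor(key, str(value).encode("utf-8"))

    def _reveal(self, table, column, record_id, value):
        if (table, column) not in self.dictionary or value is None:
            return value
        key = field_key(self.master, table, column, record_id)
        return keystream_xor(key, value).decode("utf-8")

    def insert(self, table: str, record_id: int, row: dict) -> None:
        cols = ["id"] + [_ident(c) for c in row]
        vals = [record_id] + [self._protect(table, c, record_id, v) for c, v in row.items()]
        sql = (f"INSERT INTO {_ident(table)} ({', '.join(cols)}) "
               f"VALUES ({', '.join('?' * len(vals))})")
        self.conn.execute(sql, vals)

    def select(self, table: str, record_id: int, columns: list) -> dict:
        cols = [_ident(c) for c in columns]
        sql = f"SELECT {', '.join(cols)} FROM {_ident(table)} WHERE id = ?"
        row = self.conn.execute(sql, (record_id,)).fetchone()
        return {c: self._reveal(table, c, record_id, v) for c, v in zip(cols, row)}


def demo():
    """Constructed sample: two employees with the same salary."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, "
                 "salary BLOB, phone BLOB)")
    engine = FieldEncryptionEngine(conn, MASTER_KEY, ENCRYPTED_FIELDS)
    engine.insert("employee", 1, {"name": "Alice", "salary": "5000", "phone": "010-00000001"})
    engine.insert("employee", 2, {"name": "Bob", "salary": "5000", "phone": "010-00000002"})

    # A legitimate user going through the engine sees transparent plaintext.
    via_engine = engine.select("employee", 1, ["name", "salary", "phone"])
    # An administrator using the DBMS's own tools (or a ciphertext unload, as in
    # "secure data extraction") bypasses the engine and sees ciphertext only.
    raw_salaries = [r[0] for r in conn.execute("SELECT salary FROM employee ORDER BY id")]
    return via_engine, raw_salaries


if __name__ == "__main__":
    plain, raw = demo()
    print(plain)  # {'name': 'Alice', 'salary': '5000', 'phone': '010-00000001'}
    print(raw)    # two different 4-byte blobs, neither equal to b'5000'
```

Two points the run makes visible: the two identical salaries are stored as two different ciphertexts because each record derives its own level-2 key, which is exactly what column- or file-level keying would lose; and the ciphertext columns are the same length as the plaintext, so the space overhead the article asks to keep unchanged stays at zero for the encrypted fields.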