
CN114785498A - A kind of database password protection method, device and equipment - Google Patents

A kind of database password protection method, device and equipment Download PDF

Info

Publication number
CN114785498A
Authority
CN
China
Prior art keywords
password
encryption
database
access
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210434269.5A
Other languages
Chinese (zh)
Inventor
谢永贵
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Qianhai Baidi Network Co ltd
Original Assignee
Shenzhen Qianhai Baidi Network Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Qianhai Baidi Network Co ltd
Priority to CN202210434269.5A
Publication of CN114785498A
Legal status: Pending

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

This application discloses a method, apparatus and device for protecting database passwords, comprising the following steps: obtaining an access password query request for a target database sent by an application service; querying the access password of the target database based on that request; encrypting the access password to obtain an encrypted password; and returning the encrypted password to the application service, so that the application service calls an encryption/decryption file generated in advance by the password service to decrypt the encrypted password and obtain the access password. Neither the plaintext password nor an encrypted password ciphertext therefore has to be written into the application or into configuration files and environment variables the application can access: encryption is performed by the password service and decryption by the encryption/decryption file it generated, which improves the security of the database password and prevents data leakage.

Description

Database password protection method, apparatus and device

Technical field

This application relates to the technical field of databases, and in particular to a database password protection method, apparatus and device.

Background

When a server-side program accesses a database it normally creates a connection to interact with it, and creating that connection requires the database URL, user name, password and similar information. These values are usually written into a configuration file, an environment variable or a code fragment that the application can read, and the database access channel is established from them when the connection is created. But this information is easily obtained by the developers and operations staff involved, or by an attacker, so the database password leaks, the data stored in the database is obtained illegally, and a serious data security incident results.

At present, the existing solution for protecting the database password is to encrypt it with some encryption technique before writing it into the configuration file or program code. When the application needs to establish a database connection it reads out the ciphertext, decrypts it with the same key and the corresponding decryption algorithm to recover the plaintext database access password, and then connects to the database. In this scheme, however, the key used for encryption and the encryption algorithm itself exist on the application server as part of the application or of the configuration files and environment variables it can access. The developers and operations staff involved, or an attacker who has illegally logged in to the application server, can still analyse the application, its configuration files and environment variables to obtain the encryption key and algorithm, and from them the database access password, so a serious security risk remains.

Summary of the invention

In view of this, the purpose of this application is to provide a database password protection method, apparatus and device that can improve the security of database passwords and thereby prevent data leakage. The specific scheme is as follows:

In a first aspect, this application discloses a database password protection method, applied to a password service, comprising:

obtaining an access password query request for a target database sent by an application service;

querying the access password of the target database based on the access password query request;

encrypting the access password to obtain an encrypted password;

returning the encrypted password to the application service, so that the application service calls an encryption/decryption file generated in advance by the password service to decrypt the encrypted password and obtain the access password.

Optionally, the method further comprises:

generating a public/private key pair corresponding to the application service, and adding the private key of the key pair to the encryption/decryption file;

correspondingly, encrypting the access password to obtain the encrypted password comprises:

encrypting the access password with the public key of the key pair to obtain the encrypted password;

and the application service is configured to call the private key in the encryption/decryption file to decrypt the encrypted password and obtain the access password.

Optionally, the access password query request carries a first ciphertext; the first ciphertext is obtained by encrypting request data with a target key held in the encryption/decryption file, and the request data includes identification information of the application service;

correspondingly, querying the access password of the target database based on the access password query request comprises:

decrypting the first ciphertext with the target key to obtain first decrypted data;

querying the public key corresponding to the application service based on the identification information in the first decrypted data and the source IP address of the access password query request;

if the public key is found, querying the access password of the target database.

Optionally, the request data further includes a second ciphertext; the second ciphertext is obtained by encrypting specified information with the private key held in the encryption/decryption file, and the specified information includes at least one of: the identification information of the application service, the egress IP address used to access the password service, and a random string generated by the encryption/decryption file;

correspondingly, if the public key is found, the method further comprises:

decrypting the second ciphertext with the public key to obtain second decrypted data;

verifying the second decrypted data, and querying the access password of the target database if the second decrypted data passes verification.

Optionally, verifying the second decrypted data comprises:

if the second decrypted data includes the identification information of the application service, comparing it with the identification information in the first decrypted data, and judging that the identification information passes verification if they match;

if the second decrypted data includes the egress IP address, comparing it with the source IP address of the access password query request, and judging that the egress IP address passes verification if they match;

if the second decrypted data includes the random string, judging whether this is the first time the random string has been received, and judging that the random string passes verification if it is;

when every item of specified information in the second decrypted data passes verification, judging that the second decrypted data passes verification.

Optionally, after encrypting the access password to obtain the encrypted password, the method further comprises:

encrypting the encrypted password together with the identification information of the application service with the target key to obtain a response ciphertext;

returning the response ciphertext to the application service, so that the application service calls the encryption/decryption file to decrypt the response ciphertext, compares the decrypted identification information with the pre-stored identification information and, if they match, decrypts the encrypted password to obtain the access password.

Optionally, the method further comprises:

obtaining an encryption/decryption file generation request;

judging whether the encryption/decryption file generation request is a local request, and generating the encryption/decryption file if it is.

Optionally, the method further comprises:

periodically determining an updated password for the target database and changing the current access password to the updated password.

In a second aspect, this application discloses a database password protection apparatus, applied to a password service, comprising:

a query request obtaining module, for obtaining an access password query request for a target database sent by an application service;

an access password query module, for querying the access password of the target database based on the access password query request;

an access password encryption module, for encrypting the access password to obtain an encrypted password;

an encrypted password return module, for returning the encrypted password to the application service, so that the application service calls an encryption/decryption file generated in advance by the password service to decrypt the encrypted password and obtain the access password.

In a third aspect, this application discloses an electronic device comprising a processor and a memory, wherein:

the memory is for storing a computer program;

the processor is for executing the computer program to implement the database password protection method described above.

In a fourth aspect, this application discloses a computer-readable storage medium for storing a computer program which, when executed by a processor, implements the database password protection method described above.

In a fifth aspect, this application discloses a computer program product which, when executed, implements the database password protection method described above.

It can be seen that in this application the password service first obtains the access password query request for the target database sent by the application service, then queries the access password of the target database based on that request, then encrypts the access password to obtain an encrypted password, and finally returns the encrypted password to the application service, which calls the encryption/decryption file generated in advance by the password service to decrypt it and obtain the access password. That is, the password service handles the application service's request for the target database's access password; after looking the password up it encrypts it and returns the encrypted password to the application service, and the application service can only decrypt it by calling the encryption/decryption file the password service generated in advance. In this way neither the plaintext password nor an encrypted password ciphertext has to be written into the application or into configuration files and environment variables it can access: encryption is done by the password service and decryption by the encryption/decryption file it generated, which improves the security of the database password and prevents data leakage.

Description of the drawings

In order to explain the embodiments of this application, or the technical solutions in the prior art, more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of this application, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.

Fig. 1 is a system architecture diagram used by a database password protection scheme disclosed in this application;

Fig. 2 is a flow chart of a database password protection method disclosed in this application;

Fig. 3 is a schematic diagram of a specific encryption/decryption file generation process disclosed in this application;

Fig. 4 is a flow chart of a specific database access password request disclosed in this application;

Fig. 5 is a schematic diagram of a database password protection scheme disclosed in this application;

Fig. 6 is a schematic structural diagram of a database password protection apparatus disclosed in this application;

Fig. 7 is a structural diagram of an electronic device disclosed in this application.

Detailed description

The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of this application, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of this application without creative effort fall within the scope of protection of this application.

As described in the background, the existing solution encrypts the database password before writing it into the configuration file or program code; when the application needs a connection it reads the ciphertext and decrypts it with the same key and the corresponding algorithm to recover the plaintext access password. Because that key and algorithm exist on the application server as part of the application or of the configuration files and environment variables it can access, the developers and operations staff involved, or an attacker who has logged in to the application server illegally, can still recover them by analysing the application, its configuration files and environment variables, and with them the database access password, so a serious security risk remains. This application therefore provides a database password protection scheme that improves the security of the database password and prevents data leakage.

The system framework used for the database password protection of this application is shown in Fig. 1 and may include a second electronic device 101 and a first electronic device 102, which communicate over a network 103. Each of the first and second electronic devices may be a terminal device or a server. For example, the first electronic device may be a server running the password service, and the second electronic device may be a terminal device running the application service. As shown in Fig. 1, the second electronic device sends an access password query request for the target database to the first electronic device over the network, and the first electronic device returns response data to the second electronic device.

Referring to Fig. 2, an embodiment of this application discloses a database password protection method, applied to a password service, comprising:

Step S11: obtaining an access password query request for a target database sent by an application service.

In a specific implementation, the embodiment may first obtain an encryption/decryption file generation request, judge whether that request is a local request and, if it is, generate the encryption/decryption file.

It should be pointed out that in this embodiment the password service exposes a database access password interface through which the application service obtains the database access password, and the encryption/decryption file is likewise generated by calling a corresponding interface of the password service. To prevent an attacker from generating an encryption/decryption file of their own and forging requests to the database access password interface, the password service restricts the file generation interface to local requests only. The maintainer of the application service can deploy the password service in a security domain and run the generation script by hand on the machine where the password service is deployed, so that encryption/decryption files can be generated only on that machine, which improves security.

The encryption/decryption file generation request carries the identification information of the application service and the egress IP address from which it accesses the password service. The identification information may be the application service's package name, and the egress IP address is the IP address bound when the application service calls the password service. When the password service judges the generation request to be a local request, it checks whether an encryption/decryption file has already been generated for that identification information and egress IP address; if not, it generates the encryption/decryption file for the application service (each application service corresponds to exactly one file), generates the public/private key pair for the application service and adds the private key to the file. It then saves the application service's identification information, its egress IP address and the public key in the password service database.

For example, Fig. 3 shows a specific encryption/decryption file generation process disclosed in this embodiment. To generate the file, the application service's package name and the egress IP address used to access the password service are entered. The password service checks whether an encryption/decryption file for that package name and IP address has already been generated; if not, it generates a public/private key pair, records the public key, the package name and the egress IP address in the password service database, generates the code of the encryption/decryption file, attaches the private key to that code, obfuscates the encryption/decryption code with code obfuscation techniques and finally compiles it into a .so file. The application service deployment loads this file to encrypt requests to, and decrypt responses from, the password service interface. Encryption/decryption files and application service deployment instances correspond one to one: correct encryption and decryption results are obtained only when the application service's package name and egress IP address match the entries in the password service database. Moreover, the encryption/decryption file accepts only an input string and returns the encryption or decryption result; it outputs no other information.

Step S12: querying the access password of the target database based on the access password query request.

In a specific implementation, the access password query request carries a first ciphertext, obtained by encrypting request data with a target key held in the encryption/decryption file; the request data includes the identification information of the application service. Correspondingly, the embodiment decrypts the first ciphertext with the target key to obtain first decrypted data, queries the public key corresponding to the application service based on the identification information in the first decrypted data and the source IP address of the access password query request, and, if the public key is found, queries the access password of the target database.

The target key may be a fixed key, and the fixed key may be changed periodically. If the public key cannot be found, an error response is returned.

It should be pointed out that in this embodiment the public key corresponding to the application service is looked up in the password service database using the identification information from the first decrypted data together with the source IP address of the access password query request. Because the database stores the egress IP address with which the application service accesses the password service, the lookup matches both the identification information and the request's source IP address, and the public key is returned only when both match. The egress IP address therefore restricts calls to the database access password interface to the designated machine, namely the one whose egress IP address was recorded when the encryption/decryption file was generated.

Further, the request data also includes a second ciphertext, obtained by encrypting specified information with the private key held in the encryption/decryption file; the specified information includes at least one of the identification information of the application service, the egress IP address used to access the password service, and a random string generated by the encryption/decryption file. Correspondingly, if the public key is found, the embodiment also decrypts the second ciphertext with the public key to obtain second decrypted data, verifies the second decrypted data and, if it passes verification, queries the access password of the target database.

Verifying the second decrypted data comprises: if the second decrypted data includes the identification information of the application service, comparing it with the identification information in the first decrypted data, and judging that the identification information passes verification if they match; if the second decrypted data includes the egress IP address, comparing it with the source IP address of the access password query request, and judging that the egress IP address passes verification if they match; if the second decrypted data includes the random string, judging whether this is the first time the random string has been received, and judging that it passes verification if so and fails otherwise; and when every item of specified information in the second decrypted data passes verification, judging that the second decrypted data passes verification. If any item of specified information fails verification, the second decrypted data is judged to have failed verification and an error response is generated.

Step S13: Encrypt the access password to obtain an encrypted password.

In a specific implementation, the access password may be encrypted with the public key of the public-private key pair to obtain the encrypted password.

Step S14: Return the encrypted password to the application service, so that the application service can invoke the encryption/decryption file pre-generated by the password service to decrypt the encrypted password and obtain the access password.

In a specific implementation, after the access password is encrypted to obtain the encrypted password, the method further includes: encrypting the encrypted password together with the identification information of the application service using the target key to obtain a response ciphertext; then returning the response ciphertext to the application service, so that the application service invokes the encryption/decryption file to decrypt the response ciphertext, compares the identification information obtained by decryption with the pre-stored identification information and, if they are consistent, decrypts the encrypted password to obtain the access password.

In addition, the encryption/decryption file decrypts the encrypted password with the private key to obtain the access password.

For example, see FIG. 4, which is a flow chart of a specific database access password request disclosed in an embodiment of the present application. The encryption/decryption module in FIG. 4 is a functional module implemented on the basis of the encryption/decryption file. The application service calls the encryption/decryption module to verify the package name of the application service. If the verification succeeds, a request string is generated as the specified information, for example {"pkg":"com.xxx","ip":"xxx.xxx.xxx.xx","rand":"dsfetjewotwerweutweojoooifjejlerk"}, where pkg is the package name of the application service, ip is the egress IP address used to access the password service, and rand is the generated random string. The request string is encrypted with the private key to obtain the cip parameter, that is, the second ciphertext; the application service package name and the second ciphertext are then encrypted with the fixed key to generate the first ciphertext, and a request is initiated on the basis of the first ciphertext. If the verification fails, an invalid ciphertext is generated instead, the invalid ciphertext and the application service package name are encrypted with the fixed key, and the request is initiated with that. The invalid ciphertext is obtained by encrypting an error identifier with the private key.

After the password service receives the request, it first decrypts the request data with the fixed key and obtains the source IP address of the request from the network layer, then looks up the public key in the password service data according to the application service package name and the source IP address. If the public key exists, the cip parameter is decrypted with it to obtain the application service package name preset in the encryption/decryption module, the egress IP address used to access the password service and the random string, and these are verified. Once they pass, the access password of the database is queried, encrypted first with the public key and then, together with the application package name, with the fixed key, and the response is returned. On receiving the response, the application service calls the encryption/decryption module to decrypt it: the fixed key is applied first, the application package name is verified, and after that check succeeds the private key is applied, yielding the database access password. If the password service, after decrypting the request with the fixed key, obtains the invalid ciphertext, decrypting it with the public key yields the error identifier, which cannot pass the verification; in that case the embodiment may record the source IP address of the request as a risky IP.
In other words, in this embodiment the application service obtains the database access password by calling the password service interface, using the encryption/decryption module provided by the password service to encrypt the request data and to decrypt the response data returned by the interface, thereby protecting the access password of the database.
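The server-side checks of the second decrypted data (the per-field comparison and the one-time random string) and the invalid-ciphertext branch of the FIG. 4 flow, as an added Python illustration that is not the patent's or the applicant's code. The fixed-key and public-key layers are assumed to have been removed already by the caller, so both decrypted payloads arrive as plain dicts; every name, key and sample value is constructed.

```python
"""Decision logic of the password service after both cipher layers are removed.
Added illustration, not the patent's code; all identifiers are constructed."""
from dataclasses import dataclass, field

# Constructed stand-in for the "error identifier" the encryption/decryption
# module encrypts when the package name check on the application side fails.
ERROR_IDENTIFIER = "ERR"


@dataclass
class PasswordService:
    # (package name, egress IP) -> public key handle; a constructed registry.
    public_keys: dict
    # target database -> current access password; constructed values.
    db_passwords: dict
    seen_random_strings: set = field(default_factory=set)
    risky_ips: set = field(default_factory=set)

    def lookup_public_key(self, pkg, source_ip):
        """The key is bound to package name AND source IP, so a known package
        name arriving from an unexpected address finds nothing."""
        return self.public_keys.get((pkg, source_ip))

    def verify_specified_info(self, second, first_pkg, source_ip):
        """Apply the per-field checks to whatever fields the request string
        carries. Every field present must pass; one failure fails the whole."""
        if not isinstance(second, dict) or not second:
            return False
        if "pkg" in second and second["pkg"] != first_pkg:
            return False
        if "ip" in second and second["ip"] != source_ip:
            return False
        if "rand" in second:
            # Replay check: a random string is accepted only on first sight.
            # It is recorded only after the earlier fields passed, so a request
            # rejected on pkg or ip does not consume the string.
            if second["rand"] in self.seen_random_strings:
                return False
            self.seen_random_strings.add(second["rand"])
        return True

    def handle_query(self, first, source_ip, second, target_db):
        """first: first decrypted data (fixed-key layer removed), e.g. {"pkg": ...}.
        second: decrypted cip parameter (public-key layer removed): a dict, or
        ERROR_IDENTIFIER when the application sent the invalid ciphertext.
        Returns the response body before the caller re-applies the public-key
        layer and then the fixed-key layer."""
        pkg = first["pkg"]
        if self.lookup_public_key(pkg, source_ip) is None:
            return {"error": "unknown application service"}
        if second == ERROR_IDENTIFIER:
            # The client-side package name check failed; record the source.
            self.risky_ips.add(source_ip)
            return {"error": "verification failed"}
        if not self.verify_specified_info(second, pkg, source_ip):
            return {"error": "verification failed"}
        if target_db not in self.db_passwords:
            return {"error": "unknown database"}
        return {"pkg": pkg, "password": self.db_passwords[target_db]}
```

Only fields present in the request string are checked, so a request string that carries just pkg gets no replay protection; the binding is only as strong as the fields the encryption/decryption module puts into the string.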

Further, in this embodiment the password service may also periodically determine an updated password for the target database and change the current access password to the updated password.

In a specific implementation, the password service may start a scheduled task that periodically changes the access password of the application database and, after each change, notifies the relevant parts of the application system that the changed password can only be obtained through a legitimate request to the password service interface. In this way, even if an attacker obtains the access password of the application database, it becomes invalid after a period of time, which improves password security. In addition, an initial password may be specified before the scheduled task that dynamically changes the application database password is started.

Further, see FIG. 5, which is a schematic diagram of a database password protection scheme disclosed in an embodiment of the present application. The scheme provides the application service with a database access password interface through an access-restricted database access password service; the application service obtains the database access password through this interface and uses it to create the database connection. To improve password security, the database access password service changes the database access password at random, while the application service calls the encryption/decryption module provided by the password service to encrypt the request data before calling the database access password interface, and decrypts the data returned by the interface to obtain the database access password. The encryption/decryption module is a functional module implemented on the basis of the encryption/decryption file, and the encryption/decryption file is generated by the password service.

It can be seen that in this embodiment of the present application, the password service first obtains the access password query request for the target database sent by the application service, then queries the access password of the target database on the basis of the request, then encrypts the access password to obtain an encrypted password, and finally returns the encrypted password to the application service, so that the application service can invoke the encryption/decryption file pre-generated by the password service to decrypt the encrypted password and obtain the access password. In other words, the password service handles the application service's request for the access password of the target database; after the access password is found it is encrypted, and the encrypted password is returned to the application service, which can decrypt it only by invoking the encryption/decryption file pre-generated by the password service. This avoids writing the password, in plaintext or as an encrypted ciphertext, into the application or into configuration files or environment variables the application can access; encrypting through the password service and decrypting through the encryption/decryption file it generates improves the security of the database password and thereby prevents data leakage.

Referring to FIG. 6, an embodiment of the present application discloses a database password protection device, applied to a password service, which includes:

a query request obtaining module 11, configured to obtain the access password query request for a target database sent by an application service;

an access password query module 12, configured to query the access password of the target database on the basis of the access password query request;

an access password encryption module 13, configured to encrypt the access password to obtain an encrypted password;

an encrypted password return module 14, configured to return the encrypted password to the application service, so that the application service can invoke the encryption/decryption file pre-generated by the password service to decrypt the encrypted password and obtain the access password.

It can be seen that in this embodiment of the present application, the password service first obtains the access password query request for the target database sent by the application service, then queries the access password of the target database on the basis of the request, then encrypts the access password to obtain an encrypted password, and finally returns the encrypted password to the application service, so that the application service can invoke the encryption/decryption file pre-generated by the password service to decrypt the encrypted password and obtain the access password. In other words, the password service handles the application service's request for the access password of the target database; after the access password is found it is encrypted, and the encrypted password is returned to the application service, which can decrypt it only by invoking the encryption/decryption file pre-generated by the password service. This avoids writing the password, in plaintext or as an encrypted ciphertext, into the application or into configuration files or environment variables the application can access; encrypting through the password service and decrypting through the encryption/decryption file it generates improves the security of the database password and thereby prevents data leakage.

Further, the device also includes an encryption/decryption file generation module, specifically configured to: obtain an encryption/decryption file generation request; determine whether the encryption/decryption file generation request is a local request and, if it is, generate the encryption/decryption file.

Moreover, the encryption/decryption file generation module is also configured to generate the public-private key pair corresponding to the application service and add the private key of the pair to the encryption/decryption file;

Correspondingly, the access password encryption module 13 is specifically configured to encrypt the access password with the public key of the public-private key pair to obtain the encrypted password, and the application service is configured to invoke the private key in the encryption/decryption file to decrypt the encrypted password and obtain the access password.

Further, the access password query request carries a first ciphertext; the first ciphertext is obtained by encrypting request data with the target key in the encryption/decryption file, and the request data includes the identification information of the application service;

Correspondingly, the access password query module 12 includes:

a first decryption module, configured to decrypt the first ciphertext with the target key to obtain first decrypted data;

a public key query module, configured to look up the public key corresponding to the application service on the basis of the identification information in the first decrypted data and the source IP address of the access password query request;

a password query module, configured to query the access password of the target database if the public key is found.

Further, the request data also includes a second ciphertext; the second ciphertext is obtained by encrypting specified information with the private key in the encryption/decryption file, and the specified information includes at least one of: the identification information of the application service, the egress IP address used to access the password service, and a random string generated by the encryption/decryption file;

Correspondingly, the password query module also includes:

a second decryption module, configured to decrypt the second ciphertext with the public key to obtain second decrypted data if the public key query module finds the public key;

a decrypted data verification module, configured to verify the second decrypted data and, if the second decrypted data passes the verification, query the access password of the target database.

Further, the decrypted data verification module is specifically configured to:

if the second decrypted data includes the identification information of the application service, compare that identification information with the identification information in the first decrypted data and, if they are consistent, determine that the identification information passes the verification;

if the second decrypted data includes the egress IP address, compare the egress IP address with the source IP address of the access password query request and, if they are consistent, determine that the egress IP address passes the verification;

if the second decrypted data includes the random string, determine whether this is the first time the random string has been received and, if so, determine that the random string passes the verification;

when every item of the specified information in the second decrypted data passes the verification, determine that the second decrypted data passes the verification.

Further, the device also includes:

an encryption module, configured to encrypt the encrypted password together with the identification information of the application service using the target key to obtain a response ciphertext;

Correspondingly, the encrypted password return module 14 is specifically configured to return the response ciphertext to the application service, so that the application service invokes the encryption/decryption file to decrypt the response ciphertext, compares the identification information obtained by decryption with the pre-stored identification information and, if they are consistent, decrypts the encrypted password to obtain the access password.

In addition, the device also includes an access password update module, configured to periodically determine an updated password for the target database and change the current access password to the updated password.

Referring to FIG. 7, an embodiment of the present application discloses an electronic device 20 including a processor 21 and a memory 22, where the memory 22 is configured to store a computer program and the processor 21 is configured to execute the computer program so as to implement the database password protection method disclosed in the foregoing embodiments.

For the specific process of the database password protection method described above, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.

Moreover, the memory 22, as the carrier for resource storage, may be a read-only memory, a random access memory, a magnetic disk, an optical disk or the like, and the storage may be temporary or permanent.

In addition, the electronic device 20 also includes a power supply 23, a communication interface 24, an input/output interface 25 and a communication bus 26. The power supply 23 provides the operating voltage for each hardware component of the electronic device 20; the communication interface 24 creates a data transmission channel between the electronic device 20 and external devices, following any communication protocol applicable to the technical solution of the present application, which is not specifically limited here; the input/output interface 25 obtains data input from outside or outputs data to the outside, and its specific interface type may be selected according to the needs of the application and is not specifically limited here.

Further, an embodiment of the present application also discloses a computer-readable storage medium for storing a computer program, where the computer program, when executed by a processor, implements the database password protection method disclosed in the foregoing embodiments.

For the specific process of the database password protection method described above, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.

An embodiment of the present application also discloses a computer program product which, when executed, implements the database password protection method disclosed in the foregoing embodiments.

For the specific process of the database password protection method described above, reference may be made to the corresponding content disclosed in the foregoing embodiments, which is not repeated here.

The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant points may be found in the description of the method.

The steps of the method or algorithm described in connection with the embodiments disclosed herein may be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the technical field.

The database password protection method, device and equipment provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and implementations of the present application; the description of the above embodiments is intended only to help understand the method of the present application and its core idea. At the same time, a person of ordinary skill in the art may, in accordance with the idea of the present application, make changes to the specific implementations and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (11)

1. A database password protection method, characterized in that it is applied to a password service and comprises:
obtaining an access password query request for a target database sent by an application service;
querying the access password of the target database on the basis of the access password query request;
encrypting the access password to obtain an encrypted password;
returning the encrypted password to the application service, so that the application service invokes an encryption/decryption file pre-generated by the password service to decrypt the encrypted password and obtain the access password.

2. The database password protection method according to claim 1, characterized by further comprising:
generating a public-private key pair corresponding to the application service, and adding the private key of the pair to the encryption/decryption file;
correspondingly, encrypting the access password to obtain the encrypted password comprises:
encrypting the access password with the public key of the public-private key pair to obtain the encrypted password;
and the application service is configured to invoke the private key in the encryption/decryption file to decrypt the encrypted password and obtain the access password.

3. The database password protection method according to claim 2, characterized in that the access password query request carries a first ciphertext; the first ciphertext is obtained by encrypting request data with a target key in the encryption/decryption file, and the request data comprises identification information of the application service;
correspondingly, querying the access password of the target database on the basis of the access password query request comprises:
decrypting the first ciphertext with the target key to obtain first decrypted data;
looking up the public key corresponding to the application service on the basis of the identification information in the first decrypted data and the source IP address of the access password query request;
if the public key is found, querying the access password of the target database.

4. The database password protection method according to claim 3, characterized in that the request data further comprises a second ciphertext; the second ciphertext is obtained by encrypting specified information with the private key in the encryption/decryption file, and the specified information comprises at least one of the identification information of the application service, the egress IP address used to access the password service, and a random string generated by the encryption/decryption file;
correspondingly, if the public key is found, the method further comprises:
decrypting the second ciphertext with the public key to obtain second decrypted data;
verifying the second decrypted data, and, if the second decrypted data passes the verification, querying the access password of the target database.

5. The database password protection method according to claim 4, characterized in that verifying the second decrypted data comprises:
if the second decrypted data comprises the identification information of the application service, comparing that identification information with the identification information in the first decrypted data and, if they are consistent, determining that the identification information passes the verification;
if the second decrypted data comprises the egress IP address, comparing the egress IP address with the source IP address of the access password query request and, if they are consistent, determining that the egress IP address passes the verification;
if the second decrypted data comprises the random string, determining whether this is the first time the random string has been received and, if so, determining that the random string passes the verification;
when every item of the specified information in the second decrypted data passes the verification, determining that the second decrypted data passes the verification.

6. The database password protection method according to claim 3, characterized in that, after encrypting the access password to obtain the encrypted password, the method further comprises:
encrypting the encrypted password and the identification information of the application service with the target key to obtain a response ciphertext;
returning the response ciphertext to the application service, so that the application service invokes the encryption/decryption file to decrypt the response ciphertext, compares the identification information obtained by decryption with the pre-stored identification information and, if they are consistent, decrypts the encrypted password to obtain the access password.

7. The database password protection method according to claim 1, characterized by further comprising:
obtaining an encryption/decryption file generation request;
determining whether the encryption/decryption file generation request is a local request and, if it is, generating the encryption/decryption file.

8. The database password protection method according to any one of claims 1 to 7, characterized by further comprising:
periodically determining an updated password for the target database, and changing the current access password to the updated password.

9. A database password protection device, characterized in that it is applied to a password service and comprises:
a query request obtaining module, configured to obtain an access password query request for a target database sent by an application service;
an access password query module, configured to query the access password of the target database on the basis of the access password query request;
an access password encryption module, configured to encrypt the access password to obtain an encrypted password;
an encrypted password return module, configured to return the encrypted password to the application service, so that the application service invokes an encryption/decryption file pre-generated by the password service to decrypt the encrypted password and obtain the access password.

10. An electronic device, characterized by comprising a processor and a memory, wherein
the memory is configured to store a computer program;
the processor is configured to execute the computer program to implement the database password protection method according to any one of claims 1 to 8.

11. A computer-readable storage medium, characterized in that it is configured to store a computer program, wherein the computer program, when executed by a processor, implements the database password protection method according to any one of claims 1 to 8.
CN202210434269.5A 2022-04-24 2022-04-24 A kind of database password protection method, device and equipment Pending CN114785498A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210434269.5A CN114785498A (en) 2022-04-24 2022-04-24 A kind of database password protection method, device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210434269.5A CN114785498A (en) 2022-04-24 2022-04-24 A kind of database password protection method, device and equipment

Publications (1)

Publication Number Publication Date
CN114785498A true CN114785498A (en) 2022-07-22

Family

ID=82433504

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210434269.5A Pending CN114785498A (en) 2022-04-24 2022-04-24 A kind of database password protection method, device and equipment

Country Status (1)

Country Link
CN (1) CN114785498A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119484129A (en) * 2024-11-20 2025-02-18 杭州安恒信息技术股份有限公司 A database access method, device, equipment and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101098225A (en) * 2006-06-29 2008-01-02 中国银联股份有限公司 Secure data transmission method and payment method, payment terminal and payment server
CN107579972A (en) * 2017-09-01 2018-01-12 掌阅科技股份有限公司 Cipher management method, electronic equipment, computer-readable storage medium
CN110740124A (en) * 2019-09-20 2020-01-31 平安普惠企业管理有限公司 Account password distribution method and device, storage medium and computer equipment
CN112637136A (en) * 2020-12-03 2021-04-09 北京北信源软件股份有限公司 Encrypted communication method and system
CN112800448A (en) * 2021-01-28 2021-05-14 杉德银卡通信息服务有限公司 Database secure connection method, proxy server and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
修文群等: "Intranet实务经典", vol. 1, 31 August 2000, 中国电力出版社, pages: 164 - 167 *
田翠华: "基于GT4的物联网交通信息服务仿真研究", vol. 1, 31 January 2017, 厦门大学出版社, pages: 166 - 170 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination