CN104794410B - A kind of database security protection method based on reliable computing technology - Google Patents
- Publication number: CN104794410B (application CN201510128903.2A)
- Authority: CN (China)
- Prior art keywords: database, audit, security, management system, value
- Legal status: Active (the status is an assumption by Google, not a legal conclusion)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Abstract
The invention discloses a database security protection method based on trusted computing technology. The data on which database security mechanisms such as authentication, access control and auditing rely, namely the identity information, authorization information, audit configuration information and audit logs of the database management system, is placed on a foundation of a trustworthy system environment and hardware security, so that an adversary cannot tamper with this data in order to subvert the security mechanisms and carry out attacks. On this basis, a secure database system for storing sensitive data can be built around a security chip, ensuring that the security-related data of the database security mechanisms cannot be tampered with and thereby improving the security of the security mechanisms of the database management system.
Description
Technical field
The invention proposes a database security protection method based on trusted computing technology and belongs to the field of database security.
Background
With the growth of informatization, more and more data is stored in databases, and both external threats such as viruses, Trojans and hacker attacks and the malicious behaviour of insiders can seriously affect a database system. To counter these threats, secure databases employ various security mechanisms such as authentication, access control and auditing. However, secure databases do not adequately protect the data on which these mechanisms rely; once this security-related data is tampered with, the consequences for the database system are extremely serious. To address the data security threat that arises because the protection of the security mechanisms themselves lags behind, the security-related data stored in the database must itself be protected.
Existing database security technology, however, has two significant defects that prevent it from ensuring the security of this data. First, the protection of security-related data is not bound to the security of the environment. Traditional integrity protection for database security-related data is usually built on the premise that the environment is relatively safe, for example that the operating system is free of viruses and Trojans, an assumption that is hard to justify. Once the system environment has been compromised, a secure database cannot guarantee the integrity of its security-related data even if integrity protection is applied. The reason is that the security of the system environment is not checked when the integrity of the security-related data is measured: an integrity measurement value produced in an insecure environment is itself untrustworthy, and an integrity check based on that value is even less trustworthy. Moreover, without a check of the system environment, the result of verifying the integrity measurement value can also be tampered with and is likewise untrustworthy.
Second, the protection of security-related data is not rooted in hardware. Traditional integrity protection for database security-related data usually rests on the security of a Trusted Computing Base (TCB) implemented in software. A software TCB cannot completely prevent an attacker from tampering with security-related data; for example, insiders with access to the database system who turn malicious can tamper with security-related data without being easily detected, causing serious losses. A secure database scheme without hardware support cannot solve this problem.
In short, current secure databases lack a database security protection method that can store database security-related data safely and bind the operation of their security mechanisms to the security of the system environment and the underlying hardware.
Summary of the invention
In view of the above problems, the present invention provides a database security protection method based on trusted computing technology that ensures the data on which the database security mechanisms rely is trustworthy: identity information, access control authorization information, audit configuration information and audit logs are integrity-protected, and their integrity is bound to the system environment and the underlying hardware, so that tampering with this security-related data by remote attackers or insiders can be detected effectively.
The basic principle of the technique is as follows. A signing key generated by the security chip (TCM/TPM) is used to sign the integrity measurement values of the tables that store security-related data (identity information, authorization information, audit configuration information, audit logs and so on), and the secure system environment in which that signing key may be used is specified. Because the signing key is protected by the hardware of the security chip, an attacker cannot obtain the key directly and therefore cannot forge signatures. At the same time, because the key's usage environment is the secure state of the database, an attacker cannot tamper with the database management system TCB and then use the signing key to sign tampered data.
To achieve the above object, the present invention adopts the following technical solution:
A database security protection method based on trusted computing technology, which, on the basis of the database management system TCB, protects the database through a security chip and a trusted measurement module. The method specifically comprises:
1) The system using the method performs secure boot based on the security chip and builds a chain of trust that includes the trusted measurement module and the database management system TCB. At the same time, the security chip generates a signing key whose usage environment is specified as this chain-of-trust environment.
2) When a security mechanism writes security-related data into the database, the trusted measurement module first performs a trusted measurement of the security state of the current database management system TCB. If the TCB is in a secure state, the signing key is used to sign the integrity measurement value of the security-related data, and the data and its signature value are stored together in the database.
3) When a security mechanism reads the security-related data from the database, the trusted measurement module first performs a trusted measurement of the security state of the current database management system TCB. If the TCB is in a secure state, the signature value read and the integrity of the security-related data are verified (that is, the integrity value computed now is compared with the integrity value obtained in step 2; if they match, the data is shown to be intact).
Further, the security mechanisms comprise an authentication mechanism, an access control mechanism and an audit mechanism, and the security-related data comprises identity information, authorization information, audit configuration information and audit logs. The authentication mechanism confirms identities according to the identity information stored in the database; the access control mechanism performs access control according to the authorization information stored in the database; and the audit mechanism performs auditing according to the audit configuration information stored in the database.
Further, the write flow for identity information comprises the following steps:
1-a) Obtain the user's identity information through the authentication mechanism and request the signing key of the security chip;
1-b) Use the trusted measurement module to perform a trusted measurement of the security state of the current database management system TCB;
1-c) If the database management system TCB is in a secure state, the authentication mechanism signs the integrity value of the identity information with the signing key and stores the information together with the signature value in the database.
Further, the read flow for identity information comprises the following steps:
2-a) The authentication mechanism reads the identity information and its signature value from the database;
2-b) The authentication mechanism verifies the signature value and the integrity of the identity information. If the check passes, subsequent authentication operations may proceed; otherwise a verification failure is reported.
Further, the write flow for authorization information comprises the following steps:
3-a) Obtain the security administrator's authorization information through the access control mechanism and request the signing key of the security chip;
3-b) Use the trusted measurement module to perform a trusted measurement of the security state of the current database management system TCB;
3-c) If the database management system TCB is in a secure state, the access control mechanism signs the integrity value of the authorization information with the signing key and stores the authorization information together with the signature value in the database.
Further, the read flow for authorization information comprises the following steps:
4-a) The access control mechanism reads the authorization information and its signature value from the database;
4-b) The access control mechanism verifies the signature value and the integrity of the authorization information. If the check passes, access control is performed according to this authorization information; otherwise a verification failure is reported.
Further, the write flow for audit configuration information comprises the following steps:
5-a) Obtain the audit administrator's audit configuration information through the audit mechanism and request the signing key of the security chip;
5-b) Use the trusted measurement module to perform a trusted measurement of the security state of the current database management system TCB;
5-c) If the database management system TCB is in a secure state, the audit mechanism signs the integrity value of the audit configuration information with the signing key and stores the information together with the signature value in the database.
Further, the read flow for audit configuration information comprises the following steps:
6-a) The audit mechanism reads the configuration information and its signature value from the database;
6-b) The audit mechanism verifies the signature value and the integrity of the configuration information. If the check passes, auditing is performed according to this configuration information; otherwise a verification failure is reported.
Further, the write flow for the audit log comprises the following steps:
7-a) Before writing an audit record, the audit mechanism requests the signing key of the security chip;
7-b) Use the trusted measurement module to perform a trusted measurement of the security state of the current database management system TCB;
7-c) If the database management system TCB is in a secure state, the audit mechanism signs the integrity value of the audit record with the signing key and stores the audit record together with the signature value in the database.
Further, the above steps also comprise modifying the format of the original audit log by adding two attribute columns to store a count value and an integrity value respectively. Each time an audit record is generated, the audit mechanism queries the current count value of the monotonic counter provided by the security chip, then signs the integrity value of the record together with the counter value using the security chip's signing key and stores them.
Further, the read flow for the audit log comprises the following steps:
8-a) The audit mechanism reads the audit log and its signature values from the database;
8-b) The audit mechanism verifies the signature values and the integrity of the audit records. If the check passes, subsequent audit query and analysis operations may proceed; otherwise a verification failure is reported.
The beneficial effects of the present invention are as follows:
The present invention establishes the data on which database security mechanisms such as the authentication, access control and audit mechanisms rely, namely security-related data such as identity information, access control authorization information, audit configuration information and audit logs, on the basis of a trustworthy system environment and hardware security, preventing an adversary from tampering with this data in order to subvert the database security mechanisms and carry out attacks. Whenever this security-related data is to be used, the invention verifies its integrity to ensure it has not been illegally tampered with. Before the integrity verification, the invention also checks the system environment using trusted measurement technology, ensuring that the verification result is trustworthy. In addition, the signing key for the security-related data is protected by encryption in the hardware security chip, so the security is hardware-based. The security-related data of the database security mechanisms is thereby guaranteed against tampering, which improves the security of the security mechanisms of the database management system.
Brief description of the drawings
Fig. 1 is a schematic diagram of the architecture of the database security protection method based on trusted computing technology.
Detailed description
The specific implementation of the key technical modules described in the summary of the invention is explained below by way of example; this explanation does not limit the scope of the invention.
The architecture of the database security protection method based on trusted computing technology of the present invention is shown in Fig. 1 and mainly comprises the security chip (TCM/TPM), the trusted measurement module, and the authentication mechanism, access control mechanism and audit mechanism within the database management system TCB. The security chip provides the root of trust and the signing key; the trusted measurement module performs trusted measurement of processes or files in the system environment on the basis of the chain of trust formed at system boot; the authentication mechanism confirms identities according to the identity information stored in the database; the access control mechanism performs access control according to the authorization information stored in the database; and the audit mechanism performs auditing according to the audit configuration information stored in the database.
The two foundational modules, the security chip and the trusted measurement module, are introduced first. The present invention uses some of the functions they provide, but how the modules themselves are implemented is outside the scope of the invention. Only the functions relevant to the invention are explained below.
1. Security chip
The functions or mechanisms the present invention requires of the security chip are mainly the root of trust for measurement and key protection. The root of trust for measurement is the foundation on which the system's chain of trust, protected by the security chip, is built; there are many ways to construct the chain of trust from that root to the trusted measurement module, for example static measurement. Key protection is the protection the security chip provides for the keys it generates. Typically the security chip has a Storage Root Key (SRK), which is created when the chip is initialized and is kept inside the chip so that an attacker cannot obtain it. With the SRK as parent key, an asymmetric key pair can be created, the usage environment of its private key declared (by specifying the environment measurement values held in the security chip), and the private key encrypted and stored outside the chip. To sign or decrypt with this private key, it must be loaded into the security chip and used there, that is, decrypted by the SRK inside the chip. This achieves two goals: first, the security of the key rests on the hardware chip; second, the environment in which the key is used must be the expected one. Finally, the security chip referred to in the present invention may be a domestic TCM chip, a TPM chip, or other software or hardware providing the functions above. The storage root key of the security chip referred to in this invention means the public/private key pair for encryption and decryption generated and protected by the security chip and does not necessarily mean the SRK specifically. Likewise, the signing key mentioned above means the public/private key pair for signing generated and protected by the security chip.
2. Trusted measurement module
The trusted measurement module resides in the operating system kernel and is itself measured while the chain of trust is built at system boot, so it lies within the TCB of the whole system. The present invention requires the function it provides of measuring the integrity of any process started in the system environment and extending the measurement result into the security chip.
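As an added illustration (not code from the patent or its authors), the following Python simulation ties together method steps 1) to 3), the per-mechanism write and read flows, and the key binding described under the security chip and trusted measurement module. A constructed SecurityChip holds a measurement register that the trusted measurement module extends with each boot component, and it releases its signing key only while that register equals the value recorded when the key was created (the key's usage environment). SecureTable stores each security-related row together with a signature over the row's integrity value and re-checks it on read. HMAC-SHA256 stands in for the chip's asymmetric signature so the example runs without extra libraries; all component names, rows and the chip secret are constructed.

```python
import hashlib
import hmac
import json


class SecurityChip:
    """Constructed stand-in for the TCM/TPM: a measurement register (PCR) and a
    signing key that is released only while the register matches the state
    recorded when the key was created (the key's usage environment)."""

    def __init__(self) -> None:
        self.pcr = b"\x00" * 32
        self._key = hashlib.sha256(b"constructed-chip-secret").digest()  # never leaves the chip
        self._policy = None

    def extend(self, component: bytes) -> None:
        """Trusted-measurement hook: PCR = H(PCR || H(component)), as in a TPM extend."""
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(component).digest()).digest()

    def create_signing_key(self) -> None:
        """Method step 1: bind the key to the current chain-of-trust measurement."""
        self._policy = self.pcr

    def sign(self, digest: bytes) -> bytes:
        """Release a signature only if the TCB measurement still matches the policy.
        HMAC-SHA256 stands in for the chip's asymmetric signature (simplification)."""
        if self._policy is None or self.pcr != self._policy:
            raise PermissionError("TCB measurement differs from the key policy; key not released")
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def verify(self, digest: bytes, signature: bytes) -> bool:
        return hmac.compare_digest(self.sign(digest), signature)


def integrity_value(row: dict) -> bytes:
    """Integrity measurement of one security-related row: SHA-256 over canonical JSON."""
    return hashlib.sha256(json.dumps(row, sort_keys=True).encode()).digest()


class SecureTable:
    """A system table (identity, authorization or audit-configuration data) whose
    rows are stored together with a signature over their integrity value."""

    def __init__(self, chip: SecurityChip) -> None:
        self.chip = chip
        self.rows: list = []

    def write(self, row: dict) -> None:
        """Method step 2: measure the TCB (the chip's policy check), sign, store both."""
        self.rows.append((row, self.chip.sign(integrity_value(row))))

    def read(self, index: int) -> dict:
        """Method step 3: recompute the integrity value and check it against the signature."""
        row, signature = self.rows[index]
        if not self.chip.verify(integrity_value(row), signature):
            raise ValueError("integrity check failed: security-related data was modified")
        return row


def demo() -> dict:
    """Walk through the write/read flows and two tampering scenarios."""
    chip = SecurityChip()
    for component in (b"bootloader", b"kernel", b"trusted-measurement-module", b"dbms-tcb"):
        chip.extend(component)          # chain of trust built at secure boot (step 1)
    chip.create_signing_key()

    identities = SecureTable(chip)
    identities.write({"user": "alice", "pw_hash": "constructed-hash", "role": "dba"})  # flow 1-a..1-c
    read_ok = identities.read(0)["user"] == "alice"                                     # flow 2-a..2-b

    # Scenario 1: an insider edits the stored row but cannot produce a new signature.
    row, signature = identities.rows[0]
    identities.rows[0] = (dict(row, pw_hash="attacker-hash"), signature)
    try:
        identities.read(0)
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    # Scenario 2: a modified DBMS TCB changes the measurement, so the chip refuses the key.
    chip.extend(b"modified-dbms-tcb")
    try:
        identities.write({"user": "mallory", "pw_hash": "x", "role": "dba"})
        key_released = True
    except PermissionError:
        key_released = False
    return {"read_ok": read_ok, "tamper_detected": tamper_detected, "key_released": key_released}


if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes visible: verification on read goes through the chip as well, which is why step 3) of the method also measures the TCB before verifying, and a real deployment would verify with the public half of the key rather than re-signing; and the chip refuses to release the key once any measured component changes, so a tampered TCB can neither sign new rows nor re-sign modified ones.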
The specific embodiment of the present invention is set out below:
In essence, the database security protection method based on trusted computing technology uses trusted computing technology to strengthen the traditional security functions of a database. The specific implementation involves modifying the security functions of the original database management system:
An integrity verification step is added to the original authentication mechanism: after receiving an authentication request, the authentication mechanism must verify the integrity of the identity information stored in the system tables before authenticating against it. Identity information is usually used once per authentication, after which many accesses may follow, so this has little effect on the efficiency of the database system as a whole; the integrity verification step can therefore be added directly to the code of the authentication function.
An integrity verification step is added to the original access control mechanism: after receiving an access request, the access control mechanism must verify the integrity of the authorization data stored in the system tables before enforcing access control based on it. Because industrial control systems have high efficiency requirements, adding an integrity verification step to the access control flow of every data access would greatly reduce efficiency. The integrity verification step can therefore be implemented as a separate extension module of the database with a switch function, so that the integrity verification in the access control flow can be turned on or off for different application scenarios.
The modification of the audit mechanism has two aspects. On the one hand, before the audit mechanism writes audit records for the database it must first verify the integrity of the audit configuration information. Unlike the access control change, however, the audit configuration is usually read only once at database startup and does not affect the efficiency of the database system as a whole, so the integrity verification step can be added directly to the code of the audit function. On the other hand, the audit log is the basis for later analysis and its trustworthiness must be ensured, so the log must be integrity-protected when the audit mechanism produces it. First, because an audit log usually contains many records, integrity protection should be applied at the level of individual records rather than the whole log. Second, record-level integrity protection only ensures that an attacker cannot alter a single audit record; it cannot show whether an attacker has deleted or inserted records. The audit log therefore additionally uses the monotonic counter provided by the security chip.
Specifically, the format of the original audit log is modified by adding two attribute columns that store the count value and the integrity value respectively. Each time an audit record is generated, the audit mechanism queries the current value of the monotonic counter and signs the record's integrity value together with the counter value using the security chip's signing key, storing both. Because the monotonic counter is protected by the security chip, cannot be tampered with, and can only increase, any deletion or insertion of audit records by an attacker can be detected by checking the count values.
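The audit-log scheme just described (write flow 7-a to 7-c with the two added columns, and the read flow 8-a/8-b extended with the counter check) is shown below as an added Python example; it is not code from the patent. A constructed MonotonicChip exposes a counter that software can only increment and a signing key that never leaves the chip (HMAC-SHA256 again stands in for the asymmetric signature, and the usage-environment policy check is left out to focus on the counter). The verifier goes beyond the text in one respect: besides checking each record's integrity value, signature and counter sequence, it compares the last stored counter with the chip's live counter, which catches records removed from the end of the log. All events and the chip secret are constructed.

```python
import copy
import hashlib
import hmac
import json


class MonotonicChip:
    """Constructed stand-in for the security chip: a monotonic counter that
    software can only increment, and a signing key that never leaves the chip
    (HMAC-SHA256 replaces the chip's asymmetric signature for simplicity)."""

    def __init__(self) -> None:
        self._counter = 0
        self._key = hashlib.sha256(b"constructed-chip-secret").digest()

    def increment(self) -> int:
        self._counter += 1
        return self._counter

    def read_counter(self) -> int:
        return self._counter

    def sign(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()


def record_digest(event: dict) -> bytes:
    """Integrity value of one audit record (SHA-256 over canonical JSON)."""
    return hashlib.sha256(json.dumps(event, sort_keys=True).encode()).digest()


def signed_payload(digest: bytes, counter: int) -> bytes:
    """The signature binds the integrity value and the counter value together."""
    return digest + counter.to_bytes(8, "big")


def append_audit_record(log: list, chip: MonotonicChip, event: dict) -> None:
    """Write flow 7-a..7-c with the counter extension: the two added columns are
    'counter' and 'integrity'; the signature covers both the digest and the counter."""
    counter = chip.increment()
    digest = record_digest(event)
    log.append({"event": event, "counter": counter, "integrity": digest.hex(),
                "sig": chip.sign(signed_payload(digest, counter))})


def verify_audit_log(log: list, chip: MonotonicChip, first_counter: int = 1) -> list:
    """Read flow 8-a/8-b plus the counter check. Returns findings; an empty list means
    every record is intact and the sequence is complete (no deletion, insertion or reorder)."""
    findings = []
    expected = first_counter
    for i, rec in enumerate(log):
        digest = record_digest(rec["event"])
        if digest.hex() != rec["integrity"]:
            findings.append(f"record {i}: integrity value mismatch (content modified)")
        if not hmac.compare_digest(chip.sign(signed_payload(digest, rec["counter"])), rec["sig"]):
            findings.append(f"record {i}: signature invalid (forged or re-signed record)")
        if rec["counter"] != expected:
            findings.append(f"record {i}: counter {rec['counter']} but expected {expected} "
                            "(record deleted, inserted or reordered)")
        expected = rec["counter"] + 1
    # The chip's live counter must equal the last stored counter, else tail records were removed.
    if log and log[-1]["counter"] != chip.read_counter():
        findings.append(f"tail: last counter {log[-1]['counter']} but chip counter is "
                        f"{chip.read_counter()} (records removed from the end)")
    return findings


def demo() -> dict:
    """Number of findings for a clean log and four tampering scenarios."""
    chip = MonotonicChip()
    log: list = []
    for seq in range(5):
        append_audit_record(log, chip, {"seq": seq, "user": "alice", "op": "SELECT", "table": "t"})
    modified = copy.deepcopy(log)
    modified[0]["event"]["op"] = "DROP TABLE"
    return {
        "clean": len(verify_audit_log(log, chip)),
        "deleted_middle": len(verify_audit_log(log[:2] + log[3:], chip)),
        "deleted_tail": len(verify_audit_log(log[:-1], chip)),
        "replayed": len(verify_audit_log(log[:3] + [log[1]] + log[3:], chip)),
        "modified": len(verify_audit_log(modified, chip)),
    }


if __name__ == "__main__":
    print(demo())
```

The tail check assumes the counter is dedicated to this audit log; if a shared counter is used, the expected last value must be persisted elsewhere under signature, otherwise truncation of the newest records goes unnoticed. Per-record signatures alone, as the text notes, would pass the "deleted" and "replayed" scenarios without any finding.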
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510128903.2A CN104794410B (en) | 2015-03-23 | 2015-03-23 | A kind of database security protection method based on reliable computing technology |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510128903.2A CN104794410B (en) | 2015-03-23 | 2015-03-23 | A kind of database security protection method based on reliable computing technology |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104794410A CN104794410A (en) | 2015-07-22 |
CN104794410B true CN104794410B (en) | 2018-01-09 |
Family
ID=53559199
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510128903.2A Active CN104794410B (en) | 2015-03-23 | 2015-03-23 | A kind of database security protection method based on reliable computing technology |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104794410B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109145631A (en) * | 2017-06-15 | 2019-01-04 | 上海长城计算机网络工程有限公司 | A kind of database information security system |
CN109670312A (en) * | 2017-10-13 | 2019-04-23 | 华为技术有限公司 | Method of controlling security and computer system |
WO2020151831A1 (en) * | 2019-01-25 | 2020-07-30 | Huawei Technologies Co., Ltd. | Method for end entity attestation |
CN111814157B (en) * | 2019-04-12 | 2022-12-27 | 阿里巴巴集团控股有限公司 | Data security processing system, method, storage medium, processor and hardware security card |
EP3989478B1 (en) * | 2020-10-22 | 2023-10-18 | Moxa Inc. | Computing system and device for handling a chain of trust |
CN113010886A (en) * | 2021-02-24 | 2021-06-22 | 西安超越申泰信息科技有限公司 | Database auditing system strategy protection method |
CN114978677A (en) * | 2022-05-20 | 2022-08-30 | 中国电信股份有限公司 | Asset access control method, apparatus, electronic device and computer readable medium |
CN117725631A (en) * | 2023-12-18 | 2024-03-19 | 四川和恩泰半导体有限公司 | Secure memory bank and method for starting secure memory bank |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101242267A (en) * | 2007-08-01 | 2008-08-13 | 西安西电捷通无线网络通信有限公司 | A Trusted Network Connection Method with Enhanced Security |
CN102340500A (en) * | 2011-07-13 | 2012-02-01 | 中国人民解放军海军计算技术研究所 | Security management system and method of dependable computing platform |
CN103500202A (en) * | 2013-09-29 | 2014-01-08 | 中国船舶重工集团公司第七0九研究所 | Security protection method and system for light-weight database |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100217988A1 (en) * | 2007-04-12 | 2010-08-26 | Avow Systems, Inc. | Electronic document management and delivery |
Events
- 2015-03-23: CN application CN201510128903.2A, published as CN104794410B (status: Active)
Non-Patent Citations (1)
Title |
---|
Research on a virtual monotonic counter based on the Trusted Platform Module; Li Hao et al.; Journal of Computer Research and Development; 2011-12-31; vol. 48, no. 3; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN104794410A (en) | 2015-07-22 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
EXSB | Decision made by SIPO to initiate substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |