CN117828568B - Database auditing method, system, device and readable storage medium based on fine-grained access control - Google Patents
- Publication number: CN117828568B (application CN202410010025.3A)
- Authority: CN (China)
- Prior art keywords: time, user, attribute, database, verification server
- Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications
- G06F21/31 User authentication (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
- G06F11/3034 Monitoring arrangements specially adapted to the computing system or computing system component being monitored, where the component is a storage system, e.g. DASD based or network based (under G06F11/00 Error detection; Error correction; Monitoring; G06F11/30 Monitoring; G06F11/3003)
- G06F11/3476 Data logging (under G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; recording or statistical evaluation of user activity, e.g. usability assessment; G06F11/3466 Performance evaluation by tracing or monitoring)
- G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords (under G06F21/45 Structures or tools for the administration of authentication)
- G06F21/602 Providing cryptographic facilities or services (under G06F21/60 Protecting data)
- G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F21/62)
- G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices (under G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups)
Abstract
The database auditing method, system, device and readable storage medium based on fine-grained access control encrypt and decrypt data in the database using a time factor together with attribute-based encryption, and audit and monitor operations in the database at fine granularity. User access rights are managed by a fine-grained access control algorithm: the database administrator sets the access policy, the time during which each user may access the database is regulated, and access rights that exceed the permitted time are revoked. The system improves the security and flexibility of the database in a dynamic environment and offers clear advantages against security threats such as misoperation and data leakage.
Description
Technical Field
The invention relates to a database auditing method, system, device and readable storage medium based on fine-grained access control, and belongs to the field of database security.
Background
In recent years, with the rapid development of information technology, databases have come into use in ever more fields. The large volumes of data they hold contain important information and resources, but also carry potential security risks and the threat of privacy disclosure. How to protect the security and privacy of data in databases, and how to monitor and audit database operations effectively, has therefore become a challenge.
Traditional database audit systems audit and monitor mainly by recording operation logs. Although such systems strengthen the protection of data privacy by applying encryption, anonymization and similar techniques to sensitive data during collection, storage and processing, they are limited in fine-grained auditing and monitoring. In particular, conventional auditing systems only protect the privacy of sensitive data and lack a secure and efficient mechanism for controlling user access rights. To achieve fine-grained control of users' access rights to the database, user authentication and access-right revocation therefore need to be added to the database audit system; without them, potential security threats and abnormal behaviour cannot be detected and prevented effectively.
Drawings
Fig. 1 is a system flow diagram.
Disclosure of Invention
To solve these problems, the invention provides a database auditing method based on fine-grained access control, comprising the following steps:
(1) Storing data and performing other database operations;
(2) Monitoring database operations in real time and generating an audit log;
(3) Enforcing user access rights with a time-factor-based encryption algorithm;
(4) Triggers continuously monitor user operations and generate audit records, and a periodic task cleans up expired data and updates the key;
(5) Enforcing user access time and attribute control at the application layer.
Further, in step (3), the time-factor-based encryption algorithm comprises the following steps:
3.1 System initialization: input the security parameter $\lambda$ and compute $Y = e(g,g)^{\alpha}$, where $g$ is a generator, $\alpha \in \mathbb{Z}_q$ is a random value and $e$ is a bilinear map. The algorithm outputs the master public key $MPK = (H_1, H_2, g, Y, \{K_i\})$ and the master private key $MSK = (\alpha, \{k_i\})$, where $H_1, H_2$ are hash functions and $k_i$ ($i \in [1,n]$) is the random value assigned to each attribute $A_i$ in the system.
3.2 Key generation: the inputs are the user identity $u_{id}$, the attribute values $A_i$ and the time $T_{i,1}$ at which the user obtained attribute $A_i$; a random value $T_r$ is selected and $SK_{4,i,2} = H_1(u_{id} \| T_r \| T_{i,1})$ is computed. The user private key is $(SK_1, \{SK_{2,i}\}, \{SK_{3,i}\}, \{SK_{4,i,1}, SK_{4,i,2}\})$.
3.3 Encryption: the database administrator sets the access policy and the system selects random values $t_i, s_i \in \mathbb{Z}_q$. The time limit on holding attribute $A_i$ is set either to before $T_{i,2}$ or otherwise, and the Tag bit is set accordingly. The database visitor and the database administrator upload $SK_{4,i,2}$ and Tag, respectively, to the time verification server, which computes $C_{3,i} = H_1(SK_{4,i,2} \| u_{id} \| \mathrm{Tag})$ and sends it to the database administrator; here $\mathrm{Tag} \in \{0,1\}$ encodes the direction, 0 meaning backward and 1 meaning forward. The message $m$ is encrypted by computing $C = m \cdot Y^{s}$ and $C_m = H_2(C \| m)$, and the ciphertext $CT = (C, C_m, \{C_{1,i}\}, \{C_{2,i}\}, \{C_{3,i}\})$ is output.
3.4 Attribute time authentication: the time verification server computes $ht'_i = H_1(u'_{id} \| A'_i \| T_r)$ and $SK'_{4,i,2} = H_1(u'_{id} \| T_r \| T'_{i,1})$. If $SK_{4,i,2} \neq SK'_{4,i,2}$, the server terminates the attribute time authentication and returns an empty string. Otherwise it compares $T_{i,2}$ with $T'_{i,1}$ according to Tag: with a forward Tag the requirement is $T_{i,2} \geq T'_{i,1}$, with a backward Tag it is $T_{i,2} < T'_{i,1}$. If the requirement holds, the user attribute satisfies the access policy and the server computes $TV_i$; otherwise the attribute time does not satisfy the policy and the server terminates the authentication and returns an empty string. When all attributes in the user's attribute set satisfy the policy's time requirements, the server returns $\{TV_i\}$ to the user.
3.5 Decryption: after successful time authentication of the database visitor's attribute set, the time verification server returns $\{TV_i\}$. With the ciphertext $CT$ and the private key $SK_i$ as input, the visitor computes the candidate plaintext $m_3$ and, if $H_2(C \| m_3) = C_m$, outputs the plaintext $m$; otherwise an empty string is returned.
3.6 User attribute revocation: when attribute $A_i$ of user $u_{id}$ is to be revoked, the time verification server reselects $T'_r$ for the user and updates the user time parameter $T_r$ to $T'_r$; on receiving the server's reply, the user updates the local key.
3.7 User revocation: when user $u_{id}$ is to be revoked, the attribute authorization terminal sends a user revocation instruction to the time verification server, which deletes the locally stored user time parameter $T_r$.
The invention also provides a database auditing system based on fine-grained access control. It comprises a database management module, an auditing module, an encryption module, an audit management module and an application management module: the database management module is responsible for data storage and other database operations, the auditing module monitors database operations in real time and generates an audit log, and the encryption module enforces user access rights on the basis of a time factor.
(1) Database management module: stores data and performs other database operations;
(2) Auditing module: monitors database operations in real time and generates an audit log;
(3) Encryption module: enforces user access rights using a time-factor-based encryption algorithm;
(4) Audit management module: generates audit records, cleans up expired data and updates the key;
(5) Application management module: implements the application layer and provides administrator rights.
Further, in the encryption module, the time-factor-based encryption algorithm follows steps 3.1 to 3.7 given above for the method.
The present invention also provides an apparatus comprising: the device comprises a data acquisition device, a processor and a memory; the data acquisition device is used for acquiring data; the memory is used for storing one or more program instructions; the processor is configured to execute one or more program instructions to perform any of the methods described above.
The present invention further provides a computer readable storage medium having one or more program instructions embodied therein for performing any of the methods described above.
To reduce the complexity of the key-generation algorithm, no additional symmetric encryption algorithm is used when computing the private key; the number of private-key components is kept as small as possible while still supporting time-factor authentication, which avoids the loss of efficiency that excessive computation during key generation would cause.
Detailed Description
To solve the problems above, the invention provides a database auditing method based on access control that uses a time factor together with attribute-based encryption to encrypt and decrypt data in the database, and that audits and monitors database operations at fine granularity.
The invention designs an access-control-based encryption algorithm that provides ciphertext processing and time-based access control for database data. Three parties are involved. The attribute authorization terminal is responsible for system initialization and key distribution, and receives user revocation requests or issues attribute revocation instructions. The database administrator sets the access policy for the data, encrypts the data according to that policy, stores the ciphertext in the database and strictly controls users' access time. The database visitor obtains the user key from the authorization terminal; after downloading the ciphertext, the visitor uploads the key's time parameter to the time verification server for verification, and can decrypt the ciphertext only when the user's attributes and time satisfy the access policy. The flow of the encryption algorithm is shown in Fig. 1; the steps are as follows:
(1) System initialization
Let the attribute space of the system be given and let $\lambda$ be the security parameter. $G$ and $G_T$ are cyclic multiplicative groups of prime order $q$, $g$ is a generator of $G$ and $e: G \times G \to G_T$ is a bilinear map. Given a random value $\alpha \in \mathbb{Z}_q$, compute $Y = e(g,g)^{\alpha}$. Each attribute $A_i$ in the system corresponds to a random value $k_i \in \mathbb{Z}_q$ ($i \in [1,n]$). $H_1$ and $H_2: \{0,1\}^* \to \{0,1\}^{\lambda}$ are hash functions, where $l_T$ denotes the time-factor length. The system master public key and master private key are $MPK = (H_1, H_2, g, Y, \{K_i\})$ and $MSK = (\alpha, \{k_i\})$ respectively.
(2) Generating a key
Each user in the system has a unique identity $u_{id}$. The random value $T_r$ is stored by both the attribute authorization terminal and the time verification server. The authority selects a random value $a_i \in \mathbb{Z}_q$ for each user attribute $A_i$. Assuming the user obtained attribute $A_i$ at time $T_{i,1}$, it computes $SK_{4,i,2} = H_1(u_{id} \| T_r \| T_{i,1})$; the user private key is $(SK_1, \{SK_{2,i}\}, \{SK_{3,i}\}, \{SK_{4,i,1}, SK_{4,i,2}\})$.
(3) Encryption
The database administrator sets the access policy, selects a random value $s_i \in \mathbb{Z}_q$ for each $A_i$ in the attribute space and a random value $t_i$, and sets the time limit on the user's possession of attribute $A_i$ either to before $T_{i,2}$ or otherwise.
The data visitor and the database administrator upload $SK_{4,i,2}$ and Tag, respectively, to the time verification server, which computes $C_{3,i} = H_1(SK_{4,i,2} \| u_{id} \| \mathrm{Tag})$ and sends it to the database administrator. Here $\mathrm{Tag} \in \{0,1\}$ encodes the direction: a value of 0 marks the backward direction, otherwise the direction is forward.
The database administrator encrypts the message $m$ by computing $C = m \cdot Y^{s}$ and $C_m = H_2(C \| m)$, outputs the ciphertext $CT = (C, C_m, \{C_{1,i}\}, \{C_{2,i}\}, \{C_{3,i}\})$ and sends it to the data visitor.
(4) Authentication attribute time
The time verification server computes $ht'_i = H_1(u'_{id} \| A'_i \| T_r)$ and $SK'_{4,i,2} = H_1(u'_{id} \| T_r \| T'_{i,1})$. If $SK_{4,i,2} \neq SK'_{4,i,2}$, the server terminates the attribute time authentication and returns an empty string.
Otherwise the server compares $T_{i,2}$ with $T'_{i,1}$ according to Tag: with a forward Tag the requirement is $T_{i,2} \geq T'_{i,1}$, with a backward Tag it is $T_{i,2} < T'_{i,1}$. If the requirement holds, the user attribute satisfies the access policy and the server computes $TV_i$; otherwise the attribute time does not satisfy the policy and the server terminates the authentication and returns an empty string. When all attributes in the user's attribute set satisfy the policy's time requirements, the server returns $\{TV_i\}$ to the user.
(5) Decryption
On successful time authentication of the data visitor's attribute set, the time verification server returns $\{TV_i\}$. The data visitor then computes the candidate plaintext $m_3$ and, if $H_2(C \| m_3) = C_m$, outputs the plaintext $m$; otherwise an empty string is returned.
(6) Revoking user attributes
When attribute $A_i$ of user $u_{id}$ is to be revoked, the attribute authorization terminal sends an attribute revocation instruction to the time verification server, which suspends attribute time authentication for $u_{id}$; the data visitor uploads the components $\{SK_{4,j,1}, SK_{4,j,2} \mid A_j \in U_{id}\}$, $j \in [1,n]$, of its own private key. The time verification server reselects $T'_r$ for the user and computes $ht'_j = H_1(u_{id} \| A_j \| T_r)$ and $SK'_{4,j,2} = H_1(u_{id} \| T'_r \| T_{j,1})$.
The time verification server returns $\{SK'_{4,j,1}, SK'_{4,j,2}\}$ to the data visitor and updates the user time parameter $T_r$ to $T'_r$. On receiving the server's reply, the user replaces $\{SK_{4,j,1}, SK_{4,j,2}\}$ in the local key and deletes the components $(SK_{2,i}, SK_{3,i}, SK_{4,i,1}, SK_{4,i,2})$ of the revoked attribute.
(7) Revoking a user
When user $u_{id}$ is to be revoked, the attribute authorization terminal sends a user revocation instruction to the time verification server, which deletes the locally stored user time parameter $T_r$.
Specifically, suppose user Alice wishes to ensure the security, integrity and availability of a database through fine-grained access control. Alice wants an audit system that ensures only authorized personnel can access particular database records, reducing the risk of data leakage and unauthorized access. The procedure is as follows:
1. Database table design
First, the database tables are extended for the new encryption and audit requirements. A time stamp field is added to the user data table to record the write time of each record. In addition, to support attribute-based encryption, a field for storing the encryption key is added to the table.
2. Encryption
The attribute-based encryption algorithm is combined with the time factor so that access to the data can be revoked after a specified time. Specifically, the attribute authorization terminal completes system initialization and user key distribution, handing the private key $(SK_1, \{SK_{2,i}\}, \{SK_{3,i}\}, \{SK_{4,i,1}, SK_{4,i,2}\})$ to the requesting user; the attribute-based encryption algorithm then proceeds as follows:
The database administrator sets the access policy and computes the policy components; selecting the random value $t_i$, the time limit on user Alice's possession of attribute $A_i$ is assumed to be before $T_{i,2}$.
The data visitor and the database administrator upload $SK_{4,i,2}$ and Tag, respectively, to the time verification server, which computes $C_{3,i} = H_1(SK_{4,i,2} \| u_{id} \| \mathrm{Tag})$ and sends it to the database administrator.
The table data $m$ in the database is encrypted: the database administrator computes $C = m \cdot Y^{s}$ and $C_m = H_2(C \| m)$, outputs the ciphertext $CT = (C, C_m, \{C_{1,i}\}, \{C_{2,i}\}, \{C_{3,i}\})$ and sends it to user Alice.
After encryption, the time verification server performs attribute time authentication. Once it has confirmed that $SK_{4,i,2} = SK'_{4,i,2}$, it compares $T_{i,2}$ with $T'_{i,1}$ according to the Tag: with a forward Tag the requirement is $T_{i,2} \geq T'_{i,1}$, otherwise it is $T_{i,2} < T'_{i,1}$. When the user attribute satisfies the access policy, the time verification server computes $TV_i$ and returns $\{TV_i\}$ to Alice; otherwise it terminates the attribute time authentication and returns an empty string.
When Alice's attribute $A_i$ is revoked, the attribute authorization terminal sends an attribute revocation instruction to the time verification server, which suspends attribute time authentication, reselects $T'_r$ for Alice, returns the updated private-key components to Alice so that she can update her local key, and updates Alice's time parameter $T_r$ to $T'_r$.
To revoke Alice's user identity, the time verification server deletes Alice's time parameter $T_r$ on receiving the revocation instruction from the attribute authorization terminal.
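The time-verification-server side of steps 3.2 to 3.7 (and of the Alice walkthrough just given), written out as an added Python example; this is illustration code for this page, not the patent's implementation. It models only the hash-based time components $SK_{4,i,2}$ and $C_{3,i}$, the Tag comparison and the two revocation paths; the pairing-based components $SK_1$, $SK_{2,i}$, $SK_{3,i}$, $C_{1,i}$, $C_{2,i}$ and $TV_i$ are not reproduced on the page and are left out. Everything not fixed by the page is an assumption of the example: $H_1$ is SHA-256 over the `||`-joined fields, $T_r$ is a random 128-bit value, times are Unix timestamps, and the class and method names, attribute names and Alice's timestamps are constructed.

```python
"""Time verification server: time-factor check of steps 3.2 to 3.7 (added illustration).

Assumed, not fixed by the page: H1 = SHA-256 over '||'-joined fields, T_r = random
128-bit hex, T_{i,1} / T_{i,2} = Unix timestamps.  Pairing components and TV_i are
not modelled; authenticate() returns ht'_i in their place.
"""
import hashlib
import secrets
from typing import Dict, Optional

FORWARD, BACKWARD = 1, 0  # Tag in {0,1}: 1 = forward, 0 = backward (section 3.3)


def h1(*fields: str) -> str:
    """H1(a || b || ...); the page leaves the hash open, SHA-256 is used here."""
    return hashlib.sha256("||".join(fields).encode()).hexdigest()


class TimeVerificationServer:
    """Keeps each user's time parameter T_r, shared only with the attribute authority."""

    def __init__(self) -> None:
        self._tr: Dict[str, str] = {}

    # 3.2  T_r is chosen once per user; SK_{4,i,2} = H1(u_id || T_r || T_{i,1}) binds the
    #      time T_{i,1} at which the user obtained attribute A_i to that secret.
    def register_user(self, uid: str) -> str:
        self._tr[uid] = secrets.token_hex(16)
        return self._tr[uid]

    def time_component(self, uid: str, t_i1: int) -> Optional[str]:
        tr = self._tr.get(uid)
        return None if tr is None else h1(uid, tr, str(t_i1))

    # 3.3  C_{3,i} = H1(SK_{4,i,2} || u_id || Tag), handed back to the database administrator
    @staticmethod
    def policy_component(uid: str, sk_4i2: str, tag: int) -> str:
        return h1(sk_4i2, uid, str(tag))

    # 3.4  One attribute: recompute SK'_{4,i,2} from the claimed T'_{i,1}, then apply the
    #      Tag rule against the policy's time limit T_{i,2}.  Empty result -> None.
    def authenticate(self, uid: str, attr: str, sk_4i2: str, t_i1: int,
                     t_i2: int, tag: int) -> Optional[str]:
        tr = self._tr.get(uid)
        if tr is None:                         # 3.7: revoked user, no T_r left
            return None
        if h1(uid, tr, str(t_i1)) != sk_4i2:   # SK_{4,i,2} != SK'_{4,i,2}: claimed time altered
            return None
        # forward: attribute obtained no later than T_{i,2}; backward: obtained after T_{i,2}
        in_window = t_i2 >= t_i1 if tag == FORWARD else t_i2 < t_i1
        if not in_window:
            return None
        return h1(uid, attr, tr)               # ht'_i; the page derives TV_i from it

    def authenticate_set(self, uid: str, claims: Dict[str, tuple],
                         policy: Dict[str, tuple]) -> Optional[Dict[str, str]]:
        """Every attribute of the policy must pass, otherwise the whole request is rejected."""
        out: Dict[str, str] = {}
        for attr, (t_i2, tag) in policy.items():
            if attr not in claims:
                return None
            sk_4i2, t_i1 = claims[attr]
            tv = self.authenticate(uid, attr, sk_4i2, t_i1, t_i2, tag)
            if tv is None:
                return None
            out[attr] = tv
        return out

    # 3.6  Revoking one attribute: reselect T_r', which invalidates every old SK_{4,j,2};
    #      the components for the attributes the user keeps are reissued under T_r'.
    def revoke_attribute(self, uid: str, kept: Dict[str, int]) -> Dict[str, str]:
        self._tr[uid] = secrets.token_hex(16)
        return {attr: h1(uid, self._tr[uid], str(t)) for attr, t in kept.items()}

    # 3.7  Revoking the user: delete T_r, after which nothing of theirs verifies.
    def revoke_user(self, uid: str) -> None:
        self._tr.pop(uid, None)


def run_scenario() -> Dict[str, bool]:
    """Constructed walk-through with Alice; all timestamps are made up for the example."""
    tvs = TimeVerificationServer()
    tvs.register_user("alice")
    sk_aud = tvs.time_component("alice", 1_700_000_000)   # obtained 'auditor' at T_{1,1}
    sk_ana = tvs.time_component("alice", 1_700_050_000)   # obtained 'analyst' at T_{2,1}
    claims = {"auditor": (sk_aud, 1_700_000_000), "analyst": (sk_ana, 1_700_050_000)}
    # policy: 'auditor' held before T_{1,2} (forward), 'analyst' obtained after T_{2,2} (backward)
    policy = {"auditor": (1_700_100_000, FORWARD), "analyst": (1_700_040_000, BACKWARD)}
    res = {"both_in_window": tvs.authenticate_set("alice", claims, policy) is not None}
    res["wrong_direction"] = tvs.authenticate_set(
        "alice", claims, {"auditor": (1_700_100_000, BACKWARD)}) is None
    # Alice claims a later acquisition time than the one her component was issued for
    res["forged_time"] = tvs.authenticate_set(
        "alice", {"auditor": (sk_aud, 1_700_200_000)}, {"auditor": (1_700_300_000, FORWARD)}) is None
    new = tvs.revoke_attribute("alice", {"auditor": 1_700_000_000})   # 'analyst' revoked
    aud_only = {"auditor": policy["auditor"]}
    res["old_key_dead"] = tvs.authenticate_set("alice", claims, aud_only) is None
    res["reissued_ok"] = tvs.authenticate_set(
        "alice", {"auditor": (new["auditor"], 1_700_000_000)}, aud_only) is not None
    tvs.revoke_user("alice")
    res["revoked_user"] = tvs.authenticate_set(
        "alice", {"auditor": (new["auditor"], 1_700_000_000)}, aud_only) is None
    return res
```

The check that carries the security is the hash comparison that runs before any time comparison: $T'_{i,1}$ is supplied by the visitor, so only the $T_r$ held by the attribute authority and the time verification server stops a visitor from claiming a more convenient acquisition time. Revoking one attribute replaces $T_r$ wholesale, which is why every other component of that user has to be reissued, exactly as step (6) describes; deleting $T_r$ in step (7) makes all of them dead at once.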
3. Auditing
An audit table is added to the database to record the audit log of user operations. Its design should capture key information such as the user name, the type of operation and the time of the operation.
4. Generating audit records
Database triggers monitor user operations on the data and generate the audit records. A periodic task or scheduled script cleans up expired data and updates the encryption key, keeping the database timely and secure.
5. Implementing an application layer
In the application, ensure that the time stamp and the encryption key are checked when a user writes data and that an audit record is generated. Restrict writes to expired data, and give administrators the right to adjust the access time and encryption attributes of the data.
Through these steps a database auditing system based on fine-grained access control can be implemented, improving the security, timeliness and audit traceability of the database in practice.
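Steps 1, 3, 4 and 5 on the database side, as an added example in Python using the standard-library sqlite3 module; it is illustration code for this page, not the patent's implementation. The page names no DBMS, so the table layout and column names, the `session` table used to pass the current user and clock to the triggers, the `UPDATE_DENIED` audit label, the `maintenance` user and the constructed timestamps are all assumptions of this example. Key rotation is left out because the page keeps the key material in the encryption module.

```python
"""Audit table, triggers and expiry maintenance (added illustration, sqlite3).

Assumed: the 'session' table carries the current user and clock to the triggers
(SQLite triggers cannot read application variables); times are Unix timestamps.
"""
import sqlite3
from typing import List, Tuple

SCHEMA = """
CREATE TABLE user_data (
    id         INTEGER PRIMARY KEY,
    owner      TEXT    NOT NULL,
    ciphertext BLOB    NOT NULL,
    key_ref    TEXT    NOT NULL,   -- reference to the encryption key (step 1)
    written_at INTEGER NOT NULL,   -- time stamp of the write (step 1)
    expires_at INTEGER NOT NULL    -- after this the record is purged (step 4)
);
CREATE TABLE audit_log (            -- step 3: who did what, to which row, when
    id          INTEGER PRIMARY KEY,
    user_name   TEXT    NOT NULL,
    operation   TEXT    NOT NULL,
    row_id      INTEGER NOT NULL,
    operated_at INTEGER NOT NULL
);
CREATE TABLE session (k TEXT PRIMARY KEY, v TEXT NOT NULL);
CREATE TRIGGER audit_ins AFTER INSERT ON user_data BEGIN
    INSERT INTO audit_log(user_name, operation, row_id, operated_at)
    VALUES ((SELECT v FROM session WHERE k = 'user'), 'INSERT', NEW.id,
            (SELECT CAST(v AS INTEGER) FROM session WHERE k = 'now'));
END;
CREATE TRIGGER audit_upd AFTER UPDATE ON user_data BEGIN
    INSERT INTO audit_log(user_name, operation, row_id, operated_at)
    VALUES ((SELECT v FROM session WHERE k = 'user'), 'UPDATE', NEW.id,
            (SELECT CAST(v AS INTEGER) FROM session WHERE k = 'now'));
END;
CREATE TRIGGER audit_del AFTER DELETE ON user_data BEGIN
    INSERT INTO audit_log(user_name, operation, row_id, operated_at)
    VALUES ((SELECT v FROM session WHERE k = 'user'), 'DELETE', OLD.id,
            (SELECT CAST(v AS INTEGER) FROM session WHERE k = 'now'));
END;
-- step 5 enforced in the database too, so a client that bypasses the application
-- still cannot write to an expired record
CREATE TRIGGER no_expired_write BEFORE UPDATE ON user_data BEGIN
    SELECT RAISE(ABORT, 'record expired')
    WHERE OLD.expires_at <= (SELECT CAST(v AS INTEGER) FROM session WHERE k = 'now');
END;
"""


def open_audited_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def begin_session(conn: sqlite3.Connection, user: str, now: int) -> None:
    """The application layer tells the triggers who is acting and what time it is."""
    conn.executemany("INSERT OR REPLACE INTO session(k, v) VALUES (?, ?)",
                     [("user", user), ("now", str(now))])


def write_record(conn, owner: str, ciphertext: bytes, key_ref: str, now: int, ttl: int) -> int:
    """Store a ciphertext with its key reference and time stamp; the INSERT trigger audits it."""
    cur = conn.execute(
        "INSERT INTO user_data(owner, ciphertext, key_ref, written_at, expires_at)"
        " VALUES (?, ?, ?, ?, ?)", (owner, ciphertext, key_ref, now, now + ttl))
    return cur.lastrowid


def rewrite_record(conn, row_id: int, ciphertext: bytes) -> bool:
    """Update a record; a write refused because the record expired is audited as UPDATE_DENIED."""
    try:
        conn.execute("UPDATE user_data SET ciphertext = ? WHERE id = ?", (ciphertext, row_id))
        return True
    except sqlite3.DatabaseError:            # RAISE(ABORT) from no_expired_write
        conn.execute(
            "INSERT INTO audit_log(user_name, operation, row_id, operated_at)"
            " SELECT u.v, 'UPDATE_DENIED', ?, CAST(n.v AS INTEGER)"
            " FROM session u, session n WHERE u.k = 'user' AND n.k = 'now'", (row_id,))
        return False


def purge_expired(conn, now: int) -> int:
    """Periodic task (step 4): delete records past their time limit; each DELETE is audited."""
    begin_session(conn, "maintenance", now)
    return conn.execute("DELETE FROM user_data WHERE expires_at <= ?", (now,)).rowcount


def audit_trail(conn) -> List[Tuple[str, str, int, int]]:
    return list(conn.execute(
        "SELECT user_name, operation, row_id, operated_at FROM audit_log ORDER BY id"))


def run_scenario() -> dict:
    """Constructed walk-through: two writes by Alice, an allowed and a refused update by Bob, a purge."""
    conn = open_audited_db()
    begin_session(conn, "alice", 100)
    r1 = write_record(conn, "alice", b"\x01ct", "key-2024-01", now=100, ttl=50)   # expires at 150
    write_record(conn, "alice", b"\x02ct", "key-2024-01", now=100, ttl=500)       # expires at 600
    begin_session(conn, "bob", 120)
    ok_before = rewrite_record(conn, r1, b"\x03ct")    # 120 < 150: allowed
    begin_session(conn, "bob", 200)
    ok_after = rewrite_record(conn, r1, b"\x04ct")     # 200 >= 150: refused and audited
    purged = purge_expired(conn, 200)                  # r1 goes, the second record stays
    live = conn.execute("SELECT COUNT(*) FROM user_data").fetchone()[0]
    return {"update_before_expiry": ok_before, "update_after_expiry": ok_after,
            "purged": purged, "live_rows": live, "trail": audit_trail(conn)}
```

Two practitioner points are built in. The key column holds a reference to key material kept by the encryption module, not the key itself: a key stored beside its ciphertext gives anyone who can read the table both. And the refused write is audited as well as refused, since an attempt to write to data past its time limit is exactly the abnormal behaviour the Background says the audit system must be able to detect.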
The units, devices or modules etc. set forth in the above embodiments may be implemented in particular by a computer chip or entity or by a product having a certain function. For convenience of description, the above devices are described as being functionally divided into various modules, respectively. Of course, when implementing the present application, the functions of each module may be implemented in the same or multiple pieces of software and/or hardware, or a module implementing the same function may be implemented by multiple sub-modules or a combination of sub-units. The above-described apparatus embodiments are merely illustrative, for example, the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
Those skilled in the art will also appreciate that, in addition to implementing the controller in a pure computer readable program code, it is well possible to implement the same functionality by logically programming the method steps such that the controller is in the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, etc. Such a controller can be regarded as a hardware component, and means for implementing various functions included therein can also be regarded as a structure within the hardware component. Or even means for achieving the various functions may be regarded as either software modules implementing the methods or structures within hardware components.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, classes, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
From the above description of embodiments, it will be apparent to those skilled in the art that the present application may be implemented in software plus a necessary general hardware platform. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a mobile terminal, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments of the present application.
Various embodiments in this specification are described in a progressive manner, and identical or similar parts are all provided for each embodiment, each embodiment focusing on differences from other embodiments. The application is operational with numerous general purpose or special purpose computer system environments or configurations. For example: personal computers, server computers, hand-held or portable devices, tablet devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable electronic devices, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
The foregoing description of the embodiments illustrates the general principles of the application and is not intended to limit the application to the particular embodiments; any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the application are intended to be included within its scope.
Claims (4)
1. A database auditing method based on fine granularity access control is characterized in that: the method comprises the following specific steps:
(1) Storing data and performing other database operations;
(2) Monitoring database operation in real time and generating an audit log;
(3) Realizing access control of user authority by using an encryption algorithm based on a time factor;
(4) The trigger continuously monitors the operation of a user, continuously generates audit records, and periodically cleans up expired data and updates a secret key;
(5) Realizing access time and attribute control of a user at an application program layer;
In the step (3), the encryption algorithm based on the time factor comprises the following specific steps:
3.1 System initialization: input a security parameter $\lambda$ and compute $Y = e(g,g)^{\alpha}$, where $g$ is a generator, $\alpha \in Z_q$ is a random number and $e$ is a bilinear map; the algorithm outputs a master public key $mpk = (H_1, H_2, g, Y, \{K_i\})$ and a master private key $msk = (\alpha, \{k_i\})$, where $H_1, H_2$ are hash functions and $k_i$ ($i \in [1, n]$) is a random value corresponding to each attribute $A_i$ in the system (…);
3.2 Key generation: the system takes as input the user identity $u_{id}$, the attribute value $A_i$ and the time $T_{i,1}$ at which the user acquired attribute $A_i$, selects the random value $T_r$ (…) and computes $SK_{4,i,2} = H_1(u_{id} \| T_r \| T_{i,1})$; the user private key is then $(SK_1, \{SK_{2,i}\}, \{SK_{3,i}\}, \{SK_{4,i,1}, SK_{4,i,2}\})$;
3.3 Encryption: the access policy is set by the database administrator; the system selects random values $t_i, s_i \in Z_q$ (…); the time-limit node of attribute $A_i$ is set before $T_{i,2}$ (…) or otherwise (…), and the Tag flag bit is set accordingly; the database visitor and the database administrator respectively upload $SK_{4,i,2}$ and Tag to the time verification server, which computes $C_{3,i} = H_1(SK_{4,i,2} \| u_{id} \| Tag)$ and sends it to the database administrator, where $Tag \in \{0,1\}$ denotes the direction of the time comparison: backward when Tag is 0, forward otherwise; the message $m$ is encrypted by computing $C = m \cdot Y^{s}$ and $C_m = H_2(C \| m)$; the output ciphertext is $CT = (C, C_m, \{C_{1,i}\}, \{C_{2,i}\}, \{C_{3,i}\})$;
3.4 Attribute time authentication: the time verification server computes $ht'_i = H_1(u'_{id} \| A'_i \| T_r)$ and $SK'_{4,i,2} = H_1(u'_{id} \| T_r \| T'_{i,1})$; if $SK_{4,i,2} \neq SK'_{4,i,2}$, the time verification server terminates attribute time authentication and returns an empty string; the time verification server then compares $T_{i,2}$ with $T'_{i,1}$ according to the Tag: if the Tag is forward the requirement is $T_{i,2} \geq T'_{i,1}$, otherwise it is $T_{i,2} < T'_{i,1}$; if the requirement holds, the user attribute meets the access policy and the time verification server computes (…); otherwise the user attribute time does not meet the access policy, and the time verification server terminates attribute time authentication and returns an empty string; when all attributes in the user attribute set meet the attribute time requirements of the access policy, the time verification server returns $\{TV_i\}$ to the user;
3.5 Decryption: after the time authentication of the database visitor's attribute set succeeds, the time verification server returns $\{TV_i\}$; with the ciphertext $CT$ and the private key $SK_i$ as input, compute (…); if (…) holds, output the plaintext $m$, otherwise return an empty string;
3.6 User attribute revocation: when attribute $A_i$ of user $u_{id}$ is to be revoked, the time verification server reselects $T'_r$ for the user and updates the user time parameter $T_r$ to $T'_r$; after receiving the message returned by the time verification server, the user updates the local key;
3.7 User revocation: when the system needs to revoke user $u_{id}$, the attribute authorization terminal sends a user revocation instruction to the time verification server, and the time verification server deletes the local user time parameter $T_r$.
2. A database auditing system based on fine-grained access control, the system comprising a database management module, an auditing module and an encryption module, wherein the database management module is responsible for data storage and other database operations, the auditing module monitors database operations in real time and generates audit logs, and the encryption module realizes access control of user authority based on the time factor, characterized in that:
(1) The database management module stores data and performs other database operations;
(2) An auditing module: monitors database operations in real time and generates an audit log;
(3) An encryption module: realizes access control of user authority using an encryption algorithm based on a time factor;
(4) An audit management module: generates audit records, cleans up expired data and updates the key;
(5) An application management module: implements the application program layer and provides administrator authority;
In the encryption module, the encryption algorithm based on the time factor comprises the following specific steps:
3.1 System initialization: input a security parameter $\lambda$ and compute $Y = e(g,g)^{\alpha}$, where $g$ is a generator, $\alpha \in Z_q$ is a random number and $e$ is a bilinear map; the algorithm outputs a master public key $mpk = (H_1, H_2, g, Y, \{K_i\})$ and a master private key $msk = (\alpha, \{k_i\})$, where $H_1, H_2$ are hash functions and $k_i$ ($i \in [1, n]$) is a random value corresponding to each attribute $A_i$ in the system (…);
3.2 Key generation: the system takes as input the user identity $u_{id}$, the attribute value $A_i$ and the time $T_{i,1}$ at which the user acquired attribute $A_i$, selects the random value $T_r$ (…) and computes $SK_{4,i,2} = H_1(u_{id} \| T_r \| T_{i,1})$; the user private key is then $(SK_1, \{SK_{2,i}\}, \{SK_{3,i}\}, \{SK_{4,i,1}, SK_{4,i,2}\})$;
3.3 Encryption: the access policy is set by the database administrator; the system selects random values $t_i, s_i \in Z_q$ (…); the time-limit node of attribute $A_i$ is set before $T_{i,2}$ (…) or otherwise (…), and the Tag flag bit is set accordingly; the database visitor and the database administrator respectively upload $SK_{4,i,2}$ and Tag to the time verification server, which computes $C_{3,i} = H_1(SK_{4,i,2} \| u_{id} \| Tag)$ and sends it to the database administrator, where $Tag \in \{0,1\}$ denotes the direction of the time comparison: backward when Tag is 0, forward otherwise; the message $m$ is encrypted by computing $C = m \cdot Y^{s}$ and $C_m = H_2(C \| m)$; the output ciphertext is $CT = (C, C_m, \{C_{1,i}\}, \{C_{2,i}\}, \{C_{3,i}\})$;
3.4 Attribute time authentication: the time verification server computes $ht'_i = H_1(u'_{id} \| A'_i \| T_r)$ and $SK'_{4,i,2} = H_1(u'_{id} \| T_r \| T'_{i,1})$; if $SK_{4,i,2} \neq SK'_{4,i,2}$, the time verification server terminates attribute time authentication and returns an empty string; the time verification server then compares $T_{i,2}$ with $T'_{i,1}$ according to the Tag: if the Tag is forward the requirement is $T_{i,2} \geq T'_{i,1}$, otherwise it is $T_{i,2} < T'_{i,1}$; if the requirement holds, the user attribute meets the access policy and the time verification server computes (…); otherwise the user attribute time does not meet the access policy, and the time verification server terminates attribute time authentication and returns an empty string; when all attributes in the user attribute set meet the attribute time requirements of the access policy, the time verification server returns $\{TV_i\}$ to the user;
3.5 Decryption: after the time authentication of the database visitor's attribute set succeeds, the time verification server returns $\{TV_i\}$; with the ciphertext $CT$ and the private key $SK_i$ as input, compute (…); if (…) holds, output the plaintext $m$, otherwise return an empty string;
3.6 User attribute revocation: when attribute $A_i$ of user $u_{id}$ is to be revoked, the time verification server reselects $T'_r$ for the user and updates the user time parameter $T_r$ to $T'_r$; after receiving the message returned by the time verification server, the user updates the local key;
3.7 User revocation: when the system needs to revoke user $u_{id}$, the attribute authorization terminal sends a user revocation instruction to the time verification server, and the time verification server deletes the local user time parameter $T_r$.
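The hash-based part of the time verification server's work in steps 3.2, 3.4, 3.6 and 3.7 (identical in claims 1 and 2) can be modelled without the pairing machinery. The following is an added example and not code from the patent: it assumes $H_1$ is SHA-256 over the "||" concatenation of its inputs, that $T_r$ is a random 128-bit token, that attribute times are plain integers (day numbers), and it replaces the pairing-based values ($Y$, $SK_1$, $SK_{2,i}$, $SK_{3,i}$ and the real $TV_i$) with opaque placeholders. What it does show is the two checks that the claims specify for each policy attribute: the recomputed $SK'_{4,i,2}$ must match the uploaded value (so a visitor cannot present an altered acquisition time), and the Tag selects whether $T_{i,2} \geq T'_{i,1}$ or $T_{i,2} < T'_{i,1}$ is required; it also shows why reselecting $T_r$ (3.6) invalidates previously uploaded values and why deleting $T_r$ (3.7) makes every authentication fail.

```python
"""Toy time verification server for steps 3.2/3.4/3.6/3.7 of the claims.
Constructed example, not the patent's code: H_1 = SHA-256, T_r = random
token, times = integers, pairing-based values replaced by placeholders."""
import hashlib
import secrets
from dataclasses import dataclass

TAG_BACKWARD = 0  # Tag = 0: policy requires T_{i,2} <  T'_{i,1}
TAG_FORWARD = 1   # Tag = 1: policy requires T_{i,2} >= T'_{i,1}


def h1(*parts):
    """H_1 over the '||' concatenation of its inputs (assumed SHA-256)."""
    return hashlib.sha256("||".join(parts).encode()).hexdigest()


@dataclass(frozen=True)
class AttributeGrant:
    attr: str        # A_i
    t_acquired: int  # T_{i,1}: when the user obtained the attribute


@dataclass(frozen=True)
class PolicyNode:
    attr: str     # A_i required by the access policy
    t_limit: int  # T_{i,2}: time-limit node set by the administrator
    tag: int      # TAG_FORWARD or TAG_BACKWARD


def derive_sk4(uid, tr, grants):
    """User side of step 3.2: SK_{4,i,2} = H_1(u_id || T_r || T_{i,1})."""
    return {g.attr: h1(uid, tr, str(g.t_acquired)) for g in grants}


class TimeVerificationServer:
    def __init__(self):
        self.user_tr = {}      # u_id -> T_r (deleted on user revocation)
        self.uploaded_sk = {}  # u_id -> {A_i: SK_{4,i,2}} uploaded in step 3.3

    def keygen(self, uid):
        """Server side of step 3.2: choose the user's time parameter T_r."""
        self.user_tr[uid] = secrets.token_hex(16)
        return self.user_tr[uid]

    def upload(self, uid, sk4):
        """Step 3.3: the visitor uploads SK_{4,i,2} for each attribute."""
        self.uploaded_sk[uid] = dict(sk4)

    def authenticate(self, uid, grants, policy):
        """Step 3.4: {A_i: TV_i} if every policy node passes, else {}."""
        tr = self.user_tr.get(uid)
        if tr is None:
            return {}  # no T_r: revoked (3.7) or never enrolled
        presented = {g.attr: g for g in grants}
        uploaded = self.uploaded_sk.get(uid, {})
        result = {}
        for node in policy:
            g = presented.get(node.attr)
            if g is None:
                return {}  # required attribute not held
            # Recompute SK'_{4,i,2} from the presented T'_{i,1} and the
            # server-held T_r; a mismatch means the time claim was altered.
            sk_prime = h1(uid, tr, str(g.t_acquired))
            if uploaded.get(node.attr) != sk_prime:
                return {}
            if node.tag == TAG_FORWARD:
                in_window = node.t_limit >= g.t_acquired
            else:
                in_window = node.t_limit < g.t_acquired
            if not in_window:
                return {}
            # Placeholder TV_i; the claims leave its derivation unspecified.
            result[node.attr] = h1("TV", sk_prime, str(node.t_limit), str(node.tag))
        return result

    def revoke_attribute(self, uid):
        """Step 3.6: reselect T_r' so earlier uploaded SK_{4,i,2} stop verifying."""
        return self.keygen(uid)

    def revoke_user(self, uid):
        """Step 3.7: delete the user's local time parameter T_r."""
        self.user_tr.pop(uid, None)
        self.uploaded_sk.pop(uid, None)


def demo():
    """Run the protocol on constructed sample data; returns each outcome."""
    srv, uid = TimeVerificationServer(), "alice"
    grants = [AttributeGrant("doctor", 100), AttributeGrant("auditor", 300)]
    tr = srv.keygen(uid)
    srv.upload(uid, derive_sk4(uid, tr, grants))
    # Policy: "doctor" obtained no later than day 200, "auditor" after day 250.
    policy = [PolicyNode("doctor", 200, TAG_FORWARD),
              PolicyNode("auditor", 250, TAG_BACKWARD)]
    out = {"ok": sorted(srv.authenticate(uid, grants, policy))}
    # An altered acquisition time (day 50) would satisfy the window but fails
    # the SK_{4,i,2} check.
    out["forged"] = srv.authenticate(uid, [AttributeGrant("doctor", 50), grants[1]], policy)
    # A stricter limit (day 90) rejects the genuine time 100.
    out["expired"] = srv.authenticate(uid, grants, [PolicyNode("doctor", 90, TAG_FORWARD)])
    # Attribute revocation: old uploads go stale; the user re-keys without "doctor".
    tr2 = srv.revoke_attribute(uid)
    out["stale"] = srv.authenticate(uid, grants, policy)
    remaining = [grants[1]]
    srv.upload(uid, derive_sk4(uid, tr2, remaining))
    out["after_rekey"] = sorted(srv.authenticate(uid, remaining, [policy[1]]))
    out["missing"] = srv.authenticate(uid, remaining, policy)
    srv.revoke_user(uid)
    out["revoked"] = srv.authenticate(uid, remaining, [policy[1]])
    return out


if __name__ == "__main__":
    print(demo())
```

The server never learns the private key itself; it only holds $T_r$ and the uploaded hashes, which is why both revocation steps reduce to changing or deleting one per-user value.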
3. A database auditing apparatus based on fine-grained access control, the apparatus comprising: the device comprises a data acquisition device, a processor and a memory; the data acquisition device is used for acquiring data; the memory is used for storing one or more program instructions; the processor is configured to execute one or more program instructions for performing the method of claim 1.
4. A fine grain access control based database auditing computer readable storage medium containing one or more program instructions for performing the method of claim 1.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410010025.3A CN117828568B (en) | 2024-01-03 | 2024-01-03 | Database auditing method, system, equipment and readable storage medium based on fine granularity access control |
Publications (2)
Publication Number | Publication Date |
---|---|
CN117828568A CN117828568A (en) | 2024-04-05 |
CN117828568B true CN117828568B (en) | 2024-08-06 |
Family
ID=90511126
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410010025.3A Active CN117828568B (en) | 2024-01-03 | 2024-01-03 | Database auditing method, system, equipment and readable storage medium based on fine granularity access control |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117828568B (en) |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116167089A (en) * | 2023-04-20 | 2023-05-26 | 恒辉信达技术有限公司 | High security database |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103457739B (en) * | 2013-09-06 | 2017-03-22 | 北京握奇智能科技有限公司 | Method and device for acquiring dynamic token parameters |
CN110197062B (en) * | 2019-05-29 | 2022-03-15 | 轲飞(北京)环保科技有限公司 | Virtual machine dynamic access control method and control system |
CN111431904B (en) * | 2020-03-25 | 2022-05-06 | 上海威固信息技术股份有限公司 | Cloud storage access control method based on time characteristics |
CN111783128B (en) * | 2020-07-24 | 2021-09-28 | 国网湖南省电力有限公司 | Verifiable distributed database access control method |
CN114143854B (en) * | 2020-09-04 | 2023-10-20 | 华为技术有限公司 | Communication method and device |
CN117235796B (en) * | 2023-09-27 | 2024-05-07 | 宁远县大麦电子商务有限公司 | Electronic commerce data processing method |
Timeline: 2024-01-03, CN202410010025.3A (patent CN117828568B), status Active
Non-Patent Citations (1)
Title |
---|
Xu Chengzhou (许城洲), Revocable and traceable attribute-based encryption scheme based on time factor, Computer Engineering and Science (《计算机工程与科学》), 2023-02-15, Vol. 45 No. 2, pp. 286-294 * |
Also Published As
Publication number | Publication date |
---|---|
CN117828568A (en) | 2024-04-05 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||