Database and table sharding in practice and middleware (5)

Data desensitization analysis

Data desensitization transforms sensitive information according to desensitization rules so that sensitive private data is reliably protected. Personal information involving customer security or commercially sensitive data, such as ID numbers, mobile phone numbers, card numbers and customer numbers, must be desensitized according to regulations.

The data desensitization module is a sub-function module under the core function of ShardingSphere distributed governance.
During the update operation, it parses the SQL input by the user and rewrites the SQL according to the desensitization configuration provided by the user, thereby encrypting the original text data and storing the ciphertext data in the underlying database.

When querying data, it takes out the ciphertext data from the database, decrypts it, and finally returns the decrypted original data to the user.


Apache ShardingSphere makes the data desensitization process automatic and transparent, so users can work with desensitized data like ordinary data without attending to the implementation details of data desensitization.

Encrypt-JDBC, provided by ShardingSphere, is deployed together with the business code. The business side programs against Encrypt-JDBC through JDBC.

flow chart

Encrypt-JDBC intercepts the SQL issued by the user and parses it with the SQL syntax parser to understand its behavior. Using the desensitization rules passed in by the user, it then finds the fields that need to be desensitized and the encryptor to use, and encrypts or decrypts the target fields before interacting with the underlying database.

desensitization rules

The desensitization configuration is divided into four parts: data source configuration, encryptor configuration, desensitized table configuration, and query attribute configuration. The details are shown in the figure below:

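  • Data source configuration
    Refers to the configuration information of the DataSource.
  • Encryptor configuration
    Refers to which encryption strategy is used for encryption and decryption. Currently, ShardingSphere has two built-in encryption and decryption strategies:
    AES/MD5
  • Desensitized table configuration
    Specifies which column stores the ciphertext data (cipherColumn), which column stores the plaintext data
    (plainColumn), and which column the user wants to write SQL against (logicColumn).
  • Query attribute configuration
    When the underlying database table stores both plaintext and ciphertext data, this switch decides whether to
    query the plaintext data in the table and return it directly, or to query the ciphertext data and return it after Encrypt-JDBC decrypts it.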

Process handling

Processing flow and conversion logic

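Encryption strategy analysis

ShardingSphere provides two encryption strategies for data desensitization. They correspond to ShardingSphere's two encryption and decryption interfaces, Encryptor and QueryAssistedEncryptor.

  • Encryptor
    This solution encrypts and decrypts the data to be desensitized through two methods, encrypt() and decrypt().
    When the user runs INSERT, DELETE or UPDATE, ShardingSphere parses, rewrites and routes the SQL according to
    the user's configuration and calls encrypt() to encrypt the data before storing it in the database. On SELECT,
    it calls decrypt() to reverse-decrypt the desensitized data taken from the database and finally returns the
    original data to the user.
    Currently, ShardingSphere provides two concrete implementation classes for this type of desensitization
    solution, MD5 (irreversible) and AES (reversible). Users only need to configure them to use these two built-in schemes.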

Interface

You can see the default implementations of the encryption interface

  • QueryAssistedEncryptor

Compared with the first desensitization scheme, this scheme is safer and more complicated. Its idea is that even identical data, such as two users with the same password, should be stored in the database as different desensitized data. This concept is more conducive to protecting user information and preventing successful credential stuffing.
It provides three functions for implementation: encrypt(), decrypt() and queryAssistedEncrypt(). In the encrypt() phase, the user sets a changing seed, such as a timestamp. Encrypting the combination of the original data and the changing seed ensures that even if the original data is the same, the encrypted desensitized data differs because of the seed. In decrypt(), the seed data can be used to decrypt according to the previously specified encryption algorithm. queryAssistedEncrypt() generates the auxiliary query column used when querying by the original data.
Currently, ShardingSphere does not provide a concrete implementation class for this type of desensitization solution, but abstracts the concept into an interface for users to implement themselves. ShardingSphere calls the implementation class provided by the user to perform data desensitization.
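The three functions described above, sketched as an added example that is not ShardingSphere code and does not implement its interface types. The class name `SeededEncryptorDemo` is hypothetical, and the choices made here are assumptions: a random 12-byte seed instead of a timestamp, AES-GCM for the cipher column, and HMAC-SHA256 with a separate key for the auxiliary query column.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.*;

// Added illustration: hypothetical class, not a ShardingSphere interface implementation.
public class SeededEncryptorDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec encKey; // AES key for the cipher column
    private final SecretKeySpec macKey; // separate key for the assisted query column
    public SeededEncryptorDemo(byte[] enc, byte[] mac) {
        encKey = new SecretKeySpec(enc, "AES");
        macKey = new SecretKeySpec(mac, "HmacSHA256");
    }

    // Cipher column: a fresh random seed makes equal plaintexts encrypt differently.
    public String encrypt(String plaintext) throws Exception {
        byte[] seed = new byte[12];
        RNG.nextBytes(seed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new GCMParameterSpec(128, seed));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(seed.length + ct.length).put(seed).put(ct).array();
        return Base64.getEncoder().encodeToString(out); // seed || ciphertext and tag
    }
    // The seed is stored in front of the ciphertext, so decrypt() can recover it.
    public String decrypt(String stored) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, encKey, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    // Assisted query column: deterministic keyed digest for WHERE column = ? lookups.
    public String queryAssistedEncrypt(String plaintext) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        byte[] tag = mac.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(tag);
    }

    public static void main(String[] args) throws Exception {
        byte[] k1 = new byte[16], k2 = new byte[32];
        RNG.nextBytes(k1); RNG.nextBytes(k2); // constructed random demo keys
        SeededEncryptorDemo e = new SeededEncryptorDemo(k1, k2);
        String c1 = e.encrypt("123"), c2 = e.encrypt("123");
        System.out.println("cipher equal: " + c1.equals(c2) + ", decrypted: " + e.decrypt(c2));
        System.out.println("assist equal: " + e.queryAssistedEncrypt("123").equals(e.queryAssistedEncrypt("123")));
    }
}
```

The auxiliary query column is deterministic by design, so equal plaintexts still share a value there. Keying the digest with a separate secret keeps that column from being a plain unsalted hash of the data.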

configuration

new table

entity class

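import java.io.Serializable;
import javax.persistence.*;

@Entity
@Table(name = "c_user")
public class CUser implements Serializable {

    @Id
    @Column(name = "id")
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private long id;

    @Column(name = "name")
    private String name;

    @Column(name = "pwd") // logical column name
    private String pwd;

    // Setters used by the test further down
    public void setName(String name) { this.name = name; }
    public void setPwd(String pwd) { this.pwd = pwd; }
}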

configuration



# Print ShardingSphere SQL
spring.shardingsphere.props.sql.show=true

## Data desensitization
## Use case
## 1 Encrypting user account passwords

# Database (shard) configuration
spring.shardingsphere.datasource.names=test0

# Database connection settings
# Connection pool settings
spring.shardingsphere.datasource.test0.type=com.zaxxer.hikari.HikariDataSource
spring.shardingsphere.datasource.test0.driver-class-name=com.mysql.jdbc.Driver
spring.shardingsphere.datasource.test0.jdbc-url=jdbc:mysql://localhost:3306/test0
spring.shardingsphere.datasource.test0.username=root
spring.shardingsphere.datasource.test0.password=root

# encrypt
# Original (plaintext) password column
spring.shardingsphere.encrypt.tables.c_user.columns.pwd.plain-column=pwd_plain
# Desensitized (ciphertext) column
spring.shardingsphere.encrypt.tables.c_user.columns.pwd.cipher-column=pwd_cipher

### Specify the encryption algorithm
# Encryption type
spring.shardingsphere.encrypt.encryptors.c_user_pwd.type=aes
# Encryption key
spring.shardingsphere.encrypt.encryptors.c_user_pwd.props.aes.key.value=1234

# Bind the encryptor to the table column
spring.shardingsphere.encrypt.tables.c_user.columns.pwd.encryptor=c_user_pwd
# Whether to query using the cipher column (default is true); false queries the plaintext column
spring.shardingsphere.props.query.with.cipher.column=false

test

dao

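import java.util.List;
import org.springframework.data.jpa.repository.JpaRepository;

public interface CUserRepository extends JpaRepository<CUser, Long> {

    // Derived query on the logical column pwd
    List<CUser> findByPwd(String pwd);

}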

test

    /**
     * Data desensitization
     */
    @org.junit.Test
    public void testUser(){

        CUser user = new CUser();
        user.setName("test");
        user.setPwd("123");
        userRepository.save(user);

    }

    @org.junit.Test
    public void testUserFind(){

        System.out.println(userRepository.findByPwd("123"));

    }

You can see the encrypted columns

Plain text column query

Default ciphertext column query

# Default is true
spring.shardingsphere.props.query.with.cipher.column=true

Origin juejin.im/post/7231803452913025083