Database application level encryption solution Secure Encryption

1. What is database application layer encryption?

Database application layer encryption is an encryption method that encrypts the data before the application system processes the data, and then passes the encrypted data to the database for storage. This method can effectively protect the security of data during transmission and prevent data leakage.

The principle of application layer encryption is to use encryption functions or call encryption components in the application system to encrypt sensitive data. The specific process is to encrypt the original data before the application layer transmits it to the MySQL client or server. Encryption technology ensures that the data is not leaked during transmission. Business processing and encryption and decryption functions are implemented in the application system. Data is transferred from the application layer to the bottom layer of the database in the form of ciphertext for storage, ensuring the safe flow of data between different levels.

  The advantage of the application layer encryption solution is that it does not limit the database type and is supported by various databases. At the same time, it can realize separate control over the encryption and decryption permissions of users with different permissions in the application.

2. Implementation steps of database application level encryption scheme

Typically the following steps are involved:

1. Determine encryption requirements: First, you need to clarify the data types and sensitive information that need to be encrypted in the database, such as user passwords, personal information, transaction data, etc.
2. Choose an encryption algorithm: Choose an appropriate encryption algorithm according to your needs, such as symmetric encryption algorithms (AES, DES , SM4, etc.) or asymmetric encryption algorithms (RSA, ECC , SM2, etc.).
3. Encrypted data storage: The data fields that need to be encrypted are encrypted using encryption algorithms in the database to ensure the security and confidentiality of the data during storage.
4. Encrypted data transmission: When transmitting data between the client and the database, encryption algorithms are used to encrypt the data to ensure the security and confidentiality of the data during transmission.
5. Identity authentication and access control: Through identity authentication and access control mechanisms, only authorized users can access and operate encrypted data in the database to prevent unauthorized access and malicious attacks.
6. Log monitoring and auditing: Record and monitor all operations of the database, discover and handle security events in a timely manner, and ensure data security and integrity.
7. Data backup and recovery: When data is attacked or accidentally lost, data can be quickly restored through the backup and recovery mechanism to ensure business continuity and stability.

3. Concerns about database application-level encryption schemes

When implementing encryption solutions at the database application level, you need to pay attention to the following points:

1. Performance optimization: The execution of encryption algorithms will bring certain performance overhead, so it is necessary to optimize the execution efficiency of the algorithm as much as possible while ensuring data security.
2. Data consistency: During the process of encrypted storage and transmission, data consistency must be ensured to ensure that encryption and decryption operations will not cause data inconsistency.
3. Key management: For encryption algorithms, the security of keys is crucial. Strict key management measures need to be taken to ensure the safe storage and use of keys.
4. Compliance with laws and regulations: When encrypting the database, you need to comply with relevant laws, regulations and standard requirements to ensure the compliance of the encryption operation.
5. Security assessment: Regularly conduct security assessments of database encryption solutions to identify potential security risks and take timely measures to repair and improve them.

To sum up, database application-level encryption solutions need to consider many aspects, including demand analysis, algorithm selection, data storage and transmission, identity authentication and access control, log monitoring and auditing, data backup and recovery, etc. At the same time, attention should be paid to issues such as performance optimization, data consistency, key management, and legal and regulatory compliance to ensure that the database encryption solution can effectively protect the security and confidentiality of sensitive data.

4. Shanghai Andang KDPS data protection system

5. Overview of Andang KADP module scenarios

1. Overview

     Andang KADP is an application -level encryption software         for application docking of the Andang data protection system KDPS , which can support a variety of algorithms.

     2. Function

• Internal symmetric key encryption and decryption
• Import external keys (AES, DES, SM4) for encryption and decryption
• Supports asymmetric key (RSA, SM2) operations
• Supports asymmetric key (RSA, SM2) signature verification
• Support SM3 digest algorithm operation
• Support FPE encryption and decryption
• 3. Comply with safety requirements
• There are approved working modes and non-approved working modes
• A description of all keys, key components, and other sensitive security parameters used by the cryptographic module.
• Roles, Services and Identification
• 4. Encryption effect

6. Integrated interface example

import

Directly put the kadp_jar folder into the project directory
and add maven dependencies

      <dependency>
            <groupId>com.andang.kadp</groupId>
            <artifactId>kadp-1.0.2.jar</artifactId>
            <version>1.0.2</version>
            <scope>system</scope>
            <systemPath>${project.basedir}/kadp_jar1.0.2/kadp-1.0.2.jar</systemPath>
        </dependency>
 

Create KadpClient

        String domain= " "; //Enter ksp address
        String ksptoken= " "; //Enter token

        KADPClient client = new KADPClient(domain, ksptoken);

Encryption and decryption

1.  Symmetric encryption

        //Encrypt
        String text = "hello";
        String iv = "KgU3skd/1oFzGX3u";
        String encrypted1 = client.encrypt(text.getBytes(), Symmetric.AES, Mode.CBC, Padding.PKCS5Padding, iv, 16, "16 ", true);
        System.out.println("Generated ciphertext: " + afterEncryption);
2.  Symmetric decryption

        //Decrypt
        String plaintext = client.decrypt(encrypted1, Symmetric.AES, Mode.CBC, Padding.PKCS5Padding, "1234567887654321", 16, "16", true); System.out.println("Decrypted content: "+plaintext );
. . . . . .

For more information, please refer to the Andang Document Center