Title of invention: Database apparatus, method, and program
Abstract: Provided is a database apparatus comprising a control means to execute data access control on a database, wherein the control means, receiving a database operation command from a user apparatus, comprises, regarding data and/or metadata to be handled associated with the database operation command, means for executing database operation or computation on encrypted data and/or encrypted metadata as is in ciphertext and means for executing database operation or computation on plaintext data and/or plaintext metadata, and the control means sends a processing result to the user apparatus.
Publication number: US9600677(B2) Publication date: 2017.03.21
Application number: US201214357478 Filing date: 2012.11.09
Applicant: NEC CORPORATION Inventors: Mori Kengo;Obana Satoshi;Furukawa Jun;Teranishi Isamu;Isshiki Toshiyuki;Araki Toshinori
Classification: G06F21/62;G06F17/30;H04L9/00 Main classification: G06F21/62
Agency: Sughrue Mion, PLLC Agent: Sughrue Mion, PLLC
Main claim: 1. A database apparatus comprising: a first storage unit; a second storage unit; and a processor which executes a program and thereby comprises: a control unit configured to execute data access control on a database, the control unit receiving a database operation command from a user apparatus connected with the database apparatus through a network, and the control unit comprising, regarding data and/or metadata to be handled associated with the database operation command: a first unit configured to execute a database operation or computation on encrypted data and/or encrypted metadata while keeping the encrypted data and/or encrypted metadata as ciphertext; and a second unit configured to execute the database operation or computation on plaintext data and/or plaintext metadata; wherein the first storage unit stores: information on whether or not the metadata including table and column names stored in the database are encrypted, information on whether data stored in the database is encrypted, confidentiality information representing extent of data security, and encryption algorithm identification information corresponding to the confidentiality information; and wherein the second storage unit stores processing content of the database operation command, confidentiality information and encryption algorithm in association with each other, wherein the control unit sends a processing result of the database operation or computation to the user apparatus, wherein the control unit further comprises an encryption calculation unit performing an encryption at the database apparatus using a public key received from the user apparatus, wherein the control unit sends a composition result of partial computation of the computation of the database operation command in ciphertext to the user apparatus, the user apparatus, when finding that further partial computation needs to be executed on plaintext, decrypts the encrypted data to obtain plaintext data and executes partial computation on plaintext data, in the case wherein further partial computation to be executed in ciphertext remains in the computation of the database operation command, and the partial computation is allowed to be executed on ciphertext while keeping the encrypted data and/or encrypted metadata as ciphertext, the user apparatus sends ciphertext obtained by encrypting the plaintext result of the partial computation to the control unit, and using the ciphertext sent from the user apparatus, the control unit executes a remaining partial computation of the computation of the database operation command on encrypted data while keeping the encrypted data and/or encrypted metadata as ciphertext and sends the computation result of the partial computation in ciphertext to the user apparatus.
Address: Tokyo JP