Title: Database Encryption to Provide Write Protection
Abstract: An online computer system including a database uses an encrypted table that allows for write protection of its contents. Middleware logic operating on the system acts as an interface for access to the database, so that any business logic on the system accesses the database through simple procedural calls to the middleware rather than directly to the database itself. The middleware logic abstracts logic that helps implement write protection with the encrypted table. Data to be encrypted that has been traditionally written to other tables is migrated to the encrypted table, where the data is encrypted using an authenticated encryption with additional data (AEAD) algorithm. To implement AEAD, the original table, column, and primary key indicating where the data would have otherwise been stored are together used as additional authenticated data (AAD). This tuple of information is also stored in the encrypted table.
Publication No.: US2016292427(A1) Publication date: 2016.10.06
Application No.: US201514673683 Filing date: 2015.03.30
Applicant: Airbnb, Inc. Inventors: Paya Ismail Cem;Gauthier Nelson Aurel;Nguyen Kevin
Classification: G06F21/60;G06F21/62;G06F17/30 Main classification: G06F21/60
Agency: Agent:
Principal claim: 1. A computer implemented method comprising: receiving a write request to a database, the write request specifying an original table (OT) name of one of a plurality of tables in the database, a column name of one of a plurality of columns in the OT, and a data entry to be written; accessing an OT primary key where the data entry is to be written; writing the data entry to a first location in the OT corresponding to the column name and the OT primary key; preparing an additional authenticated data (AAD) comprising the OT name, the column name, and the OT primary key; obtaining a cipher text based on the data entry and the AAD; and writing the cipher text to a second location in a cipher text column of an encrypted table (ET) different than the OT, the second location being in a row of the ET where the row also stores the OT name, the column name, and the OT primary key.
Address: San Francisco CA US
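
The AAD binding described in the abstract and claim 1, as an added Node.js example that is not code from the patent or from the applicant. It assumes AES-256-GCM as the AEAD algorithm and a length-prefixed AAD encoding; the key handling and the row field names (`ot_name`, `column_name`, `ot_pk`, `cipher_text`) are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed demo key (assumption); a deployment would load it from key management.
const KEY = nodeCrypto.randomBytes(32);

// Assumed AAD encoding: length-prefix each field so that ("ab","c") and
// ("a","bc") can never serialize to the same bytes.
function buildAad(table, column, pk) {
  return Buffer.concat([table, column, String(pk)].map((field) => {
    const body = Buffer.from(field, 'utf8');
    const len = Buffer.alloc(4);
    len.writeUInt32BE(body.length);
    return Buffer.concat([len, body]);
  }));
}

// Write path: returns the row stored in the encrypted table (ET).
function encryptEntry(table, column, pk, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per write
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', KEY, iv);
  cipher.setAAD(buildAad(table, column, pk));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { ot_name: table, column_name: column, ot_pk: pk,
           cipher_text: Buffer.concat([iv, ct, cipher.getAuthTag()]) };
}

// Read path: rebuilds the AAD from the tuple stored in the row and verifies
// the tag. Returns null when the row no longer matches what was written.
function decryptRow(row) {
  try {
    const blob = row.cipher_text;
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', KEY, blob.subarray(0, 12));
    decipher.setAAD(buildAad(row.ot_name, row.column_name, row.ot_pk));
    decipher.setAuthTag(blob.subarray(blob.length - 16));
    const ct = blob.subarray(12, blob.length - 16);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed scenario: a valid ciphertext is copied into a different row.
function demo() {
  const alice = encryptEntry('users', 'email', 1, 'alice@example.com');
  const bob = encryptEntry('users', 'email', 2, 'bob@example.com');
  const moved = { ...bob, cipher_text: alice.cipher_text };
  return { intact: decryptRow(alice), moved: decryptRow(moved) };
}
```

Because the read path derives the AAD from the tuple stored beside the ciphertext, editing any of the three tuple fields or relocating the ciphertext makes tag verification fail, which is how a write that bypassed the middleware is detected.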