3

We have an application that is installed on premises for many clients. We are trying to collect information that will be sent to us at a point in the future. We want to ensure that we can detect if any of our data is modified and if any data was deleted.

To prevent data from being modified we currently hash table rows and send the hashes with the data. However, we are struggling to detect if data has been deleted. For example, if we insert 10 records in a table and hash each row, the user won't be able to modify a record without us detecting it, but if they drop all the records then we can't distinguish this from the initial installation.

Constraints:

  • Clients will have admin roles on the DB
  • Application and DB will be behind a DMZ and won't be able to connect to external services
  • Clients will be able to profile any SQL commands and be able to replicate any initial setup we do (to clarify, the clients can also drop/recreate tables)
  • Although clients can drop data and tables, there are some sets of data and tables that, if dropped or deleted, would be obvious to us during audits because they should always be accumulating data, and missing or truncated data would stand out. We want to be able to detect deletion and fraud in the remaining tables.
  • We're working under the assumption that clients will not be able to reverse our code base or hash/encrypt data themselves
  • Clients will send us all data collected every month and the system will be audited by us once a year.
  • Also consider that the client can take backups of the DB or snapshots of a VM in a 'good' state and then roll back to that 'good' state if they want to destroy data. We don't want to do any detection of VM snapshot or DB backup rollbacks directly.

So far the only solution we have is encrypting the install date (which could be modified) and the instance name. Then every minute we 'increment' the encrypted data. When we add data to the system, we hash the data row and stick the hash in the encrypted data. Then we continue to 'increment' the data. Then, when the monthly data is sent, we'd be able to see if they are deleting data and rolling the DB back to just after installation, because the encrypted value wouldn't have any increments or would have extra hashes that don't belong to any data.

Thanks

4

2 Answers

2

Have you looked into event sourcing? If the performance is good enough, this could be used together with write-once media as secondary storage. That way the integrity of the transactions is guaranteed even against DB or OS administrators. I'm not sure whether event sourcing with real write-once media is feasible while still keeping reasonable performance.

answered 2016-11-16T23:27:32.143
1

Suppose we have an md5() or similar function in your code, and you want to control modifications to the "id" field of the table "table1". You could do the following:

accumulatedIds = "secretkey-only-in-your-program";   // the key lives only in your program, never in the DB
for every record "record" in the table "table1" (in a fixed order, e.g. by id)
  accumulatedIds = accumulatedIds + "." + record.id;

// "table" is a reserved word in SQL, so the column is named table_name here
update hash_control set hash = md5(accumulatedIds) where table_name = 'table1';

after every authorised change to the information in the table "table1". Nobody can change this system without being noticed.

If someone changes some ids, you'll notice it because the hash will not be the same.

If someone wants to recreate your table, unless he recreates exactly the same information he won't be able to produce the hash again, because he doesn't know the "secret key only in your program".

If someone deletes a record, it can also be detected because the "accumulatedIds" won't match. The same applies if someone adds a record.

The user can delete the records in the hash_control table, but without the "secretkey..." he won't be able to correctly rebuild the hash information, so you'll notice that too.

Am I missing something??

answered 2016-11-16T22:44:16.143
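An added, runnable version of the keyed table digest described in this answer, not code from the answer or the asker's application: it uses HMAC-SHA256 in place of the md5() the answer assumes, the table names, key and sample rows are constructed for the demo, and the last step models the snapshot rollback from the question's constraints, which this scheme on its own does not detect because hash_control rolls back together with the data.

```python
import hashlib
import hmac
import sqlite3

# Hypothetical key: lives only in the application code, never in the database.
SECRET_KEY = b"secretkey-only-in-your-program"

def table_digest(conn, table):
    """Keyed digest (HMAC-SHA256) over every row id of `table` in canonical order."""
    # `table` is an application constant here, never user input, so the f-string is safe.
    ids = [str(r[0]) for r in conn.execute(f"SELECT id FROM {table} ORDER BY id")]
    return hmac.new(SECRET_KEY, ".".join(ids).encode(), hashlib.sha256).hexdigest()

def record_digest(conn, table):
    """Store the current digest; run after every authorised change to `table`."""
    conn.execute("INSERT OR REPLACE INTO hash_control (table_name, hash) VALUES (?, ?)",
                 (table, table_digest(conn, table)))

def verify(conn, table):
    """True only if hash_control still matches the keyed digest of the live rows."""
    row = conn.execute("SELECT hash FROM hash_control WHERE table_name = ?", (table,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], table_digest(conn, table))

def demo():
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit for a simple demo
    conn.execute("CREATE TABLE table1 (id INTEGER PRIMARY KEY, payload TEXT)")
    conn.execute("CREATE TABLE hash_control (table_name TEXT PRIMARY KEY, hash TEXT)")
    record_digest(conn, "table1")                       # digest of the freshly installed, empty table
    install_hash = conn.execute("SELECT hash FROM hash_control").fetchone()[0]
    # Constructed sample data: ten rows collected after installation.
    conn.executemany("INSERT INTO table1 VALUES (?, ?)", [(i, f"row{i}") for i in range(1, 11)])
    record_digest(conn, "table1")
    results = {"intact": verify(conn, "table1")}
    # A client with DB admin rights deletes one row: the stored digest no longer matches.
    conn.execute("DELETE FROM table1 WHERE id = 7")
    results["row_deleted"] = verify(conn, "table1")
    # The client recomputes a hash over the remaining ids without the key: still detected.
    ids = ".".join(str(r[0]) for r in conn.execute("SELECT id FROM table1 ORDER BY id"))
    conn.execute("UPDATE hash_control SET hash = ? WHERE table_name = 'table1'",
                 (hashlib.sha256(ids.encode()).hexdigest(),))
    results["unkeyed_recompute"] = verify(conn, "table1")
    # Rollback to a post-install backup restores data and hash_control together: NOT detected.
    conn.execute("DELETE FROM table1")
    conn.execute("UPDATE hash_control SET hash = ? WHERE table_name = 'table1'", (install_hash,))
    results["rolled_back"] = verify(conn, "table1")
    return results
```

The rollback case is why the asker's monotonically 'incremented' witness, or an off-site copy of the digests, is still needed on top of this scheme.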