简体繁体 English

如何隐藏数据库表的外键关系或创建匿名条目？

[英]How can I hide the foreign key relationship of a database table or create anonymous entries?

原文 2016-12-24 08:59:57 8 1 database/ security/ database-design/ hash

Is it possible to store associated data in a database without explicitly revealing its relationship or owner? 是否可以在不显式揭示其关系或所有者的情况下将关联数据存储在数据库中？ This page talks about using a hash of user info combined with a password to identify a user that a transaction belongs to. 本页讨论使用用户信息的哈希值和密码来识别事务所属的用户。 A few searches have revealed nothing in terms of implementation details for this security feature. 一些搜索没有发现此安全功能的实现细节。

Say that I have users which have private data tied to their account, how can I make it so that someone with access to a dump of the database cannot tell which data belongs to which user? 假设我的用户的帐户绑定了私有数据，那么我该如何做到这一点，以便可以访问数据库转储的人无法分辨哪些数据属于哪个用户？

1 个解决方案

It's not a security feature, it's a design pattern (or, arguably, anti-pattern). 它不是安全功能，而是设计模式（或者可以说是反模式）。 The page you linked describes how they implemented it: sensitive information is stored with an identifier that cannot be traced back to any given user without cross-referencing information external to the database. 您链接的页面描述了它们的实现方式：敏感信息与标识符一起存储，该标识符无法在不交叉引用数据库外部信息的情况下追溯到任何给定用户。 In their example, it's the password, which when combined with other account information and hashed generates a consistent id for that user's transactions. 在他们的示例中，它是密码，当与其他帐户信息结合并进行哈希处理时，该密码将为该用户的交易生成一致的ID。 In order to correctly associate a user with their transactions, you need the original password to rebuild the hash. 为了正确地将用户与其交易关联，您需要原始密码来重建哈希。 No password = no association. 没有密码=没有关联。

So that does the job; 这样就可以了； it sacrifices referential integrity, which is why I'd call it an anti-pattern, but then that's the whole idea. 它牺牲了参照完整性，这就是为什么我称其为反模式，但这就是整个想法。 The bigger problem is that it's at likely the most sensitive possible point, since the hash must be updated for all of a user's transactions whenever the information used to generate it changes. 更大的问题是它可能是最敏感的一点，因为无论何时用于生成散列的信息发生变化，都必须为用户的所有交易更新散列。 The lack of a foreign key constraint also allows bogus transactions without any user. 缺少外键约束还允许没有任何用户的假交易。 It would be somewhat safer, structurally speaking, to have an anonymized table of transaction owners with a proper foreign key relationship to the transaction table and a hash as described linking the owner entity to the actual user. 从结构上来讲，拥有一个与交易表具有适当外键关系的交易所有者的匿名表和将所有者实体链接到实际用户的哈希表，在某种程度上会更安全。 This way, the sensitive relationship is one-to-one instead of one-to-many and the impact of an integrity failure is restricted. 这样，敏感关系是一对一的，而不是一对多的，并且可以限制完整性故障的影响。

Both of these approaches, of course, are vulnerable to simple patience and analysis -- if someone has a database dump and is sufficiently motivated, the transactions themselves can be enough to get an idea of who made them as long as they're tied to a consistent user-hash or owner. 当然，这两种方法都容易受到简单的耐心和分析的影响-如果某人具有数据库转储并且具有足够的动机，那么只要绑定了事务，事务本身就足以了解谁创建了它们一致的用户哈希或所有者。 One pizza delivery charge could be anything; 一份披萨送货费可能不算什么； several put you within a few miles of someone's house. 有几个人将您带到某人房屋的几英里内。 The more information you can correlate with an anonymous record, the less anonymous it really is. 您可以与匿名记录关联的信息越多，匿名记录实际上就越少。