An information encryption method and device

An information encryption technology and device, applied in the field of information security, that addresses problems such as leakage of user information, the security risk of online information protected by a password alone, and reliance on the integrity of server administrators; it ensures security, is easy to roll out, and avoids the problem that both parties must support encryption.

Status: Inactive. Publication Date: 2011-11-30
陈勇
6 Cites 23 Cited by

AI-Extracted Technical Summary

Problems solved by technology

[0009] This problem was not prominent in the early days of the Internet, but as Webmail (represented by Gmail) developed, cloud storage increasingly became the accepted back end of Internet services, and at the same time more and more Trojan horses steal pa...


Abstract

The invention relates to the field of information security technology and discloses an information encryption method and device. The method comprises the following steps: a receiving end receives plaintext information; the plaintext information is encrypted; the encrypted information is stored at the receiving end. With the invention, the security of personal information can be guaranteed.

Examples

Example Embodiment

[0054] The information encryption method and device in the embodiments of the present invention address the security risk in the prior art that information is transmitted in plaintext and stored in plaintext on the receiving server. It is also recognized that using an asymmetric cryptosystem to transfer keys and a symmetric cryptosystem to encrypt the information at its source can, in theory, guarantee the security of the information; in practice, however, most Internet users do not encrypt their information this way. The obstacle is that encryption must be deployed on both sides: if A wants to send encrypted information to B, then B must already have an asymmetric key pair and software that supports that key system, and since B must also reply to A, A must have the same. For convenience this is referred to below as the "two-party problem of encryption". It is precisely because of this problem that source encryption, although mature for many years, is used by few people, and most e-mail is still delivered in plaintext.
[0055] For this reason, in the information encryption method and device of the embodiments, private plaintext information that needs to be stored on or transmitted through a server is encrypted on the receiving server as soon as it is received, so that it can only be decrypted and read by the recipient and by other authorized readers of the information. This protects the recipient's information.
[0056] Figure 1 is a flowchart of an information encryption method according to an embodiment of the present invention. The method includes the following steps:
[0057] Step 101: The receiving end receives plaintext information.
[0058] Step 102: Encrypt the plaintext information.
[0059] Specifically, the plaintext is encrypted in a way that only the recipient can decrypt, and several encryption schemes are possible. For example, the plaintext can be encrypted with a symmetric-key mechanism, in which the key used for decryption is the same as the key used for encryption. In the description below, the random long key used for this purpose is simply called the symmetric key. For instance, a random number is used as the symmetric key to encrypt the plaintext, producing ciphertext 1. That key must be generated fresh for each message from a cryptographic random number generator; reusing it across messages or deriving it from a predictable source defeats the scheme.
[0060] In this embodiment the receiving end encrypts the plaintext with the symmetric key and must also deliver the symmetric key to the recipient.
[0061] Alternatively, the symmetric key can be agreed in advance between the receiving end and the recipient.
[0062] If the symmetric key is stolen in transit, the information may be leaked. Therefore, so that the recipient can obtain the symmetric key securely, the embodiment encrypts the symmetric key with an asymmetric-key mechanism, in which the key used for decryption differs from the key used for encryption. The decryption key is held only by the recipient, while the encryption key can be made public and obtained by anyone, which removes the need to transmit a secret key. The encryption key is therefore called the public key, the decryption key the private key, and the asymmetric mechanism the public-key mechanism. For example, a message from A to B is encrypted with B's public key, and only B's private key can decrypt the resulting ciphertext.
[0063] Encrypting the symmetric key with the asymmetric mechanism yields ciphertext 2, and the receiving end can store ciphertext 1 and ciphertext 2 together. They can also be transmitted and stored separately, but since the key inside ciphertext 2 is the one that unlocks ciphertext 1, it is more convenient to keep them together.
[0064] If the recipient belongs to an enterprise that requires centralized management, or if there are other recipients, additional copies of the symmetric key can be encrypted under the enterprise management key or the other recipients' keys, giving ciphertext 2-1, ciphertext 2-2, and so on. Stored alongside ciphertext 1, these allow each authorized reader to decrypt the information with their own private key. Every added copy is one more key that can unlock the message, so the enterprise key in particular must be guarded as carefully as the recipient's own.
[0065] When the recipient wants to read the information, they use their private key to decrypt ciphertext 2, obtaining the symmetric key, and then use the symmetric key to decrypt ciphertext 1, obtaining the plaintext. The private key can be generated and kept by the user (the recipient), with the corresponding public key handed to the server or published openly. The private key can be stored locally on the recipient's machine, protected by a password. To further prevent Trojan software from stealing both the private key and its password, a hardware private key (such as the USB key used for online banking) can be used: once the private key is imported into the hardware it cannot be read out and can only be used for decryption and digital-signature operations. For example, ciphertext 2 is passed to the hardware during decryption and the hardware returns the symmetric key for decrypting ciphertext 1. The encrypted information can then only be decrypted if both the hardware key and its password are stolen, which gives a higher level of security. Note that the hardware protects the long-term private key, not the individual message: since the symmetric key is returned to the host, malware on the host can still read whatever the user decrypts at that moment.
[0066] Alternatively, to protect the symmetric key in transit, the receiving end may send it to the recipient over an encrypted channel, and the recipient uses it to decrypt the encrypted information.
[0067] The receiving end is not limited to the scheme above; other encryption methods can be used, for example encrypting the original plaintext directly with an asymmetric cryptosystem. When the plaintext is encrypted with a symmetric cryptosystem, the key can also be delivered in several ways. Encrypting it with an asymmetric algorithm is the most common; it can also be sent to the recipient over an encrypted channel as described above, saved somewhere only the recipient can access, or stored encrypted under the recipient's password. For the asymmetric algorithm, besides traditional RSA, identity-based encryption can be used (the original calls it IBS, Identity Based Security; it is more commonly known as IBE). Its public key is an arbitrary string such as an e-mail address, whereas RSA public and private keys are long strings of meaningless characters, so an identity-based public key is easier to publish and distribute than an RSA one. The trade-off a practitioner should note is that identity-based schemes require a private key generator that can derive every user's private key, which reintroduces a trusted party able to read all messages.
[0068] Step 103: Save the encrypted information to the receiving end.
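The envelope scheme of steps 101 to 103 (ciphertext 1 under a random symmetric key; ciphertext 2, 2-1, 2-2 as that key wrapped under each authorized reader's public key; both stored together) is shown below as an added, runnable example. It is not code from the patent or its inventor. The same two functions cover the mail server of steps 201 to 204 and the instant messaging server of steps 301 to 304, since the receiving end differs only in what it calls the stored object. The cipher choices (AES-256-GCM for the message, RSA-OAEP with SHA-256 for the key), the reader labels, the OAEP label string and the sample mail text are assumptions of this example, not from the patent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what the receiving server stores: ciphertext 1 (the message under a
// random symmetric key) plus one wrapped copy of that key per authorized reader
// (ciphertext 2, 2-1, 2-2, ...). Reader IDs are assumed labels, not from the patent.
type Envelope struct {
	Ciphertext1 []byte            // AES-256-GCM: nonce || ciphertext || tag
	WrappedKeys map[string][]byte // reader ID -> symmetric key under RSA-OAEP
}

// oaepLabel is an assumed context label; it stops a wrapped key being fed into
// some other RSA-OAEP use of the same key pair.
var oaepLabel = []byte("mailbox-envelope-key-v1")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptOnReceipt is step 102 on the receiving server: draw a fresh random
// symmetric key, encrypt the plaintext with it, wrap the key for every authorized
// reader, then discard the key so the server itself cannot decrypt what it stores.
func EncryptOnReceipt(plaintext []byte, readers map[string]*rsa.PublicKey) (*Envelope, error) {
	if len(readers) == 0 {
		return nil, errors.New("no authorized readers: ciphertext would be unrecoverable")
	}
	key := make([]byte, 32) // the description's "random long key" (AES-256)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	defer func() { for i := range key { key[i] = 0 } }() // server keeps no copy of the key
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{
		Ciphertext1: gcm.Seal(nonce, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(readers)),
	}
	for id, pub := range readers {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
		if err != nil {
			return nil, fmt.Errorf("wrap key for %s: %w", id, err)
		}
		env.WrappedKeys[id] = wrapped
	}
	return env, nil
}

// Decrypt is the reader's side (step 204): unwrap ciphertext 2 with the reader's
// private key, then open ciphertext 1 with the recovered symmetric key.
func Decrypt(env *Envelope, readerID string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[readerID]
	if !ok {
		return nil, fmt.Errorf("no wrapped key stored for reader %q", readerID)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
	if err != nil {
		return nil, errors.New("key unwrap failed: wrong private key or tampered envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(env.Ciphertext1) < ns {
		return nil, errors.New("ciphertext 1 too short")
	}
	return gcm.Open(nil, env.Ciphertext1[:ns], env.Ciphertext1[ns:], nil) // GCM tag rejects tampering
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)  // mailbox owner
	enterprise, _ := rsa.GenerateKey(rand.Reader, 2048) // enterprise management key (ciphertext 2-1)
	admin, _ := rsa.GenerateKey(rand.Reader, 2048)      // holds the stored data but no authorized key
	mail := []byte("constructed sample mail: quarterly figures attached") // constructed input
	env, err := EncryptOnReceipt(mail, map[string]*rsa.PublicKey{"alice@example.com": &recipient.PublicKey, "enterprise-archive": &enterprise.PublicKey})
	if err != nil {
		panic(err)
	}
	pt, _ := Decrypt(env, "alice@example.com", recipient)
	fmt.Printf("recipient reads: %s (%d wrapped keys stored)\n", pt, len(env.WrappedKeys))
	_, err = Decrypt(env, "alice@example.com", admin)
	fmt.Println("administrator without an authorized private key:", err)
}
```

Run it with `go run`. Two points the prose leaves implicit: the server must forget the symmetric key once it has wrapped it, otherwise the administrator cannot be said to be locked out; and because GCM authenticates the stored ciphertext, a modified mailbox entry is rejected rather than decrypted to garbage.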
[0069] Thus the information encryption method of the embodiment encrypts private plaintext that needs to be stored on or transmitted through a server as soon as the receiving server receives it, so that the information can only be decrypted and read by the recipient and other authorized readers. This is a simple and effective way to protect the information.
[0070] It should be noted that the information encryption method of the embodiment can also be combined with other existing encryption methods, such as channel encryption, to provide a more complete security guarantee for the transmission, transfer, and reception of information.
[0071] The method of the embodiment of the present invention can be applied to a variety of environments, which are described below with examples.
[0072] 1. In the mail system
[0073] To explain the difference between sending and receiving e-mail with the information encryption method of this embodiment and the traditional way, the traditional e-mail flow is first described briefly.
[0074] ●The traditional client/server (C/S) mail flow is as follows:
[0075] 11. The sender composes the mail in mail client 1 and submits it to mail server 1 over SMTP;
[0076] 12. Mail server 1 receives the mail, finds that the recipient is a user of mail server 2, and forwards it to mail server 2 over SMTP;
[0077] 13. Mail server 2 receives the mail, finds that the recipient is a user of this server, and saves it to the user's mailbox on this server;
[0078] 14. The recipient uses mail client 2 to access the mailbox over POP3 and retrieve the mail.
[0079] Traditional channel encryption replaces SMTP and POP3 in the above steps with their encrypted (SSL/TLS) counterparts, SMTPS and POP3S.
[0080] Traditional source encryption means that in step 11 the sender encrypts the message before submitting it to mail server 1; every subsequent step carries only ciphertext, and the recipient decrypts it to obtain the plaintext after receiving it.
[0081] ●The traditional Webmail flow is as follows:
[0082] 21. The sender composes the mail over HTTP in the Webmail user interface, which may be a program on mail server 1 or a separate web server;
[0083] 22. Mail server 1 receives the mail, finds that the recipient is a user of mail server 2, and forwards it to mail server 2 over SMTP;
[0084] 23. Mail server 2 receives the mail, finds that the recipient is a user of this server, and saves it to the user's mailbox on this server;
[0085] 24. The recipient accesses the mailbox over HTTP through the Webmail user interface of mail server 2 and reads the mail; again, the Webmail interface may be a program on mail server 2 or a separate web server.
[0086] Traditional channel encryption replaces HTTP and SMTP in the above steps with HTTPS and SMTPS.
[0087] Because sending and receiving are independent operations, the two sides may use different models: a mail may be sent via C/S and read via Webmail, or sent via Webmail and received by a mail client.
[0088] Traditional source encryption on Webmail generally transplants the C/S model, in one of two ways:
[0089] (1) A plug-in installed in the user's browser performs the encryption and decryption. Although the mail system is Webmail, the cryptography still happens on the client;
[0090] (2) In step 21, after the sender composes the mail, the sender's server encrypts it and then sends it through mail server 1; after mail server 2 receives it, the server decrypts it when the recipient opens the mailbox in step 24. This is a web-based imitation of the C/S mail client. Note that in this variant the servers handle the users' keys, so the protection against the server and its administrator that client-side decryption gives is lost.
[0091] Figure 2 is a flowchart of the information encryption method applied in a mail system according to an embodiment of the present invention.
[0092] In this embodiment the receiving end is a mail server and the information is mail. The process includes the following steps:
[0093] Step 201: the sender composes plaintext mail in a client/server mail client or in the Webmail user interface;
[0094] Step 202: the sender's mail server 1 receives the plaintext mail, determines that the recipient is a user of mail server 2, and forwards the mail to the recipient's mail server 2 over SMTP;
[0095] Step 203: the recipient's mail server 2 receives the mail and determines that the recipient is a user of this server. If the mail is plaintext, the server encrypts it in a way that only the recipient can decrypt and saves the encrypted mail to the recipient's mailbox on this server;
[0096] Step 204: the recipient logs in to the mailbox with an encryption-aware client/server or Webmail mail system, decrypts the mail, and reads it.
[0097] As a special case, the recipient and sender may be users of the same mail server, so that mail server 1 and mail server 2 are the same server; as a further special case, the recipient and sender may be the same person. The method of the embodiment applies equally in these cases.
[0098] Thus, in a mail system using the information encryption method of this embodiment, the mail server that receives the mail encrypts the plaintext mail on receipt. To read the mail the recipient must decrypt it with a key that only they hold, so stored mail, even in a Webmail system, is protected and the mail server's administrator cannot decrypt it. This guarantee holds only while the private key stays with the recipient (on their own machine or in a hardware key, as in paragraph [0065]); if decryption is delegated to the server, as in Webmail variant (2) above, the server handles the private key and the administrator can read the mail. Moreover, because the encryption is performed by the receiving mail server, the sender needs no encryption capability at all: the two-party problem of encryption becomes a one-party problem, which is convenient for users.
[0099] Note that in practice channel encryption can be used alongside this method (many Webmail providers already use HTTPS so that users can access the mail server safely); for the recipient this reaches approximately the security level of traditional source encryption. For example, party A (the sender) accesses A's mail server over an encrypted channel, which resists eavesdropping; A's mail server and B's mail server can also use channel encryption between them; and once the mail enters B's mail server it is encrypted, which has the same effect as traditional source encryption, with B decrypting the mail as in the source-encryption case. The only places plaintext exists are A's mail server and B's mail server before encryption, which is the weak point of the whole delivery path. However, the chance that this weak point causes large-scale leakage of user information is low: B's mail arrives from many sources, so a leak on A's mail server exposes only that one mail and not the mail from C and D; and on B's mail server the plaintext exists only in the moment between arrival and encryption. Large-scale leakage would require B's mail server itself to intercept all mail before encrypting it. That last case is exactly the limitation a practitioner should keep in mind: the scheme protects stored mail against later access by anyone, administrators included, but not against a receiving server that is already compromised or hostile at the moment of ingest.
[0100] 2. In the instant messaging system
[0101] Figure 3 is a flowchart of the information encryption method applied in an instant messaging system according to an embodiment of the present invention.
[0102] In this embodiment the receiving end is an instant messaging server and the information is instant messaging data. The process includes the following steps:
[0103] Step 301: the user chats with others through the instant messaging system;
[0104] Step 302: whether the system lets users exchange messages directly, relays them through the instant messaging server, or combines both, the users' chat records are sent to the instant messaging server;
[0105] Step 303: the instant messaging server determines whether the messages need to be saved on this server and, if so, saves them for the user in a way that only the user can decrypt;
[0106] Step 304: when the user consults the chat history, the user decrypts it with the key that only they hold and reads it.
[0107] The embodiment is not limited to encrypting and saving, on the instant messaging server, the plaintext that the other party sent to the user; the plaintext the user sent can be encrypted and saved in the same way.
[0108] Beyond the situations above, the method of the embodiments can be applied elsewhere. For example, as storage moves from personal devices to network storage, users upload private information to a network storage server (or other people deposit information for the user into the user's network storage space), and to protect that information the network storage server saves it for the user in a way that only the user can decrypt. When the user needs to consult the information, it is decrypted with the key that only they hold.
[0109] Of course, the information encryption method in the embodiment of the present invention can also be applied to other situations where information needs to be stored on the network, and will not be listed here.
[0110] Those of ordinary skill in the art will understand that all or part of the steps of the above embodiments can be implemented by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium such as ROM/RAM, a floppy disk, or an optical disk.
[0111] Correspondingly, the embodiments of the present invention also provide an information encryption device. Figure 4 is a schematic diagram of the device.
[0112] In this embodiment, the device includes:
[0113] The receiving unit 401 is configured to receive plaintext information;
[0114] The encryption unit 402 is configured to encrypt the plaintext information;
[0115] The saving unit 403 is used to save the encrypted information to the receiving end.
[0116] In a specific application the encryption unit 402 may encrypt the plaintext with a symmetric-key mechanism. It can also be built around other encryption algorithms, for example encrypting the original plaintext directly with an asymmetric cryptosystem.
[0117] The information encryption device of the embodiment encrypts private plaintext that needs to be stored on or transmitted through the device, so that the information can only be decrypted and read by the recipient and other authorized readers, which effectively protects the information.
[0118] In practice, if the encryption unit 402 uses a symmetric-key mechanism, the symmetric key can be protected or delivered in different ways to further secure the encryption key. These are listed below.
[0119] Figure 5 is a schematic diagram of another structure of the information encryption device according to an embodiment of the present invention.
[0120] In this embodiment, besides the receiving unit 401, the encryption unit 402, and the saving unit 403, the information encryption device 500 further includes:
[0121] a key encryption unit 501, configured to encrypt the symmetric key used by the symmetric-key mechanism with the recipient's public key under an asymmetric-key mechanism and to save the encrypted symmetric key at the receiving end, so that the recipient can decrypt it with the private key they hold, obtain the symmetric key, and decrypt the encrypted information with it.
[0122] In this way, the security of the information encryption key can be effectively guaranteed.
[0123] Figure 6 is a schematic diagram of another structure of the information encryption device according to an embodiment of the present invention.
[0124] In this embodiment, besides the receiving unit 401, the encryption unit 402, and the saving unit 403, the information encryption device 600 further includes:
[0125] a symmetric key sending unit 601, configured to send the symmetric key to the recipient over an encrypted channel so that the recipient can decrypt the encrypted information with it.
[0126] This embodiment also protects the encryption key. Note, however, that for the administrator to remain locked out as described in paragraph [0098], the server must deliver the key and then discard it; a server that retains symmetric keys for later delivery can decrypt everything it stores.
[0127] The information encryption device of the embodiments can serve as the server in different application environments, encrypting the plaintext information stored at the receiving end to protect it.
[0128] For example, the information encryption device may serve as a mail server, in this case, the information is mail. Correspondingly, the device may further include:
[0129] an information sending unit, configured to send the plaintext information to the recipient's mail server;
[0130] a first determining unit, configured to determine, before the encryption unit encrypts the plaintext, whether the mail's recipient is a user of this mail server; if so, it notifies the encryption unit to encrypt the plaintext, and if not, it notifies the information sending unit to send the plaintext to the recipient's mail server.
[0131] Correspondingly, the saving unit is specifically configured to save the encrypted mail in the recipient mailbox of the mail server.
[0132] For another example, the information encryption device can also be used as an instant messaging server. In this case, the information is instant messaging information. Correspondingly, the device may further include:
[0133] a second determining unit, configured to determine, before the plaintext is encrypted, whether the instant messaging information needs to be stored on the storage server associated with the instant messaging server; if so, it notifies the encryption unit to encrypt the plaintext.
[0134] Correspondingly, the saving unit is specifically configured to save the encrypted instant messaging information in the chat history that the instant messaging server keeps for the recipient or the sender.
[0135] For another example, the information encryption device can also be used as a network storage server. In this case, the information is information that the user needs to save in the network storage space.
[0136] Of course, there can also be other applications, which will not be listed here.
[0137] For the specific working process of the information encryption device when applied in different environments, reference may be made to the description in the previous embodiment, which will not be repeated here.
[0138] Applying the information encryption device in the different environments above protects information while it is stored at the receiving end and avoids the two-party problem of traditional encryption, thereby solving the adoption problem of traditional source encryption while securing stored information in services such as Webmail.
[0139] The above are only preferred embodiments of the present invention, and the invention is not limited to them. Changes that a person skilled in the art could make without inventive effort, and improvements and modifications made without departing from the principle of the invention, fall within the protection scope of the invention.
