CN117857143A - Mail security encryption method, computer and readable storage medium - Google Patents
- Publication number: CN117857143A
- Authority: CN (China)
- Prior art keywords: computer, receiving end, attachment, open
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/123: Applying verification of the received information received data contents, e.g. message integrity
- H04L51/42: Mailbox-related aspects, e.g. synchronisation of mailboxes
- H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/062: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key distribution, e.g. centrally by trusted party
Abstract
The invention relates to the technical field of information security and discloses a mail security encryption method, a computer and a readable storage medium. In the method, when the mail sending end uses the sender security key to send a mail, the computer embeds the sender private key in the mail and stores a randomly generated salt value, together with a digital fingerprint generated from the mail attachment content, in the mail body. When the receiving end opens the mail, the computer authenticates the mail body and verifies the mail attachment. If the authentication passes, the receiving end is allowed to open the mail body; if the verification passes, the receiving end is allowed to open the mail attachment. This ensures that the mail can only be opened by a trusted receiving end and that, if the mail attachment has been tampered with, the receiving end cannot open it, which protects the security of the whole mail content.
Description
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a mail security encryption method, a computer, and a readable storage medium.
Background
With the rapid development of information technology, mail has become an indispensable means of internal office work and communication for enterprises and organizations. Because mail sent by an enterprise or organization may contain confidential business information, customer data or personal identity information, maintaining mail security is important for the enterprise or organization.
At present, enterprises and organizations manage internal mail by mail address. If a mail address is mistyped, or a mail is forwarded by mistake or maliciously to external people or organizations, internal information of the organization may be leaked. Opening the mail body is not protected by any security policy, there is no way to know whether the attachments of a mail have been maliciously tampered with, and the security of the whole mail content cannot be guaranteed.
Disclosure of Invention
The application provides a mail security encryption method, a computer and a readable storage medium. When a mail sending end uses the sender security key to send a mail, the sender private key is embedded in the mail, and a randomly generated salt value and a digital fingerprint generated from the mail attachment content are stored in the mail body. When the receiving end opens the mail, the mail body is authenticated and the mail attachment is verified. If the authentication passes, the receiving end is allowed to open the mail body; if the verification passes, the receiving end is allowed to open the mail attachment. This ensures that the mail can only be opened by a trusted receiving end and that a tampered attachment cannot be opened at the receiving end, which protects the security of the whole mail content.
In a first aspect, the present application provides a mail security encryption method, including: when the computer detects that the mail sending end uses the sender security key to send a mail, the computer embeds the sender private key in the mail, the mail comprising an attachment and a body; the computer randomly generates a salt value; the computer concatenates the content of the attachment with the salt value to form a character string; the computer performs an operation on the character string to obtain a digital fingerprint; the computer stores the salt value and the digital fingerprint in the body; when the mail receiving end uses the receiver security key to open the mail, the computer uses the public key and the receiver private key to authenticate the sender private key; if the authentication is successful, the computer allows the mail receiving end to open the body using the receiver security key; the computer verifies the salt value and the digital fingerprint against the content of the attachment; when the verification results are consistent, the computer allows the mail receiving end to open the attachment.
With this technical scheme, when the mail sending end uses the sender security key to send a mail, the computer embeds the sender private key in the mail and stores the randomly generated salt value and the digital fingerprint generated from the mail attachment content in the mail body. When the receiving end opens the mail, the computer authenticates the mail body and verifies the mail attachment. If the authentication passes, the receiving end is allowed to open the mail body; if the verification passes, the receiving end is allowed to open the mail attachment. This ensures that the mail can only be opened by a trusted receiving end and that a tampered attachment cannot be opened at the receiving end, which protects the security of the whole mail content.
With reference to some embodiments of the first aspect, in some embodiments, after the step of allowing the mail receiving end to open the attachment when the verification results are consistent, the method further includes: when the computer detects that the mail receiving end opens an early mail, the computer performs algorithm feature detection on the early mail, the early mail being a mail from before the public key was replaced; if the early mail matches the algorithm features, the computer allows the mail receiving end to open the early mail.
With this technical scheme, the computer performs algorithm feature detection on the early mail, and if the early mail matches the algorithm features, the mail receiving end can open it. After the public key has been replaced, for security or other reasons, the mail receiving end can therefore still open mail from before the replacement, so that business continuity is maintained and the related business processes continue normally.
With reference to some embodiments of the first aspect, in some embodiments, the steps in which, when the mail receiving end uses the receiver security key to open the mail, the computer uses the public key and the receiver private key to authenticate the sender private key, and, if the authentication is successful, the computer allows the mail receiving end to open the body using the receiver security key, specifically include: the computer determines the authority range of the mail sending end according to the sender private key; the computer determines the identity information of the mail receiving end according to the receiver private key; if the identity information belongs to the authority range, the computer uses the public key to decrypt the mail body, so that the mail receiving end can open the mail body.
With this technical scheme, using the private key effectively prevents the identity information of the receiving end from being forged or spoofed. The private key is associated with the authority range of the mail sending end, and only a mail receiving end that matches the authority range is confirmed as a valid identity and can open the mail body, which strengthens the security of mail communication and reduces the risk of malicious attacks and fraud.
With reference to some embodiments of the first aspect, in some embodiments, the step in which the computer verifies the salt value and the digital fingerprint against the content of the attachment specifically includes: the computer obtains the salt value and the digital fingerprint from the body; the computer concatenates the salt value with the current attachment content to form a current character string; the computer performs the operation on the current character string to obtain a current digital fingerprint; the computer compares the current digital fingerprint with the digital fingerprint.
With this technical scheme, comparing the current digital fingerprint with the original digital fingerprint verifies whether the attachment content was tampered with or damaged during transmission. If the two digital fingerprints do not match, the attachment content may have been tampered with. The integrity of the attachment content can thus be verified, which protects the security of the mail attachment.
With reference to some embodiments of the first aspect, in some embodiments, after the step of allowing the mail receiving end to open the body using the receiver security key if the authentication is successful, the method further includes: if the authentication fails, the computer does not allow the mail receiving end to open the mail body.
With this technical scheme, a failed authentication means that the mail receiving end is not within the authority range of the mail sending end, possibly because the mail address was mistyped at the mail sending end, or because the mail was forwarded by mistake or maliciously by someone else to external personnel or organizations. Access by unauthorized personnel or organizations to the organization's internal mail is prevented, the security of the internal mail is ensured, and the confidentiality and privacy of the organization's internal data are effectively protected.
With reference to some embodiments of the first aspect, in some embodiments, after the step of allowing the mail receiving end to open the attachment when the verification results are consistent, the method further includes: when the verification results are inconsistent, the computer does not allow the mail receiving end to open the mail attachment; the computer sends prompt information to the mail receiving end, the prompt information being used to inform the mail receiving end that the content of the attachment has been tampered with.
With this technical scheme, inconsistent verification results indicate that the content of the mail attachment was maliciously tampered with during transmission, and the mail receiving end is then not allowed to open the mail attachment, which strengthens the data integrity protection of the mail attachment. After receiving the prompt information, the recipient can take further measures, such as confirming with the sender or obtaining the original attachment again, to ensure the integrity and authenticity of the attachment content. A maliciously tampered mail attachment may contain malicious code or viruses and so affect the security of the mail receiving end; forbidding the opening of a tampered attachment reduces the risk of spreading malicious code and protects the mail receiving end.
With reference to some embodiments of the first aspect, in some embodiments, the step in which the computer sends prompt information to the mail receiving end, the prompt information being used to inform the mail receiving end that the content of the attachment has been tampered with, further includes: the computer sends prompt information to the mail sending end, the prompt information being used to inform the mail sending end that the mail attachment content has been tampered with.
With this technical scheme, after receiving the prompt information the mail sending end is aware that the attachment content has been tampered with and can carry out a security check of the mail system to prevent similar tampering from happening again. The mail sending end can also verify and check the attachment content to ensure its authenticity and integrity, which improves the credibility of the attachment content and lets the mail receiving end obtain accurate and complete attachment content.
In a second aspect, an embodiment of the present application provides a mail security encryption system, including a computer, the computer including: the system comprises an embedding module, a generating module, a splicing module, an operation module, a storage module, an authentication module, a first permission module, a verification module and a second permission module.
The embedding module is used for embedding the sender private key in the mail when the computer detects that the mail sending end uses the sender security key to send the mail, wherein the mail comprises an attachment and a body;
the generation module is used for randomly generating a salt value;
the splicing module is used for concatenating the content of the attachment with the salt value to form a character string;
the operation module is used for performing an operation on the character string to obtain a digital fingerprint;
the storage module is used for storing the salt value and the digital fingerprint in the body;
the authentication module is used for authenticating the sender private key using the public key and the receiver private key when the mail receiving end uses the receiver security key to open the mail;
the first permission module is used for allowing the mail receiving end to open the body using the receiver security key if the authentication is successful;
the verification module is used for verifying the salt value and the digital fingerprint against the content of the attachment;
and the second permission module is used for allowing the mail receiving end to open the attachment when the verification results are consistent.
In a third aspect, embodiments of the present application provide a computer comprising: one or more processors and memory; the memory is coupled to the one or more processors, the memory for storing computer program code comprising computer instructions that the one or more processors call for causing the computer to perform the method as described in the first aspect and any possible implementation of the first aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform a method as described in the first aspect and any possible implementation of the first aspect.
One or more technical solutions provided in the embodiments of the present application at least have the following technical effects or advantages:
1. In this application, when the mail sending end uses the sender security key to send a mail, the computer embeds the sender private key in the mail and stores the randomly generated salt value and the digital fingerprint generated from the mail attachment content in the mail body. When the receiving end opens the mail, the computer authenticates the mail body and verifies the mail attachment. If the authentication passes, the receiving end is allowed to open the mail body; if the verification passes, the receiving end is allowed to open the mail attachment. The mail can only be opened by a trusted receiving end, and a tampered attachment cannot be opened at the receiving end, so that the security of the whole mail content is ensured.
2. Using the private key effectively prevents the identity information of the receiving end from being forged or spoofed. The private key is associated with the authority range of the mail sending end, and only a mail receiving end that matches the authority range is confirmed as a valid identity and can open the mail body, which strengthens the security of mail communication and reduces the risk of malicious attacks and fraud.
3. In this application, comparing the current digital fingerprint with the original digital fingerprint verifies whether the attachment content was tampered with or damaged during transmission. If the two digital fingerprints do not match, the attachment content may have been tampered with. The integrity of the attachment content can thus be verified, which protects the security of mail attachments.
Drawings
Fig. 1 is a schematic diagram of an interaction scenario of a mail security encryption system according to an embodiment of the present application.
Fig. 2 is another flow chart of a mail security encryption method in an embodiment of the present application.
Fig. 3 is another flow chart of a mail security encryption method in an embodiment of the present application.
Fig. 4 is another flow chart of a mail security encryption method in an embodiment of the present application.
Fig. 5 is a schematic diagram of a functional module structure of a mail security encryption system according to an embodiment of the present application.
Fig. 6 is a schematic diagram of a physical device structure of a computer in an embodiment of the present application.
Detailed Description
The terminology used in the following embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in the specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates to the contrary. It should also be understood that the term "and/or" as used in this application refers to and encompasses any or all possible combinations of one or more of the listed items.
The terms "first," "second," and the like are used below for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more such features, and in the description of embodiments of the present application, unless otherwise indicated, "a plurality" means two or more.
Fig. 1 is a schematic diagram of an interaction scenario of a mail security encryption system according to an embodiment of the present application. The mail security encryption system comprises a computer, a mail sending end and a mail receiving end, and the mail sending end and the mail receiving end can communicate with each other. When the mail sending end sends a mail to the mail receiving end, the computer embeds the sender private key in the mail and stores a randomly generated salt value and a digital fingerprint generated from the mail attachment content in the mail body. When the receiving end opens the mail, the computer authenticates the mail body and verifies the mail attachment. If the authentication passes, the receiving end is allowed to open the mail body; if the verification passes, the receiving end is allowed to open the mail attachment.
The foregoing describes the interaction scenario of the mail security encryption system in an embodiment of the present application. The mail encryption method of the present application is described below in conjunction with Fig. 2:
Fig. 2 is a schematic flow chart of a mail security encryption method in an embodiment of the application.
S201, when the computer detects that the mail sending end uses the sender security key to send the mail, the computer embeds the sender private key in the mail.
The security key is a key used for encrypting the mail. Each sender that sends mail using a security key has one security key, and one security key corresponds to one private key.
In some embodiments, when the computer detects that header field information has been added to the header of the mail, it first uses the sender security key to encrypt the mail. The encryption operation applies byte-level substitution, permutation, confusion and other operations to the body of the mail with an encryption algorithm to generate ciphertext. It can be understood that the sender security key and the public key in step S206 contain the same encryption algorithm and decryption algorithm, and the public key can restore the ciphertext to plaintext by performing the reverse operations of substitution, permutation and confusion on the ciphertext.
Secondly, the computer adds the data contained in the sender private key corresponding to the sender security key to the header of the mail. The sender private key contains the identity information of the sending end and is used to indicate the identity of the sending end in the subsequent authentication step.
S202, the computer randomly generates a salt value.
It will be appreciated that a salt value is a random value used in encryption techniques, which is typically added before or after the data to increase the security of the data to be protected.
In some embodiments, the computer generates a random binary sequence as the salt value using a pseudo-random generator program, and each generated salt value is a unique number. Before sending the mail, the sending end evaluates in advance the importance of the mail to be sent: the higher the importance of the mail, the longer the salt value the computer generates, and the lower the importance, the shorter the salt value. A longer salt value can provide stronger security.
In some embodiments, if the importance of the mail is general, the computer generates a salt value 8 to 16 bytes long, and if the importance of the mail is high, the computer generates a salt value 16 to 32 bytes long. The number of bytes is determined according to the importance of the mail, and other ranges are possible, which is not limited herein.
It will be appreciated that a pseudo-random generator is a computer program or algorithm that generates a series of seemingly random numbers through a deterministic algorithm.
S203, the computer concatenates the content of the attachment with the salt value to form a character string.
In some embodiments, the computer obtains the content of the attachment by parsing the attachment of the mail, represents that content as a binary data block or character string, and joins it to the salt value according to a certain concatenation rule; for example, the string concatenation operator (such as "+") or a string concatenation function may be used.
In general, the attachment content and the salt value may be concatenated in a fixed order, a specific separator may be added between them, or the concatenated character string may be further processed, for example by hashing, which is not limited herein.
S204, the computer performs an operation on the character string to obtain a digital fingerprint.
It is understood that a digital fingerprint is a fixed-length sequence of digits into which a string or data is converted, used to uniquely identify and characterize that string or data.
In some embodiments, the computer converts the concatenated string into a digital fingerprint with a hash function: the string is passed to the hash function as input and the hash value is obtained as output. An appropriate hash function may be selected, such as MD5, SHA-1 or SHA-256, without limitation.
It can be understood that the digital fingerprint is a fixed-length character string calculated by a hash algorithm and has a high degree of uniqueness. Comparing digital fingerprints shows whether data has been changed or tampered with: if the digital fingerprints of two character strings differ, the two character strings differ.
S205, the computer stores the salt value and the digital fingerprint in the body.
In some embodiments, the computer inserts the salt value and the digital fingerprint as hypertext markup language (HTML) comments at specific locations in the body of the mail. The user cannot see the comment content in the mail reading interface, but the computer can read it by parsing the HTML code. Alternatively, the computer can use selectors and pseudo-classes in a cascading style sheet (CSS) to hide the corresponding elements and store the salt value and the digital fingerprint as the content of the hidden elements, so that the user cannot see the hidden elements in the body of the mail but the computer can read their content by parsing the cascading style sheet, which is not limited herein.
S206, when the mail receiving end uses the receiver security key to open the mail, the computer uses the public key and the receiver private key to authenticate the sender private key.
The mail is sent from the mail sending end to the mail receiving end over the network communication connection between them. When the mail receiving end uses the receiver security key to open the mail, the computer obtains the receiver private key through the receiver security key; the receiver private key contains the identity information of the receiving end. The computer determines the identity information corresponding to the receiver private key and, once the identity information is obtained, determines the authority range corresponding to the identity information of the receiving end in an identity information database in the computer. When the computer has determined the authority range, if the identity information corresponding to the receiver private key is contained in the authority range, this proves that the recipient corresponding to the receiving end is a person authorized by the sender corresponding to the sending end and has permission to open the mail body.
When the computer determines that the receiving end is within the authority range of the sending end, the computer uses the public key to decrypt the mail with a decryption algorithm, which is the decryption algorithm corresponding to the encryption algorithm mentioned in step S201, and the body of the mail is converted from ciphertext to plaintext.
S207, if the authentication is successful, the computer allows the mail receiving end to open the text by using the receiving end safety key.
After the text of the mail is converted from the ciphertext to the plaintext, the computer authorizes the mail receiving end, so that the mail receiving end can open the text of the mail through the receiving end security key, and if the computer determines that the receiving end is within the authority range of the sending end, the mail receiving end does not hold the receiving end security key after the text of the mail is converted from the ciphertext to the plaintext, if the condition that the receiving end security key is tampered maliciously or attacked and the like occurs, the mail receiving end cannot open the text of the mail.
After step S207, the method further comprises: if the authentication fails, the computer does not allow the mail receiving end to open the mail text.
It will be understood that this step is a case where the authentication of the mail receiving end by the computer in step S207 fails, and when the computer determines that the mail receiving end is not within the authority range of the mail sending end, the computer will not decrypt the mail by using the decryption algorithm through the public key, so that the mail receiving end cannot open the mail body.
In the above embodiment, a failed authentication means that the mail receiving end is not within the authority range of the mail sending end, possibly because the mail address was written incorrectly at the mail sending end, or because the mail was forwarded by mistake or maliciously forwarded by others to external personnel or organizations. Refusing to open the mail in this case prevents unauthorized personnel or organizations from accessing internal organization mail, ensures the security of internal organization mail, and effectively protects the confidentiality and privacy of internal organization data.
S208, the computer checks the salt value and the digital fingerprint according to the content of the attachment.
In some embodiments, after the mail has been transmitted through a plurality of computers or network nodes, the computer acquires the salt value and the digital fingerprint stored in the text of the mail, opens the attachment of the mail to acquire the content in the attachment, and splices the salt value and the content of the attachment of the mail after transmission in the same manner as in step S203 to obtain a character string.
In some embodiments, the computer converts the obtained character string into a digital fingerprint according to the algorithm in step S204, compares the digital fingerprint of the mail before transmission with the digital fingerprint of the mail after transmission, and if the two digital fingerprints are not completely identical, indicates that the content of the attachment is changed and is inconsistent with the content of the attachment before transmission.
S209, when the verification results are consistent, the computer allows the mail receiving end to open the attachment.
In some embodiments, when the digital fingerprints obtained by the two operations are completely consistent, it indicates that the content of the attachment is not changed after the mail is transmitted through a plurality of computers or network nodes, and the attachment is not tampered with by hackers, and at this time, the computer authorizes the mail receiving end to enable the mail receiving end to open the attachment.
In the above embodiment, when the mail sender uses the sender security key to send the mail, the computer embeds the sender private key in the mail and stores the randomly generated salt value and the digital fingerprint generated from the attachment content in the mail body. When the receiver opens the mail, the computer authenticates the mail body and verifies the mail attachment: if the authentication passes, the receiver is allowed to open the mail body, and if the verification passes, the receiver is allowed to open the mail attachment. The mail can therefore only be opened by a reliable receiver, and if the mail attachment has been tampered with, the receiver cannot open it, so that the security of the whole mail content is ensured.
The above scheme is mainly a scheme in which a computer encrypts, decrypts, and authenticates the body and the attachment of the mail, and a scheme after checking and authenticating the body and the attachment of the mail is completed is described below.
The foregoing is a schematic flow chart of a mail security encryption method in the embodiment of the present application, and in the following, with reference to fig. 3, a scheme after verification and authentication of the text and attachment of the mail is completed by the mail security encryption method in the present application is described:
as shown in fig. 3, another flow chart of a mail security encryption method in an embodiment of the present application is shown.
S301, when the verification results are consistent, the computer allows the mail receiving end to open the attachment.
It is understood that this step is similar to step S209, and will not be described here.
S302, when the computer detects that the mail receiving end opens an early mail, the computer performs algorithm feature detection on the early mail, wherein the early mail is the mail before the public key is replaced.
In some embodiments, in order to ensure the security of mail encryption, all security keys and the private keys and public keys corresponding to them are replaced within a preset time period: new security keys and their corresponding private keys and public keys are generated, and a timestamp is generated when the keys are replaced. The computer then compares the timestamp at which the mail was sent with the timestamp of the key replacement; if the mail's timestamp is earlier than the key replacement timestamp, the mail was sent before the keys were replaced and is an early mail.
It will be appreciated that when the computer decrypts the mail using the public key, a mail identifier will be generated that uniquely identifies the mail, and since the decryption algorithm used by the public key is the same, the format of the mail identifier is the same, and the mail identifier is generated by the decryption algorithm and is typically stored in the header field of the mail.
In some embodiments, the computer obtains the mail identifier of the early mail from the header field of the early mail. If the format of the mail identifier conforms to the format of the mail identifier generated by the decryption algorithm used by the public key, the early mail is shown to be a mail that was previously decrypted and authenticated and that can be opened by a mail receiving end within the authority range. If the format of the mail identifier does not conform to that format, the mail is shown not to be a mail that was decrypted and authenticated, and it may carry a certain risk.
S303, if the early mail accords with the algorithm characteristic, the computer allows the mail receiving end to open the early mail.
In some embodiments, if the format of the mail identifier conforms to the format of the mail identifier generated by the decryption algorithm used by the public key, the computer checks the identity information of the mail receiving end. If the identity information of the mail receiving end is within the authority range of the mail sending end, the computer authorizes the mail receiving end, so that the mail receiving end can open the early mail. If the format of the mail identifier conforms but the identity information of the mail receiving end is not within the authority range of the mail sending end, the mail receiving end cannot open the early mail.
In the above embodiment, the computer detects the algorithm feature of the early mail, if the early mail accords with the algorithm feature, the early mail can be opened by the mail receiving end, so that after the public key is replaced due to the reasons of ensuring the security and the like, the mail receiving end can still open the mail before replacement, the service continuity can be maintained, and the related service flow can be ensured to be normally performed.
S304, when the verification results are inconsistent, the computer does not allow the mail receiving end to open the mail attachment.
It can be understood that this step covers the case where the verification of the two digital fingerprints in step S209 fails. When the digital fingerprints obtained by the two operations are not completely identical, the content of the attachment has been changed after the mail was transmitted through a plurality of computers or network nodes and has been maliciously tampered with by a hacker; the computer then does not authorize the mail receiving end, so that it cannot open the attachment.
S305, the computer sends prompt information to the mail receiving end.
When the computer detects that the digital fingerprints obtained by the two operations are not completely consistent, the mail has been maliciously tampered with after being transmitted. The computer then does not authorize the mail receiving end, so that it cannot open the attachment, and sends prompt information to the mail receiving end. The prompt information tells the recipient corresponding to the mail receiving end that the attachment of the mail carries a potential security risk, which increases the user's awareness of and vigilance about mail security and reduces the risk of carelessly opening a malicious attachment.
In the above embodiment, an inconsistent verification result indicates that the content of the mail attachment has been maliciously tampered with during transmission. The mail receiving end is then not allowed to open the mail attachment, which strengthens the data integrity protection of the mail attachment. After receiving the prompt information, the receiving end may take further measures, such as confirming with the sender or reacquiring the original attachment, to ensure the integrity and authenticity of the attachment content. Because a maliciously tampered mail attachment may contain malicious code or viruses that affect the security of the mail receiving end, preventing the tampered attachment from being opened reduces the risk of spreading the malicious code and thereby protects the security of the mail receiving end.
S306, the computer sends prompt information to the mail sender.
After the computer sends the prompt message to the mail receiving end, the prompt message is also sent to the mail sending end corresponding to the mail sender. It informs the mail sender that the mail they sent has been attacked, so that the mail sender can promptly find technicians to handle it.
The above is a scheme after verification and authentication of the text and the attachment of the mail, and a more specific scheme in the mail security encryption method in the present application is described below with reference to fig. 4:
As shown in fig. 4, another flow chart of a mail security encryption method in an embodiment of the present application is shown.
S401, the computer determines the authority range of the mail sending end according to the private key of the sending end.
In some embodiments, the private key of the sender includes the identity information of the sender of the mail, where the identity information refers to the identity information corresponding to the sender of the mail, for example the sender's employee identity information. The authority range corresponding to the sender of the mail is determined in the identity information database. For example, for mail sent by employee A, employees of all departments in the company are within the authority range, whereas employees of other companies are not all within the authority range and must be added to employee A's authority range after approval.
S402, the computer determines the identity information of the mail receiving end according to the private key of the receiving end.
In some embodiments, when the mail receiving end uses the receiving end security key to open the mail, the computer obtains the receiving end private key corresponding to the receiving end security key and obtains the identity information of the mail receiving end in the receiving end private key, and determines whether the mail receiving end is within the authority range of the mail sending party in the identity information database.
S403, if the identity information belongs to the authority range, the computer decrypts the mail text by using the public key, so that the mail receiving end can open the mail text by using the receiving end security key.
In some embodiments, if the mail receiving side is within the authority range of the mail sending side, the computer decrypts the body of the mail by using the public key, where the decryption algorithm is the decryption algorithm corresponding to the encryption algorithm mentioned in step S201, converts the body of the mail from ciphertext to plaintext, and after the body of the mail is decrypted, the mail receiving side can open the body of the mail by using the receiving side security key.
In the above embodiment, the identity information of the receiving end is determined by using the private key, so that identity forging and spoofing can be effectively prevented, the private key is associated with the authority range of the mail sending end, and only the mail receiving end with the matched authority range can be confirmed to be the effective identity and the mail text is opened, so that the security of mail communication can be enhanced, and the risks of malicious attack and fraud are reduced.
S404, the computer acquires the salt value and the digital fingerprint from the text.
In step S205, the computer stores the salt and the digital fingerprint in the body, and the computer acquires the salt and the digital fingerprint from the body of the mail after the mail is transmitted to the mail receiver via a plurality of computers or network nodes.
S405, the computer splices the salt value and the current attachment content to form a current character string.
The current attachment content refers to the attachment content of the mail after it has been transmitted through the plurality of computers or network nodes; the transmitted attachment content may be unchanged or may have been changed. The current character string refers to the character string spliced from the current attachment content and the salt value; if the attachment content has been changed, the current character string also differs from the character string in S203.
In some embodiments, the computer represents the content of the attachment as a binary data block or string and concatenates the attachment content with the salt value according to a concatenation rule, such as may be implemented using a concatenation operator (e.g., "+") of the string or a string concatenation function, in the same manner as in step S203.
S406, the computer calculates the current character string to obtain the current digital fingerprint.
The current digital fingerprint refers to the digital fingerprint obtained by operating the current character string, and if the current attachment content is different from the attachment content in S203, the current digital fingerprint obtained by operating is also different from the digital fingerprint obtained in S204.
In some embodiments, in the same manner as in step S204, the computer converts the concatenated string into a digital fingerprint by a hash function, passes the string as input to the hash function, and obtains a hash value as output, which is then the digital fingerprint.
S407, the computer compares the current digital fingerprint with the digital fingerprint.
The current digital fingerprint refers to the digital fingerprint calculated in S406.
The computer compares the digital fingerprint obtained in step S406 with the digital fingerprint obtained in step S204, and if the two digital fingerprints are completely identical, the content of the attachment is shown not to have been tampered with.
S408, when the verification results are consistent, the computer allows the mail receiving end to open the attachment.
When the comparison result in step S407 is completely consistent, the computer grants the mail receiving end the ability to open the attachment of the mail.
In the above embodiment, by comparing the current digital fingerprint with the original digital fingerprint, it can be verified whether the attachment content is tampered or damaged in the transmission process, if the two digital fingerprints are not matched, it is indicated that the attachment content may be tampered, the integrity of the attachment content can be verified, and the security of the mail attachment is ensured.
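The salted-fingerprint check of steps S203 to S205 (sender side) and S404 to S408 (receiver side), together with the failure path of S304 to S306, can be sketched as follows. This is an added illustration, not code from the patent: the `Mail` and `Verdict` types, the field names, SHA-256, the 16-byte salt and the salt-first splice order are all assumptions, since the text only says "hash function" and "splice".

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SALT_BYTES = 16  # assumed salt length; the page does not specify one


@dataclass
class Mail:
    """Hypothetical mail model: the body carries the salt and fingerprint."""
    attachment: bytes
    body_fields: dict = field(default_factory=dict)


@dataclass
class Verdict:
    """Outcome of the check: open permission plus optional prompts."""
    allow_open: bool
    notify_receiver: Optional[str] = None
    notify_sender: Optional[str] = None


def fingerprint(salt: bytes, attachment: bytes) -> bytes:
    # Splice salt and attachment bytes, then hash. SHA-256 and the
    # salt-first order are assumptions; both ends must use the same rule.
    return hashlib.sha256(salt + attachment).digest()


def seal_attachment(mail: Mail) -> None:
    """Sender side (S203-S205): random salt, splice, hash, store in body."""
    salt = secrets.token_bytes(SALT_BYTES)
    mail.body_fields["salt"] = salt.hex()
    mail.body_fields["fingerprint"] = fingerprint(salt, mail.attachment).hex()


def verify_attachment(mail: Mail) -> Verdict:
    """Receiver side (S404-S408), with the failure path of S304-S306.

    The hash is unkeyed, so this check is only meaningful while the body
    that stores the salt and fingerprint is itself protected from change.
    """
    warning = "attachment content failed the fingerprint check"
    try:
        # S404: read the salt and the stored fingerprint from the body.
        salt = bytes.fromhex(mail.body_fields["salt"])
        stored = bytes.fromhex(mail.body_fields["fingerprint"])
    except (KeyError, TypeError, ValueError):
        # Missing or malformed values: fail closed, same as a mismatch.
        return Verdict(False, warning, warning)
    # S405-S406: splice the salt with the *current* attachment and hash.
    current = fingerprint(salt, mail.attachment)
    # S407: constant-time comparison of the two fingerprints.
    if hmac.compare_digest(current, stored):
        return Verdict(True)  # S408: the attachment may be opened
    # S304-S306: refuse to open and prompt both receiver and sender.
    return Verdict(False, warning, warning)


if __name__ == "__main__":
    # Constructed sample attachment, not data from the page.
    mail = Mail(attachment=b"constructed sample: quarterly report v1")
    seal_attachment(mail)
    print("untouched:", verify_attachment(mail))
    mail.attachment = b"constructed sample: quarterly report v2"
    print("modified: ", verify_attachment(mail))
```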
The above embodiments are only for illustrating the technical solution of the present application, and are not limiting thereof; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present application.
The system in the embodiments of the present application is described from a modular point of view as follows:
referring to fig. 5, a schematic diagram of a functional module structure of a mail security encryption system provided in an embodiment of the present application, where the mail security encryption system includes a computer, and the computer includes:
the embedding module 501 is used for embedding a sender private key into a mail when the computer detects that the sender uses a sender security key to send the mail, wherein the mail comprises an attachment and a text;
a generation module 502 for randomly generating a salt value;
a splicing module 503 for splicing the content of the attachment and the salt value to form a character string;
the operation module 504 is used for performing operation on the character string to obtain a digital fingerprint;
a storage module 505 that stores the salt value and the digital fingerprint in the body;
the authentication module 506, by which the computer uses the public key and the receiving end private key to authenticate the sending end private key when the mail receiving end uses the receiving end security key to open the mail;
a first permission module 507, for allowing the mail receiving end to open the text by using the receiving end security key if the authentication is successful;
a verification module 508 for verifying the salt value and the digital fingerprint according to the content of the attachment;
the second permission module 509 allows the mail receiving end to open the attachment when the verification results agree.
The system in the embodiment of the present application is described above from the point of view of the modularized functional entity, and is described below from the point of view of hardware processing. Please refer to fig. 6, which is a schematic diagram of the physical device structure of the computer provided in the embodiment of the present application.
It should be noted that the structure of the system shown in fig. 6 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present invention.
As shown in fig. 6, the system includes a central processing unit (Central Processing Unit, CPU) 601 which can perform various appropriate actions and processes according to a program stored in a Read-Only Memory (ROM) 602 or a program loaded from a storage section 608 into a random access Memory (Random Access Memory, RAM) 603, for example, performing the method described in the above embodiment. In the RAM 603, various programs and data required for system operation are also stored. The CPU 601, ROM 602, and RAM 603 are connected to each other through a bus 604. An Input/Output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a camera, an infrared sensor, etc.; an output portion 607 including a liquid crystal display (Liquid Crystal Display, LCD), a speaker, and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN (Local Area Network) card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. Removable media 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on drive 610 so that a computer program read therefrom is installed as needed into storage section 608.
In particular, according to embodiments of the present invention, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present invention include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method shown in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication portion 609, and/or installed from the removable medium 611. When executed by a Central Processing Unit (CPU) 601, the computer program performs the various functions defined in the present invention.
It should be noted that the computer readable medium shown in the embodiments of the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of a computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-Only Memory (ROM), an erasable programmable read-Only Memory (Erasable Programmable Read Only Memory, EPROM), flash Memory, an optical fiber, a portable compact disc read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with a computer-readable computer program embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. Each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Specifically, the system of the present embodiment includes a processor and a memory, where a computer program is stored in the memory, and when the computer program is executed by the processor, the secure encryption method provided in the foregoing embodiment is implemented.
As another aspect, the present invention also provides a computer-readable storage medium, which may be contained in the computer described in the above embodiment; or may exist alone without being assembled into the system. The storage medium carries one or more computer programs which, when executed by a processor of the computer, cause the computer to implement the methods provided in the embodiments described above.
As used in the above embodiments, the term "when …" may be interpreted to mean "if …" or "after …" or "in response to determination …" or "in response to detection …" depending on the context. Similarly, the phrase "at the time of determination …" or "if detected (a stated condition or event)" may be interpreted to mean "if determined …" or "in response to determination …" or "at the time of detection (a stated condition or event)" or "in response to detection (a stated condition or event)" depending on the context.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, a flow or function consistent with embodiments of the present application is produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, fiber optic, digital subscriber line) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains an integration of one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk), etc.
Those of ordinary skill in the art will appreciate that implementing all or part of the above-described method embodiments may be accomplished by a computer program to instruct related hardware, the program may be stored in a computer readable storage medium, and the program may include the above-described method embodiments when executed. And the aforementioned storage medium includes: ROM or random access memory RAM, magnetic or optical disk, etc.
Claims (10)
1. A mail security encryption method, the method comprising:
when the computer detects that the mail sending end uses the sending end security key to send the mail, the computer embeds a sending end private key in the mail, and the mail comprises an attachment and a text;
the computer randomly generates a salt value;
the computer splices the content of the attachment and the salt value to form a character string;
the computer calculates the character string to obtain a digital fingerprint;
the computer storing the salt value and the digital fingerprint in the text;
when the mail receiving end is detected to open the mail by using a receiving end security key, the computer authenticates the sending end private key by using a public key and a receiving end private key;
if the authentication is successful, the computer allows the mail receiving end to open the text by using the receiving end security key;
the computer verifies the salt value and the digital fingerprint according to the content of the attachment;
and when the verification results are consistent, the computer allows the mail receiving end to open the attachment.
2. The method of claim 1, wherein after the step of the computer allowing the mail receiving end to open the attachment when the verification results are consistent, the method further comprises:
when the computer detects that the mail receiving end opens early mail, the computer performs algorithm feature detection on the early mail, wherein the early mail is the mail before the public key is replaced;
and if the early mail accords with the algorithm characteristic, the computer allows the mail receiving end to open the early mail.
3. The method of claim 1, wherein the steps of the computer authenticating the sender private key using a public key and a receiver private key when the mail receiving end opens the mail using a receiving end security key, and, if the authentication is successful, the computer allowing the mail receiving end to open the text by using the receiving end security key, specifically comprise:
the computer determines the authority range of the mail sending end according to the private key of the sending end;
the computer determines the identity information of the mail receiving end according to the private key of the receiving end;
and if the identity information belongs to the authority range, the computer decrypts the mail text by using the public key, so that the mail receiving end can open the mail text by using the receiving end security key.
4. The method according to claim 1, wherein the step of verifying the salt value and the digital fingerprint by the computer according to the content of the attachment comprises:
the computer acquires the salt value and the digital fingerprint from the text;
the computer splices the salt value and the current attachment content to form a current character string;
the current character string is operated to obtain a current digital fingerprint;
the computer compares the current digital fingerprint with the digital fingerprint.
5. The method of claim 1, wherein after the step of the computer allowing the mail receiving end to open the text by using the receiving end security key if the authentication is successful, the method further comprises:
if the authentication fails, the computer does not allow the mail receiving end to open the mail text.
6. The method of claim 1, wherein after the step of the computer allowing the mail receiving end to open the attachment when the verification results are consistent, the method further comprises:
when the verification results are inconsistent, the computer does not allow the mail receiving end to open the mail attachment;
the computer sends prompt information to the mail receiving end, wherein the prompt information is used for prompting the mail receiving end that the content of the attachment is tampered.
7. The method of claim 6, wherein the computer sends a prompt message to the mail receiving end, the prompt message being used to prompt the mail receiving end that the content of the attachment has been tampered with, the method further comprising:
the computer sends prompt information to the mail sending end, wherein the prompt information is used for prompting the mail sending end that the mail attachment content has been tampered with.
8. A mail security encryption system, the mail security encryption system comprising a computer, the computer comprising:
the embedding module is used for embedding a sender private key into the mail when the computer detects that the sender uses the sender security key to send the mail, wherein the mail comprises an attachment and a body text;
the generation module is used for randomly generating a salt value;
the splicing module concatenates the content of the attachment with the salt value to form a character string;
the operation module is used for performing an operation on the character string to obtain a digital fingerprint;
the storage module stores the salt value and the digital fingerprint in the body text;
the authentication module is used for authenticating the sender private key using the public key and the receiver private key when the mail receiving end uses the receiving end security key to open the mail;
the first permission module allows the mail receiving end to open the body text using the receiving end security key if the authentication is successful;
the verification module is used for verifying the salt value and the digital fingerprint according to the content of the attachment;
and the second permission module allows the mail receiving end to open the attachment when the verification results are consistent.
9. A computer, comprising: one or more processors and memory;
the memory is coupled to the one or more processors, the memory for storing computer program code comprising computer instructions that the one or more processors call to cause the computer to perform the method of any of claims 1-7.
10. A computer readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the method of any of claims 1-7.
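The salt-and-fingerprint check of claims 4, 6 and 7, sketched as an added example (not code from the patent). SHA-256, a 16-byte salt, salt-first concatenation, and all function and field names are assumptions; the claims name none of them.

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16  # assumed length; the claims only say the salt is random


def make_fingerprint(attachment: bytes) -> tuple[bytes, str]:
    """Sender side: random salt, salt || attachment, hash of the result."""
    salt = secrets.token_bytes(SALT_BYTES)
    # SHA-256 and salt-first ordering are assumptions of this sketch.
    return salt, hashlib.sha256(salt + attachment).hexdigest()


def verify_attachment(salt: bytes, stored_fp: str, current: bytes) -> bool:
    """Claim 4: recompute over the current attachment and compare."""
    current_fp = hashlib.sha256(salt + current).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(current_fp, stored_fp)


def open_attachment(body: dict, attachment: bytes) -> dict:
    """Claims 6 and 7: on mismatch, refuse and notify both ends."""
    salt = bytes.fromhex(body["salt"])
    if verify_attachment(salt, body["fingerprint"], attachment):
        return {"allowed": True, "notify": []}
    return {"allowed": False, "notify": ["receiver", "sender"]}


def store_in_body(attachment: bytes) -> dict:
    """Storage step: salt and fingerprint travel in the body text."""
    salt, fp = make_fingerprint(attachment)
    return {"salt": salt.hex(), "fingerprint": fp}


if __name__ == "__main__":
    original = b"Q4 invoice: pay 1,000 to account A"   # constructed sample
    tampered = b"Q4 invoice: pay 9,000 to account B"   # constructed sample
    body = store_in_body(original)
    print(open_attachment(body, original))
    print(open_attachment(body, tampered))
```

Because the hash is unkeyed, the check detects tampering only while the salt and fingerprint stored in the body text are themselves protected; in the claimed method that protection comes from the body text being decrypted only after authentication succeeds.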
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202311742811.4A CN117857143A (en) | 2023-12-18 | 2023-12-18 | Mail security encryption method, computer and readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117857143A (en) | 2024-04-09 |
Family
ID=90537608
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202311742811.4A Pending CN117857143A (en) | 2023-12-18 | 2023-12-18 | Mail security encryption method, computer and readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN117857143A (en) |
2023
- 2023-12-18 CN CN202311742811.4A patent/CN117857143A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||