Disclosure of Invention
In view of the above, the present invention provides an encryption method for an electronic document, for guaranteeing data security and integrity, the method comprising:
Step 1, when a sender detects a signature operation by a target user on a target electronic file, processing information of the file and characteristic data information of the user are obtained;
Step 2, the acquired user characteristic data information is converted into binary code, and a transformation operation of adding 1 or subtracting 1 is executed on the converted binary code to obtain a transformed data stream;
Step 3, composite processing is executed on the transformed data stream and a random number sequence; specifically, a scrambling random sequence of corresponding length is obtained by truncation according to the length of the transformed data stream, and the transformed data stream and the scrambling random sequence are added to obtain a composite random data sequence, wherein the scrambling random sequence is generated from a random sequence, produced by passing the processing information of the user's document through a random function, after encryption processing with key information;
Step 4, the composite random number sequence is added to a corresponding signature area, and the target electronic file is sent to a receiver.
The method further comprises: determining whether picture information exists in the target document; when picture information exists, selecting the picture with the least obvious outline as the signature area of the digital signature information; and when no picture information exists in the electronic document, executing a watermark stamping operation and taking the watermark stamp area as the signature area.
Further, the user characteristic attribute information is fingerprint information of the user, and converting the acquired user characteristic information into binary code specifically comprises taking key points of the fingerprint information to generate a feature vector and converting the feature vector into a binary image.
Further, the encryption processing with the key information specifically comprises performing an exclusive-or operation on the binary image using the key information of the user.
Further, when picture information exists, the picture whose contour information is not obvious is used as the signature area of the digital signature information, and an edge detection algorithm is adopted, with the degree of edge continuity it detects serving as the basis for judgment.
Further, the user characteristic data information includes facial characteristic information of the user.
Further, the processing information of the document includes document processing time information.
Further, when picture information exists, after the picture is selected, the least significant bit of the original image X of size M × N is cleared to obtain an image Y, the image Y is divided into non-overlapping image blocks of size m × n, the total number of image blocks being (M/m) × (N/n), and the image blocks are mapped to numbers in a matrix according to the date and time information at which the target document is sent, so as to obtain the corresponding adding position area.
An electronic file encryption processing apparatus comprising a processor and a memory, the memory having stored thereon a computer program for execution by the processor to perform the method.
A computer readable storage medium having a computer program stored thereon, the computer program being executed by a processor to implement the method.
According to the invention, the document processing information and the user's characteristic data information are extracted during processing of the target document, and the characteristic data information is loaded covertly into the signature area. By acquiring the signature area information and the processing information of the received document, the receiver can determine whether the document was tampered with during transmission, so the integrity of the document is effectively ensured; meanwhile, judging whether picture information exists further increases the difficulty of decoding the covertly loaded information.
Detailed Description
These and other features and characteristics of the present invention, as well as the methods of operation and functions of the related elements of structure, the combination of parts and economies of manufacture, may be better understood with reference to the following description and the accompanying drawings, all of which form a part of this specification. It is to be expressly understood, however, that the drawings are for the purpose of illustration and description only and are not intended as a definition of the limits of the invention. It will be understood that the figures are not drawn to scale. Various block diagrams are used in the description of the various embodiments according to the present invention.
Example 1
As shown in FIG. 1, a specific application scenario of document encryption may be sharing within a circle of friends: when a user sends a document to a counterpart user, the counterpart is allowed to view it but is not allowed to tamper with it at will, so as to ensure the integrity and authenticability of the document. Optionally, in sharing with a circle of friends or the like, documents that mix text and pictures are a common format. The way of loading the personal stamp when no picture is present is also not noticeable. The document encryption of this scheme can be used in such application scenarios.
Taking document processing in a Windows system as an example, when a user needs to send a document, after the document has been processed, the signature operation or encryption operation of the target user on the target electronic file is first acquired, and a digital tag is added to the target electronic file, wherein the digital tag comprises information of the target user and document processing information;
The user information comprises user characteristic data information, and optionally the user characteristic information can be stored in a receiver or a cloud server. The user characteristic data information may be fingerprint information or facial characteristic information of the user. The user characteristic data information is embodied as a binary code, and preferably, when the image stamp information is adopted, the code length of the binary code is smaller than that of the binary code adopting the picture information.
The digital label adding method further comprises the following steps: judging whether the target electronic document has picture information, and if so, optionally selecting a picture as the object to which the digital tag signature is added. The selection rule is as follows: in order to prevent the added information from being detected, or to reduce the possibility of it being deciphered in transmission, the image selected to carry the digital label information is one whose outline information is not obvious, so that visibly incomplete image information, from which a thief could learn that the file may carry encrypted verification information, is avoided. To compare image outline information, algorithms such as image edge detection and extraction or image/outline identification and tracking can be used, and the picture with unobvious outline information is selected. Meanwhile, picture information with natural interference noise at the position can also be selected.
Preferably, after an image is selected, the least significant bit of the original image X of size M × N is cleared to obtain an image Y, and the image Y is divided into (M/m) × (N/n) non-overlapping image blocks of size m × n, where the brackets represent rounding. Optionally, when the user adds encryption information, the adding position may be determined by taking a value according to the number of truncated bits in the binary code obtained after the preset document processing time information is transformed. M and N are pixel values. Optionally, when the date and time information is September 24, the image block marked (2, 4) is selected for adding the information.
When the target electronic document does not contain picture information, the digital signature information can be set directly and added into the digital tag information. The digital signature information can be a watermark, or can take the form of official seal information or seal information. Because an electronic seal has a small image size and most seals use few colors, it can carry less information. In applications requiring positioning and tamper resistance, the watermark is embedded in the original digital media block by block or segment by segment, so the amount of watermark information is further limited; the characteristic information can therefore be truncated to reduce interference with the seal information. Pseudo noise, which may specifically be salt-and-pepper noise or the like, can be superimposed during truncation, so that the added random data sequence is not detected by a thief because of insufficient randomness when the amount of information is small.
The user characteristic data is embodied as a binary code, and a random data sequence is generated by performing scrambling composite processing on the binary code using a binary random sequence or a random sequence array. First, the user characteristic data is encrypted and subjected to the add-1 or subtract-1 transformation to obtain a transformed user characteristic data stream; the transformed user characteristic data stream and the scrambling random number are then compounded into a random data sequence, which is stored in the digital label. The scrambling random sequence is a random number generated according to the user's password or key and the document save time information.
The document save time information is used as the random data seed. Optionally, (1) the time information of the file to be encrypted is obtained using the API function GetFileTime; (2) the function void srand(unsigned int seed) is then initialized with the file time information as the pseudo-random number seed; (3) the function int rand(void) is called to obtain a pseudo-random number group, and the pseudo-random number group is taken as the scrambling random number; or, the pseudo-random number group is exclusive-ored with the user password or key to form the scrambling random data sequence.
In the generation of the pseudo-random number set, the time information is unique and deterministic for a particular file, since the creation time and the last modification time for the files in the user's computer are not exactly the same, while the time information can be accurate to milliseconds. Based on this, the resulting pseudo-random number set is also unique, using the file time information as seed information for the pseudo-random function.
Optionally, the file creation time in the system time is processed: the year, month, day, hour, minute, second and millisecond information in the time information is processed to obtain an integer that serves as the pseudo-random number seed in the function void srand(unsigned int seed). (4) The function int rand(void) is called to obtain a pseudo-random number group. (5) The pseudo-random number group and the user key or user password are processed, and the result is added to the image as the random data sequence.
Optionally, when the document needs to be encrypted for transmission, the random data sequence can also be used as an algorithm key to execute data encryption processing on the whole document.
When the target file is modified or copied, the attribute information of the document is set to be undeletable and the modified attribute information of the document is recorded; the modified attributes include save time information, the number of modifications and the like. Optionally, when the file is transmitted, the MAC address of the network card on the machine can be provided as an information marking parameter of the target document. The receiver acquires the information of the file and performs the decryption operation using the key or user password; when the time information obtained by the decryption operation does not match the attribute information of the document, the document is determined to have been modified and to lack integrity, and verification fails.
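The sender-side composition of steps 2 and 3 and the receiver-side check described above, as an added sketch in C that is not part of the original text. Assumptions: a constructed `file_time` struct stands in for the result of GetFileTime, the seed-folding formula is illustrative, the transformation is a per-byte +1 with addition modulo 256, and matching is exact rather than by similarity threshold; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the date/time fields of a file timestamp. */
struct file_time { unsigned year, month, day, hour, minute, second, ms; };

/* Assumption: fold the fields into one seed (the text gives no formula).
 * Unsigned overflow wraps, which is well defined in C. */
static unsigned int seed_from_time(const struct file_time *t)
{
    unsigned int s = ((t->year * 13u + t->month) * 32u + t->day) * 24u + t->hour;
    return ((s * 60u + t->minute) * 60u + t->second) * 1000u + t->ms;
}

/* Next scrambling byte: low byte of rand() XORed with the user key. */
static uint8_t scramble_byte(const uint8_t *key, size_t keylen, size_t i)
{
    return (uint8_t)((rand() & 0xFF) ^ key[i % keylen]);
}

/* Sender: tag[i] = (feature[i] + 1) + scramble[i], modulo 256. */
void compose_tag(const uint8_t *feature, size_t len, const struct file_time *t,
                 const uint8_t *key, size_t keylen, uint8_t *tag)
{
    srand(seed_from_time(t));
    for (size_t i = 0; i < len; i++)
        tag[i] = (uint8_t)(feature[i] + 1u + scramble_byte(key, keylen, i));
}

/* Receiver: rebuild the sequence from the file time it observes, undo both
 * steps and compare with the enrolled feature. Returns 1 on a match. */
int verify_tag(const uint8_t *tag, size_t len, const struct file_time *t,
               const uint8_t *key, size_t keylen, const uint8_t *enrolled)
{
    uint8_t diff = 0;
    srand(seed_from_time(t));
    for (size_t i = 0; i < len; i++) {
        uint8_t rec = (uint8_t)(tag[i] - scramble_byte(key, keylen, i) - 1u);
        diff |= (uint8_t)(rec ^ enrolled[i]);
    }
    return diff == 0;
}

/* Constructed sample data; 0xFF exercises the wrap-around of the +1 step. */
static const uint8_t FEATURE[8] = {0x3C, 0xFF, 0x00, 0xA5, 0x5A, 0x81, 0x7E, 0x10};
static const uint8_t KEY[4] = {0xDE, 0xAD, 0xBE, 0xEF};

/* ms_shift != 0 models a file whose save time changed after signing. */
int demo(unsigned ms_shift)
{
    struct file_time saved = {2023, 9, 24, 10, 15, 30, 250}, seen = saved;
    uint8_t tag[8];
    compose_tag(FEATURE, 8, &saved, KEY, 4, tag);
    seen.ms += ms_shift;
    return verify_tag(tag, 8, &seen, KEY, 4, FEATURE);
}

int main(void) { printf("%d %d\n", demo(0), demo(1)); return 0; }
```

rand() is a general-purpose generator rather than a cryptographic one and its output differs between C runtimes, so sender and receiver must share the same implementation, and the secrecy of the tag rests on the key rather than on the file time.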
Example 2
Optionally, the image feature information of the user in embodiment 1 specifically includes fingerprint information of the user. Key points are extracted from the fingerprint information, and the resulting one-dimensional feature vector is first converted into a binary image; the binary image can then be subjected to an exclusive-or operation using key information of the user or the like to obtain an encrypted binary image, that is, the encrypted user characteristic data. The key information may be a binary password sequence. The key information of the user is stored in a central database. After obtaining the file information, the receiving party extracts the encrypted information from the digital label and then decrypts the extracted data using the key of the user; the security of the data is verified by matching the decrypted information against the user characteristic information stored in the database.
The matching operation is specifically as follows: after every 8 bits of the binarized decrypted data are converted into a positive integer, a gradient histogram in each set area is calculated to obtain a new feature record D2; the user characteristic data is converted into binary coded form and concatenated to form a one-dimensional feature vector D1; the similarity of D1 and D2 is calculated, and if the similarity is larger than a specified threshold value, the verification passes.
Optionally, the network port serial number of the processing device is added into the file information, exclusive-or processing is performed on the file processing information and the network port serial number, then the file processing information and the binary private key are processed, and the file processing information and the network port serial number are added into the digital tag information/digital signature information. The key may be a symmetric key or an asymmetric key.
Example 3
As in the scheme in embodiment 1, when the transmitted document has picture information, a picture with insignificant outline information is selected as the object onto which the digital tag is loaded. First, the image file is divided: the least significant bit of an original image X of size M × N is cleared to obtain an image Y, and the image Y is divided into (M/m) × (N/n) non-overlapping image blocks of size m × n. Optionally, when encryption information is added, the user can take a value for the adding position according to a preset relation with preset time information, or can determine the adding position directly according to agreed information; the information is stored and carried in the low-order end of the 3 bytes of each pixel color in the picture. When the color values form only a 0, 1 sequence, the 0 area or the 1 area is selected to store the covertly loaded encrypted composite random sequence information.
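The block partition and least-significant-bit loading described here and in Example 1, as an added C sketch rather than code from the original text. It assumes an 8-bit grayscale image with M as rows and N as columns (the text stores data in 3 color bytes per pixel), and takes the block index as an input because the date-to-block mapping is only given by the (2, 4) example; function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Whole m x n blocks in an M x N image: (M/m) x (N/n), rounded down. */
size_t block_count(size_t M, size_t N, size_t m, size_t n)
{
    return (m && n) ? (M / m) * (N / n) : 0;
}

/* X -> Y: clear the least significant bit of every pixel. */
void clear_lsb(uint8_t *img, size_t M, size_t N)
{
    for (size_t i = 0; i < M * N; i++) img[i] &= 0xFE;
}

/* Write nbits of payload (MSB first) into the LSBs of block (br, bc).
 * Returns 0, or -1 if the block is out of range or too small. */
int embed_block(uint8_t *img, size_t M, size_t N, size_t m, size_t n,
                size_t br, size_t bc, const uint8_t *payload, size_t nbits)
{
    if (!m || !n || br >= M / m || bc >= N / n || nbits > m * n) return -1;
    for (size_t k = 0; k < nbits; k++) {
        uint8_t *px = &img[(br * m + k / n) * N + bc * n + k % n];
        *px = (uint8_t)((*px & 0xFE) | ((payload[k / 8] >> (7 - k % 8)) & 1));
    }
    return 0;
}

/* Read nbits back out of the same block; out must be zeroed beforehand. */
int extract_block(const uint8_t *img, size_t M, size_t N, size_t m, size_t n,
                  size_t br, size_t bc, uint8_t *out, size_t nbits)
{
    if (!m || !n || br >= M / m || bc >= N / n || nbits > m * n) return -1;
    for (size_t k = 0; k < nbits; k++) {
        uint8_t bit = img[(br * m + k / n) * N + bc * n + k % n] & 1;
        out[k / 8] |= (uint8_t)(bit << (7 - k % 8));
    }
    return 0;
}

/* Constructed 32 x 48 grayscale image, 8 x 8 blocks, 64-bit payload placed
 * in block (2, 4) as in the text's September 24 example. Returns 1 if the
 * payload round-trips and no pixel outside the block carries a set LSB. */
int demo_embed(void)
{
    uint8_t img[32 * 48], out[8] = {0};
    const uint8_t payload[8] = {0x9B, 0x00, 0xFF, 0x42, 0x17, 0xC3, 0x80, 0x01};
    size_t set = 0, ones = 0;
    for (size_t i = 0; i < sizeof img; i++) img[i] = (uint8_t)(i * 7 + 3);
    clear_lsb(img, 32, 48);
    if (embed_block(img, 32, 48, 8, 8, 2, 4, payload, 64)) return 0;
    if (extract_block(img, 32, 48, 8, 8, 2, 4, out, 64)) return 0;
    for (size_t i = 0; i < sizeof img; i++) set += img[i] & 1;
    for (size_t k = 0; k < 64; k++) ones += (payload[k / 8] >> (k % 8)) & 1;
    return memcmp(out, payload, 8) == 0 && set == ones;
}

int main(void) { printf("%d\n", demo_embed()); return 0; }
```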
The generation of the user key may optionally be performed using the following algorithm:
Generating a public key and private key pair: take 2 prime numbers p and q and calculate n ≡ pq, φ(n) ≡ (p − 1)(q − 1), where '≡' denotes an assignment, such that n is 1024 bits; select an integer b that satisfies 1 < b < φ(n) and gcd(b, φ(n)) = 1, wherein gcd denotes the greatest common divisor; calculate a ≡ b⁻¹ mod φ(n), and let KP ≡ (n, b) and KS ≡ (p, q, a) be the public key and the private key respectively.
The key is generated in a prime number mode, so that the key length suitable for document processing is obtained, and the encryption processing efficiency of digital label information is improved.
Example 4
As shown in fig. 2, an electronic file encryption processing apparatus includes a processor and a memory having stored thereon a computer program that is executed by the processor to implement the methods in embodiments 1-3.
It will be appreciated by those skilled in the art that all or part of the above-described embodiment methods may be implemented by a computer program instructing related hardware, where the program may be stored in a computer readable storage medium and, when executed, may include the flows of the above-described embodiment methods. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk Drive (HDD), a Solid-State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kinds described above.
The terms "component," "module," "system," and the like as used in the present invention are intended to refer to a computer-related entity, either hardware, firmware, a combination of hardware and software, or software in execution. For example, the components may be, but are not limited to: a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of example, both an application running on a computing device and the computing device can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers. Furthermore, these components can execute from various computer readable media having various data structures thereon. The components may communicate by way of local and/or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, and/or across a network such as the internet with other systems by way of the signal).
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that the technical solution of the present invention may be modified or substituted without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered in the scope of the claims of the present invention.