CN104394214A - Method and system for protecting desktop cloud service through access control - Google Patents

Method and system for protecting desktop cloud service through access control

Info

Publication number
CN104394214A
Authority
CN
China
Prior art keywords
desktop cloud
desktop
security gateway
data center
password
Prior art date
Legal status
Pending
Application number
CN201410689562.1A
Other languages
Chinese (zh)
Inventor
王华磊
Current Assignee
Chengdu Westone Information Industry Inc
Original Assignee
Chengdu Westone Information Industry Inc
Priority date
2014-11-26
Filing date
2014-11-26
Publication date
2015-03-04

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/08 Protocols specially adapted for terminal emulation, e.g. Telnet
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 ... for authentication of entities > H04L 63/083 ... for authentication of entities using passwords
    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 ... for authentication of entities > H04L 63/0853 ... for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method and a system for protecting a desktop cloud service through access control, and relates to the technical field of desktop cloud security. The method is aimed at solving the problem that the existing way of logging in to the desktop with a user name and password is weak in security strength. The method comprises: step 1, a thin terminal connects to a desktop cloud data center through a security gateway; step 2, the user inserts a USB KEY that identifies the user into the thin terminal, and the thin terminal sends an authentication request to the security gateway together with a signature made with the key of the user identity certificate read from the USB KEY; step 3, the security gateway verifies the signature and, after the signature passes verification, transmits the user name and password for logging in to the desktop that correspond to the user identity certificate to the desktop cloud data center; step 4, the desktop cloud data center verifies the user name and password, and the login is completed after they pass verification.

Description

A method and system for protecting a desktop cloud service through access control
Technical field
The present invention relates to the field of desktop cloud security, and in particular to a login verification method for a desktop cloud data center that works in combination with a USB KEY.
Background technology
Existing desktop cloud data centers, also called desktop cloud servers, usually let users log in with an ordinary user name and password, and perform user identity verification in combination with a Microsoft domain server. The security strength of this user name and password scheme is weak: the security of the whole system is easily compromised by guessing and brute force. At the same time, because the virtual desktop IP in the desktop cloud is normally exposed directly to the user, there is a risk that a malicious user attacks the virtual desktop, bypasses the security mechanisms of the desktop cloud system and obtains virtual desktop data.
Summary of the invention
The technical problem to be solved by this invention is to fundamentally eliminate the above risks. The present invention adds an access security gateway to the network channel between the thin terminal and the desktop cloud data center, and combines the user identity authentication performed by the security gateway with the login authentication performed by the desktop cloud data center to complete the access authentication procedure of the desktop cloud.
The technical solution used in the present invention is as follows:
The invention provides a method for protecting a desktop cloud service through access control, comprising:
Step 1: the thin terminal is connected to the desktop cloud data center through the security gateway; the security gateway stores the user identity certificate and its mapping to the user name and password used for logging in to the desktop;
Step 2: the user inserts the USB KEY that identifies the user into the thin terminal; the thin terminal initiates an authentication request to the security gateway and sends to the security gateway a signature made with the key of the user identity certificate read from the USB KEY;
Step 3: the security gateway verifies the signature; after the signature passes verification, it transmits the desktop login user name and password corresponding to this user identity certificate to the desktop cloud data center, and at the same time lets the data that this thin terminal sends to the desktop cloud data center pass through the security gateway;
Step 4: the desktop cloud data center verifies the user name and password, and the user login is completed once they pass verification.
Further, in step 3, the security gateway fills the user name and password used for logging in to the desktop into a POST packet and transfers it to the desktop cloud data center over the HTTP protocol.
Further, in step 4, the desktop cloud data center parses the received POST packet to obtain the user name and password.
The present invention also provides a system for protecting a desktop cloud service through access control, comprising:
a security gateway client, located on the thin terminal, for reading the signature made with the key of the user identity certificate in the USB KEY inserted into the thin terminal, initiating an authentication request to the security gateway module and transferring the signature to the security gateway module;
a security gateway module, located on the security gateway, for verifying the signature and, after the signature passes verification, transmitting the desktop login user name and password corresponding to this user identity certificate to the login module in the desktop cloud data center, while at the same time letting the data that this thin terminal sends to the desktop cloud data center pass through;
a login module, located in the desktop cloud data center, for verifying the user name and password and completing the user login once they pass verification.
Further, the security gateway module also fills the user name and password used for logging in to the desktop into a POST packet and transfers it to the desktop cloud data center over the HTTP protocol.
Further, the login module also parses the received POST packet to obtain the user name and password.
In summary, owing to the adoption of the above technical scheme, the invention has the following beneficial effects:
1. the cryptographic device USB KEY is integrated to achieve strong authentication of cloud desktop users, making up for the security defect caused by relying on "user name + password" verification alone in current desktop cloud environments;
2. changes to the original system are small, and the scheme is not affected by the way the desktop cloud is technically implemented or by its framework;
3. the cryptographic device USB KEY supports many algorithms, such as the Chinese national commercial cryptographic algorithms SM1, SM2 and SM3 and general-purpose algorithms such as DES and RSA;
4. unauthorised data flow from the virtual desktop to the thin terminal can be stopped completely;
5. the security gateway records the authentication requests of each thin terminal, so that even when malicious access occurs, querying the authentication request records of the security gateway can quickly locate the thin terminal performing the malicious access.
Description of the drawings
Embodiments of the present invention will be described with reference to the accompanying drawings, wherein:
Fig. 1 is a diagram of the connection relationship between the thin terminal, the security gateway and the desktop cloud data center in the present invention.
Fig. 2 is a flow chart of the present invention.
Embodiment
All features disclosed in this specification, and all steps of any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.
Any feature disclosed in this specification may, unless specifically stated otherwise, be replaced by another equivalent or alternative feature serving a similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
As shown in Fig. 1, the access security gateway sits between the thin terminal and the desktop cloud data center. The security gateway provides two network interfaces, an outer and an inner one: the outer network interface connects to the thin terminals and the inner network interface connects to the desktop cloud data center.
As shown in Fig. 2, the method disclosed by the invention comprises:
Step 1: the thin terminal is connected to the desktop cloud data center through the security gateway; the security gateway stores the user identity certificate and its mapping to the user name and password used for logging in to the desktop;
Step 2: the user inserts the USB KEY that identifies the user into the thin terminal; the thin terminal initiates an authentication request to the security gateway and sends to the security gateway a signature made with the key of the user identity certificate read from the USB KEY;
Step 3: the security gateway verifies the signature and thereby determines the user identity; after the signature passes verification, it transmits the desktop login user name and password corresponding to this user identity certificate to the desktop cloud data center, and at the same time lets the data that this thin terminal sends to the desktop cloud data center pass through the security gateway;
Step 4: the desktop cloud data center verifies the user name and password, and the user login is completed once they pass verification.
After the login is completed, the desktop cloud data center sends the virtual desktop IP address and a login token to the thin terminal through the security gateway. The thin terminal then uses the virtual desktop IP address and the login token to access data on the virtual desktop.
In other specific embodiments, step 3 comprises the security gateway filling the user name and password used for logging in to the desktop into a POST packet and transferring it to the desktop cloud data center over the HTTP protocol.
Step 4 then comprises the desktop cloud data center parsing the received POST packet to obtain the user name and password.
The present invention is not limited to the foregoing embodiments. The present invention extends to any new feature or any new combination of features disclosed in this specification, and to the steps of any new method or process disclosed, or any new combination thereof.

Claims (6)

1. A method for protecting a desktop cloud service through access control, characterized by comprising:
Step 1: the thin terminal is connected to the desktop cloud data center through the security gateway; the security gateway stores the user identity certificate and its mapping to the user name and password used for logging in to the desktop;
Step 2: the user inserts the USB KEY that identifies the user into the thin terminal; the thin terminal initiates an authentication request to the security gateway and sends to the security gateway a signature made with the key of the user identity certificate read from the USB KEY;
Step 3: the security gateway verifies the signature; after the signature passes verification, it transmits the desktop login user name and password corresponding to this user identity certificate to the desktop cloud data center, and at the same time lets the data that this thin terminal sends to the desktop cloud data center pass through the security gateway;
Step 4: the desktop cloud data center verifies the user name and password, and the user login is completed once they pass verification.
2. The method for protecting a desktop cloud service through access control according to claim 1, characterized in that in step 3 the security gateway fills the user name and password used for logging in to the desktop into a POST packet and transfers it to the desktop cloud data center over the HTTP protocol.
3. The method for protecting a desktop cloud service through access control according to claim 2, characterized in that in step 4 the desktop cloud data center parses the received POST packet to obtain the user name and password.
4. A system for protecting a desktop cloud service through access control, characterized by comprising:
a security gateway client, located on the thin terminal, for reading the signature made with the key of the user identity certificate in the USB KEY inserted into the thin terminal, initiating an authentication request to the security gateway module and transferring the signature to the security gateway module;
a security gateway module, located on the security gateway, for verifying the signature and, after the signature passes verification, transmitting the desktop login user name and password corresponding to this user identity certificate to the login module in the desktop cloud data center, while at the same time letting the data that this thin terminal sends to the desktop cloud data center pass through;
a login module, located in the desktop cloud data center, for verifying the user name and password and completing the user login once they pass verification.
5. The system for protecting a desktop cloud service through access control according to claim 4, characterized in that the security gateway module also fills the user name and password used for logging in to the desktop into a POST packet and transfers it to the desktop cloud data center over the HTTP protocol.
6. The system for protecting a desktop cloud service through access control according to claim 5, characterized in that the login module also parses the received POST packet to obtain the user name and password.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410689562.1A CN104394214A (en) 2014-11-26 2014-11-26 Method and system for protecting desktop cloud service through access control

Publications (1)

Publication Number Publication Date
CN104394214A (en) 2015-03-04

Family

ID=52612049

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410689562.1A Pending CN104394214A (en) 2014-11-26 2014-11-26 Method and system for protecting desktop cloud service through access control

Country Status (1)

Country Link
CN (1) CN104394214A (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110107409A1 (en) * 2009-11-05 2011-05-05 Vmware, Inc. Single Sign On For a Remote User Session
CN102420692A (en) * 2011-12-28 2012-04-18 广州杰赛科技股份有限公司 Safety authentication method and system of universal serial bus (USB) key of client terminal based on cloud computation
CN103780584A (en) * 2012-10-22 2014-05-07 上海俊悦智能科技有限公司 Cloud computing-based identity authentication fusion method
CN103237019A (en) * 2013-04-03 2013-08-07 中国科学院合肥物质科学研究院 Cloud service accessing gateway system and cloud service accessing method
CN103532966A (en) * 2013-10-23 2014-01-22 成都卫士通信息产业股份有限公司 Device and method supporting USB-KEY-based SSO (single sign on) of virtual desktop
CN103544453A (en) * 2013-10-23 2014-01-29 成都卫士通信息产业股份有限公司 USB (universal serial bus) KEY based virtual desktop file protection method and device

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104780156A (en) * 2015-03-17 2015-07-15 成都盛思睿信息技术有限公司 Secure cloud desktop system and USB access control method thereof
CN104753930A (en) * 2015-03-17 2015-07-01 成都盛思睿信息技术有限公司 Cloud desktop management system based on security gateway and security access control method thereof
CN105262742A (en) * 2015-09-30 2016-01-20 上海有孚计算机网络有限公司 Mobile cloud desktop equipment security management method
CN105262742B (en) * 2015-09-30 2018-10-19 上海有孚网络股份有限公司 Cloud desktop mobile device method for managing security
CN105354507B (en) * 2015-10-23 2018-09-11 浙江远望软件有限公司 A kind of data safety time slot scrambling under cloud environment
CN105354507A (en) * 2015-10-23 2016-02-24 浙江远望软件有限公司 Data security confidentiality method under cloud environment
CN105406963A (en) * 2015-12-09 2016-03-16 中国联合网络通信集团有限公司 Encryption method, encryption device, decryption method and decryption device for user account
WO2017107956A1 (en) * 2015-12-23 2017-06-29 北京奇虎科技有限公司 Data processing method, client and server
CN105610810A (en) * 2015-12-23 2016-05-25 北京奇虎科技有限公司 Data processing method, client and servers
CN105610810B (en) * 2015-12-23 2020-08-07 北京奇虎科技有限公司 Data processing method, client and server
CN106936760A (en) * 2015-12-30 2017-07-07 航天信息股份有限公司 A kind of apparatus and method of login Openstack cloud system virtual machines
CN109302414A (en) * 2018-11-08 2019-02-01 山西省农村信用社联合社 Desktop cloud login method, terminal, SDN controller and system based on software defined network SDN
CN109302414B (en) * 2018-11-08 2021-06-11 山西省农村信用社联合社 Desktop cloud login method, terminal, SDN controller and system based on Software Defined Network (SDN)
CN109841273A (en) * 2018-12-27 2019-06-04 江苏曼荼罗软件股份有限公司 A kind of one-stop integration method and device of medical diagnosis software
CN110808983A (en) * 2019-11-05 2020-02-18 西安雷风电子科技有限公司 Cloud desktop identity recognition detection method for network access of cloud desktop terminal
CN113626799A (en) * 2021-08-11 2021-11-09 国泰君安证券股份有限公司 System, method, device, processor and computer readable storage medium for realizing UKEY automatic unified management
CN114866253A (en) * 2022-04-27 2022-08-05 北京计算机技术及应用研究所 Reliable cloud host login system and cloud host login method realized by same
CN114866253B (en) * 2022-04-27 2024-05-28 北京计算机技术及应用研究所 Reliable cloud host login system and cloud host login method implemented by same

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 2015-03-04)