CN104394214A - Method and system for protecting desktop cloud service through access control - Google Patents
- Publication number
- CN104394214A (application number CN201410689562.1A)
- Authority
- CN
- China
- Prior art keywords
- desktop cloud
- desktop
- security gateway
- data center
- password
- Prior art date
- Legal status
- Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/08—Protocols specially adapted for terminal emulation, e.g. Telnet
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention discloses a method and a system for protecting a desktop cloud service through access control, and relates to the technical field of desktop cloud security. The method aims to solve the problem that the existing mode of logging in to the desktop with a user name and a password has weak security strength. The method includes: step 1, a thin terminal connects to a desktop cloud data center through a security gateway; step 2, the user inserts a USB KEY identifying the user into the thin terminal, and the thin terminal sends an authentication request to the security gateway together with the signature produced with the key of the user identity certificate read from the USB KEY; step 3, the security gateway verifies the signature and, once it passes, transmits the user name and password for logging in to the desktop that correspond to the user identity certificate to the desktop cloud data center; step 4, the desktop cloud data center verifies the user name and password, and the login is completed once they pass verification.
Description
Technical field
The present invention relates to the field of desktop cloud security, and in particular to a login authentication method for a desktop cloud data center that uses a USB KEY.
Background technology
An existing desktop cloud data center (also called a desktop cloud server) usually performs user login with an ordinary user name and password, with a Microsoft domain server carrying out the user identity verification. This user name and password mode has weak security strength: it is easily compromised by guessing and brute-force attacks, which affects the security of the whole system. At the same time, because the virtual desktop IP address in the desktop cloud is normally exposed directly to the user, there is a risk that a malicious user attacks the virtual desktop directly, bypassing the security mechanism of the desktop cloud system and obtaining virtual desktop data.
Summary of the invention
The technical problem solved by the invention is to fundamentally eliminate the risks described above. The invention adds an access security gateway to the network path between the thin terminal and the desktop cloud data center, and combines the user identity authentication performed by the security gateway with the login authentication of the desktop cloud data center to complete the access authentication procedure of the desktop cloud.
The technical solution adopted by the invention is as follows:
The invention provides a method for protecting a desktop cloud service through access control, comprising:
Step 1: the thin terminal is connected to the desktop cloud data center through a security gateway; the security gateway stores the mapping between user identity certificates and the user name and password used for logging in to the desktop;
Step 2: the user inserts a USB KEY identifying the user into the thin terminal; the thin terminal initiates an authentication request to the security gateway and sends it the signature produced with the key of the user identity certificate read from the USB KEY;
Step 3: the security gateway verifies the signature; after verification passes, it transmits the user name and password for logging in to the desktop that correspond to this user identity certificate to the desktop cloud data center, and at the same time the security gateway clears the data this thin terminal sends to the desktop cloud data center to pass;
Step 4: the desktop cloud data center verifies the user name and password, and the user login is completed after verification passes.
Further, in step 3, the security gateway fills the user name and password for logging in to the desktop into a POST packet and transfers it to the desktop cloud data center over HTTP.
Further, in step 4, the desktop cloud data center parses the received POST packet to obtain the user name and password.
The invention also provides a system for protecting a desktop cloud service through access control, comprising:
a security gateway client, located in the thin terminal, for reading the signature produced with the key of the user identity certificate in the USB KEY inserted into the thin terminal, initiating an authentication request to the security gateway module and transferring the signature to the security gateway module;
a security gateway module, located on the security gateway, for verifying the signature and, after verification passes, transmitting the user name and password for logging in to the desktop that correspond to this user identity certificate to the login module in the desktop cloud data center, while clearing the data this thin terminal sends to the desktop cloud data center to pass;
a login module, located in the desktop cloud data center, for verifying the user name and password and completing the user login after verification passes.
Further, the security gateway module also fills the user name and password for logging in to the desktop into a POST packet and transfers it to the desktop cloud data center over HTTP.
Further, the login module also parses the received POST packet to obtain the user name and password.
In summary, by adopting the above technical scheme, the invention has the following beneficial effects:
1. Integrating the USB KEY encryption device achieves strong authentication of cloud desktop users, making up for the security defect brought by the single "user name + password" verification in current desktop cloud environments;
2. The change to the original system is small and does not depend on the implementation or architecture of the desktop cloud technology;
3. The USB KEY encryption device supports many algorithms, such as the Chinese national commercial cryptography algorithms SM1, SM2 and SM3 and general-purpose algorithms such as DES and RSA;
4. Unauthorized data flowing from the virtual desktop to the thin terminal can be completely blocked;
5. The security gateway records the authentication request of each thin terminal, so that even if malicious access occurs, querying the authentication request records of the security gateway can quickly locate the thin terminal from which the malicious access was made.
Description of the drawings
Embodiments of the present invention will be described with reference to the accompanying drawings, in which:
Fig. 1 is a diagram of the connection relationship between the thin terminal, the security gateway and the desktop cloud data center in the present invention.
Fig. 2 is a flow chart of the present invention.
Embodiments
All features disclosed in this specification, and all steps in any method or process disclosed, may be combined in any way except for mutually exclusive features and/or steps.
Unless specifically stated otherwise, any feature disclosed in this specification may be replaced by an alternative feature serving the same, equivalent or similar purpose. That is, unless specifically stated otherwise, each feature is only one example of a series of equivalent or similar features.
As shown in Fig. 1, a security gateway is placed between the thin terminal and the desktop cloud data center. The security gateway provides two network interfaces, an outer one and an inner one: the outer network interface connects to the thin terminal and the inner network interface connects to the desktop cloud data center.
As shown in Fig. 2, the method disclosed by the invention comprises:
Step 1: the thin terminal is connected to the desktop cloud data center through a security gateway; the security gateway stores the mapping between user identity certificates and the user name and password used for logging in to the desktop;
Step 2: the user inserts a USB KEY identifying the user into the thin terminal; the thin terminal initiates an authentication request to the security gateway and sends it the signature produced with the key of the user identity certificate read from the USB KEY;
Step 3: the security gateway verifies the signature and thereby determines the user identity; after verification passes, it transmits the user name and password for logging in to the desktop that correspond to this user identity certificate to the desktop cloud data center, and at the same time the security gateway clears the data this thin terminal sends to the desktop cloud data center to pass;
Step 4: the desktop cloud data center verifies the user name and password, and the user login is completed after verification passes.
After the login is completed, the desktop cloud data center sends the virtual desktop IP address and a login token to the thin terminal through the security gateway. The thin terminal uses the virtual desktop IP address and the login token to access data on the virtual desktop.
In other specific embodiments, step 3 comprises the security gateway filling the user name and password for logging in to the desktop into a POST packet and transferring it to the desktop cloud data center over HTTP.
Step 4 comprises the desktop cloud data center parsing the received POST packet to obtain the user name and password.
The present invention is not limited to the foregoing embodiments. The present invention extends to any new feature or any new combination of features disclosed in this specification, and to the steps of any new method or process disclosed or any new combination of such steps.
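The four steps above, the post-login token, and beneficial effects 4 and 5 (clearance of terminal traffic and an audit record of every authentication request) can be modelled end to end in a short program. The following Go code is an added example written for this page; it is not code from the patent or its applicant. It assumes Ed25519 in place of the SM2/RSA signatures the page names, assumes the gateway issues a random challenge that the USB KEY signs (the patent does not state what is signed, and without a per-request nonce a captured signature could be replayed), assumes the form field names `username` and `password` for the "POST packet", and uses a constructed account table (`alice`, desktop `10.0.0.11`).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"net/url"
)

// usbKey stands in for the hardware USB KEY: a subject name and public key in place
// of the certificate, and a private key that never leaves the token (Ed25519 assumed).
type usbKey struct {
	subject string
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
}

func newUSBKey(subject string) *usbKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &usbKey{subject, pub, priv}
}

// desktopCreds is the username/password pair the gateway maps to a certificate (step 1).
type desktopCreds struct{ user, pass string }

type gateway struct {
	certs    map[string]ed25519.PublicKey // subject -> trusted public key
	mapping  map[string]desktopCreds      // subject -> desktop login
	nonces   map[string][]byte            // terminal -> outstanding challenge
	Cleared  map[string]bool              // terminal -> traffic may pass inward (benefit 4)
	AuditLog []string                     // every attempt, allowed or denied (benefit 5)
}

// challenge hands the terminal a fresh random nonce to sign. Assumption: the patent does
// not say what is signed; without a per-request nonce a captured signature could be replayed.
func (g *gateway) challenge(terminal string) []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	g.nonces[terminal] = n
	return n
}

// authenticate is step 3: verify the signature against the enrolled certificate,
// clear the terminal and build the POST body carrying the mapped credentials.
func (g *gateway) authenticate(terminal, subject string, sig []byte) (string, error) {
	nonce, pending := g.nonces[terminal]
	delete(g.nonces, terminal) // a challenge is single-use
	pub, known := g.certs[subject]
	if !pending || !known || !ed25519.Verify(pub, nonce, sig) {
		g.AuditLog = append(g.AuditLog, "DENY terminal="+terminal+" subject="+subject)
		return "", errors.New("signature verification failed")
	}
	g.Cleared[terminal] = true
	g.AuditLog = append(g.AuditLog, "ALLOW terminal="+terminal+" subject="+subject)
	c := g.mapping[subject] // form field names are assumed; the page only says "POST packet"
	return url.Values{"username": {c.user}, "password": {c.pass}}.Encode(), nil
}

// Constructed account table of the data center's login module.
var passwords = map[string]string{"alice": "S3cret-sample"}
var desktops = map[string]string{"alice": "10.0.0.11"}

// login is step 4: parse the POST body, check the credentials, return desktop IP and token.
func login(postBody string) (ip, token string, err error) {
	form, err := url.ParseQuery(postBody)
	if err != nil {
		return "", "", err
	}
	user, want := form.Get("username"), passwords[form.Get("username")]
	if want == "" || subtle.ConstantTimeCompare([]byte(want), []byte(form.Get("password"))) != 1 {
		return "", "", errors.New("username or password rejected")
	}
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return "", "", err
	}
	return desktops[user], hex.EncodeToString(tok), nil
}

// RunFlow runs steps 1-4 for one terminal: enrolled is the key the gateway trusts,
// presented is the key the terminal actually signs with.
func RunFlow(enrolled, presented *usbKey, terminal string) (*gateway, string, string, error) {
	g := &gateway{certs: map[string]ed25519.PublicKey{}, mapping: map[string]desktopCreds{},
		nonces: map[string][]byte{}, Cleared: map[string]bool{}}
	g.certs[enrolled.subject], g.mapping[enrolled.subject] = enrolled.pub, desktopCreds{"alice", "S3cret-sample"}
	sig := ed25519.Sign(presented.priv, g.challenge(terminal)) // step 2: the token signs the challenge
	body, err := g.authenticate(terminal, enrolled.subject, sig)
	if err != nil {
		return g, "", "", err
	}
	ip, token, err := login(body)
	return g, ip, token, err
}
```

Calling `RunFlow(alice, alice, "thin-01")` with the enrolled key yields the desktop IP and a fresh token and leaves an ALLOW record; calling it with a different key while claiming the same certificate fails at the gateway with a DENY record, before any credential is sent, and the terminal stays uncleared. Two deployment points follow from the page's own design: the gateway-to-data-center hop is specified as plain HTTP and carries the desktop password, so it must stay on the isolated inner interface or be wrapped in TLS; and the mapping table makes the gateway a credential store for every user, so it needs the same protection as the domain password database it fronts.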
Claims (6)
1. A method for protecting a desktop cloud service through access control, characterized in that it comprises:
Step 1: the thin terminal is connected to the desktop cloud data center through a security gateway; the security gateway stores the mapping between user identity certificates and the user name and password used for logging in to the desktop;
Step 2: the user inserts a USB KEY identifying the user into the thin terminal; the thin terminal initiates an authentication request to the security gateway and sends it the signature produced with the key of the user identity certificate read from the USB KEY;
Step 3: the security gateway verifies the signature; after verification passes, it transmits the user name and password for logging in to the desktop that correspond to this user identity certificate to the desktop cloud data center, and at the same time the security gateway clears the data this thin terminal sends to the desktop cloud data center to pass;
Step 4: the desktop cloud data center verifies the user name and password, and the user login is completed after verification passes.
2. The method for protecting a desktop cloud service through access control according to claim 1, characterized in that, in step 3, the security gateway fills the user name and password for logging in to the desktop into a POST packet and transfers it to the desktop cloud data center over HTTP.
3. The method for protecting a desktop cloud service through access control according to claim 2, characterized in that, in step 4, the desktop cloud data center parses the received POST packet to obtain the user name and password.
4. A system for protecting a desktop cloud service through access control, characterized in that it comprises:
a security gateway client, located in the thin terminal, for reading the signature produced with the key of the user identity certificate in the USB KEY inserted into the thin terminal, initiating an authentication request to the security gateway module and transferring the signature to the security gateway module;
a security gateway module, located on the security gateway, for verifying the signature and, after verification passes, transmitting the user name and password for logging in to the desktop that correspond to this user identity certificate to the login module in the desktop cloud data center, while clearing the data this thin terminal sends to the desktop cloud data center to pass;
a login module, located in the desktop cloud data center, for verifying the user name and password and completing the user login after verification passes.
5. The system for protecting a desktop cloud service through access control according to claim 4, characterized in that the security gateway module also fills the user name and password for logging in to the desktop into a POST packet and transfers it to the desktop cloud data center over HTTP.
6. The system for protecting a desktop cloud service through access control according to claim 5, characterized in that the login module also parses the received POST packet to obtain the user name and password.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410689562.1A CN104394214A (en) | 2014-11-26 | 2014-11-26 | Method and system for protecting desktop cloud service through access control |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410689562.1A CN104394214A (en) | 2014-11-26 | 2014-11-26 | Method and system for protecting desktop cloud service through access control |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104394214A true CN104394214A (en) | 2015-03-04 |
Family
ID=52612049
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410689562.1A Pending CN104394214A (en) | 2014-11-26 | 2014-11-26 | Method and system for protecting desktop cloud service through access control |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104394214A (en) |
- 2014-11-26: application CN201410689562.1A (publication CN104394214A) filed in CN, status pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110107409A1 (en) * | 2009-11-05 | 2011-05-05 | Vmware, Inc. | Single Sign On For a Remote User Session |
CN102420692A (en) * | 2011-12-28 | 2012-04-18 | 广州杰赛科技股份有限公司 | Safety authentication method and system of universal serial bus (USB) key of client terminal based on cloud computation |
CN103780584A (en) * | 2012-10-22 | 2014-05-07 | 上海俊悦智能科技有限公司 | Cloud computing-based identity authentication fusion method |
CN103237019A (en) * | 2013-04-03 | 2013-08-07 | 中国科学院合肥物质科学研究院 | Cloud service accessing gateway system and cloud service accessing method |
CN103532966A (en) * | 2013-10-23 | 2014-01-22 | 成都卫士通信息产业股份有限公司 | Device and method supporting USB-KEY-based SSO (single sign on) of virtual desktop |
CN103544453A (en) * | 2013-10-23 | 2014-01-29 | 成都卫士通信息产业股份有限公司 | USB (universal serial bus) KEY based virtual desktop file protection method and device |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104780156A (en) * | 2015-03-17 | 2015-07-15 | 成都盛思睿信息技术有限公司 | Secure cloud desktop system and USB access control method thereof |
CN104753930A (en) * | 2015-03-17 | 2015-07-01 | 成都盛思睿信息技术有限公司 | Cloud desktop management system based on security gateway and security access control method thereof |
CN105262742A (en) * | 2015-09-30 | 2016-01-20 | 上海有孚计算机网络有限公司 | Mobile cloud desktop equipment security management method |
CN105262742B (en) * | 2015-09-30 | 2018-10-19 | 上海有孚网络股份有限公司 | Cloud desktop mobile device method for managing security |
CN105354507B (en) * | 2015-10-23 | 2018-09-11 | 浙江远望软件有限公司 | A kind of data safety time slot scrambling under cloud environment |
CN105354507A (en) * | 2015-10-23 | 2016-02-24 | 浙江远望软件有限公司 | Data security confidentiality method under cloud environment |
CN105406963A (en) * | 2015-12-09 | 2016-03-16 | 中国联合网络通信集团有限公司 | Encryption method, encryption device, decryption method and decryption device for user account |
WO2017107956A1 (en) * | 2015-12-23 | 2017-06-29 | 北京奇虎科技有限公司 | Data processing method, client and server |
CN105610810A (en) * | 2015-12-23 | 2016-05-25 | 北京奇虎科技有限公司 | Data processing method, client and servers |
CN105610810B (en) * | 2015-12-23 | 2020-08-07 | 北京奇虎科技有限公司 | Data processing method, client and server |
CN106936760A (en) * | 2015-12-30 | 2017-07-07 | 航天信息股份有限公司 | A kind of apparatus and method of login Openstack cloud system virtual machines |
CN109302414A (en) * | 2018-11-08 | 2019-02-01 | 山西省农村信用社联合社 | Desktop cloud login method, terminal, SDN controller and system based on software defined network SDN |
CN109302414B (en) * | 2018-11-08 | 2021-06-11 | 山西省农村信用社联合社 | Desktop cloud login method, terminal, SDN controller and system based on Software Defined Network (SDN) |
CN109841273A (en) * | 2018-12-27 | 2019-06-04 | 江苏曼荼罗软件股份有限公司 | A kind of one-stop integration method and device of medical diagnosis software |
CN110808983A (en) * | 2019-11-05 | 2020-02-18 | 西安雷风电子科技有限公司 | Cloud desktop identity recognition detection method for network access of cloud desktop terminal |
CN113626799A (en) * | 2021-08-11 | 2021-11-09 | 国泰君安证券股份有限公司 | System, method, device, processor and computer readable storage medium for realizing UKEY automatic unified management |
CN114866253A (en) * | 2022-04-27 | 2022-08-05 | 北京计算机技术及应用研究所 | Reliable cloud host login system and cloud host login method realized by same |
CN114866253B (en) * | 2022-04-27 | 2024-05-28 | 北京计算机技术及应用研究所 | Reliable cloud host login system and cloud host login method implemented by same |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104394214A (en) | Method and system for protecting desktop cloud service through access control | |
US10437985B2 (en) | Using a second device to enroll a secure application enclave | |
EP3723399A1 (en) | Identity verification method and apparatus | |
CN106034104B (en) | Verification method, device and system for network application access | |
TW201706900A (en) | Method and device for authentication using dynamic passwords | |
WO2018050081A1 (en) | Device identity authentication method and apparatus, electric device, and storage medium | |
US9197420B2 (en) | Using information in a digital certificate to authenticate a network of a wireless access point | |
CN108111473B (en) | Unified management method, device and system for hybrid cloud | |
US8769289B1 (en) | Authentication of a user accessing a protected resource using multi-channel protocol | |
CN104125565A (en) | Method for realizing terminal authentication based on OMA DM, terminal and server | |
US10630488B2 (en) | Method and apparatus for managing application identifier | |
JP2018517367A5 (en) | ||
CN106921663B (en) | Identity continuous authentication system and method based on intelligent terminal software/intelligent terminal | |
CN104378206A (en) | Virtualization desktop safety certification method and system based on USB-Key | |
CN106060078B (en) | User information encryption method, register method and verification method applied to cloud platform | |
CN103532966A (en) | Device and method supporting USB-KEY-based SSO (single sign on) of virtual desktop | |
CN101841525A (en) | Secure access method, system and client | |
TWI632798B (en) | Server, mobile terminal, and network real-name authentication system and method | |
US20150324554A1 (en) | Registration of devices in a digital rights management environment | |
EP2827529B1 (en) | Method, device, and system for identity authentication | |
CN104901940A (en) | 802.1X network access method based on combined public key cryptosystem (CPK) identity authentication | |
US20210073359A1 (en) | Secure one-time password (otp) authentication | |
CN106796630A (en) | User authentication | |
CN109831311A (en) | A kind of server validation method, system, user terminal and readable storage medium storing program for executing | |
WO2015176500A1 (en) | Single sign-on authentication method, device and system, and computer storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20150304 |