CN110659471A - Identity authentication login method in cloud environment - Google Patents


Info

Publication number
CN110659471A
Authority
CN
China
Prior art keywords
module
user
cloud
cloud terminal
connection
Prior art date
Legal status
Pending
Application number
CN201910900519.8A
Other languages
Chinese (zh)
Inventor
钱京
陆道如
崔可
Current Assignee
Jiangsu Hengbao Intelligent System Technology Co Ltd
Original Assignee
Jiangsu Hengbao Intelligent System Technology Co Ltd
Application filed by Jiangsu Hengbao Intelligent System Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/451 Execution arrangements for user interfaces
    • G06F9/452 Remote windowing, e.g. X-Window System, desktop virtualisation

Abstract

The invention relates to an identity authentication login method in a cloud environment. Before a cloud terminal user accesses a virtual machine in a cloud server, identity authentication is carried out first; after the authentication is passed, a connection request monitoring module at the cloud server end accesses a unified user management module and determines, according to the user's authorization, whether the user has the authority to access the required virtual desktop resources, so that the security of the cloud terminal user logging in to the cloud is improved. The invention also relates to an identity authentication system in the cloud environment; the method and the system can verify the legality of the user identity and provide a secure data transmission channel.

Description

Identity authentication login method in cloud environment
Technical Field
The invention relates to the field of cloud security, in particular to an identity authentication login method in a cloud environment.
Background
Cloud computing is an internet-based computing approach by which shared software and hardware resources and information can be provided to computers and other devices on demand. A cloud platform provides services based on cloud computing: suppliers provide the cloud platform, and customers use the services it offers, so that customers do not need to build their own company infrastructure and can rely entirely on the cloud platform to create new image instances.
Although cloud computing provides many advantages, data security is a major concern. In particular, companies that wish to deploy their enterprise applications in a cloud environment often maintain and manage important business information associated with those applications. When the applications are deployed in the cloud, this business information must be exposed to the cloud computing service provider. As a result, the business information is at risk, because the cloud computing environment by its very nature places the information under the administrative control of the cloud computing service provider. Although technical and legal protections may exist, the integrity, confidentiality and privacy of the business information cannot be absolutely ensured. As just one example scenario, if a cloud service provider is acquired, enterprise business information may be exposed to third parties, even potential competitors. This is not acceptable.
Currently, cloud computing technology is widely applied, and the flexible resource allocation and on-demand access of cloud computing also bring many security problems: first, dynamic security boundaries make protection more difficult; second, identities are easily impersonated and are vulnerable to man-in-the-middle attacks. Identity authentication is a main attack point of a security protection system and is the externally exposed attack surface of the security system. Therefore, the security design of the identity authentication system in the cloud environment is very important.
In the prior art for cloud environments, how to perform identity authentication more effectively is a problem that urgently needs to be solved.
Disclosure of Invention
This section provides a general summary of the disclosure, and is not a comprehensive disclosure of its full scope or all of its features.
The purpose of the present disclosure is to provide an identity authentication login method in a cloud environment, the method comprising the following steps:
(1) when the user inserts the USBKey, the USBKey monitoring module is triggered automatically; after the user inputs the PIN code and passes local verification, the user logs in to the operating system of the cloud terminal, and after entering the operating system a request to connect to the cloud server is initiated;
(2) the connection request information is obtained through the connection monitoring submodule at the cloud server end and decrypted by the SSL decryption module; whether the cloud terminal is an authorized terminal is verified, and if the verification passes, connection information is sent to the cloud terminal through the connection response module, completing the connection between the cloud terminal and the cloud server;
after the connection succeeds, the legality and validity of the user identity are verified, and it is confirmed whether the user may log in to the cloud server security virtual system;
(3) after the virtual machine management module is activated, the virtual desktop corresponding to a virtual machine is issued to the cloud terminal user according to the user's requirements and the virtual machine resource conditions;
(4) after the virtual desktop is displayed, the enhanced RDP module establishes a direct secure connection with the cloud terminal through the virtual machine, the peripherals of the cloud terminal are virtually mapped, and the cloud terminal user can securely log in to the virtual desktop.
When the user logs in to the cloud terminal operating system and the insertion of the USBKey is detected, the cloud terminal automatically activates the USBKey monitoring module, which calls the certificate acquisition module to acquire the user's personal digital certificate and controls the display of the login verification interface.
Preferably, the identity of the user is authenticated by the security authentication module according to the user information and the user's personal digital certificate information; after the identity authentication passes, an authentication success message is sent to the cloud terminal through the connection response module, and at the same time the virtual machine management module at the cloud server end is activated.
After the cloud terminal receives the virtual machine resources, the virtual desktop corresponding to the virtual machine is extracted through the USBKey monitoring module and displayed.
Preferably, step (4) is specifically: the connection between the connection request module and the connection response module is disconnected, the virtual machine information in the virtual machine resources is then extracted, and a secure connection between the enhanced RDP module and the connection request module in the cloud terminal is established directly according to that information.
The invention also provides an identity authentication login method in the cloud environment that is applied at the cloud server side and comprises the following steps:
(1) the connection request information is obtained through the connection monitoring submodule at the cloud server end and decrypted by the SSL decryption module; whether the cloud terminal is an authorized terminal is verified, and if the verification passes, connection information is sent to the cloud terminal through the connection response module, completing the connection between the cloud terminal and the cloud server; after the connection succeeds, the legality and validity of the user identity are verified, and it is confirmed whether the user may log in to the cloud server security virtual system;
(2) after the virtual machine management module is activated, the virtual desktop corresponding to a virtual machine is issued to the cloud terminal user according to the user's requirements and the virtual machine resource conditions;
(3) after the virtual desktop is displayed, the enhanced RDP module establishes a direct secure connection with the cloud terminal through the virtual machine, the peripherals of the cloud terminal are virtually mapped, and the cloud terminal user can securely log in to the virtual desktop.
The invention also provides an identity authentication login system in the cloud environment, which implements the identity authentication method in the cloud environment; the system comprises a cloud terminal, a cloud server and a USBKey;
the cloud terminal comprises a certificate acquisition module, a USBKey monitoring module, an SSL encryption module and a connection request module;
the cloud server comprises a security authentication module, a unified user management module, an SSL decryption module, a connection response module, a CA module, a virtual machine management module and an enhanced RDP module.
Preferably, the certificate acquisition module in the cloud terminal is used for acquiring a personal digital certificate of the user and sending the personal digital certificate to the USBKey monitoring module;
the USBKey monitoring module is used for carrying out cloud terminal user identity authentication according to the personal digital certificate of the user sent by the certificate acquisition module, and extracting desktop information of the virtual machine for display control;
the SSL encryption module is used for encrypting the connection request information and sending the encrypted information to the connection request module;
the connection request module is used for establishing connection with the connection response module of the cloud server side and then establishing connection with the enhanced RDP module of the cloud server side to complete data security interaction.
Preferably, the security authentication module in the cloud server is used for performing security authentication on the cloud terminal, and performing identity authentication on the user after the security authentication of the cloud terminal is passed;
the unified user management module is used for storing and acquiring user information corresponding to the cloud terminal and sending the user information to the CA module;
the SSL decryption module is used for receiving and decrypting the encrypted information of the connection response module and sending the resulting decrypted information to the CA module or the security authentication module;
the connection response module is used for establishing connection with a connection request module of the cloud terminal to complete authentication or safe interaction of other data;
the CA module is used for acquiring user information according to the personal digital certificate of the user and sending the certificate and the user information to the security authentication module;
the virtual machine management module is used for storing and acquiring virtual machine resource information, generating a corresponding list and sending the list to the cloud terminal;
the enhanced RDP module is used for establishing a secure connection with the cloud terminal to achieve secure login and data interaction of the virtual desktop.
Preferably, the virtual machine management module is further configured to establish a secure connection between the enhanced RDP module and the connection request module in the cloud terminal.
Advantageous effects: before accessing a virtual machine in the cloud server, the cloud terminal user first undergoes identity authentication; after the authentication passes, the connection request monitoring module at the cloud server end accesses the unified user management module and determines, according to the user's authorization, whether the user has the authority to access the required virtual desktop resource, so that the security of the cloud terminal user logging in to the cloud is improved; the method and the system can verify the legality of the user identity and provide a secure data transmission channel.
Further areas of applicability will become apparent from the description provided herein. The description and specific examples in this summary are intended for purposes of illustration only and are not intended to limit the scope of the present disclosure.
Drawings
The drawings described herein are for illustrative purposes only of selected embodiments and not all possible implementations, and are not intended to limit the scope of the present disclosure. In the drawings:
FIG. 1 is a first flowchart of a method for identity authentication in a cloud environment;
FIG. 2 is a flowchart of a method for identity authentication in a cloud environment;
FIG. 3 is a schematic diagram of an identity authentication system in a cloud environment.
While the disclosure is susceptible to various modifications and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and are herein described in detail. It should be understood, however, that the description herein of specific embodiments is not intended to limit the disclosure to the particular forms disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the disclosure. It is noted that throughout the several views, corresponding reference numerals indicate corresponding parts.
Detailed Description
Examples of the present disclosure will now be described more fully with reference to the accompanying drawings. The following description is merely exemplary in nature and is not intended to limit the present disclosure, application, or uses.
Example embodiments are provided so that this disclosure will be thorough, and will fully convey the scope to those skilled in the art. Numerous specific details are set forth such as examples of specific components, devices, and methods to provide a thorough understanding of embodiments of the present disclosure. It will be apparent to those skilled in the art that specific details need not be employed, that example embodiments may be embodied in many different forms and that neither should be construed to limit the scope of the disclosure. In certain example embodiments, well-known processes, well-known structures, and well-known technologies are not described in detail.
The technical problems posed by the present disclosure will be explained in detail below. It is to be noted that this technical problem is merely exemplary and is not intended to limit the application of the present invention.
The invention provides an identity authentication login method in a cloud environment, wherein a certificate acquisition module, a USBKey monitoring module, an SSL encryption module and a connection request module are deployed in a cloud terminal; a security authentication module, a unified user management module, an SSL decryption module, a connection response module, a CA module, a virtual machine management module and an enhanced RDP module are deployed in a cloud server end to realize identity authentication of a cloud terminal user logging in the cloud server.
As shown in fig. 1, the method comprises the steps of:
(1) When the user inserts the USBKey, the USBKey monitoring module is triggered automatically; after the user inputs the PIN code and passes local verification, the user logs in to the operating system of the cloud terminal, and after entering the operating system a request to connect to the cloud server is initiated.
The method specifically comprises the following steps: before logging in to the cloud terminal operating system, the cloud terminal completes access initialization, namely terminal network access registration and registration of the user's personal digital certificate associated with the USBKey.
When the user logs in to the cloud terminal operating system and the insertion of a USBKey is detected, the cloud terminal automatically activates the USBKey monitoring module, which calls the certificate acquisition module to acquire the user's personal digital certificate and controls the display of the login verification interface. After the user inputs the PIN code in this interface, the USBKey monitoring module obtains the PIN code together with the personal digital certificate sent by the certificate acquisition module, and the identity authentication for logging in to the cloud terminal is completed locally.
After entering the cloud terminal operating system, the connection request module initiates a request to connect to the cloud server and fills in the certificate and the cloud terminal information to form the connection request information; the SSL encryption module encrypts the connection request information and sends it to the cloud server. The connection request information includes the user certificate information, the client information (IP address, machine code) and the like.
(2) The connection request information is acquired through the connection monitoring submodule at the cloud server side and decrypted by the SSL decryption module; whether the cloud terminal is an authorized terminal is verified, and if the verification passes, connection information is sent to the cloud terminal through the connection response module to complete the connection between the cloud terminal and the cloud server. After the connection succeeds, the legality and validity of the user identity are verified, and it is confirmed whether the user may log in to the cloud server security virtual system.
The method specifically comprises the following steps:
After the cloud server receives the encrypted connection request information, it first authenticates the cloud terminal: the SSL decryption module decrypts the encrypted connection request information to obtain only the client information and sends the client information to the security authentication module. The security authentication module then verifies, according to the client information, whether the cloud terminal is an authorized terminal; if the verification passes, the connection response module sends the connection information to the connection request module of the cloud terminal to complete the connection between the cloud terminal and the cloud server, and part of the subsequent data interaction is carried out through the connection request module and the connection response module.
Only after the cloud terminal where the user is located has passed authentication does the SSL decryption module parse the user's personal digital certificate information and send it to the CA module. The CA module then associates the user's personal digital certificate information with the unified user management module to acquire the user information, and sends the user information and the personal digital certificate information together to the security authentication module.
The security authentication module authenticates the identity of the user according to the user information and the user's personal digital certificate information; after the identity authentication passes, an authentication success message is sent to the cloud terminal through the connection response module, and the virtual machine management module at the cloud server side is activated.
(3) After the virtual machine management module is activated, the virtual desktop corresponding to a virtual machine is issued to the cloud terminal user according to the user's requirements and the virtual machine resource conditions.
The method specifically comprises the following steps: after the user successfully logs in to the cloud server security virtual system, the cloud server side sends the security virtual system interface to the cloud terminal, acquires one or more pieces of virtual machine resource information through the virtual machine management module, and forms a virtual machine resource list. The virtual machine resource list is then sent to the cloud terminal through the connection response module and displayed on the security virtual system interface.
The user selects a virtual machine resource from the list according to need, which generates a user selection instruction that is sent to the cloud server through the connection request module. After the user selection instruction is received, the corresponding virtual machine resources are acquired through the virtual machine management module and sent to the cloud terminal. After the cloud terminal receives the virtual machine resources, the virtual desktop corresponding to the virtual machine is extracted through the USBKey monitoring module and displayed.
(4) After the virtual desktop is displayed, the enhanced RDP module establishes a direct secure connection with the cloud terminal through the virtual machine, the peripherals of the cloud terminal are virtually mapped, and the cloud terminal user can securely log in to the virtual desktop.
The method specifically comprises the following steps: after the virtual desktop is displayed on the cloud terminal, the user can operate the virtual desktop. At the same time, the connection between the connection request module and the connection response module is disconnected; the USBKey monitoring module then extracts the virtual machine information from the virtual machine resources, and the secure connection between the enhanced RDP module and the connection request module in the cloud terminal is established according to that information.
The invention also provides an identity authentication login method in the cloud environment, and the method is applied to the cloud server side.
As shown in fig. 2, the method comprises the steps of:
(1) The connection request information is acquired through the connection monitoring submodule at the cloud server side and decrypted by the SSL decryption module; whether the cloud terminal is an authorized terminal is verified, and if the verification passes, connection information is sent to the cloud terminal through the connection response module to complete the connection between the cloud terminal and the cloud server. After the connection succeeds, the legality and validity of the user identity are verified, and it is confirmed whether the user may log in to the cloud server security virtual system.
The method specifically comprises the following steps:
After the cloud server receives the encrypted connection request information, it first authenticates the cloud terminal: the SSL decryption module decrypts the encrypted connection request information to obtain only the client information and sends the client information to the security authentication module. The security authentication module then verifies, according to the client information, whether the cloud terminal is an authorized terminal; if the verification passes, the connection response module sends the connection information to the connection request module of the cloud terminal to complete the connection between the cloud terminal and the cloud server, and part of the subsequent data interaction is carried out through the connection request module and the connection response module.
Only after the cloud terminal where the user is located has passed authentication does the SSL decryption module parse the user's personal digital certificate information and send it to the CA module. The CA module then associates the user's personal digital certificate information with the unified user management module to acquire the user information, and sends the user information and the personal digital certificate information together to the security authentication module.
The security authentication module authenticates the identity of the user according to the user information and the user's personal digital certificate information; after the identity authentication passes, an authentication success message is sent to the cloud terminal through the connection response module, and the virtual machine management module at the cloud server side is activated.
(2) After the virtual machine management module is activated, the virtual desktop corresponding to a virtual machine is issued to the cloud terminal user according to the user's requirements and the virtual machine resource conditions.
The method specifically comprises the following steps: after the user successfully logs in to the cloud server security virtual system, the cloud server side sends the security virtual system interface to the cloud terminal, acquires one or more pieces of virtual machine resource information through the virtual machine management module, and forms a virtual machine resource list. The virtual machine resource list is then sent to the cloud terminal through the connection response module and displayed on the security virtual system interface.
The user selects a virtual machine resource from the list according to need, which generates a user selection instruction that is sent to the cloud server through the connection request module. After the user selection instruction is received, the corresponding virtual machine resources are acquired through the virtual machine management module and sent to the cloud terminal. After the cloud terminal receives the virtual machine resources, the virtual desktop corresponding to the virtual machine is extracted through the USBKey monitoring module and displayed.
(3) After the virtual desktop is displayed, the enhanced RDP module establishes a direct secure connection with the cloud terminal through the virtual machine, the peripherals of the cloud terminal are virtually mapped, and the cloud terminal user can securely log in to the virtual desktop.
The method specifically comprises the following steps: after the virtual desktop is displayed on the cloud terminal, the user can operate the virtual desktop. At the same time, the connection between the connection request module and the connection response module is disconnected; the virtual machine management module at the cloud server side then extracts the virtual machine information from the virtual machine resources and establishes the secure connection between the enhanced RDP module and the connection request module in the cloud terminal directly according to that information.
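The server-side flow of steps (1) and (2) above, written out as an added example (not code from the patent or its assignee): the terminal is authenticated on the client information alone, the personal certificate is validated and associated with the unified user management record only afterwards, and the resource list sent to the terminal contains only the desktops that user is granted. TLS termination is assumed to have already produced the plaintext request; the trusted issuer, machine codes, serials and desktops are constructed sample data.

```python
# Added example modelling the cloud server modules of the login method above.
# All identifiers, terminals, certificates and desktops are constructed data.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


def _ts(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Security authentication module: registered terminals, machine code -> IP.
AUTHORIZED_TERMINALS = {"MC-0001": "10.0.0.15", "MC-0002": "10.0.0.16"}
# CA module: issuer of personal digital certificates and its revocation list.
TRUSTED_ISSUER = "CN=Example Corp CA"
REVOKED_SERIALS = {"3003"}
# Unified user management module: certificate serial -> user record with grants.
USER_DIRECTORY = {
    "1001": {"user": "alice", "vm_grants": {"vm-finance", "vm-shared"}},
    "2002": {"user": "bob", "vm_grants": {"vm-shared", "vm-retired"}},
}
# Virtual machine management module: resources it can issue.
VM_RESOURCES = {
    "vm-finance": {"name": "Finance desktop", "rdp": "10.1.0.5:3389"},
    "vm-shared": {"name": "Shared desktop", "rdp": "10.1.0.9:3389"},
    "vm-admin": {"name": "Admin desktop", "rdp": "10.1.0.2:3389"},
}
FIXED_NOW = _ts(2024, 1, 1)  # fixed clock so the demo is reproducible


@dataclass
class Certificate:
    serial: str
    subject: str
    issuer: str
    not_after: datetime


@dataclass
class ConnectionRequest:
    """Decrypted connection request information: client info plus user certificate."""
    ip: str
    machine_code: str
    certificate: Certificate


@dataclass
class Decision:
    ok: bool
    stage: str                      # "terminal: ...", "user: ..." or "authorized"
    user: Optional[str] = None
    vm_list: list = field(default_factory=list)


def authenticate_terminal(req: ConnectionRequest) -> Optional[str]:
    """First pass of the security authentication module: only the client
    information is consulted, so an unregistered terminal never gets its
    certificate parsed. Returns an error string or None."""
    registered_ip = AUTHORIZED_TERMINALS.get(req.machine_code)
    if registered_ip is None:
        return "unknown machine code"
    if registered_ip != req.ip:
        return "ip does not match registration"
    return None


def ca_lookup(cert: Certificate, now: datetime):
    """CA module: validate the personal certificate, then associate it with the
    unified user management record. Returns (record, error)."""
    if cert.issuer != TRUSTED_ISSUER:
        return None, "untrusted issuer"
    if cert.serial in REVOKED_SERIALS:
        return None, "certificate revoked"
    if cert.not_after <= now:
        return None, "certificate expired"
    record = USER_DIRECTORY.get(cert.serial)
    if record is None:
        return None, "no user bound to certificate"
    return record, None


def issue_vm_list(record: dict) -> list:
    """Virtual machine management module: the list shown on the security virtual
    system interface holds only granted, existing desktops and no RDP details."""
    return [{"id": vm_id, "name": VM_RESOURCES[vm_id]["name"]}
            for vm_id in sorted(record["vm_grants"]) if vm_id in VM_RESOURCES]


def handle_connection_request(req: ConnectionRequest, now: datetime = FIXED_NOW) -> Decision:
    """Terminal authentication, then user authentication, then authorization."""
    err = authenticate_terminal(req)
    if err:
        return Decision(False, "terminal: " + err)
    record, err = ca_lookup(req.certificate, now)
    if err:
        return Decision(False, "user: " + err)
    return Decision(True, "authorized", record["user"], issue_vm_list(record))


def select_vm(decision: Decision, vm_id: str) -> Optional[dict]:
    """User selection instruction: the virtual machine information (including the
    RDP endpoint) is released only for a resource that was actually issued."""
    if decision.ok and any(vm["id"] == vm_id for vm in decision.vm_list):
        return {"id": vm_id, **VM_RESOURCES[vm_id]}
    return None


# Constructed requests exercised by the demo.
CERT_ALICE = Certificate("1001", "CN=alice", TRUSTED_ISSUER, _ts(2025, 1, 1))
CERT_REVOKED = Certificate("3003", "CN=carol", TRUSTED_ISSUER, _ts(2025, 1, 1))
REQ_OK = ConnectionRequest("10.0.0.15", "MC-0001", CERT_ALICE)
REQ_BAD_TERMINAL = ConnectionRequest("10.0.0.15", "MC-9999", CERT_REVOKED)
REQ_REVOKED = ConnectionRequest("10.0.0.15", "MC-0001", CERT_REVOKED)

if __name__ == "__main__":
    for req in (REQ_OK, REQ_BAD_TERMINAL, REQ_REVOKED):
        print(handle_connection_request(req))
```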
The invention also provides an identity authentication login system in the cloud environment; as shown in FIG. 3, the system comprises a cloud terminal, a cloud server end and a USBKey.
The cloud terminal comprises a certificate acquisition module, a USBKey monitoring module, an SSL encryption module and a connection request module.
The cloud server comprises a security authentication module, a unified user management module, an SSL decryption module, a connection response module, a CA module, a virtual machine management module and an enhanced RDP module.
The certificate acquisition module in the cloud terminal is used for acquiring the personal digital certificate of the user and sending the personal digital certificate to the USBKey monitoring module.
The USBKey monitoring module is used for carrying out cloud terminal user identity authentication according to the user's personal digital certificate sent by the certificate acquisition module, and for extracting the desktop information of the virtual machine for display control.
The SSL encryption module is used for encrypting the connection request information and sending the encrypted information to the connection request module.
The connection request module is used for establishing connection with the connection response module of the cloud server side and then establishing connection with the enhanced RDP module of the cloud server side to complete data security interaction.
The security authentication module of the cloud server is used for performing security authentication on the cloud terminal and performing identity authentication on the user after the security authentication of the cloud terminal passes.
The unified user management module is used for storing and acquiring user information corresponding to the cloud terminal and sending the user information to the CA module.
The SSL decryption module is used for receiving and decrypting the encrypted information of the connection response module and sending the decrypted information to the CA module or the security authentication module.
The connection response module is used for establishing connection with the connection request module of the cloud terminal to complete authentication or safe interaction of other data.
The CA module is used for acquiring the user information according to the user's personal digital certificate and sending the certificate and the user information to the security authentication module.
The virtual machine management module is used for storing and acquiring virtual machine resource information, generating a corresponding list and sending the list to the cloud terminal.
The virtual machine management module is also used for establishing the secure connection between the enhanced RDP module and the connection request module in the cloud terminal.
The enhanced RDP module is used for establishing a secure connection with the cloud terminal to achieve secure login and data interaction of the virtual desktop.
The specific interaction of each module in the system is as follows:
Before logging in to the cloud terminal operating system, the cloud terminal completes its access initialisation, namely terminal network access registration and the registration of the user's personal digital certificate associated with the USBKey.
When the cloud terminal operating system login detects that a USBKey has been inserted, the cloud terminal automatically activates the USBKey monitoring module, which calls the certificate acquisition module to read the user's personal digital certificate and displays the login verification interface. After the user enters the PIN code in this interface, the USBKey monitoring module combines the PIN code with the personal digital certificate delivered by the certificate acquisition module and completes the identity authentication for logging in to the cloud terminal locally, on the terminal itself.
After the user has entered the cloud terminal operating system, the connection request module initiates a request to connect to the cloud server, populating the request with the user's certificate and the cloud terminal information to form the connection request information. The SSL encryption module encrypts this information before it is sent to the cloud server. The connection request information includes the user certificate information and the client information (IP address, machine code), among other fields.
On receiving the encrypted connection request information, the cloud server authenticates the cloud terminal first: the SSL decryption module decrypts the request, extracts only the client information, and sends it to the security authentication module. The security authentication module then checks from the client information whether the cloud terminal is an authorised terminal. If the check passes, the connection response module sends the connection information to the connection request module of the cloud terminal, completing the connection between cloud terminal and cloud server; part of the subsequent data exchange then takes place through the connection request module and the connection response module.
Only after the cloud terminal on which the user sits has passed authentication does the SSL decryption module parse the user's personal digital certificate information and send it to the CA module. The CA module uses the personal digital certificate to look up the associated user information (held by the unified user management module) and sends the user information together with the personal digital certificate information to the security authentication module.
The security authentication module authenticates the user's identity from the user information and the user's personal digital certificate information. Once identity authentication passes, the connection response module sends an authentication-success message to the cloud terminal and, at the same time, the virtual machine management module of the cloud server is activated.
After the user has logged in to the security virtual system of the cloud server, the cloud server sends the security virtual system interface to the cloud terminal. The virtual machine management module retrieves one or more items of virtual machine resource information and assembles them into a virtual machine resource list, which is sent to the cloud terminal through the connection response module and displayed in the security virtual system interface.
The user selects a virtual machine resource from the list as required; this generates a user selection instruction, which is sent to the cloud server through the connection request module. On receiving the instruction, the virtual machine management module retrieves the corresponding virtual machine resource and sends it to the cloud terminal. When the cloud terminal has received the virtual machine resource, the USBKey monitoring module extracts the virtual desktop corresponding to that virtual machine and displays it.
Once the virtual desktop is displayed on the cloud terminal, the user can operate it. At the same time the connection between the connection request module and the connection response module is torn down; the virtual machine management module then extracts the virtual machine information from the virtual machine resource and uses it to establish the secure connection between the enhanced RDP module and the connection request module of the cloud terminal.
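As an added worked example (not the patent's or the applicant's code) of the module roles listed above and of the interaction sequence just described, the following Python models the two-stage check the cloud server performs: the client information (IP address, machine code) is verified against the terminal registration before the personal digital certificate is even parsed; the CA module then verifies the certificate and maps it to the user record held by unified user management; and the user is accepted only if that record is bound to the requesting terminal, after which the virtual machine list is returned and a selection is resolved to the enhanced-RDP endpoint. Transport encryption (the SSL modules) is assumed and left out, so the server function receives the already-decrypted request. The CA signature is stood in for by an HMAC over the certificate fields, which a real deployment replaces with X.509 (or SM2) signature verification against the CA root. All registrations, serials, addresses and the PIN are constructed sample data, and the three-try USBKey lockout is an assumption about typical key hardware, not something the page specifies.

```python
"""Two-stage cloud login modelled after the flow above (added example, not the patent's code).
Transport encryption (the SSL modules) is assumed and not modelled; the CA signature is stood
in for by an HMAC under a CA secret. All keys, serials, addresses and PINs are constructed."""
import hashlib
import hmac
import json
import time

# --- CA module: issues and verifies personal digital certificates -----------------
CA_SECRET = b"ca-demo-secret"   # stand-in for the CA signing key (constructed)
REVOKED = {"SN-0003"}           # constructed revocation list

def _cert_mac(fields: dict) -> str:
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(CA_SECRET, body, hashlib.sha256).hexdigest()

def issue_cert(serial: str, subject: str, not_after: float) -> dict:
    fields = {"serial": serial, "subject": subject, "not_after": not_after}
    return {**fields, "sig": _cert_mac(fields)}

def ca_verify(cert: dict, now: float) -> str:
    """Return the subject if the certificate is genuine, unexpired and not revoked."""
    fields = {k: cert[k] for k in ("serial", "subject", "not_after")}
    if not hmac.compare_digest(cert.get("sig", ""), _cert_mac(fields)):
        raise PermissionError("certificate signature invalid")
    if cert["not_after"] < now:
        raise PermissionError("certificate expired")
    if cert["serial"] in REVOKED:
        raise PermissionError("certificate revoked")
    return cert["subject"]

# --- USBKey and cloud terminal ----------------------------------------------------
class USBKey:
    """Releases the certificate only after a correct PIN. The three-try lockout is an
    assumption about typical key hardware; the page does not specify one."""
    MAX_TRIES = 3

    def __init__(self, cert: dict, pin: str):
        self._cert, self.tries_left = cert, self.MAX_TRIES
        self._pin_hash = hashlib.sha256(pin.encode()).hexdigest()

    def unlock(self, pin: str) -> dict:
        if self.tries_left == 0:
            raise PermissionError("USBKey locked")
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), self._pin_hash):
            self.tries_left -= 1
            raise PermissionError("wrong PIN")
        self.tries_left = self.MAX_TRIES
        return dict(self._cert)

def build_connection_request(key: USBKey, pin: str, ip: str, machine_code: str) -> dict:
    """Local USBKey login, then the connection request: certificate plus client information."""
    return {"client": {"ip": ip, "machine_code": machine_code}, "cert": key.unlock(pin)}

# --- cloud server -----------------------------------------------------------------
AUTHORIZED_TERMINALS = {"MC-A1": "10.0.0.11", "MC-B2": "10.0.0.12"}   # access registration
USERS = {"alice": {"serial": "SN-0001", "terminal": "MC-A1"},          # unified user management
         "bob": {"serial": "SN-0002", "terminal": "MC-B2"}}
VM_RESOURCES = {"alice": [{"vm_id": "vm-101", "host": "10.0.1.5", "rdp_port": 3389}],
                "bob": [{"vm_id": "vm-202", "host": "10.0.1.6", "rdp_port": 3389}]}

def authenticate_terminal(client: dict) -> None:
    """Stage 1: only the client information is examined; the certificate is not parsed yet."""
    if AUTHORIZED_TERMINALS.get(client.get("machine_code")) != client.get("ip"):
        raise PermissionError("unauthorized terminal")

def authenticate_user(cert: dict, client: dict, now: float) -> str:
    """Stage 2: CA check, then match the certificate and user record to the terminal."""
    subject = ca_verify(cert, now)
    user = USERS.get(subject)
    if user is None or user["serial"] != cert["serial"]:
        raise PermissionError("certificate does not match a registered user")
    if user["terminal"] != client["machine_code"]:
        raise PermissionError("user not bound to this terminal")
    return subject

def process_connection_request(request: dict, now: float = None) -> dict:
    """Server side of the connection request: terminal first, user only if that passed."""
    now = time.time() if now is None else now
    try:
        authenticate_terminal(request["client"])
    except PermissionError as exc:
        return {"status": "denied", "stage": "terminal", "reason": str(exc)}
    try:
        user = authenticate_user(request["cert"], request["client"], now)
    except PermissionError as exc:
        return {"status": "denied", "stage": "user", "reason": str(exc)}
    return {"status": "ok", "stage": "user", "user": user, "vm_list": VM_RESOURCES.get(user, [])}

def select_vm(user: str, vm_id: str) -> dict:
    """Virtual machine management: resolve the selection to the enhanced-RDP endpoint."""
    for vm in VM_RESOURCES.get(user, []):
        if vm["vm_id"] == vm_id:
            return {"vm_id": vm_id, "rdp_endpoint": f"{vm['host']}:{vm['rdp_port']}"}
    raise LookupError("virtual machine not in the user's list")

if __name__ == "__main__":
    now = time.time()
    key = USBKey(issue_cert("SN-0001", "alice", now + 86400), pin="1234")
    print(process_connection_request(build_connection_request(key, "1234", "10.0.0.11", "MC-A1"), now))
```

Every denial carries the stage at which it happened, so a server log can show whether the terminal check or the user check failed, and a forged, expired or revoked certificate presented from an unregistered terminal is refused without the certificate ever being examined. One point the description leaves open: the server compares the presented certificate with the registered user record, but nothing in the flow has the USBKey sign anything for the server, so as written the proof of key possession rests on the local PIN check on the terminal plus whatever client authentication the SSL connection itself performs. A deployment would make that explicit, for example with TLS client authentication using the USBKey's private key or a server nonce signed by it.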
The preferred embodiments of the present disclosure are described above with reference to the drawings, but the present disclosure is of course not limited to the above examples. Various changes and modifications within the scope of the appended claims may be made by those skilled in the art, and it should be understood that these changes and modifications naturally will fall within the technical scope of the present disclosure.
For example, a plurality of functions included in one unit may be implemented by separate devices in the above embodiments. Alternatively, a plurality of functions implemented by a plurality of units in the above embodiments may be implemented by separate devices, respectively. In addition, one of the above functions may be implemented by a plurality of units. Needless to say, such a configuration is included in the technical scope of the present disclosure.
In this specification, the steps described in the flowcharts include not only the processing performed in time series in the described order but also the processing performed in parallel or individually without necessarily being performed in time series. Further, even in the steps processed in time series, needless to say, the order can be changed as appropriate.
Although the embodiments of the present disclosure have been described in detail with reference to the accompanying drawings, it should be understood that the above-described embodiments are merely illustrative of the present disclosure and do not constitute a limitation of the present disclosure. It will be apparent to those skilled in the art that various modifications and variations can be made in the above-described embodiments without departing from the spirit and scope of the disclosure. Accordingly, the scope of the disclosure is to be defined only by the claims appended hereto, and by their equivalents.

Claims (10)

1. An identity authentication login method in a cloud environment comprises the following steps:
(1) when a user inserts the USBKey, the USBKey monitoring module is automatically triggered, the user logs in an operating system of the cloud terminal after inputting the PIN code and passing local verification, and a request for connecting a cloud server is initiated after entering the operating system of the cloud terminal;
(2) the connection request information is obtained through a connection monitoring submodule of the cloud server end and is decrypted by an SSL decryption module, whether the cloud terminal is an authorized terminal or not is verified, if the verification is passed, the connection information is sent to the cloud terminal through a connection response module, and the connection between the cloud terminal and the cloud server is completed;
after the connection is successful, verifying the legitimacy and validity of the user identity, and confirming whether the user may log in to the cloud server security virtual system;
(3) after the virtual machine management module is activated, a virtual desktop corresponding to the virtual machine is issued to a cloud terminal user according to user requirements and virtual machine resource conditions;
(4) after the virtual desktop is displayed, the enhanced RDP module is directly and safely connected with the cloud terminal through the virtual machine, peripheral virtual mapping of the cloud terminal is achieved, and a cloud terminal user can safely log in the virtual desktop.
2. The method according to claim 1, wherein when the USBKey is detected to be inserted while logging in the cloud terminal operating system, the cloud terminal automatically activates the USBKey monitoring module, and the USBKey monitoring module calls the certificate acquisition module to acquire the personal digital certificate of the user, and controls and displays a login verification interface.
3. The method according to claim 1, wherein the identity of the user is authenticated through a security authentication module according to the user information and the personal digital certificate information of the user, and when the identity authentication is passed, an authentication success message is sent to the cloud terminal through a connection response module, and simultaneously, a virtual machine management module at the cloud server side is activated.
4. The method according to claim 1, wherein after the cloud terminal receives the virtual machine resources, the virtual desktop corresponding to the virtual machine is extracted and displayed through the USBKey monitoring module.
5. The method according to claim 1, wherein the step (4) is specifically: and disconnecting the connection between the connection request module and the connection response module, then extracting the virtual machine information in the virtual machine resources, and establishing the secure connection between the enhanced RDP module and the connection request module in the cloud terminal directly according to the information.
6. An identity authentication login method in a cloud environment is applied to a cloud server side, and comprises the following steps:
(1) connection request information is obtained through a connection monitoring submodule of the cloud server end and decrypted by an SSL decryption module; whether the cloud terminal is an authorized terminal is verified, and if the verification passes, connection information is sent to the cloud terminal through a connection response module, completing the connection between the cloud terminal and the cloud server; after the connection succeeds, the legitimacy and validity of the user identity are verified, and whether the user may log in to the cloud server security virtual system is confirmed;
(2) after the virtual machine management module is activated, a virtual desktop corresponding to the virtual machine is issued to a cloud terminal user according to user requirements and virtual machine resource conditions;
(3) after the virtual desktop is displayed, the enhanced RDP module is directly and safely connected with the cloud terminal through the virtual machine, peripheral virtual mapping of the cloud terminal is achieved, and a cloud terminal user can safely log in the virtual desktop.
7. An identity authentication login system in a cloud environment, which implements the identity authentication method in the cloud environment according to any one of claims 1 to 5; the system comprises a cloud terminal, a cloud server and a USBKey;
the cloud terminal comprises a certificate acquisition module, a USBKey monitoring module, an SSL encryption module and a connection request module;
the cloud server comprises a security authentication module, a unified user management module, an SSL decryption module, a connection response module, a CA module, a virtual machine management module and an enhanced RDP module.
8. The system of claim 7,
the certificate acquisition module in the cloud terminal is used for acquiring a personal digital certificate of a user and sending the personal digital certificate to the USBKey monitoring module;
the USBKey monitoring module is used for carrying out cloud terminal user identity authentication according to the personal digital certificate of the user sent by the certificate acquisition module, and extracting desktop information of the virtual machine for display control;
the SSL encryption module is used for encrypting the connection request information and sending the encrypted information to the connection request module;
the connection request module is used for establishing connection with the connection response module of the cloud server side and then establishing connection with the enhanced RDP module of the cloud server side to complete data security interaction.
9. The system of claim 7,
the security authentication module at the cloud server side is used for performing security authentication on the cloud terminal and performing identity authentication on a user after the security authentication of the cloud terminal is passed;
the unified user management module is used for storing and acquiring user information corresponding to the cloud terminal and sending the user information to the CA module;
the SSL decryption module is used for receiving and decrypting the encrypted information connected with the response module and sending the obtained decryption information to the CA module or the security authentication module;
the connection response module is used for establishing connection with a connection request module of the cloud terminal to complete authentication or safe interaction of other data;
the CA module is used for acquiring user information according to the personal digital certificate of the user and sending the certificate and the user information to the security authentication module;
the virtual machine management module is used for storing and acquiring virtual machine resource information, generating a corresponding list and sending the list to the cloud terminal;
the enhanced RDP module is used for establishing a secure connection with the cloud terminal to achieve secure login and data interaction of the virtual desktop.
10. The system of claim 9, wherein the virtual machine management module is further configured to establish a secure connection between the enhanced RDP module and the connection request module in the cloud terminal directly.
CN201910900519.8A 2019-09-23 2019-09-23 Identity authentication login method in cloud environment Pending CN110659471A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910900519.8A CN110659471A (en) 2019-09-23 2019-09-23 Identity authentication login method in cloud environment

Publications (1)

Publication Number Publication Date
CN110659471A true CN110659471A (en) 2020-01-07

Family

ID=69039007

Country Status (1)

Country Link
CN (1) CN110659471A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112347439A (en) * 2020-11-11 2021-02-09 西安万像电子科技有限公司 Method and system for visitor login access
CN113055472A (en) * 2021-03-11 2021-06-29 北京德风新征程科技有限公司 Internet of things data control method and device based on security authentication
CN114884993A (en) * 2022-05-07 2022-08-09 杭州天宽科技有限公司 Virtual android system for enhancing data security

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420692A (en) * 2011-12-28 2012-04-18 广州杰赛科技股份有限公司 Safety authentication method and system of universal serial bus (USB) key of client terminal based on cloud computation
CN104639516A (en) * 2013-11-13 2015-05-20 华为技术有限公司 Method, equipment and system for authenticating identities
CN104811455A (en) * 2015-05-18 2015-07-29 成都卫士通信息产业股份有限公司 Cloud computing identity authentication method
US20150256341A1 (en) * 2012-11-22 2015-09-10 Huawei Technologies Co., Ltd. Management Control Method, Apparatus, and System for Virtual Machine
CN105187362A (en) * 2014-06-23 2015-12-23 中兴通讯股份有限公司 Method and device for connection authentication between desktop cloud client and server-side
CN105359491A (en) * 2013-06-14 2016-02-24 微软技术许可有限责任公司 User authentication in a cloud environment
CN107241345A (en) * 2017-06-30 2017-10-10 西安电子科技大学 Cloud computing resources management method based on UKey
CN108259440A (en) * 2016-12-29 2018-07-06 航天信息股份有限公司 USBKey authentications based on cloud computing are in the method and system of B/S framework applications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 801, 8 / F, building 4a, international R & D headquarters park, 68 Olympic street, Jianye District, Nanjing City, Jiangsu Province 210019
Applicant after: JIANGSU HENGBAO INTELLIGENT SYSTEM TECHNOLOGY Co.,Ltd.
Address before: 212355 Hengtang Industrial Zone, Yunyang Town, Danyang City, Zhenjiang City, Jiangsu Province
Applicant before: JIANGSU HENGBAO INTELLIGENT SYSTEM TECHNOLOGY Co.,Ltd.
RJ01 Rejection of invention patent application after publication
Application publication date: 20200107