CN115220831A - Method and system for providing working mode based on safe working space - Google Patents


Info

Publication number
CN115220831A
Authority
CN
China
Prior art keywords
desktop
message
data
application
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110430604.XA
Other languages
Chinese (zh)
Inventor
钱程
王鹏达
陈从江
张超
罗斌
王路
于修全
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Diankeyun Beijing Technology Co ltd
Original Assignee
Diankeyun Beijing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Diankeyun Beijing Technology Co ltd
Priority to CN202110430604.XA
Publication of CN115220831A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/451 Execution arrangements for user interfaces
    • G06F 9/452 Remote windowing, e.g. X-Window System, desktop virtualisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides a method and a system for providing a working mode based on a safe working space. The method comprises the following steps: establishing a desktop and an application resource pool on a cloud platform; allocating desktop resources and application resources for a user, and constructing a safe working space; receiving a login request of a user terminal, and providing a safe working space interface for the user terminal in video stream mode so as to display the allocated desktop resources and application resources; receiving a terminal message from the user terminal, and determining the header information of the data frame, the target identifier of the message and the message type based on a predefined data frame encapsulation structure; when the header information of the data frame and the target identifier of the message are determined to be correct, extracting the data in the data area of the data frame according to the length information of the data area, and parsing the extracted data based on the determined message type; and identifying the user's requests for the desktop and/or the application based on the parsed data, and returning a video stream corresponding to the identified requests to the user terminal.

Description

Working mode providing method and system based on safe working space
Technical Field
The invention relates to the technical field of computers and of providing working modes, in particular to a method and system for providing a working mode based on a safe working space.
Background
With the development of network and information technology, computers have become the basic platform on which every industry carries out its daily work, and each member of an organization communicates, designs, researches, develops and produces through a personal computer (the "one person, one machine" mode). However, with the diversified development of the IT ecosystem (chips, operating systems, application software and networks) and the ever higher requirements organizations place on cost, efficiency and security, especially organizations with data security requirements, the existing one-person-one-machine mode has many defects.
First, from the viewpoint of the organization's information management, there are the following problems: 1) Application software can be downloaded and installed at will and is dispersed across personal physical computers, so there is a risk of malicious software attacks, and centralized management and maintenance are difficult; 2) File data generated by the software is also stored dispersedly on each computer and is exposed to hazards such as human tampering, theft, transfer or deletion, and damage to or loss of the computer equipment; 3) Each computer belongs to an individual for independent use, cannot be elastically shared, and cannot make full use of computing and storage resources, which causes redundancy and waste of the overall IT resources.
Secondly, from the perspective of the organization's staff, there are the following problems: 1) Each employee needs to download and install various office, design and collaboration applications on a personal computer, consuming a great deal of time and effort. Large-scale software in particular has a large client that is slow to download and install and places high performance requirements on the computer, which an ordinary computer cannot meet. 2) Actual work often involves working in different places, such as company headquarters, branches, and even homes and hotels. The existing solution is to combine application software at the PC (personal computer) end with purpose-built application software for the mobile end in order to realize mobile work. This model has many problems: most of the tools are applications provided by third-party companies that do not offer a mobile-side service, so the organization must develop one at extra cost; and because application software and data are installed or stored on a physical PC or mobile phone, they cannot be used directly on other PCs or phones, so the phone or computer must be carried around. Because of these problems, actual mobile work is very limited, and work efficiency and the staff experience suffer. 3) In the period of Xinchuang (domestic IT application innovation) replacement, in order to guarantee normal and orderly operation of services, the Xinchuang desktop and applications coexist with the Wintel desktop and applications; to allow simultaneous access to both, two PCs need to be placed at each work seat, which is very cumbersome and affects experience and efficiency.
How to address the series of safety, efficiency and experience defects that the traditional one-person-one-machine working environment faces, and provide a safe working mode that makes work safer, more efficient, more convenient, greener and more energy-saving, is a problem that remains to be solved.
Disclosure of Invention
In order to solve the defects in the prior art, embodiments of the present invention provide a method and a system for providing a working mode based on a secure working space, so as to solve one or more technical problems in the prior art.
According to an aspect of the present invention, there is provided a secure workspace-based working mode providing method, including the steps of:
establishing a desktop and an application resource pool on a cloud platform;
allocating desktop resources and application resources for a user, and constructing a safe working space comprising the allocated desktop resources and the allocated application resources;
receiving a login request from a user terminal, providing a safe working space for the user terminal in video stream mode, and displaying the desktop resources and application resources allocated to the user in the safe working space;
receiving a terminal message from a user terminal, and determining header information of a data frame, a target identifier of the message and a message type based on a predefined data frame encapsulation structure;
under the condition that the header information of the data frame and the target identification of the message are determined to be correct, extracting data in a data area in the data frame according to the length information of the data area in the data frame, and analyzing the data in the extracted data area based on the determined message type;
and identifying related requests of the user for the desktop and/or the application based on the data in the analyzed data area, and returning a video stream corresponding to the identified requests to the user terminal.
In some embodiments of the present invention, the secure workspace includes a cloud desktop module and a cloud application module, the cloud desktop module includes desktop resources already allocated to the user, and the cloud application module includes application resources already allocated to the user; the secure workspace further comprises a cloud space module and/or a resource pool module, and the resource pool module comprises desktop resources and/or application resources which can be selected by a user.
In some embodiments of the present invention, a chat module and/or a video conference module is further included in the secure workspace.
In some embodiments of the invention, the method further comprises: receiving a desktop and/or application adding request from a user terminal, and adding the desktop and/or application in the safe working space for the user based on the desktop and/or application adding request.
In some embodiments of the present invention, after the cloud platform and the user terminal establish a connection and before the terminal message is received, the method further includes a step of negotiating an encrypted communication mode between the cloud platform and the user terminal. This step comprises: the cloud platform receiving a registration request initiated by the user terminal, the registration request carrying the role and identification information of the user terminal; based on the received registration request, returning a response message to the user terminal, the response message carrying the encrypted communication modes supported by the server; and receiving the encrypted communication mode that the user terminal selected from among the modes supported by the server on the basis of the modes it itself supports, and thereby determining the encrypted communication mode used for transmitting terminal messages.
In some embodiments of the invention, when a terminal message is received, it is decrypted using the encryption algorithm that matches the determined encrypted communication mode.
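The negotiation described in the two paragraphs above, as an added Python example that is not code from the patent or from its assignee. The message shapes, the role names and the mode names are placeholders assumed for the example, since the description does not give them. The server side enforces three things a practitioner would want: registration must carry a known role and an identifier, the terminal may only select a mode the server itself offered, and no terminal message is accepted (or matched to a decryption algorithm) until a mode has been agreed and the message is tagged with that mode.

```python
# Placeholder names; the patent does not list the concrete modes or roles.
SERVER_MODES = ("aes-256-gcm", "chacha20-poly1305")   # server preference order
KNOWN_ROLES = {"client", "saas_service"}


class NegotiationError(ValueError):
    """Raised with the reason a handshake or terminal message was refused."""


class Server:
    """Cloud-platform side of the handshake; one entry per registered terminal."""

    def __init__(self, supported=SERVER_MODES):
        self.supported = tuple(supported)
        self.sessions = {}   # terminal id -> {"role": str, "mode": None | str}

    def handle(self, msg):
        """Process one message from a terminal and return the response message."""
        kind = msg.get("type")
        if kind == "register":
            # Registration request carries the terminal's role and identification.
            if msg.get("role") not in KNOWN_ROLES or not msg.get("id"):
                raise NegotiationError("registration must carry a known role and an identifier")
            self.sessions[msg["id"]] = {"role": msg["role"], "mode": None}
            # Response carries the encrypted communication modes the server supports.
            return {"type": "register_response", "id": msg["id"], "modes": list(self.supported)}
        if kind == "select_mode":
            sess = self.sessions.get(msg.get("id"))
            if sess is None:
                raise NegotiationError("mode selection before registration")
            if msg.get("mode") not in self.supported:
                # Only a mode the server offered may be chosen; anything else is refused.
                raise NegotiationError("selected mode was not offered by the server")
            sess["mode"] = msg["mode"]
            return {"type": "select_mode_response", "id": msg["id"], "mode": msg["mode"]}
        if kind == "terminal":
            sess = self.sessions.get(msg.get("id"))
            if sess is None or sess["mode"] is None:
                raise NegotiationError("terminal message before negotiation completed")
            if msg.get("mode") != sess["mode"]:
                raise NegotiationError("message mode does not match the negotiated mode")
            # The decryption algorithm is chosen from the negotiated mode, never from the message alone.
            return {"type": "terminal_ack", "id": msg["id"], "decrypt_with": sess["mode"]}
        raise NegotiationError("unknown message type")


def client_choose(offered, preferred):
    """Terminal side: pick its most preferred mode among those the server offered."""
    for mode in preferred:
        if mode in offered:
            return mode
    raise NegotiationError("no common encrypted communication mode")


def negotiate(server, terminal_id, role, preferred):
    """Run the full exchange from the terminal's side and return the agreed mode."""
    resp = server.handle({"type": "register", "role": role, "id": terminal_id})
    mode = client_choose(resp["modes"], preferred)
    ack = server.handle({"type": "select_mode", "id": terminal_id, "mode": mode})
    return ack["mode"]


if __name__ == "__main__":
    srv = Server()
    agreed = negotiate(srv, "term-1", "client", ["chacha20-poly1305", "aes-256-gcm"])
    print("agreed mode:", agreed)
    print(srv.handle({"type": "terminal", "id": "term-1", "mode": agreed}))
```

The server keeps its own preference order but lets the terminal choose among what was offered, so an intersection always exists when both sides share at least one mode; the refusal of any unsolicited mode is what stops a terminal from steering the session to something the server never advertised.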
In some embodiments of the invention, the method further comprises: the cloud platform monitors the user behavior based on a screen recording mode.
In some embodiments of the invention, the data frame encapsulation structure comprises: a source flag field, a target flag field, a message type field, a data length field and a data area; the data frame encapsulation structure further comprises one or more of the following fields: frame number, individual flags, and check value fields.
In some embodiments of the present invention, the message types that can be identified by the message type field include some or all of a predefined set of message types.
In some embodiments of the present invention, the display interface of the secure workspace adopts a desktop-like typesetting and interaction mode.
In another aspect of the present invention, there is also provided a secure workspace working mode providing system, which includes a processor and a memory, the memory having stored therein computer instructions, the processor being configured to execute the computer instructions stored in the memory, and when the computer instructions are executed by the processor, the system implementing the steps of the method as described above.
In another aspect of the present invention, a computer-readable storage medium is also provided, on which a computer program is stored, which computer program, when being executed by a processor, carries out the steps of the method as set forth above.
The cloud desktop and cloud application communication method and system can meet increasingly rich information interaction scenes and interaction requirements in the development of future cloud desktops and cloud applications with higher requirements.
Furthermore, the embodiment of the invention can realize the self-adaptation of the network bandwidth by dynamically counting the transmission rate of the service data, thereby enhancing the network adaptability, reducing the transmission delay, realizing better data transmission performance and high concurrency performance and improving the user experience.
Furthermore, the embodiment of the invention can ensure the data communication safety and prevent the data from being tampered by negotiating the encryption communication mode.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to the specific details set forth above, and that these and other objects that can be achieved with the present invention will be more clearly understood from the detailed description that follows.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the principles of the invention.
Fig. 1 is a flowchart illustrating a method for providing a secure workspace-based working mode according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating an infrastructure of an information processing operation mode based on a secure workspace according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a secure space interface displayed by a user terminal according to an embodiment of the present invention.
Fig. 4 is a schematic diagram of a secure space interface displayed by a user terminal according to another embodiment of the present invention.
Fig. 5 is a schematic diagram illustrating a handshake flow between a client and a server according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the following embodiments and accompanying drawings. The exemplary embodiments and descriptions of the present invention are provided to explain the present invention, but not to limit the present invention.
It should be noted that, in order to avoid obscuring the present invention with unnecessary details, only the structures and/or processing steps closely related to the scheme according to the present invention are shown in the drawings, and other details not so relevant to the present invention are omitted.
It should be emphasized that the term "comprises/comprising" when used herein, is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
In order to solve the series of safety, efficiency, experience and other defects of the traditional one-person-one-machine working environment, the invention provides an innovative safe working mode. More specifically, the invention provides a method for providing a safe working mode based on a safe working space, which creates a cloud-hosted, private safe working space for the user that can replace or empower the customer's existing working environment; it realizes unified hosting, unified allocation and management of resources such as desktops, applications and data, keeps data safely in one place, makes full and efficient use of the resources, transforms the traditional working experience, and makes work safer, more efficient, more convenient, greener and more energy-saving.
Fig. 1 is a flowchart illustrating a method for providing a secure workspace-based working mode according to an embodiment of the present invention. As shown in fig. 1, the method comprises the steps of:
Step S110, establishing a desktop resource pool and an application resource pool on the cloud platform.
In the embodiment of the invention, various operating systems can be virtualized on the cloud platform through a virtualization technology to form a virtual desktop pool, or a desktop resource pool. In addition, B/S, C/S and local software application are virtualized to form a virtualized application pool, or application resource pool.
Based on the constructed desktop resource pool and application resource pool, in the following steps, a cloud privatization security workspace similar to a desktop can be further constructed for each user at a cloud (cloud platform), and desktop resources and application resources required by the user are included in the privatization security workspace. That is, in the embodiment of the present invention, the desktop resource pool and the application resource pool are formed by virtualizing the operating system and the application software, respectively, so that the user can apply for a desired desktop and application from the cloud. FIG. 2 illustrates an infrastructure for a secure workspace-based information processing mode of operation in an embodiment of the invention. As shown in fig. 2, the resource pool constructed by the cloud platform includes a desktop resource pool and an application resource pool, where the desktop resource pool includes a plurality of desktop resources, such as desktop resources of Windows, linux, UOS, and the galaxy kylin operating system, and the application resource pool includes B/S (browser/server), C/S (client/server), and/or local application resources, which may include various virtualized application software, such as word processing software (e.g., WPS, microsoft Office), audio/video playing software, social software, image processing software, and the like, and for a cloud application of the B/S architecture, the cloud application may be accessed through a browser.
Desktop resources and application resources in the resource pool can be used to provide different users for different user needs.
As shown in fig. 2, in the present invention the desktop and the application are pooled in the cloud and then transmitted to the user terminal (client) through the transmission pipeline. The user terminal only needs to decode and display the transmitted service stream (such as a video stream), while sending the user's keyboard, mouse and other instruction data back to the cloud; the cloud parses and identifies the user instruction to complete access to and use of the desktop or application. In the embodiment of the present invention, the user terminal may be, for example, a PC, a mobile terminal (such as a mobile phone or a PAD), a thin client, etc., but the present invention is not limited thereto. The transmission pipeline may use a new transmission protocol (which may be referred to as the CSP transmission protocol) proposed by Diankeyun (Beijing) Technology Co., Ltd., described in Chinese patent application No. 202110340014.8 entitled "cloud desktop and cloud application communication method and system", the contents of which are hereby incorporated by reference in their entirety as if fully set forth herein. The CSP transmission protocol is suitable for various message types and can meet the increasingly rich information interaction scenarios and requirements that arise in the development of future cloud desktops and cloud applications with higher requirements. The CSP transmission protocol data frame structure provided by the embodiment of the invention allows rapid parsing of the data and improves data transmission efficiency. Here the CSP transmission protocol is only an example; the present invention is not limited thereto and may use other protocols with a similar mechanism.
And step S120, allocating desktop resources and application resources for the user.
More specifically, after the user account is registered by the user terminal on the cloud platform, the cloud platform may allocate a part of commonly used desktops or applications to a specified user account. In addition, the cloud platform may additionally allocate desktop resources and application resources to the user based on the user's request. Desktop resources and application resources distributed by the cloud platform for the user can be placed in the cloud privatized safe working space of the user.
In some embodiments of the present invention, the secure workspace may adopt a desktop-like interface design in which desktop resources and application resources are presented as modules: a desktop resource corresponds to a cloud desktop module and an application resource corresponds to a cloud application module. Fig. 3 shows an example of the secure workspace display interface as displayed on the user terminal side. The secure workspace may also be displayed in the form of other modules; fig. 4 shows another example of a secure workspace (workbench) display interface displayed on the user terminal side.
In addition, modules such as a cloud space and a resource pool can be provided in the safe working space. The cloud space is a network disk provided for the user and can be dynamically mounted with the user account, so that whichever machine the user logs in from, the same account accesses the same network disk; the cloud space supports a series of operations on files such as uploading, downloading, sharing, viewing and editing. In an embodiment of the present invention, the resource pool module may display all application resources supported by the platform to the user and allow the user to enter an application reason to make an active application. In another embodiment of the invention, the cloud platform can set up different user accounts for the same organization, and each user account can view the application resource pool corresponding to that organization and actively apply by entering an application reason.
In alternative embodiments of the present invention, a chat module and/or a video conferencing module may also be included in the secure workspace.
Step S130, receiving a login request from a user terminal, providing a safe working space for the user terminal in a video stream mode, and displaying desktop resources and application resources allocated to the user in the safe working space.
After the user terminal logs in the cloud platform, the cloud platform can provide a privatized safe working space interface for the user terminal in a video stream mode, and therefore the user can use a desktop or application resources in the safe working space. The user may use the desktop or application resources in the secure workspace by the following steps.
Step S140, receiving a terminal message from the user terminal, and determining header information of the data frame, a target identifier of the message, and a message type based on a predefined data frame encapsulation structure.
When the user uses the desktop or the application resources in the secure workspace, for example, the corresponding cloud desktop or the cloud application module on the interface can be selected by clicking the corresponding module with a mouse, and then the terminal message is automatically generated based on the CSP transmission protocol according to the operation of the user and is sent to the cloud platform (cloud server). The data frame encapsulation structure of the generated terminal message conforms to the CSP transmission protocol.
The cloud platform receives a terminal message from a user terminal and determines the header information of the data frame, the target identifier of the message and the message type based on the data frame encapsulation structure predefined by the CSP transmission protocol (or CSP communication protocol). The header is the entry that determines whether a protocol message meets the receiving criteria, so its correctness must be determined first. The determination fails when the header does not conform to the protocol definition or when the target identifier is not within the range of the current module's identifiers. Whether the header is correct can be determined by locating the position of the frame header. Once the header is determined to be correct, it is further determined whether the target identifier, which indicates the recipient of the data, is satisfied, so that the module can decide whether the message is intended for itself. Optionally, once the target identifier matches, the message type may also be checked: since only a few message types are predefined between a specific source and a specific destination, a message type that does not belong to the types defined between that source and destination is determined to be incorrect.
Step S150, under the condition that the header information of the data frame and the target identifier of the message are determined to be correct, extracting data in the data area of the data frame according to the length information of the data area, and parsing the extracted data based on the determined message type.
The data in the data area is the main part of the message, namely the core content of the message, wherein the specific request of the user for the desktop and/or the application is contained.
In an embodiment of the present invention, before analyzing the extracted data in the data area based on the determined message type, a first check value may be calculated based on a predetermined check algorithm, and the correctness of the data in the data area is checked by comparing the first check value with the check value in the service message; in the case where the data in the data area is verified as correct, the data in the extracted data area is re-parsed.
Step S160, identifying the user's request for the desktop and/or the application based on the parsed data in the data area, and returning a video stream corresponding to the identified request to the user terminal as the response to the terminal message.
Therefore, the user terminal can realize the application of desktop resources and application resources in the safe working space by sending the terminal message and receiving the corresponding response.
Table 1 below shows an example of a protocol format (data frame format) of the cloud desktop and the cloud application communication protocol in the embodiment of the present invention.
Table 1. Examples of data frame formats (data frame structures) based on cloud desktop and cloud application CSP communication protocols.
(Table 1 is provided as an image in the source and is not reproduced here; its fields are summarized in the following paragraphs.)
As can be seen from table 1, the data frame encapsulation structure includes: a source mark field, a target mark field, a message type field, a data length field and a data area; the data frame encapsulation structure further comprises one or more of the following fields: frame number, individual flags, and check value fields.
In table 1, the data length of each portion is only an example, and the data length value of each portion may also be determined or adjusted to another suitable value according to the actual application.
In table 1, the packetization number defaults to 0 (i.e., when no packetization is performed) and is non-zero when data is packetized, for example when the length of the message body ([data area]) exceeds the maximum length that can be expressed by the [data length] field, or when the length of the [data area] exceeds an artificially defined maximum length (data length upper limit). The maximum data length per frame can be defined as 1460 B (the link-layer default MTU (maximum transmission unit)), and the part exceeding that maximum is packetized.
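Steps S140 to S160 above, the check-value verification described before parsing, and the packetization rule just given can be illustrated together. The following Python is an added example, not code from the patent or from Diankeyun; because Tables 1 to 3 are images that are not reproduced on this page, the byte layout, the header marker, the flag and message-type values, and the choice of CRC32 as the check algorithm are all assumptions of this example. It implements the receive path in the order the description gives (header, target identifier, message type defined for the source/target pair, data length, check value, then parsing by type) and frame-number based packetization with the 1460-byte per-frame limit, and it generalizes slightly by refusing to interpret a fragment until the whole message has been reassembled.

```python
import struct
import zlib

# Layout assumed for this example; Table 1 of the patent is an image not reproduced here.
# Big-endian: header marker(2) | source flag(1) | target flag(1) | message type(2)
#             | frame number(2) | data length(2) | check value(4) | data area(N)
HDR = struct.Struct(">2sBBHHHI")
MAGIC = b"CS"            # assumed frame-header marker
MAX_DATA = 1460          # per-frame data limit named in the description (link-layer MTU)

# Flag and type values are placeholders; Tables 2 and 3 of the patent are not reproduced.
FLAG_CLIENT, FLAG_SESSION_MGR = 0x01, 0x10
MSG_JOIN_SESSION, MSG_CONNECT_DESKTOP, MSG_MOUSE, MSG_KEYBOARD = 0x0003, 0x0004, 0x0010, 0x0011
# Message types predefined between a (source, target) pair; anything else is rejected.
ALLOWED = {(FLAG_CLIENT, FLAG_SESSION_MGR): {MSG_JOIN_SESSION, MSG_CONNECT_DESKTOP, MSG_MOUSE, MSG_KEYBOARD}}
LOCAL_IDS = {FLAG_SESSION_MGR}   # identifiers this receiving module answers to


class FrameError(ValueError):
    """Raised with the first validation step that failed (S140/S150)."""


def build_frame(src, dst, mtype, data, frame_no=0):
    """Encapsulate one data area; the check value is CRC32 of the data area (assumed)."""
    if len(data) > MAX_DATA:
        raise ValueError("data area exceeds per-frame limit; use fragment()")
    return HDR.pack(MAGIC, src, dst, mtype, frame_no, len(data), zlib.crc32(data)) + data


def decode_request(mtype, data):
    """Interpret the data area according to the message type (S160); layouts assumed."""
    if mtype == MSG_MOUSE:
        x, y, button = struct.unpack(">HHB", data)
        return {"action": "mouse", "x": x, "y": y, "button": button}
    if mtype == MSG_KEYBOARD:
        key, pressed = struct.unpack(">HB", data)
        return {"action": "keyboard", "key": key, "pressed": bool(pressed)}
    if mtype == MSG_JOIN_SESSION:
        return {"action": "join_session", "session": data.decode("utf-8")}
    # Only whitelisted types reach this point, so the remaining one is connect-desktop.
    return {"action": "connect_desktop", "desktop": data.decode("utf-8")}


def parse_frame(buf):
    """Validate header, target, type, length and check value before touching the data."""
    if len(buf) < HDR.size or buf[:2] != MAGIC:
        raise FrameError("header does not match protocol definition")
    _, src, dst, mtype, frame_no, length, check = HDR.unpack_from(buf)
    if dst not in LOCAL_IDS:
        raise FrameError("target identifier is not one of this module's identifiers")
    if mtype not in ALLOWED.get((src, dst), ()):
        raise FrameError("message type not defined between this source and target")
    # The declared length must fit both the per-frame limit and the bytes actually received.
    if length > MAX_DATA or HDR.size + length > len(buf):
        raise FrameError("data length field out of range")
    data = buf[HDR.size:HDR.size + length]
    if zlib.crc32(data) != check:
        raise FrameError("check value mismatch")
    frame = {"src": src, "dst": dst, "type": mtype, "frame_no": frame_no, "data": data}
    # Fragments (frame_no != 0) are only interpreted after reassembly.
    frame["request"] = decode_request(mtype, data) if frame_no == 0 else None
    return frame


def fragment(src, dst, mtype, payload):
    """Frame number 0 = not packetized; otherwise fragments are numbered from 1."""
    if len(payload) <= MAX_DATA:
        return [build_frame(src, dst, mtype, payload)]
    chunks = [payload[i:i + MAX_DATA] for i in range(0, len(payload), MAX_DATA)]
    return [build_frame(src, dst, mtype, c, frame_no=n) for n, c in enumerate(chunks, 1)]


def reassemble(frames):
    """Rebuild one message from the frames the receiver collected for it."""
    parsed = sorted((parse_frame(f) for f in frames), key=lambda p: p["frame_no"])
    if len(parsed) == 1 and parsed[0]["frame_no"] == 0:
        return parsed[0]["request"]
    if [p["frame_no"] for p in parsed] != list(range(1, len(parsed) + 1)):
        raise FrameError("missing or duplicated fragment")
    if len({(p["src"], p["type"]) for p in parsed}) != 1:
        raise FrameError("fragments belong to different messages")
    return decode_request(parsed[0]["type"], b"".join(p["data"] for p in parsed))


if __name__ == "__main__":
    # Constructed sample: a mouse click at (120, 40) with button 1, then an oversized request.
    click = build_frame(FLAG_CLIENT, FLAG_SESSION_MGR, MSG_MOUSE, struct.pack(">HHB", 120, 40, 1))
    print(parse_frame(click)["request"])
    big = fragment(FLAG_CLIENT, FLAG_SESSION_MGR, MSG_CONNECT_DESKTOP, b"desktop-" + b"x" * 3000)
    print(len(big), "frames;", reassemble(big)["desktop"][:8])
```

Two points matter for anyone implementing the receive path. The data length field is checked against both the per-frame limit and the bytes actually received before it is used to slice the data area, so a frame that declares more data than it carries is rejected rather than read past the buffer. A CRC only detects accidental corruption; the tamper protection the description attributes to the negotiated encrypted communication mode has to come from that layer, not from the check value. The description also gives no end-of-message indicator for packetized data, so reassemble() assumes the receiver has already collected the fragments of one message and only verifies that their frame numbers are contiguous from 1.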
In table 1, the types of the messages may include, for example, the types as in table 2 below.
Table 2. Message type example:
(Table 2 is provided as an image in the source and is not reproduced here; the message types it lists are discussed in the text that follows.)
Examples of the flag values of the corresponding source flag and destination flag in tables 1 and 2 are shown in table 3.
Table 3. Example source and destination flags
(Table 3 is provided as an image in the source and is not reproduced here.)
As shown in table 3, the client module may be set to different flag values based on the type of client. The business service module can also be set to different flag values based on its type. The flag value set above to serve as a unique flag is merely an example, and the present invention is not limited thereto. In addition, there may be other types of source and destination flags, and similarly set, with a unique flag value.
In table 3, the SaaS client module and the SaaS_service module generally belong to the client side, while the session management module, the SaaS manager, the transmission relay module (SaaS relay module) and the monitoring module generally reside on the server side. Client and server are relative concepts, however: when messages are exchanged between the session management module and the SaaS manager, between the SaaS manager and the transmission relay module, or between the SaaS manager and the SaaS agent, one acts as the client and the other as the server.
In table 2, the message originator of the module registration response message is the message recipient of the module registration message, and the message recipient of the module registration response message is the message originator of the module registration message. Similarly, between the message pairs of heartbeat message and heartbeat response message, join session message and join session response message, connect desktop message and connect desktop response message, leave session message and leave session response message, the message sender of one message is the message receiver of the other message.
As can be seen from table 2 above, the message type of the terminal message may include a message for monitoring a mouse event, a keyboard event, joining a session, leaving a session, connecting a desktop, starting a specific application, and so on, so that the cloud platform may be notified of a desktop operation to be performed by itself or an operation for the application. The message types shown in table 2 above are merely examples, the present invention is not limited thereto, more or fewer message types may be used in practical applications, and other message types having the communication protocol data frame formats shown in table 1 may be defined based on the cloud desktop and the cloud application. For example, the management modules at the server side are all connected with the monitoring module and have message interaction with the monitoring module, and these message types are not shown in table 1, but the data frame format defined by the communication protocol of the present invention is also applicable to these message types. The cloud desktop and cloud application communication method in the embodiment of the invention is described only by taking part of messages as an example, but the method is also applicable to communication of other message types by adopting the protocol in the invention.
The data field may be different for different message types and the data length may be different. For example, the content of the data field of the module registration message may include client identification information (such as client ID and client role information), the content of the data field of the module registration response message may include registration status information (such as registration success, registration failure, or module illegitimate), and the content of the data field of the connection desktop message may include session identification and client (consumer) identification information; the contents of the data field of the connect desktop response message may include the session identification, the actual returned video resolution and width and height, and the status code (success or failure); the contents of the data field of the mouse event message may include, for example, the client identification, the current position of the mouse (e.g., X and Y coordinates), the type of mouse event (e.g., scroll wheel slide down, scroll wheel slide up, mouse movement, left mouse button, right mouse button, center mouse button, press event, etc.); the content of the data field of the keyboard event message may include, for example, a client identifier, a key value corresponding to a keyboard key (a preset keyboard key mapping table, which embodies a mapping relationship between a keyboard key and a corresponding key value), whether to press, and the like, which are not illustrated herein one by one.
The data frame packaging structure based on the CSP transmission protocol comprises fields such as a data frame header, a source mark, a target mark and a message type. After receiving an input message carrying service data to be analyzed, the message receiver (cloud server) first locates the frame header position and determines whether the header is correct. If the header is correct, it further determines whether the target identifier matches, i.e. whether the message is intended for itself. The header is the entry point for deciding whether a protocol message meets the reception standard, so its correctness must be determined first. The header is judged incorrect when it does not conform to the protocol definition or when the destination identifier is not within the range of the current module's identifiers. If the message type does not belong to the message types defined between the source and the destination, the message type is judged incorrect.
In step S150, if the message type is determined to be correct, the data of the data area in the data to be analyzed is extracted according to the length of the data frame.
After the data is acquired, a first check value may be calculated with a predetermined check algorithm and compared with the check value carried in the message to determine whether the data in the data area is correct; if it is, the content of the data area is parsed further. In the embodiment of the present invention, several check algorithms may be used to obtain the check value: for example, an MD5 digest may be used as the check value to compare with the one in the message, or the "source identifier", "destination identifier", "data type", "sequence number" and "data length" values may be accumulated and 32 bits of the sum taken as the check value. The check algorithms listed here are only examples, and the present invention is not limited thereto. By checking the data, it can be known whether the data has been changed, so that tampering with the data can be effectively prevented.
After the data passes verification, parsing the data means obtaining the content of the message's data area field and identifying it. Based on the identified content, the state of the interaction can be known or a corresponding response can be made. That is, desktop resources and application resources are requested and used based on the data parsed from the data area.
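As an added example (not the patent's own code), the following Python packer/parser applies the acceptance order described above: frame header, destination flag, message type, data length, then check value, and contrasts the two check variants mentioned. Field widths, the header magic, the flag and message-type values and the allowed (source, target) pairs are assumptions, since tables 1 to 3 are not reproduced on this page.

```python
"""Added example, not the patent's code: a CSP-style frame packer/parser.
Field widths, the header magic, flag and message-type values and the allowed
(source, target) pairs are assumptions; tables 1-3 are not reproduced on the page."""
import hashlib
import struct

MAGIC = b"\xc5\x50"                 # assumed 2-byte frame header
# magic, source flag, target flag, message type, packet number, data length, check value
HDR = struct.Struct(">2sBBHHHI")
MAX_DATA = 1460                     # per-frame data limit given in the description

# Constructed flag values (table 3 is not on the page).
CLIENT, SESSION_MGR, SAAS_MGR = 0x10, 0x20, 0x21
# Constructed message types (table 2 is not on the page).
MSG_REGISTER, MSG_HEARTBEAT, MSG_MOUSE, MSG_KEYBOARD = 1, 2, 3, 4
# Message types defined between a given (source, target) pair.
ALLOWED = {
    (CLIENT, SESSION_MGR): {MSG_REGISTER, MSG_HEARTBEAT},
    (CLIENT, SAAS_MGR): {MSG_MOUSE, MSG_KEYBOARD},
}


class FrameError(ValueError):
    """Raised with the reason a frame fails the acceptance checks."""


def check_value(src, dst, mtype, pkt_no, data_len, data, algo="sum"):
    """The two check variants the description mentions.
    "sum": accumulate source, destination, type, sequence and length and keep 32 bits.
           This covers header fields only, so a changed data area goes unnoticed.
    "md5": MD5 over the data area; truncating the digest to 32 bits is an assumption."""
    if algo == "sum":
        return (src + dst + mtype + pkt_no + data_len) & 0xFFFFFFFF
    if algo == "md5":
        return int.from_bytes(hashlib.md5(data).digest()[:4], "big")
    raise ValueError("unknown check algorithm: %s" % algo)


def pack(src, dst, mtype, data, pkt_no=0, algo="sum"):
    """Build one frame; data longer than MAX_DATA must be fragmented first."""
    if len(data) > MAX_DATA:
        raise FrameError("data area exceeds per-frame maximum; fragment first")
    cv = check_value(src, dst, mtype, pkt_no, len(data), data, algo)
    return HDR.pack(MAGIC, src, dst, mtype, pkt_no, len(data), cv) + data


def fragment(data, limit=MAX_DATA):
    """Split an oversized data area into (packet number, chunk) pairs.
    Packet number 0 means unfragmented; fragments are numbered from 1."""
    if len(data) <= limit:
        return [(0, data)]
    count = (len(data) + limit - 1) // limit
    return [(i + 1, data[i * limit:(i + 1) * limit]) for i in range(count)]


def parse(frame, my_flags, algo="sum"):
    """Check header, target flag, message type, data length and check value, in the
    order the description gives, then return (source, type, packet number, data)."""
    if len(frame) < HDR.size or frame[:2] != MAGIC:
        raise FrameError("header does not conform to the protocol definition")
    _, src, dst, mtype, pkt_no, data_len, cv = HDR.unpack_from(frame)
    if dst not in my_flags:
        raise FrameError("destination flag is not one of this module's flags")
    if mtype not in ALLOWED.get((src, dst), ()):
        raise FrameError("message type not defined between source and destination")
    data = frame[HDR.size:HDR.size + data_len]
    if len(data) != data_len:
        raise FrameError("data area shorter than the data length field")
    if cv != check_value(src, dst, mtype, pkt_no, data_len, data, algo):
        raise FrameError("check value mismatch")
    return src, mtype, pkt_no, data


def verdict(frame, my_flags, algo="sum"):
    """Return the rejection reason, or None when the frame is accepted."""
    try:
        parse(frame, my_flags, algo)
    except FrameError as exc:
        return str(exc)
    return None


def tamper_detected(algo):
    """Constructed demonstration: flip the last data byte of a mouse-event frame
    and report whether the chosen check variant notices."""
    frame = pack(CLIENT, SAAS_MGR, MSG_MOUSE, b"\x01\x02\x03\x04", algo=algo)
    tampered = frame[:-1] + bytes([frame[-1] ^ 0xFF])
    return verdict(tampered, {SAAS_MGR}, algo) is not None
```

The header-only additive check passes a frame whose data area was altered, while the digest variant rejects it; neither is keyed, so integrity against an active peer still rests on the encrypted transport negotiated below.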
When a user double-clicks any one module, a mouse event message is sent to the cloud server, and the module can be quickly opened by analyzing the mouse event message. Additionally, clicking (e.g., right clicking) on a blank area may support desktop refresh. Clicking (such as right clicking) the cloud desktop module can support the startup, shutdown, restart and the like of the desktop. In the safe working space, desktops or applications are deployed at the cloud end, the cloud platform can deliver the desktops or the applications to the user terminal in a video stream mode, and after the cloud desktops or the cloud applications are opened by a user, the viewed interface is the video stream transmitted by the cloud end through a transmission protocol. All data generated by the application are uniformly stored in the cloud, and no data is stored locally.
Therefore, as long as network connectivity exists, the user can log in to the cloud platform with a personal account from any terminal such as a computer, mobile phone or pad, open the secure workspace at any time and place, and use the desktop resources and application resources in it.
In addition, in some embodiments of the invention, the user may apply for more desktops or applications from the cloud server through the resource pool of the secure workspace. For example, if a user wants to add a new application to the cloud application module of the secure workspace, the module to be added may be selected from the resource pool module to request the cloud platform to add the requested application resource. After receiving the desktop and/or application adding request from the user terminal, the cloud platform may add the desktop and/or application in the secure workspace for the user based on that request. For example, after receiving the application, the administrator grants or refuses authorization, and if authorized, the user will see the corresponding desktop or application in the secure workspace. The user can thus use the desktop or application resources of the cloud directly, by applying for them in the resource pool and obtaining an administrator's authorization, without downloading and installing anything. In the secure workspace, all software and data are stored uniformly in the cloud environment; the user side stores no data, the data never lands locally and is not prone to being lost, which further improves data security. In addition, the administrator can monitor or view, in real time or offline, the screen recording of the application or desktop accessed by the end user, that is, user behavior monitoring is realized by way of screen recording.
In addition, in some embodiments of the present invention, the secure workspace allocated by the cloud end for the user may further include a chat module (secure cloud chat module), that is, the secure workspace may be configured with a text, voice and video session function, and may support the user and an administrator, that is, other associated users in the platform, to implement a text, voice or video session.
In some embodiments of the present invention, the secure workspace allocated by the cloud to the user may further include a video conference module, that is, the secure workspace is configured with a self-contained video conference function, so that a video conference between different users in the platform can be supported.
According to the invention, a resource pool mixing desktop resources and application resources is established in the cloud and is transmitted and delivered to the user terminal through the CSP communication protocol, which carries the message type, so that a user can log in to the secure workspace on any device such as a mobile phone, pad or PC through an account and use the desktop and applications as if they were local. All desktop operating systems are installed in the cloud, all applications are deployed or installed in the unified cloud, all data are stored in the unified cloud, and the user terminal performs no core computation and stores no data.
In some embodiments of the invention, a desktop-like typesetting and interaction mode is adopted for the display interface of the secure workspace to display modules such as the resource pool, cloud application, cloud desktop and cloud space modularly, and each module supports operations such as dragging, double-click opening, single-click closing and right-click refreshing. The user can open a module quickly by double-clicking it. Right-clicking a blank area supports desktop refreshing. Right-clicking the cloud desktop module supports starting, shutting down and restarting the desktop.
The working mode providing method based on the secure workspace integrates the following management and use modes for a desktop or an application: (1) a design and operation mode based on the cloud secure workspace; (2) a hybrid mode of desktop and application resource pools; (3) a mode in which the cloud delivers a desktop or application as a picture stream (video stream); (4) a mode in which a user applies for an application or a desktop through the resource pool, and an administrator authorizes, distributes and recovers desktops/applications through resource management; (5) a mode of accessing a desktop or application across platforms, for example a Windows desktop or application accessed from an Android mobile phone, which is possible because a video stream is transmitted; (6) a user behavior monitoring mode based on screen recording of operations.
In the embodiment of the invention, the security negotiation that enables secure communication between the user terminal and the server can be carried out over the CSP transmission protocol. The security negotiation defines the encrypted communication mode of the data for secure and confidential communication. As an example, negotiating an encrypted communication mode between the client and the server may include the following steps:
(1) The server receives a registration request initiated by the client, where the registration request carries the role and identification information of the client;
(2) Based on the received registration request, the server returns a response message to the client, where the response message carries the encrypted communication modes supported by the server;
(3) The server receives the encrypted communication mode(s) that the client selected from among the modes supported by the server, and determines the encrypted communication mode to be used for transmitting terminal messages.
The handshake flow in the embodiment of the invention defines an encryption communication mode of data, which is used for realizing safe and confidential communication.
Fig. 5 is a schematic diagram illustrating a handshake process between a client and a server according to an embodiment of the present invention, where as shown in fig. 5, the handshake process includes the following steps:
Step 1. The client initiates a registration request to indicate its own role and unique identification information.
After the client and the server establish communication (e.g., TCP connection establishment is successful), the first message is a registration request message, and the registration request message may carry its role type and identification information (e.g., role ID).
Step 2. The server responds to the registration request, returning the registration status and indicating whether encryption is required and which encrypted communication modes it supports.
In the registration response message returned by the server, the registration status (e.g., registration success or registration failure) and the encrypted communication mode supported by the server may be carried to indicate that data communication needs to be encrypted, or of course, an encryption indication identifier may be additionally carried to indicate whether encryption is needed.
Step 3. The client screens the encrypted communication modes it supports.
After receiving the encrypted communication mode supported by the server from the server, the client can screen the encrypted communication mode supported by the client.
Step 4. The client sends the encrypted communication modes it supports to the server.
The encrypted communication method supported by the client is selected from the encrypted communication methods supported by the server, and therefore is also the encrypted communication method supported by the server.
Step 5. The server selects one encrypted communication mode from the received modes supported by the client.
Step 6. The server sends a response message to the client, which includes the selected encrypted communication mode.
Step 7. The client starts the encryption negotiation process based on the encrypted communication mode selected by the server and initiates an encryption negotiation request to the server.
The negotiation request is used to negotiate with the server a specific encryption algorithm matching the selected encrypted communication mode. The algorithm may be a specific symmetric algorithm or a specific asymmetric algorithm. The encryption negotiation request may or may not carry candidate encryption algorithms for the server to choose from. After the encrypted communication mode for transmitting terminal messages has been determined, the encryption algorithm under that mode is negotiated between the server and the user terminal.
Step 8. The server sends a negotiation completion response to the client, completing the encryption negotiation process.
The negotiation response carries the specific encryption algorithm selected by the client. Based on the negotiation response, the client and the service end encrypt the subsequent service data based on a common encryption algorithm.
Step 9. The client sends service data to the server to carry out service data communication.
In this step, the client encrypts the data in the protocol format using the encryption algorithm negotiated in step 7 and step 8, and then transmits the encrypted data to the server.
Step 10. The server sends service data to the client to carry out service data communication.
In this step, the server uses the encryption algorithm negotiated in step 7 and step 8 to decrypt the data in the protocol format, and then performs the protocol unpacking processing.
In an alternative embodiment of the invention, steps 4-6 in the handshake flow of fig. 5 may also be replaced by the following steps:
Step 4'. The client selects, from the encrypted communication modes supported by the server, those it also supports, directly picks one of them, and informs the server. In this way, the client and the server can directly encrypt and transmit data in the encrypted communication mode selected by the client.
The communication protocol of the present invention supports both symmetric and asymmetric encrypted communication modes, and existing symmetric and asymmetric schemes may be adopted. The specific mode used is determined by the handshake negotiation in fig. 5; after the handshake, data in the protocol format is encrypted with the selected mode before transmission, and the peer decrypts the data after receiving it and then performs protocol unpacking.
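As an added example (not the patent's code), the following Python simulation runs the fig. 5 handshake with both sides in one process, including the step 4' variant. Message names, mode and algorithm identifiers and the role allow-list are constructed for the example; the server validates every step against its own state, so a client cannot skip registration or negotiation, or claim a mode the server never offered.

```python
# Added example, not the patent's code: single-process simulation of the fig. 5
# handshake. Message names, mode/algorithm identifiers and the allowed roles are
# constructed; the patent does not specify them.

SERVER_MODES = ["asymmetric", "symmetric"]                 # server preference order (constructed)
SERVER_ALGOS = {"symmetric": ["AES-256-GCM", "SM4-GCM"],  # constructed algorithm lists
                "asymmetric": ["RSA-OAEP", "SM2"]}
ALLOWED_ROLES = {"saas_client", "saas_service"}            # constructed role allow-list


class Server:
    """Server side. Each step is checked against the server's own state so the
    client cannot skip registration or negotiation or pick an unoffered mode."""

    def __init__(self, modes=SERVER_MODES, algos=SERVER_ALGOS):
        self.modes, self.algos = list(modes), algos
        self.peer = self.mode = self.algorithm = None

    def handle(self, msg):
        kind = msg.get("type")
        if kind == "register":                                   # steps 1-2
            ok = msg.get("role") in ALLOWED_ROLES
            self.peer = msg.get("id") if ok else None
            return {"type": "register_resp", "status": "success" if ok else "failure",
                    "encrypt": True, "modes": list(self.modes)}
        if self.peer is None:
            return {"type": "error", "reason": "not registered"}
        if kind == "client_modes":                               # steps 5-6 (or 4')
            # Server picks in its own preference order and only from modes it offered.
            common = [m for m in self.modes if m in msg.get("modes", [])]
            if not common:
                return {"type": "mode_resp", "status": "failure"}
            self.mode = common[0]
            return {"type": "mode_resp", "status": "success", "mode": self.mode}
        if kind == "negotiate":                                  # steps 7-8
            if self.mode is None or msg.get("mode") != self.mode:
                return {"type": "negotiate_resp", "status": "failure"}
            offered = msg.get("algorithms") or self.algos[self.mode]
            common = [a for a in self.algos[self.mode] if a in offered]
            if not common:
                return {"type": "negotiate_resp", "status": "failure"}
            self.algorithm = common[0]
            return {"type": "negotiate_resp", "status": "success", "algorithm": self.algorithm}
        if kind == "data":                                       # steps 9-10
            if self.algorithm is None:
                return {"type": "error", "reason": "encryption not negotiated"}
            return {"type": "data_ack", "algorithm": self.algorithm}
        return {"type": "error", "reason": "unknown message"}


class Client:
    """Client side of the handshake."""

    def __init__(self, role, ident, modes, algorithms=None):
        self.role, self.id, self.modes = role, ident, list(modes)
        self.algorithms = algorithms          # optional candidates for step 7
        self.mode = self.algorithm = None

    def handshake(self, server, choose_directly=False):
        """Run steps 1-8; return (mode, algorithm), or None when negotiation fails."""
        resp = server.handle({"type": "register", "role": self.role, "id": self.id})  # step 1
        if resp["status"] != "success":
            return None
        if not resp.get("encrypt", True):
            return ("plaintext", None)
        common = [m for m in self.modes if m in resp["modes"]]                          # step 3
        if not common:
            return None
        offer = common[:1] if choose_directly else common                              # step 4 / 4'
        resp = server.handle({"type": "client_modes", "modes": offer})
        if resp["status"] != "success":
            return None
        self.mode = resp["mode"]                                                       # step 6
        resp = server.handle({"type": "negotiate", "mode": self.mode,
                              "algorithms": self.algorithms})                          # step 7
        if resp["status"] != "success":
            return None
        self.algorithm = resp["algorithm"]                                             # step 8
        return (self.mode, self.algorithm)
```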
Based on the flow shown in fig. 5, the CSP transmission protocol can further ensure the security of the service data.
Corresponding to the aforementioned method for providing working mode based on secure workspace, the present invention further provides a system for providing working mode based on secure workspace, which comprises a processor and a memory, wherein the memory stores computer instructions, the processor is configured to execute the computer instructions stored in the memory, and when the computer instructions are executed by the processor, the system realizes the steps of the aforementioned method.
The present invention also relates to a storage medium on which computer program code may be stored, which when executed may implement various embodiments of the method of the present invention, and which may be a tangible storage medium such as an optical disk, a Random Access Memory (RAM), a memory, a Read Only Memory (ROM), an electrically programmable ROM, an electrically erasable programmable ROM, a register, a hard disk, a removable disk, a CD-ROM, or any other form of tangible storage medium known in the art.
It is to be understood that the invention is not limited to the specific arrangements and instrumentality described above and shown in the drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein may be implemented as hardware, software, or combinations thereof. Whether this is done in hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include an electronic circuit, a semiconductor memory device, a ROM, a flash memory, an Erasable ROM (EROM), a floppy disk, a CD-ROM, an optical disk, a hard disk, an optical fiber medium, a Radio Frequency (RF) link, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.
It should also be noted that the exemplary embodiments noted in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.
Features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments in the present invention.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. A method for providing a working mode based on a secure working space, the method comprising the steps of:
establishing a desktop and an application resource pool on a cloud platform;
allocating desktop resources and application resources for a user, and constructing a safe working space comprising the allocated desktop resources and the allocated application resources;
receiving a login request from a user terminal, providing a safe working space for the user terminal in a video stream mode, and displaying desktop resources and application resources distributed to the user in the safe working space;
receiving a terminal message from a user terminal, and determining header information of the data frame, a target identifier of the message and a message type based on a predefined data frame packaging structure;
under the condition that the header information of the data frame and the target identification of the message are determined to be correct, extracting data in a data area in the data frame according to the length information of the data area in the data frame, and analyzing the data in the extracted data area based on the determined message type;
and identifying related requests of the user for the desktop and/or the application based on the data in the analyzed data area, and returning a video stream corresponding to the identified requests to the user terminal.
2. The method of claim 1, wherein a cloud desktop module and a cloud application module are included in the secure workspace, desktop resources allocated to the user are included in the cloud desktop module, and application resources allocated to the user are included in the cloud application module; the secure workspace further comprises a cloud space module and/or a resource pool module, and the resource pool module comprises desktop resources and/or application resources which can be selected by a user.
3. The method of claim 2, further comprising a chat module and/or a video conference module in the secure workspace.
4. The method of claim 1, further comprising:
receiving a desktop and/or application adding request from a user terminal, and adding the desktop and/or application in the safe working space for the user based on the desktop and/or application adding request.
5. The method according to claim 1, wherein after the connection between the cloud platform and the user terminal is established, before the terminal message is received, the method further comprises a step of negotiating an encrypted communication mode between the cloud platform and the user terminal; the step of negotiating the encrypted communication mode between the cloud platform and the user terminal comprises:
receiving a registration request initiated by a user terminal by a cloud platform, wherein the registration request carries the role and identification information of the user terminal;
based on the received registration request, returning a response message to the user terminal, wherein the response message carries the encrypted communication mode supported by the server;
and receiving the encrypted communication mode supported by the user terminal selected by the user terminal based on the encrypted communication mode supported by the server, and determining the encrypted communication mode adopted by the transmission terminal message.
6. The method of claim 5, further comprising:
and when receiving the terminal message, decrypting by using the encryption algorithm matched with the determined encryption communication mode.
7. The method of claim 1, further comprising:
the cloud platform monitors the user behavior based on a screen recording mode.
8. The method of claim 1, wherein the data frame encapsulation structure comprises: a source mark field, a target mark field, a message type field, a data length field and a data area; the data frame encapsulation structure further comprises one or more of the following fields: frame number, respective flags, and check value fields.
9. The method of claim 8, wherein the message type that can be identified by the message type field comprises some or all of the following message types: <xnotran> , , , , , , , , , , , , , , , , , , , , , , , , . </xnotran>
10. The method of claim 1, wherein the display interface of the secure workspace employs a desktop-like typesetting and interaction mode.
11. A system for providing a secure workspace-based mode of operation, the system comprising a processor and a memory, wherein the memory has stored therein computer instructions, the processor being configured to execute the computer instructions stored in the memory, and wherein the system when executed by the processor implements the steps of the method of any one of claims 1 to 10.
12. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 10.
CN202110430604.XA 2021-04-21 2021-04-21 Method and system for providing working mode based on safe working space Pending CN115220831A (en)

Publications (1)

Publication Number Publication Date
CN115220831A true CN115220831A (en) 2022-10-21
