CN103067397B - Security authentication method for a desktop cloud system, access gateway and authentication server
- Publication number: CN103067397B (CN201210592285.3A)
- Authority: CN (China)
- Prior art keywords: user, account, fingerprint, desktop cloud, fingerprint characteristic
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
An embodiment of the invention discloses a security authentication method for a desktop cloud system, comprising: a desktop cloud access gateway receives the account and fingerprint characteristic of a user sent by a client; sends the user's account and the fingerprint characteristic to an authentication server; and receives the first authentication result returned by the authentication server. Embodiments of the invention also provide a desktop cloud access gateway, an authentication server and a desktop cloud system. With the embodiments of the invention, the risk of user information leakage can be effectively reduced and the protection of user information security in desktop cloud scenarios improved.
Description
Technical field
The present invention relates to the field of desktop cloud application technology, and in particular to a security authentication method for a desktop cloud system, a desktop cloud access gateway, an authentication server and a desktop cloud system.
Background
Desktop cloud refers to accessing applications and the entire user desktop across platforms from a thin client or any other network-connected device. In a desktop cloud system, a user needs only a thin client device or any other device that can connect to the network in order to access, through a dedicated program or a browser, the personal desktop and the various applications that reside on the server side.
The existing security authentication method for a desktop cloud system is generally as follows: in a desktop cloud scenario, the user enters an account, password, fingerprint characteristic or the like, which is passed to the desktop cloud system for authentication. Once authentication succeeds, the desktop cloud system shows the user a list of the user's virtual machines (Virtual Machine, VM), and the user selects a virtual machine to enter.
The existing fingerprint-based approach is specifically as follows: a fingerprint reader is connected to the local client, the user's VM runs in a remote data center, and the user's domain name, account, password, fingerprint information and so on are stored on the local TC. After the user presents a fingerprint characteristic, the system uses that fingerprint information to retrieve the corresponding domain name, account, password and so on from the TC, and authenticates to the desktop cloud system with this information.
With this existing method, the user's domain name, account, password, fingerprint information and so on are stored on the local TC, where the risk of user information being stolen is very high. Once the user's account, password or fingerprint is leaked, the security of the user's information can no longer be guaranteed.
Summary of the invention
The invention provides a security authentication method for a desktop cloud system, a desktop cloud access gateway, an authentication server and a desktop cloud system, which can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud scenarios.
In a first aspect, a security authentication method for a desktop cloud system is provided, the method comprising: a desktop cloud access gateway receives the account and fingerprint characteristic of a user sent by a client; sends the user's account and the fingerprint characteristic to an authentication server; and receives the first authentication result returned by the authentication server.
In a first possible implementation of the first aspect, the method further comprises: receiving the user's account and second authentication information sent by the client; sending the user's account and the second authentication information to the authentication server; receiving the second authentication result returned by the authentication server; if the first authentication result returned by the authentication server is fingerprint characteristic authentication success and the second authentication result is second authentication information authentication success, determining that authentication passes; if at least one of the first authentication result and the second authentication result returned by the authentication server is an authentication failure, determining that authentication does not pass.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the second authentication information comprises: a password, a dynamic password, a user private key or a biometric characteristic; the biometric characteristic comprises: an iris feature, a retinal feature, facial characteristics or a vein pattern.
In a second aspect, a security authentication method for a desktop cloud system is provided, the method comprising: an authentication server receives the account and fingerprint characteristic of a user sent by a desktop cloud access gateway; queries a fingerprint database according to the user's account to obtain the correct fingerprint corresponding to the user's account; and compares the received fingerprint characteristic with the correct fingerprint; if they are consistent, sends a first authentication result of fingerprint characteristic authentication success to the desktop cloud access gateway; otherwise, sends a first authentication result of fingerprint characteristic authentication failure to the desktop cloud access gateway.
In a first possible implementation of the second aspect, the method further comprises: receiving the user's account and second authentication information sent by the desktop cloud access gateway; querying a second authentication information database according to the user's account to obtain the correct second authentication information corresponding to the user's account; comparing the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, sending a second authentication result of second authentication information authentication success to the desktop cloud access gateway; otherwise, sending a second authentication result of second authentication information authentication failure to the desktop cloud access gateway.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the second authentication information comprises: a dynamic password, a user private key or a biometric characteristic; the biometric characteristic comprises: an iris feature, a retinal feature, facial characteristics or a vein pattern.
With reference to any one of the above possible implementations of the second aspect, in a third possible implementation of the second aspect, the method further comprises: receiving the user's account and a fingerprint characteristic for activating the screen lock, sent by a virtual machine; querying the fingerprint database according to the user's account to obtain the correct fingerprint corresponding to the user's account; comparing the received fingerprint characteristic for activating the screen lock with the correct fingerprint; if they are consistent, sending to the virtual machine a screen-lock activation authentication result indicating that authentication of the fingerprint characteristic for activating the screen lock succeeded; otherwise, sending to the virtual machine a screen-lock activation authentication result indicating that authentication of the fingerprint characteristic for activating the screen lock failed.
In a third aspect, a desktop cloud access gateway is provided, the desktop cloud access gateway comprising: a receiving unit, configured to receive the account and fingerprint characteristic of a user sent by a client; and a sending unit, configured to send the user's account and the fingerprint characteristic to an authentication server; the receiving unit being further configured to receive the first authentication result returned by the authentication server.
In a first possible implementation of the third aspect, the gateway further comprises a processing unit; wherein the receiving unit is further configured to receive the user's account and second authentication information sent by the client; the sending unit is further configured to send the user's account and the second authentication information to the authentication server; the receiving unit is further configured to receive the second authentication result returned by the authentication server; and the processing unit is configured to determine that authentication passes if the first authentication result returned by the authentication server is fingerprint characteristic authentication success and the second authentication result is second authentication information authentication success, and to determine that authentication does not pass if at least one of the first authentication result and the second authentication result returned by the authentication server is an authentication failure.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the second authentication information comprises: a password, a dynamic password, a user private key or a biometric characteristic; the biometric characteristic comprises: an iris feature, a retinal feature, facial characteristics or a vein pattern.
In a fourth aspect, an authentication server is provided, the authentication server comprising: a receiving unit, configured to receive the account and fingerprint characteristic of a user sent by a desktop cloud access gateway; a fingerprint database; a sending unit; and a processing unit, configured to query the fingerprint database according to the user's account to obtain the correct fingerprint corresponding to the user's account, and to compare the received fingerprint characteristic with the correct fingerprint; if they are consistent, to send, through the sending unit, a first authentication result of fingerprint characteristic authentication success to the desktop cloud access gateway; otherwise, to send a first authentication result of fingerprint characteristic authentication failure to the desktop cloud access gateway.
In a first possible implementation of the fourth aspect, the authentication server further comprises a second authentication information database; wherein the receiving unit is further configured to receive the user's account and second authentication information sent by the desktop cloud access gateway; and the processing unit is further configured to query the second authentication information database according to the user's account to obtain the correct second authentication information corresponding to the user's account, and to compare the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, to send, through the sending unit, a second authentication result of second authentication information authentication success to the desktop cloud access gateway; otherwise, to send, through the sending unit, a second authentication result of second authentication information authentication failure to the desktop cloud access gateway.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the second authentication information comprises: a dynamic password, a user private key or a biometric characteristic; the biometric characteristic comprises: an iris feature, a retinal feature, facial characteristics or a vein pattern.
With reference to any one of the above possible implementations of the fourth aspect, in a third possible implementation of the fourth aspect, the receiving unit is further configured to receive the user's account and a fingerprint characteristic for activating the screen lock, sent by a virtual machine; the processor is further configured to query the fingerprint database according to the user's account to obtain the correct fingerprint corresponding to the user's account, and to compare the fingerprint characteristic for activating the screen lock with the correct fingerprint; if they are consistent, to send to the virtual machine, through the sending unit, a screen-lock activation authentication result indicating that authentication of the fingerprint characteristic for activating the screen lock succeeded; if they are inconsistent, to send to the virtual machine, through the sending unit, a screen-lock activation authentication result indicating that authentication of the fingerprint characteristic for activating the screen lock failed.
In a fifth aspect, a desktop cloud system is provided, the system comprising: a client, a desktop cloud access gateway and an authentication server. The client is configured to receive the account and fingerprint characteristic entered by a user and send them to the desktop cloud access gateway. The desktop cloud access gateway is configured to receive the user's account and the fingerprint characteristic sent by the client; send the user's account and the fingerprint characteristic to the authentication server; receive the first authentication result returned by the authentication server; if the first authentication result is fingerprint characteristic authentication success, determine that authentication passes and send a message allowing login to the client; if the first authentication result is fingerprint characteristic authentication failure, determine that authentication does not pass and send a re-authentication message to the client. The authentication server comprises a fingerprint database and is configured to receive the user's account and the fingerprint characteristic sent by the desktop cloud access gateway; query the fingerprint database according to the user's account to obtain the correct fingerprint corresponding to the user's account; compare the received fingerprint characteristic with the correct fingerprint; if they are consistent, send a first authentication result of fingerprint characteristic authentication success to the desktop cloud access gateway; otherwise, send a first authentication result of fingerprint characteristic authentication failure to the desktop cloud access gateway.
In a first possible implementation of the fifth aspect, the client is further configured to receive the user's account and second authentication information and send them to the desktop cloud access gateway. The desktop cloud access gateway is further configured to receive the user's account and second authentication information sent by the client, and send the user's account and the second authentication information to the authentication server. The authentication server is further configured to receive the user's account and second authentication information sent by the desktop cloud access gateway; query a second authentication information database according to the user's account to obtain the correct second authentication information corresponding to the user's account; compare the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, send a second authentication result of second authentication information authentication success to the desktop cloud access gateway; otherwise, send a second authentication result of second authentication information authentication failure to the desktop cloud access gateway. The desktop cloud access gateway is further configured to receive the second authentication result returned by the authentication server; if the first authentication result returned by the authentication server is fingerprint characteristic authentication success and the second authentication result is second authentication information authentication success, determine that authentication passes and send a message allowing login to the client; if at least one of the first authentication result and the second authentication result returned by the authentication server is an authentication failure, determine that authentication does not pass.
With reference to the first possible implementation of the fifth aspect, in a second possible implementation of the fifth aspect, the second authentication information comprises: a dynamic password, a user private key or a biometric characteristic; the biometric characteristic comprises: an iris feature, a retinal feature, facial characteristics or a vein pattern.
With reference to any one of the above possible implementations of the fifth aspect, in a second possible implementation of the fifth aspect, the system further comprises a desktop cloud server, which runs at least one virtual machine. The client is further configured to receive the user's account and fingerprint characteristic, and send the user's account and a fingerprint characteristic for activating the screen lock to a first virtual machine on the desktop cloud server. The first virtual machine is configured to receive the user's account and the fingerprint characteristic for activating the screen lock and send them to the authentication server. The authentication server is configured to receive the user's account and the fingerprint characteristic for activating the screen lock sent by the first virtual machine; query the fingerprint database according to the user's account to obtain the correct fingerprint corresponding to the user's account; compare the received fingerprint characteristic for activating the screen lock with the correct fingerprint; if they are consistent, send to the first virtual machine a screen-lock activation authentication result indicating that authentication of the fingerprint characteristic for activating the screen lock succeeded; otherwise, send to the first virtual machine a screen-lock activation authentication result indicating that authentication of the fingerprint characteristic for activating the screen lock failed. The first virtual machine is configured to receive the authentication result for the fingerprint characteristic for activating the screen lock.
In a sixth aspect, a security authentication method for a desktop cloud system is provided, the method comprising: a desktop cloud access gateway receives the fingerprint characteristic of a user sent by a client; sends the user's fingerprint characteristic to an authentication server; and receives the first authentication result returned by the authentication server.
In a first possible implementation of the sixth aspect, if the first authentication result returned by the authentication server is fingerprint characteristic authentication success, the first authentication result further includes the account and password of the user corresponding to the fingerprint characteristic.
With reference to any one of the above possible implementations of the sixth aspect, in a second possible implementation of the sixth aspect, before receiving the authentication result returned by the authentication server, the method further comprises: receiving the user's account and second authentication information sent by the client; sending the user's account and the second authentication information to the authentication server; if the first authentication result returned by the authentication server is fingerprint characteristic authentication success and the second authentication result is second authentication information authentication success, determining that authentication passes; if at least one of the first authentication result and the second authentication result returned by the authentication server is an authentication failure, determining that authentication does not pass.
With reference to the second possible implementation of the sixth aspect, in a third possible implementation of the sixth aspect, the second authentication information comprises: a password, a dynamic password, a user private key or a biometric characteristic; the biometric characteristic comprises: an iris feature, a retinal feature, facial characteristics or a vein pattern.
In a seventh aspect, a security authentication method for a desktop cloud system is provided, the method comprising: an authentication server receives the fingerprint characteristic of a user sent by a desktop cloud access gateway; queries a fingerprint database and determines whether the fingerprint characteristic exists in the fingerprint database; if the fingerprint characteristic exists in the fingerprint database, sends a first authentication result of fingerprint characteristic authentication success to the desktop cloud access gateway; otherwise, sends a first authentication result of fingerprint characteristic authentication failure to the desktop cloud access gateway.
In a first possible implementation of the seventh aspect, when it is determined that the fingerprint characteristic exists in the fingerprint database, the method further comprises: finding the account and password of the user corresponding to the fingerprint characteristic, and sending the account and password to the desktop cloud access gateway.
With reference to any one of the above possible implementations of the seventh aspect, in a second possible implementation of the seventh aspect, the method further comprises: receiving the user's account and second authentication information sent by the desktop cloud access gateway; querying a second authentication information database according to the user's account to obtain the correct second authentication information corresponding to the user's account; comparing the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, sending a second authentication result of second authentication information authentication success to the desktop cloud access gateway; otherwise, sending a second authentication result of second authentication information authentication failure to the desktop cloud access gateway.
With reference to the second possible implementation of the seventh aspect, in a third possible implementation of the seventh aspect, the second authentication information comprises: a dynamic password, a user private key or a biometric characteristic; the biometric characteristic comprises: an iris feature, a retinal feature, facial characteristics or a vein pattern.
In the embodiments of the invention, the user's account and fingerprint characteristic are stored on the authentication server. When a user logs in to the desktop cloud system and security authentication is required, the client sends the account and fingerprint characteristic entered by the user to the authentication server through the desktop cloud access gateway, and the authentication server performs the security authentication. Compared with the existing practice of storing the fingerprint characteristic on the local client, the embodiments of the invention can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud scenarios.
Brief description of the drawings
To describe the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the embodiments are briefly introduced below. The drawings described below are obviously only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is an application scenario diagram of the security authentication method for a desktop cloud system according to an embodiment of the invention;
Fig. 2 is a flowchart of the security authentication method for a desktop cloud system according to Embodiment 1 of the invention;
Fig. 3 is a flowchart of the security authentication method for a desktop cloud system according to Embodiment 2 of the invention;
Fig. 4 is a flowchart of the security authentication method for a desktop cloud system according to Embodiment 3 of the invention;
Fig. 5 is a flowchart of the security authentication method for a desktop cloud system according to Embodiment 4 of the invention;
Fig. 6 is a structural diagram of the desktop cloud access gateway provided in an embodiment of the invention;
Fig. 7 shows the authentication server provided in an embodiment of the invention;
Fig. 8 is a structural diagram of the desktop cloud system provided in an embodiment of the invention;
Fig. 9 is a flowchart of the security authentication method for a desktop cloud system according to Embodiment 5 of the invention;
Fig. 10 is a flowchart of the security authentication method for a desktop cloud system according to Embodiment 6 of the invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are obviously only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The invention provides a security authentication method for a desktop cloud system, a desktop cloud access gateway, an authentication server and a desktop cloud system, which can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud scenarios.
Fig. 1 is an application scenario diagram of the security authentication method for a desktop cloud system according to an embodiment of the invention. As shown in Fig. 1, the method of the embodiment applies to the scenario in which a user operates a client to perform security authentication through the desktop cloud access gateway.
The desktop cloud access gateway is a system component of the desktop cloud. With the desktop cloud access gateway, secure access to desktop cloud resources can be achieved from any location, using any device with a Web browser.
The desktop cloud system of the embodiment comprises a client 10, a desktop cloud access gateway 20 and an authentication server 30.
As shown in Fig. 1, the authentication server 30 includes a fingerprint database, which stores information such as the user's domain name, account and fingerprint characteristic. When a user logs in to the desktop cloud system and security authentication is required, the fingerprint characteristic is entered through a fingerprint reader, and the client 10 sends the account and fingerprint characteristic to the desktop cloud access gateway 20 over the desktop authentication protocol. The desktop cloud access gateway 20 sends the received account and fingerprint characteristic to the corresponding authentication server 30 for security authentication. After the security authentication passes, the user is allowed to access the desktop cloud.
Of course, in the embodiments of the invention, the fingerprint characteristic may also be extended to other human biometric characteristics such as iris features, retinal features, facial characteristics and vein patterns.
The method and apparatus provided in the embodiments of the invention are described in detail below.
Fig. 2 is a flowchart of the security authentication method for a desktop cloud system according to Embodiment 1 of the invention. As shown in Fig. 2, the method may include the following steps:
Step S201: The desktop cloud access gateway receives the account and fingerprint characteristic of the user sent by the client.
Step S202: The user's account and the fingerprint characteristic are sent to the authentication server.
Step S203: The first authentication result returned by the authentication server is received.
In the method of Embodiment 1, the user's account and fingerprint characteristic are stored on the authentication server. When a user logs in to the desktop cloud system and security authentication is required, the client sends the account and fingerprint characteristic entered by the user to the authentication server through the desktop cloud access gateway, and the authentication server performs the security authentication. Compared with the existing practice of storing the fingerprint characteristic on the local client, the method of the embodiment can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud scenarios.
It should be noted that, in the method of the embodiment, in step S201 the desktop cloud access gateway, while receiving the account and fingerprint characteristic of the user sent by the client, may also receive the domain name corresponding to the user sent by the client.
In that case, in step S202 the desktop cloud access gateway sends the user's domain name, account and fingerprint characteristic to the authentication server.
Further, to improve the security of the method, a dual authentication mechanism may also be used. Specifically, the method may further include: receiving the account and second authentication information of the user sent by the client; sending the user's account and second authentication information to the certificate server; if the first authentication result returned by the certificate server is that fingerprint characteristic authentication succeeded and the second authentication result is that second authentication information authentication succeeded, determining that authentication passes; if at least one of the first authentication result and the second authentication result returned by the certificate server is an authentication failure, determining that authentication does not pass.
In that case, when logging in to the desktop cloud system the user must provide both the fingerprint characteristic and the second authentication information. Login is allowed only when both the fingerprint characteristic authentication and the second authentication information authentication succeed; if either one fails, or both fail, login is not allowed. The method is therefore more secure: because fingerprint authentication must be passed, even if the user's account and second authentication information are leaked, others cannot log in using the account and password, which improves the protection of user information security in desktop cloud application scenarios.
It should be noted that the second authentication information may include: a password, a dynamic password, a user private key (the user may input the private key through a USB Key (U-shield)), a biological characteristic, etc. The biological characteristic may include: an iris feature, a retinal feature, a facial feature, a vein pattern, etc.
Referring to Fig. 3, which is a flowchart of the security authentication method of the desktop cloud system according to Embodiment 2 of the present invention. As shown in Fig. 3, the method may include the following steps:
Step S301: The certificate server receives the account and fingerprint characteristic of the user sent by the desktop cloud access gateway.
Step S302: The certificate server queries the fingerprint base according to the user's account to obtain the correct fingerprint corresponding to that account, and compares the received fingerprint characteristic with the correct fingerprint. If they are consistent, it sends a first authentication result indicating that fingerprint characteristic authentication succeeded to the desktop cloud access gateway; otherwise, it sends a first authentication result indicating that fingerprint characteristic authentication failed to the desktop cloud access gateway.
It should be noted that, in step S301, the desktop cloud access gateway may also send the user's domain name to the certificate server. In that case, the certificate server may query the fingerprint base according to the domain name and account. The same applies to the following embodiments of the present invention and is not repeated below.
In the method of Embodiment 2 of the present invention, the user's account and fingerprint characteristic are stored on the certificate server. When the user logs in to the desktop cloud system, the certificate server receives the user account and fingerprint characteristic sent by the desktop cloud access gateway and performs security authentication. Compared with the existing approach of storing the fingerprint characteristic on the local client, the method of this embodiment effectively reduces the risk of user information leakage and improves the protection of user information security in desktop cloud application scenarios.
Further, to improve the security of the method, the method of Embodiment 2 of the present invention may also use a dual authentication mechanism. Specifically, the method may further include: receiving the account and second authentication information of the user sent by the desktop cloud access gateway; querying the second authentication information base according to the user's account to obtain the correct second authentication information corresponding to that account, and comparing the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, sending a second authentication result indicating that second authentication information authentication succeeded to the desktop cloud access gateway; otherwise, sending a second authentication result indicating that second authentication information authentication failed to the desktop cloud access gateway.
In that case, when logging in to the desktop cloud system the user must provide both the fingerprint characteristic and the second authentication information. Login is allowed only when both the fingerprint characteristic authentication and the second authentication information authentication succeed; if either one fails, or both fail, login is not allowed. The method is therefore more secure: because fingerprint authentication must be passed, even if the user's account and second authentication information are leaked, others cannot log in using the account and password, which improves the protection of user information security in desktop cloud application scenarios.
It should be noted that the second authentication information may include: a password, a dynamic password, a user private key (the user may input the private key through a USB Key (U-shield)), a biological characteristic, etc. The biological characteristic may include: an iris feature, a retinal feature, a facial feature, a vein pattern, etc.
Further, after the user has passed security authentication and established a connection with the system, if the user does not operate the system within a certain time, the virtual machine enters the standby state and locks its screen. If the user then activates the virtual machine so that it exits the screen-lock state, the user must perform security authentication again to ensure the safety of user information.
In that case, the method of Embodiment 2 of the present invention may further include: the virtual machine receives the account entered by the user and the fingerprint characteristic for unlocking the screen, and sends the received account and the fingerprint characteristic for unlocking the screen to the certificate server; the certificate server receives the account and the fingerprint characteristic for unlocking the screen sent by the virtual machine; it queries the fingerprint base according to the account to obtain the correct fingerprint corresponding to the account, and compares the received fingerprint characteristic for unlocking the screen with the correct fingerprint; if they are consistent, it returns to the virtual machine an authentication result indicating that authentication of the screen-unlock fingerprint characteristic succeeded; otherwise, it returns to the virtual machine an authentication result indicating that authentication of the screen-unlock fingerprint characteristic failed.
The above method further specifies that, after the virtual machine has entered standby and locked its screen, a user who wants to activate the virtual machine and make it exit the screen-lock state still has to perform fingerprint authentication. This fingerprint authentication is not carried out on the local client. Instead, the client sends the user's account and the fingerprint characteristic for unlocking the screen to the virtual machine, the virtual machine sends the received account and fingerprint characteristic to the certificate server, and the certificate server still performs the fingerprint authentication. This effectively reduces the risk of user information leakage and improves the protection of user information security in desktop cloud application scenarios.
Current desktop cloud systems also include a desktop cloud server, which runs at least one virtual machine. After the user passes security authentication and successfully logs in to the desktop cloud system, the user can select the corresponding virtual machine to operate. In Embodiment 3 of the present invention, the security authentication method of the desktop cloud system is described in detail, taking the client as an example. The client in the method may be a thin terminal, a personal computer, a smartphone, a PAD, etc.; the present invention does not specifically limit this.
Referring to Fig. 4, which is a flowchart of the security authentication method of the desktop cloud system according to Embodiment 3 of the present invention. As shown in Fig. 4, the method may include the following steps:
Step S401: A fingerprint instrument device is connected to the client.
The fingerprint instrument (Finger Printer Device, FP) is an electronic instrument that performs identification using the property that human fingerprints "differ from person to person and remain unchanged for life". Its principle is as follows: according to differences in the geometric characteristics, physical features and biological characteristics of ridges and valleys, different optical or current/resistance feedback signals are obtained; a fingerprint image is drawn from the feedback signal values using different image processing algorithms; and, on the basis of this fingerprint image, fingerprint recognition software extracts the fingerprint characteristic and compares fingerprint feature codes.
Step S402: The user accesses the login interface of the desktop cloud system through the client, enters the account on the login interface, and inputs the fingerprint characteristic through the fingerprint instrument.
Step S403: The client sends the account and fingerprint characteristic to the desktop cloud access gateway through the desktop authentication protocol.
Step S404: The desktop cloud access gateway sends the domain name, account and fingerprint characteristic to the certificate server for fingerprint characteristic authentication.
Step S405: After receiving the domain name, account and fingerprint characteristic, the certificate server queries the fingerprint base according to the domain name and account to obtain the correct fingerprint corresponding to the domain name and account, and compares the received fingerprint characteristic with the correct fingerprint. If they are consistent, the fingerprint is correct, and a first authentication result indicating that fingerprint characteristic authentication succeeded is returned to the desktop cloud access gateway; if they are inconsistent, the fingerprint is incorrect, and a first authentication result indicating that fingerprint characteristic authentication failed is returned to the desktop cloud access gateway.
It should be noted that the certificate server includes a fingerprint base. The fingerprint base stores, for each user, the correspondence among domain name, account and correct fingerprint characteristic. To perform fingerprint authentication for a user, it is only necessary to look up the fingerprint base using the domain name and account provided by that user and find the correct fingerprint characteristic corresponding to the domain name and account. If the new fingerprint characteristic provided by the user at this login is consistent with the correct fingerprint characteristic found by the lookup, the new fingerprint characteristic is correct and fingerprint authentication succeeds; otherwise, fingerprint authentication fails.
Specifically, the correspondence among a user's domain name, account and correct fingerprint characteristic in the fingerprint base can be obtained through a conventional registration process. For example, the user accesses the registration interface of the desktop cloud system through the client and enters the account and fingerprint characteristic in the registration interface. The client sends the account and fingerprint characteristic to the desktop cloud access gateway, and the desktop cloud access gateway sends them to the certificate server, where they are stored in the fingerprint base.
Step S406: The desktop cloud access gateway receives the first authentication result returned by the certificate server. When the first authentication result is that fingerprint characteristic authentication succeeded, it returns the virtual machine list corresponding to the account to the client, and the method proceeds to step S407; when the first authentication result is that fingerprint characteristic authentication failed, it returns authentication failure information to the client, and the method proceeds to step S408.
Step S407: After receiving the virtual machine list, the client presents it to the user; the user selects a virtual machine, establishes a connection through the desktop control protocol, and begins normal use.
Step S408: The client presents the authentication failure information to the user and notifies the user to re-enter the account and fingerprint characteristic.
Specifically, if the client receives authentication failure information, the client notifies the user that fingerprint authentication failed and, through the login interface, requires the user to input the fingerprint characteristic again using the fingerprint instrument.
In the method of Embodiment 3 of the present invention, the user's domain name, account and fingerprint characteristic are stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the domain name, account and fingerprint characteristic entered by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing the fingerprint characteristic on the local client, the method of this embodiment effectively reduces the risk of user information leakage and improves the protection of user information security in desktop cloud application scenarios.
It should further be noted that, in step S407, after the user has selected a virtual machine, established a connection through the desktop control protocol and begun normal use, if the user does not operate the virtual machine within a certain time, the virtual machine enters the standby state and locks its screen. If the user then activates the system so that the virtual machine exits the screen-lock state, the user must perform security authentication again to ensure the safety of user information.
Specifically, in the method of Embodiment 3 of the present invention, after step S407 the method may further include:
Step S409: After the user successfully logs in to the desktop cloud system, the client maps the fingerprint instrument into the virtual machine selected by the user through the desktop control protocol.
Step S410: After receiving the activate-system instruction entered by the user, the client displays a fingerprint input interface to the user, receives the account entered by the user and the fingerprint characteristic for unlocking the screen, and sends them to the virtual machine through the desktop control protocol.
Specifically, the activate-system instruction entered by the user may typically be "Ctrl+Alt+Del". Of course, the instruction may also be set by the user according to specific needs; the embodiment of the present invention does not limit this.
Step S411: When the virtual machine receives the account and the fingerprint characteristic for unlocking the screen, it sends the user's domain name, account and fingerprint characteristic to the certificate server for fingerprint characteristic authentication.
Step S412: After receiving the domain name, account and fingerprint characteristic, the certificate server queries the fingerprint base according to the domain name and account to obtain the correct fingerprint corresponding to the domain name and account, and compares the received screen-unlock fingerprint characteristic with the correct fingerprint. If they are consistent, the fingerprint is correct, and a screen-unlock authentication result indicating that authentication of the screen-unlock fingerprint characteristic succeeded is returned to the virtual machine; if they are inconsistent, the fingerprint is incorrect, and a screen-unlock authentication result indicating that authentication of the screen-unlock fingerprint characteristic failed is returned to the virtual machine.
Step S413: The virtual machine receives the screen-unlock authentication result returned by the certificate server. When the result is that authentication of the screen-unlock fingerprint characteristic succeeded, it notifies the client to allow the user to log in, and the method proceeds to step S414; when the result is that authentication of the screen-unlock fingerprint characteristic failed, it returns authentication failure information to the client, and the method proceeds to step S415.
Step S414: The client allows the user to log in and operate the virtual machine normally.
Step S415: The client presents the authentication failure information to the user and notifies the user to re-enter the account and fingerprint characteristic.
The method of the above embodiment further specifies that, after the virtual machine has entered standby and locked its screen, a user who wants to activate the virtual machine and make it exit the screen-lock state still has to perform fingerprint authentication. This fingerprint authentication is not carried out on the local client. Instead, the client sends the user's account and fingerprint characteristic through the virtual machine to the certificate server, and the certificate server still performs the fingerprint authentication. This effectively reduces the risk of user information leakage and improves the protection of user information security in desktop cloud application scenarios.
Embodiment 4 below describes in detail the specific process when the method of the embodiments of the present invention uses dual authentication. In Embodiment 4 of the present invention, the second authentication information is specifically a password. Of course, the client and the password are used here only as an example; in other embodiments of the present invention, the client may be, but is not limited to, a thin terminal, and the second authentication information may be, but is not limited to, a password.
Referring to Fig. 5, which is a flowchart of the security authentication method of the desktop cloud system according to Embodiment 4 of the present invention. As shown in Fig. 5, the method may include the following steps:
Step S501: A fingerprint instrument device is connected to the client.
Step S502: The user accesses the login interface of the desktop cloud system through the client, enters the account and password on the login interface, and inputs the fingerprint characteristic through the fingerprint instrument.
Step S503: The client sends the account, password and fingerprint characteristic to the desktop cloud access gateway through the desktop authentication protocol.
Step S504: The desktop cloud access gateway sends the domain name, account and fingerprint characteristic to the certificate server for fingerprint characteristic authentication; at the same time, it sends the domain name, account and password to the certificate server for account and password authentication.
Step S505: After receiving the domain name, account and fingerprint characteristic, the certificate server queries the fingerprint base according to the domain name and account to obtain the correct fingerprint corresponding to the domain name and account, and compares the received fingerprint characteristic with the correct fingerprint. If they are consistent, the fingerprint is correct, and a first authentication result indicating that fingerprint characteristic authentication succeeded is returned to the desktop cloud access gateway; if they are inconsistent, the fingerprint is incorrect, and a first authentication result indicating that fingerprint characteristic authentication failed is returned to the desktop cloud access gateway.
Step S506: After receiving the domain name, account and password, the certificate server queries the password library according to the domain name and account to obtain the correct password corresponding to the domain name and account, and compares the received password with the correct password. If they are consistent, the password is correct, and a second authentication result indicating that password authentication succeeded is returned to the desktop cloud access gateway; if they are inconsistent, the password is incorrect, and a second authentication result indicating that password authentication failed is returned to the desktop cloud access gateway.
It should be noted that the certificate server also includes a password library. The password library stores, for each user, the correspondence among domain name, account and correct password. To perform password authentication for a user, it is only necessary to look up the password library using the domain name and account provided by that user and find the correct password corresponding to the domain name and account. If the new password provided by the user at this login is consistent with the correct password found by the lookup, the new password is correct and password authentication succeeds; otherwise, password authentication fails.
Specifically, the correspondence among a user's domain name, account and correct password in the password library can be obtained through a conventional registration process. For example, the user accesses the registration interface of the desktop cloud system through the client and enters the account and password in the registration interface. The client sends the account and password to the desktop cloud access gateway, and the desktop cloud access gateway sends them to the certificate server, where they are stored in the password library.
It should be noted that, in a practical implementation, step S505 and step S506 need not be performed in any particular order; the two may be performed simultaneously, or either one may be performed before the other.
In practical applications, password authentication and fingerprint authentication may be implemented by different functional modules of the same certificate server; of course, two certificate servers may also be provided to perform password authentication and fingerprint authentication respectively. The above applies equally where the second authentication information is some other information.
Step S507: The desktop cloud access gateway receives the password authentication result and the fingerprint characteristic authentication result returned by the certificate server. When both returned authentication results are authentication success, it returns the virtual machine list corresponding to the account to the client, and the method proceeds to step S508; when either or both of the returned authentication results are authentication failure, it returns authentication failure information to the client, and the method proceeds to step S509.
Step S508: After receiving the virtual machine list, the client presents it to the user; the user selects a virtual machine, establishes a connection through the desktop control protocol, and begins normal use.
Step S509: The client presents the authentication failure information to the user and notifies the user to re-enter the authentication information corresponding to the failed authentication type.
For example, if password authentication fails, the client notifies the user that password authentication failed and, through the login interface, requires the user to re-enter the password; if fingerprint characteristic authentication fails, the client notifies the user that fingerprint characteristic authentication failed and, through the login interface, requires the user to input the fingerprint characteristic again using the fingerprint instrument; if both password and fingerprint authentication fail, the client notifies the user that both failed and, through the login interface, requires the user to re-enter the password and to input the fingerprint characteristic again using the fingerprint instrument.
In the method of Embodiment 4 of the present invention, the user's domain name, account, fingerprint characteristic and password are stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the domain name, account, fingerprint characteristic and password entered by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing the password, fingerprint characteristic and the like on the local client, the method of this embodiment effectively reduces the risk of user information leakage and improves the protection of user information security in desktop cloud application scenarios.
Meanwhile, the method of Embodiment 4 of the present invention uses a dual authentication mechanism: when logging in to the desktop cloud system the user must provide both the password and the fingerprint characteristic, and login is allowed only when both password authentication and fingerprint authentication succeed; if either one does not pass, or both do not pass, login is not allowed. The security of the method of Embodiment 2 of the present invention is therefore higher: because fingerprint authentication must be passed, even if the user's account and password are leaked, others cannot log in using the account and password, which improves the protection of user information security in desktop cloud application scenarios.
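The Embodiment 4 login decision (steps S504 to S507 and S509) as an added Python example; it is not code from the patent. The class and function names, the Jaccard set-overlap matcher standing in for "compare for consistency", the salted PBKDF2 hashes in the password library, the domain `corp.example` and the minutiae values are all assumptions or constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MATCH_THRESHOLD = 0.8    # assumed similarity needed for a fingerprint "match"
PBKDF2_ROUNDS = 100_000  # assumed work factor for the password library


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class CertificateServer:
    """Holds the fingerprint base and password library, keyed by (domain, account)."""
    fingerprint_base: dict = field(default_factory=dict)
    password_library: dict = field(default_factory=dict)

    def register(self, domain, account, minutiae, password):
        salt = os.urandom(16)
        self.fingerprint_base[(domain, account)] = frozenset(minutiae)
        self.password_library[(domain, account)] = (salt, _pw_hash(password, salt))

    def check_fingerprint(self, domain, account, minutiae) -> bool:  # S505
        enrolled = self.fingerprint_base.get((domain, account))
        probe = frozenset(minutiae)
        if not enrolled or not probe:
            return False  # unknown account or empty scan: fail closed
        # Jaccard similarity, so padding the probe with extra points lowers the score.
        return len(enrolled & probe) / len(enrolled | probe) >= MATCH_THRESHOLD

    def check_password(self, domain, account, password) -> bool:  # S506
        # Unknown accounts are hashed against a dummy salt so they cost the same work.
        salt, stored = self.password_library.get((domain, account), (b"\0" * 16, b""))
        return hmac.compare_digest(_pw_hash(password, salt), stored)


@dataclass(frozen=True)
class LoginResult:
    passed: bool
    failed_factors: tuple  # what the client must ask the user to re-enter (S509)
    vm_list: tuple         # returned only when both factors succeed (S507)


class AccessGateway:
    def __init__(self, server: CertificateServer, vm_lists: dict):
        self.server = server
        self.vm_lists = vm_lists

    def login(self, domain, account, minutiae, password) -> LoginResult:  # S504, S507
        # Both checks always run; S505 and S506 may execute in either order.
        results = {
            "fingerprint": self.server.check_fingerprint(domain, account, minutiae),
            "password": self.server.check_password(domain, account, password),
        }
        failed = tuple(name for name, ok in results.items() if not ok)
        if failed:
            return LoginResult(False, failed, ())
        return LoginResult(True, (), tuple(self.vm_lists.get((domain, account), ())))


# Constructed sample data: minutiae as (x, y, angle) tuples, not real biometric output.
ENROLLED = [(i * 7, i * 11, (i * 13) % 360) for i in range(10)]
FRESH_SCAN = ENROLLED[:9]  # same finger, one minutia missed by the reader
OTHER_FINGER = [(i * 5 + 1, i * 3 + 2, 90) for i in range(10)]


def build_demo_gateway() -> AccessGateway:
    server = CertificateServer()
    server.register("corp.example", "alice", ENROLLED, "correct horse battery")
    return AccessGateway(server, {("corp.example", "alice"): ("vm-01", "vm-02")})


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.login("corp.example", "alice", FRESH_SCAN, "correct horse battery"))
    # Leaked account and password, wrong finger: no virtual machine list is returned.
    print(gw.login("corp.example", "alice", OTHER_FINGER, "correct horse battery"))
```

The second call models the leaked-credential case the text describes: the password check succeeds, the fingerprint check fails, and the gateway withholds the virtual machine list.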
Corresponding to the security authentication method of the desktop cloud system provided by the embodiments of the present invention, an embodiment of the present invention also provides a desktop cloud access gateway.
Referring to Fig. 6, which is a structure chart of the desktop cloud access gateway provided by an embodiment of the present invention. The desktop cloud access gateway includes:
A receiving unit U101, configured to receive the account and fingerprint characteristic of the user sent by the client.
A transmitting unit U102, configured to send the account of the user and the fingerprint characteristic to the certificate server.
The receiving unit U101 is further configured to receive the first authentication result returned by the certificate server.
With the desktop cloud access gateway of this embodiment of the present invention, the user's account and fingerprint characteristic are stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the account and fingerprint characteristic entered by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing the fingerprint characteristic on the local client, this embodiment effectively reduces the risk of user information leakage and improves the protection of user information security in desktop cloud application scenarios.
Further, the desktop cloud access gateway may also include a processing unit U103, wherein:
The receiving unit U101 is further configured to receive the account and second authentication information of the user sent by the client.
The transmitting unit U102 is further configured to send the account of the user and the second authentication information to the certificate server.
The receiving unit U101 is further configured to receive the second authentication result returned by the certificate server.
The processing unit U103 is configured to determine that authentication passes if the first authentication result returned by the certificate server is that fingerprint characteristic authentication succeeded and the second authentication result is that second authentication information authentication succeeded, and to determine that authentication does not pass if at least one of the first authentication result and the second authentication result returned by the certificate server is an authentication failure.
It should be noted that the second authentication information may include: a password, a dynamic password, a user private key or a biological characteristic. The biological characteristic may include: an iris feature, a retinal feature, a facial feature or a vein pattern.
An embodiment of the present invention also provides a certificate server. Referring to Fig. 7, which shows the certificate server provided by an embodiment of the present invention, the certificate server may include: a receiving unit U201, a fingerprint base U202, a transmitting unit U203 and a processing unit U204.
The receiving unit U201 is configured to receive the account and fingerprint characteristic of the user sent by the desktop cloud access gateway.
The processing unit U204 is configured to query the fingerprint base according to the user's account to obtain the correct fingerprint corresponding to that account, and to compare the received fingerprint characteristic with the correct fingerprint; if they are consistent, a first authentication result indicating that fingerprint characteristic authentication succeeded is sent to the desktop cloud access gateway through the transmitting unit; otherwise, a first authentication result indicating that fingerprint characteristic authentication failed is sent to the desktop cloud access gateway.
In this embodiment of the present invention, the user's account and fingerprint characteristic are stored on the certificate server. When the user logs in to the desktop cloud system, the certificate server receives the user account and fingerprint characteristic sent by the desktop cloud access gateway and performs security authentication. Compared with the existing approach of storing the fingerprint characteristic on the local client, this embodiment effectively reduces the risk of user information leakage and improves the protection of user information security in desktop cloud application scenarios.
Further, the certificate server may also include a second authentication information base, wherein:
The receiving unit U201 is further configured to receive the account and second authentication information of the user sent by the desktop cloud access gateway.
The processing unit U204 is further configured to query the second authentication information base according to the user's account to obtain the correct second authentication information corresponding to that account, and to compare the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, a second authentication result indicating that second authentication information authentication succeeded is sent to the desktop cloud access gateway through the transmitting unit; otherwise, a second authentication result indicating that second authentication information authentication failed is sent to the desktop cloud access gateway through the transmitting unit.
It should be noted that the second authentication information may include: a dynamic password, a user private key or a biological characteristic. The biological characteristic may include: an iris feature, a retinal feature, a facial feature or a vein pattern.
Further, the receiving unit U201 is further configured to receive the user's account and a fingerprint feature for activating the locked screen, sent by a virtual machine.
The processing unit U204 is further configured to query the fingerprint base according to the user's account to obtain the correct fingerprint corresponding to the user's account, and to compare the fingerprint feature for activating the locked screen with the correct fingerprint. If they are consistent, a lock-screen activation authentication result indicating that authentication of that fingerprint feature succeeded is sent to the virtual machine through the sending unit; if they are inconsistent, a lock-screen activation authentication result indicating that authentication of that fingerprint feature failed is sent to the virtual machine through the sending unit.
An embodiment of the present invention also provides a desktop cloud system. Fig. 8 is a structural diagram of the desktop cloud system provided by an embodiment of the present invention. The desktop cloud system includes a client U10, a desktop cloud access gateway U20, and a certificate server U30.
The client U10 is configured to receive the account and fingerprint feature entered by the user and send them to the desktop cloud access gateway U20.
The desktop cloud access gateway U20 is configured to receive the user's account and the fingerprint feature sent by the client U10; send the user's account and the fingerprint feature to the certificate server U30; and receive the first authentication result returned by the certificate server U30. If the first authentication result is that fingerprint feature authentication succeeded, the gateway determines that authentication passes and sends a message allowing login to the client U10; if the first authentication result is that fingerprint feature authentication failed, the gateway determines that authentication does not pass and sends a re-authentication message to the client U10.
The certificate server U30 includes a fingerprint base. The certificate server U30 is configured to receive the user's account and the fingerprint feature sent by the desktop cloud access gateway U20; query the fingerprint base according to the user's account to obtain the correct fingerprint corresponding to the user's account; and compare the received fingerprint feature with the correct fingerprint. If they are consistent, it sends a first authentication result indicating that fingerprint feature authentication succeeded to the desktop cloud access gateway U20; otherwise, it sends a first authentication result indicating that fingerprint feature authentication failed to the desktop cloud access gateway U20.
Further,
The client U10 is further configured to receive the user's account and second authentication information and send them to the desktop cloud access gateway U20.
The desktop cloud access gateway U20 is further configured to receive the user's account and second authentication information sent by the client U10, and to send the user's account and the second authentication information to the certificate server U30.
The certificate server U30 is further configured to receive the user's account and second authentication information sent by the desktop cloud access gateway U20; query the second authentication information base according to the user's account to obtain the correct second authentication information corresponding to the user's account; and compare the received second authentication information with the correct second authentication information. If the received second authentication information is consistent with the correct second authentication information, it sends a second authentication result indicating that second authentication information authentication succeeded to the desktop cloud access gateway U20; otherwise, it sends a second authentication result indicating that second authentication information authentication failed to the desktop cloud access gateway U20.
The desktop cloud access gateway U20 is further configured to receive the second authentication result returned by the certificate server U30. If the first authentication result returned by the certificate server U30 is that fingerprint feature authentication succeeded and the second authentication result is that second authentication information authentication succeeded, the gateway determines that authentication passes and sends a message allowing login to the client U10; if at least one of the first authentication result and the second authentication result returned by the certificate server U30 is an authentication failure, the gateway determines that authentication does not pass.
It should be noted that the second authentication information includes a dynamic password, a user private key, or a biometric feature; the biometric feature includes an iris feature, a retinal feature, a facial feature, or a vein feature.
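The gateway and certificate server exchange described above, as an added Python example (not code from the patent): the server checks the fingerprint feature and the second authentication information per account, and the gateway allows login, returning the account's virtual machine list mentioned in the claims, only when both results are success. The bit-string template, the Hamming-distance threshold standing in for "consistent", the constant-time comparison, and all names and sample values are assumptions of this example.

```python
import hmac
from dataclasses import dataclass

# Assumptions of this example: a fingerprint feature is a 64-bit template and
# "consistent" means at most MATCH_THRESHOLD differing bits. The patent does
# not specify a template format or a matching rule.
MATCH_THRESHOLD = 8


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


@dataclass
class CertificateServer:
    fingerprint_base: dict   # account -> enrolled template (int)
    second_auth_base: dict   # account -> correct second authentication info (bytes)

    def first_authentication(self, account: str, fingerprint: int) -> bool:
        """Account-keyed lookup, then comparison with the correct fingerprint."""
        enrolled = self.fingerprint_base.get(account)
        if enrolled is None:
            return False     # unknown account: nothing to compare against
        return hamming(enrolled, fingerprint) <= MATCH_THRESHOLD

    def second_authentication(self, account: str, second_info: bytes) -> bool:
        """Compare the received second factor with the stored one."""
        known = account in self.second_auth_base
        expected = self.second_auth_base.get(account, b"")
        # compare_digest avoids leaking the position of the first mismatch
        return hmac.compare_digest(second_info, expected) and known


@dataclass
class AccessGateway:
    server: CertificateServer
    vm_lists: dict           # account -> virtual machine names

    def login(self, account, fingerprint, second_info=None, require_second=False):
        """Relay both factors; pass only if every required result is success."""
        first_ok = self.server.first_authentication(account, fingerprint)
        second_ok = True
        if require_second:
            second_ok = (second_info is not None and
                         self.server.second_authentication(account, second_info))
        if first_ok and second_ok:
            return {"allowed": True, "vm_list": list(self.vm_lists.get(account, []))}
        # The reply does not say which factor failed.
        return {"allowed": False, "vm_list": []}


# Constructed sample data (not from the patent).
ENROLLED = 0xA5A5F00D12345678
GENUINE_PROBE = ENROLLED ^ 0b111          # 3 bits of sensor noise
IMPOSTOR_PROBE = ENROLLED ^ 0xFFFFFFFF    # 32 differing bits
DYNAMIC_PASSWORD = b"492817"


def demo_gateway() -> AccessGateway:
    server = CertificateServer(
        fingerprint_base={"alice": ENROLLED},
        second_auth_base={"alice": DYNAMIC_PASSWORD},
    )
    return AccessGateway(server=server, vm_lists={"alice": ["vm-alice-01"]})


if __name__ == "__main__":
    gw = demo_gateway()
    print(gw.login("alice", GENUINE_PROBE, DYNAMIC_PASSWORD, require_second=True))
    print(gw.login("alice", GENUINE_PROBE, b"000000", require_second=True))
    print(gw.login("alice", IMPOSTOR_PROBE, DYNAMIC_PASSWORD, require_second=True))
```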
Further,
The system also includes a desktop cloud server, and the desktop cloud server runs at least one virtual machine.
The client U10 is further configured to receive the user's account and a fingerprint feature for activating the locked screen, and to send the user's account and the fingerprint feature for activating the locked screen to a first virtual machine on the desktop cloud server. The first virtual machine is configured to receive the user's account and the fingerprint feature for activating the locked screen sent by the client U10, and to send the user's account and the fingerprint feature for activating the locked screen to the certificate server U30.
The certificate server U30 is configured to receive the user's account and the fingerprint feature for activating the locked screen sent by the first virtual machine; query the fingerprint base according to the user's account to obtain the correct fingerprint corresponding to the user's account; and compare the received fingerprint feature for activating the locked screen with the correct fingerprint. If they are consistent, it sends to the first virtual machine a lock-screen activation authentication result indicating that authentication of that fingerprint feature succeeded; otherwise, it sends to the first virtual machine a lock-screen activation authentication result indicating that authentication of that fingerprint feature failed.
The first virtual machine is configured to receive the authentication result for the fingerprint feature for activating the locked screen.
An embodiment of the present invention may also include a security authentication method for a desktop cloud system in which the certificate server stores the fingerprint features of all users that the desktop cloud system allows to log in. When a user needs to log in to the system, the client only needs to ask the current user to enter a fingerprint feature and send that fingerprint feature to the certificate server through the desktop cloud access gateway. The certificate server searches the fingerprint base according to the fingerprint feature and determines whether the fingerprint feature exists in the fingerprint base. If it does, the current user is one of the users the system allows to log in, and fingerprint authentication passes; otherwise, the current user is not one of the users the system allows to log in, and fingerprint authentication fails.
Specifically, Fig. 9 is a flowchart of the security authentication method of the desktop cloud system according to Embodiment 5 of the present invention. As shown in Fig. 9, the method may include:
Step S901: The desktop cloud access gateway receives the fingerprint feature of the current user sent by the client.
Step S902: The gateway sends the fingerprint feature of the current user to the certificate server.
Step S903: The gateway receives the first authentication result returned by the certificate server.
Preferably, in the method of Embodiment 5 of the present invention, the certificate server may also store the account and password information of all users that the desktop cloud system allows to log in, and for each user, the user's account and password information correspond one-to-one with the user's fingerprint feature. Therefore, after the certificate server confirms that the user is one the system allows to log in, it can find the user's account and password information according to the user's fingerprint feature and return them to the client through the desktop cloud access gateway. Specifically, the method may also include: when the authentication result returned by the certificate server is authentication success, the authentication result also includes the account and password corresponding to the fingerprint feature.
Then, in step S903, if the first authentication result returned by the certificate server is that fingerprint feature authentication succeeded, the first authentication result also includes the account and password of the user corresponding to the fingerprint feature.
Preferably, the method of Embodiment 5 of the present invention can also perform dual authentication of the current user to further ensure the security of user information. Specifically:
The gateway receives the user's account and second authentication information sent by the client, and sends the user's account and the second authentication information to the certificate server. If the first authentication result returned by the certificate server is that fingerprint feature authentication succeeded and the second authentication result is that second authentication information authentication succeeded, it determines that authentication passes; if at least one of the first authentication result and the second authentication result returned by the certificate server is an authentication failure, it determines that authentication does not pass.
It should be noted that the second authentication information includes a password, a dynamic password, a user private key, or a biometric feature; the biometric feature includes an iris feature, a retinal feature, a facial feature, or a vein feature.
In this embodiment of the present invention, the user's fingerprint feature is stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the fingerprint feature entered by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing the fingerprint feature on the local client, this embodiment can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud application scenarios.
Fig. 10 is a flowchart of the security authentication method of the desktop cloud system according to Embodiment 6 of the present invention. As shown in Fig. 10, the method may include:
Step S1001: The certificate server receives the fingerprint feature of the current user sent by the desktop cloud access gateway.
Step S1002: The certificate server queries the fingerprint base and determines whether the fingerprint feature exists in the fingerprint base. If the fingerprint feature exists in the fingerprint base, it sends a first authentication result indicating that fingerprint feature authentication succeeded to the desktop cloud access gateway; otherwise, it sends a first authentication result indicating that fingerprint feature authentication failed to the desktop cloud access gateway.
In Embodiment 6 of the present invention, the certificate server includes a fingerprint base, which stores the fingerprint features of all users that the desktop cloud system allows to log in. When a user needs to log in to the system, the client only needs to ask the current user to enter a fingerprint feature and send that fingerprint feature to the certificate server through the desktop cloud access gateway. The certificate server searches the fingerprint base according to the fingerprint feature and determines whether the fingerprint feature exists in the fingerprint base. If it does, the current user is one of the users the system allows to log in, and fingerprint authentication passes; otherwise, the current user is not one of the users the system allows to log in, and fingerprint authentication fails.
Preferably, in the method of Embodiment 6 of the present invention, the fingerprint base may also store the account and password information of all users that the desktop cloud system allows to log in, and for each user, the user's account and password information correspond one-to-one with the user's fingerprint feature. Therefore, after the certificate server confirms that the user is one the system allows to log in, it can find the user's account and password information according to the user's fingerprint feature and return them to the client through the desktop cloud access gateway. Specifically, when it is determined that the fingerprint feature exists in the fingerprint base, the method further includes: finding the account and password of the user corresponding to the fingerprint feature, and sending the account and password to the desktop cloud access gateway.
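The fingerprint-only lookup of Embodiment 6, as an added Python example (not code from the patent): the server searches the whole fingerprint base and resolves an account only when exactly one enrolled template matches, which is what the one-to-one correspondence between fingerprint feature and account requires. The template format, the matching threshold, the result field names and the sample values are assumptions; returning the stored password is not modeled.

```python
from typing import Optional

# Assumption of this example: templates are 64-bit values and a probe matches
# an enrolled template when at most MATCH_THRESHOLD bits differ.
MATCH_THRESHOLD = 8


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def identify(fingerprint_base: dict, probe: int) -> Optional[str]:
    """Search every enrolled template; return the single matching account.

    Returns None when no template matches, and also when more than one does:
    an ambiguous probe cannot be mapped one-to-one onto an account.
    """
    matches = [account for account, enrolled in fingerprint_base.items()
               if hamming(enrolled, probe) <= MATCH_THRESHOLD]
    if len(matches) != 1:
        return None
    return matches[0]


def first_authentication_result(fingerprint_base: dict, probe: int) -> dict:
    """Build the first authentication result sent back to the gateway."""
    account = identify(fingerprint_base, probe)
    if account is None:
        return {"fingerprint_auth": "failure"}
    return {"fingerprint_auth": "success", "account": account}


# Constructed sample data (not from the patent).
ALICE = 0xA5A5F00D12345678
BOB = 0x0F0F33CC55AA9911
FINGERPRINT_BASE = {"alice": ALICE, "bob": BOB}

# A second base in which two enrolled templates are only 4 bits apart, so a
# probe lying between them matches both.
CROWDED_BASE = {"alice": ALICE, "carol": ALICE ^ 0b1111}

if __name__ == "__main__":
    print(first_authentication_result(FINGERPRINT_BASE, ALICE ^ 0b101))
    print(first_authentication_result(FINGERPRINT_BASE, ALICE ^ 0xFFFFFFFF00000000))
    print(first_authentication_result(CROWDED_BASE, ALICE ^ 0b0011))
```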
Preferably, the method of Embodiment 6 of the present invention can also perform dual authentication of the current user to further ensure the security of user information. Specifically:
The method further includes: receiving the user's account and second authentication information sent by the desktop cloud access gateway; querying the second authentication information base according to the user's account to obtain the correct second authentication information corresponding to the user's account; and comparing the received second authentication information with the correct second authentication information. If the received second authentication information is consistent with the correct second authentication information, a second authentication result indicating that second authentication information authentication succeeded is sent to the desktop cloud access gateway; otherwise, a second authentication result indicating that second authentication information authentication failed is sent to the desktop cloud access gateway.
It should be noted that the second authentication information includes a dynamic password, a user private key, or a biometric feature; the biometric feature includes an iris feature, a retinal feature, a facial feature, or a vein feature.
In this embodiment of the present invention, the user's fingerprint feature is stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the fingerprint feature entered by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing the fingerprint feature on the local client, this embodiment can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud application scenarios.
The security authentication method of a desktop cloud system, the desktop cloud access gateway, the certificate server, and the desktop cloud system provided by the present invention have been described in detail above. Specific examples are used herein to explain the principles and implementations of the present invention, and the description of the above embodiments is intended only to help in understanding the method of the present invention and its core idea. At the same time, a person of ordinary skill in the art may, in accordance with the idea of the present invention, make changes to the specific implementations and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.
A person of ordinary skill in the art will recognize that aspects of the present invention, or possible implementations of those aspects, may be embodied as a system, a method, or a computer program product. Accordingly, aspects of the present invention, or possible implementations of those aspects, may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, and so on), or an embodiment combining software and hardware aspects, all of which are referred to herein collectively as a "circuit", "module", or "system". In addition, aspects of the present invention, or possible implementations of those aspects, may take the form of a computer program product, which refers to computer-readable program code stored in a computer-readable medium.
The computer-readable medium may be a computer-readable signal medium or a computer-readable storage medium. Computer-readable storage media include, but are not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, devices, or apparatuses, or any appropriate combination of the foregoing, such as random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, and portable read-only memory (CD-ROM).
A processor in a computer reads the computer-readable program code stored in the computer-readable medium, so that the processor can perform the functional actions specified in each step, or combination of steps, of the flowcharts, and produce an apparatus that implements the functional actions specified in each block, or combination of blocks, of the block diagrams.
Claims (9)
1. A security authentication method for a desktop cloud system, characterized in that the method comprises:
a certificate server receiving the account and fingerprint feature of a user sent by a desktop cloud access gateway;
querying a fingerprint base according to the user's account to obtain the correct fingerprint corresponding to the user's account, and comparing the received fingerprint feature with the correct fingerprint; if they are consistent, sending a first authentication result indicating that fingerprint feature authentication succeeded to the desktop cloud access gateway; otherwise, sending a first authentication result indicating that fingerprint feature authentication failed to the desktop cloud access gateway, so that the desktop cloud access gateway can, when the first authentication result is that fingerprint feature authentication succeeded, return the virtual machine list corresponding to the account to the client;
receiving the user's account and a fingerprint feature for activating the locked screen, sent by a virtual machine; querying the fingerprint base according to the account to obtain the correct fingerprint corresponding to the account, and comparing the received fingerprint feature for activating the locked screen with the correct fingerprint; if they are consistent, returning to the virtual machine an authentication result indicating that authentication of the fingerprint feature for activating the locked screen succeeded; otherwise, returning to the virtual machine an authentication result indicating that authentication of the fingerprint feature for activating the locked screen failed.
2. The method according to claim 1, characterized in that the method further comprises:
receiving the user's account and second authentication information sent by the desktop cloud access gateway;
querying a second authentication information base according to the user's account to obtain the correct second authentication information corresponding to the user's account, and comparing the received second authentication information with the correct second authentication information;
if the received second authentication information is consistent with the correct second authentication information, sending a second authentication result indicating that second authentication information authentication succeeded to the desktop cloud access gateway; otherwise, sending a second authentication result indicating that second authentication information authentication failed to the desktop cloud access gateway.
3. The method according to claim 2, characterized in that the second authentication information includes: a dynamic password, a user private key, or a biometric feature;
the biometric feature includes: an iris feature, a retinal feature, a facial feature, or a vein feature.
4. A certificate server, characterized in that the certificate server comprises:
a receiving unit, configured to receive the account and fingerprint feature of a user sent by a desktop cloud access gateway;
a fingerprint base;
a sending unit;
a processing unit, configured to query the fingerprint base according to the user's account to obtain the correct fingerprint corresponding to the user's account, and to compare the received fingerprint feature with the correct fingerprint; if they are consistent, to send, through the sending unit, a first authentication result indicating that fingerprint feature authentication succeeded to the desktop cloud access gateway; otherwise, to send a first authentication result indicating that fingerprint feature authentication failed to the desktop cloud access gateway, so that the desktop cloud access gateway can, when the first authentication result is that fingerprint feature authentication succeeded, return the virtual machine list corresponding to the account to the client;
the receiving unit being further configured to receive the user's account and a fingerprint feature for activating the locked screen, sent by a virtual machine;
the processing unit being further configured to compare the received fingerprint feature for activating the locked screen with the correct fingerprint; if they are consistent, to return to the virtual machine an authentication result indicating that authentication of the fingerprint feature for activating the locked screen succeeded; otherwise, to return to the virtual machine an authentication result indicating that authentication of the fingerprint feature for activating the locked screen failed.
5. The certificate server according to claim 4, characterized by further comprising a second authentication information base, wherein:
the receiving unit is further configured to receive the user's account and second authentication information sent by the desktop cloud access gateway;
the processing unit is further configured to query the second authentication information base according to the user's account to obtain the correct second authentication information corresponding to the user's account, and to compare the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, to send, through the sending unit, a second authentication result indicating that second authentication information authentication succeeded to the desktop cloud access gateway; otherwise, to send, through the sending unit, a second authentication result indicating that second authentication information authentication failed to the desktop cloud access gateway.
6. The certificate server according to claim 5, characterized in that the second authentication information includes: a dynamic password, a user private key, or a biometric feature;
the biometric feature includes: an iris feature, a retinal feature, a facial feature, or a vein feature.
7. A desktop cloud system, characterized in that the system comprises: a client, a desktop cloud access gateway, and a certificate server;
the client is configured to receive the account and fingerprint feature entered by a user and send them to the desktop cloud access gateway;
the desktop cloud access gateway is configured to receive the user's account and the fingerprint feature sent by the client; send the user's account and the fingerprint feature to the certificate server; receive the first authentication result returned by the certificate server; if the first authentication result is that fingerprint feature authentication succeeded, determine that authentication passes, send a message allowing login to the client, and return the virtual machine list corresponding to the account to the client; if the first authentication result is that fingerprint feature authentication failed, determine that authentication does not pass and send a re-authentication message to the client;
the certificate server includes a fingerprint base, and the certificate server is configured to receive the user's account and the fingerprint feature sent by the desktop cloud access gateway; query the fingerprint base according to the user's account to obtain the correct fingerprint corresponding to the user's account, and compare the received fingerprint feature with the correct fingerprint; if they are consistent, send a first authentication result indicating that fingerprint feature authentication succeeded to the desktop cloud access gateway; otherwise, send a first authentication result indicating that fingerprint feature authentication failed to the desktop cloud access gateway;
the client is further configured to present the virtual machine list to the user after receiving it;
the certificate server is further configured to receive the user's account and a fingerprint feature for activating the locked screen, sent by a virtual machine; query the fingerprint base according to the account to obtain the correct fingerprint corresponding to the account, and compare the received fingerprint feature for activating the locked screen with the correct fingerprint; if they are consistent, return to the virtual machine an authentication result indicating that authentication of the fingerprint feature for activating the locked screen succeeded, so as to activate the virtual machine; otherwise, return to the virtual machine an authentication result indicating that authentication of the fingerprint feature for activating the locked screen failed.
8. The desktop cloud system according to claim 7, characterized in that:
the client is further configured to receive the user's account and second authentication information, and to send the user's account and second authentication information to the desktop cloud access gateway;
the desktop cloud access gateway is further configured to receive the user's account and second authentication information sent by the client, and to send the user's account and the second authentication information to the certificate server;
the certificate server is further configured to receive the user's account and second authentication information sent by the desktop cloud access gateway; query a second authentication information base according to the user's account to obtain the correct second authentication information corresponding to the user's account, and compare the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, send a second authentication result indicating that second authentication information authentication succeeded to the desktop cloud access gateway; otherwise, send a second authentication result indicating that second authentication information authentication failed to the desktop cloud access gateway;
the desktop cloud access gateway is further configured to receive the second authentication result returned by the certificate server; if the first authentication result returned by the certificate server is that fingerprint feature authentication succeeded and the second authentication result is that second authentication information authentication succeeded, determine that authentication passes and send a message allowing login to the client; if at least one of the first authentication result and the second authentication result returned by the certificate server is an authentication failure, determine that authentication does not pass.
9. The desktop cloud system according to claim 8, characterized in that the second authentication information includes: a dynamic password, a user private key, or a biometric feature;
the biometric feature includes: an iris feature, a retinal feature, a facial feature, or a vein feature.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210592285.3A CN103067397B (en) | 2012-12-31 | 2012-12-31 | A kind of safety certifying method of desktop cloud system, access gateway and certificate server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103067397A CN103067397A (en) | 2013-04-24 |
CN103067397B true CN103067397B (en) | 2017-06-13 |
Family
ID=48109859
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210592285.3A Active CN103067397B (en) | 2012-12-31 | 2012-12-31 | A kind of safety certifying method of desktop cloud system, access gateway and certificate server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103067397B (en) |
Families Citing this family (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103237030A (en) * | 2013-04-25 | 2013-08-07 | 深圳市中兴移动通信有限公司 | Biological recognition-based user authentication method and system |
CN105282092A (en) * | 2014-06-10 | 2016-01-27 | 中兴通讯股份有限公司 | Virtual desktop authentication method, terminal and server |
CN105187362B (en) * | 2014-06-23 | 2020-01-10 | 中兴通讯股份有限公司 | Method and device for connection authentication between desktop cloud client and server |
CN104038509B (en) * | 2014-07-03 | 2019-03-15 | 南昌欧菲生物识别技术有限公司 | Finger print identifying cloud system |
CN104135489A (en) * | 2014-08-13 | 2014-11-05 | 百度在线网络技术(北京)有限公司 | Login authentication method and device |
CN104283879B (en) * | 2014-10-09 | 2018-07-31 | 广州杰赛科技股份有限公司 | Virtual machine remote connection method and system |
CN105991709A (en) * | 2015-02-11 | 2016-10-05 | 中国移动通信集团河南有限公司 | Cloud desktop account number management method and apparatus thereof |
CN106936760A (en) * | 2015-12-30 | 2017-07-07 | 航天信息股份有限公司 | A kind of apparatus and method of login Openstack cloud system virtual machines |
CN105763610B (en) * | 2016-02-19 | 2019-03-29 | 北京佰才邦技术有限公司 | Desktop cloud service providing method and device |
CN107291432A (en) * | 2016-04-01 | 2017-10-24 | 中兴通讯股份有限公司 | Cloud desktop management-control method, device and cloud desktop access method, device |
CN107360119A (en) * | 2016-05-09 | 2017-11-17 | 中兴通讯股份有限公司 | A kind of cloud desktop Sign-On authentication method, cloud desktop control system and client |
CN106330977A (en) * | 2016-10-28 | 2017-01-11 | 宇龙计算机通信科技(深圳)有限公司 | Fingerprint authentication method and related equipment |
CN106534219A (en) * | 2016-12-31 | 2017-03-22 | 中国移动通信集团江苏有限公司 | Security authentication method and device for desktop cloud portal |
CN106878023A (en) * | 2017-02-22 | 2017-06-20 | 福建升腾资讯有限公司 | A kind of method and system that cloud desktop is logined based on finger vein authentication |
CN107528842A (en) * | 2017-08-21 | 2017-12-29 | 合肥丹朋科技有限公司 | Website method for generating cipher code and device |
CN109728984B (en) * | 2018-11-26 | 2021-01-29 | 华为技术有限公司 | Access system, method and device |
CN109873805B (en) * | 2019-01-02 | 2021-06-25 | 平安科技(深圳)有限公司 | Cloud desktop login method, device, equipment and storage medium based on cloud security |
CN111966982A (en) * | 2020-07-23 | 2020-11-20 | 西安雷风电子科技有限公司 | Cloud desktop registration and login method and system based on biological characteristic authentication |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101714918A (en) * | 2009-10-23 | 2010-05-26 | 浙江维尔生物识别技术股份有限公司 | Safety system for logging in VPN and safety method for logging in VPN |
CN101764823A (en) * | 2010-01-28 | 2010-06-30 | 华为终端有限公司 | Authentication method, electronic equipment and authentication server |
CN101958792A (en) * | 2009-07-17 | 2011-01-26 | 华为技术有限公司 | Method and device for authenticating finger print of user |
CN102333065A (en) * | 2010-07-12 | 2012-01-25 | 戴元顺 | Cloud interaction protocol design |
CN102571359A (en) * | 2012-04-06 | 2012-07-11 | 上海凯卓信息科技有限公司 | Method for certificating cloud desktop based on smart card |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007280221A (en) * | 2006-04-10 | 2007-10-25 | Fujitsu Ltd | Authentication network system |
CN101267310B (en) * | 2008-05-04 | 2010-06-23 | 王琰 | Computer network access control system and method |
TWI476627B (en) * | 2012-05-11 | 2015-03-11 | Chunghwa Telecom Co Ltd | The management system and method of network service level and function of cloud virtual desktop application |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
TR01 | Transfer of patent right | Effective date of registration: 20220208. Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province. Patentee after: Huawei Cloud Computing Technology Co.,Ltd. Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen. Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. |