CN103067397B - Security authentication method for a desktop cloud system, access gateway, and authentication server - Google Patents


Publication number
CN103067397B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210592285.3A
Other languages
Chinese (zh)
Other versions
CN103067397A (en)
Inventor
林国仁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd

Abstract

An embodiment of the present invention discloses a security authentication method for a desktop cloud system, including: a desktop cloud access gateway receives the account and fingerprint feature of a user sent by a client; sends the user's account and the fingerprint feature to an authentication server; and receives a first authentication result returned by the authentication server. Embodiments of the present invention also provide a desktop cloud access gateway, an authentication server, and a desktop cloud system. With the embodiments of the present invention, the risk of user information leakage can be effectively reduced, and the protection of user information security in desktop cloud application scenarios is improved.

Description

Security authentication method for a desktop cloud system, access gateway, and authentication server
Technical Field
The present invention relates to the field of desktop cloud application technologies, and in particular to a security authentication method for a desktop cloud system, a desktop cloud access gateway, an authentication server, and a desktop cloud system.
Background
Desktop cloud means that applications and the entire user desktop can be accessed across platforms through a thin client or any other device connected to the network. In a desktop cloud system, a user needs only a thin client device, or any other device that can connect to the network, to access the personal desktop and the various applications residing on the server side through a dedicated program or a browser.
The security authentication method of existing desktop cloud systems is generally as follows: in a desktop cloud application scenario, the user inputs an account, password, fingerprint feature, or the like to the desktop cloud system for authentication. Once authentication succeeds, the desktop cloud system shows the user a list of the user's virtual machines (Virtual Machine, VM), and the user selects a virtual machine to enter.
The existing fingerprint authentication approach specifically includes: a fingerprint reader is connected to the local client, and the user's VM runs in a remote data center equipment room, while the user's domain name, account, password, fingerprint information, and so on are stored on the local thin client (TC). After the user inputs a fingerprint feature, the system obtains the corresponding domain name, account, password, and so on from the TC according to the fingerprint information, and performs desktop cloud system authentication with this information.
In this existing security authentication method, the user's domain name, account, password, fingerprint information, and so on are stored on the local TC, so the risk of user information being stolen is very high. Once information such as the user's account, password, or fingerprint is leaked, the security of the user's information cannot be guaranteed.
Summary of the Invention
The present invention provides a security authentication method for a desktop cloud system, a desktop cloud access gateway, an authentication server, and a desktop cloud system, which can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud application scenarios.
In a first aspect, a security authentication method for a desktop cloud system is provided. The method includes: a desktop cloud access gateway receives the account and fingerprint feature of a user sent by a client; sends the user's account and the fingerprint feature to an authentication server; and receives a first authentication result returned by the authentication server.
In a first possible implementation of the first aspect, the method further includes: receiving the user's account and second authentication information sent by the client; sending the user's account and the second authentication information to the authentication server; receiving a second authentication result returned by the authentication server; if the first authentication result returned by the authentication server is that the fingerprint feature authentication succeeded and the second authentication result is that the second authentication information authentication succeeded, determining that authentication passes; if at least one of the first authentication result and the second authentication result returned by the authentication server is an authentication failure, determining that authentication does not pass.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the second authentication information includes: a password, a dynamic password, a user private key, or a biometric feature; the biometric feature includes: an iris feature, a retinal feature, a facial feature, or a vein feature.
In a second aspect, a security authentication method for a desktop cloud system is provided. The method includes: an authentication server receives the account and fingerprint feature of a user sent by a desktop cloud access gateway; queries a fingerprint library according to the user's account to obtain the correct fingerprint corresponding to the user's account; and compares the received fingerprint feature with the correct fingerprint. If they are consistent, it sends a first authentication result indicating that the fingerprint feature authentication succeeded to the desktop cloud access gateway; otherwise, it sends a first authentication result indicating that the fingerprint feature authentication failed to the desktop cloud access gateway.
In a first possible implementation of the second aspect, the method further includes: receiving the user's account and second authentication information sent by the desktop cloud access gateway; querying a second authentication information library according to the user's account to obtain the correct second authentication information corresponding to the user's account; and comparing the received second authentication information with the correct second authentication information. If the received second authentication information is consistent with the correct second authentication information, a second authentication result indicating that the second authentication information authentication succeeded is sent to the desktop cloud access gateway; otherwise, a second authentication result indicating that the second authentication information authentication failed is sent to the desktop cloud access gateway.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the second authentication information includes: a dynamic password, a user private key, or a biometric feature; the biometric feature includes: an iris feature, a retinal feature, a facial feature, or a vein feature.
With reference to any one of the foregoing possible implementations of the second aspect, in a third possible implementation of the second aspect, the method further includes: receiving the user's account and a fingerprint feature for lock-screen activation sent by a virtual machine; querying the fingerprint library according to the user's account to obtain the correct fingerprint corresponding to the user's account; and comparing the received fingerprint feature for lock-screen activation with the correct fingerprint. If they are consistent, a lock-screen activation authentication result indicating that authentication of the fingerprint feature for lock-screen activation succeeded is sent to the virtual machine; otherwise, a lock-screen activation authentication result indicating that authentication of the fingerprint feature for lock-screen activation failed is sent to the virtual machine.
In a third aspect, a desktop cloud access gateway is provided. The desktop cloud access gateway includes: a receiving unit, configured to receive the account and fingerprint feature of a user sent by a client; and a sending unit, configured to send the user's account and the fingerprint feature to an authentication server. The receiving unit is further configured to receive a first authentication result returned by the authentication server.
In a first possible implementation of the third aspect, the gateway further includes a processing unit. The receiving unit is further configured to receive the user's account and second authentication information sent by the client; the sending unit is further configured to send the user's account and the second authentication information to the authentication server; the receiving unit is further configured to receive a second authentication result returned by the authentication server; and the processing unit is configured to determine that authentication passes if the first authentication result returned by the authentication server is that the fingerprint feature authentication succeeded and the second authentication result is that the second authentication information authentication succeeded, and to determine that authentication does not pass if at least one of the first authentication result and the second authentication result returned by the authentication server is an authentication failure.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the second authentication information includes: a password, a dynamic password, a user private key, or a biometric feature; the biometric feature includes: an iris feature, a retinal feature, a facial feature, or a vein feature.
In a fourth aspect, an authentication server is provided. The authentication server includes: a receiving unit, configured to receive the account and fingerprint feature of a user sent by a desktop cloud access gateway; a fingerprint library; a sending unit; and a processing unit, configured to query the fingerprint library according to the user's account to obtain the correct fingerprint corresponding to the user's account, and to compare the received fingerprint feature with the correct fingerprint. If they are consistent, a first authentication result indicating that the fingerprint feature authentication succeeded is sent to the desktop cloud access gateway through the sending unit; otherwise, a first authentication result indicating that the fingerprint feature authentication failed is sent to the desktop cloud access gateway.
In a first possible implementation of the fourth aspect, the server further includes a second authentication information library. The receiving unit is further configured to receive the user's account and second authentication information sent by the desktop cloud access gateway; the processing unit is further configured to query the second authentication information library according to the user's account to obtain the correct second authentication information corresponding to the user's account, and to compare the received second authentication information with the correct second authentication information. If the received second authentication information is consistent with the correct second authentication information, a second authentication result indicating that the second authentication information authentication succeeded is sent to the desktop cloud access gateway through the sending unit; otherwise, a second authentication result indicating that the second authentication information authentication failed is sent to the desktop cloud access gateway through the sending unit.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the second authentication information includes: a dynamic password, a user private key, or a biometric feature; the biometric feature includes: an iris feature, a retinal feature, a facial feature, or a vein feature.
With reference to any one of the foregoing possible implementations of the fourth aspect, in a third possible implementation of the fourth aspect, the receiving unit is further configured to receive the user's account and a fingerprint feature for lock-screen activation sent by a virtual machine; the processor is further configured to query the fingerprint library according to the user's account to obtain the correct fingerprint corresponding to the user's account, and to compare the fingerprint feature for lock-screen activation with the correct fingerprint. If they are consistent, a lock-screen activation authentication result indicating that authentication of the fingerprint feature for lock-screen activation succeeded is sent to the virtual machine through the sending unit; if they are inconsistent, a lock-screen activation authentication result indicating that authentication of the fingerprint feature for lock-screen activation failed is sent to the virtual machine through the sending unit.
In a fifth aspect, a desktop cloud system is provided. The system includes: a client, a desktop cloud access gateway, and an authentication server. The client is configured to receive the account and fingerprint feature input by a user and send them to the desktop cloud access gateway. The desktop cloud access gateway is configured to receive the user's account and the fingerprint feature sent by the client; send the user's account and the fingerprint feature to the authentication server; and receive a first authentication result returned by the authentication server. If the first authentication result is that the fingerprint feature authentication succeeded, it determines that authentication passes and sends a message allowing login to the client; if the first authentication result is that the fingerprint feature authentication failed, it determines that authentication does not pass and sends a re-authentication message to the client. The authentication server includes a fingerprint library and is configured to receive the user's account and the fingerprint feature sent by the desktop cloud access gateway; query the fingerprint library according to the user's account to obtain the correct fingerprint corresponding to the user's account; and compare the received fingerprint feature with the correct fingerprint. If they are consistent, it sends a first authentication result indicating that the fingerprint feature authentication succeeded to the desktop cloud access gateway; otherwise, it sends a first authentication result indicating that the fingerprint feature authentication failed to the desktop cloud access gateway.
In a first possible implementation of the fifth aspect, the client is further configured to receive the user's account and second authentication information and send them to the desktop cloud access gateway. The desktop cloud access gateway is further configured to receive the user's account and second authentication information sent by the client, and to send the user's account and the second authentication information to the authentication server. The authentication server is further configured to receive the user's account and second authentication information sent by the desktop cloud access gateway; query a second authentication information library according to the user's account to obtain the correct second authentication information corresponding to the user's account; and compare the received second authentication information with the correct second authentication information. If the received second authentication information is consistent with the correct second authentication information, it sends a second authentication result indicating that the second authentication information authentication succeeded to the desktop cloud access gateway; otherwise, it sends a second authentication result indicating that the second authentication information authentication failed to the desktop cloud access gateway. The desktop cloud access gateway is further configured to receive the second authentication result returned by the authentication server. If the first authentication result returned by the authentication server is that the fingerprint feature authentication succeeded and the second authentication result is that the second authentication information authentication succeeded, it determines that authentication passes and sends a message allowing login to the client; if at least one of the first authentication result and the second authentication result returned by the authentication server is an authentication failure, it determines that authentication does not pass.
With reference to the first possible implementation of the fifth aspect, in a second possible implementation of the fifth aspect, the second authentication information includes: a dynamic password, a user private key, or a biometric feature; the biometric feature includes: an iris feature, a retinal feature, a facial feature, or a vein feature.
With reference to any one of the foregoing possible implementations of the fifth aspect, in a second possible implementation of the fifth aspect, the system further includes a desktop cloud server, and the desktop cloud server runs at least one virtual machine. The client is further configured to receive the user's account and fingerprint feature, and to send the user's account and the fingerprint feature for lock-screen activation to a first virtual machine on the desktop cloud server. The first virtual machine is configured to receive the user's account and the fingerprint feature for lock-screen activation and send them to the authentication server. The authentication server is configured to receive the user's account and the fingerprint feature for lock-screen activation sent by the first virtual machine; query the fingerprint library according to the user's account to obtain the correct fingerprint corresponding to the user's account; and compare the received fingerprint feature for lock-screen activation with the correct fingerprint. If they are consistent, it sends a lock-screen activation authentication result indicating that authentication of the fingerprint feature for lock-screen activation succeeded to the first virtual machine; otherwise, it sends a lock-screen activation authentication result indicating that authentication of the fingerprint feature for lock-screen activation failed to the first virtual machine. The first virtual machine is configured to receive the authentication result for the fingerprint feature for lock-screen activation.
In a sixth aspect, a security authentication method for a desktop cloud system is provided. The method includes: a desktop cloud access gateway receives the fingerprint feature of a user sent by a client; sends the user's fingerprint feature to an authentication server; and receives a first authentication result returned by the authentication server.
In a first possible implementation of the sixth aspect, if the first authentication result returned by the authentication server is that the fingerprint feature authentication succeeded, the first authentication result further includes the account and password of the user corresponding to the fingerprint feature.
With reference to any one of the foregoing possible implementations of the sixth aspect, in a second possible implementation of the sixth aspect, before receiving the authentication result returned by the authentication server, the method further includes: receiving the user's account and second authentication information sent by the client; sending the user's account and the second authentication information to the authentication server; if the first authentication result returned by the authentication server is that the fingerprint feature authentication succeeded and the second authentication result is that the second authentication information authentication succeeded, determining that authentication passes; if at least one of the first authentication result and the second authentication result returned by the authentication server is an authentication failure, determining that authentication does not pass.
With reference to the second possible implementation of the sixth aspect, in a third possible implementation of the sixth aspect, the second authentication information includes: a password, a dynamic password, a user private key, or a biometric feature; the biometric feature includes: an iris feature, a retinal feature, a facial feature, or a vein feature.
In a seventh aspect, a security authentication method for a desktop cloud system is provided. The method includes: an authentication server receives the fingerprint feature of a user sent by a desktop cloud access gateway; queries a fingerprint library and determines whether the fingerprint feature exists in the fingerprint library. If the fingerprint feature exists in the fingerprint library, it sends a first authentication result indicating that the fingerprint feature authentication succeeded to the desktop cloud access gateway; otherwise, it sends a first authentication result indicating that the fingerprint feature authentication failed to the desktop cloud access gateway.
In a first possible implementation of the seventh aspect, when it is determined that the fingerprint feature exists in the fingerprint library, the method further includes: finding the account and password of the user corresponding to the fingerprint feature, and sending the account and password to the desktop cloud access gateway.
With reference to any one of the foregoing possible implementations of the seventh aspect, in a second possible implementation of the seventh aspect, the method further includes: receiving the user's account and second authentication information sent by the desktop cloud access gateway; querying a second authentication information library according to the user's account to obtain the correct second authentication information corresponding to the user's account; and comparing the received second authentication information with the correct second authentication information. If the received second authentication information is consistent with the correct second authentication information, a second authentication result indicating that the second authentication information authentication succeeded is sent to the desktop cloud access gateway; otherwise, a second authentication result indicating that the second authentication information authentication failed is sent to the desktop cloud access gateway.
With reference to the second possible implementation of the seventh aspect, in a third possible implementation of the seventh aspect, the second authentication information includes: a dynamic password, a user private key, or a biometric feature; the biometric feature includes: an iris feature, a retinal feature, a facial feature, or a vein feature.
In the embodiments of the present invention, the user's account and fingerprint feature are stored on the authentication server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the account and fingerprint feature input by the user to the authentication server through the desktop cloud access gateway, and the authentication server performs the security authentication. Compared with the existing approach of storing the fingerprint feature on the local client, the embodiments of the present invention can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud application scenarios.
Brief Description of the Drawings
To illustrate the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed in the embodiments are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is an application scenario diagram of the security authentication method for a desktop cloud system described in an embodiment of the present invention;
Fig. 2 is a flowchart of the security authentication method for a desktop cloud system described in Embodiment 1 of the present invention;
Fig. 3 is a flowchart of the security authentication method for a desktop cloud system described in Embodiment 2 of the present invention;
Fig. 4 is a flowchart of the security authentication method for a desktop cloud system described in Embodiment 3 of the present invention;
Fig. 5 is a flowchart of the security authentication method for a desktop cloud system described in Embodiment 4 of the present invention;
Fig. 6 is a structure diagram of the desktop cloud access gateway provided in an embodiment of the present invention;
Fig. 7 shows the authentication server provided in an embodiment of the present invention;
Fig. 8 is a structure diagram of the desktop cloud system provided in an embodiment of the present invention;
Fig. 9 is a flowchart of the security authentication method for a desktop cloud system described in Embodiment 5 of the present invention;
Fig. 10 is a flowchart of the security authentication method for a desktop cloud system described in Embodiment 6 of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The present invention provides a security authentication method for a desktop cloud system, a desktop cloud access gateway, an authentication server, and a desktop cloud system, which can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud application scenarios.
Fig. 1 is an application scenario diagram of the security authentication method for a desktop cloud system described in an embodiment of the present invention. As shown in Fig. 1, the method of the embodiment of the present invention applies to the scenario in which a user operates a client to perform security authentication through a desktop cloud access gateway.
The desktop cloud access gateway is a system component of the desktop cloud. With the desktop cloud access gateway, secure access to desktop cloud resources can be achieved from any location using any device with a Web browser.
The desktop cloud system described in the embodiment of the present invention includes a client 10, a desktop cloud access gateway 20, and an authentication server 30.
As shown in Fig. 1, the authentication server 30 includes a fingerprint library, which stores information such as the user's domain name, account, and fingerprint feature. When the user logs in to the desktop cloud system and security authentication is required, the fingerprint feature is input through a fingerprint reader, and the client 10 sends the account and fingerprint feature to the desktop cloud access gateway 20 via the desktop authentication protocol. The desktop cloud access gateway 20 sends the received account and fingerprint feature to the corresponding authentication server 30 for security authentication. After the security authentication passes, the user is allowed to access the desktop cloud.
Of course, in the embodiments of the present invention, the fingerprint feature can also be extended to other biometric features of the human body, such as an iris feature, a retinal feature, a facial feature, or a vein feature.
The method and apparatus provided in the embodiments of the present invention are described in detail below.
Reference picture 2, is the flow chart of the safety certifying method of desktop cloud system described in the embodiment of the present invention one.Such as Fig. 2 Shown, methods described may comprise steps of:
Step S201:Desktop cloud access gateway receives the account and fingerprint characteristic of the user that client sends.
Step S202:The account of the user and the fingerprint characteristic are sent to certificate server.
Step S203:Receive the first authentication result that the certificate server is returned.
In the method of Embodiment 1, the user's account and fingerprint feature are stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the account and fingerprint feature input by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing fingerprint features on the local client, the method of this embodiment can effectively reduce the risk of user information leakage and improve the assurance of user information security in desktop cloud application scenarios.
It should be noted that, in step S201, while receiving the account and fingerprint feature of the user sent by the client, the desktop cloud access gateway may also receive the domain name corresponding to the user, sent by the client.
In that case, in step S202, the desktop cloud access gateway sends the user's domain name, account and fingerprint feature to the certificate server.
Further, to improve the security of the method, a dual authentication mechanism may also be used. Specifically, the method may further include: receiving the account and second authentication information of the user sent by the client; sending the account of the user and the second authentication information to the certificate server; if the first authentication result returned by the certificate server is fingerprint feature authentication success and the second authentication result is second authentication information authentication success, determining that authentication passes; if at least one of the first authentication result and the second authentication result returned by the certificate server is authentication failure, determining that authentication does not pass.
In this case, when logging in to the desktop cloud system the user must provide both the fingerprint feature and the second authentication information. Login is allowed only when both the fingerprint feature authentication and the second authentication information authentication succeed; if either one fails, or both fail, login is not allowed. The security of the method is therefore higher, and because fingerprint authentication must be passed, even if the user's account and second authentication information are leaked, others cannot log in using the account and password, which improves the assurance of user information security in desktop cloud application scenarios.
It should be noted that the second authentication information may include: a password, a dynamic password, a user private key (the user may input the private key via a USB Key (U-shield)), a biometric feature, and so on. The biometric feature may include: an iris feature, a retinal feature, a facial feature, a vein feature, and so on.
Referring to Figure 3, which is a flowchart of the security authentication method of the desktop cloud system according to Embodiment 2 of the present invention. As shown in Figure 3, the method may include the following steps:
Step S301: The certificate server receives the account and fingerprint feature of the user sent by the desktop cloud access gateway.
Step S302: The fingerprint base is queried according to the user's account to obtain the correct fingerprint corresponding to that account, and the received fingerprint feature is compared with the correct fingerprint. If they are consistent, a first authentication result indicating fingerprint feature authentication success is sent to the desktop cloud access gateway; otherwise, a first authentication result indicating fingerprint feature authentication failure is sent to the desktop cloud access gateway.
It should be noted that, in step S301, the desktop cloud access gateway may also send the user's domain name to the certificate server. In that case, the certificate server may query the fingerprint base according to the domain name and account. The same applies to the following embodiments of the present invention and is not repeated each time.
In the method of Embodiment 2, the user's account and fingerprint feature are stored on the certificate server. When the user logs in to the desktop cloud system, the certificate server receives the user account and fingerprint feature sent by the desktop cloud access gateway and performs the security authentication. Compared with the existing approach of storing fingerprint features on the local client, the method of this embodiment can effectively reduce the risk of user information leakage and improve the assurance of user information security in desktop cloud application scenarios.
Further, to improve the security of the method, the method of Embodiment 2 may also use a dual authentication mechanism. Specifically, the method may further include: receiving the account and second authentication information of the user sent by the desktop cloud access gateway; querying the second authentication information library according to the user's account to obtain the correct second authentication information corresponding to that account, and comparing the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, sending a second authentication result indicating second authentication information authentication success to the desktop cloud access gateway; otherwise, sending a second authentication result indicating second authentication information authentication failure to the desktop cloud access gateway.
In this case, when logging in to the desktop cloud system the user must provide both the fingerprint feature and the second authentication information. Login is allowed only when both the fingerprint feature authentication and the second authentication information authentication succeed; if either one fails, or both fail, login is not allowed. The security of the method is therefore higher, and because fingerprint authentication must be passed, even if the user's account and second authentication information are leaked, others cannot log in using the account and password, which improves the assurance of user information security in desktop cloud application scenarios.
It should be noted that the second authentication information may include: a password, a dynamic password, a user private key (the user may input the private key via a USB Key (U-shield)), a biometric feature, and so on. The biometric feature may include: an iris feature, a retinal feature, a facial feature, a vein feature, and so on.
Further, after the user has passed security authentication and established a connection with the system, if the user does not operate the system within a certain period of time, the virtual machine enters the standby state and locks its screen. If the user then activates the virtual machine so that it exits the screen-lock state, the user must perform security authentication again to ensure the safety of user information.
In this case, the method of Embodiment 2 may further include: the virtual machine receives the account of the user and the fingerprint feature for activating the locked screen, as input by the user; the virtual machine sends the received account and fingerprint feature for activating the locked screen to the certificate server; the certificate server receives the account of the user and the fingerprint feature for activating the locked screen sent by the virtual machine, queries the fingerprint base according to the account to obtain the correct fingerprint corresponding to the account, and compares the received fingerprint feature for activating the locked screen with the correct fingerprint. If they are consistent, it returns to the virtual machine an authentication result indicating that authentication of the fingerprint feature for activating the locked screen succeeded; otherwise, it returns to the virtual machine an authentication result indicating that authentication of the fingerprint feature for activating the locked screen failed.
The above method further specifies that, after the virtual machine enters standby and locks its screen, a user who wants to activate the virtual machine and make it exit the screen-lock state must still perform fingerprint authentication. This fingerprint authentication is not performed on the local client. Instead, the client sends the user's account and the fingerprint feature for activating the locked screen to the virtual machine, the virtual machine sends the received account and fingerprint feature to the certificate server, and the fingerprint authentication is still performed by the certificate server. This effectively reduces the risk of user information leakage and improves the assurance of user information security in desktop cloud application scenarios.
Current desktop cloud systems also include a desktop cloud server, which runs at least one virtual machine. After the user passes security authentication and successfully logs in to the desktop cloud system, the user can select the corresponding virtual machine to operate. In Embodiment 3, the security authentication method of the desktop cloud system is described in detail taking the client as an example. The client in the method may be a thin terminal, a personal computer, a smartphone, a PAD, etc.; the present invention does not specifically limit this.
Referring to Figure 4, which is a flowchart of the security authentication method of the desktop cloud system according to Embodiment 3 of the present invention. As shown in Figure 4, the method may include the following steps:
Step S401: A fingerprint instrument device is connected to the client.
The fingerprint instrument (Finger Printer Device, FP) is an electronic instrument that performs identification by exploiting the fact that human fingerprints "differ from person to person and remain unchanged for life". Its principle is as follows: according to differences in the geometric, physical and biological characteristics of ridges and valleys, different optical or current-resistance feedback signals are obtained; a fingerprint image is drawn from the values of the feedback signals using different image processing algorithms; then, on the basis of this fingerprint image, fingerprint recognition software extracts the fingerprint feature and compares fingerprint feature codes.
Step S402: The user accesses the login interface of the desktop cloud system through the client, inputs the account on the login interface, and inputs the fingerprint feature through the fingerprint instrument.
Step S403: The client sends the account and fingerprint feature to the desktop cloud access gateway via the desktop authentication protocol.
Step S404: The desktop cloud access gateway sends the domain name, account and fingerprint feature to the certificate server for fingerprint feature authentication.
Step S405: After receiving the domain name, account and fingerprint feature, the certificate server queries the fingerprint base according to the domain name and account to obtain the correct fingerprint corresponding to them, and compares the received fingerprint feature with the correct fingerprint. If they are consistent, the fingerprint is correct, and a first authentication result indicating fingerprint feature authentication success is returned to the desktop cloud access gateway; if they are inconsistent, the fingerprint is incorrect, and a first authentication result indicating fingerprint feature authentication failure is returned to the desktop cloud access gateway.
It should be noted that the certificate server includes a fingerprint base. The fingerprint base stores, for each user, the correspondence between the domain name, the account and the correct fingerprint feature. When fingerprint authentication is needed for a user, the domain name and account provided by that user are used to look up the fingerprint base and find the correct fingerprint feature corresponding to them. If the new fingerprint feature provided by the user at this login is consistent with the correct fingerprint feature found, the new fingerprint feature is correct and fingerprint authentication succeeds; otherwise, fingerprint authentication fails.
Specifically, the correspondence between a user's domain name, account and correct fingerprint feature in the fingerprint base may be obtained through a conventional registration process. That is, the user accesses the registration interface of the desktop cloud system through the client and inputs the account and fingerprint feature on the registration interface. The client sends the account and fingerprint feature to the desktop cloud access gateway, and the desktop cloud access gateway sends them to the certificate server, where they are stored in the fingerprint base.
Step S406: The desktop cloud access gateway receives the first authentication result returned by the certificate server. When the first authentication result is fingerprint feature authentication success, it returns the virtual machine list corresponding to the account to the client and proceeds to step S407; when the first authentication result is fingerprint feature authentication failure, it returns authentication failure information to the client and proceeds to step S408.
Step S407: After receiving the virtual machine list, the client presents it to the user; the user selects a virtual machine, establishes a connection via the desktop control protocol, and begins normal use.
Step S408: The client presents the authentication failure information to the user and notifies the user to re-enter the account and fingerprint feature.
Specifically, if the client receives the authentication failure information, it notifies the user that fingerprint authentication failed and, through the login interface, requires the user to input the fingerprint feature again using the fingerprint instrument.
In the method of Embodiment 3, the user's domain name, account and fingerprint feature are stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the domain name, account and fingerprint feature input by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing fingerprint features on the local client, the method of this embodiment can effectively reduce the risk of user information leakage and improve the assurance of user information security in desktop cloud application scenarios.
It should further be noted that, in step S407, after the user selects a virtual machine, establishes a connection via the desktop control protocol and begins normal use, if the user does not operate the virtual machine within a certain period of time, the virtual machine enters the standby state and locks its screen. If the user then activates the system so that the virtual machine exits the screen-lock state, the user must perform security authentication again to ensure the safety of user information.
Specifically, in the method of Embodiment 3, after step S407 the method may further include:
Step S409: The user successfully logs in to the desktop cloud system, and the client maps the fingerprint instrument into the virtual machine selected by the user via the desktop control protocol.
Step S410: After receiving the activate-system instruction input by the user, the client displays a fingerprint input interface to the user, receives the account and the fingerprint feature for activating the locked screen input by the user, and sends them to the virtual machine via the desktop control protocol.
Specifically, the activate-system instruction input by the user may typically be "Ctrl+Alt+Del". Of course, the instruction may also be set by the user according to specific needs; the embodiments of the present invention do not limit this.
Step S411: When the virtual machine receives the account and the fingerprint feature for activating the locked screen, it sends the user's domain name, account and fingerprint feature to the certificate server for fingerprint feature authentication.
Step S412: After receiving the domain name, account and fingerprint feature, the certificate server queries the fingerprint base according to the domain name and account to obtain the correct fingerprint corresponding to them, and compares the received fingerprint feature for activating the locked screen with the correct fingerprint. If they are consistent, the fingerprint is correct, and an activate-lock-screen authentication result indicating that authentication of the fingerprint feature succeeded is returned to the virtual machine; if they are inconsistent, the fingerprint is incorrect, and an activate-lock-screen authentication result indicating that authentication of the fingerprint feature failed is returned to the virtual machine.
Step S413: The virtual machine receives the activate-lock-screen authentication result returned by the certificate server. When the result is authentication success for the fingerprint feature for activating the locked screen, it notifies the client that the user is allowed to log in and proceeds to step S414; when the result is authentication failure for the fingerprint feature for activating the locked screen, it returns authentication failure information to the client and proceeds to step S415.
Step S414: The client allows the user to log in and operate the virtual machine normally.
Step S415: The client presents the authentication failure information to the user and notifies the user to re-enter the account and fingerprint feature.
The method of the above embodiment further specifies that, after the virtual machine enters standby and locks its screen, a user who wants to activate the virtual machine and make it exit the screen-lock state must still perform fingerprint authentication. This fingerprint authentication is not performed on the local client. Instead, the client sends the user's account and fingerprint feature through the virtual machine to the certificate server, and the fingerprint authentication is still performed by the certificate server. This effectively reduces the risk of user information leakage and improves the assurance of user information security in desktop cloud application scenarios.
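The lock-screen flow of steps S409 to S415 can be sketched as a small state machine; this is an added example, not code from the patent. The class and function names, the byte-string feature code, the exact-match comparison and the check that the unlocking account is the one that owns the session are all assumptions made for illustration.

```python
import hmac
from enum import Enum

# Constructed fingerprint base held by the certificate server, keyed by
# (domain, account). Byte strings stand in for fingerprint feature codes.
FINGERPRINT_BASE = {("corp.example", "alice"): b"\x10\x22\x35\x47\x5a"}


def certificate_server_verify(domain, account, feature):
    """S412: look up the correct fingerprint and compare (exact match is an assumption)."""
    correct = FINGERPRINT_BASE.get((domain, account))
    return correct is not None and hmac.compare_digest(correct, feature)


class State(Enum):
    ACTIVE = "active"
    LOCKED = "locked"


class VirtualMachineSession:
    """Hypothetical VM-side session: it forwards unlock requests and stores no fingerprints."""

    def __init__(self, domain, account, verify, idle_limit_s=300):
        self.domain = domain
        self.account = account
        self._verify = verify            # stands in for the call to the certificate server
        self.idle_limit_s = idle_limit_s
        self.state = State.ACTIVE
        self.last_input_at = 0.0

    def tick(self, now):
        """Enter standby and lock the screen after idle_limit_s without user operation."""
        if self.state is State.ACTIVE and now - self.last_input_at >= self.idle_limit_s:
            self.state = State.LOCKED
        return self.state

    def user_input(self, now):
        """Ordinary input is accepted only while the session is active."""
        if self.state is State.LOCKED:
            return False
        self.last_input_at = now
        return True

    def unlock(self, account, feature, now):
        """S411-S413: forward account and fingerprint feature, act on the returned result."""
        if self.state is not State.LOCKED:
            return "not-locked"
        # Added check (assumption): another enrolled user's valid fingerprint
        # must not unlock a session that belongs to a different account.
        if account != self.account:
            return "auth-failed"
        if not self._verify(self.domain, account, feature):
            return "auth-failed"         # S415: the client asks the user to re-enter
        self.state = State.ACTIVE        # S414: the user may operate the VM again
        self.last_input_at = now
        return "unlocked"
```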
Embodiment 4 below describes in detail the specific process of the method when dual authentication is used. In Embodiment 4, the second authentication information is specifically a password. Of course, the client and the password are used here only as examples; in other embodiments of the present invention, the client may be, but is not limited to, a thin terminal, and the second authentication information may be, but is not limited to, a password.
Referring to Figure 5, which is a flowchart of the security authentication method of the desktop cloud system according to Embodiment 4 of the present invention. As shown in Figure 5, the method may include the following steps:
Step S501: A fingerprint instrument device is connected to the client.
Step S502: The user accesses the login interface of the desktop cloud system through the client, inputs the account and password on the login interface, and inputs the fingerprint feature through the fingerprint instrument.
Step S503: The client sends the account, password and fingerprint feature to the desktop cloud access gateway via the desktop authentication protocol.
Step S504: The desktop cloud access gateway sends the domain name, account and fingerprint feature to the certificate server for fingerprint feature authentication; at the same time, it sends the domain name, account and password to the certificate server for account and password authentication.
Step S505: After receiving the domain name, account and fingerprint feature, the certificate server queries the fingerprint base according to the domain name and account to obtain the correct fingerprint corresponding to them, and compares the received fingerprint feature with the correct fingerprint. If they are consistent, the fingerprint is correct, and a first authentication result indicating fingerprint feature authentication success is returned to the desktop cloud access gateway; if they are inconsistent, the fingerprint is incorrect, and a first authentication result indicating fingerprint feature authentication failure is returned to the desktop cloud access gateway.
Step S506: After receiving the domain name, account and password, the certificate server queries the password library according to the domain name and account to obtain the correct password corresponding to them, and compares the received password with the correct password. If they are consistent, the password is correct, and a second authentication result indicating password authentication success is returned to the desktop cloud access gateway; if they are inconsistent, the password is incorrect, and a second authentication result indicating password authentication failure is returned to the desktop cloud access gateway.
It should be noted that the certificate server also includes a password library. The password library stores, for each user, the correspondence between the domain name, the account and the correct password. When password authentication is needed for a user, the domain name and account provided by that user are used to look up the password library and find the correct password corresponding to them. If the new password provided by the user at this login is consistent with the correct password found, the new password is correct and password authentication succeeds; otherwise, password authentication fails.
Specifically, the correspondence between a user's domain name, account and correct password in the password library may be obtained through a conventional registration process. That is, the user accesses the registration interface of the desktop cloud system through the client and inputs the account and password on the registration interface. The client sends the account and password to the desktop cloud access gateway, and the desktop cloud access gateway sends them to the certificate server, where they are stored in the password library.
It should be noted that, in practice, steps S505 and S506 need not be performed in any particular order; the two may be performed simultaneously, or either one may be performed before the other.
In practical applications, password authentication and fingerprint authentication may be implemented by different functional modules of the same certificate server; alternatively, two certificate servers may be provided to perform password authentication and fingerprint authentication respectively. The above applies equally when the second authentication information is some other kind of information.
Step S507: The desktop cloud access gateway receives the password authentication result and the fingerprint feature authentication result returned by the certificate server. When both returned authentication results are authentication success, it returns the virtual machine list corresponding to the account to the client and proceeds to step S508; when either one or both of the returned authentication results are authentication failure, it returns authentication failure information to the client and proceeds to step S509.
Step S508: After receiving the virtual machine list, the client presents it to the user; the user selects a virtual machine, establishes a connection via the desktop control protocol, and begins normal use.
Step S509: The client presents the authentication failure information to the user and notifies the user to re-enter the authentication information corresponding to the failed authentication type.
For example, if password authentication fails, the client notifies the user that password authentication failed and, through the login interface, requires the user to re-enter the password; if fingerprint feature authentication fails, the client notifies the user that fingerprint feature authentication failed and, through the login interface, requires the user to input the fingerprint feature again using the fingerprint instrument; if both password and fingerprint authentication fail, the client notifies the user that both failed and, through the login interface, requires the user to re-enter the password and to input the fingerprint feature again using the fingerprint instrument.
In the method of Embodiment 4, the user's domain name, account, fingerprint feature and password are stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the domain name, account, fingerprint feature and password input by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing the password, fingerprint feature and the like on the local client, the method of this embodiment can effectively reduce the risk of user information leakage and improve the assurance of user information security in desktop cloud application scenarios.
Meanwhile, the method of Embodiment 4 uses a dual authentication mechanism. When logging in to the desktop cloud system, the user must provide both the password and the fingerprint feature; login is allowed only when both password authentication and fingerprint authentication succeed. If either one does not pass, or both do not pass, login is not allowed. Therefore, the security of the method of Embodiment 2 of the present invention is higher, and because fingerprint authentication must be passed, even if the user's account and password are leaked, others cannot log in using the account and password, which improves the assurance of user information security in desktop cloud application scenarios.
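The gateway-side decision of steps S504 to S509 is sketched below as an added example; it is not code from the patent. All class names, sample accounts and virtual machine names are hypothetical, the fingerprint feature is modelled as a byte string compared for exact equality, and storing the password as a salted PBKDF2 digest is an assumption of this example (the text only says the password library holds the correct password).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ALICE_FEATURE = b"\x10\x22\x35\x47\x5a"   # constructed feature code


def _derive(password, salt):
    # Assumption: the password library stores a salted digest, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class CertificateServer:
    """Holds the fingerprint base and the password library, keyed by (domain, account)."""

    def __init__(self):
        self._fingerprint_base = {}
        self._password_library = {}

    def register(self, domain, account, feature, password):
        salt = os.urandom(16)
        self._fingerprint_base[(domain, account)] = feature
        self._password_library[(domain, account)] = (salt, _derive(password, salt))

    def verify_fingerprint(self, domain, account, feature):
        """S505: first authentication result."""
        correct = self._fingerprint_base.get((domain, account))
        return correct is not None and hmac.compare_digest(correct, feature)

    def verify_password(self, domain, account, password):
        """S506: second authentication result."""
        entry = self._password_library.get((domain, account))
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _derive(password, salt))


@dataclass(frozen=True)
class LoginResult:
    passed: bool
    failed_factors: tuple   # authentication types the client must ask for again (S509)
    vm_list: tuple          # returned only when both factors succeed (S507/S508)


class DesktopCloudAccessGateway:
    def __init__(self, server, vm_lists):
        self._server = server
        self._vm_lists = vm_lists

    def login(self, domain, account, password, feature):
        # S504: both factors go to the certificate server. Both are always
        # evaluated, in either order, so every failed type can be reported.
        first = self._server.verify_fingerprint(domain, account, feature)
        second = self._server.verify_password(domain, account, password)
        failed = tuple(name for name, ok in
                       (("fingerprint", first), ("password", second)) if not ok)
        if failed:
            return LoginResult(False, failed, ())
        return LoginResult(True, (), tuple(self._vm_lists.get((domain, account), ())))


def build_demo():
    """Constructed sample data: one registered user with two virtual machines."""
    server = CertificateServer()
    server.register("corp.example", "alice", ALICE_FEATURE, "Tr0ub4dor&3")
    vms = {("corp.example", "alice"): ["vm-alice-01", "vm-alice-02"]}
    return DesktopCloudAccessGateway(server, vms)
```

With a leaked account and password but a non-matching fingerprint feature, `login` returns `passed=False` with `failed_factors == ("fingerprint",)` and no virtual machine list, which is the case the paragraph above describes.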
Corresponding to the security authentication method of the desktop cloud system provided by the embodiments of the present invention, the embodiments of the present invention also provide a desktop cloud access gateway.
Referring to Figure 6, which is a structural diagram of the desktop cloud access gateway provided by an embodiment of the present invention. The desktop cloud access gateway includes:
A receiving unit U101, configured to receive the account and fingerprint feature of the user sent by the client.
A transmitting unit U102, configured to send the account of the user and the fingerprint feature to the certificate server.
The receiving unit U101 is further configured to receive the first authentication result returned by the certificate server.
With the desktop cloud access gateway of the embodiment of the present invention, the user's account and fingerprint feature are stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the account and fingerprint feature input by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing fingerprint features on the local client, the embodiment of the present invention can effectively reduce the risk of user information leakage and improve the assurance of user information security in desktop cloud application scenarios.
Further, the desktop cloud access gateway may also include a processing unit U103, wherein:
The receiving unit U101 is further configured to receive the account and second authentication information of the user sent by the client.
The transmitting unit U102 is further configured to send the account of the user and the second authentication information to the certificate server.
The receiving unit U101 is further configured to receive the second authentication result returned by the certificate server.
The processing unit U103 is configured to determine that authentication passes if the first authentication result returned by the certificate server is fingerprint feature authentication success and the second authentication result is second authentication information authentication success, and to determine that authentication does not pass if at least one of the first authentication result and the second authentication result returned by the certificate server is authentication failure.
It should be noted that the second authentication information may include: a password, a dynamic password, a user private key or a biometric feature. The biometric feature may include: an iris feature, a retinal feature, a facial feature or a vein feature.
The embodiments of the present invention also provide a certificate server. Referring to Figure 7, which shows the certificate server provided by an embodiment of the present invention. The certificate server may include: a receiving unit U201, a fingerprint base U202, a transmitting unit U203 and a processing unit U204.
The receiving unit U201 is configured to receive the account and fingerprint feature of the user sent by the desktop cloud access gateway.
The processing unit U204 is configured to query the fingerprint base according to the user's account to obtain the correct fingerprint corresponding to that account, and to compare the received fingerprint feature with the correct fingerprint. If they are consistent, it sends a first authentication result indicating fingerprint feature authentication success to the desktop cloud access gateway through the transmitting unit; otherwise, it sends a first authentication result indicating fingerprint feature authentication failure to the desktop cloud access gateway.
In the embodiment of the present invention, the user's account and fingerprint feature are stored on the certificate server. When the user logs in to the desktop cloud system, the certificate server receives the user account and fingerprint feature sent by the desktop cloud access gateway and performs the security authentication. Compared with the existing approach of storing fingerprint features on the local client, the embodiment of the present invention can effectively reduce the risk of user information leakage and improve the assurance of user information security in desktop cloud application scenarios.
Further, the certificate server may also include a second authentication information base, wherein:
The receiving unit U201 is also configured to receive the account and second authentication information of the user sent by the desktop cloud access gateway.
The processing unit U204 is also configured to query the second authentication information base according to the account of the user to obtain the correct second authentication information corresponding to the account of the user, and to compare the received second authentication information with the correct second authentication information. If the received second authentication information is consistent with the correct second authentication information, a second authentication result indicating that second authentication information authentication succeeded is sent to the desktop cloud access gateway through the transmitting unit; otherwise, a second authentication result indicating that second authentication information authentication failed is sent to the desktop cloud access gateway through the transmitting unit.
It should be noted that the second authentication information may include: a dynamic password, a user private key, or a biological characteristic. The biological characteristic may include: an iris feature, a retinal feature, a facial feature, or a vein pattern.
Further, the receiving unit U201 is also configured to receive the account of the user and the fingerprint characteristic for activating the lock screen, both sent by a virtual machine.
The processing unit U204 is also configured to query the fingerprint base according to the account of the user to obtain the correct fingerprint corresponding to the account of the user, and to compare the fingerprint characteristic for activating the lock screen with the correct fingerprint. If they are consistent, a lock-screen activation authentication result indicating that authentication of the fingerprint characteristic for activating the lock screen succeeded is sent to the virtual machine through the transmitting unit; if they are inconsistent, a lock-screen activation authentication result indicating that authentication of the fingerprint characteristic for activating the lock screen failed is sent to the virtual machine through the transmitting unit.
An embodiment of the present invention also provides a desktop cloud system. Referring to Fig. 8, which is a structural diagram of the desktop cloud system provided by an embodiment of the present invention, the desktop cloud system includes: a client U10, a desktop cloud access gateway U20, and a certificate server U30.
The client U10 is configured to receive the account and fingerprint characteristic input by the user and send them to the desktop cloud access gateway U20.
The desktop cloud access gateway U20 is configured to receive the account of the user and the fingerprint characteristic sent by the client U10; send the account of the user and the fingerprint characteristic to the certificate server U30; and receive the first authentication result returned by the certificate server U30. If the first authentication result is that fingerprint characteristic authentication succeeded, the gateway determines that authentication has passed and sends a message allowing login to the client U10; if the first authentication result is that fingerprint characteristic authentication failed, the gateway determines that authentication has not passed and sends a re-authentication message to the client U10.
The certificate server U30 includes a fingerprint base. The certificate server U30 is configured to receive the account of the user and the fingerprint characteristic sent by the desktop cloud access gateway U20; query the fingerprint base according to the account of the user to obtain the correct fingerprint corresponding to the account of the user; and compare the received fingerprint characteristic with the correct fingerprint. If they are consistent, it sends a first authentication result indicating that fingerprint characteristic authentication succeeded to the desktop cloud access gateway U20; otherwise, it sends a first authentication result indicating that fingerprint characteristic authentication failed to the desktop cloud access gateway U20.
Further,
The client U10 is also configured to receive the account and second authentication information of the user and send them to the desktop cloud access gateway U20.
The desktop cloud access gateway U20 is also configured to receive the account and second authentication information of the user sent by the client U10, and to send the account of the user and the second authentication information to the certificate server U30.
The certificate server U30 is also configured to receive the account and second authentication information of the user sent by the desktop cloud access gateway U20; query the second authentication information base according to the account of the user to obtain the correct second authentication information corresponding to the account of the user; and compare the received second authentication information with the correct second authentication information. If the received second authentication information is consistent with the correct second authentication information, it sends a second authentication result indicating that second authentication information authentication succeeded to the desktop cloud access gateway U20; otherwise, it sends a second authentication result indicating that second authentication information authentication failed to the desktop cloud access gateway U20.
The desktop cloud access gateway U20 is also configured to receive the second authentication result returned by the certificate server U30. If the first authentication result returned by the certificate server U30 is that fingerprint characteristic authentication succeeded and the second authentication result is that second authentication information authentication succeeded, the gateway determines that authentication has passed and sends a message allowing login to the client U10; if at least one of the first authentication result and the second authentication result returned by the certificate server U30 is an authentication failure, the gateway determines that authentication has not passed.
It should be noted that the second authentication information includes: a dynamic password, a user private key, or a biological characteristic. The biological characteristic includes: an iris feature, a retinal feature, a facial feature, or a vein pattern.
Further,
The system also includes a desktop cloud server, and the desktop cloud server runs at least one virtual machine.
The client U10 is also configured to receive the account of the user and the fingerprint characteristic for activating the lock screen, and to send the account of the user and the fingerprint characteristic for activating the lock screen to a first virtual machine on the desktop cloud server. The first virtual machine is configured to receive the account of the user and the fingerprint characteristic for activating the lock screen sent by the client U10, and to send the account of the user and the fingerprint characteristic for activating the lock screen to the certificate server U30.
The certificate server U30 is configured to receive the account of the user and the fingerprint characteristic for activating the lock screen sent by the first virtual machine; query the fingerprint base according to the account of the user to obtain the correct fingerprint corresponding to the account of the user; and compare the received fingerprint characteristic for activating the lock screen with the correct fingerprint. If they are consistent, it sends a lock-screen activation authentication result indicating that authentication of the fingerprint characteristic for activating the lock screen succeeded to the first virtual machine; otherwise, it sends a lock-screen activation authentication result indicating that authentication of the fingerprint characteristic for activating the lock screen failed to the first virtual machine.
The first virtual machine is configured to receive the authentication result for the fingerprint characteristic for activating the lock screen.
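The message flow described above for the desktop cloud system (login with a fingerprint characteristic plus second authentication information, and lock-screen activation requested by a virtual machine), as an added Python example that is not code from the patent. The class names, result labels, sample data and the bit-distance matcher are assumptions; the patent only states that the received fingerprint characteristic is compared with the correct fingerprint.

```python
import hmac

SUCCESS, FAILURE = "success", "failure"  # hypothetical labels for the authentication results
MATCH_THRESHOLD = 4  # assumed: max differing bits for two templates to count as "consistent"


def consistent(received: bytes, enrolled: bytes) -> bool:
    """Assumed matcher: equal-length bit templates within MATCH_THRESHOLD bits.
    The patent names no matching algorithm."""
    if len(received) != len(enrolled):
        return False
    distance = sum(bin(a ^ b).count("1") for a, b in zip(received, enrolled))
    return distance <= MATCH_THRESHOLD


class CertificateServer:
    """Holds the fingerprint base and the second authentication information base."""

    def __init__(self, fingerprint_base, second_info_base):
        self.fingerprint_base = fingerprint_base  # account -> correct fingerprint
        self.second_info_base = second_info_base  # account -> correct second info

    def first_auth(self, account, fingerprint):
        enrolled = self.fingerprint_base.get(account)
        # An unknown account and a wrong finger produce the same result.
        if enrolled is not None and consistent(fingerprint, enrolled):
            return SUCCESS
        return FAILURE

    def second_auth(self, account, info):
        expected = self.second_info_base.get(account)
        # compare_digest avoids leaking how many leading bytes matched.
        if expected is not None and info is not None and hmac.compare_digest(info, expected):
            return SUCCESS
        return FAILURE

    def lock_screen_auth(self, account, fingerprint):
        # Same fingerprint base; the requester is a virtual machine, not the gateway.
        return self.first_auth(account, fingerprint)


class AccessGateway:
    """Forwards credentials and decides; it never stores fingerprints itself."""

    def __init__(self, server, vm_lists, require_second=True):
        self.server = server
        self.vm_lists = vm_lists  # account -> virtual machine list (per the claims)
        self.require_second = require_second

    def login(self, account, fingerprint, second_info=None):
        results = [self.server.first_auth(account, fingerprint)]
        if self.require_second:
            # A missing second factor is treated as a failed one (fail closed).
            results.append(self.server.second_auth(account, second_info))
        if all(r == SUCCESS for r in results):
            return {"decision": "login allowed", "vm_list": self.vm_lists.get(account, [])}
        return {"decision": "re-authenticate", "vm_list": []}


class VirtualMachine:
    def __init__(self, server):
        self.server = server
        self.locked = True

    def unlock(self, account, fingerprint):
        ok = self.server.lock_screen_auth(account, fingerprint) == SUCCESS
        if ok:
            self.locked = False
        return ok


def build_demo():
    """Constructed sample data: one enrolled user and three fingerprint samples."""
    samples = {
        "enrolled": bytes.fromhex("a5a5a5a5a5a5a5a5"),
        "noisy": bytes.fromhex("a5a5a5a7a5a5a5a4"),     # 2 bits off: same finger
        "impostor": bytes.fromhex("5a5a5a5a5a5a5a5a"),  # 64 bits off: different finger
    }
    server = CertificateServer({"alice": samples["enrolled"]}, {"alice": b"492817"})
    gateway = AccessGateway(server, {"alice": ["vm-01"]})
    return gateway, VirtualMachine(server), samples


if __name__ == "__main__":
    gw, vm, s = build_demo()
    print(gw.login("alice", s["noisy"], b"492817"))     # both results succeed
    print(gw.login("alice", s["noisy"], b"000000"))     # second result fails
    print(gw.login("alice", s["impostor"], b"492817"))  # first result fails
    print(vm.unlock("alice", s["noisy"]), vm.locked)
```

The gateway allows login only when every result it requested is an explicit success, which matches the rule that one failed result among the two means authentication does not pass.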
An embodiment of the present invention may also include a security authentication method for a desktop cloud system in which the certificate server stores the fingerprint characteristics of all users allowed to log in to the desktop cloud system. When a user needs to log in to the system, the client only needs to ask the current user to input a fingerprint characteristic and send the fingerprint characteristic to the certificate server through the desktop cloud access gateway. The certificate server searches the fingerprint base according to the fingerprint characteristic and determines whether the fingerprint characteristic exists in the fingerprint base. If it exists, the current user is one of the users allowed to log in to the system, and fingerprint authentication passes; otherwise, the current user is not one of the users allowed to log in to the system, and fingerprint authentication fails.
Specifically, Fig. 9 is a flowchart of the security authentication method for a desktop cloud system according to Embodiment 5 of the present invention. As shown in Fig. 9, the method may include:
Step S901: The desktop cloud access gateway receives the fingerprint characteristic of the current user sent by the client.
Step S902: The fingerprint characteristic of the current user is sent to the certificate server.
Step S903: The first authentication result returned by the certificate server is received.
Preferably, in the method of Embodiment 5 of the present invention, the certificate server may also store the accounts and password information of all users allowed to log in to the desktop cloud system, and for each user, the account and password information of the user correspond one-to-one with the fingerprint characteristic of the user. Therefore, after the certificate server confirms that the user is one allowed to log in to the system, it can find the account and password information of the user according to the fingerprint characteristic of the user and return them to the client through the desktop cloud access gateway. Specifically, the method may also include: when the authentication result returned by the certificate server is authentication success, the authentication result also includes the account and password corresponding to the fingerprint characteristic.
Then, in step S903, if the first authentication result returned by the certificate server is that fingerprint characteristic authentication succeeded, the first authentication result also includes the account and password of the user corresponding to the fingerprint characteristic.
Preferably, the method of Embodiment 5 of the present invention can also implement double authentication of the current user to further ensure the security of user information, specifically:
Receive the account and second authentication information of the user sent by the client; send the account of the user and the second authentication information to the certificate server; if the first authentication result returned by the certificate server is that fingerprint characteristic authentication succeeded and the second authentication result is that second authentication information authentication succeeded, determine that authentication has passed; if at least one of the first authentication result and the second authentication result returned by the certificate server is an authentication failure, determine that authentication has not passed.
It should be noted that the second authentication information includes: a password, a dynamic password, a user private key, or a biological characteristic. The biological characteristic includes: an iris feature, a retinal feature, a facial feature, or a vein pattern.
In this embodiment of the present invention, the fingerprint characteristic of the user is stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the fingerprint characteristic input by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing the fingerprint characteristic on the local client, this embodiment can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud application scenarios.
Fig. 10 is a flowchart of the security authentication method for a desktop cloud system according to Embodiment 6 of the present invention. As shown in Fig. 10, the method may include:
Step S1001: The certificate server receives the fingerprint characteristic of the current user sent by the desktop cloud access gateway.
Step S1002: The certificate server queries the fingerprint base and judges whether the fingerprint characteristic exists in the fingerprint base. If the fingerprint characteristic exists in the fingerprint base, it sends a first authentication result indicating that fingerprint characteristic authentication succeeded to the desktop cloud access gateway; otherwise, it sends a first authentication result indicating that fingerprint characteristic authentication failed to the desktop cloud access gateway.
In Embodiment 6 of the present invention, the certificate server includes a fingerprint base, which stores the fingerprint characteristics of all users allowed to log in to the desktop cloud system. When a user needs to log in to the system, the client only needs to ask the current user to input a fingerprint characteristic and send the fingerprint characteristic to the certificate server through the desktop cloud access gateway. The certificate server searches the fingerprint base according to the fingerprint characteristic and determines whether the fingerprint characteristic exists in the fingerprint base. If it exists, the current user is one of the users allowed to log in to the system, and fingerprint authentication passes; otherwise, the current user is not one of the users allowed to log in to the system, and fingerprint authentication fails.
Preferably, in the method of Embodiment 6 of the present invention, the fingerprint base may also store the accounts and password information of all users allowed to log in to the desktop cloud system, and for each user, the account and password information of the user correspond one-to-one with the fingerprint characteristic of the user. Therefore, after the certificate server confirms that the user is one allowed to log in to the system, it can find the account and password information of the user according to the fingerprint characteristic of the user and return them to the client through the desktop cloud access gateway. Specifically, when it is judged that the fingerprint characteristic exists in the fingerprint base, the method also includes: finding the account and password of the user corresponding to the fingerprint characteristic, and sending the account and password to the desktop cloud access gateway.
Preferably, the method of Embodiment 6 of the present invention can also implement double authentication of the current user to further ensure the security of user information, specifically:
The method also includes: receiving the account and second authentication information of the user sent by the desktop cloud access gateway; querying the second authentication information base according to the account of the user to obtain the correct second authentication information corresponding to the account of the user; and comparing the received second authentication information with the correct second authentication information. If the received second authentication information is consistent with the correct second authentication information, a second authentication result indicating that second authentication information authentication succeeded is sent to the desktop cloud access gateway; otherwise, a second authentication result indicating that second authentication information authentication failed is sent to the desktop cloud access gateway.
It should be noted that the second authentication information includes: a dynamic password, a user private key, or a biological characteristic. The biological characteristic includes: an iris feature, a retinal feature, a facial feature, or a vein pattern.
In this embodiment of the present invention, the fingerprint characteristic of the user is stored on the certificate server. When the user logs in to the desktop cloud system and security authentication is required, the client sends the fingerprint characteristic input by the user to the certificate server through the desktop cloud access gateway, and the certificate server performs the security authentication. Compared with the existing approach of storing the fingerprint characteristic on the local client, this embodiment can effectively reduce the risk of user information leakage and improve the protection of user information security in desktop cloud application scenarios.
The security authentication method for a desktop cloud system, the desktop cloud access gateway, the certificate server and the desktop cloud system provided by the present invention have been described in detail above. Specific examples are used herein to explain the principle and implementation of the invention, and the description of the above embodiments is only intended to help in understanding the method of the invention and its core idea. At the same time, for a person of ordinary skill in the art, there will be changes in the specific implementation and the scope of application according to the idea of the invention. In summary, the content of this specification should not be construed as limiting the invention.
A person of ordinary skill in the art will recognize that various aspects of the invention, or possible implementations of those aspects, can be embodied as a system, a method or a computer program product. Therefore, each aspect of the invention, or a possible implementation of each aspect, can take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software and so on), or an embodiment combining software and hardware aspects, all of which are collectively referred to herein as a "circuit", "module" or "system". In addition, each aspect of the invention, or a possible implementation of each aspect, can take the form of a computer program product, where a computer program product refers to computer-readable program code stored in a computer-readable medium.
The computer-readable medium can be a computer-readable signal medium or a computer-readable storage medium. A computer-readable storage medium includes but is not limited to an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any appropriate combination of the foregoing, such as random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, and portable read-only memory (CD-ROM).
A processor in a computer reads the computer-readable program code stored in the computer-readable medium, so that the processor can perform the functional actions specified in each step, or combination of steps, in the flowcharts, and generate means that implement the functional actions specified in each block, or combination of blocks, in the block diagrams.

Claims (9)

1. A security authentication method for a desktop cloud system, characterized in that the method comprises:
a certificate server receiving the account and fingerprint characteristic of a user sent by a desktop cloud access gateway;
querying a fingerprint base according to the account of the user to obtain the correct fingerprint corresponding to the account of the user, and comparing the received fingerprint characteristic with the correct fingerprint; if they are consistent, sending a first authentication result indicating that fingerprint characteristic authentication succeeded to the desktop cloud access gateway; otherwise, sending a first authentication result indicating that fingerprint characteristic authentication failed to the desktop cloud access gateway, so that the desktop cloud access gateway can, when the first authentication result is that fingerprint characteristic authentication succeeded, return the virtual machine list corresponding to the account to the client;
receiving the account of the user and a fingerprint characteristic for activating the lock screen, sent by a virtual machine; querying the fingerprint base according to the account to obtain the correct fingerprint corresponding to the account, and comparing the received fingerprint characteristic for activating the lock screen with the correct fingerprint; if they are consistent, returning to the virtual machine an authentication result indicating that authentication of the fingerprint characteristic for activating the lock screen succeeded; otherwise, returning to the virtual machine an authentication result indicating that authentication of the fingerprint characteristic for activating the lock screen failed.
2. The method according to claim 1, characterized in that the method further comprises:
receiving the account and second authentication information of the user sent by the desktop cloud access gateway;
querying a second authentication information base according to the account of the user to obtain the correct second authentication information corresponding to the account of the user, and comparing the received second authentication information with the correct second authentication information;
if the received second authentication information is consistent with the correct second authentication information, sending a second authentication result indicating that second authentication information authentication succeeded to the desktop cloud access gateway; otherwise, sending a second authentication result indicating that second authentication information authentication failed to the desktop cloud access gateway.
3. The method according to claim 2, characterized in that the second authentication information includes: a dynamic password, a user private key, or a biological characteristic;
the biological characteristic includes: an iris feature, a retinal feature, a facial feature, or a vein pattern.
4. A certificate server, characterized in that the certificate server comprises:
a receiving unit, configured to receive the account and fingerprint characteristic of a user sent by a desktop cloud access gateway;
a fingerprint base;
a transmitting unit;
a processing unit, configured to query the fingerprint base according to the account of the user to obtain the correct fingerprint corresponding to the account of the user, and to compare the received fingerprint characteristic with the correct fingerprint; if they are consistent, to send a first authentication result indicating that fingerprint characteristic authentication succeeded to the desktop cloud access gateway through the transmitting unit; otherwise, to send a first authentication result indicating that fingerprint characteristic authentication failed to the desktop cloud access gateway, so that the desktop cloud access gateway can, when the first authentication result is that fingerprint characteristic authentication succeeded, return the virtual machine list corresponding to the account to the client;
the receiving unit is also configured to receive the account of the user and a fingerprint characteristic for activating the lock screen, sent by a virtual machine;
the processing unit is also configured to compare the received fingerprint characteristic for activating the lock screen with the correct fingerprint; if they are consistent, to return to the virtual machine an authentication result indicating that authentication of the fingerprint characteristic for activating the lock screen succeeded; otherwise, to return to the virtual machine an authentication result indicating that authentication of the fingerprint characteristic for activating the lock screen failed.
5. The certificate server according to claim 4, characterized by further comprising a second authentication information base, wherein:
the receiving unit is also configured to receive the account and second authentication information of the user sent by the desktop cloud access gateway;
the processing unit is also configured to query the second authentication information base according to the account of the user to obtain the correct second authentication information corresponding to the account of the user, and to compare the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, to send a second authentication result indicating that second authentication information authentication succeeded to the desktop cloud access gateway through the transmitting unit; otherwise, to send a second authentication result indicating that second authentication information authentication failed to the desktop cloud access gateway through the transmitting unit.
6. The certificate server according to claim 5, characterized in that the second authentication information includes: a dynamic password, a user private key, or a biological characteristic;
the biological characteristic includes: an iris feature, a retinal feature, a facial feature, or a vein pattern.
7. A desktop cloud system, characterized in that the system comprises: a client, a desktop cloud access gateway, and a certificate server;
the client is configured to receive the account and fingerprint characteristic input by a user and send them to the desktop cloud access gateway;
the desktop cloud access gateway is configured to receive the account of the user and the fingerprint characteristic sent by the client; send the account of the user and the fingerprint characteristic to the certificate server; receive the first authentication result returned by the certificate server; if the first authentication result is that fingerprint characteristic authentication succeeded, determine that authentication has passed, send a message allowing login to the client, and return the virtual machine list corresponding to the account to the client; if the first authentication result is that fingerprint characteristic authentication failed, determine that authentication has not passed and send a re-authentication message to the client;
the certificate server includes a fingerprint base, and the certificate server is configured to receive the account of the user and the fingerprint characteristic sent by the desktop cloud access gateway; query the fingerprint base according to the account of the user to obtain the correct fingerprint corresponding to the account of the user, and compare the received fingerprint characteristic with the correct fingerprint; if they are consistent, send a first authentication result indicating that fingerprint characteristic authentication succeeded to the desktop cloud access gateway; otherwise, send a first authentication result indicating that fingerprint characteristic authentication failed to the desktop cloud access gateway;
the client is also configured to present the virtual machine list to the user after receiving the virtual machine list;
the certificate server is also configured to receive the account of the user and a fingerprint characteristic for activating the lock screen, sent by a virtual machine; query the fingerprint base according to the account to obtain the correct fingerprint corresponding to the account, and compare the received fingerprint characteristic for activating the lock screen with the correct fingerprint; if they are consistent, return to the virtual machine an authentication result indicating that authentication of the fingerprint characteristic for activating the lock screen succeeded, so as to activate the virtual machine; otherwise, return to the virtual machine an authentication result indicating that authentication of the fingerprint characteristic for activating the lock screen failed.
8. The desktop cloud system according to claim 7, characterized in that:
the client is also configured to receive the account and second authentication information of the user, and to send the account and second authentication information of the user to the desktop cloud access gateway;
the desktop cloud access gateway is also configured to receive the account and second authentication information of the user sent by the client, and to send the account of the user and the second authentication information to the certificate server;
the certificate server is also configured to receive the account and second authentication information of the user sent by the desktop cloud access gateway; query the second authentication information base according to the account of the user to obtain the correct second authentication information corresponding to the account of the user, and compare the received second authentication information with the correct second authentication information; if the received second authentication information is consistent with the correct second authentication information, send a second authentication result indicating that second authentication information authentication succeeded to the desktop cloud access gateway; otherwise, send a second authentication result indicating that second authentication information authentication failed to the desktop cloud access gateway;
the desktop cloud access gateway is also configured to receive the second authentication result returned by the certificate server; if the first authentication result returned by the certificate server is that fingerprint characteristic authentication succeeded and the second authentication result is that second authentication information authentication succeeded, determine that authentication has passed and send a message allowing login to the client; if at least one of the first authentication result and the second authentication result returned by the certificate server is an authentication failure, determine that authentication has not passed.
9. The desktop cloud system according to claim 8, characterized in that the second authentication information includes: a dynamic password, a user private key, or a biological characteristic;
the biological characteristic includes: an iris feature, a retinal feature, a facial feature, or a vein pattern.
CN201210592285.3A 2012-12-31 2012-12-31 A kind of safety certifying method of desktop cloud system, access gateway and certificate server Active CN103067397B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210592285.3A CN103067397B (en) 2012-12-31 2012-12-31 A kind of safety certifying method of desktop cloud system, access gateway and certificate server

Publications (2)

Publication Number Publication Date
CN103067397A CN103067397A (en) 2013-04-24
CN103067397B true CN103067397B (en) 2017-06-13

Family

ID=48109859

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210592285.3A Active CN103067397B (en) 2012-12-31 2012-12-31 A kind of safety certifying method of desktop cloud system, access gateway and certificate server

Country Status (1)

Country Link
CN (1) CN103067397B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103237030A (en) * 2013-04-25 2013-08-07 深圳市中兴移动通信有限公司 Biological recognition-based user authentication method and system
CN105282092A (en) * 2014-06-10 2016-01-27 中兴通讯股份有限公司 Virtual desktop authentication method, terminal and server
CN105187362B (en) * 2014-06-23 2020-01-10 中兴通讯股份有限公司 Method and device for connection authentication between desktop cloud client and server
CN104038509B (en) * 2014-07-03 2019-03-15 南昌欧菲生物识别技术有限公司 Finger print identifying cloud system
CN104135489A (en) * 2014-08-13 2014-11-05 百度在线网络技术(北京)有限公司 Login authentication method and device
CN104283879B (en) * 2014-10-09 2018-07-31 广州杰赛科技股份有限公司 Virtual machine remote connection method and system
CN105991709A (en) * 2015-02-11 2016-10-05 中国移动通信集团河南有限公司 Cloud desktop account number management method and apparatus thereof
CN106936760A (en) * 2015-12-30 2017-07-07 航天信息股份有限公司 A kind of apparatus and method of login Openstack cloud system virtual machines
CN105763610B (en) * 2016-02-19 2019-03-29 北京佰才邦技术有限公司 Desktop cloud service providing method and device
CN107291432A (en) * 2016-04-01 2017-10-24 中兴通讯股份有限公司 Cloud desktop management-control method, device and cloud desktop access method, device
CN107360119A (en) * 2016-05-09 2017-11-17 中兴通讯股份有限公司 A kind of cloud desktop Sign-On authentication method, cloud desktop control system and client
CN106330977A (en) * 2016-10-28 2017-01-11 宇龙计算机通信科技(深圳)有限公司 Fingerprint authentication method and related equipment
CN106534219A (en) * 2016-12-31 2017-03-22 中国移动通信集团江苏有限公司 Security authentication method and device for desktop cloud portal
CN106878023A (en) * 2017-02-22 2017-06-20 福建升腾资讯有限公司 A kind of method and system that cloud desktop is logined based on finger vein authentication
CN107528842A (en) * 2017-08-21 2017-12-29 合肥丹朋科技有限公司 Website method for generating cipher code and device
CN109728984B (en) * 2018-11-26 2021-01-29 华为技术有限公司 Access system, method and device
CN109873805B (en) * 2019-01-02 2021-06-25 平安科技(深圳)有限公司 Cloud desktop login method, device, equipment and storage medium based on cloud security
CN111966982A (en) * 2020-07-23 2020-11-20 西安雷风电子科技有限公司 Cloud desktop registration and login method and system based on biological characteristic authentication

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101714918A (en) * 2009-10-23 2010-05-26 浙江维尔生物识别技术股份有限公司 Safety system for logging in VPN and safety method for logging in VPN
CN101764823A (en) * 2010-01-28 2010-06-30 华为终端有限公司 Authentication method, electronic equipment and authentication server
CN101958792A (en) * 2009-07-17 2011-01-26 华为技术有限公司 Method and device for authenticating finger print of user
CN102333065A (en) * 2010-07-12 2012-01-25 戴元顺 Cloud interaction protocol design
CN102571359A (en) * 2012-04-06 2012-07-11 上海凯卓信息科技有限公司 Method for certificating cloud desktop based on smart card

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007280221A (en) * 2006-04-10 2007-10-25 Fujitsu Ltd Authentication network system
CN101267310B (en) * 2008-05-04 2010-06-23 王琰 Computer network access control system and method
TWI476627B (en) * 2012-05-11 2015-03-11 Chunghwa Telecom Co Ltd The management system and method of network service level and function of cloud virtual desktop application

Also Published As

Publication number Publication date
CN103067397A (en) 2013-04-24

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220208

Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province

Patentee after: Huawei Cloud Computing Technology Co.,Ltd.

Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen

Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.