CN103873245A - Virtual machine system data encryption method and apparatus - Google Patents

Info

Publication number
CN103873245A
Authority
CN
China
Prior art keywords
message
encryption
transport layer
application data
terminal equipment
Prior art date
Legal status
Granted
Application number
CN201210544060.0A
Other languages
Chinese (zh)
Other versions
CN103873245B (en)
Inventor
刘新保
Current Assignee
Huawei Cloud Computing Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201210544060.0A
Priority to PCT/CN2013/079696 (WO2014089968A1)
Publication of CN103873245A
Application granted
Publication of CN103873245B
Legal status: Active
Anticipated expiration

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Embodiments of the invention provide a virtual machine system data encryption method and apparatus. The method comprises the following steps: a terminal device receives a first message that a network encryption gateway has sent after transport-layer encryption, and performs transport-layer decryption on the transport-layer-encrypted first message; the terminal device extracts application data from the decrypted first message and performs hardware encryption on the application data through a hardware encryption module provided on the terminal device, wherein the application data is data generated by a virtual machine in a virtual machine system; and the terminal device generates a second message from the encrypted application data, performs transport-layer encryption on the second message, and sends the transport-layer-encrypted second message to the network encryption gateway. With the virtual machine system data encryption method and apparatus provided by the embodiments, encryption of the application data of multiple virtual machines on one physical server can be supported.

Description

Virtual machine system data encryption method and apparatus
Technical field
Embodiments of the present invention relate to communication technology, and in particular to a virtual machine system data encryption method and apparatus.
Background
With the development of computer technology, virtualization has been widely promoted and adopted. In desktop virtualization, a virtual machine system is installed on the physical servers of a data center; the virtual machine system simulates the hardware resources an operating system needs, and operating systems run on these virtual hardware resources, so that multiple operating systems share the hardware of one physical server and resource utilization improves.
Encryption is an important means of ensuring data security, and an encryption card is a dedicated card-type encryption device that provides cryptographic services to a PC (Personal Computer). With an encryption card plugged into a PC, the card can encrypt data on the PC or data leaving it, so as to protect that data. Encrypting with an encryption card is safer because the key is never held in main memory. However, for a physical server on which a virtual machine system is installed, the prior art has no virtualization technology for encryption cards, so when an encryption card is plugged into the physical server only one virtual machine on that server can occupy the card for encryption at any given moment. A solution to this problem is urgently needed.
Summary of the invention
Embodiments of the present invention provide a virtual machine system data encryption method and apparatus, so as to support encryption of the application data of multiple virtual machines on a physical server.
In a first aspect, an embodiment of the present invention provides a virtual machine system data encryption method, comprising:
a terminal device receives a transport-layer-encrypted first message sent by a network encryption gateway and performs transport-layer decryption on the transport-layer-encrypted first message;
the terminal device extracts application data from the decrypted first message and performs hardware encryption on the application data by means of a hardware encryption module provided on the terminal device, wherein the application data is data generated by a virtual machine in a virtual machine system;
the terminal device generates a second message from the encrypted application data, performs transport-layer encryption on the second message, and sends the transport-layer-encrypted second message to the network encryption gateway.
In a first possible implementation, the first message comprises a key identifier used to identify a key;
and the terminal device extracting application data from the decrypted first message and performing hardware encryption on the application data by means of the hardware encryption module provided on the terminal device is specifically:
the terminal device extracts the application data and the key identifier from the decrypted first message and sends the application data and the key identifier to the hardware encryption module; the hardware encryption module determines the key according to the key identifier, encrypts the application data with that key, and returns the encrypted application data to the terminal device.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, the terminal device receiving the transport-layer-encrypted first message sent by the network encryption gateway is specifically:
the terminal device receives the transport-layer-encrypted first message sent by the network encryption gateway through a tunnel, routed via the network encryption gateway, that is established between a virtual desktop agent client module of the terminal device and a virtual desktop proxy module of the virtual machine;
and the terminal device sending the transport-layer-encrypted second message to the network encryption gateway is specifically:
the terminal device sends the transport-layer-encrypted second message to the network encryption gateway through the tunnel.
With reference to the second possible implementation of the first aspect, in a third possible implementation, before the terminal device receives, through the tunnel established between the virtual desktop agent client module of the terminal device and the virtual desktop proxy module of the virtual machine, the transport-layer-encrypted first message sent by the network encryption gateway, the method further comprises:
the virtual desktop agent client module of the terminal device and the virtual desktop proxy module of the virtual machine establish the tunnel.
In a fourth possible implementation, the method further comprises:
the terminal device receives a transport-layer-encrypted third message sent by the network encryption gateway and performs transport-layer decryption on the transport-layer-encrypted third message;
the terminal device extracts encrypted application data from the decrypted third message and performs hardware decryption on the encrypted application data by means of the hardware encryption module provided on the terminal device, wherein the encrypted application data is data generated by the virtual machine in the virtual machine system that has previously been hardware-encrypted by the hardware encryption module of the terminal device;
the terminal device generates a fourth message from the decrypted application data, performs transport-layer encryption on the fourth message, and sends the transport-layer-encrypted fourth message to the network encryption gateway.
In a second aspect, an embodiment of the present invention provides a virtual machine system data encryption method, comprising:
a virtual machine generates a first message from application data received from an application program in the virtual machine and sends the first message to a network encryption gateway;
the virtual machine receives a transport-layer-decrypted second message sent by the network encryption gateway, extracts the encrypted application data from the transport-layer-decrypted second message, and sends the encrypted application data to the application program, wherein the encrypted application data is obtained by a terminal device performing hardware encryption on the application data.
In a first possible implementation, the virtual machine generating the first message from the application data received from the application program in the virtual machine is specifically:
the virtual machine generates the first message from the application data and a key identifier received from the application program, wherein the key identifier is used to identify a key.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, the virtual machine sending the first message to the network encryption gateway is specifically:
the virtual machine sends the first message to the network encryption gateway through a tunnel, routed via the network encryption gateway, that is established between a virtual desktop proxy module of the virtual machine and a virtual desktop agent client module of the terminal device;
and the virtual machine receiving the transport-layer-decrypted second message sent by the network encryption gateway is specifically:
the virtual machine receives, through the tunnel, the transport-layer-decrypted second message sent by the network encryption gateway.
With reference to the second possible implementation of the second aspect, in a third possible implementation, before the virtual machine sends the first message to the network encryption gateway, the method further comprises:
the virtual desktop proxy module of the virtual machine and the virtual desktop agent client module of the terminal device establish the tunnel.
In a fourth possible implementation, the method further comprises:
the virtual machine generates a third message from encrypted application data received from the application program in the virtual machine and sends the third message to the network encryption gateway;
the virtual machine receives a transport-layer-decrypted fourth message sent by the network encryption gateway, extracts the decrypted application data from the transport-layer-decrypted fourth message, and sends the decrypted application data to the application program, wherein the decrypted application data is obtained by the terminal device performing hardware decryption on the encrypted application data.
In a third aspect, an embodiment of the present invention provides a terminal device, comprising:
a transport layer decryption module, configured to receive a transport-layer-encrypted first message sent by a network encryption gateway and perform transport-layer decryption on the transport-layer-encrypted first message;
a cryptographic service module, connected to the transport layer decryption module and configured to extract application data from the decrypted first message and perform hardware encryption on the application data by means of a hardware encryption module provided on the terminal device, wherein the application data is data generated by a virtual machine in a virtual machine system;
and a transport layer encryption module, connected to the cryptographic service module and configured to generate a second message from the encrypted application data, perform transport-layer encryption on the second message, and send the transport-layer-encrypted second message to the network encryption gateway.
In a first possible implementation, the first message comprises a key identifier used to identify a key;
and the cryptographic service module is specifically configured to extract the application data and the key identifier from the decrypted first message and send the application data and the key identifier to the hardware encryption module; the hardware encryption module determines the key according to the key identifier, encrypts the application data with that key, and returns the encrypted application data to the terminal device.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation, the terminal device further comprises:
a virtual desktop agent client module, configured to establish, with a virtual desktop proxy module of the virtual machine, a tunnel routed via the network encryption gateway;
the transport layer decryption module is specifically configured to receive, through the tunnel, the transport-layer-encrypted first message sent by the network encryption gateway;
and the transport layer encryption module is specifically configured to send the transport-layer-encrypted second message to the network encryption gateway through the tunnel.
In a third possible implementation, the transport layer decryption module is further configured to receive a transport-layer-encrypted third message sent by the network encryption gateway and perform transport-layer decryption on the transport-layer-encrypted third message;
the cryptographic service module is further configured to extract encrypted application data from the decrypted third message and perform hardware decryption on the encrypted application data by means of the hardware encryption module provided on the terminal device, wherein the encrypted application data is data generated by the virtual machine in the virtual machine system that has previously been hardware-encrypted by the hardware encryption module of the terminal device;
and the transport layer encryption module is further configured to generate a fourth message from the decrypted application data, perform transport-layer encryption on the fourth message, and send the transport-layer-encrypted fourth message to the network encryption gateway.
In a fourth aspect, an embodiment of the present invention provides a virtual machine, comprising:
a sending processing module, configured to generate a first message from application data received from an application program in the virtual machine and send the first message to a network encryption gateway;
and a receiving processing module, configured to receive a transport-layer-decrypted second message sent by the network encryption gateway, extract the encrypted application data from the transport-layer-decrypted second message, and send the encrypted application data to the application program, wherein the encrypted application data is obtained by a terminal device performing hardware encryption on the application data.
In a first possible implementation, the sending processing module is specifically configured to generate the first message from the application data and a key identifier received from the application program, wherein the key identifier is used to identify a key.
With reference to the fourth aspect or the first possible implementation of the fourth aspect, in a second possible implementation, the virtual machine further comprises:
a virtual desktop proxy module, configured to establish, with a virtual desktop agent client module of the terminal device, a tunnel routed via the network encryption gateway;
the sending processing module is specifically configured to send the first message to the network encryption gateway through the tunnel;
and the receiving processing module is specifically configured to receive, through the tunnel, the transport-layer-decrypted second message sent by the network encryption gateway.
In a third possible implementation, the sending processing module is further configured to generate a third message from encrypted application data received from the application program in the virtual machine and send the third message to the network encryption gateway;
and the receiving processing module is further configured to receive a transport-layer-decrypted fourth message sent by the network encryption gateway, extract the decrypted application data from the transport-layer-decrypted fourth message, and send the decrypted application data to the application program, wherein the decrypted application data is obtained by the terminal device performing hardware decryption on the encrypted application data.
In a fifth aspect, an embodiment of the present invention provides a terminal device, comprising a processor, a communication interface, a memory and a bus, wherein:
the processor, the communication interface and the memory communicate with one another through the bus;
the communication interface is configured to receive a transport-layer-encrypted first message sent by a network encryption gateway and to send a transport-layer-encrypted second message to the network encryption gateway;
the memory is configured to store instructions;
and the processor is configured to execute the instructions stored in the memory, wherein the processor is configured to perform transport-layer decryption on the transport-layer-encrypted first message, extract application data from the decrypted first message, and perform hardware encryption on the application data by means of a hardware encryption module provided on the terminal device, the application data being data generated by a virtual machine in a virtual machine system; and to generate the second message from the encrypted application data and perform transport-layer encryption on the second message.
In a sixth aspect, an embodiment of the present invention provides a computer node for a virtual machine, comprising a processor, a communication interface, a memory and a bus, wherein:
the processor, the communication interface and the memory communicate with one another through the bus;
the communication interface is configured to send a first message to a network encryption gateway and to receive a transport-layer-decrypted second message sent by the network encryption gateway;
the memory is configured to store instructions;
and the processor is configured to execute the instructions stored in the memory, wherein the processor is configured to generate the first message from application data received from an application program in the virtual machine, extract the encrypted application data from the transport-layer-decrypted second message, and send the encrypted application data to the application program, the encrypted application data being obtained by a terminal device performing hardware encryption on the application data.
As can be seen from the above technical solutions, in the virtual machine system data encryption method and apparatus provided by the embodiments of the present invention, a terminal device receives a transport-layer-encrypted first message sent by a network encryption gateway, performs transport-layer decryption on it, extracts application data from the decrypted first message, and performs hardware encryption on the application data by means of a hardware encryption module provided on the terminal device, the application data being data generated by a virtual machine in a virtual machine system; the terminal device then generates a second message from the encrypted application data, performs transport-layer encryption on the second message, and sends the transport-layer-encrypted second message to the network encryption gateway. Because the application data generated by the virtual machine is encrypted by a terminal device equipped with a hardware encryption module, no encryption card needs to be plugged into the physical server, and encryption of the application data of multiple virtual machines on one physical server is supported. The encryption process also makes full use of the processing capability of the terminal device and reduces the load on the virtual machine.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the accompanying drawings needed for the description of the embodiments or of the prior art are introduced briefly below. Evidently, the drawings described below illustrate some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a first virtual machine system data encryption method provided by an embodiment of the present invention;
Fig. 2 is a flowchart of a second virtual machine system data encryption method provided by an embodiment of the present invention;
Fig. 3 is a flowchart of a third virtual machine system data encryption method provided by an embodiment of the present invention;
Fig. 4 is a flowchart of a fourth virtual machine system data encryption method provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a first terminal device provided by an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a second terminal device provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a first virtual machine provided by an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a second virtual machine provided by an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a third terminal device provided by an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a computer node for a virtual machine provided by an embodiment of the present invention.
Embodiments
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Evidently, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Fig. 1 is a flowchart of a first virtual machine system data encryption method provided by an embodiment of the present invention. As shown in Fig. 1, the method of this embodiment applies to the data encryption process in a virtual machine system. The virtual machine system may comprise at least one physical server, and at least two virtual machines are provided on each physical server; the method is described below using one of these virtual machines as an example. The method of this embodiment specifically comprises:
Step C10: a terminal device receives a transport-layer-encrypted first message sent by a network encryption gateway and performs transport-layer decryption on the transport-layer-encrypted first message;
Step C20: the terminal device extracts application data from the decrypted first message and performs hardware encryption on the application data by means of a hardware encryption module provided on the terminal device, wherein the application data is data generated by a virtual machine in the virtual machine system;
Step C30: the terminal device generates a second message from the encrypted application data, performs transport-layer encryption on the second message, and sends the transport-layer-encrypted second message to the network encryption gateway.
Specifically, the terminal device may be the consumer of the services the virtual machine system provides. For example, the virtual machine system may, without being limited to this, provide a virtual desktop service to users: a user accesses a virtual machine in the virtual machine system from the terminal device through a desktop transport protocol, the terminal device sends the user's mouse, keyboard and other operation information to the virtual machine, and the virtual machine sends virtual desktop information to the terminal device. The virtual machine system may also provide other services such as mail and storage. The terminal device may be an electronic device such as a smartphone, a tablet computer or a notebook computer.
The network encryption gateway may be deployed at the exit of the virtual machine system and performs transport-layer encryption on the messages sent by the virtual machines in the virtual machine system. Application programs usually run on a virtual machine to provide the corresponding services, and the application data is the data produced by an application program in the course of a service. When the application program needs to encrypt application data, the virtual machine generates a first message from that application data and sends the first message to the network encryption gateway, which performs transport-layer encryption on the first message; the transport-layer encryption may itself be implemented in hardware to guarantee its reliability. The network encryption gateway then sends the transport-layer-encrypted first message to the terminal device. Because the message sent by the virtual machine is in plaintext, the transport-layer encryption of the first message by the network encryption gateway is what protects the application data on the way to the terminal device.
The terminal device is equipped with a hardware encryption module, which may be an encryption chip or a USB (Universal Serial Bus) encryption device, and which stores a key and/or a digital certificate. The terminal device receives the transport-layer-encrypted first message sent by the network encryption gateway, performs transport-layer decryption on it, extracts the application data from the decrypted first message, and passes the application data to the hardware encryption module through the module's driver interface function. The hardware encryption module encrypts the application data with the key and/or digital certificate and returns the encrypted application data to the terminal device. The terminal device generates a second message from the encrypted application data and then performs transport-layer encryption on the second message; this transport-layer encryption may also be carried out by the hardware encryption module of the terminal device. The terminal device sends the transport-layer-encrypted second message to the network encryption gateway, which performs transport-layer decryption on the received second message and forwards it to the virtual machine. The virtual machine extracts the application data, now hardware-encrypted by the terminal device, from the second message and processes it accordingly, for example by forwarding it or writing it to disk.
When multiple virtual machines in the virtual machine system need to encrypt application data at the same time, each of them can have its application data encrypted by a terminal device in the way described above. The terminal devices corresponding to the individual virtual machines may be the same terminal device or different terminal devices.
In the virtual machine system data encryption method provided by this embodiment, a terminal device receives a transport-layer-encrypted first message sent by a network encryption gateway, performs transport-layer decryption on it, extracts application data from the decrypted first message, and performs hardware encryption on the application data by means of a hardware encryption module provided on the terminal device, the application data being data generated by a virtual machine in a virtual machine system; the terminal device then generates a second message from the encrypted application data, performs transport-layer encryption on the second message, and sends the transport-layer-encrypted second message to the network encryption gateway. Because the application data generated by the virtual machine is encrypted by a terminal device equipped with a hardware encryption module, no encryption card needs to be plugged into the physical server, and encryption of the application data of multiple virtual machines on one physical server is supported. The encryption process also makes full use of the processing capability of the terminal device and reduces the load on the virtual machine.
In the present embodiment, the first message includes a key identification that identifies a key. Correspondingly, step C20, in which the terminal equipment extracts application data from the decrypted first message and has the application data hardware-encrypted by the hardware encryption module arranged on the terminal equipment, may specifically be:
The terminal equipment extracts the application data and the key identification from the decrypted first message and sends both to the hardware encryption module; the hardware encryption module determines the key according to the key identification, encrypts the application data with that key and returns the encrypted application data to the terminal equipment.
Specifically, the hardware encryption module of the terminal equipment may store multiple keys, each with a unique key identification. The data provided by the application program then comprises, besides the application data to be encrypted, a key identification, and the virtual machine generates the first message from the application data and the key identification.
The terminal equipment sends the application data and key identification extracted from the first message to the hardware encryption module; the hardware encryption module determines the corresponding key according to the key identification, encrypts the application data with that key and returns the result to the terminal equipment.
In the present embodiment, step C10, in which the terminal equipment receives the transport-layer-encrypted first message sent by the network encryption gateway, may specifically be:
The terminal equipment receives the transport-layer-encrypted first message sent by the network encryption gateway through a tunnel, established between the virtual desktop agent client module of the terminal equipment and the virtual desktop agent module of the virtual machine, that passes via the network encryption gateway;
Step C30, in which the terminal equipment sends the transport-layer-encrypted second message to the network encryption gateway, may specifically be:
The terminal equipment sends the transport-layer-encrypted second message to the network encryption gateway through the tunnel.
Specifically, the virtual machine system may be a system providing a virtual desktop service. A virtual desktop agent (Virtual Desktop Agent, VDA) module is provided in the virtual machine of the virtual machine system, and correspondingly a virtual desktop agent client (Virtual Desktop Agent Client) module is provided in the terminal equipment. In the virtual desktop service, the virtual desktop agent module of the virtual machine can establish a tunnel with the virtual desktop agent client module of the terminal equipment, and this tunnel passes via the network encryption gateway; the interaction between the virtual machine and the terminal equipment can be carried out through this tunnel. When a desktop cloud replaces traditional desktop office work, the original security services are thus not lost and the original encryption programs need not be changed. Furthermore, the hardware encryption module on the terminal equipment is reused to provide transport layer encryption capability for the virtual machine system, that is, between the terminal equipment and the desktop cloud data center, which saves the cost of deploying network encryption devices on the terminal equipment side and makes the access location of the desktop terminal flexible.
In the present embodiment, before the terminal equipment receives the transport-layer-encrypted first message sent by the network encryption gateway through the tunnel established between the virtual desktop agent client module of the terminal equipment and the virtual desktop agent module of the virtual machine via the network encryption gateway, the method may further include:
The virtual desktop agent client module of the terminal equipment and the virtual desktop agent module of the virtual machine establish the tunnel.
Specifically, tunnel establishment may be initiated by a request from the virtual desktop agent client module of the terminal equipment to the virtual desktop agent module of the virtual machine, or by a request from the virtual desktop agent module of the virtual machine to the virtual desktop agent client module of the terminal equipment.
Fig. 2 is a flow chart of a second virtual machine system data encryption method provided by an embodiment of the invention. As shown in Fig. 2, in the present embodiment the virtual machine system data encryption method may further include:
Step C40: the terminal equipment receives a transport-layer-encrypted third message sent by the network encryption gateway and performs transport layer decryption on the transport-layer-encrypted third message;
Step C50: the terminal equipment extracts the already-encrypted application data from the decrypted first message and has it hardware-decrypted by the hardware encryption module arranged on the terminal equipment, where the already-encrypted application data is data produced by a virtual machine in the virtual machine system that has been hardware-encrypted by the hardware encryption module of the terminal equipment;
Step C60: the terminal equipment generates a fourth message from the decrypted application data, performs transport layer encryption on the fourth message and sends the transport-layer-encrypted fourth message to the network encryption gateway.
Specifically, the terminal equipment can also use its hardware encryption module to decrypt already-encrypted application data sent by the virtual machine. This already-encrypted application data was produced earlier by the application program of the virtual machine and hardware-encrypted by the hardware encryption module of this terminal equipment.
When the application program on the virtual machine needs to decrypt already-encrypted application data, the virtual machine generates a third message from that data and sends it to the network encryption gateway, which performs transport layer encryption on the third message and sends it to the terminal equipment. The terminal equipment receives the transport-layer-encrypted third message from the network encryption gateway and performs transport layer decryption on it; this transport layer decryption can also be implemented by the hardware encryption module arranged on the terminal equipment. The terminal equipment extracts the already-encrypted application data from the decrypted third message and passes it to the hardware encryption module through the module's driver interface function; the hardware encryption module decrypts it with the key and/or digital certificate and returns the decrypted application data to the terminal equipment. The terminal equipment generates a fourth message from the decrypted application data, performs transport layer encryption on it and sends it to the network encryption gateway, which performs transport layer decryption on the received fourth message and delivers it to the virtual machine. The virtual machine extracts the decrypted application data from the fourth message and processes it accordingly, for example by forwarding it or writing it to disk.
When multiple virtual machines in the virtual machine system need application data decrypted at the same time, each can have its application data decrypted by terminal equipment by the above method.
Naturally, in the decryption flow the interaction between the terminal equipment and the virtual machine can also be carried out through the tunnel described above; the specific implementation is not repeated here.
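The two round trips described above, hardware encryption (first and second messages) and hardware decryption (third and fourth messages), as an added simulation that is not code from the patent or from its assignee. Everything below is assumed for the example: the transport-layer cipher and the hardware module's cipher are the same HMAC-based encrypt-then-MAC construction built from the standard library (a real gateway or encryption chip would use a standard AEAD such as AES-GCM), the messages are JSON objects with `op`, `key_id` and `data` fields, the gateway and terminal share one transport key, and all keys and sample data are constructed. The step labels in the comments refer to the steps in the text.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in ciphers: a real gateway or encryption chip would use a
# standard AEAD such as AES-GCM. Here an HMAC-SHA256 keystream plus an HMAC tag
# (encrypt-then-MAC) keeps the example on the standard library alone.

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()   # separate enc and mac keys

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so tampered or wrong-key input is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def rejects(key: bytes, blob: bytes) -> bool:
    """True if unseal refuses the blob (tampered, or sealed under another key)."""
    try:
        unseal(key, blob)
        return False
    except ValueError:
        return True

class HardwareEncryptionModule:
    """Models the encryption chip / USB device: keys are addressed by key
    identification only, and no caller ever receives key bytes."""
    def __init__(self, keys: dict):
        self._keys = dict(keys)
    def encrypt(self, key_id: str, data: bytes) -> bytes:
        return seal(self._keys[key_id], data)
    def decrypt(self, key_id: str, data: bytes) -> bytes:
        return unseal(self._keys[key_id], data)

class NetworkEncryptionGateway:
    """Transport layer encryption toward the terminal, decryption on the way back."""
    def __init__(self, transport_key: bytes):
        self._tk = transport_key
    def to_terminal(self, msg: dict) -> bytes:
        return seal(self._tk, json.dumps(msg).encode())
    def from_terminal(self, blob: bytes) -> dict:
        return json.loads(unseal(self._tk, blob))

class TerminalEquipment:
    """Steps C10-C30 (hardware encryption) and C40-C60 (hardware decryption)."""
    def __init__(self, transport_key: bytes, hsm: HardwareEncryptionModule):
        self._tk, self._hsm = transport_key, hsm
    def handle(self, blob: bytes) -> bytes:
        msg = json.loads(unseal(self._tk, blob))              # transport layer decryption
        data = bytes.fromhex(msg["data"])
        if msg["op"] == "encrypt":
            result = self._hsm.encrypt(msg["key_id"], data)   # hardware encryption
        elif msg["op"] == "decrypt":
            result = self._hsm.decrypt(msg["key_id"], data)   # hardware decryption
        else:
            raise ValueError("unknown operation")
        reply = {"op": msg["op"], "key_id": msg["key_id"], "data": result.hex()}
        return seal(self._tk, json.dumps(reply).encode())     # transport layer encryption

class VirtualMachine:
    """Steps S10-S40: the VM emits plaintext messages and receives the result."""
    def __init__(self, gateway: NetworkEncryptionGateway):
        self._gw = gateway
    def _round_trip(self, terminal, op: str, key_id: str, data: bytes) -> bytes:
        request = {"op": op, "key_id": key_id, "data": data.hex()}  # first / third message
        blob = terminal.handle(self._gw.to_terminal(request))
        return bytes.fromhex(self._gw.from_terminal(blob)["data"])  # second / fourth message
    def encrypt_app_data(self, terminal, key_id: str, app_data: bytes) -> bytes:
        return self._round_trip(terminal, "encrypt", key_id, app_data)
    def decrypt_app_data(self, terminal, key_id: str, encrypted: bytes) -> bytes:
        return self._round_trip(terminal, "decrypt", key_id, encrypted)

def demo() -> dict:
    """One full cycle on constructed keys and constructed application data."""
    hsm = HardwareEncryptionModule({"key-01": os.urandom(32), "key-02": os.urandom(32)})
    transport_key = os.urandom(32)            # shared by gateway and terminal (assumption)
    gateway = NetworkEncryptionGateway(transport_key)
    terminal = TerminalEquipment(transport_key, hsm)
    vm = VirtualMachine(gateway)
    app_data = b"constructed application record #42"
    encrypted = vm.encrypt_app_data(terminal, "key-01", app_data)
    decrypted = vm.decrypt_app_data(terminal, "key-01", encrypted)
    return {"plain": app_data, "encrypted": encrypted, "decrypted": decrypted}
```

The property the key-identification embodiment relies on is visible in the message format: the first message carries only `key_id`, and `HardwareEncryptionModule` never returns key material, so a captured message yields the identifier but not the key. Because the hardware module authenticates before decrypting, a fourth-message request that names the wrong key identification, or ciphertext altered in transit, is refused rather than turned into garbage plaintext.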
Fig. 3 is a flow chart of a third virtual machine system data encryption method provided by an embodiment of the invention. As shown in Fig. 3, the virtual machine system data encryption method provided by the present embodiment may be implemented in cooperation with the virtual machine system data encryption method applied to terminal equipment provided by any embodiment of the invention; the specific implementation is not repeated here. The virtual machine system data encryption method provided by the present embodiment specifically includes:
Step S10: the virtual machine generates a first message from application data received from an application program in the virtual machine, and sends the first message to the network encryption gateway;
Step S20: the virtual machine receives a transport-layer-decrypted second message sent by the network encryption gateway, extracts the encrypted application data from the transport-layer-decrypted second message and sends the encrypted application data to the application program, where the encrypted application data is obtained by the terminal equipment performing hardware encryption on the application data.
In the virtual machine system data encryption method provided by the present embodiment, the virtual machine generates a first message from the application data received from the application program in the virtual machine, sends the first message to the network encryption gateway, receives the transport-layer-decrypted second message sent by the network encryption gateway, extracts the encrypted application data from it and sends the encrypted application data to the application program, where the encrypted application data is obtained by the corresponding terminal equipment performing hardware encryption on the application data. Because the application data produced by the virtual machine is encrypted by terminal equipment provided with a hardware encryption module, no encryption card needs to be inserted in the physical server, and encryption support is provided for the application data of multiple virtual machines on the physical server. The encryption process also makes full use of the processing capability of the terminal equipment and reduces the load on the virtual machine.
In the present embodiment, step S10, in which the virtual machine generates the first message from the application data received from the application program in the virtual machine, may specifically be:
The virtual machine generates the first message from the application data and a key identification received from the application program, where the key identification identifies a key.
When multiple keys are stored in the hardware encryption module of the terminal equipment, the use of a key identification means that the real key is never transmitted, which guarantees the security of the key.
In the present embodiment, step S10, in which the virtual machine sends the first message to the network encryption gateway, is specifically:
The virtual machine sends the first message to the network encryption gateway through a tunnel, established between the virtual desktop agent module of the virtual machine and the virtual desktop agent client module of the terminal equipment, that passes via the network encryption gateway;
Step S20, in which the virtual machine receives the transport-layer-decrypted second message sent by the network encryption gateway, is specifically:
The virtual machine receives the transport-layer-decrypted second message sent by the network encryption gateway through the tunnel.
In the present embodiment, before the virtual machine sends the first message to the network encryption gateway in step S10, the method may further include:
The virtual desktop agent module of the virtual machine and the virtual desktop agent client module of the terminal equipment establish the tunnel.
Fig. 4 is a flow chart of a fourth virtual machine system data encryption method provided by an embodiment of the invention. As shown in Fig. 4, the virtual machine system data encryption method may further include:
Step S30: the virtual machine generates a third message from already-encrypted application data received from the application program in the virtual machine, and sends the third message to the network encryption gateway;
Step S40: the virtual machine receives a transport-layer-decrypted fourth message sent by the network encryption gateway, extracts the decrypted application data from the transport-layer-decrypted fourth message and sends the decrypted application data to the application program, where the decrypted application data is obtained by the terminal equipment performing hardware decryption on the already-encrypted application data.
Fig. 5 is a schematic structural diagram of a first terminal equipment provided by an embodiment of the invention. As shown in Fig. 5, the terminal equipment 81 provided by the present embodiment can implement each step of the virtual machine system data encryption method applied to terminal equipment provided by any embodiment of the invention; the specific implementation is not repeated here. The terminal equipment 81 provided by the present embodiment specifically includes a transport layer decryption module 11, a cryptographic service module 12 and a transport layer encryption module 13. The transport layer decryption module 11 is used to receive the transport-layer-encrypted first message sent by the network encryption gateway and to perform transport layer decryption on it. The cryptographic service module 12 is connected to the transport layer decryption module 11 and is used to extract application data from the decrypted first message and to have the application data hardware-encrypted by the hardware encryption module 14 arranged on the terminal equipment 81, where the application data is data produced by a virtual machine in the virtual machine system. The transport layer encryption module 13 is connected to the cryptographic service module 12 and is used to generate a second message from the encrypted application data, perform transport layer encryption on the second message and send the transport-layer-encrypted second message to the network encryption gateway.
In the terminal equipment 81 provided by the present embodiment, the transport layer decryption module 11 receives the transport-layer-encrypted first message sent by the network encryption gateway and performs transport layer decryption on it; the cryptographic service module 12 extracts the application data from the decrypted first message and has it hardware-encrypted by the hardware encryption module 14 arranged on the terminal equipment 81, where the application data is data produced by a virtual machine in the virtual machine system; and the transport layer encryption module 13 generates a second message from the encrypted application data, performs transport layer encryption on the second message and sends the transport-layer-encrypted second message to the network encryption gateway. Because the application data produced by the virtual machine is encrypted by the terminal equipment 81 provided with the hardware encryption module 14, no encryption card needs to be inserted in the physical server, and encryption support is provided for the application data of multiple virtual machines on the physical server. The encryption process also makes full use of the processing capability of the terminal equipment 81 and reduces the load on the virtual machine.
In the present embodiment, the first message includes a key identification that identifies a key; the cryptographic service module 12 is specifically used to extract the application data and the key identification from the decrypted first message and to send both to the hardware encryption module 14, which determines the key according to the key identification, encrypts the application data with that key and returns the encrypted application data to the terminal equipment 81.
Fig. 6 is a schematic structural diagram of a second terminal equipment provided by an embodiment of the invention. As shown in Fig. 6, in the present embodiment the terminal equipment 81 further includes a virtual desktop agent client module 15, used to establish, with the virtual desktop agent module of the virtual machine, a tunnel passing via the network encryption gateway. Correspondingly, the transport layer decryption module 11 is specifically used to receive the transport-layer-encrypted first message sent by the network encryption gateway through the tunnel, and the transport layer encryption module 13 is specifically used to send the transport-layer-encrypted second message to the network encryption gateway through the tunnel.
In the present embodiment, the transport layer decryption module 11 is further used to receive a transport-layer-encrypted third message sent by the network encryption gateway and to perform transport layer decryption on it; the cryptographic service module 12 is further used to extract the already-encrypted application data from the decrypted first message and to have it hardware-decrypted by the hardware encryption module 14 arranged on the terminal equipment 81, where the already-encrypted application data is data produced by a virtual machine in the virtual machine system that has been hardware-encrypted by the hardware encryption module 14 of the terminal equipment 81; and the transport layer encryption module 13 is further used to generate a fourth message from the decrypted application data, perform transport layer encryption on the fourth message and send the transport-layer-encrypted fourth message to the network encryption gateway.
Fig. 7 is a schematic structural diagram of a first virtual machine provided by an embodiment of the invention. As shown in Fig. 7, the virtual machine 82 provided by the present embodiment can implement each step of the virtual machine system data encryption method applied to a virtual machine provided by any embodiment of the invention; the specific implementation is not repeated here. The virtual machine 82 provided by the present embodiment specifically includes a transmission processing module 21 and a receiving processing module 22. The transmission processing module 21 is used to generate a first message from application data received from an application program in the virtual machine 82 and to send the first message to the network encryption gateway. The receiving processing module 22 is used to receive a transport-layer-decrypted second message sent by the network encryption gateway, extract the encrypted application data from the transport-layer-decrypted second message and send the encrypted application data to the application program, where the encrypted application data is obtained by the terminal equipment performing hardware encryption on the application data.
Specifically, in practice the application program in the virtual machine 82 can send application data to the transmission processing module 21 by calling the API (Application Programming Interface) of the transmission processing module 21.
In the virtual machine 82 provided by the present embodiment, the transmission processing module 21 generates a first message from the application data received from the application program in the virtual machine 82 and sends the first message to the network encryption gateway; the receiving processing module 22 receives the transport-layer-decrypted second message sent by the network encryption gateway, extracts the encrypted application data from it and sends the encrypted application data to the application program, where the encrypted application data is obtained by the corresponding terminal equipment performing hardware encryption on the application data. Because the application data produced by the virtual machine 82 is encrypted by terminal equipment provided with a hardware encryption module, no encryption card needs to be inserted in the physical server, and encryption support is provided for the application data of multiple virtual machines 82 on the physical server. The encryption process also makes full use of the processing capability of the terminal equipment and reduces the load on the virtual machine 82.
In the present embodiment, the transmission processing module 21 is specifically used to generate the first message from the application data and a key identification received from the application program, where the key identification identifies a key.
Fig. 8 is a schematic structural diagram of a second virtual machine provided by an embodiment of the invention. As shown in Fig. 8, in the present embodiment the virtual machine 82 further includes a virtual desktop agent module 23, used to establish, with the virtual desktop agent client module of the terminal equipment, a tunnel passing via the network encryption gateway. Correspondingly, the transmission processing module 21 is specifically used to send the first message to the network encryption gateway through the tunnel, and the receiving processing module 22 is specifically used to receive the transport-layer-decrypted second message sent by the network encryption gateway through the tunnel.
In the present embodiment, the transmission processing module 21 is further used to generate a third message from already-encrypted application data received from the application program in the virtual machine 82 and to send the third message to the network encryption gateway; the receiving processing module 22 is further used to receive a transport-layer-decrypted fourth message sent by the network encryption gateway, extract the decrypted application data from the transport-layer-decrypted fourth message and send the decrypted application data to the application program, where the decrypted application data is obtained by the terminal equipment performing hardware decryption on the already-encrypted application data.
Fig. 9 is a schematic structural diagram of a third terminal equipment provided by an embodiment of the invention. As shown in Fig. 9, the terminal equipment 700 provided by the present embodiment can implement each step of the virtual machine system data encryption method applied to terminal equipment provided by any embodiment of the invention; the specific implementation is not repeated here. The terminal equipment 700 provided by the present embodiment specifically includes a processor 710, a communication interface 720, a memory 730 and a communication bus 740, where the processor 710, the communication interface 720 and the memory 730 communicate with one another through the communication bus 740. The communication interface 720 is used to receive the transport-layer-encrypted first message sent by the network encryption gateway and to send the transport-layer-encrypted second message to the network encryption gateway. The memory 730 is used to store instructions. The processor 710 is configured to execute the instructions stored in the memory 730, and in particular to perform transport layer decryption on the transport-layer-encrypted first message, extract application data from the decrypted first message and have the application data hardware-encrypted by the hardware encryption module arranged on the terminal equipment, where the application data is data produced by a virtual machine in the virtual machine system, and to generate a second message from the encrypted application data and perform transport layer encryption on the second message.
Fig. 10 is a schematic structural diagram of a computer node for a virtual machine provided by an embodiment of the invention. As shown in Fig. 10, the computer node 800 for a virtual machine provided by the present embodiment can implement each step of the virtual machine system data encryption method applied to a virtual machine provided by any embodiment of the invention; the specific implementation is not repeated here. The computer node 800 provided by the present embodiment specifically includes a processor 810, a communication interface 820, a memory 830 and a communication bus 840, where the processor 810, the communication interface 820 and the memory 830 communicate with one another through the communication bus 840. The communication interface 820 is used to send the first message to the network encryption gateway and to receive the transport-layer-decrypted second message sent by the network encryption gateway. The memory 830 is used to store instructions. The processor 810 is configured to execute the instructions stored in the memory 830, and in particular to generate the first message from the application data received from the application program in the virtual machine, and to extract the encrypted application data from the transport-layer-decrypted second message and send the encrypted application data to the application program, where the encrypted application data is obtained by the terminal equipment performing hardware encryption on the application data.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments can be completed by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; and the storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of the invention and are not intended to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the invention.

Claims (20)

1. A virtual machine system data encryption method, characterized in that it comprises:
a terminal equipment receives a transport-layer-encrypted first message sent by a network encryption gateway and performs transport layer decryption on the transport-layer-encrypted first message;
the terminal equipment extracts application data from the decrypted first message and performs hardware encryption on the application data by means of a hardware encryption module provided on the terminal equipment, wherein the application data is data produced by a virtual machine in the virtual machine system;
the terminal equipment generates a second message from the encrypted application data, performs transport layer encryption on the second message, and sends the transport-layer-encrypted second message to the network encryption gateway.
2. The virtual machine system data encryption method according to claim 1, characterized in that the first message comprises a key identification used to identify a key; and
the step of the terminal equipment extracting application data from the decrypted first message and performing hardware encryption on the application data by means of the hardware encryption module provided on the terminal equipment is specifically:
the terminal equipment extracts the application data and the key identification from the decrypted first message and sends the application data and the key identification to the hardware encryption module; the hardware encryption module determines the key according to the key identification, encrypts the application data with that key, and returns the encrypted application data to the terminal equipment.
3. The virtual machine system data encryption method according to claim 1 or 2, characterized in that:
the step of the terminal equipment receiving the transport-layer-encrypted first message sent by the network encryption gateway is specifically:
the terminal equipment receives the transport-layer-encrypted first message sent by the network encryption gateway through a tunnel, passing via the network encryption gateway, that is established between the virtual desktop agent client module of the terminal equipment and the virtual desktop proxy module of the virtual machine;
the step of the terminal equipment sending the transport-layer-encrypted second message to the network encryption gateway is specifically:
the terminal equipment sends the transport-layer-encrypted second message to the network encryption gateway through the tunnel.
4. The virtual machine system data encryption method according to claim 3, characterized in that, before the terminal equipment receives, through the tunnel passing via the network encryption gateway that is established between the virtual desktop agent client module of the terminal equipment and the virtual desktop proxy module of the virtual machine, the transport-layer-encrypted first message sent by the network encryption gateway, the method further comprises:
the virtual desktop agent client module of the terminal equipment and the virtual desktop proxy module of the virtual machine establish the tunnel.
5. The virtual machine system data encryption method according to claim 1, characterized in that the method further comprises:
the terminal equipment receives a transport-layer-encrypted third message sent by the network encryption gateway and performs transport layer decryption on the transport-layer-encrypted third message;
the terminal equipment extracts already-encrypted application data from the decrypted first message and performs hardware decryption on the encrypted application data by means of the hardware encryption module provided on the terminal equipment, wherein the encrypted application data is data produced by a virtual machine in the virtual machine system that has been hardware-encrypted by the hardware encryption module of the terminal equipment;
the terminal equipment generates a fourth message from the decrypted application data, performs transport layer encryption on the fourth message, and sends the transport-layer-encrypted fourth message to the network encryption gateway.
6. A virtual machine system data encryption method, characterized in that it comprises:
a virtual machine generates a first message from application data received from an application program in the virtual machine and sends the first message to a network encryption gateway;
the virtual machine receives a transport-layer-decrypted second message sent by the network encryption gateway, extracts the encrypted application data from the transport-layer-decrypted second message, and sends the encrypted application data to the application program, wherein the encrypted application data is obtained by a terminal equipment performing hardware encryption on the application data.
7. The virtual machine system data encryption method according to claim 6, characterized in that the step of the virtual machine generating the first message from the application data received from the application program in the virtual machine is specifically:
the virtual machine generates the first message from the application data and a key identification received from the application program, wherein the key identification is used to identify a key.
8. The virtual machine system data encryption method according to claim 6 or 7, characterized in that:
the step of the virtual machine sending the first message to the network encryption gateway is specifically:
the virtual machine sends the first message to the network encryption gateway through a tunnel, passing via the network encryption gateway, that is established between the virtual desktop proxy module of the virtual machine and the virtual desktop agent client module of the terminal equipment;
the step of the virtual machine receiving the transport-layer-decrypted second message sent by the network encryption gateway is specifically:
the virtual machine receives, through the tunnel, the transport-layer-decrypted second message sent by the network encryption gateway.
9. The virtual machine system data encryption method according to claim 8, characterized in that, before the virtual machine sends the first message to the network encryption gateway, the method further comprises:
the virtual desktop proxy module of the virtual machine and the virtual desktop agent client module of the terminal equipment establish the tunnel.
10. The virtual machine system data encryption method according to claim 6, characterized in that the method further comprises:
the virtual machine generates a third message from already-encrypted application data received from the application program in the virtual machine and sends the third message to the network encryption gateway;
the virtual machine receives a transport-layer-decrypted fourth message sent by the network encryption gateway, extracts the decrypted application data from the transport-layer-decrypted fourth message, and sends the decrypted application data to the application program, wherein the decrypted application data is obtained by the terminal equipment performing hardware decryption on the encrypted application data.
11. A terminal equipment, characterized in that it comprises:
a transport layer decryption module, configured to receive a transport-layer-encrypted first message sent by a network encryption gateway and to perform transport layer decryption on the transport-layer-encrypted first message;
a cryptographic service module, connected to the transport layer decryption module and configured to extract application data from the decrypted first message and to perform hardware encryption on the application data by means of a hardware encryption module provided on the terminal equipment, wherein the application data is data produced by a virtual machine in a virtual machine system;
a transport layer encryption module, connected to the cryptographic service module and configured to generate a second message from the encrypted application data, to perform transport layer encryption on the second message, and to send the transport-layer-encrypted second message to the network encryption gateway.
12. The terminal equipment according to claim 11, characterized in that the first message comprises a key identification used to identify a key; and
the cryptographic service module is specifically configured to extract the application data and the key identification from the decrypted first message and to send the application data and the key identification to the hardware encryption module, the hardware encryption module determining the key according to the key identification, encrypting the application data with that key, and returning the encrypted application data to the terminal equipment.
13. The terminal equipment according to claim 11 or 12, characterized in that it further comprises:
a virtual desktop agent client module, configured to establish, with the virtual desktop proxy module of the virtual machine, a tunnel passing via the network encryption gateway;
the transport layer decryption module being specifically configured to receive, through the tunnel, the transport-layer-encrypted first message sent by the network encryption gateway;
the transport layer encryption module being specifically configured to send the transport-layer-encrypted second message to the network encryption gateway through the tunnel.
14. The terminal equipment according to claim 11, characterized in that:
the transport layer decryption module is further configured to receive a transport-layer-encrypted third message sent by the network encryption gateway and to perform transport layer decryption on the transport-layer-encrypted third message;
the cryptographic service module is further configured to extract already-encrypted application data from the decrypted first message and to perform hardware decryption on the encrypted application data by means of the hardware encryption module provided on the terminal equipment, wherein the encrypted application data is data produced by a virtual machine in the virtual machine system that has been hardware-encrypted by the hardware encryption module of the terminal equipment;
the transport layer encryption module is further configured to generate a fourth message from the decrypted application data, to perform transport layer encryption on the fourth message, and to send the transport-layer-encrypted fourth message to the network encryption gateway.
15. A virtual machine, characterized in that it comprises:
a transmission processing module, configured to generate a first message from application data received from an application program in the virtual machine and to send the first message to a network encryption gateway;
a receiving processing module, configured to receive a transport-layer-decrypted second message sent by the network encryption gateway, to extract the encrypted application data from the transport-layer-decrypted second message, and to send the encrypted application data to the application program, wherein the encrypted application data is obtained by a terminal equipment performing hardware encryption on the application data.
16. The virtual machine according to claim 15, characterized in that the transmission processing module is specifically configured to generate the first message from the application data and a key identification received from the application program, wherein the key identification is used to identify a key.
17. The virtual machine according to claim 15 or 16, characterized in that it further comprises:
a virtual desktop proxy module, configured to establish, with the virtual desktop agent client module of the terminal equipment, a tunnel passing via the network encryption gateway;
the transmission processing module being specifically configured to send the first message to the network encryption gateway through the tunnel;
the receiving processing module being specifically configured to receive, through the tunnel, the transport-layer-decrypted second message sent by the network encryption gateway.
18. The virtual machine according to claim 15, characterized in that:
the transmission processing module is further configured to generate a third message from already-encrypted application data received from the application program in the virtual machine and to send the third message to the network encryption gateway;
the receiving processing module is further configured to receive a transport-layer-decrypted fourth message sent by the network encryption gateway, to extract the decrypted application data from the transport-layer-decrypted fourth message, and to send the decrypted application data to the application program, wherein the decrypted application data is obtained by the terminal equipment performing hardware decryption on the encrypted application data.
19. A terminal equipment, characterized in that it comprises a processor, a communication interface, a memory and a bus, wherein:
the processor, the communication interface and the memory communicate with one another through the bus;
the communication interface is configured to receive a transport-layer-encrypted first message sent by a network encryption gateway and to send a transport-layer-encrypted second message to the network encryption gateway;
the memory is configured to store instructions;
the processor is configured to execute the instructions stored in the memory, and in particular to perform transport layer decryption on the transport-layer-encrypted first message, to extract application data from the decrypted first message, and to perform hardware encryption on the application data by means of a hardware encryption module provided on the terminal equipment, wherein the application data is data produced by a virtual machine in a virtual machine system; and to generate the second message from the encrypted application data and perform transport layer encryption on the second message.
20. A computer node for a virtual machine, characterized in that it comprises a processor, a communication interface, a memory and a bus, wherein:
the processor, the communication interface and the memory communicate with one another through the bus;
the communication interface is configured to send a first message to a network encryption gateway and to receive a transport-layer-decrypted second message sent by the network encryption gateway;
the memory is configured to store instructions;
the processor is configured to execute the instructions stored in the memory, and in particular to generate the first message from application data received from an application program in the virtual machine, to extract the encrypted application data from the transport-layer-decrypted second message, and to send the encrypted application data to the application program, wherein the encrypted application data is obtained by a terminal equipment performing hardware encryption on the application data.
CN201210544060.0A 2012-12-14 2012-12-14 Dummy machine system data ciphering method and equipment Active CN103873245B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201210544060.0A CN103873245B (en) 2012-12-14 2012-12-14 Dummy machine system data ciphering method and equipment
PCT/CN2013/079696 WO2014089968A1 (en) 2012-12-14 2013-07-19 Virtual machine system data encryption method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210544060.0A CN103873245B (en) 2012-12-14 2012-12-14 Dummy machine system data ciphering method and equipment

Publications (2)

Publication Number Publication Date
CN103873245A true CN103873245A (en) 2014-06-18
CN103873245B CN103873245B (en) 2017-12-22

Family

ID=50911395

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210544060.0A Active CN103873245B (en) 2012-12-14 2012-12-14 Dummy machine system data ciphering method and equipment

Country Status (2)

Country Link
CN (1) CN103873245B (en)
WO (1) WO2014089968A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105162577A (en) * 2015-08-26 2015-12-16 深圳市深信服电子科技有限公司 Encryption and decryption method in virtual environment and physical server
CN106341419A (en) * 2016-10-17 2017-01-18 重庆邮电大学 Method and mobile terminal for invoking external encryption and decryption module
CN107533471A (en) * 2015-04-23 2018-01-02 阿尔卡特朗讯公司 Virtualization applications performance is improved by disabling unnecessary function
CN110888716A (en) * 2019-12-17 2020-03-17 北京天融信网络安全技术有限公司 Data processing method and device, storage medium and electronic equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447907A (en) * 2008-10-31 2009-06-03 北京东方中讯联合认证技术有限公司 VPN secure access method and system thereof
WO2009070430A2 (en) * 2007-11-08 2009-06-04 Suridx, Inc. Apparatus and methods for providing scalable, dynamic, individualized credential services using mobile telephones
CN101630270A (en) * 2009-07-22 2010-01-20 成都市华为赛门铁克科技有限公司 Data processing system and method therefor
CN201499183U (en) * 2009-09-14 2010-06-02 陈博东 Virtual network separation system
CN102270153A (en) * 2011-08-12 2011-12-07 曙光信息产业(北京)有限公司 Method and device for sharing encrypted card in virtual environment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101587524B (en) * 2009-06-23 2015-02-11 宏碁电脑(上海)有限公司 Method for encrypting data memory apparatus based on virtual system
CN102289631B (en) * 2011-08-12 2014-12-10 无锡城市云计算中心有限公司 Method for realizing virtual safety computing environment
CN102664896A (en) * 2012-04-28 2012-09-12 郑州信大捷安信息技术股份有限公司 Safety network transmission system and method based on hardware encryption

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009070430A2 (en) * 2007-11-08 2009-06-04 Suridx, Inc. Apparatus and methods for providing scalable, dynamic, individualized credential services using mobile telephones
WO2009070430A3 (en) * 2007-11-08 2009-11-05 Suridx, Inc. Apparatus and methods for providing scalable, dynamic, individualized credential services using mobile telephones
CN101447907A (en) * 2008-10-31 2009-06-03 北京东方中讯联合认证技术有限公司 VPN secure access method and system thereof
CN101630270A (en) * 2009-07-22 2010-01-20 成都市华为赛门铁克科技有限公司 Data processing system and method therefor
CN201499183U (en) * 2009-09-14 2010-06-02 陈博东 Virtual network separation system
CN102270153A (en) * 2011-08-12 2011-12-07 曙光信息产业(北京)有限公司 Method and device for sharing encrypted card in virtual environment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
郑兴艳: "《安全虚拟桌面系统的设计与实现》", 《中国优秀硕士学位论文全文数据库(电子期刊)》 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107533471A (en) * 2015-04-23 2018-01-02 阿尔卡特朗讯公司 Virtualization applications performance is improved by disabling unnecessary function
US11095616B2 (en) 2015-04-23 2021-08-17 Alcatel Lucent Virtualized application performance through disabling of unnecessary functions
CN105162577A (en) * 2015-08-26 2015-12-16 深圳市深信服电子科技有限公司 Encryption and decryption method in virtual environment and physical server
CN105162577B (en) * 2015-08-26 2019-07-12 深信服科技股份有限公司 Encrypting and decrypting method and physical server under virtual environment
CN106341419A (en) * 2016-10-17 2017-01-18 重庆邮电大学 Method and mobile terminal for invoking external encryption and decryption module
CN106341419B (en) * 2016-10-17 2019-04-19 重庆邮电大学 A kind of method that calling external encryption/decryption module and mobile terminal
CN110888716A (en) * 2019-12-17 2020-03-17 北京天融信网络安全技术有限公司 Data processing method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
WO2014089968A1 (en) 2014-06-19
CN103873245B (en) 2017-12-22

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
    Effective date of registration: 20220209
    Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province
    Patentee after: Huawei Cloud Computing Technologies Co.,Ltd.
    Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
    Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.
TR01 Transfer of patent right
    Effective date of registration: 20221212
    Address after: 518129 Huawei Headquarters Office Building 101, Wankecheng Community, Bantian Street, Longgang District, Shenzhen, Guangdong
    Patentee after: Huawei Cloud Computing Technologies Co.,Ltd.
    Address before: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province
    Patentee before: Huawei Cloud Computing Technologies Co.,Ltd.