CN105721441B - Identity authentication method in virtualization environment - Google Patents


Info

Publication number: CN105721441B
Authority: CN (China)
Prior art keywords: user, remote, authentication, server, random number
Legal status: Active
Application number: CN201610041952.7A
Other languages: Chinese (zh)
Other versions: CN105721441A (en)
Inventors: 付才, 余蓓, 韩兰胜, 刘铭, 崔永泉, 汤学明, 骆婷
Current Assignee: Huazhong University of Science and Technology
Original Assignee: Huazhong University of Science and Technology
Priority date: 2016-01-22
Filing date: 2016-01-22
Publication date: 2020-06-02


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent passwords, e.g. periodically changing passwords
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention designs and implements an identity authentication method in a virtualization environment, comprising the following steps. First, the server virtualization environment is configured to allow remote connections to virtual machines only from local IP addresses. Then the basic information of each remote virtual-machine user is registered and recorded, and the USB Key hardware device corresponding to that user is uniquely assigned to the user. Next, the remote user holding the corresponding USB Key sends information such as a user name and password to the master server and requests authentication from it; if the master server's identity authentication passes, the master server returns a random number to the remote user and notifies the slave server of the same random number, and the remote user must send that random number together with the remote user's identity information to the slave server within the validity period to initiate secondary authentication with the slave server. After all authentications have passed, the slave server starts the corresponding virtual machine and communicates with the remote user through the transmission agent, so that the remote user successfully logs in to the remote desktop in the virtualization environment.

Description

Identity authentication method in virtualization environment
Technical Field
The invention belongs to the technical field of cloud computing, and particularly relates to an identity authentication method in a virtualization environment.
Background
Cloud computing is a new business computing model; its practical application in many respects still has many uncertainties and faces many security challenges. The security of user data on the cloud platform is a particularly prominent problem, mainly for the following reasons. The efficiency of virtualization in the cloud requires that virtual machines belonging to multiple organizations coexist on the same physical resource. Although traditional data-centre security measures still apply in cloud environments, physical isolation and hardware-based security cannot protect against attacks between virtual machines on the same server. Management access is through the Internet rather than the controlled and restricted direct or on-site connection that the traditional data-centre model adheres to. This increases risk and exposure, and requires close monitoring of changes to system control and of access-control restrictions.
At present, existing cloud platforms generally provide a way for a remote user to connect to a virtual machine, but the connection is made directly, with no restriction on who may connect, so any user can remotely connect to a virtual machine and map its remote desktop, which makes the virtualization environment extremely insecure.
Disclosure of Invention
Aiming at the defects of the prior art, the invention aims to provide an identity authentication method for remote connection to a virtual machine in a virtualization environment, which enhances the security and controllable management of virtualization remote desktop connections on the current basis and prevents malicious users from logging in to the remote desktop of a virtual machine, thereby raising the overall security level of the system.
In order to achieve the above object, the present invention provides an identity authentication method in a virtualization environment, comprising the following steps:
(1) setting the server virtualization environment to allow remote connections to the virtual machine only from local IP addresses;
(2) registering and recording the basic information of the remote virtual-machine user, and uniquely assigning to the user the USB Key hardware device corresponding to that user;
(3) when a remote user connects to the remote virtualization environment for a remote desktop connection, identity authentication with the USB Key must be performed first;
(4) if the remote user passes the USB Key authentication, the remote user sends information such as a user name and password to the master server to request authentication by the master server; otherwise authentication fails;
(5) if the master server's identity authentication passes, the master server returns a random number to the remote user and notifies the slave server of the random number; otherwise authentication fails;
(6) the remote user sends the random number and the remote user's identity information to the slave server within the validity period, initiating secondary authentication with the slave server;
(7) if the slave server's authentication passes, the slave server starts the corresponding virtual machine and communicates with the remote user through the transmission agent, so that the remote user successfully logs in to the remote desktop in the virtualization environment and authentication is passed; otherwise authentication fails.
By setting the server virtualization environment to allow remote connections to the virtual machine only from local IP addresses, the remote user cannot make a direct remote desktop connection and must be forwarded through a transmission agent that serves only authenticated users, which prevents the user from bypassing authentication in order to connect to the remote virtual machine.
The USB Key and the user keep a unique one-to-one correspondence.
The slave server and the user both obtain the same random number from the master server; the random number obtained by the user from the master server is valid only for a certain time, and once that time has elapsed the authenticating slave server marks the random number as invalid.
Through the technical scheme, compared with the prior art, the invention has the following beneficial effects:
1. because step (1) allows only local IP addresses to connect remotely to the virtual machine, the remote user cannot make a direct remote desktop connection and must be forwarded through the transmission agent program, and the agent program serves only authenticated users, so a user cannot bypass identity authentication when wishing to connect to the remote virtual machine;
2. because USB Key hardware is used in step (2), even if an attacker learns information such as the user name and password, the attacker still cannot log in to the system without obtaining the USB Key hardware. The problem of the distance definition being too sensitive is overcome;
3. because step (5) sends the random number to the slave server and the client at the same time, it is ensured that a user who has not passed the master server's authentication cannot initiate authentication directly with the slave server;
4. because step (5) sets a validity period for the slave server's random number, a user whose connection has timed out cannot connect to the slave server, which effectively prevents the random number from being used after it has expired.
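The two-stage flow of steps (3) to (7), as an added example in Python that is not the patent's own code: a master server that checks the USB Key and then the password and, on success, issues a time-limited, single-use random number to both the user and the slave server; and a slave server that accepts the number only from the identity it was issued to, only within NONCE_TTL seconds, and only once. The patent does not specify how the USB Key proves itself, so it is modelled here as an HMAC challenge-response over a device-held secret; the class and function names, the 30-second window and the sample secrets are assumptions.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 30.0  # assumed validity window of the random number, in seconds


class SlaveServer:
    """Performs the secondary authentication of steps (5)-(7)."""

    def __init__(self):
        self._pending = {}  # nonce -> (username, expires_at), as announced by the master

    def register_nonce(self, nonce, username, expires_at):
        self._pending[nonce] = (username, expires_at)

    def second_auth(self, nonce, username, now=None):
        """Return a session id for the transmission agent, or None on failure."""
        now = time.time() if now is None else now
        entry = self._pending.pop(nonce, None)  # consumed on first use: no replay
        if entry is None:
            return None  # never issued by the master, or already used
        bound_user, expires_at = entry
        if now > expires_at:
            return None  # validity period elapsed: the slave treats the number as invalid
        if not hmac.compare_digest(bound_user.encode(), username.encode()):
            return None  # the random number was issued to a different identity
        return secrets.token_hex(8)  # only this session is forwarded to the VM


class MasterServer:
    """Holds user records (step 2) and performs the first-stage checks (steps 3-5)."""

    def __init__(self, slave):
        self._slave = slave
        self._users = {}  # username -> (salt, password_hash, usb_key_secret)

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, usb_key_secret):
        """Step (2): record the user and bind exactly one USB Key secret to them."""
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(salt, password), usb_key_secret)

    @staticmethod
    def challenge():
        return secrets.token_bytes(16)

    def authenticate(self, username, password, challenge, key_response, now=None):
        """USB Key proof first (step 3), then password (step 4), then issue a nonce (step 5)."""
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, pw_hash, key_secret = rec
        if not hmac.compare_digest(usb_key_sign(key_secret, challenge), key_response):
            return None  # wrong or missing USB Key: the password is not even checked
        if not hmac.compare_digest(pw_hash, self._hash(salt, password)):
            return None  # user name / password rejected
        nonce = secrets.token_hex(16)
        self._slave.register_nonce(nonce, username, now + NONCE_TTL)  # tell the slave too
        return nonce


def usb_key_sign(key_secret, challenge):
    """What the USB Key computes over the master's challenge (modelled in software here)."""
    return hmac.new(key_secret, challenge, "sha256").digest()
```

Calling second_auth with a number the master never issued, with a replayed number, or after the window has elapsed returns None, which is the behaviour benefits 3 and 4 describe.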
Drawings
FIG. 1 is a flow chart of the identity authentication method in the virtualization environment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in FIG. 1, the identity authentication method in the virtualization environment of the present invention comprises steps (1) to (7) as set out above, with the same constraints on the transmission agent, on the unique correspondence between USB Key and user, and on the validity period of the random number.
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (3)

1. An identity authentication method in a virtualized environment, the method comprising the steps of:
(1) the server virtualization environment is set to allow remote connection to the virtual machine only from local IP addresses, so that a remote user cannot make a direct remote desktop connection and must be forwarded through a transmission agent program, and the agent program serves only authenticated users, so that a user cannot bypass identity authentication when wishing to connect to the remote virtual machine;
(2) registering and recording the basic information of a remote virtual-machine user, and uniquely assigning to the user the USB Key hardware device corresponding to that basic information;
(3) when a remote user connects to the remote virtualization environment for a remote desktop connection, identity authentication with the USB Key must be carried out first;
(4) if the remote user passes the USB Key authentication, the remote user sends information such as a user name and password to the master server to request authentication by the master server; otherwise authentication fails;
(5) if the master server's identity authentication passes, the master server returns a random number to the remote user and notifies the slave server of the random number; otherwise authentication fails;
(6) the remote user sends the random number and the remote user's identity information to the slave server within the validity period, initiating secondary authentication with the slave server;
(7) if the slave server's authentication passes, the slave server starts the corresponding virtual machine and communicates with the remote user through the transmission agent, so that the remote user successfully logs in to the remote desktop in the virtualization environment and authentication is passed; otherwise authentication fails.
2. The method according to claim 1, wherein the USB Key maintains a unique correspondence with a user.
3. The method according to claim 1 or 2, wherein both the slave server and the user obtain the same random number from the master server, the random number obtained by the user from the master server is valid only for a certain time, and the authenticating slave server sets the random number to invalid when that time has expired.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610041952.7A CN105721441B (en) 2016-01-22 2016-01-22 Identity authentication method in virtualization environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610041952.7A CN105721441B (en) 2016-01-22 2016-01-22 Identity authentication method in virtualization environment

Publications (2)

Publication Number Publication Date
CN105721441A CN105721441A (en) 2016-06-29
CN105721441B true CN105721441B (en) 2020-06-02

Family

ID=56154917

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610041952.7A Active CN105721441B (en) 2016-01-22 2016-01-22 Identity authentication method in virtualization environment

Country Status (1)

Country Link
CN (1) CN105721441B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106330577A (en) * 2016-11-11 2017-01-11 郑州云海信息技术有限公司 Management node switching method and system for virtualization management platform
CN109583182B (en) * 2018-11-29 2021-06-04 北京元心科技有限公司 Method and device for starting remote desktop, electronic equipment and computer storage medium
CN111092731A (en) * 2019-11-04 2020-05-01 西安万像电子科技有限公司 Authentication method and server
CN111723042B (en) * 2020-07-02 2022-05-10 宏远智控科技(北京)有限公司 Remote high-speed USB transparent transmission method, device and equipment

Citations (6)

Publication number Priority date Publication date Assignee Title
CN101697540A (en) * 2009-10-15 2010-04-21 浙江大学 Method for authenticating user identity through P2P service request
CN104184743A (en) * 2014-09-10 2014-12-03 西安电子科技大学 Three-layer authentication system and method oriented to cloud computing platform
CN104378206A (en) * 2014-10-20 2015-02-25 中国科学院信息工程研究所 Virtualization desktop safety certification method and system based on USB-Key
CN104579694A (en) * 2015-02-09 2015-04-29 浙江大学 Identity authentication method and system
CN104811455A (en) * 2015-05-18 2015-07-29 成都卫士通信息产业股份有限公司 Cloud computing identity authentication method
CN105187362A (en) * 2014-06-23 2015-12-23 中兴通讯股份有限公司 Method and device for connection authentication between desktop cloud client and server-side

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US9104798B2 (en) * 2013-05-03 2015-08-11 International Business Machines Corporation Enabling remote debugging of virtual machines running in a cloud environment
CN104506625B (en) * 2014-12-22 2018-04-17 国云科技股份有限公司 A kind of method for lifting cloud database metadata node reliability

Also Published As

Publication number Publication date
CN105721441A (en) 2016-06-29

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant