CN105721441B - Identity authentication method in virtualization environment - Google Patents
- Publication number
- CN105721441B (application CN201610041952.7A)
- Authority
- CN
- China
- Prior art keywords
- user
- remote
- authentication
- server
- random number
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0846—Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/08—Protocols specially adapted for terminal emulation, e.g. Telnet
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer And Data Communications (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The invention designs and realizes an identity authentication method in a virtualization environment, which comprises the following steps. First, the server virtualization environment is set to allow only local IP remote connections to virtual machines. Then the basic information of the remote virtual machine user is registered, and the USB Key hardware device corresponding to the user is uniquely allocated to that user. Next, the remote user holding the corresponding USB Key sends information such as a user name and a password to the master server to request authentication; after the user passes the identity authentication of the master server, the master server returns a random number to the remote user and informs the slave server of the same random number, and the remote user must send that random number together with the remote user's identity information to the slave server within the validity period to initiate secondary authentication at the slave server. After all authentications have passed, the slave server starts the corresponding virtual machine and communicates with the remote user through the transmission agent, so that the remote user successfully logs in to the remote desktop in the virtualization environment.
Description
Technical Field
The invention belongs to the technical field of cloud computing, and particularly relates to an identity authentication method in a virtualization environment.
Background
Cloud computing represents a new business computing model; many aspects of its practical application remain uncertain, and it faces many security challenges. The problem of user data security on the cloud platform is particularly prominent, for the following reasons. The efficiency gains of virtualization in the cloud require that virtual machines belonging to multiple organizations coexist on the same physical resource. While traditional data-center security is still applicable to cloud environments, physical isolation and hardware-based security cannot protect against attacks between virtual machines on the same server. Management access takes place over the Internet rather than through the controlled and restricted direct or on-site connection that a traditional data-center model adheres to. This increases risk and exposure, and requires close monitoring of changes in system control and of access-control restrictions.
At present, existing cloud platforms generally provide a way for a remote user to connect to a virtual machine, but the connection is made directly, with no restriction on who may connect, so any user can remotely connect to the virtual machine and map its remote desktop, which makes the virtualization environment extremely insecure.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide an identity authentication method for remote connection to a virtual machine in a virtualization environment, with the goal of enhancing the security and controllable management of virtualized remote desktop connections beyond the current state, and of preventing malicious users from logging in to the remote desktop of a virtual machine, thereby raising the overall security level of the system.
In order to achieve the above object, the present invention provides an identity authentication method in a virtualization environment, comprising the following steps:
(1) setting the server virtualization environment to allow only local IP remote connections to the virtual machine;
(2) registering the basic information of a remote virtual machine user, and uniquely allocating to that user the USB Key hardware device corresponding to the user;
(3) when a remote user connects to the remote virtualization environment for a remote desktop connection, performing the identity authentication of the USB Key first;
(4) if the remote user passes the USB Key authentication, the remote user sends information such as a user name and a password to the master server to request authentication by the master server; otherwise, the authentication fails;
(5) if the remote user passes the identity authentication of the master server, the master server returns a random number to the remote user and informs the slave server of the random number; otherwise, the authentication fails;
(6) the remote user sends the random number and the remote user's identity information to the slave server within the validity period, initiating secondary authentication at the slave server;
(7) if the secondary authentication at the slave server passes, the slave server starts the corresponding virtual machine and communicates with the remote user through the transmission agent, so that the remote user successfully logs in to the remote desktop in the virtualization environment and the authentication passes; otherwise, the authentication fails.
Because the server virtualization environment is set to allow only local IP remote connections to the virtual machine, the remote user cannot make a direct remote desktop connection and must be forwarded through a transmission agent that serves only authenticated users; this prevents a user from bypassing authentication in order to connect to the remote virtual machine.
The USB Key and the user keep a unique corresponding relation.
The slave server and the user both obtain the same random number from the master server; the random number obtained by the user from the master server is valid only for a certain time, and once that time has elapsed the slave server marks the random number invalid.
Through the technical scheme, compared with the prior art, the invention has the following beneficial effects:
1. Because step (1) allows only local IP remote connections to the virtual machine, the remote user cannot make a direct remote desktop connection and must be forwarded through the transmission agent program, which serves only authenticated users, so a user who wants to connect to the remote virtual machine cannot bypass identity authentication;
2. Because USB Key hardware is used in step (2), even if a hacker knows information such as the user name and password, the hacker still cannot log in to the system without obtaining the USB Key hardware. The problem of distance definition being too sensitive is overcome;
3. Because step (5) sends the random number to the slave server and the client at the same time, a user who has not passed the master server's authentication cannot initiate authentication directly at the slave server;
4. Because step (5) sets a validity period for the random number held by the slave server, a user whose connection has timed out cannot connect to the slave server, which effectively prevents use of an expired random number.
Drawings
FIG. 1 is a flow chart of the identity authentication method in the virtualization environment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
As shown in FIG. 1, the identity authentication method in the virtualization environment of the present invention includes the following steps:
(1) setting the server virtualization environment to allow only local IP remote connections to the virtual machine;
(2) registering the basic information of a remote virtual machine user, and uniquely allocating to that user the USB Key hardware device corresponding to the user;
(3) when a remote user connects to the remote virtualization environment for a remote desktop connection, performing the identity authentication of the USB Key first;
(4) if the remote user passes the USB Key authentication, the remote user sends information such as a user name and a password to the master server to request authentication by the master server; otherwise, the authentication fails;
(5) if the remote user passes the identity authentication of the master server, the master server returns a random number to the remote user and informs the slave server of the random number; otherwise, the authentication fails;
(6) the remote user sends the random number and the remote user's identity information to the slave server within the validity period, initiating secondary authentication at the slave server;
(7) if the secondary authentication at the slave server passes, the slave server starts the corresponding virtual machine and communicates with the remote user through the transmission agent, so that the remote user successfully logs in to the remote desktop in the virtualization environment and the authentication passes; otherwise, the authentication fails.
Because the server virtualization environment is set to allow only local IP remote connections to the virtual machine, the remote user cannot make a direct remote desktop connection and must be forwarded through a transmission agent that serves only authenticated users; this prevents a user from bypassing authentication in order to connect to the remote virtual machine.
The USB Key and the user keep a unique corresponding relation.
The slave server and the user both obtain the same random number from the master server; the random number obtained by the user from the master server is valid only for a certain time, and once that time has elapsed the slave server marks the random number invalid.
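The flow in steps (1) to (7) above (and the identical list under Disclosure of Invention), modelled as an added Python example that is not part of the patent: a hypothetical in-process model of the master server, the slave server, the local-only virtual machine desktop port and the transmission agent. The 30-second validity window, the user "alice", her password and USB Key identifier, the clock reading and the peer address are all constructed values; the patent names none of them. The model goes slightly beyond the text in treating the random number as single-use and in checking that it is presented under the identity it was issued for, which is what "the random number and the identity information" in step (6) implies.

```python
import hashlib
import hmac
import secrets

# Assumed validity window for the master-issued random number; the patent
# gives no figure, so 30 seconds is a constructed choice for this model.
NONCE_TTL_SECONDS = 30
LOCAL_IP = "127.0.0.1"


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the master stores a verifier, not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SlaveServer:
    """Second stage (steps 6-7): verifies the master-issued random number, then starts the VM."""

    def __init__(self):
        self.pending = {}           # nonce -> (username, expires_at)
        self.authenticated = set()  # users whose virtual machine has been started

    def expect_nonce(self, username, nonce, expires_at):
        # Step (5): the master informs the slave of the number it just issued.
        self.pending[nonce] = (username, expires_at)

    def secondary_auth(self, username, nonce, now):
        # The number is consumed on first use, so a captured value cannot be replayed.
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return False
        expected_user, expires_at = entry
        if now > expires_at:        # timed out: the slave treats the number as invalid
            return False
        if not hmac.compare_digest(expected_user, username):
            return False
        self.authenticated.add(username)   # step (7): VM started for this user
        return True


class MasterServer:
    """First stage (steps 2-5): USB Key possession check, then user name and password."""

    def __init__(self, slave):
        self.slave = slave
        self.users = {}   # username -> (salt, password_hash, usb_key_id)

    def register(self, username, password, usb_key_id):
        # Step (2): exactly one USB Key identifier is bound to each user.
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt), usb_key_id)

    def authenticate(self, username, password, presented_key_id, now):
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, pw_hash, key_id = rec
        # Step (3): the USB Key is checked before the password is looked at.
        if not hmac.compare_digest(presented_key_id, key_id):
            return None
        # Step (4): user name and password check.
        if not hmac.compare_digest(_hash_password(password, salt), pw_hash):
            return None
        # Step (5): a fresh random number goes to the user and to the slave,
        # together with the time after which the slave must reject it.
        nonce = secrets.token_hex(16)
        self.slave.expect_nonce(username, nonce, now + NONCE_TTL_SECONDS)
        return nonce


def vm_desktop_accepts(peer_ip):
    # Step (1): the virtual machine's desktop port accepts only local-IP connections.
    return peer_ip == LOCAL_IP


def transport_agent_forward(slave, username):
    # The agent runs on the host, so its own connection is local; it forwards
    # only for users the slave has authenticated, which is what closes the bypass.
    return username in slave.authenticated and vm_desktop_accepts(LOCAL_IP)


def run_scenarios():
    """Exercise the flow with a constructed user and return each case's outcome."""
    slave = SlaveServer()
    master = MasterServer(slave)
    master.register("alice", "correct horse", usb_key_id="KEY-0001")  # constructed
    t0 = 1_000_000  # constructed clock reading
    ok = ("alice", "correct horse", "KEY-0001")
    results = {}
    results["direct_remote_connect"] = vm_desktop_accepts("203.0.113.5")      # step (1)
    results["password_without_key"] = master.authenticate("alice", "correct horse", "KEY-9999", t0) is not None
    results["slave_without_master"] = slave.secondary_auth("alice", "deadbeef", t0)  # benefit 3
    nonce = master.authenticate(*ok, t0)
    results["happy_path"] = slave.secondary_auth("alice", nonce, t0 + 5)
    results["agent_forwards_authenticated"] = transport_agent_forward(slave, "alice")
    results["agent_refuses_unauthenticated"] = transport_agent_forward(slave, "mallory")
    results["replay"] = slave.secondary_auth("alice", nonce, t0 + 6)            # already consumed
    results["expired"] = slave.secondary_auth("alice", master.authenticate(*ok, t0), t0 + NONCE_TTL_SECONDS + 1)
    results["wrong_identity"] = slave.secondary_auth("bob", master.authenticate(*ok, t0), t0 + 1)
    return results
```

Every refusal in `run_scenarios` corresponds to one of the four beneficial effects listed above: the direct connection is refused by the local-only port, the stolen user name and password fail without the USB Key, the slave refuses a number the master never issued, and an expired number is refused. A real deployment would replace the in-process `expect_nonce` call with an authenticated channel between master and slave and would bind the USB Key check to a challenge signed by the key rather than to a plain identifier.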
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (3)
1. An identity authentication method in a virtualized environment, the method comprising the steps of:
(1) setting the server virtualization environment to allow only local IP remote connections to the virtual machine, so that a remote user cannot make a direct remote desktop connection and must be forwarded through a transmission agent program, the agent program serving only authenticated users, so that a user who wants to connect to the remote virtual machine cannot bypass identity authentication;
(2) registering the basic information of a remote virtual machine user, and uniquely allocating to that user the USB Key hardware device corresponding to the basic information;
(3) when a remote user connects to the remote virtualization environment for a remote desktop connection, carrying out the identity authentication of the USB Key first;
(4) if the remote user passes the USB Key authentication, the remote user sends information such as a user name and a password to the master server to request authentication by the master server; otherwise, the authentication fails;
(5) if the remote user passes the identity authentication of the master server, the master server returns a random number to the remote user and informs the slave server of the random number; otherwise, the authentication fails;
(6) the remote user sends the random number and the remote user's identity information to the slave server within the validity period, initiating secondary authentication at the slave server;
(7) if the secondary authentication at the slave server passes, the slave server starts the corresponding virtual machine and communicates with the remote user through the transmission agent, so that the remote user successfully logs in to the remote desktop in the virtualization environment and the authentication passes; otherwise, the authentication fails.
2. The method according to claim 1, wherein the USB Key maintains a unique correspondence with a user.
3. The method according to claim 1 or 2, wherein the slave server and the user both obtain the same random number from the master server, the random number obtained by the user from the master server is valid only for a certain time, and the slave server sets the random number to invalid once that time has expired.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610041952.7A CN105721441B (en) | 2016-01-22 | 2016-01-22 | Identity authentication method in virtualization environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610041952.7A CN105721441B (en) | 2016-01-22 | 2016-01-22 | Identity authentication method in virtualization environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105721441A CN105721441A (en) | 2016-06-29 |
CN105721441B true CN105721441B (en) | 2020-06-02 |
Family
ID=56154917
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610041952.7A Active CN105721441B (en) | 2016-01-22 | 2016-01-22 | Identity authentication method in virtualization environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105721441B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106330577A (en) * | 2016-11-11 | 2017-01-11 | 郑州云海信息技术有限公司 | Management node switching method and system for virtualization management platform |
CN109583182B (en) * | 2018-11-29 | 2021-06-04 | 北京元心科技有限公司 | Method and device for starting remote desktop, electronic equipment and computer storage medium |
CN111092731A (en) * | 2019-11-04 | 2020-05-01 | 西安万像电子科技有限公司 | Authentication method and server |
CN111723042B (en) * | 2020-07-02 | 2022-05-10 | 宏远智控科技(北京)有限公司 | Remote high-speed USB transparent transmission method, device and equipment |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101697540A (en) * | 2009-10-15 | 2010-04-21 | 浙江大学 | Method for authenticating user identity through P2P service request |
CN104184743A (en) * | 2014-09-10 | 2014-12-03 | 西安电子科技大学 | Three-layer authentication system and method oriented to cloud computing platform |
CN104378206A (en) * | 2014-10-20 | 2015-02-25 | 中国科学院信息工程研究所 | Virtualization desktop safety certification method and system based on USB-Key |
CN104579694A (en) * | 2015-02-09 | 2015-04-29 | 浙江大学 | Identity authentication method and system |
CN104811455A (en) * | 2015-05-18 | 2015-07-29 | 成都卫士通信息产业股份有限公司 | Cloud computing identity authentication method |
CN105187362A (en) * | 2014-06-23 | 2015-12-23 | 中兴通讯股份有限公司 | Method and device for connection authentication between desktop cloud client and server-side |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9104798B2 (en) * | 2013-05-03 | 2015-08-11 | International Business Machines Corporation | Enabling remote debugging of virtual machines running in a cloud environment |
CN104506625B (en) * | 2014-12-22 | 2018-04-17 | 国云科技股份有限公司 | A kind of method for lifting cloud database metadata node reliability |
Also Published As
Publication number | Publication date |
---|---|
CN105721441A (en) | 2016-06-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10652226B2 (en) | Securing communication over a network using dynamically assigned proxy servers | |
CN112073400B (en) | Access control method, system, device and computing equipment | |
US9787659B2 (en) | Techniques for secure access management in virtual environments | |
US10263987B2 (en) | Techniques for sharing virtual machine (VM) resources | |
US9529993B2 (en) | Policy-driven approach to managing privileged/shared identity in an enterprise | |
CN105721441B (en) | Identity authentication method in virtualization environment | |
US20190141048A1 (en) | Blockchain identification system | |
US9882965B2 (en) | Techniques for network process identity enablement | |
US10165008B2 (en) | Using events to identify a user and enforce policies | |
CN105991614A (en) | Open authorization, resource access method and device, and a server | |
US10958670B2 (en) | Processing system for providing console access to a cyber range virtual environment | |
US10178183B2 (en) | Techniques for prevent information disclosure via dynamic secure cloud resources | |
TWI476627B (en) | The management system and method of network service level and function of cloud virtual desktop application | |
EP4172818B1 (en) | Shared resource identification | |
CN109302397B (en) | Network security management method, platform and computer readable storage medium | |
Huang et al. | A token-based user authentication mechanism for data exchange in RESTful API | |
CN111193709A (en) | Network security protection method, management and control terminal, gateway terminal and equipment | |
KR20170108667A (en) | System and method for providing a security service based on a security cloud | |
CN114268463A (en) | Data security transmission method based on cloud storage | |
CN117176797A (en) | Resource release method, device, system and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |