CN108021801A - Divulgence prevention method, server and storage medium based on virtual desktop - Google Patents


Publication number: CN108021801A
Authority: CN (China)
Prior art keywords: usb, user terminal, protocol, data, server
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CN201711161477.8A
Other languages: Chinese (zh)
Other versions: CN108021801B (en)
Inventor: 郭炳梁
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Technologies Co Ltd

Classifications

    • G06F21/42 User authentication using separate channels for security data (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication)
    • G06F21/602 Providing cryptographic facilities or services (under G06F21/00 > G06F21/60 Protecting data)


Abstract

The invention discloses a divulgence prevention method based on a virtual desktop, together with a server and a storage medium. The server receives a first USB protocol instruction sent by a user terminal, parses the instruction to obtain a USB read operation, and sends the USB read operation back to the user terminal so that the user terminal reads first target data from a USB storage device according to the read operation and feeds the data back to the server; the server then decrypts the first target data according to a preset key to obtain decrypted first plaintext data. Because the decryption of the first target data is completed at the protocol layer rather than by an encryption/decryption plug-in installed in the VM, the invention better avoids compatibility problems with third-party software and so overcomes the existing technical problem that, in current VDI scenarios, the compatibility of encryption and decryption operations on peripheral data cannot be adequately guaranteed.

Description

Divulgence prevention method, server and storage medium based on virtual desktop
Technical field
The present invention relates to the field of desktop virtualization, and more particularly to a divulgence prevention method based on a virtual desktop, a server and a storage medium.
Background technology
With the continuous development of virtual desktop technology, more and more companies use it to build their internal office resources. In a typical implementation, desktop operating systems run on servers in a data center and users connect to these remote desktops from a client device over a transport protocol, so that accessing their desktop feels the same as accessing a traditional local desktop. This is known in the industry as Virtual Desktop Infrastructure (VDI).
However, in a VDI scenario, when a peripheral is used on the local computer, the data security of the peripheral must be ensured. At present, the data of a peripheral is mostly protected by installing a related plug-in in the virtual machine (VM): for example, read and write operations are restricted by a control driver, and data is encrypted and decrypted by a file-system filter driver. Installing driver plug-ins in the VM in this way is inconvenient to deploy and prone to software compatibility problems, such as conflicts with third-party software. Current VDI scenarios therefore suffer from the technical problem that the compatibility of encryption and decryption operations on peripheral data cannot be adequately guaranteed.
The above is provided only to facilitate understanding of the technical solution and does not represent an admission that it is prior art.
Summary of the invention
The primary object of the present invention is to provide a divulgence prevention method based on a virtual desktop, a server and a storage medium, which aim to solve the technical problem in the prior art that the compatibility of encryption and decryption operations on peripheral data in current VDI scenarios cannot be adequately guaranteed.
To achieve the above object, the present invention provides a divulgence prevention method based on a virtual desktop, the method comprising the following steps:
a server receives a first USB protocol instruction sent by a user terminal, where the first USB protocol instruction is obtained by the user terminal encapsulating a USB read operation entered by the user according to a preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
the server parses the first USB protocol instruction to obtain the USB read operation;
the server sends the USB read operation to the user terminal so that the user terminal reads first target data from a USB storage device according to the USB read operation and feeds the first target data back to the server, the USB storage device being a storage device connected to the user terminal;
the server decrypts the first target data according to a preset key to obtain decrypted first plaintext data.
Preferably, parsing the first USB protocol instruction to obtain the USB read operation specifically comprises:
parsing the first USB protocol instruction under a preset virtual machine emulator to obtain the USB read operation.
Preferably, the server receiving the first USB protocol instruction sent by the user terminal specifically comprises:
the server receiving the first USB protocol instruction and a partition table sent by the user terminal;
correspondingly, sending the USB read operation to the user terminal so that the user terminal reads the first target data from the USB storage device according to the USB read operation and feeds it back to the server specifically comprises:
determining a data address corresponding to the USB read operation according to the partition table and sending the data address to the user terminal, so that the user terminal reads from the USB storage device the first target data corresponding to the data address and sends the first target data to the server.
Preferably, the server receiving the first USB protocol instruction sent by the user terminal specifically comprises:
the server receiving the first USB protocol instruction and a user identifier sent by the user terminal;
correspondingly, before parsing the first USB protocol instruction to obtain the USB read operation, the method further comprises:
matching the user identifier against each preset authorized user identifier;
when the match succeeds, performing the step of parsing the first USB protocol instruction.
Preferably, before parsing the first USB protocol instruction to obtain the USB read operation, the method further comprises:
matching the preset USB transport protocol against each preset supported protocol;
when the match succeeds, performing the step of parsing the first USB protocol instruction.
Preferably, before the server receives the first USB protocol instruction sent by the user terminal (the first USB protocol instruction being obtained by the user terminal encapsulating the user's USB read operation according to the preset USB transport protocol), the method further comprises:
the server receiving a second USB protocol instruction and second plaintext data sent by the user terminal, where the second USB protocol instruction is obtained by the user terminal encapsulating a USB write operation entered by the user according to the preset USB transport protocol;
parsing the second USB protocol instruction to obtain the USB write operation;
encrypting the second plaintext data according to the preset key to obtain encrypted second target data;
sending the USB write operation and the second target data to the user terminal so that the user terminal writes the second target data into the USB storage device according to the USB write operation.
Preferably, before decrypting the first target data according to the preset key to obtain the decrypted first plaintext data, the method further comprises:
generating the preset key and saving it locally, so that the first target data can be decrypted according to the preset key.
In addition, to achieve the above object, the present invention also provides a server comprising a memory, a processor, and a virtual-desktop-based divulgence prevention program stored on the memory and executable on the processor, the program being configured to implement the steps of the divulgence prevention method based on a virtual desktop.
In addition, to achieve the above object, the present invention also provides a storage medium on which a virtual-desktop-based divulgence prevention program is stored; when executed by a processor, the program implements the steps of the divulgence prevention method based on a virtual desktop.
In the present invention, the first USB protocol instruction is parsed and the decryption of the first target data is completed at the protocol layer. Compared with installing an encryption/decryption plug-in in the VM to encrypt and decrypt peripheral data, this better avoids compatibility problems with third-party software and thus overcomes the existing technical problem that, in current VDI scenarios, the compatibility of encryption and decryption operations on peripheral data cannot be adequately guaranteed.
Brief description of the drawings
Fig. 1 is a schematic diagram of the server architecture of the hardware running environment involved in the embodiments of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the divulgence prevention method based on a virtual desktop according to the present invention;
Fig. 3 is a flow diagram of the second embodiment of the divulgence prevention method based on a virtual desktop according to the present invention;
Fig. 4 is a flow diagram of the third embodiment of the divulgence prevention method based on a virtual desktop according to the present invention;
Fig. 5 is a flow diagram of the fourth embodiment of the divulgence prevention method based on a virtual desktop according to the present invention.
The realization of the objects, the functional features and the advantages of the present invention will be further described with reference to the accompanying drawings and the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a schematic diagram of the server architecture of the hardware running environment involved in the embodiments of the present invention.
As shown in Fig. 1, the server may include a processor 1001 (such as a CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 realizes the connection and communication between these components. The user interface 1003 may include a display and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be a high-speed RAM or a stable non-volatile memory such as a disk memory; optionally, the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
The server may be a physical device that provides computing services and is used for business computing, data storage or data exchange. A data center is built from servers and network equipment, and virtual desktop technology runs on the data center, so that a user terminal can access the server through virtual desktop technology to realize desktop virtualization for the user terminal. The user terminal may be an electronic device such as a PC. Usually, multiple VMs run on the server and one user terminal accesses one VM in the server to realize the desktop virtualization of the current user terminal. This not only lowers the configuration requirements of the local user terminal, it also improves the security of the computing and storage resources used by the user and makes it convenient for operations staff to manage the overall resources of the data center in a unified way.
Those skilled in the art will understand that the structure shown in Fig. 1 does not limit the server, which may include more or fewer components than illustrated, combine some components, or arrange components differently.
As shown in Fig. 1, the memory 1005, as a computer-readable storage medium, may include an operating system, a network communication module, a user interface module and a virtual-desktop-based divulgence prevention program.
In the server shown in Fig. 1, the network interface 1004 is mainly used to connect to other servers and exchange data with them; the user interface 1003 is mainly used to connect to user terminals and exchange data with them; and the server calls, through the processor 1001, the virtual-desktop-based divulgence prevention program stored in the memory 1005 and performs the following operations:
the server receives a first USB protocol instruction sent by a user terminal, where the first USB protocol instruction is obtained by the user terminal encapsulating a USB read operation entered by the user according to a preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
the server parses the first USB protocol instruction to obtain the USB read operation;
the server sends the USB read operation to the user terminal so that the user terminal reads first target data from a USB storage device according to the USB read operation and feeds the first target data back to the server, the USB storage device being a storage device connected to the user terminal;
the server decrypts the first target data according to a preset key to obtain decrypted first plaintext data.
Further, the processor 1001 may call the virtual-desktop-based divulgence prevention program stored in the memory 1005 and also perform the following operation:
parsing the first USB protocol instruction under a preset virtual machine emulator to obtain the USB read operation.
Further, the processor 1001 may call the virtual-desktop-based divulgence prevention program stored in the memory 1005 and also perform the following operation:
the server receives the first USB protocol instruction and a partition table sent by the user terminal;
correspondingly, the following operation is also performed:
determining a data address corresponding to the USB read operation according to the partition table and sending the data address to the user terminal, so that the user terminal reads from the USB storage device the first target data corresponding to the data address and sends the first target data to the server.
Further, the processor 1001 may call the virtual-desktop-based divulgence prevention program stored in the memory 1005 and also perform the following operation:
the server receives the first USB protocol instruction and a user identifier sent by the user terminal;
correspondingly, the following operations are also performed:
matching the user identifier against each preset authorized user identifier;
when the match succeeds, performing the step of parsing the first USB protocol instruction.
Further, the processor 1001 may call the virtual-desktop-based divulgence prevention program stored in the memory 1005 and also perform the following operations:
matching the preset USB transport protocol against each preset supported protocol;
when the match succeeds, performing the step of parsing the first USB protocol instruction.
Further, the processor 1001 may call the virtual-desktop-based divulgence prevention program stored in the memory 1005 and also perform the following operations:
the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, where the second USB protocol instruction is obtained by the user terminal encapsulating a USB write operation entered by the user according to the preset USB transport protocol;
parsing the second USB protocol instruction to obtain the USB write operation;
encrypting the second plaintext data according to the preset key to obtain encrypted second target data;
sending the USB write operation and the second target data to the user terminal so that the user terminal writes the second target data into the USB storage device according to the USB write operation.
Further, the processor 1001 may call the virtual-desktop-based divulgence prevention program stored in the memory 1005 and also perform the following operation:
generating the preset key and saving it locally, so that the first target data can be decrypted according to the preset key.
In the present embodiment, the first USB protocol instruction is parsed and the decryption of the first target data is completed at the protocol layer. Compared with installing an encryption/decryption plug-in in the VM to encrypt and decrypt peripheral data, this better avoids compatibility problems with third-party software and thus overcomes the existing technical problem that, in current VDI scenarios, the compatibility of encryption and decryption operations on peripheral data cannot be adequately guaranteed.
Based on the above hardware structure, embodiments of the divulgence prevention method based on a virtual desktop according to the present invention are proposed.
Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the divulgence prevention method based on a virtual desktop according to the present invention.
In the first embodiment, the divulgence prevention method based on a virtual desktop comprises the following steps:
Step S10: the server receives a first USB protocol instruction sent by a user terminal, where the first USB protocol instruction is obtained by the user terminal encapsulating a USB read operation entered by the user according to a preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
It will be understood that the user terminal may be a thin client under the VDI architecture. A thin client is a device of relatively low performance and power consumption used to access the VDI desktop, such as a PC; the user terminal may only display the graphics of the desktop operating system, without the desktop software needing to be installed on it. When a Universal Serial Bus device is used on the user terminal, for example a USB mass storage class device such as the common USB flash drive or mobile hard disk, the user of a terminal under the VDI architecture cannot directly obtain the data in the USB storage device: the operations of reading or writing data are transferred to the server for processing. The server may be the server that carries the VDI under the VDI architecture; the VM associated with each user terminal runs on the server, so most computation and operations take place in the server while the user terminal mainly serves for display and input. The present embodiment does not restrict this.
In a concrete implementation, when a USB storage device is accessed on the user terminal, for example a USB flash drive plugged into the local thin client, and the user reads data from it, the user may locally perform copy or paste operations; but in a VDI scenario the user cannot directly obtain the target data. The user terminal encapsulates the USB read operation entered by the user according to the preset USB transport protocol to obtain the first USB protocol instruction; this process is completed at the bottom of the system. The preset USB transport protocol may be the Bulk-Only Transport (BOT) protocol or the USB Attached SCSI Protocol (UASP), where UASP is the USB mass storage class transport protocol supported by USB 3.0 and later devices. After obtaining the first USB protocol instruction, the user terminal sends it to the server, which finally obtains the data in the USB storage device.
Step S20: parsing the first USB protocol instruction to obtain the USB read operation;
It should be understood that, when the server obtains the first USB protocol instruction, it parses the instruction according to the preset USB transport protocol and thereby recovers the USB read operation as it was before encapsulation. Although transmitting data on the basis of a transport protocol is a fairly conventional way of using a USB storage device, in the present embodiment the USB read operation is encapsulated and parsed via the preset USB transport protocol and the subsequent steps use that USB read operation to realize the reading of the data; that is, the whole step is realized at the protocol layer. In contrast, existing encryption and decryption of peripheral data is generally implemented in the form of an application-layer plug-in, for example an encryption/decryption plug-in installed in the VM, and such plug-ins are prone to compatibility problems with third-party software. In other words, the encryption and decryption operations are moved from the guest operating system (Guest OS) layer into the virtual machine emulator, such as the QEMU emulator, so that the server parses the first USB protocol instruction under the preset virtual machine emulator to obtain the USB read operation.
It will be understood that, because both the acquisition of the read operation and the encryption/decryption in the subsequent operations are realized at the underlying protocol layer, compatibility problems with third-party software are avoided: encryption and decryption implemented below the application layer naturally do not conflict with third-party software.
Step S30: sending the USB read operation to the user terminal so that the user terminal reads first target data from the USB storage device according to the USB read operation and feeds the first target data back to the server, the USB storage device being a storage device connected to the user terminal;
It should be understood that, after the server obtains the USB read operation, which is the operation information entered by the user for reading the first target data, the server sends the USB read operation back to the user terminal. When the user terminal obtains the USB read operation, it reads data from the USB storage device according to that operation and thus obtains the first target data. The first target data is encrypted data: to ensure the security of the USB storage device, the data content on the USB storage device is stored in encrypted form.
Step S40: decrypting the first target data according to a preset key to obtain decrypted first plaintext data.
It will be understood that, after the encrypted data is obtained, in order for the user to easily identify the data content and to complete the encryption/decryption of the data, the first target data is decrypted according to the preset key to obtain the decrypted first plaintext data, which is the result of decrypting the first target data. Step S40 is realized at the protocol layer, so the first target data can be decrypted according to the preset key under the preset virtual machine emulator to obtain the decrypted first plaintext data. It is easy to see that steps S20 and S40 are completed in the virtual machine emulator; executing them at the underlying protocol layer better reduces conflicts with other software, and the specific encryption and decryption algorithm used is not limited.
In the present embodiment, the first USB protocol instruction is parsed and the decryption of the first target data is completed at the protocol layer. Compared with installing an encryption/decryption plug-in in the VM to encrypt and decrypt peripheral data, this better avoids compatibility problems with third-party software and thus overcomes the existing technical problem that, in current VDI scenarios, the compatibility of encryption and decryption operations on peripheral data cannot be adequately guaranteed.
Referring to Fig. 3, Fig. 3 is a flow diagram of the second embodiment of the divulgence prevention method based on a virtual desktop according to the present invention. Based on the embodiment shown in Fig. 2, the second embodiment of the divulgence prevention method based on a virtual desktop according to the present invention is proposed.
In the second embodiment, step S10 specifically comprises:
Step S10': the server receives the first USB protocol instruction and a partition table sent by the user terminal, where the first USB protocol instruction is obtained by the user terminal encapsulating the USB read operation entered by the user according to the preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
It will be understood that in the present embodiment the server receives the partition table sent by the user terminal; the order in which the server receives the first USB protocol instruction and the partition table is not restricted in this embodiment. The partition table may therefore be received in advance, before the server receives the first USB protocol instruction sent by the user terminal, so that the data address can be determined in the subsequent operations and operational efficiency improved.
The partition table is used to divide the data of a large table into many small subsets. There are several types of partition table, such as the Master Boot Record (MBR) partition table and the GUID Partition Table (GPT). The partition table realizes the ordered reading and writing of data on the USB storage device; when the partition table is abnormal or lost, USB read and write operations on the data in the USB storage device cannot be carried out.
Step S30 specifically comprises:
Step S30': determining a data address corresponding to the USB read operation according to the partition table and sending the data address to the user terminal, so that the user terminal reads from the USB storage device the first target data corresponding to the data address and sends the first target data to the server, the USB storage device being a storage device connected to the user terminal;
It should be understood that, after the partition table and the USB read operation are obtained, normal reading of the data can be realized on the basis of the partition table. The data address that the USB read operation points to can be accurately determined from the partition table and the USB read operation; sending that data address to the USB storage device then reads the first target data corresponding to the data address.
In the present embodiment, the data address to be read is determined from the partition table and the USB read operation, so that the user terminal can successfully read the first target data.
Referring to Fig. 4, Fig. 4 is a flow diagram of the third embodiment of the divulgence prevention method based on a virtual desktop according to the present invention. Based on the embodiment shown in Fig. 2, the third embodiment of the divulgence prevention method based on a virtual desktop according to the present invention is proposed.
In the third embodiment, step S10 specifically comprises:
Step S101: the server receives the first USB protocol instruction and a user identifier sent by the user terminal, where the first USB protocol instruction is obtained by the user terminal encapsulating the USB read operation entered by the user according to the preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
It will be understood that, to suit complex usage environments with multiple users and multiple access rights, user permissions for performing encryption/decryption operations may be set in advance, so the server receives the user identifier sent by the user terminal. The user identifier uniquely identifies the user terminal in the current running environment and serves to identify the terminal's identity; the user identifier may identify the physical device, that is the user terminal, or the current user using the user terminal, and the present embodiment does not restrict this.
Step S102: matching the user identifier against each preset authorized user identifier;
In a concrete implementation, a list of users permitted to perform encryption/decryption operations is set in advance on the server. A preset authorized user identifier means that, when the currently running user identifier has been saved in advance as a preset authorized user identifier, that user identifier has the business qualification to perform encryption/decryption operations, and the subsequent decryption of the target data or encryption of the plaintext data will be carried out. By matching the user identifier against each preset authorized user identifier, a successful match indicates that the user identifier is a preset authorized user identifier and the subsequent operations proceed; when the match fails, the subsequent operations can be stopped or a prompt of operation failure fed back.
When the match succeeds, step S103 is performed.
It should be understood that steps S101 to S102 realize the judgement of whether the user is authorized. At the same time, to improve the running speed of the server and reduce the probability of erroneous operations, each USB transport protocol supported by the server may be checked in advance, before the data write and read operations are carried out, to save computation on the server.
Step S103: matching the preset USB transport protocol against each preset supported protocol;
It will be understood that, before the first USB protocol instruction is parsed, a protocol check can first be performed to judge whether the server supports the preset USB transport protocol. The protocol check can be done by reading the server's configuration information, which describes the USB transport protocols supported by the server, that is, the preset supported protocols; matching the preset USB transport protocol against each preset supported protocol judges whether the server supports the USB transport protocol that encapsulated the current instruction.
When the match succeeds, step S20 is performed.
In a concrete implementation, when the match succeeds, step S20 can be performed, which means the server can parse the first USB protocol instruction encapsulated by the preset USB transport protocol; when the match fails, the subsequent operations are stopped or an operation-failure message is sent to the user terminal, because the current running environment of the server cannot support the preset USB transport protocol. Performing the protocol check before step S20 better improves the operational efficiency of the server.
The present embodiment does not restrict the order in which the authorized-user judgement realized by steps S101 to S102 and the supported-protocol matching realized by step S103 occur.
In the present embodiment, by presetting authorized user identifiers, the qualification of users to read and write data can be better managed and the confidentiality of the data improved; also, by introducing an advance judgement of whether the server supports the USB transport protocol, invalid computation can be reduced and the operational efficiency of the device improved.
Referring to Fig. 5, Fig. 5 is a flow diagram of a fourth embodiment of the virtual-desktop-based anti-leakage method of the present invention. Based on the embodiment shown in Fig. 2 above, a fourth embodiment of the virtual-desktop-based anti-leakage method of the present invention is proposed.
In the third embodiment, before step S10, the method further includes:
Step S101': The server receives a second USB protocol instruction and second plaintext data sent by the user terminal. The second USB protocol instruction is obtained by the user terminal encapsulating a user-input USB write operation with the preset USB transport protocol;
It can be understood that, when a USB storage device is inserted into the user terminal under the VDI architecture, the user performs a data write operation on the user terminal in order to write data to the USB storage device, for example adding data to the USB storage device: data copied on the user terminal is pasted into the USB storage device, which generates a USB write operation used to write data into the USB storage device. Under the VDI architecture, the user terminal encapsulates the user-input USB write operation with the preset USB transport protocol to obtain the second USB protocol instruction, and sends the second USB protocol instruction to the server so that the server performs the write-operation business.
In a specific implementation, the server receives the second USB protocol instruction and the second plaintext data sent by the user terminal, where the second plaintext data is the data to be written to the USB storage device; the second plaintext data may be stored in advance locally on the server, or it may be obtained from the user terminal.
Step S102': The second USB protocol instruction is parsed to obtain the USB write operation;
It should be understood that, after obtaining the second USB protocol instruction, the server parses the protocol instruction according to the preset USB transport protocol to obtain the USB write operation in the second USB protocol instruction.
Step S103': The second plaintext data is encrypted according to the preset key to obtain encrypted second target data;
It can be understood that, to achieve the anti-leakage effect, all data read from and written to the USB storage device is encrypted data; therefore the second plaintext data is encrypted according to the preset key to obtain the encrypted second target data.
Step S104: The USB write operation and the second target data are sent to the user terminal, so that the user terminal writes the second target data into the USB storage device according to the USB write operation.
In a specific implementation, after the USB write operation and the encrypted second target data are obtained, the USB write operation and the second target data are sent to the user terminal, whereupon the second target data can be written to the USB storage device; this achieves the encrypted writing of data to the USB storage device.
Before step S40, the method further includes:
Step S40': A preset key is generated and saved locally, so that the first target data can be decrypted according to the preset key.
It can be understood that, to facilitate the encryption and decryption operations on the server, the preset key can be generated in advance and stored locally on the server. When target data that needs decryption or plaintext data that needs encryption is obtained, the anti-leakage operation can be performed directly with the locally saved key, which effectively saves server computation and improves encryption and decryption speed.
In this embodiment, by parsing the second USB protocol instruction at the protocol layer and completing the encryption of the second plaintext data, compatibility problems with third-party software are better overcome than by installing an encryption plug-in in the VM to encrypt peripheral data; in addition, by generating the preset key in advance, encryption and decryption speed is also improved.
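The server-side flow of steps S101-S103 above, together with the read path (S20-S40) and the write path (S101'-S104), as an added Python simulation that is not the patent's or Sangfor's code. The 31-byte BOT command block wrapper layout and the SCSI READ(10)/WRITE(10) fields are real; the user identifiers, supported-protocol names, partition table, the partition-0 address mapping, the FakeTerminal and the HMAC-based sector keystream are constructed assumptions.

```python
"""Added server-side simulation of the VDI USB anti-leakage flow; not the patent's code."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

SECTOR = 512
CBW_SIG = b"USBC"                 # BOT Command Block Wrapper signature
READ10, WRITE10 = 0x28, 0x2A      # SCSI opcodes carried inside the CBW

@dataclass
class UsbOp:
    kind: str      # "read" or "write"
    lba: int       # LBA as the VM sees it, relative to the partition (assumption)
    blocks: int

def build_bot_cbw(op: UsbOp, tag: int = 1) -> bytes:
    """Terminal side: encapsulate READ(10)/WRITE(10) in a 31-byte BOT CBW."""
    cb = bytes([READ10 if op.kind == "read" else WRITE10, 0]) + struct.pack(">I", op.lba)
    cb += b"\x00" + struct.pack(">H", op.blocks) + b"\x00"
    flags = 0x80 if op.kind == "read" else 0x00          # bmCBWFlags bit 7 = data-in
    return (CBW_SIG + struct.pack("<II", tag, op.blocks * SECTOR)
            + bytes([flags, 0, len(cb)]) + cb.ljust(16, b"\x00"))

def parse_bot_cbw(cbw: bytes) -> UsbOp:
    """Server side (inside the VM emulator in the patent): recover the USB operation."""
    if len(cbw) != 31 or cbw[:4] != CBW_SIG:
        raise ValueError("not a BOT command block wrapper")
    cb = cbw[15:15 + (cbw[14] & 0x1F)]
    if len(cb) < 10 or cb[0] not in (READ10, WRITE10):
        raise ValueError("unsupported SCSI command")
    return UsbOp("read" if cb[0] == READ10 else "write",
                 struct.unpack(">I", cb[2:6])[0], struct.unpack(">H", cb[7:9])[0])

def crypt_sectors(key: bytes, abs_lba: int, data: bytes) -> bytes:
    """Encrypt/decrypt whole sectors with a keystream bound to the preset key and absolute LBA.
    HMAC-SHA256 in counter mode is a stdlib-only stand-in for a real sector cipher (assumption)."""
    if len(data) % SECTOR:
        raise ValueError("data must be whole sectors")
    out = bytearray()
    for i in range(len(data) // SECTOR):
        ks = b"".join(hmac.new(key, struct.pack(">QI", abs_lba + i, c), hashlib.sha256)
                      .digest() for c in range(SECTOR // 32))
        out += bytes(a ^ b for a, b in zip(data[i * SECTOR:(i + 1) * SECTOR], ks))
    return bytes(out)

class FakeTerminal:  # constructed user terminal with a USB stick; it only ever sees ciphertext
    def __init__(self): self.sectors = {}
    def read(self, addr, n): return b"".join(self.sectors.get(addr + i, bytes(SECTOR)) for i in range(n))
    def write(self, addr, data):
        for i in range(len(data) // SECTOR): self.sectors[addr + i] = data[i * SECTOR:(i + 1) * SECTOR]

class AntiLeakServer:
    def __init__(self, authorized_users, supported_protocols, partition_table):
        self.authorized = set(authorized_users)     # preset authorized user identifiers
        self.supported = set(supported_protocols)   # preset supported transport protocols
        self.partitions = partition_table           # [(start_lba, length)] sent by the terminal
        self.key = None

    def generate_preset_key(self, key=None):        # step S40': the key never leaves the server
        self.key = key or secrets.token_bytes(32)

    def gate(self, user_id, protocol):              # steps S101-S103 (order not fixed by the patent)
        if user_id not in self.authorized:
            raise PermissionError(f"{user_id} is not a preset authorized user")
        if protocol not in self.supported:
            raise ValueError(f"transport protocol {protocol} is not supported")

    def data_address(self, op):                     # partition table -> device address (assumption)
        start, length = self.partitions[0]
        if op.lba + op.blocks > length:
            raise ValueError("operation outside the partition")
        return start + op.lba

    def handle_read(self, user_id, protocol, cbw, terminal):
        self.gate(user_id, protocol)
        op = parse_bot_cbw(cbw)                     # S20: parse at the protocol layer
        addr = self.data_address(op)
        return crypt_sectors(self.key, addr, terminal.read(addr, op.blocks))   # S30-S40

    def handle_write(self, user_id, protocol, cbw, plaintext, terminal):
        self.gate(user_id, protocol)
        addr = self.data_address(parse_bot_cbw(cbw))   # S102'
        terminal.write(addr, crypt_sectors(self.key, addr, plaintext))   # S103'-S104
```

A write followed by a read of the same LBA range returns the original plaintext, while the terminal's sector store only ever holds ciphertext, which is the property the method relies on.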
In addition, an embodiment of the present invention also proposes a storage medium on which a virtual-desktop-based anti-leakage program is stored; when the virtual-desktop-based anti-leakage program is executed by a processor, the following operations are implemented:
The server receives a first USB protocol instruction sent by the user terminal, the first USB protocol instruction being obtained by the user terminal encapsulating a user-input USB read operation with a preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
The first USB protocol instruction is parsed to obtain the USB read operation;
The USB read operation is sent to the user terminal, so that the user terminal reads first target data from a USB storage device according to the USB read operation and feeds it back to the server, the USB storage device being a storage device connected to the user terminal;
The first target data is decrypted according to a preset key to obtain decrypted first plaintext data.
Further, when the virtual-desktop-based anti-leakage program is executed by the processor, the following operation is also implemented:
The first USB protocol instruction is parsed under a preset virtual machine simulator to obtain the USB read operation.
Further, when the virtual-desktop-based anti-leakage program is executed by the processor, the following operation is also implemented:
The server receives the first USB protocol instruction and a partition table sent by the user terminal;
Correspondingly, the following operation is also implemented:
A data address corresponding to the USB read operation is determined according to the partition table, and the data address is sent to the user terminal, so that the user terminal reads first target data corresponding to the data address from the USB storage device and sends the first target data to the server.
Further, when the virtual-desktop-based anti-leakage program is executed by the processor, the following operation is also implemented:
The server receives the first USB protocol instruction and a user identifier sent by the user terminal;
Correspondingly, the following operations are also implemented:
The user identifier is matched against each preset authorized user identifier;
When the match succeeds, the step of parsing the first USB protocol instruction is performed.
Further, when the virtual-desktop-based anti-leakage program is executed by the processor, the following operations are also implemented:
The preset USB transport protocol is matched against each preset supported protocol;
When the match succeeds, the step of parsing the first USB protocol instruction is performed.
Further, when the virtual-desktop-based anti-leakage program is executed by the processor, the following operations are also implemented:
The server receives a second USB protocol instruction and second plaintext data sent by the user terminal, the second USB protocol instruction being obtained by the user terminal encapsulating a user-input USB write operation with the preset USB transport protocol;
The second USB protocol instruction is parsed to obtain the USB write operation;
The second plaintext data is encrypted according to the preset key to obtain encrypted second target data;
The USB write operation and the second target data are sent to the user terminal, so that the user terminal writes the second target data into the USB storage device according to the USB write operation.
Further, when the virtual-desktop-based anti-leakage program is executed by the processor, the following operation is also implemented:
A preset key is generated and saved locally, so that the first target data can be decrypted according to the preset key.
In this embodiment, by parsing the first USB protocol instruction at the protocol layer and completing the decryption of the first target data, compatibility problems with third-party software are better overcome than by installing an encryption/decryption plug-in in the VM to encrypt and decrypt peripheral data; this overcomes the technical problem that, under current VDI scenarios, the compatibility of encryption and decryption operations on peripheral data cannot be well guaranteed.
It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
It should be noted that, herein, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or system. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes that element.
The serial numbers of the embodiments of the present invention are for description only and do not represent the merits of the embodiments. The words first, second and third do not indicate any order; these words may be construed as names.
Through the above description of the embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk, or optical disc) and including several instructions for causing a terminal device (which may be a mobile phone, computer, server, air conditioner, network device, etc.) to perform the methods described in the embodiments of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of the invention; any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect application in other related technical fields, is included within the scope of patent protection of the present invention.

Claims (10)

1. A virtual-desktop-based anti-leakage method, characterised in that the method comprises the following steps:
a server receives a first USB protocol instruction sent by a user terminal, the first USB protocol instruction being obtained by the user terminal encapsulating a user-input USB read operation with a preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
the first USB protocol instruction is parsed to obtain the USB read operation;
the USB read operation is sent to the user terminal, so that the user terminal reads first target data from a USB storage device according to the USB read operation and feeds it back to the server, the USB storage device being a storage device connected to the user terminal;
the first target data is decrypted according to a preset key to obtain decrypted first plaintext data.
2. The method according to claim 1, characterised in that parsing the first USB protocol instruction to obtain the USB read operation specifically comprises:
parsing the first USB protocol instruction under a preset virtual machine simulator to obtain the USB read operation.
3. The method according to claim 1, characterised in that the server receiving the first USB protocol instruction sent by the user terminal specifically comprises:
the server receives the first USB protocol instruction and a partition table sent by the user terminal;
correspondingly, sending the USB read operation to the user terminal so that the user terminal reads first target data from the USB storage device according to the USB read operation and feeds it back to the server specifically comprises:
determining a data address corresponding to the USB read operation according to the partition table, and sending the data address to the user terminal, so that the user terminal reads first target data corresponding to the data address from the USB storage device and sends the first target data to the server.
4. The method according to claim 1, characterised in that the server receiving the first USB protocol instruction sent by the user terminal specifically comprises:
the server receives the first USB protocol instruction and a user identifier sent by the user terminal;
correspondingly, before parsing the first USB protocol instruction to obtain the USB read operation, the method further comprises:
matching the user identifier against each preset authorized user identifier;
when the match succeeds, performing the step of parsing the first USB protocol instruction.
5. The method according to any one of claims 1 to 4, characterised in that, before parsing the first USB protocol instruction to obtain the USB read operation, the method further comprises:
matching the preset USB transport protocol against each preset supported protocol;
when the match succeeds, performing the step of parsing the first USB protocol instruction.
6. The method according to any one of claims 1 to 4, characterised in that, before the server receives the first USB protocol instruction sent by the user terminal, the first USB protocol instruction being obtained by the user terminal encapsulating the user-input USB read operation with the preset USB transport protocol, the method further comprises:
the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, the second USB protocol instruction being obtained by the user terminal encapsulating a user-input USB write operation with the preset USB transport protocol;
the second USB protocol instruction is parsed to obtain the USB write operation;
the second plaintext data is encrypted according to the preset key to obtain encrypted second target data;
the USB write operation and the second target data are sent to the user terminal, so that the user terminal writes the second target data into the USB storage device according to the USB write operation.
7. The method according to any one of claims 1 to 4, characterised in that, before decrypting the first target data according to the preset key to obtain the decrypted first plaintext data, the method further comprises:
generating the preset key and saving it locally, so that the first target data can be decrypted according to the preset key.
8. The method according to any one of claims 1 to 4, characterised in that the preset USB transport protocol comprises any one of the BOT protocol and the USAP protocol.
9. A server, characterised in that the server comprises: a memory, a processor, and a virtual-desktop-based anti-leakage program stored on the memory and runnable on the processor, wherein, when the virtual-desktop-based anti-leakage program is executed by the processor, the steps of the virtual-desktop-based anti-leakage method according to any one of claims 1 to 8 are implemented.
10. A storage medium, characterised in that a virtual-desktop-based anti-leakage program is stored on the storage medium, and, when the virtual-desktop-based anti-leakage program is executed by a processor, the steps of the virtual-desktop-based anti-leakage method according to any one of claims 1 to 8 are implemented.
CN201711161477.8A 2017-11-20 2017-11-20 Virtual desktop-based anti-leakage method, server and storage medium Active CN108021801B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711161477.8A CN108021801B (en) 2017-11-20 2017-11-20 Virtual desktop-based anti-leakage method, server and storage medium

Publications (2)

Publication Number Publication Date
CN108021801A true CN108021801A (en) 2018-05-11
CN108021801B CN108021801B (en) 2021-07-06

Family

ID=62080794

Country Status (1)

Country Link
CN (1) CN108021801B (en)

Also Published As

Publication number Publication date
CN108021801B (en) 2021-07-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant