CN108021801A - Divulgence prevention method, server and storage medium based on virtual desktop - Google Patents
- Publication number: CN108021801A (application number CN201711161477.8A)
- Authority: CN (China)
- Prior art keywords: usb, user terminal, protocol, data, server
- Legal status: Granted
Classifications
- G06F21/42: User authentication using separate channels for security data (G Physics; G06 Computing, calculating or counting; G06F Electric digital data processing; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/31 User authentication)
- G06F21/602: Providing cryptographic facilities or services (G Physics; G06 Computing, calculating or counting; G06F Electric digital data processing; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/60 Protecting data)
Abstract
The invention discloses a divulgence prevention method based on a virtual desktop, together with a server and a storage medium. The server receives a first USB protocol instruction sent by a user terminal, parses the instruction to obtain a USB read operation, and sends the USB read operation back to the user terminal, so that the user terminal reads first target data from a USB storage device according to the read operation and returns it to the server; the server then decrypts the first target data with a preset key to obtain first plaintext data. Because the decryption of the first target data is completed in the protocol layer rather than by an encryption/decryption plug-in installed in the VM, the method better avoids the compatibility problems with third-party software that such plug-ins cause, and so overcomes the existing technical problem that, under current VDI scenarios, compatibility of encryption and decryption of peripheral data cannot be adequately ensured.
Description
Technical field
The present invention relates to the field of desktop virtualization, and in particular to a divulgence prevention method based on a virtual desktop, a server and a storage medium.
Background art
With the continued development of virtual desktop technology, more and more companies build their internal office resources on it. In a typical deployment, desktop operating systems run on servers in a data center, and users connect to these remote desktops through the transport protocol of a client device, so that accessing their desktop feels the same as accessing a traditional local desktop. This is known in the industry as Virtual Desktop Infrastructure (VDI).
Under VDI, however, when a peripheral is used on the local computer, the data security of that peripheral must be ensured. Today the data of peripherals is mostly protected by installing plug-ins in the virtual machine (VM): for example, read and write operations are restricted by a control driver, and data is encrypted and decrypted by a file-system filter driver. Installing driver plug-ins in the VM is inconvenient to deploy and prone to software compatibility problems, such as conflicts with third-party software. Current VDI scenarios therefore suffer from the technical problem that compatibility of encryption and decryption of peripheral data cannot be adequately ensured.
The above is provided only to aid understanding of the technical solution and is not an admission that it constitutes prior art.
Summary of the invention
The main object of the present invention is to provide a divulgence prevention method based on a virtual desktop, a server and a storage medium, aiming to solve the problem in the prior art that, under VDI scenarios, compatibility of encryption and decryption of peripheral data cannot be adequately ensured.
To achieve the above object, the present invention provides a divulgence prevention method based on a virtual desktop, the method comprising the following steps:
a server receives a first USB protocol instruction sent by a user terminal, where the first USB protocol instruction is obtained by the user terminal encapsulating a USB read operation input by the user according to a preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
the first USB protocol instruction is parsed to obtain the USB read operation;
the USB read operation is sent to the user terminal, so that the user terminal reads first target data from a USB storage device according to the USB read operation and returns the first target data to the server, the USB storage device being a storage device connected to the user terminal;
the first target data is decrypted according to a preset key to obtain decrypted first plaintext data.
Preferably, parsing the first USB protocol instruction to obtain the USB read operation specifically comprises:
parsing the first USB protocol instruction under a preset virtual machine emulator to obtain the USB read operation.
Preferably, the server receiving the first USB protocol instruction sent by the user terminal specifically comprises:
the server receiving the first USB protocol instruction and a partition table sent by the user terminal;
and correspondingly, sending the USB read operation to the user terminal so that the user terminal reads first target data from the USB storage device according to the USB read operation and returns it to the server specifically comprises:
determining, according to the partition table, the data address corresponding to the USB read operation, and sending the data address to the user terminal, so that the user terminal reads from the USB storage device the first target data corresponding to the data address and sends the first target data to the server.
Preferably, the server receiving the first USB protocol instruction sent by the user terminal specifically comprises:
the server receiving the first USB protocol instruction and a user identifier sent by the user terminal;
and correspondingly, before parsing the first USB protocol instruction to obtain the USB read operation, the method further comprises:
matching the user identifier against each preset authorized user identifier;
and, when the match succeeds, performing the step of parsing the first USB protocol instruction.
Preferably, before parsing the first USB protocol instruction to obtain the USB read operation, the method further comprises:
matching the preset USB transport protocol against each preset supported protocol;
and, when the match succeeds, performing the step of parsing the first USB protocol instruction.
Preferably, the server receives the first usb protocol instruction that user terminal is sent, and first usb protocol refers to
It is described before USB read operations input by user are packaged acquisition by order by the user terminal by default USB transport protocol
Method further includes:
The server receives the instruction of the second usb protocol and the second plaintext data that the user terminal is sent, and described the
The instruction of two usb protocols is sealed USB write operations input by user by the default USB transport protocol by the user terminal
Dress obtains;
Second usb protocol instruction is parsed, obtains the USB write operations;
The second plaintext data are encrypted according to the preset-key, obtain encrypted second target data;
The USB write operations and second target data are sent to the user terminal, so that the user terminal
Second target data is write in the USB storage device according to the USB write operations.
Preferably, it is described that the first object data are decrypted according to preset-key, with first after being decrypted
Before clear data, the method further includes:
Generate preset-key and preserve to local, the first object data are carried out according to the preset-key with realizing
Decryption.
In addition, to achieve the above object, the present invention also provides a server comprising a memory, a processor, and a divulgence prevention program based on a virtual desktop that is stored in the memory and can run on the processor, where the program is configured to implement the steps of the divulgence prevention method based on a virtual desktop.
In addition, to achieve the above object, the present invention also provides a storage medium storing a divulgence prevention program based on a virtual desktop which, when executed by a processor, implements the steps of the divulgence prevention method based on a virtual desktop.
In the present invention the first USB protocol instruction is parsed, and the decryption of the first target data is completed, in the protocol layer. Compared with installing an encryption/decryption plug-in in the VM to encrypt and decrypt peripheral data, this better avoids compatibility problems with third-party software, and so overcomes the existing technical problem that compatibility of encryption and decryption of peripheral data cannot be adequately ensured under current VDI scenarios.
Brief description of the drawings
Fig. 1 is a schematic diagram of the server architecture of the hardware operating environment involved in embodiments of the present invention;
Fig. 2 is a flow diagram of the first embodiment of the divulgence prevention method based on a virtual desktop according to the present invention;
Fig. 3 is a flow diagram of the second embodiment of the divulgence prevention method based on a virtual desktop according to the present invention;
Fig. 4 is a flow diagram of the third embodiment of the divulgence prevention method based on a virtual desktop according to the present invention;
Fig. 5 is a flow diagram of the fourth embodiment of the divulgence prevention method based on a virtual desktop according to the present invention.
The realization of the object, the functional features and the advantages of the present invention are further described below with reference to the accompanying drawings and the embodiments.
Embodiments
It should be understood that the specific embodiments described here are merely illustrative of the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a schematic diagram of the server architecture of the hardware operating environment involved in embodiments of the present invention.
As shown in Fig. 1, the server may comprise a processor 1001 such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 provides the connections and communication between these components. The user interface 1003 may include a display and may optionally also include a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or stable non-volatile memory such as disk storage, and may optionally be a storage device independent of the processor 1001.
The server may be a physical device providing computing services, used for business computing, data storage, data exchange and the like. A data center is built from servers and network equipment, and virtual desktop technology runs on the data center, so that the user terminal can access the server through virtual desktop technology to virtualize the desktop of the user terminal. The user terminal may be an electronic device such as a PC. Typically several VMs run on the server, and one user terminal accesses one VM in the server to virtualize the desktop of that terminal; this lowers the configuration requirements on the local user terminal, improves the security of the computing and storage resources the user works with, and lets operations staff manage all resources of the data center centrally.
Those skilled in the art will appreciate that the structure shown in Fig. 1 does not limit the server, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in Fig. 1, the memory 1005, as a computer-readable storage medium, may contain an operating system, a network communication module, a user interface module and the divulgence prevention program based on a virtual desktop.
In the server shown in Fig. 1, the network interface 1004 is mainly used to connect to other servers and exchange data with them; the user interface 1003 is mainly used to connect to user terminals and exchange data with them; and the server, through the processor 1001, calls the divulgence prevention program based on a virtual desktop stored in the memory 1005 and performs the following operations:
the server receives a first USB protocol instruction sent by a user terminal, where the first USB protocol instruction is obtained by the user terminal encapsulating a USB read operation input by the user according to a preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
the first USB protocol instruction is parsed to obtain the USB read operation;
the USB read operation is sent to the user terminal, so that the user terminal reads first target data from a USB storage device according to the USB read operation and returns the first target data to the server, the USB storage device being a storage device connected to the user terminal;
the first target data is decrypted according to a preset key to obtain decrypted first plaintext data.
Further, the processor 1001 may call the divulgence prevention program based on a virtual desktop stored in the memory 1005 and also perform the following operation:
parsing the first USB protocol instruction under a preset virtual machine emulator to obtain the USB read operation.
Further, the processor 1001 may call the program stored in the memory 1005 and also perform the following operation:
the server receives the first USB protocol instruction and a partition table sent by the user terminal;
and correspondingly, the following operation is also performed:
determining, according to the partition table, the data address corresponding to the USB read operation, and sending the data address to the user terminal, so that the user terminal reads from the USB storage device the first target data corresponding to the data address and sends the first target data to the server.
Further, the processor 1001 may call the program stored in the memory 1005 and also perform the following operation:
the server receives the first USB protocol instruction and a user identifier sent by the user terminal;
and correspondingly, the following operations are also performed:
matching the user identifier against each preset authorized user identifier;
when the match succeeds, performing the step of parsing the first USB protocol instruction.
Further, the processor 1001 may call the program stored in the memory 1005 and also perform the following operations:
matching the preset USB transport protocol against each preset supported protocol;
when the match succeeds, performing the step of parsing the first USB protocol instruction.
Further, the processor 1001 may call the program stored in the memory 1005 and also perform the following operations:
the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, where the second USB protocol instruction is obtained by the user terminal encapsulating a USB write operation input by the user according to the preset USB transport protocol;
parsing the second USB protocol instruction to obtain the USB write operation;
encrypting the second plaintext data according to the preset key to obtain encrypted second target data;
sending the USB write operation and the second target data to the user terminal, so that the user terminal writes the second target data into the USB storage device according to the USB write operation.
Further, the processor 1001 may call the program stored in the memory 1005 and also perform the following operation:
generating the preset key and saving it locally, so that the first target data can be decrypted according to the preset key.
In this embodiment the first USB protocol instruction is parsed, and the decryption of the first target data completed, in the protocol layer. Compared with installing an encryption/decryption plug-in in the VM to encrypt and decrypt peripheral data, this better avoids compatibility problems with third-party software, and so overcomes the existing technical problem that compatibility of encryption and decryption of peripheral data cannot be adequately ensured under current VDI scenarios.
Based on the above hardware configuration, embodiments of the divulgence prevention method based on a virtual desktop according to the present invention are proposed.
Referring to Fig. 2, Fig. 2 is a flow diagram of the first embodiment of the divulgence prevention method based on a virtual desktop according to the present invention.
In the first embodiment, the divulgence prevention method based on a virtual desktop comprises the following steps:
Step S10: the server receives a first USB protocol instruction sent by a user terminal, where the first USB protocol instruction is obtained by the user terminal encapsulating a USB read operation input by the user according to a preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
It will be understood that the user terminal may be a thin client under the VDI architecture, that is, a device of relatively low performance and power consumption used to access VDI desktops, such as a PC; the user terminal may display only the graphics of the desktop operating system, without the desktop software to be used having to be installed on it. When a Universal Serial Bus device is used on the user terminal, for example a USB Mass Storage Class device such as a USB flash drive or a portable hard disk, the user of a terminal under the VDI architecture cannot obtain the data on the USB storage device directly: the operations of reading or writing data are handed to the server for processing. The server may be the server that carries VDI under the VDI architecture; it runs the VM associated with each user terminal, so most computation and operations take place in the server, while the user terminal mainly serves for display and input. This embodiment places no restriction on this.
In a concrete implementation, when a USB storage device is accessed on the user terminal, for example a USB flash drive plugged into the local thin client, and the user reads the data on it, the user can locally copy or paste data, but under the VDI architecture the user cannot obtain the target data directly. The user terminal encapsulates the USB read operation input by the user according to a preset USB transport protocol to obtain the first USB protocol instruction; this encapsulation is completed at the bottom layer of the system. The preset USB transport protocol may be the Bulk-Only Transport (BOT) protocol or the USB Attached SCSI Protocol (UASP), where UASP is the USB mass storage class transport protocol supported by USB 3.0 and later devices. After the user terminal has obtained the first USB protocol instruction it sends the instruction to the server, which ultimately obtains the data on the USB storage device.
Step S20: the first USB protocol instruction is parsed to obtain the USB read operation;
It should be understood that when the server obtains the first USB protocol instruction, it parses the instruction according to the preset USB transport protocol and so recovers the USB read operation that was encapsulated. Transferring data according to a transport protocol is the usual way of using a USB storage device; what differs in this embodiment is that the USB read operation is encapsulated and parsed at the level of the preset USB transport protocol and then used in the subsequent steps to read the data, that is, the whole step is realized in the protocol layer. Existing approaches to encrypting and decrypting peripheral data all realize encryption and decryption as application-layer plug-ins, for example an encryption/decryption plug-in installed in the VM, and such plug-ins readily run into compatibility problems with third-party software. In other words, the encryption and decryption operations are moved out of the guest operating system (Guest OS) layer and into the virtual machine emulator, for example the QEMU emulator, so the server parses the first USB protocol instruction under the preset virtual machine emulator to obtain the USB read operation.
It will be understood that, because both the recovery of the read operation and the encryption and decryption in the later steps are realized in the underlying protocol layer, compatibility problems with third-party software are avoided: encryption and decryption performed outside the application layer naturally do not conflict with third-party software.
Step S30: the USB read operation is sent to the user terminal, so that the user terminal reads first target data from the USB storage device according to the USB read operation and returns the first target data to the server, the USB storage device being a storage device connected to the user terminal;
It should be understood that once the server has obtained the USB read operation, which is the operation information for the user's request to read the first target data, it sends the USB read operation back to the user terminal. On receiving the USB read operation, the user terminal reads data from the USB storage device according to it and so obtains the first target data. The first target data is encrypted data: to ensure the security of the USB storage device, the data content on it is stored in encrypted form.
Step S40: the first target data is decrypted according to the preset key to obtain decrypted first plaintext data.
It will be understood that, after the encrypted data has been obtained, the first target data is decrypted according to the preset key, so that the user can readily recognize the data content and the encryption/decryption of the data is completed; the result is the decrypted first plaintext data. Step S40 is also realized in the protocol layer, so the first target data can be decrypted according to the preset key under the preset virtual machine emulator to obtain the decrypted first plaintext data. Steps S20 and S40 are both completed in the virtual machine emulator; executing them in the underlying protocol layer reduces conflicts with other software. No restriction is placed on the specific encryption and decryption algorithm used.
In this embodiment the first USB protocol instruction is parsed, and the decryption of the first target data completed, in the protocol layer. Compared with installing an encryption/decryption plug-in in the VM to encrypt and decrypt peripheral data, this better avoids compatibility problems with third-party software, and so overcomes the existing technical problem that compatibility of encryption and decryption of peripheral data cannot be adequately ensured under current VDI scenarios.
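As an added illustration of steps S10 to S40 together with the write path described in the summary (second USB protocol instruction, encryption with the preset key, write operation returned to the terminal), the following Python simulates the exchange with both sides in one process. It is example code written for this page, not code from the patent or from any VDI product. The BOT Command Block Wrapper and the SCSI READ(10)/WRITE(10) CDB layouts are the real ones; the on-device record format (nonce, length, ciphertext, tag), the Terminal and Server classes and the message contents are assumptions made for the example. The patent does not fix a cipher, and the Python standard library has no block cipher, so the example uses a counter-mode keystream derived from HMAC-SHA256 with a separate HMAC-SHA256 tag (encrypt-then-MAC) as a stand-in; a deployment would substitute AES-GCM or another authenticated cipher from a real crypto library.

```python
import hashlib
import hmac
import os
import struct

SECTOR = 512
CBW_FMT = "<4sIIBBB16s"      # BOT Command Block Wrapper: 31 bytes, little-endian
CBW_SIG = b"USBC"
SCSI_READ10, SCSI_WRITE10 = 0x28, 0x2A
OVERHEAD = 16 + 4 + 32       # nonce + plaintext length + HMAC-SHA256 tag (assumed record format)

def build_cbw(tag, opcode, lba, sectors):
    """Terminal side: wrap a SCSI READ(10) or WRITE(10) CDB in a BOT CBW."""
    cdb = struct.pack(">BBIBHB", opcode, 0, lba, 0, sectors, 0).ljust(16, b"\0")
    flags = 0x80 if opcode == SCSI_READ10 else 0x00   # 0x80: data flows device to host
    return struct.pack(CBW_FMT, CBW_SIG, tag, sectors * SECTOR, flags, 0, 10, cdb)

def parse_cbw(cbw):
    """Server side (the emulator's role): recover the read or write operation."""
    sig, tag, length, _flags, _lun, cb_len, cdb = struct.unpack(CBW_FMT, cbw)
    if sig != CBW_SIG or not 1 <= cb_len <= 16:
        raise ValueError("malformed CBW")
    if cdb[0] not in (SCSI_READ10, SCSI_WRITE10):
        raise ValueError("unsupported SCSI opcode 0x%02x" % cdb[0])
    lba, sectors = struct.unpack(">IH", cdb[2:6] + cdb[7:9])
    if length != sectors * SECTOR:
        raise ValueError("CBW transfer length disagrees with the CDB")
    return {"tag": tag, "op": "read" if cdb[0] == SCSI_READ10 else "write",
            "lba": lba, "sectors": sectors}

def _subkeys(preset_key):
    """Separate encryption and MAC keys derived from the one preset key."""
    return tuple(hmac.new(preset_key, label, hashlib.sha256).digest()
                 for label in (b"enc", b"mac"))

def _xor_stream(k_enc, nonce, data):
    """Counter-mode keystream from HMAC-SHA256, standing in for a block cipher."""
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(k_enc, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)

def encrypt(preset_key, plaintext):
    """Write path: nonce || length || ciphertext || tag, padded to whole sectors."""
    k_enc, k_mac = _subkeys(preset_key)
    nonce = os.urandom(16)
    body = nonce + struct.pack(">I", len(plaintext)) + _xor_stream(k_enc, nonce, plaintext)
    blob = body + hmac.new(k_mac, body, hashlib.sha256).digest()
    return blob.ljust(-(-len(blob) // SECTOR) * SECTOR, b"\0")

def decrypt(preset_key, sectors):
    """Read path: verify the tag before any plaintext is released to the guest."""
    if len(sectors) < OVERHEAD:
        raise ValueError("too short to hold an encrypted record")
    k_enc, k_mac = _subkeys(preset_key)
    nonce, (n,) = sectors[:16], struct.unpack(">I", sectors[16:20])
    body, tag = sectors[:20 + n], sectors[20 + n:20 + n + 32]
    if not hmac.compare_digest(tag, hmac.new(k_mac, body, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or altered data")
    return _xor_stream(k_enc, nonce, body[20:])

class Terminal:   # user terminal: owns the USB storage device, only ever sees ciphertext
    def __init__(self, total_sectors):
        self.disk = bytearray(total_sectors * SECTOR)   # constructed in-memory device
    def execute(self, op, data=b""):
        start, end = op["lba"] * SECTOR, (op["lba"] + op["sectors"]) * SECTOR
        if end > len(self.disk) or (op["op"] == "write" and len(data) != end - start):
            raise ValueError("operation does not fit the device")
        if op["op"] == "write":
            self.disk[start:end] = data
            return b""
        return bytes(self.disk[start:end])

class Server:   # VDI server: parses the protocol and performs all cryptography itself
    def __init__(self):
        self.preset_key = os.urandom(32)   # "generate the preset key and save it locally"
    def handle(self, terminal, cbw, plaintext=b""):
        op = parse_cbw(cbw)
        if op["op"] == "write":
            target = encrypt(self.preset_key, plaintext)
            if len(target) != op["sectors"] * SECTOR:
                raise ValueError("CDB transfer length does not cover the ciphertext")
            terminal.execute(op, target)
            return b""
        return decrypt(self.preset_key, terminal.execute(op))

def round_trip(message):
    """Write via the server onto the terminal's device and read back; returns (plaintext, hidden?)."""
    server, terminal = Server(), Terminal(total_sectors=64)
    sectors = -(-(len(message) + OVERHEAD) // SECTOR)
    server.handle(terminal, build_cbw(1, SCSI_WRITE10, 8, sectors), message)
    raw = terminal.execute({"op": "read", "lba": 8, "sectors": sectors})
    recovered = server.handle(terminal, build_cbw(2, SCSI_READ10, 8, sectors))
    return recovered, message not in raw
```

What the paragraphs above leave implicit is visible in round_trip: the terminal's device only ever holds ciphertext, the preset key never leaves the Server object, and because the record is authenticated, a sector altered on the removable device (or read back under a different key) is rejected in decrypt before any plaintext reaches the guest.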
Referring to Fig. 3, Fig. 3 is a flow diagram of the second embodiment of the divulgence prevention method based on a virtual desktop according to the present invention. Based on the embodiment shown in Fig. 2 above, the second embodiment of the method is proposed.
In the second embodiment, step S10 specifically comprises:
Step S10': the server receives a first USB protocol instruction and a partition table sent by the user terminal, where the first USB protocol instruction is obtained by the user terminal encapsulating a USB read operation input by the user according to a preset USB transport protocol, and the user terminal accesses the server through virtual desktop technology;
It will be understood that in this embodiment the server receives the partition table sent by the user terminal; this embodiment places no restriction on the order in which the server receives the first USB protocol instruction and the partition table. The partition table can therefore be received in advance, before the server receives the first USB protocol instruction sent by the user terminal, so that the data address can be determined in the subsequent operations, which improves operating efficiency.
The partition table describes how the storage device is divided into partitions. There are several types, such as the Master Boot Record (MBR) partition table and the GUID Partition Table (GPT). The partition table is what makes orderly reading and writing of data on the USB storage device possible; when the partition table is abnormal or lost, USB read and write operations on the data in the USB storage device cannot be carried out.
Step S30 specifically comprises:
Step S30': the data address corresponding to the USB read operation is determined according to the partition table, and the data address is sent to the user terminal, so that the user terminal reads from the USB storage device the first target data corresponding to the data address and sends the first target data to the server, the USB storage device being a storage device connected to the user terminal;
It should be understood that once the partition table and the USB read operation have been obtained, normal reading of the data can proceed on the basis of the partition table. The data address to which the USB read operation points can be determined precisely from the partition table and the USB read operation; sending that data address to the USB storage device allows the first target data corresponding to the data address to be read.
In this embodiment the data address to be read is determined from the partition table and the USB read operation, so that the user terminal can successfully read the first target data.
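As an added example for step S30', not code from the patent: parsing a classic MBR partition table received from the terminal and resolving a read issued against a partition to an absolute LBA. The 16-byte entry layout, the 0x55AA signature at offset 510 and the partition type bytes are the real MBR format; the SAMPLE_MBR layout is constructed for the example, and the function and check names are assumptions. The practitioner's point is that the partition table arrives from the user terminal, so the server validates it (signature, status byte, 32-bit extents, overlapping entries) and bounds-checks every read against the partition it was issued for rather than trusting the table.

```python
import itertools
import struct

MBR_SIGNATURE = 0xAA55
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, start LBA, sector count


def make_mbr(entries):
    """Build a sector 0 from (status, type, start LBA, count) tuples.
    Constructed sample input for this example, not data from any real device."""
    table = b"".join(struct.pack(PART_ENTRY_FMT, s, b"\0\0\0", t, b"\0\0\0", start, count)
                     for s, t, start, count in entries)
    return bytes(446) + table.ljust(64, b"\0") + struct.pack("<H", MBR_SIGNATURE)


def parse_mbr(sector0):
    """Parse the four primary entries of a classic MBR. The table comes from the
    user terminal, so every field is validated rather than trusted."""
    if len(sector0) < 512 or struct.unpack_from("<H", sector0, 510)[0] != MBR_SIGNATURE:
        raise ValueError("partition table missing or corrupt: no 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(PART_ENTRY_FMT, sector0, 446 + 16 * i)
        if ptype == 0 and count == 0:
            continue                                   # unused slot
        if status not in (0x00, 0x80):
            raise ValueError("entry %d has an invalid status byte 0x%02x" % (i, status))
        if ptype == 0 or count == 0 or start == 0 or start + count > 0xFFFFFFFF:
            raise ValueError("entry %d has an impossible extent" % i)   # 32-bit LBA must not wrap
        parts.append({"index": i, "type": ptype, "start": start, "count": count})
    for a, b in itertools.combinations(parts, 2):
        if a["start"] < b["start"] + b["count"] and b["start"] < a["start"] + a["count"]:
            raise ValueError("entries %d and %d overlap" % (a["index"], b["index"]))
    return parts


def resolve_read(parts, part_index, offset, n_sectors):
    """Map 'n_sectors at offset inside partition part_index' to an absolute LBA,
    refusing any read that would leave the partition it was issued against."""
    for p in parts:
        if p["index"] == part_index:
            if n_sectors < 1 or offset < 0 or offset + n_sectors > p["count"]:
                raise ValueError("read crosses the partition boundary")
            return p["start"] + offset
    raise ValueError("no such partition")


# Constructed layout: a 100 MiB FAT32 partition followed by a 200 MiB Linux partition.
SAMPLE_MBR = make_mbr([(0x80, 0x0C, 2048, 204800), (0x00, 0x83, 206848, 409600)])

if __name__ == "__main__":
    layout = parse_mbr(SAMPLE_MBR)
    print(layout)
    print(resolve_read(layout, 1, 100, 8))   # absolute LBA 206948
```

resolve_read refuses a read that would run past the end of its partition, and a forged table whose extents wrap or overlap is rejected in parse_mbr before any address is computed. GPT needs a different parser (a protective MBR followed by the GPT header at LBA 1) and is outside this example.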
With reference to Fig. 4, Fig. 4 is the flow diagram of the divulgence prevention method 3rd embodiment of the invention based on virtual desktop, base
In the embodiment shown in above-mentioned Fig. 2, the 3rd embodiment of the proposition divulgence prevention method of the invention based on virtual desktop.
In the third embodiment, the step S10, specifically includes:
Step S101:The instruction of the first usb protocol and user identifier that server reception user terminal is sent, described first
USB read operations input by user are packaged and obtained by usb protocol instruction by the user terminal by default USB transport protocol
, the user terminal accesses the server by virtual desktop technology;
It is understood that in order to adapt to the complicated use environment of the more access rights of multi-user, can pre-set can be into
The user authority setting of row encrypting and decrypting operation, to tackle the actual use of the more access rights of multi-user, so, server will connect
The user identifier sent by user terminal.The user identifier is used to uniquely identify user's end in current running environment
End, plays the effect that identity identification is carried out for user terminal, wherein, the user label can mark physical equipment i.e. user
Terminal, can also mark the active user using user terminal, and the present embodiment is not restricted this.
Step S102:The user identifier is matched with each preset authorization user identifier;
In the concrete realization, the user list that decryption oprerations can be encrypted will be pre-set in the server, it is described
Preset authorization user identifier mean currently running user identifier pre-saved for preset authorization user identifier when, i.e. generation
The currently running user identifier of table will be performed with the business qualification that decryption oprerations are encrypted subsequently to the solution of target data
Close or clear data cryptographic operation.By the way that the user identifier is matched with each preset authorization user identifier, matching
During success, that is, characterize user identifier and be predetermined to be authorized user's mark, subsequent operation will be carried out;When matching unsuccessful, can stop
The only prompt message of subsequent operation or feedback operation failure.
In successful match, step S103 is performed.
It should be appreciated that step S101-102 is used for realization the judgement for authorized user, meanwhile, for the service of improving
The speed of service and reduction maloperation probability of device, can also prop up server before the write-in of data and read operation is carried out
Each USB transport protocol held is detected in advance, to save the calculation amount of server.
Step S103:The default USB transport protocol is matched with each default supported protocol;
It can be understood that, before the first USB protocol instruction is parsed, protocol detection may be carried out first to determine whether the server supports the default USB transport protocol. The protocol detection may be implemented by reading the configuration information of the server, which describes the USB transport protocols the server supports, that is, the default supported protocols; matching the default USB transport protocol against each default supported protocol determines whether the server supports the USB transport protocol that encapsulates the current instruction.
On a successful match, step S20 is performed.
In a specific implementation, on a successful match step S20 may be performed, which indicates that the server is able to parse the first USB protocol instruction encapsulated by the default USB transport protocol; on an unsuccessful match, the subsequent operations are stopped or information indicating operation failure is sent to the user terminal, because the current running environment of the server cannot support the default USB transport protocol. Carrying out protocol detection before step S20 is performed improves the operational efficiency of the server.
This embodiment does not restrict the order in which the authorized-user determination process implemented by steps S101-102 and the supported-protocol matching process implemented by step S103 occur.
By presetting preset authorization user identifiers, this embodiment manages the qualification of users to read and write data and improves the confidentiality of the data; moreover, by introducing an advance determination of whether the server supports the USB transport protocol, it also reduces the computation spent on invalid data and improves the operational efficiency of the device.
With reference to Fig. 5, Fig. 5 is a flow diagram of a fourth embodiment of the divulgence prevention method based on virtual desktop of the present invention. Based on the embodiment shown in Fig. 2 above, the fourth embodiment of the divulgence prevention method based on virtual desktop of the present invention is proposed.
In the third embodiment, before step S10, the method further includes:
Step S101': the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, the second USB protocol instruction being obtained by the user terminal by encapsulating a USB write operation input by the user with the default USB transport protocol;
It can be understood that, when a USB storage device is inserted into the user terminal under the VDI architecture, in order to write data into the USB storage device the user may carry out a data write operation on the user terminal, for example adding data to the USB storage device: data copied on the user terminal may be pasted into the USB storage device, which generates a USB write operation used to write the data into the USB storage device. Under the VDI architecture, the user terminal encapsulates the USB write operation input by the user with the default USB transport protocol to obtain the second USB protocol instruction, and the second USB protocol instruction is sent to the server so that the server performs the write operation.
In a specific implementation, when the server receives the second USB protocol instruction and the second plaintext data sent by the user terminal, the second plaintext data is the data to be written to the USB storage device; the second plaintext data may be stored in advance locally on the server, or may be obtained from the user terminal.
Step S102': parsing the second USB protocol instruction to obtain the USB write operation;
It should be appreciated that, after obtaining the second USB protocol instruction, the server parses the protocol instruction according to the default USB transport protocol to obtain the USB write operation contained in the second USB protocol instruction.
Step S103': encrypting the second plaintext data according to the preset key to obtain encrypted second target data;
It can be understood that, in order to achieve the anti-leakage effect, all data read from and written to the USB storage device is encrypted data; therefore the second plaintext data is encrypted according to the preset key to obtain the encrypted second target data.
Step S104: sending the USB write operation and the second target data to the user terminal, so that the user terminal writes the second target data into the USB storage device according to the USB write operation.
In a specific implementation, after the USB write operation and the encrypted second target data are obtained, the USB write operation and the second target data are sent to the user terminal, so that the second target data can be written into the USB storage device; in this way the data written to the USB storage device is encrypted.
Before step S40, the method further includes:
Step S40': generating the preset key and saving it locally, so that the first target data can be decrypted according to the preset key.
It can be understood that, to facilitate the encryption and decryption operations of the server, the preset key may be generated in advance and stored locally on the server; when target data that needs to be decrypted or plaintext data that needs to be encrypted is obtained, the anti-leakage operation can then be carried out directly with the locally saved key, which effectively saves computation on the server and improves the encryption and decryption speed.
In this embodiment, by parsing the second USB protocol instruction at the protocol layer and completing the encryption of the second plaintext data there, rather than installing an encryption plug-in in the VM to encrypt peripheral data, the compatibility problem with third-party software is better overcome; moreover, by generating the preset key in advance, the encryption and decryption speed is also improved.
In addition, an embodiment of the present invention further proposes a storage medium on which a divulgence prevention program based on virtual desktop is stored; when the divulgence prevention program based on virtual desktop is executed by a processor, the following operations are implemented:
the server receives a first USB protocol instruction sent by a user terminal, the first USB protocol instruction being obtained by the user terminal by encapsulating a USB read operation input by the user with a default USB transport protocol, the user terminal accessing the server through virtual desktop technology;
parsing the first USB protocol instruction to obtain the USB read operation;
sending the USB read operation to the user terminal, so that the user terminal reads first target data from a USB storage device according to the USB read operation and feeds the first target data back to the server, the USB storage device being a storage device connected to the user terminal;
decrypting the first target data according to a preset key to obtain decrypted first plaintext data.
Further, when the divulgence prevention program based on virtual desktop is executed by the processor, the following operation is also implemented:
parsing the first USB protocol instruction under a default virtual machine simulator to obtain the USB read operation.
Further, when the divulgence prevention program based on virtual desktop is executed by the processor, the following operation is also implemented:
the server receives the first USB protocol instruction and a partition table sent by the user terminal;
Correspondingly, the following operation is also implemented:
determining a data address corresponding to the USB read operation according to the partition table, and sending the data address to the user terminal, so that the user terminal reads first target data corresponding to the data address from the USB storage device and sends the first target data to the server.
Further, when the divulgence prevention program based on virtual desktop is executed by the processor, the following operation is also implemented:
the server receives the first USB protocol instruction and a user identifier sent by the user terminal;
Correspondingly, the following operations are also implemented:
matching the user identifier against each preset authorization user identifier;
on a successful match, performing the step of parsing the first USB protocol instruction.
Further, when the divulgence prevention program based on virtual desktop is executed by the processor, the following operations are also implemented:
matching the default USB transport protocol against each default supported protocol;
on a successful match, performing the step of parsing the first USB protocol instruction.
Further, when the divulgence prevention program based on virtual desktop is executed by the processor, the following operations are also implemented:
the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, the second USB protocol instruction being obtained by the user terminal by encapsulating a USB write operation input by the user with the default USB transport protocol;
parsing the second USB protocol instruction to obtain the USB write operation;
encrypting the second plaintext data according to the preset key to obtain encrypted second target data;
sending the USB write operation and the second target data to the user terminal, so that the user terminal writes the second target data into the USB storage device according to the USB write operation.
Further, when the divulgence prevention program based on virtual desktop is executed by the processor, the following operation is also implemented:
generating the preset key and saving it locally, so that the first target data can be decrypted according to the preset key.
In this embodiment, by parsing the first USB protocol instruction at the protocol layer and completing the decryption of the first target data there, rather than installing an encryption/decryption plug-in in the VM to encrypt and decrypt peripheral data, the compatibility problem with third-party software is better overcome; this overcomes the existing technical problem that, under current VDI scenarios, compatibility of the encryption and decryption operations on peripheral data cannot be well ensured.
It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
It should be noted that, herein, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or system including a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements inherent to such a process, method, article or system. In the absence of more restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or system that includes that element.
The numbering of the embodiments of the present invention is for description only and does not represent the merits of the embodiments. The words first, second and third do not indicate any order; these words may be construed as names.
From the above description of the embodiments, those skilled in the art can clearly understand that the method of the above embodiments may be implemented by software plus a required general-purpose hardware platform, and naturally may also be implemented by hardware, but in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to perform the method described in each embodiment of the present invention.
The above are only preferred embodiments of the present invention and are not intended to limit its scope; any equivalent structure or equivalent process transformation made using the content of the description and drawings of the present invention, whether used directly or indirectly in other related technical fields, is included within the scope of protection of the present invention.
Claims (10)
1. A divulgence prevention method based on virtual desktop, characterised in that the method comprises the following steps:
a server receives a first USB protocol instruction sent by a user terminal, the first USB protocol instruction being obtained by the user terminal by encapsulating a USB read operation input by the user with a default USB transport protocol, the user terminal accessing the server through virtual desktop technology;
parsing the first USB protocol instruction to obtain the USB read operation;
sending the USB read operation to the user terminal, so that the user terminal reads first target data from a USB storage device according to the USB read operation and feeds the first target data back to the server, the USB storage device being a storage device connected to the user terminal;
decrypting the first target data according to a preset key to obtain decrypted first plaintext data.
2. The method according to claim 1, characterised in that parsing the first USB protocol instruction to obtain the USB read operation specifically includes:
parsing the first USB protocol instruction under a default virtual machine simulator to obtain the USB read operation.
3. The method according to claim 1, characterised in that the server receiving the first USB protocol instruction sent by the user terminal specifically includes:
the server receives the first USB protocol instruction and a partition table sent by the user terminal;
correspondingly, sending the USB read operation to the user terminal so that the user terminal reads first target data from the USB storage device according to the USB read operation and feeds it back to the server specifically includes:
determining a data address corresponding to the USB read operation according to the partition table, and sending the data address to the user terminal, so that the user terminal reads first target data corresponding to the data address from the USB storage device and sends the first target data to the server.
4. The method according to claim 1, characterised in that the server receiving the first USB protocol instruction sent by the user terminal specifically includes:
the server receives the first USB protocol instruction and a user identifier sent by the user terminal;
correspondingly, before parsing the first USB protocol instruction to obtain the USB read operation, the method further includes:
matching the user identifier against each preset authorization user identifier;
on a successful match, performing the step of parsing the first USB protocol instruction.
5. The method according to any one of claims 1 to 4, characterised in that, before parsing the first USB protocol instruction to obtain the USB read operation, the method further includes:
matching the default USB transport protocol against each default supported protocol;
on a successful match, performing the step of parsing the first USB protocol instruction.
6. The method according to any one of claims 1 to 4, characterised in that, before the server receives the first USB protocol instruction sent by the user terminal, the first USB protocol instruction being obtained by the user terminal by encapsulating the USB read operation input by the user with the default USB transport protocol, the method further includes:
the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, the second USB protocol instruction being obtained by the user terminal by encapsulating a USB write operation input by the user with the default USB transport protocol;
parsing the second USB protocol instruction to obtain the USB write operation;
encrypting the second plaintext data according to the preset key to obtain encrypted second target data;
sending the USB write operation and the second target data to the user terminal, so that the user terminal writes the second target data into the USB storage device according to the USB write operation.
7. The method according to any one of claims 1 to 4, characterised in that, before decrypting the first target data according to the preset key to obtain the decrypted first plaintext data, the method further includes:
generating the preset key and saving it locally, so that the first target data can be decrypted according to the preset key.
8. The method according to any one of claims 1 to 4, characterised in that the default USB transport protocol includes any one of the BOT protocol and the USAP protocol.
9. A server, characterised in that the server includes a memory, a processor, and a divulgence prevention program based on virtual desktop that is stored on the memory and can run on the processor, wherein the divulgence prevention program based on virtual desktop, when executed by the processor, implements the steps of the divulgence prevention method based on virtual desktop according to any one of claims 1 to 8.
A kind of 10. storage medium, it is characterised in that the anti-program of divulging a secret based on virtual desktop is stored with the storage medium,
Such as base described in any item of the claim 1 to 8 is realized when the anti-program of divulging a secret based on virtual desktop is executed by processor
In the divulgence prevention method of virtual desktop the step of.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711161477.8A CN108021801B (en) | 2017-11-20 | 2017-11-20 | Virtual desktop-based anti-leakage method, server and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108021801A true CN108021801A (en) | 2018-05-11 |
CN108021801B CN108021801B (en) | 2021-07-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||