CN108243157A - Method and device for injecting sensitive information into a virtual machine - Google Patents
- Publication number: CN108243157A
- Application number: CN201611219614.4A
- Authority: CN (China)
- Prior art keywords: virtual machine, sent, sensitive information, random number, key
- Legal status: Pending
Classifications (all under H04L63/00, network architectures or network communication protocols for network security)
- H04L63/0428: providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/083: authentication of entities using passwords
- H04L63/168: implementing security features at a particular protocol layer above the transport layer
Abstract
Embodiments of the present application provide a method and device for injecting sensitive information into a virtual machine. The method comprises: generating a private key and a public key paired with the private key, and sending the public key and a preset user name to the virtual machine; sending a virtual machine login request to the virtual machine based on the Secure Shell (SSH) login protocol, where the login request includes the preset user name and the private key and requests that a secure channel based on the SSH login protocol be established with the virtual machine; and sending the sensitive information to the virtual machine through the secure channel. The public key is first configured in the virtual machine by injection through the infrastructure-layer (I-layer) interface, and the secure channel between the management device and the virtual machine is then established by logging in over SSH. This avoids the possibility that the sensitive information is intercepted by other users of the I-layer interface and improves the security of the information.
Description
Technical field
Embodiments of the present application relate to computer technology, and in particular to a method and device for injecting sensitive information into a virtual machine.
Background technology
Traditional network devices such as routers, switches and firewalls typically have their functions fixed by the hardware the device contains, for example support for particular protocols, load balancing and rate control, so such devices are difficult to upgrade and to scale out. The prior art generally uses network function virtualization to solve this problem: network function virtualization creates virtual machines (VMs) on arbitrary network devices to realize virtual network functions (VNFs). VNFs can be created flexibly on demand, so that network device functions no longer depend on dedicated hardware and resources can be shared flexibly.
In network function virtualization, a virtual network function management device is usually responsible for creating the virtual machine and deploying the virtual network function on it. After the virtual network function is deployed, it must still interact with the virtual network function management device throughout its life cycle in order to complete elasticity functions. There is therefore a need to configure sensitive information such as shared keys and accounts between the virtual network function management device and the created virtual machine.
When creating a virtual machine, an existing virtual network function management device usually passes information to the virtual machine through infrastructure-layer management software such as OpenStack or VMware, that is, it injects the information directly into the virtual machine through the I-layer interface. This kind of injection, however, exposes the information passed to the virtual machine to the I-layer interface: other users of the I-layer interface can obtain it by viewing the virtual machine's attributes directly, by reading the command history, or by re-mounting the configuration CD. Existing virtual machine information injection methods therefore have the problem that the injected information cannot be kept secret.
Summary of the invention
Embodiments of the present application provide a method and device for injecting sensitive information into a virtual machine, to solve the problem that information injected by existing virtual machine information injection methods cannot be kept secret.
In a first aspect, an embodiment of the present application provides a method for injecting sensitive information into a virtual machine, applied on the management device side. The method comprises:
generating a private key and a public key paired with the private key, and sending the public key and a preset user name to the virtual machine; sending a virtual machine login request to the virtual machine based on the Secure Shell (SSH) login protocol, where the login request includes the preset user name and the private key and requests that a secure channel based on the SSH login protocol be established with the virtual machine; and sending the sensitive information to the virtual machine through the secure channel.
The public key is first configured in the virtual machine by injection through the I-layer interface, and the secure channel between the management device and the virtual machine is then established by logging in over SSH. This removes the possibility that the information is intercepted by other users of the I-layer interface and improves the security of the information. At the same time, because the secure connection is established automatically on the basis of the public/private key pair, the slow manual configuration that comes with entering accounts and passwords by hand, which makes large-scale deployment of virtual machines slow, is avoided.
In one possible implementation, before the sensitive information is sent to the virtual machine through the secure channel, the method further comprises:
generating a first random number and sending the first random number to the virtual machine;
and sending the sensitive information to the virtual machine through the secure channel then comprises:
encrypting the sensitive information with the first random number, and sending the encrypted sensitive information to the virtual machine through the secure channel.
Because the sensitive information is encrypted with the first random number, and the first random number and the encrypted sensitive information are injected into the virtual machine through different channels, the security of the information is further improved.
In another possible implementation, before the sensitive information is sent to the virtual machine through the secure channel, the method further comprises:
receiving a key sent by the virtual machine, where the key comprises a second random number encrypted with the public key, and decrypting the key with the private key to obtain the second random number;
and sending the sensitive information to the virtual machine through the secure channel then comprises:
encrypting the sensitive information with the second random number, and sending the encrypted sensitive information to the virtual machine through the secure channel.
The second random number, which the virtual machine sends under asymmetric-key protection, has higher security, and using the second random number to encrypt the sensitive information further improves the security of the information.
In a second aspect, an embodiment of the present application provides a method for injecting sensitive information into a virtual machine, applied on the virtual machine side. The method comprises:
receiving the public key and the preset user name sent by the management device, and storing the public key in the authentication file corresponding to the preset user name; receiving the virtual machine login request sent by the management device, where the login request includes a user name to be verified and a private key; obtaining the public key in the authentication file corresponding to the user name to be verified, and checking whether that public key matches the private key; if so, establishing a secure channel based on the SSH login protocol with the management device; and receiving the sensitive information sent by the management device through the secure channel.
In one possible implementation, before the sensitive information sent by the management device through the secure channel is received, the method further comprises:
receiving the first random number sent by the virtual machine;
and receiving the sensitive information sent by the management device through the secure channel then comprises:
receiving, through the secure channel, the sensitive information that the management device encrypted with the first random number, and decrypting the encrypted sensitive information with the first random number.
In another possible implementation, before the sensitive information sent by the management device through the secure channel is received, the method further comprises:
generating a second random number, encrypting the second random number with the public key to obtain a key, and sending the key to the management device;
and receiving the sensitive information sent by the management device through the secure channel then comprises:
receiving, through the secure channel, the sensitive information that the management device encrypted with the second random number, and decrypting the encrypted sensitive information with the second random number.
In a third aspect, an embodiment of the present application provides a method for injecting sensitive information into a virtual machine, applied on the management device side. The method comprises:
generating a private key and a public key paired with the private key, generating a random number, and encrypting the sensitive information with the random number; sending the encrypted sensitive information, a preset user name and the public key to the virtual machine; sending a virtual machine login request to the virtual machine based on the SSH login protocol, where the login request includes the preset user name and the private key and requests that a secure channel based on the SSH login protocol be established with the virtual machine; and sending the random number to the virtual machine through the secure channel.
In a fourth aspect, an embodiment of the present application provides a method for injecting sensitive information into a virtual machine, applied on the virtual machine side. The method comprises:
receiving the encrypted sensitive information, the preset user name and the public key sent by the management device, and storing the public key in the authentication file corresponding to the preset user name; receiving the virtual machine login request sent by the management device, where the login request includes a user name to be verified and a private key; obtaining the public key in the authentication file corresponding to the user name to be verified, and checking whether that public key matches the private key; if so, establishing a secure channel based on the SSH login protocol with the management device; and receiving the random number sent by the management device through the secure channel, and decrypting the encrypted sensitive information with the random number.
In a fifth aspect, an embodiment of the present application provides a method for injecting sensitive information into a virtual machine, applied on the management device side. The method comprises:
generating a private key and a public key paired with the private key, and sending the public key to the virtual machine; receiving a key sent by the virtual machine, and decrypting the key with the private key to obtain a random number; and encrypting the sensitive information with the random number and sending the encrypted sensitive information to the virtual machine.
In a sixth aspect, an embodiment of the present application provides a method for injecting sensitive information into a virtual machine, applied on the virtual machine side. The method comprises:
receiving the public key sent by the management device; generating a random number, encrypting the random number with the public key to obtain a key, and sending the key to the management device; and receiving the sensitive information that the management device encrypted with the random number, and decrypting the encrypted sensitive information with the random number.
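The exchange of the first and second aspects above, in the implementation that uses a first random number, as an added Go example that is not part of the patent (the third to sixth aspects differ only in which side generates the random number and which channel carries it). Assumptions that are the example's own: the I-layer injection and the SSH session are modelled as direct function calls, SSH public-key authentication is modelled as a signature over a fresh challenge that the VM checks against the stored key (which is how the "matching" of a private key against the stored public key is done in practice, without the private key leaving the client), and the sensitive information is encrypted with AES-256-GCM under SHA-256 of the random number, since the patent names no cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// ILayerMessage is all that the I-layer injection (VM metadata or a config CD)
// exposes to other I-layer users; the sensitive information is never in it.
type ILayerMessage struct {
	User   string
	PubKey ed25519.PublicKey
	Nonce  []byte // the "first random number"
}

// VM is the guest side: per-user authorized keys, the injected random number
// and the sensitive information it finally recovers over the SSH channel.
type VM struct {
	authorized map[string]ed25519.PublicKey
	nonce      []byte
	Secret     []byte
}

// ReceiveILayer stores the public key under the preset user name, as cloud-init
// would append it to that user's authorized_keys file (the "authentication file").
func (vm *VM) ReceiveILayer(m ILayerMessage) {
	vm.authorized = map[string]ed25519.PublicKey{m.User: m.PubKey}
	vm.nonce = m.Nonce
}

// VerifyLogin is the server side of SSH public-key authentication: the VM checks
// a signature over a fresh challenge against the key stored for the user name,
// so the private key itself never has to travel in the login request.
func (vm *VM) VerifyLogin(user string, challenge, sig []byte) bool {
	pub, ok := vm.authorized[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

// ReceiveOverSSH decrypts what arrived over the secure channel with the
// key derived from the first random number.
func (vm *VM) ReceiveOverSSH(ct []byte) (err error) {
	vm.Secret, err = open(vm.nonce, ct)
	return err
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead derives AES-256-GCM from SHA-256(first random number); the patent names
// no cipher, this is the example's choice. Neither constructor fails for a 32-byte key.
func aead(nonce []byte) cipher.AEAD {
	k := sha256.Sum256(nonce)
	blk, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(blk)
	return g
}

func seal(nonce, pt []byte) []byte {
	g := aead(nonce)
	iv := randomBytes(g.NonceSize())
	return append(iv, g.Seal(nil, iv, pt, nil)...)
}

func open(nonce, ct []byte) ([]byte, error) {
	g := aead(nonce)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// Inject runs the whole exchange from the management device's side and returns
// what the I-layer exposed together with the VM that received the secret.
func Inject(user string, secret []byte) (ILayerMessage, *VM, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader) // stays on the management device
	if err != nil {
		return ILayerMessage{}, nil, err
	}
	// Step 1: preset user name, public key and first random number via the I-layer.
	exposed := ILayerMessage{User: user, PubKey: priv.Public().(ed25519.PublicKey), Nonce: randomBytes(32)}
	vm := &VM{}
	vm.ReceiveILayer(exposed)
	// Step 2: SSH login; the management device proves possession of the private key.
	challenge := randomBytes(32)
	if !vm.VerifyLogin(user, challenge, ed25519.Sign(priv, challenge)) {
		return exposed, nil, errors.New("ssh login rejected")
	}
	// Step 3: only the encrypted sensitive information crosses the secure channel.
	return exposed, vm, vm.ReceiveOverSSH(seal(exposed.Nonce, secret))
}
```

Everything an I-layer user could read is in the returned ILayerMessage; the ciphertext exists only inside the authenticated SSH session, so neither channel on its own yields the secret.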
Embodiments of the present application also provide a device for injecting sensitive information into a virtual machine, for performing the methods of the first to sixth aspects above. It has the same technical features and technical effects, which are not repeated here.
In a seventh aspect, an embodiment of the present application provides a device for injecting sensitive information into a virtual machine, the device comprising:
a key generation unit, configured to generate a private key and a public key paired with the private key;
a sending unit, configured to send the public key and a preset user name to the virtual machine;
the sending unit being further configured to send a virtual machine login request to the virtual machine based on the SSH login protocol, where the login request includes the preset user name and the private key and requests that a secure channel based on the SSH login protocol be established with the virtual machine;
the sending unit being further configured to send sensitive information to the virtual machine through the secure channel.
In one possible implementation, the key generation unit is further configured to generate a first random number, the sending unit is further configured to send the first random number to the virtual machine, and the device further comprises:
an encryption unit, configured to encrypt the sensitive information with the first random number;
the sending unit being further configured to send the encrypted sensitive information to the virtual machine through the secure channel.
In another possible implementation, the device further comprises:
a receiving unit, configured to receive a key sent by the virtual machine, where the key comprises a second random number encrypted with the public key;
a decryption unit, configured to decrypt the key with the private key to obtain the second random number;
an encryption unit, configured to encrypt the sensitive information with the second random number;
the sending unit being specifically configured to send the encrypted sensitive information to the virtual machine through the secure channel.
In an eighth aspect, an embodiment of the present application provides a device for injecting sensitive information into a virtual machine, the device comprising:
a receiving unit, configured to receive the public key and the preset user name sent by the management device;
a storage unit, configured to store the public key in the authentication file corresponding to the preset user name;
the receiving unit being further configured to receive the virtual machine login request sent by the management device, where the login request includes a user name to be verified and a private key;
a verification unit, configured to obtain the public key in the authentication file corresponding to the user name to be verified and to check whether that public key matches the private key;
an establishing unit, configured to establish a secure channel based on the SSH login protocol with the management device when the public key in the authentication file corresponding to the user name to be verified matches the private key;
the receiving unit being further configured to receive the sensitive information sent by the management device through the secure channel.
In one possible implementation, the receiving unit is further configured to receive the first random number sent by the virtual machine;
the receiving unit is specifically configured to receive, through the secure channel, the sensitive information that the management device encrypted with the first random number;
and the device comprises:
a decryption unit, configured to decrypt the encrypted sensitive information with the first random number.
In another possible implementation, the device further comprises:
a key generation unit, configured to generate a second random number and to encrypt the second random number with the public key to obtain a key;
a sending unit, configured to send the key to the management device;
the receiving unit being specifically configured to receive, through the secure channel, the sensitive information that the management device encrypted with the second random number;
a decryption unit, configured to decrypt the encrypted sensitive information with the second random number.
In a ninth aspect, an embodiment of the present application provides a device for injecting sensitive information into a virtual machine, the device comprising:
a key generation unit, configured to generate a private key and a public key paired with the private key, and to generate a random number;
an encryption unit, configured to encrypt the sensitive information with the random number;
a sending unit, configured to send the encrypted sensitive information, a preset user name and the public key to the virtual machine;
the sending unit being further configured to send a virtual machine login request to the virtual machine based on the SSH login protocol, where the login request includes the preset user name and the private key and requests that a secure channel based on the SSH login protocol be established with the virtual machine;
the sending unit being further configured to send the random number to the virtual machine through the secure channel.
In a tenth aspect, an embodiment of the present application provides a device for injecting sensitive information into a virtual machine, the device comprising:
a receiving unit, configured to receive the encrypted sensitive information, the preset user name and the public key sent by the management device;
a storage unit, configured to store the public key in the authentication file corresponding to the preset user name;
the receiving unit being further configured to receive the virtual machine login request sent by the management device, where the login request includes a user name to be verified and a private key;
a verification unit, configured to obtain the public key in the authentication file corresponding to the user name to be verified and to check whether that public key matches the private key;
an establishing unit, configured to establish a secure channel based on the SSH login protocol with the management device when the public key in the authentication file corresponding to the user name to be verified matches the private key;
the receiving unit being further configured to receive the random number sent by the management device through the secure channel;
a decryption unit, configured to decrypt the encrypted sensitive information with the random number.
In an eleventh aspect, an embodiment of the present application provides a device for injecting sensitive information into a virtual machine, the device comprising:
a key generation unit, configured to generate a private key and a public key paired with the private key;
a sending unit, configured to send the public key to the virtual machine;
a receiving unit, configured to receive a key sent by the virtual machine;
a decryption unit, configured to decrypt the key with the private key to obtain a random number;
an encryption unit, configured to encrypt the sensitive information with the random number;
the sending unit being further configured to send the encrypted sensitive information to the virtual machine.
In a twelfth aspect, an embodiment of the present application provides a device for injecting sensitive information into a virtual machine, the device comprising:
a receiving unit, configured to receive the public key sent by the management device;
a key generation unit, configured to generate a random number;
an encryption unit, configured to encrypt the random number with the public key to obtain a key;
a sending unit, configured to send the key to the management device;
the receiving unit being further configured to receive the sensitive information that the management device encrypted with the random number;
a decryption unit, configured to decrypt the encrypted sensitive information with the random number.
Embodiments of the present application also provide a management device and a virtual machine, for performing the methods of the first to sixth aspects above. They have the same technical features and technical effects, which are not repeated here.
In a thirteenth aspect, an embodiment of the present application provides a management device, comprising:
a processor, configured to generate a private key and a public key paired with the private key;
a transmitter, configured to send the public key and a preset user name to the virtual machine;
the transmitter being further configured to send a virtual machine login request to the virtual machine based on the SSH login protocol, where the login request includes the preset user name and the private key and requests that a secure channel based on the SSH login protocol be established with the virtual machine;
the transmitter being further configured to send sensitive information to the virtual machine through the secure channel.
In one possible implementation, the processor is further configured to generate a first random number, and the transmitter is further configured to send the first random number to the virtual machine;
the processor is further configured to encrypt the sensitive information with the first random number;
the transmitter is further configured to send the encrypted sensitive information to the virtual machine through the secure channel.
In another possible implementation, the management device further comprises:
a receiver, configured to receive a key sent by the virtual machine, where the key comprises a second random number encrypted with the public key;
the processor being further configured to decrypt the key with the private key to obtain the second random number and to encrypt the sensitive information with the second random number;
the transmitter being specifically configured to send the encrypted sensitive information to the virtual machine through the secure channel.
In a fourteenth aspect, an embodiment of the present application provides a virtual machine, comprising:
a receiver, configured to receive the public key and the preset user name sent by the management device;
a processor, configured to store the public key in the authentication file corresponding to the preset user name;
the receiver being further configured to receive the virtual machine login request sent by the management device, where the login request includes a user name to be verified and a private key;
the processor being further configured to obtain the public key in the authentication file corresponding to the user name to be verified and to check whether that public key matches the private key, and if so, to establish a secure channel based on the SSH login protocol with the management device;
the receiver being further configured to receive the sensitive information sent by the management device through the secure channel.
In one possible implementation, the receiver is further configured to receive the first random number sent by the virtual machine;
the receiver is specifically configured to receive, through the secure channel, the sensitive information that the management device encrypted with the first random number;
the processor is further configured to decrypt the encrypted sensitive information with the first random number.
In another possible implementation, the processor is further configured to generate a second random number and to encrypt the second random number with the public key to obtain a key, and the virtual machine further comprises:
a transmitter, configured to send the key to the management device;
the receiver being specifically configured to receive, through the secure channel, the sensitive information that the management device encrypted with the second random number;
the processor being further configured to decrypt the encrypted sensitive information with the second random number.
In a fifteenth aspect, an embodiment of the present application provides a management device, comprising:
a processor, configured to generate a private key and a public key paired with the private key, to generate a random number, and to encrypt the sensitive information with the random number;
a transmitter, configured to send the encrypted sensitive information, a preset user name and the public key to the virtual machine;
the transmitter being further configured to send a virtual machine login request to the virtual machine based on the SSH login protocol, where the login request includes the preset user name and the private key and requests that a secure channel based on the SSH login protocol be established with the virtual machine;
the transmitter being further configured to send the random number to the virtual machine through the secure channel.
In a sixteenth aspect, an embodiment of the present application provides a virtual machine, comprising:
a receiver, configured to receive the encrypted sensitive information, the preset user name and the public key sent by the management device;
a processor, configured to store the public key in the authentication file corresponding to the preset user name;
the receiver being further configured to receive the virtual machine login request sent by the management device, where the login request includes a user name to be verified and a private key;
the processor being further configured to obtain the public key in the authentication file corresponding to the user name to be verified and to check whether that public key matches the private key, and if so, to establish a secure channel based on the SSH login protocol with the management device;
the receiver being further configured to receive the random number sent by the management device through the secure channel;
the processor being further configured to decrypt the encrypted sensitive information with the random number.
In a seventeenth aspect, an embodiment of the present application provides a management device, comprising:
a processor, configured to generate a private key and a public key paired with the private key;
a transmitter, configured to send the public key to the virtual machine;
a receiver, configured to receive a key sent by the virtual machine;
the processor being further configured to decrypt the key with the private key to obtain a random number and to encrypt the sensitive information with the random number;
the transmitter being further configured to send the encrypted sensitive information to the virtual machine.
In an eighteenth aspect, an embodiment of the present application provides a virtual machine, comprising:
a receiver, configured to receive the public key sent by the management device;
a processor, configured to generate a random number and to encrypt the random number with the public key to obtain a key;
a transmitter, configured to send the key to the management device;
the receiver being further configured to receive the sensitive information that the management device encrypted with the random number;
the processor being further configured to decrypt the encrypted sensitive information with the random number.
In a nineteenth aspect, an embodiment of the present application provides a computer-readable storage medium storing computer-executable instructions. When at least one processor of the device for injecting sensitive information into a virtual machine executes the computer-executable instructions, the device performs the method for injecting sensitive information into a virtual machine provided by any of the possible designs of the first to sixth aspects above.
20th aspect, the embodiment of the present application provide a kind of computer program product, which includes meter
Calculation machine execute instruction, the computer executed instructions store in a computer-readable storage medium.Node Controller it is at least one
Processor can read the computer executed instructions from computer readable storage medium, and at least one processor performs the computer
It is sensitive in first aspect to the various virtual machines that may design offer of the 6th aspect that execute instruction so that Node Controller is implemented
The method for implanting of information.
Description of the drawings
Fig. 1 is a schematic diagram of an application scenario of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 2 is a flow diagram of embodiment one of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 3 is a flow diagram of embodiment two of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 4 is a flow diagram of embodiment three of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 5 is a flow diagram of embodiment four of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 6 is a flow diagram of embodiment five of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 7 is a structural diagram of embodiment one of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 8 is a structural diagram of embodiment two of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 9 is a structural diagram of embodiment three of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 10 is a structural diagram of embodiment four of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 11 is a structural diagram of embodiment five of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 12 is a structural diagram of embodiment six of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 13 is a structural diagram of embodiment seven of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 14 is a structural diagram of embodiment eight of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 15 is a structural diagram of embodiment nine of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 16 is a structural diagram of embodiment ten of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application;
Fig. 17 is a structural diagram of embodiment one of the management device provided by the embodiments of the present application;
Fig. 18 is a structural diagram of embodiment two of the management device provided by the embodiments of the present application;
Fig. 19 is a structural diagram of embodiment one of the virtual machine provided by the embodiments of the present application;
Fig. 20 is a structural diagram of embodiment two of the virtual machine provided by the embodiments of the present application.
Specific embodiments
Fig. 1 is a schematic diagram of an application scenario of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 1, a virtual network function management device 101 is used to create a virtual machine 103 on a traditional network device and to deploy a virtual network function on the virtual machine 103. The traditional network device is, by way of example, a router, a switch, a firewall, a server, a base station or the like. When creating, deleting or otherwise managing the virtual machine 103, the virtual network function management device 101 works through infrastructure-layer management software 102, which may, by way of example, be a public cloud or enterprise private cloud platform such as OpenStack or VMware.
When information is exchanged between the virtual network function management device 101 and the virtual machine 103, it is generally transferred by injection through an infrastructure-layer (I-layer) interface. By way of example, I-layer interface injection includes, but is not limited to: the personality parameter of the OpenStack create server interface, the config drive of openstack nova boot, VMware vCloud script injection files and VMware vCloud mounted discs. With I-layer interface injection, however, the information passed to the virtual machine 103 is exposed at the I-layer interface: any other user with access to that interface can obtain the information that the virtual network function management device 101 passes to the virtual machine 103, for example by viewing the attributes or the command history of the virtual machine 103 directly, or by obtaining the disc and mounting it again. When the information transferred is sensitive, the existing virtual machine information injection method therefore cannot keep it confidential.
To solve this problem, the present application provides a method and a device for injecting sensitive information into a virtual machine. On the basis of the application scenario shown in Fig. 1, the method and device for injecting sensitive information into a virtual machine provided by the embodiments of the present application are described in detail below with reference to specific embodiments.
Fig. 2 is a flow diagram of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 2, the method includes:
S201: the management device generates a private key and a public key paired with the private key, and sends the public key and a pre-set user name to the virtual machine;
S202: the virtual machine receives the public key and the pre-set user name sent by the management device, and stores the public key in the authentication file corresponding to the pre-set user name;
S203: the management device sends a virtual machine login request to the virtual machine based on the Secure Shell (SSH) login protocol; the login request includes the pre-set user name and the private key, and requests the establishment of a secure channel with the virtual machine based on the Secure Shell login protocol;
S204: the virtual machine receives the virtual machine login request sent by the management device, the login request including a user name to be verified and a private key;
S205: the virtual machine obtains the public key in the authentication file corresponding to the user name to be verified and detects whether that public key matches the private key; if it matches, S206 is performed;
S206: the virtual machine and the management device establish a secure channel based on the Secure Shell login protocol;
S207: the management device sends the sensitive information to the virtual machine over the secure channel.
By way of example, the management device is the virtual network function management device 101 of Fig. 1, and the virtual machine is the virtual machine 103 of Fig. 1.
Specifically, in S201 and S202, the management device and the virtual machine agree on a pre-set user name in advance; the management device generates a one-time private key and the public key paired with it, and sends the public key and the pre-set user name to the virtual machine. By way of example, the management device obtains the pre-set user name, which may be a user name preset by the management device when it created the virtual machine. The management device obtains a private key and the public key paired with it for use in login based on OpenSSHv2 (Secure Shell login). By way of example, the management device may generate the private key and the paired public key, referred to as a public/private key pair, using an asymmetric encryption algorithm such as RSA, a knapsack algorithm or the Diffie-Hellman algorithm. After the key pair is generated, the public key and the pre-set user name are sent to the virtual machine, for example by way of I-layer interface injection. Optionally, after receiving the public key and the pre-set user name, the virtual machine configures the public key in the virtual machine; by way of example, when the virtual machine runs a Linux operating system, the public key may be configured in the authorized_keys file corresponding to the pre-set user name.
Specifically, in S203, to ensure the security of the sensitive information, a secure channel may be established between the management device and the virtual machine. By way of example, the management device sends a virtual machine login request to the virtual machine, requesting the establishment of a secure channel with the virtual machine; the login request is sent based on the Secure Shell login protocol. The secure channel is the channel that the management device establishes by logging in to the OpenSSH service of the virtual machine on the basis of private-key trust.
Specifically, the virtual machine login request may include the pre-set user name and the private key: the pre-set user name lets the virtual machine identify the management device that sent the login request, and the private key is used to authenticate the management device to the virtual machine.
Specifically, in S204, the virtual machine login request received by the virtual machine includes a user name to be verified and a private key. Since the virtual machine may also receive misdirected virtual machine login requests, it must check, on the basis of the received user name to be verified and private key, whether a public key matching the private key exists in the virtual machine.
By way of example, the authentication process may be as follows: after receiving the virtual machine login request, the virtual machine detects whether the user name to be verified is pre-stored in the virtual machine; if it is, the virtual machine further detects whether a public key matching the private key is preset in the authentication file corresponding to that user name; when such a matching public key exists, authentication succeeds and the secure channel between the virtual machine and the management device is established.
Optionally, after S204, the virtual machine may also send a channel-established message to the management device.
Specifically, in S205, based on the OpenSSHv2 protocol, when a public key matching the pre-set user name and the private key is detected in the virtual machine, a secure channel is obtained directly between the management device and the virtual machine, and the management device can send information to the virtual machine directly.
Specifically, in S206, after the secure channel has been established, the management device sends the sensitive information to the virtual machine over the secure channel. Unlike I-layer interface injection, information sent over the secure channel is encrypted by the SSH protocol and is not exposed to other users of the I-layer interface, so that users of the I-layer interface or other users cannot intercept the information transmitted over the secure channel, which improves the security of the information.
Optionally, after receiving the sensitive information, the virtual machine stores it under a preset path so that subsequent services can use it. Optionally, after the sensitive information has been sent and received, the management device and the virtual machine delete the one-time pre-set user name, the private key and the public key paired with it.
The method for injecting sensitive information into a virtual machine provided by the embodiments of the present application includes: generating a private key and a public key paired with the private key, and sending the public key and a pre-set user name to the virtual machine; sending a virtual machine login request to the virtual machine based on the Secure Shell login protocol, the login request including the pre-set user name and the private key and requesting the establishment of a secure channel with the virtual machine based on the Secure Shell login protocol; and sending the sensitive information to the virtual machine over the secure channel. By first configuring the public key in the virtual machine through I-layer interface injection and then establishing the secure channel between the management device and the virtual machine by logging in over the Secure Shell protocol, the method removes the possibility of the information being intercepted by other users of the I-layer interface and improves the security of the information. At the same time, establishing secure communication automatically on the basis of a public/private key pair avoids the slow manual configuration that comes with entering an account and password by hand, which would otherwise slow down the large-scale deployment of virtual machines.
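The check the virtual machine performs in S202 and S205 (store the public key in the pre-set user's authentication file, then accept a login only if the presented key matches an entry there) corresponds on a Linux guest to the comparison sshd makes against the user's authorized_keys file. The Go program below is an added example written for this page, not code from the patent or from OpenSSH: it parses authorized_keys lines, including the optional leading options field with quoted values, and compares the presented key's type and blob byte for byte. The user name "vnfadmin", the key bytes and the file content are constructed sample data (the blobs have the correct SSH wire shape but are not real keys). One caveat a practitioner should keep in mind: in real SSH public-key authentication the private key never leaves the client; the client proves possession by signing a challenge, and the server checks that signature against the stored public key, so the patent's wording that the login request "includes the private key" describes the trust relationship rather than a secret that is transmitted.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

// AuthorizedKey is one entry of an OpenSSH authorized_keys file.
type AuthorizedKey struct {
	Options string // leading options such as from="..." or no-pty, if any
	Type    string // key type token, e.g. "ssh-ed25519"
	Blob    []byte // decoded public-key wire blob (RFC 4253 section 6.6)
	Comment string
}

// splitFields splits on blanks but keeps quoted option values intact.
func splitFields(line string) []string {
	var fields []string
	var cur strings.Builder
	inQuote := false
	for _, r := range line {
		inQuote = inQuote != (r == '"') // toggle on every double quote
		if (r == ' ' || r == '\t') && !inQuote {
			if cur.Len() > 0 {
				fields = append(fields, cur.String())
				cur.Reset()
			}
		} else {
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		fields = append(fields, cur.String())
	}
	return fields
}

// ParseLine parses "[options] type base64-blob [comment]": the type token is the
// first field whose successor decodes to a blob that names that same type.
func ParseLine(line string) (AuthorizedKey, error) {
	f := splitFields(line)
	for i := 0; i+1 < len(f); i++ {
		blob, err := base64.StdEncoding.DecodeString(f[i+1])
		// A valid blob starts with a length-prefixed copy of the type token.
		if err != nil || len(blob) < 4+len(f[i]) ||
			binary.BigEndian.Uint32(blob) != uint32(len(f[i])) || string(blob[4:4+len(f[i])]) != f[i] {
			continue
		}
		return AuthorizedKey{strings.Join(f[:i], " "), f[i], blob, strings.Join(f[i+2:], " ")}, nil
	}
	return AuthorizedKey{}, fmt.Errorf("malformed authorized_keys line: %q", line)
}

// CheckLogin models the virtual machine's decision in S205: the user name to be
// verified must have an authentication file, and the presented key must equal one
// entry's type and blob byte for byte (options and comments are not compared).
// authFiles maps a user name to the content of its authorized_keys file.
func CheckLogin(authFiles map[string]string, username, presentedKey string) (bool, error) {
	content, ok := authFiles[username]
	if !ok {
		return false, nil // no authentication file for this user name
	}
	presented, err := ParseLine(presentedKey)
	if err != nil {
		return false, err
	}
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank lines and comments are ignored, as sshd does
		}
		k, err := ParseLine(line)
		if err != nil {
			return false, err
		}
		if k.Type == presented.Type && bytes.Equal(k.Blob, presented.Blob) {
			return true, nil
		}
	}
	return false, nil
}

// FakeKeyLine builds an OpenSSH public-key line around constructed key bytes:
// the blob has the right wire shape, but the material is not a real key.
func FakeKeyLine(keyType string, material []byte, comment string) string {
	blob := make([]byte, 4, 8+len(keyType)+len(material))
	binary.BigEndian.PutUint32(blob, uint32(len(keyType)))
	blob = append(blob, keyType...)
	blob = append(blob, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(blob[len(blob)-4:], uint32(len(material)))
	blob = append(blob, material...)
	return keyType + " " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

// SampleAuthFiles constructs the authentication files of a VM with one pre-set
// user name, "vnfadmin" (an assumed name); both keys are constructed samples.
func SampleAuthFiles() map[string]string {
	mgmt := FakeKeyLine("ssh-ed25519", bytes.Repeat([]byte{0x42}, 32), "vnf-manager")
	other := FakeKeyLine("ssh-ed25519", bytes.Repeat([]byte{0x17}, 32), "someone-else")
	return map[string]string{"vnfadmin": "# injected at VM creation\n" +
		`from="10.0.0.5",no-pty ` + other + "\n" + mgmt + "\n"}
}
```

CheckLogin deliberately ignores the comment field, so a key re-sent with a different comment still matches, and it refuses any user name without an authentication file rather than falling back to a default, which is the behaviour the S205 check needs when misdirected login requests arrive.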
Specifically, on the basis of the embodiment above and to further improve the security of the information, Fig. 3 is a flow diagram of embodiment two of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 3, the method includes:
S300: the management device generates a first random number and sends the first random number to the virtual machine;
S301: the management device generates a private key and a public key paired with the private key, and sends the public key and a pre-set user name to the virtual machine;
S302: the virtual machine receives the first random number, the public key and the pre-set user name sent by the management device, and stores the public key in the authentication file corresponding to the pre-set user name;
S303: the management device sends a virtual machine login request to the virtual machine based on the Secure Shell login protocol; the login request includes the pre-set user name and the private key, and requests the establishment of a secure channel with the virtual machine based on the Secure Shell login protocol;
S304: the virtual machine receives the virtual machine login request sent by the management device, the login request including a user name to be verified and a private key;
S305: the virtual machine obtains the public key in the authentication file corresponding to the user name to be verified and detects whether that public key matches the private key; if it matches, S306 is performed;
S306: the virtual machine and the management device establish a secure channel based on the Secure Shell login protocol;
S307: the management device encrypts the sensitive information using the first random number and sends the encrypted sensitive information to the virtual machine over the secure channel;
S308: the virtual machine decrypts the encrypted sensitive information using the first random number.
Specifically, S300 is performed before S307; there is no strict time order between S300 and S301 to S306, and S300 may also be performed at the same time as S301, which the embodiments of the present application do not limit.
Specifically, S301 to S306 are identical to S201 to S206 of the embodiment shown in Fig. 2, which the present application does not repeat here.
Specifically, in S300, the management device chooses a value at random as the first random number and sends the first random number to the virtual machine; the first random number may be one or more digits, letters, characters or the like. It may be sent by way of I-layer interface injection.
Specifically, in S307, the management device encrypts the sensitive information to be sent to the virtual machine using the first random number, obtains the encrypted sensitive information, and sends the encrypted sensitive information to the virtual machine over the secure channel established in S306, so that the sensitive information transmitted is even more secure. Optionally, the encryption mode is one agreed in advance between the management device and the virtual machine, for example a symmetric encryption algorithm such as the Advanced Encryption Standard (AES), the Data Encryption Standard (DES) or Message Digest Algorithm 5 (MD5).
Specifically, in S308, after receiving the first random number, sent by a different injection mode, and the encrypted sensitive information, the virtual machine decrypts the encrypted sensitive information using the first random number and thereby obtains the sensitive information.
Optionally, on the basis of the embodiment shown in Fig. 2 and to further improve the security of the sensitive information, Fig. 4 is a flow diagram of embodiment three of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 4, the method includes:
S401: the management device generates a private key and a public key paired with the private key, and sends the public key and a pre-set user name to the virtual machine;
S402: the virtual machine receives the public key and the pre-set user name sent by the management device, and stores the public key in the authentication file corresponding to the pre-set user name;
S403: the management device sends a virtual machine login request to the virtual machine based on the Secure Shell login protocol; the login request includes the pre-set user name and the private key, and requests the establishment of a secure channel with the virtual machine based on the Secure Shell login protocol;
S404: the virtual machine receives the virtual machine login request sent by the management device, the login request including a user name to be verified and a private key;
S405: the virtual machine obtains the public key in the authentication file corresponding to the user name to be verified and detects whether that public key matches the private key; if it matches, S406 is performed;
S406: the virtual machine and the management device establish a secure channel based on the Secure Shell login protocol;
S407: the virtual machine generates a second random number, encrypts the second random number using the public key to obtain a key, and sends the key to the management device;
S408: the management device decrypts the key using the private key to obtain the second random number, and encrypts the sensitive information using the second random number;
S409: the management device sends the encrypted sensitive information to the virtual machine over the secure channel;
S410: the virtual machine decrypts the encrypted sensitive information using the second random number.
Specifically, S401 to S406 are identical to S201 to S206 of the embodiment shown in Fig. 2, which the embodiments of the present application do not repeat here.
Specifically, in S407, the virtual machine generates the second random number, encrypts the second random number using the public key obtained in advance to obtain the key, and sends the key to the management device.
Specifically, in S408 to S409, after receiving the key, the management device decrypts the key using the private key to obtain the second random number, encrypts the sensitive information using the second random number, and sends the encrypted sensitive information to the virtual machine over the secure channel.
By way of example, the operating principle of confidential transmission with a public/private key pair is as follows. After a first device generates the public key and the private key, the private key is stored on the first device and kept secret, whereas the public key is public data that any device wishing to send data to the first device can obtain. After a second device obtains the public key, it encrypts the data to be transmitted with the public key and sends the result to the first device, which decrypts the encrypted data using the stored private key and obtains the data. Even if another device obtains the encrypted data, it cannot decrypt or verify the data correctly because it does not hold the first device's private key, which ensures the security of the data.
Specifically, in S410, the virtual machine decrypts the encrypted sensitive information using the second random number to obtain the sensitive information.
The present embodiment differs from the embodiment shown in Fig. 3 in that the second random number of the present embodiment and the first random number of Fig. 3 are generated by the virtual machine and by the management device respectively, and the second random number of the present embodiment is sent to the management device under asymmetric encryption, so that the second random number has higher security than the first random number of the embodiment shown in Fig. 3.
By generating the random number in a more secure manner, using it to encrypt the sensitive information, and transmitting the random number and the encrypted sensitive information over transmission paths of different security levels, the embodiments of the present application further improve the security of the sensitive information.
To reduce the signaling interaction flow, and considering, with reference to the embodiment shown in Fig. 4, that the second random number is sent to the management device under asymmetric encryption and is therefore sufficiently secure, the embodiments of the present application on the other hand also provide a method for injecting sensitive information into a virtual machine. Fig. 5 is a flow diagram of embodiment four of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 5, the method includes:
S501: the management device generates a private key and a public key paired with the private key, and sends the public key to the virtual machine;
S502: the virtual machine generates a random number, encrypts the random number using the public key to obtain a key, and sends the key to the management device;
S503: the management device decrypts the key using the private key to obtain the random number, encrypts the sensitive information using the random number, and sends the encrypted sensitive information to the virtual machine;
S504: the virtual machine decrypts the encrypted sensitive information using the random number.
The public/private key pair in S501 is generated in the same way as the public/private key pair in the embodiments above, which the present application does not repeat here.
Specifically, the virtual machine generates a random number, encrypts the random number using the public key sent in S501 to obtain the key, and sends the key to the management device. After receiving the key, the management device decrypts the key using the private key to obtain the random number, encrypts the sensitive information using the random number, and sends the encrypted sensitive information to the virtual machine; the virtual machine decrypts the encrypted sensitive information using the random number and thereby obtains the sensitive information.
With reference to the embodiment shown in Fig. 3, the embodiments of the present application on the other hand also provide a method for injecting sensitive information into a virtual machine. Fig. 6 is a flow diagram of embodiment five of the method for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 6, the method includes:
S601: the management device generates a private key and a public key paired with the private key, generates a random number, encrypts the sensitive information using the random number, and sends the encrypted sensitive information, a pre-set user name and the public key to the virtual machine;
S602: the virtual machine receives the encrypted sensitive information, the pre-set user name and the public key sent by the management device, and stores the public key in the authentication file corresponding to the pre-set user name;
S603: the management device sends a virtual machine login request to the virtual machine based on the Secure Shell login protocol; the login request includes the pre-set user name and the private key, and requests the establishment of a secure channel with the virtual machine based on the Secure Shell login protocol;
S604: the virtual machine receives the virtual machine login request sent by the management device, the login request including a user name to be verified and a private key;
S605: the virtual machine obtains the public key in the authentication file corresponding to the user name to be verified and detects whether that public key matches the private key; if it matches, S606 is performed;
S606: the virtual machine and the management device establish a secure channel based on the Secure Shell login protocol;
S607: the management device sends the random number to the virtual machine over the secure channel;
S608: the virtual machine receives the random number sent by the management device over the secure channel, and decrypts the encrypted sensitive information using the random number.
Specifically, the present embodiment differs from the embodiment shown in Fig. 3 in that the sensitive information encrypted with the random number is sent to the virtual machine by I-layer interface injection or a similar means, while the random number is sent over the secure channel, so that other users cannot obtain the random number and, even if they intercept the encrypted sensitive information, still cannot decrypt it to obtain the sensitive information. As in the embodiment shown in Fig. 3, where the random number is sent by I-layer interface injection or a similar means and the sensitive information encrypted with the random number is sent over the secure channel, this improves the security of the sensitive information.
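The encryption steps of the Fig. 3 to Fig. 6 embodiments come down to two operations: the random number drawn by the virtual machine is carried to the management device under the management device's public key (S407 and S408, S502 and S503), and the sensitive information is encrypted under that random number (S307, S408, S503, S601). The Go program below is an added example written for this page, not the patent's or any platform's code. It realises the exchange with RSA-OAEP for the wrap and AES-256-GCM for the payload; the 32-byte random number is used directly as the AES key, the OAEP label is an assumed constant, and the secret used in the test is a constructed sample. Note that the page's list of symmetric algorithms includes MD5, which is a hash function and cannot encrypt or decrypt anything; an authenticated cipher such as AES-GCM is what a practitioner would use here, and it also lets the virtual machine reject a ciphertext that was altered on the way.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"io"
)

// oaepLabel binds the wrapped random number to this use; an assumed constant.
var oaepLabel = []byte("vm-sensitive-info-key")

// GenerateManagementKeyPair is the management device's step (S401, S501): the
// private key stays on the management device, the public key goes to the VM.
func GenerateManagementKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapRandomNumber is the virtual machine's step (S407, S502): draw the random
// number, here 32 bytes used directly as an AES-256 key, and encrypt it under
// the management device's public key. Only the wrapped form is sent back; it is
// the value the patent calls "the key".
func WrapRandomNumber(pub *rsa.PublicKey) (randomNumber, wrapped []byte, err error) {
	randomNumber = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, randomNumber); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, randomNumber, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return randomNumber, wrapped, nil
}

// UnwrapAndEncrypt is the management device's step (S408, S503): recover the
// random number with the private key and encrypt the sensitive information.
func UnwrapAndEncrypt(priv *rsa.PrivateKey, wrapped, sensitive []byte) ([]byte, error) {
	randomNumber, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
	if err != nil {
		return nil, err
	}
	return Seal(randomNumber, sensitive)
}

// Seal encrypts with AES-256-GCM, which also authenticates the ciphertext; the
// fresh nonce is prepended. In the Fig. 3 and Fig. 6 variants the management
// device draws the 32-byte random number itself and calls Seal directly.
func Seal(randomNumber, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(randomNumber)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open is the virtual machine's final step (S410, S504, S608): decrypt and, thanks
// to the GCM tag, reject any ciphertext that was altered in transit.
func Open(randomNumber, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(randomNumber)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RoundTrip runs the whole Fig. 5 exchange in one process and returns what the
// virtual machine recovers; the comments mark which side performs each call.
func RoundTrip(sensitive []byte) ([]byte, error) {
	priv, err := GenerateManagementKeyPair() // management device
	if err != nil {
		return nil, err
	}
	randomNumber, wrapped, err := WrapRandomNumber(&priv.PublicKey) // virtual machine
	if err != nil {
		return nil, err
	}
	sealed, err := UnwrapAndEncrypt(priv, wrapped, sensitive) // management device
	if err != nil {
		return nil, err
	}
	return Open(randomNumber, sealed) // virtual machine
}
```

For the Fig. 3 and Fig. 6 variants, where the management device draws the random number itself, only Seal and Open are needed; what changes between those embodiments is which of the two values travels over the SSH channel and which over I-layer injection, not the cryptography. Because RSA-OAEP is randomised, two wraps of the same random number differ, and a private key other than the one whose public key was used cannot unwrap it.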
The embodiments of the present application also provide a device for injecting sensitive information into a virtual machine, configured to perform the method for injecting sensitive information into a virtual machine shown in Fig. 2 to Fig. 6 above; it has the same technical features and technical effects, which the embodiments of the present application do not repeat here.
Fig. 7 is a structural diagram of embodiment one of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 7, the device includes:
a key generating unit 701, configured to generate a private key and a public key paired with the private key;
a transmitting unit 702, configured to send the public key and a pre-set user name to the virtual machine;
the transmitting unit 702 is further configured to send a virtual machine login request to the virtual machine based on the Secure Shell login protocol, the login request including the pre-set user name and the private key and requesting the establishment of a secure channel with the virtual machine based on the Secure Shell login protocol;
the transmitting unit 702 is further configured to send the sensitive information to the virtual machine over the secure channel.
On the basis of the embodiment shown in Fig. 7, Fig. 8 is a structural diagram of embodiment two of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 8:
the key generating unit 801 is further configured to generate a first random number;
the transmitting unit 802 is further configured to send the first random number to the virtual machine;
the device further includes:
an encryption unit 803, configured to encrypt the sensitive information using the first random number;
the transmitting unit 802 is further configured to send the encrypted sensitive information to the virtual machine over the secure channel.
On the basis of the embodiment shown in Fig. 7, Fig. 9 is a structural diagram of embodiment three of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 9, the device further includes:
a receiving unit 904, configured to receive a key sent by the virtual machine, the key including a second random number encrypted with the public key;
a decryption unit 905, configured to decrypt the key using the private key to obtain the second random number;
an encryption unit 903, configured to encrypt the sensitive information using the second random number;
the transmitting unit 902 is specifically configured to send the encrypted sensitive information to the virtual machine over the secure channel.
The key generating unit 901 is identical to the key generating unit 701 of the embodiment shown in Fig. 7, which the present application does not repeat here.
Fig. 10 is a structural diagram of embodiment four of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 10, the device includes:
a receiving unit 1001, configured to receive the public key and the pre-set user name sent by the management device;
a storage unit 1002, configured to store the public key in the authentication file corresponding to the pre-set user name;
the receiving unit 1001 is further configured to receive the virtual machine login request sent by the management device, the login request including a user name to be verified and a private key;
an authentication unit 1003, configured to obtain the public key in the authentication file corresponding to the user name to be verified and to detect whether that public key matches the private key;
an establishing unit 1004, configured to establish a secure channel with the management device based on the Secure Shell login protocol when the public key in the authentication file corresponding to the user name to be verified matches the private key;
the receiving unit 1001 is further configured to receive the sensitive information sent by the management device over the secure channel.
On the basis of the embodiment shown in Fig. 10, Fig. 11 is a structural diagram of embodiment five of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Fig. 11:
the receiving unit 1101 is further configured to receive the first random number sent by the management device;
the receiving unit 1101 is specifically configured to receive the sensitive information encrypted with the first random number that the management device sends over the secure channel;
the device further includes:
a decryption unit 1105, configured to decrypt the encrypted sensitive information using the first random number.
The storage unit 1102, the authentication unit 1103 and the establishing unit 1104 are identical to the storage unit 1002, the authentication unit 1003 and the establishing unit 1004 of the embodiment shown in Fig. 10, which the present application does not repeat here.
On the basis of embodiment illustrated in fig. 10, Figure 12 is the note of sensitive information in virtual machine provided by the embodiments of the present application
Enter the structure diagram of device embodiment six, as shown in figure 12, device further includes:
Key generating unit 1206 for generating the second random number, and the second random number is obtained using public key encryption close
Key;
Transmitting element 1207, for key to be sent to management equipment;
Receiving unit 1201 is specifically used for, and receives the second random number encryption of use that management equipment is sent by escape way
Sensitive information;
Decryption unit 1205, for encrypted sensitive information to be decrypted using the second random number.
Wherein, storage unit 1202, authentication unit 1203, establish storage list in unit 1204 and embodiment illustrated in fig. 10
Member 1002, establishes that unit 1004 is identical, and the application repeats no more this at authentication unit 1003.
Figure 13 is a schematic structural diagram of embodiment seven of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Figure 13, the device includes:
Key generation unit 1301, configured to generate the private key and the public key paired with the private key, and to generate the random number;
Encryption unit 1302, configured to encrypt the sensitive information using the random number;
Sending unit 1303, configured to send the encrypted sensitive information, the preset user name and the public key to the virtual machine;
Sending unit 1303 is further configured to send the virtual machine login request to the virtual machine based on the Secure Shell login protocol, the virtual machine login request including the preset user name and the private key, and the virtual machine login request being used to request establishment of the secure channel based on the Secure Shell login protocol with the virtual machine;
Sending unit 1303 is further configured to send the random number to the virtual machine through the secure channel.
Figure 14 is a schematic structural diagram of embodiment eight of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Figure 14, the device includes:
Receiving unit 1401, configured to receive the encrypted sensitive information, the preset user name and the public key sent by the management device;
Storage unit 1402, configured to store the public key in the authentication file corresponding to the preset user name;
Receiving unit 1401 is further configured to receive the virtual machine login request sent by the management device, the virtual machine login request including the user name to be verified and the private key;
Authentication unit 1403, configured to obtain the public key in the authentication file corresponding to the user name to be verified and to detect whether the public key in the authentication file corresponding to the user name to be verified matches the private key;
Establishing unit 1404, configured to establish the secure channel based on the Secure Shell login protocol with the management device when the public key in the authentication file corresponding to the user name to be verified matches the private key;
Receiving unit 1401 is further configured to receive the random number sent by the management device through the secure channel;
Decryption unit 1405, configured to decrypt the encrypted sensitive information using the random number.
Figure 15 is a schematic structural diagram of embodiment nine of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Figure 15, the device includes:
Key generation unit 1501, configured to generate the private key and the public key paired with the private key;
Sending unit 1502, configured to send the public key to the virtual machine;
Receiving unit 1503, configured to receive the key sent by the virtual machine;
Decryption unit 1504, configured to decrypt the key using the private key to obtain the random number;
Encryption unit 1505, configured to encrypt the sensitive information using the random number;
Sending unit 1502 is further configured to send the encrypted sensitive information to the virtual machine.
Figure 16 is a schematic structural diagram of embodiment ten of the device for injecting sensitive information into a virtual machine provided by the embodiments of the present application. As shown in Figure 16, the device includes:
Receiving unit 1601, configured to receive the public key sent by the management device;
Key generation unit 1602, configured to generate the random number;
Encryption unit 1603, configured to encrypt the random number using the public key to obtain the key;
Sending unit 1604, configured to send the key to the management device;
Receiving unit 1601 is further configured to receive the sensitive information encrypted by the management device using the random number;
Decryption unit 1605, configured to decrypt the encrypted sensitive information using the random number.
The embodiments of the present application also provide a management device and a virtual machine for performing the injection method for sensitive information in a virtual machine shown in Figures 2 to 6 above; they have the same technical features and technical effects, which the embodiments of the present application do not describe again.
Figure 17 is a schematic structural diagram of embodiment one of the management device provided by the embodiments of the present application. As shown in Figure 17, the device includes:
Processor 1701, configured to generate the private key and the public key paired with the private key;
Transmitter 1702, configured to send the public key and the preset user name to the virtual machine;
Transmitter 1702 is further configured to send the virtual machine login request to the virtual machine based on the Secure Shell login protocol, the virtual machine login request including the preset user name and the private key, and the virtual machine login request being used to request establishment of the secure channel based on the Secure Shell login protocol with the virtual machine;
Transmitter 1702 is further configured to send the sensitive information to the virtual machine through the secure channel.
Optionally, processor 1701 is further configured to generate the first random number; transmitter 1702 is further configured to send the first random number to the virtual machine;
Processor 1701 is further configured to encrypt the sensitive information using the first random number;
Transmitter 1702 is further configured to send the encrypted sensitive information to the virtual machine through the secure channel.
Optionally, on the basis of the embodiment shown in Figure 17, Figure 18 is a schematic structural diagram of embodiment two of the management device provided by the embodiments of the present application. As shown in Figure 18, the management device further includes:
Receiver 1803, configured to receive the key sent by the virtual machine, the key including the second random number encrypted using the public key;
Processor 1801 is further configured to decrypt the key using the private key to obtain the second random number, and to encrypt the sensitive information using the second random number;
Transmitter 1802 is specifically configured to send the encrypted sensitive information to the virtual machine through the secure channel.
Figure 19 is a schematic structural diagram of embodiment one of the virtual machine provided by the embodiments of the present application. As shown in Figure 19, the virtual machine includes:
Receiver 1901, configured to receive the public key and the preset user name sent by the management device;
Processor 1902, configured to store the public key in the authentication file corresponding to the preset user name;
Receiver 1901 is further configured to receive the virtual machine login request sent by the management device, the virtual machine login request including the user name to be verified and the private key;
Processor 1902 is further configured to obtain the public key in the authentication file corresponding to the user name to be verified, to detect whether the public key in the authentication file corresponding to the user name to be verified matches the private key and, if so, to establish the secure channel based on the Secure Shell login protocol with the management device;
Receiver 1901 is further configured to receive the sensitive information sent by the management device through the secure channel.
Optionally, receiver 1901 is further configured to receive the first random number sent by the virtual machine;
Receiver 1901 is specifically configured to receive the sensitive information, encrypted using the first random number, that the management device sends through the secure channel;
Processor 1902 is further configured to decrypt the encrypted sensitive information using the first random number.
Optionally, on the basis of the embodiment shown in Figure 19, Figure 20 is a schematic structural diagram of embodiment two of the virtual machine provided by the embodiments of the present application. As shown in Figure 20:
Processor 2002 is further configured to generate the second random number and to encrypt the second random number using the public key to obtain the key; the virtual machine further includes:
Transmitter 2003, configured to send the key to the management device;
Receiver 2001 is specifically configured to receive the sensitive information, encrypted using the second random number, that the management device sends through the secure channel;
Processor 2002 is further configured to decrypt the encrypted sensitive information using the second random number.
Optionally, as shown in Figure 17, the management device provided by the embodiments of the present application includes:
Processor 1701, configured to generate the private key and the public key paired with the private key, to generate the random number, and to encrypt the sensitive information using the random number;
Transmitter 1702, configured to send the encrypted sensitive information, the preset user name and the public key to the virtual machine;
Transmitter 1702 is further configured to send the virtual machine login request to the virtual machine based on the Secure Shell login protocol, the virtual machine login request including the preset user name and the private key, and the virtual machine login request being used to request establishment of the secure channel based on the Secure Shell login protocol with the virtual machine;
Transmitter 1702 is further configured to send the random number to the virtual machine through the secure channel.
Optionally, as shown in Figure 19, the embodiments of the present application also provide a virtual machine, which includes:
Receiver 1901, configured to receive the encrypted sensitive information, the preset user name and the public key sent by the management device;
Processor 1902, configured to store the public key in the authentication file corresponding to the preset user name;
Receiver 1901 is further configured to receive the virtual machine login request sent by the management device, the virtual machine login request including the user name to be verified and the private key;
Processor 1902 is further configured to obtain the public key in the authentication file corresponding to the user name to be verified, to detect whether the public key in the authentication file corresponding to the user name to be verified matches the private key and, if so, to establish the secure channel based on the Secure Shell login protocol with the management device;
Receiver 1901 is further configured to receive the random number sent by the management device through the secure channel;
Processor 1902 is further configured to decrypt the encrypted sensitive information using the random number.
Optionally, as shown in Figure 18, the embodiments of the present application also provide a management device, which includes:
Processor 1801, configured to generate the private key and the public key paired with the private key;
Transmitter 1802, configured to send the public key to the virtual machine;
Receiver 1803, configured to receive the key sent by the virtual machine;
Processor 1801 is further configured to decrypt the key using the private key to obtain the random number, and to encrypt the sensitive information using the random number;
Transmitter 1802 is further configured to send the encrypted sensitive information to the virtual machine.
Optionally, as shown in Figure 20, the embodiments of the present application also provide a virtual machine, which includes:
Receiver 2001, configured to receive the public key sent by the management device;
Processor 2002, configured to generate the random number and to encrypt the random number using the public key to obtain the key;
Transmitter 2003, configured to send the key to the management device;
Receiver 2001 is further configured to receive the sensitive information encrypted by the management device using the random number;
Processor 2002 is further configured to decrypt the encrypted sensitive information using the random number.
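The exchange described by the device embodiments above (public key stored under a preset user name, login request checked against that user's authentication file, the virtual machine's random number wrapped under the public key and then used to encrypt the sensitive information) as an added Go model; it is not code from the patent or from any implementation of it. The model assumes RSA-OAEP for wrapping the random number and AES-GCM for the sensitive information, neither of which the patent names, stands in for the SSH secure channel with direct function calls, and all type and function names are its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// ManagementDevice owns the private key; only the paired public key ever leaves it.
type ManagementDevice struct{ Priv *rsa.PrivateKey }

// VirtualMachine maps each preset user name to the public key held in that user's
// "authentication file" (comparable to an SSH authorized_keys file).
type VirtualMachine map[string]*rsa.PublicKey

func NewManagementDevice() (*ManagementDevice, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &ManagementDevice{Priv: priv}, err
}

// StorePublicKey is the storage unit: the received public key goes into the
// authentication file of the preset user name it arrived with.
func (vm VirtualMachine) StorePublicKey(username string, pub *rsa.PublicKey) {
	vm[username] = pub
}

// VerifyLogin is the authentication unit, taken literally from the patent text: the
// login request carries the private key and the VM checks it against the public key
// stored for that user name; an unknown user name or a non-matching key is rejected.
// (A real SSH login proves possession of the private key with a signature instead.)
func (vm VirtualMachine) VerifyLogin(username string, priv *rsa.PrivateKey) bool {
	pub, ok := vm[username]
	return ok && pub.Equal(&priv.PublicKey)
}

// WrapRandomNumber runs on the VM (key generation unit 1206 / processor 2002): draw
// the second random number and encrypt it under the stored public key (RSA-OAEP
// assumed) to form the "key" sent to the management device. The VM keeps the plain copy.
func WrapRandomNumber(pub *rsa.PublicKey) (randomNumber, key []byte, err error) {
	randomNumber = make([]byte, 32) // doubles as the AES-256 key below
	if _, err = rand.Read(randomNumber); err != nil {
		return nil, nil, err
	}
	key, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, randomNumber, nil)
	return randomNumber, key, err
}

func newGCM(randomNumber []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(randomNumber)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt and Decrypt apply the random number to the sensitive information; the patent
// names no symmetric cipher, so AES-GCM is assumed. Layout: nonce || ciphertext || tag.
func Encrypt(randomNumber, sensitive []byte) ([]byte, error) {
	gcm, err := newGCM(randomNumber)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, sensitive, nil), nil
}

func Decrypt(randomNumber, ct []byte) ([]byte, error) {
	gcm, err := newGCM(randomNumber)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// InjectSensitiveInformation runs the exchange of Figures 18 and 20 end to end and
// returns what the VM recovers; a rejected login aborts before any secret moves.
func InjectSensitiveInformation(md *ManagementDevice, vm VirtualMachine, username string, sensitive []byte) ([]byte, error) {
	vm.StorePublicKey(username, &md.Priv.PublicKey) // public key + preset user name
	if !vm.VerifyLogin(username, md.Priv) {         // login request checked against the file
		return nil, errors.New("login rejected: key does not match authentication file")
	}
	randomNumber, key, err := WrapRandomNumber(vm[username]) // VM -> management device
	if err != nil {
		return nil, err
	}
	rn, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, md.Priv, key, nil) // decryption unit 905
	if err != nil {
		return nil, err
	}
	ct, err := Encrypt(rn, sensitive) // management device -> VM over the secure channel
	if err != nil {
		return nil, err
	}
	return Decrypt(randomNumber, ct) // VM decrypts with its own copy of the random number
}
```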
The embodiments of the present application also provide a computer-readable storage medium in which computer-executable instructions are stored. When at least one processor of the device for injecting sensitive information into a virtual machine executes the computer-executable instructions, the device performs the injection method for sensitive information in a virtual machine provided by the embodiments shown in Figures 2 to 6 above.
The embodiments of the present application also provide a computer program product, which includes computer-executable instructions stored in a computer-readable storage medium. At least one processor of the node controller can read the computer-executable instructions from the computer-readable storage medium, and execution of the computer-executable instructions by the at least one processor causes the node controller to implement the injection method for sensitive information in a virtual machine provided by the embodiments shown in Figures 2 to 6 above.
One of ordinary skill in the art will appreciate that all or part of the steps of each of the above method embodiments may be completed by hardware related to program instructions. The aforementioned program may be stored in a computer-readable storage medium. When the program is executed, it performs the steps included in each of the above method embodiments; and the aforementioned storage medium includes ROM, RAM, a magnetic disk, an optical disc, or any other medium that can store program code.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present application, not to limit it. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that they may still modify the technical solutions recorded in the foregoing embodiments, or make equivalent replacements for some or all of the technical features therein, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present application.
Claims (20)
1. An injection method for sensitive information in a virtual machine, characterized in that it includes:
generating a private key and a public key paired with the private key, and sending the public key and a preset user name to the virtual machine;
sending a virtual machine login request to the virtual machine based on a Secure Shell login protocol, the virtual machine login request including the preset user name and the private key, the virtual machine login request being used to request establishment of a secure channel based on the Secure Shell login protocol with the virtual machine;
sending sensitive information to the virtual machine through the secure channel.
2. The method according to claim 1, characterized in that, before the sending of sensitive information to the virtual machine through the secure channel, the method further includes:
generating a first random number, and sending the first random number to the virtual machine;
the sending of sensitive information to the virtual machine through the secure channel then includes:
encrypting the sensitive information using the first random number, and sending the encrypted sensitive information to the virtual machine through the secure channel.
3. The method according to claim 1, characterized in that, before the sending of sensitive information to the virtual machine through the secure channel, the method further includes:
receiving a key sent by the virtual machine, the key including a second random number encrypted using the public key, and decrypting the key using the private key to obtain the second random number;
the sending of sensitive information to the virtual machine through the secure channel then includes:
encrypting the sensitive information using the second random number, and sending the encrypted sensitive information to the virtual machine through the secure channel.
4. An injection method for sensitive information in a virtual machine, characterized in that it includes:
receiving a public key and a preset user name sent by a management device, and storing the public key in an authentication file corresponding to the preset user name;
receiving a virtual machine login request sent by the management device, the virtual machine login request including a user name to be verified and a private key;
obtaining the public key in the authentication file corresponding to the user name to be verified, and detecting whether the public key in the authentication file corresponding to the user name to be verified matches the private key;
if so, establishing a secure channel based on the Secure Shell login protocol with the management device;
receiving sensitive information sent by the management device through the secure channel.
5. The method according to claim 4, characterized in that, before the receiving of the sensitive information sent by the management device through the secure channel, the method further includes:
receiving a first random number sent by the virtual machine;
the receiving of the sensitive information sent by the management device through the secure channel then includes:
receiving the sensitive information, encrypted using the first random number, sent by the management device through the secure channel, and decrypting the encrypted sensitive information using the first random number.
6. The method according to claim 4, characterized in that, before the receiving of the sensitive information sent by the management device through the secure channel, the method further includes:
generating a second random number, encrypting the second random number using the public key to obtain a key, and sending the key to the management device;
the receiving of the sensitive information sent by the management device through the secure channel then includes:
receiving the sensitive information, encrypted using the second random number, sent by the management device through the secure channel, and decrypting the encrypted sensitive information using the second random number.
7. An injection method for sensitive information in a virtual machine, characterized in that it includes:
generating a private key and a public key paired with the private key, generating a random number, encrypting sensitive information using the random number, and sending the encrypted sensitive information, a preset user name and the public key to the virtual machine;
sending a virtual machine login request to the virtual machine based on a Secure Shell login protocol, the virtual machine login request including the preset user name and the private key, the virtual machine login request being used to request establishment of a secure channel based on the Secure Shell login protocol with the virtual machine;
sending the random number to the virtual machine through the secure channel.
8. An injection method for sensitive information in a virtual machine, characterized in that it includes:
receiving encrypted sensitive information, a preset user name and a public key sent by a management device, and storing the public key in an authentication file corresponding to the preset user name;
receiving a virtual machine login request sent by the management device, the virtual machine login request including a user name to be verified and a private key;
obtaining the public key in the authentication file corresponding to the user name to be verified, and detecting whether the public key in the authentication file corresponding to the user name to be verified matches the private key;
if so, establishing a secure channel based on the Secure Shell login protocol with the management device;
receiving a random number sent by the management device through the secure channel, and decrypting the encrypted sensitive information using the random number.
9. An injection method for sensitive information in a virtual machine, characterized in that it includes:
generating a private key and a public key paired with the private key, and sending the public key to a virtual machine;
receiving a key sent by the virtual machine, and decrypting the key using the private key to obtain a random number;
encrypting sensitive information using the random number, and sending the encrypted sensitive information to the virtual machine.
10. An injection method for sensitive information in a virtual machine, characterized in that it includes:
receiving a public key sent by a management device;
generating a random number, encrypting the random number using the public key to obtain a key, and sending the key to the management device;
receiving sensitive information encrypted by the management device using the random number, and decrypting the encrypted sensitive information using the random number.
11. A device for injecting sensitive information into a virtual machine, characterized in that it includes:
a key generation unit, configured to generate a private key and a public key paired with the private key;
a sending unit, configured to send the public key and a preset user name to the virtual machine;
the sending unit is further configured to send a virtual machine login request to the virtual machine based on a Secure Shell login protocol, the virtual machine login request including the preset user name and the private key, and the virtual machine login request being used to request establishment of a secure channel based on the Secure Shell login protocol with the virtual machine;
the sending unit is further configured to send sensitive information to the virtual machine through the secure channel.
12. The device according to claim 11, characterized in that the key generation unit is further configured to generate a first random number; the sending unit is further configured to send the first random number to the virtual machine; and the device further includes:
an encryption unit, configured to encrypt the sensitive information using the first random number;
the sending unit is specifically configured to send the encrypted sensitive information to the virtual machine through the secure channel.
13. The device according to claim 11, characterized in that the device further includes:
a receiving unit, configured to receive a key sent by the virtual machine, the key including a second random number encrypted using the public key;
a decryption unit, configured to decrypt the key using the private key to obtain the second random number;
an encryption unit, configured to encrypt the sensitive information using the second random number;
the sending unit is specifically configured to send the encrypted sensitive information to the virtual machine through the secure channel.
14. A device for injecting sensitive information into a virtual machine, characterized in that it includes:
a receiving unit, configured to receive a public key and a preset user name sent by a management device;
a storage unit, configured to store the public key in an authentication file corresponding to the preset user name;
the receiving unit is further configured to receive a virtual machine login request sent by the management device, the virtual machine login request including a user name to be verified and a private key;
an authentication unit, configured to obtain the public key in the authentication file corresponding to the user name to be verified and to detect whether the public key in the authentication file corresponding to the user name to be verified matches the private key;
an establishing unit, configured to establish a secure channel based on the Secure Shell login protocol with the management device when the public key in the authentication file corresponding to the user name to be verified matches the private key;
the receiving unit is further configured to receive sensitive information sent by the management device through the secure channel.
15. The device according to claim 14, characterized in that the receiving unit is further configured to receive a first random number sent by the virtual machine;
the receiving unit is specifically configured to receive the sensitive information, encrypted using the first random number, sent by the management device through the secure channel;
the device includes:
a decryption unit, configured to decrypt the encrypted sensitive information using the first random number.
16. The device according to claim 14, characterized in that the device further includes:
a key generation unit, configured to generate a second random number and to encrypt the second random number using the public key to obtain a key;
a sending unit, configured to send the key to the management device;
the receiving unit is specifically configured to receive the sensitive information, encrypted using the second random number, sent by the management device through the secure channel;
a decryption unit, configured to decrypt the encrypted sensitive information using the second random number.
17. A device for injecting sensitive information into a virtual machine, characterized in that it includes:
a key generation unit, configured to generate a private key and a public key paired with the private key, and to generate a random number;
an encryption unit, configured to encrypt sensitive information using the random number;
a sending unit, configured to send the encrypted sensitive information, a preset user name and the public key to the virtual machine;
the sending unit is further configured to send a virtual machine login request to the virtual machine based on a Secure Shell login protocol, the virtual machine login request including the preset user name and the private key, and the virtual machine login request being used to request establishment of a secure channel based on the Secure Shell login protocol with the virtual machine;
the sending unit is further configured to send the random number to the virtual machine through the secure channel.
18. A device for injecting sensitive information into a virtual machine, characterized in that it includes:
a receiving unit, configured to receive encrypted sensitive information, a preset user name and a public key sent by a management device;
a storage unit, configured to store the public key in an authentication file corresponding to the preset user name;
the receiving unit is further configured to receive a virtual machine login request sent by the management device, the virtual machine login request including a user name to be verified and a private key;
an authentication unit, configured to obtain the public key in the authentication file corresponding to the user name to be verified and to detect whether the public key in the authentication file corresponding to the user name to be verified matches the private key;
an establishing unit, configured to establish a secure channel based on the Secure Shell login protocol with the management device when the public key in the authentication file corresponding to the user name to be verified matches the private key;
the receiving unit is further configured to receive a random number sent by the management device through the secure channel;
a decryption unit, configured to decrypt the encrypted sensitive information using the random number.
19. A device for injecting sensitive information into a virtual machine, characterized in that it includes:
a key generation unit, configured to generate a private key and a public key paired with the private key;
a sending unit, configured to send the public key to a virtual machine;
a receiving unit, configured to receive a key sent by the virtual machine;
a decryption unit, configured to decrypt the key using the private key to obtain a random number;
an encryption unit, configured to encrypt sensitive information using the random number;
the sending unit is further configured to send the encrypted sensitive information to the virtual machine.
20. A device for injecting sensitive information into a virtual machine, characterized in that it includes:
a receiving unit, configured to receive a public key sent by a management device;
a key generation unit, configured to generate a random number;
an encryption unit, configured to encrypt the random number using the public key to obtain a key;
a sending unit, configured to send the key to the management device;
the receiving unit is further configured to receive sensitive information encrypted by the management device using the random number;
a decryption unit, configured to decrypt the encrypted sensitive information using the random number.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611219614.4A CN108243157A (en) | 2016-12-26 | 2016-12-26 | The method for implanting and device of sensitive information in virtual machine |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108243157A true CN108243157A (en) | 2018-07-03 |
Family ID: 62702095
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611219614.4A Pending CN108243157A (en) | 2016-12-26 | 2016-12-26 | The method for implanting and device of sensitive information in virtual machine |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108243157A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111212116A (en) * | 2019-12-24 | 2020-05-29 | 湖南舜康信息技术有限公司 | High-performance computing cluster creating method and system based on container cloud |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102986190A (en) * | 2010-07-08 | 2013-03-20 | 国际商业机器公司 | Resource access management |
CN103618737A (en) * | 2013-12-10 | 2014-03-05 | 浪潮电子信息产业股份有限公司 | VNC console optimization scheme of virtual machines in cloud computing environment |
CN104219041A (en) * | 2014-09-23 | 2014-12-17 | 中国南方电网有限责任公司 | Data transmission encryption method applicable for mobile internet |
US20160234040A1 (en) * | 2015-02-11 | 2016-08-11 | Dell Products L.P. | Virtual channel virtual private network |
- 2016-12-26 CN CN201611219614.4A patent/CN108243157A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180703 |