CN112486607B - Virtual desktop authorization permission method based on combination of software and hardware

Info

Publication number: CN112486607B
Authority: CN (China)
Prior art keywords: ukey, virtual desktop, authorization, serial number, permission information
Legal status: Active
Application number: CN202011314899.6A
Other languages: Chinese (zh)
Other versions: CN112486607A (en)
Inventors: 胡智峰, 孙利杰, 陈松政, 刘文清, 杨涛
Current assignee: Hunan Qilin Xin'an Technology Co ltd
Original assignee: Hunan Qilin Xin'an Technology Co ltd
Application filed by Hunan Qilin Xin'an Technology Co ltd
Priority to CN202011314899.6A
Publication of CN112486607A
Application granted
Publication of CN112486607B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/451 Execution arrangements for user interfaces
    • G06F 9/452 Remote windowing, e.g. X-Window System, desktop virtualisation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards

Abstract

The invention discloses a virtual desktop authorization permission method based on a combination of software and hardware, comprising the following steps: encrypting the permission information into an authorization code, running the UKey security module to encrypt the authorization code and the UKey serial number, writing the encrypted authorization code and UKey serial number into the UKey security zone, and issuing the client name and the authorization code to the client; obtaining the client name and authorization code entered by the client and, if the client name is the same as the client name parsed from the authorization code, running the UKey security module to read and decrypt the information in the UKey security zone, then storing the authorization code and the permission information if the decryption result is the same as the permission information parsed from the authorization code and the UKey serial number; and reading the permission information and, if the permission period is valid and the number of authorized virtual desktops is less than the maximum number of virtual desktops, allowing the virtual desktop to start and updating the number of authorized virtual desktops, releasing the authorization occupied by a virtual desktop when it is shut down. The invention does not need to collect a hardware feature code and avoids the risk of illegal hardware copying after a UKey is lost or stolen.

Description

Virtual desktop authorization permission method based on combination of software and hardware
Technical Field
The invention relates to virtual desktop authorization, in particular to a virtual desktop authorization permission method based on software and hardware combination.
Background
An authorization license is a common rights-protection measure for software release, in effect an identity card for legitimate software; its purpose is to prevent copying and piracy, to charge per feature, and the like. At present most commercial software and shareware use authorization licensing to ensure the software is not pirated and so protect the vendor's revenue.
Unlike ordinary software, cloud desktop products are generally priced by the number of virtual desktops, so the maximum number of virtual desktops must be included in the authorization license information.
Most manufacturers in the cloud desktop field choose a licensing scheme based purely on software protection: the license is a fixed-length serial-number string, and without other auxiliary measures it is exposed to reuse and piracy. Such licensing therefore usually requires collecting a hardware feature code (commonly called a machine code, mainly built from motherboard, CPU, memory and network card information) and generating the serial number from that hardware information, so that the serial number cannot be reused on other hardware. This complicates the product workflow: licenses cannot be prepared in advance, the license serial number can only be generated after the hardware feature code has been collected on site, and deployment has to wait for unpacking.
Some manufacturers choose a licensing scheme based on hardware protection instead: the license information is preset in a USB peripheral (generally a UKey device) and authorization succeeds automatically once it is plugged in. The UKey is a widely used security mechanism for software protection, identity authentication, electronic transactions, data security and so on, with many deployments in finance, public institutions and the defence industry. A UKey device is hardware with a USB interface that uses a smart card chip internally, contains a C51 virtual machine that can load and run C51 executable programs, and has a certain amount of storage space. The UKey itself provides several security mechanisms:
1. Developer ID: 8 bytes long and generated from a seed of at most 250 bytes. The generation is irreversible, and only the generator knows which seed produces its own developer ID, which improves security.
2. Developer password: 24 bytes long. It only permits writing and deleting files in the UKey (for example creating and deleting files) and cannot obtain any data from the UKey. A retry limit is set for the developer password, and when the number of consecutive wrong entries reaches the limit the developer password is locked and the UKey can no longer be used.
3. Hardware serial number: each UKey has a globally unique 64-bit (8-byte) hardware serial number that cannot be modified.
A UKey is comparatively simple and secure. However, since it is a physical object it can be lost or stolen, and in particular there is a risk of it being cloned in hardware.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: in view of the problems in the prior art described above, the invention provides a virtual desktop authorization permission method based on a combination of software and hardware that avoids the risk of UKey loss and theft without collecting hardware feature codes and also prevents the UKey from being illegally copied in hardware.
To solve the above technical problems, the technical scheme provided by the invention is as follows:
A virtual desktop authorization permission method based on a combination of software and hardware comprises the following steps:
S1) generating an authorization code: determine whether the UKey device is the correct device; if so, encrypt the permission information into an authorization code, read the hardware serial number of the UKey device as the UKey serial number, load and run the UKey security module in the UKey device to encrypt the authorization code and the UKey serial number and write them into the UKey security zone, issue the client name in the permission information and the authorization code to the user, and proceed to the next step; otherwise end and exit;
S2) activating the authorization code: obtain the client name 0 and authorization code 1 entered by the user and parse authorization code 1 to obtain permission information 1; determine whether the UKey device is the correct device and, if so, read the hardware serial number of the UKey device as UKey serial number 1 and load and run the UKey security module in the UKey device to read the information in the UKey security zone and decrypt it into the permission information and the UKey serial number; if the permission information is the same as permission information 1 and the UKey serial number is the same as UKey serial number 1, store authorization code 1 and the corresponding permission information in the database of the virtual desktop management system and proceed to the next step; otherwise end and exit;
S3) virtual desktop authorization: obtain a virtual desktop start request and read the permission information from the database of the virtual desktop management system; if the permission period in the permission information is valid and the number of authorized virtual desktops is less than the maximum number of virtual desktops in the permission information, allow the virtual desktop to start and update the number of authorized virtual desktops, otherwise do not allow it to start; release the occupied virtual desktop authorization when the virtual desktop is shut down.
Further, step S1) is preceded by a step of configuring the UKey security module, specifically: packaging the core encryption and decryption algorithm and the corresponding code into a C51 program and writing the program into the UKey device.
Further, encrypting the permission information into an authorization code in step S1) specifically includes: inputting the permission information, which comprises the client name, the permission period and the maximum number of virtual desktops; Base64-encoding the client name, permission period and maximum number of virtual desktops and splicing them into AES encryption blocks; generating a ciphertext by AES encryption; Base64-encoding the ciphertext; and finally grouping the result to produce an authorization code in the format AAAAA-BBB-CCCCCCCCC-DDDDD-EEE.
Further, encrypting the authorization code and the UKey serial number with the UKey security module in the UKey device and writing them into the UKey security zone in step S1) specifically includes: applying an obfuscation operation to the authorization code and the UKey serial number to obtain a permission information ciphertext and a UKey serial number ciphertext, encrypting both with the AES algorithm in the UKey security module to obtain a key file, and writing the key file into the UKey security zone.
Further, step S2) specifically includes:
S21) obtaining the client name 0 and authorization code 1 entered by the user, and parsing authorization code 1 to obtain permission information 1, which comprises client name 1, permission period 1 and maximum virtual desktop number 1;
S22) determining whether client name 0 is the same as client name 1; if so, proceeding to the next step, otherwise ending and exiting;
S23) determining whether the UKey device is the correct device; if so, proceeding to the next step, otherwise ending and exiting;
S24) reading the hardware serial number of the UKey device as UKey serial number 1, loading the UKey security module in the UKey device, and reading and decrypting the information in the UKey security zone to obtain the permission information and the UKey serial number, the permission information comprising the client name, the permission period and the maximum number of virtual desktops;
S25) if client name 1 is the same as the client name, permission period 1 is the same as the permission period, maximum virtual desktop number 1 is the same as the maximum virtual desktop number, and UKey serial number 1 is the same as the UKey serial number, proceeding to the next step, otherwise ending and exiting;
S26) storing authorization code 1, and storing permission information 1 (or the permission information) in the database and memory of the virtual desktop management system.
Further, step S3) specifically includes:
S31) obtaining the current virtual desktop start request, and reading the permission information from the database of the virtual desktop management system;
S32) determining whether the permission period in the permission information is valid; if so, proceeding to the next step, otherwise refusing to start the virtual desktop and exiting;
S33) determining whether the number of authorized virtual desktops is less than the maximum number of virtual desktops in the permission information; if so, proceeding to the next step, otherwise refusing to start the virtual desktop and exiting;
S34) allowing the current virtual desktop to start, having it occupy one virtual desktop authorization, and updating the number of authorized virtual desktops;
S35) monitoring all started virtual desktops; when a virtual desktop is shut down, releasing the virtual desktop authorization it occupied and updating the number of authorized virtual desktops.
Further, determining whether the UKey device is the correct device in steps S1) and S2) specifically includes: opening the UKey device, reading its developer ID and developer password, and verifying whether they are correct; if so, the UKey device is determined to be correct, otherwise it is determined to be wrong.
The invention also provides a virtual desktop authorization permission device based on a combination of software and hardware, comprising:
an authorization code production tool module, used to determine whether the UKey device is the correct device and, if so, encrypt the permission information into an authorization code, read the hardware serial number of the UKey device as the UKey serial number, load and run the UKey security module in the UKey device, and encrypt the authorization code and the UKey serial number and write them into the UKey security zone;
a virtual desktop management system module, used to obtain the client name 0 and authorization code 1 entered by the user, parse authorization code 1 to obtain permission information 1, determine whether the UKey device is the correct device and, if so, read the hardware serial number of the UKey device as UKey serial number 1, load and run the UKey security module in the UKey device to read and decrypt the information in the UKey security zone into the permission information and the UKey serial number, and store authorization code 1 and the corresponding permission information in the database of the virtual desktop management system if the permission information is the same as permission information 1 and the UKey serial number is the same as UKey serial number 1. The virtual desktop management system module is also used to obtain a virtual desktop start request and read the permission information from the database of the virtual desktop management system; if the permission period in the permission information is valid and the current number of authorized virtual desktops is less than the maximum number of virtual desktops in the permission information, it allows the virtual desktop to start and adds one to the current number of authorized virtual desktops, otherwise it does not allow the virtual desktop to start; and it releases the occupied virtual desktop authorization when the virtual desktop is shut down;
and the UKey device, used to provide the running environment of the UKey security module and to store the encrypted authorization code and UKey serial number.
The invention also provides a virtual desktop authorization permission device based on a combination of software and hardware, comprising computer equipment that is programmed or configured to execute the above virtual desktop authorization permission method based on a combination of software and hardware.
The invention also provides a computer-readable storage medium storing a computer program programmed or configured to execute the above virtual desktop authorization permission method based on a combination of software and hardware.
Compared with the prior art, the invention has the following advantages:
1. The authorization code can be prepared and produced in advance and the permission information stored in the database of the virtual desktop management system, so at authorization time there is no need to collect and bind the hardware feature code of the user's on-site machine or to wait for on-site unpacking and deployment, which simplifies the deployment process.
2. The invention combines software and hardware: the authentication mechanism encrypts twice to produce the authorization permission information and applies six checks when activating the authorization code, which greatly increases the security strength of the license.
3. The security mechanism of the invention is based on the UKey security module; provided reliability and algorithm complexity are ensured, the UKey security module is unlikely to be cracked and can prevent reverse engineering, data leakage and hardware cloning.
Drawings
Fig. 1 is a schematic diagram of a UKey security module in the embodiment of the present invention.
FIG. 2 is a schematic diagram illustrating steps of an embodiment of the present invention.
Fig. 3 is a flowchart of generating an authorization code according to an embodiment of the present invention.
Fig. 4 is a flowchart of an activation authorization code according to an embodiment of the present invention.
Fig. 5 is a flowchart of virtual desktop authorization according to an embodiment of the present invention.
Detailed Description
The invention is further described below with reference to the drawings and specific preferred embodiments, without thereby limiting its scope of protection.
As shown in Fig. 1, the invention performs secondary development on a UKey device and configures a UKey security module in it, so that the authorization code and UKey serial number are encrypted by the UKey security module to obtain a key file, and the key file is decrypted by the UKey security module to obtain the corresponding permission information and UKey serial number. The UKey security module is a security component that packages the core encryption/decryption algorithm and code into a C51 program, which is compiled into a binary file and runs inside the UKey. When each new UKey device is initialized, the developer ID and password are set automatically and the UKey security module is written into the UKey device for subsequent loading and running. Provided reliability and algorithm complexity are ensured, the possibility of the UKey security module being cracked is equal to zero.
As shown in fig. 2, the virtual desktop authorization permission method based on the combination of software and hardware of this embodiment includes the following steps:
S1) generating an authorization code: determine whether the UKey device is the correct device; if so, encrypt the permission information into an authorization code, read the hardware serial number of the UKey device as the UKey serial number, load and run the UKey security module in the UKey device to encrypt the authorization code and the UKey serial number and write them into the UKey security zone, issue the client name in the permission information and the authorization code to the user, and proceed to the next step; otherwise end and exit, as shown in FIG. 3;
S2) activating the authorization code: obtain the client name 0 and authorization code 1 entered by the user. Because of operator error and the like, the client name and authorization code entered by the user may differ from the original client name and authorization code that were received; in this embodiment the entered values are therefore distinguished from the originals as client name 0 and authorization code 1. Parse authorization code 1 to obtain permission information 1. If client name 0 is the same as client name 1 in permission information 1, determine whether the UKey device is the correct device; if so, read UKey serial number 1, and load and run the UKey security module in the UKey device to read the information in the UKey security zone and decrypt it into the permission information and the UKey serial number, namely the permission information and original UKey serial number that correspond to the original authorization code of step S1). If the permission information is the same as permission information 1 and the UKey serial number is the same as UKey serial number 1, the content entered by the client matches the original client name and authorization code that were issued, that is, authorization code 1 is the authorization code of step S1); store authorization code 1 and the corresponding permission information in the database of the virtual desktop management system and proceed to the next step; otherwise end and exit;
S3) virtual desktop authorization: obtain a virtual desktop start request and read the permission information from the database of the virtual desktop management system; if the permission period in the permission information is valid and the number of authorized virtual desktops is less than the maximum number of virtual desktops in the permission information, allow the virtual desktop to start and update the number of authorized virtual desktops, otherwise do not allow it to start; release the occupied virtual desktop authorization when the virtual desktop is shut down.
These steps allow the method of this embodiment to prepare and manufacture the UKey device carrying the permission information in advance. When the authorization code is activated, only the permission information entered by the user and the permission information in the UKey device carried by the user need to be verified, and the authorization code and the corresponding permission information are stored in the database of the virtual desktop management system; the hardware feature code of the user's on-site machine therefore does not need to be collected and bound, and there is no wait for on-site unpacking and deployment, which simplifies the deployment process. Meanwhile, two encryptions are applied while generating the authorization code, and while activating it the permission information entered by the user and the permission information in the UKey device are verified separately, so the security strength is greatly increased. Finally, in this embodiment the UKey device stores a key file processed by the UKey security module, which prevents reverse engineering, data leakage and hardware cloning.
Step S1) of this embodiment is further preceded by a step of configuring the UKey security module, specifically: the core encryption and decryption algorithm and the corresponding code are packaged into a C51 program and written into the UKey device; loading and running this C51 program as required in the subsequent steps lets the UKey security module encrypt the authorization code and the UKey serial number and write them into the UKey security zone, or read the information in the UKey security zone and decrypt it to obtain the permission information and the UKey serial number.
In steps S1) and S2) of this embodiment, determining whether the UKey device is the correct device specifically includes: reading the developer ID and developer password of the UKey device and verifying whether they are correct; if so, the UKey device is determined to be correct, otherwise it is determined to be wrong.
In step S1) of this embodiment, encrypting the permission information into an authorization code specifically includes: inputting the permission information, which in this embodiment comprises the client name, the permission period and the maximum number of virtual desktops; Base64-encoding the client name, permission period and maximum number of virtual desktops and splicing them into AES encryption blocks; generating a ciphertext by AES encryption; Base64-encoding the ciphertext; and finally grouping the result to produce an authorization code in the format AAAAA-BBB-CCCCCCCCC-DDDDD-EEE.
In step S1) of this embodiment, encrypting the authorization code and the UKey serial number with the UKey security module in the UKey device and writing them into the UKey security zone specifically includes: applying an obfuscation operation to the authorization code and the UKey serial number to obtain a permission information ciphertext and a UKey serial number ciphertext, encrypting both with the AES algorithm in the UKey security module to obtain a key file, and writing the key file into the UKey security zone. On top of the permission information already having been encrypted into the authorization code, the authorization code and the UKey serial number are thus encrypted a second time to obtain the key, which raises the security strength, and the obfuscation of the authorization code and the UKey serial number adds further security.
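The software half of step S1 and its inverse, as an added example in Go (not the patent's or the assignee's code): each field is Base64-encoded, the fields are spliced into AES blocks, AES-CBC encrypted, Base64-encoded again and grouped, and ParseAuthorizationCode reverses this for step S2. The page fixes only that order and the AAAAA-BBB-CCCCCCCCC-DDDDD-EEE layout; the "|" field separator, PKCS#7 padding, CBC mode with a fixed IV, the sample key, the period date format, and repeating the group pattern for ciphertexts longer than 25 characters are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// LicenseInfo is the permission information an authorization code carries.
type LicenseInfo struct {
	ClientName  string
	Period      string // assumption: "YYYY-MM-DD~YYYY-MM-DD"
	MaxDesktops int
}

var b64 = base64.StdEncoding
var demoIV = []byte("constructed-iv!!")  // constructed CBC IV (assumption; the real key and IV are not on the page)
var groupPattern = []int{5, 3, 9, 5, 3} // the page's AAAAA-BBB-CCCCCCCCC-DDDDD-EEE layout; assumed to repeat

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1]) // caller guarantees b is non-empty and block aligned
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// group splits s into dash-separated groups following groupPattern.
func group(s string) string {
	var parts []string
	for i := 0; s != ""; i++ {
		n := groupPattern[i%len(groupPattern)]
		if n > len(s) {
			n = len(s)
		}
		parts, s = append(parts, s[:n]), s[n:]
	}
	return strings.Join(parts, "-")
}

// GenerateAuthorizationCode is step S1's software half: Base64 each field, splice, AES-CBC, Base64, group.
func GenerateAuthorizationCode(info LicenseInfo, key []byte) (string, error) {
	joined := b64.EncodeToString([]byte(info.ClientName)) + "|" + // "|" separator is an assumption
		b64.EncodeToString([]byte(info.Period)) + "|" +
		b64.EncodeToString([]byte(strconv.Itoa(info.MaxDesktops)))
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	plain := pkcs7Pad([]byte(joined)) // PKCS#7 padding is an assumption
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, demoIV).CryptBlocks(ct, plain)
	return group(b64.EncodeToString(ct)), nil
}

// ParseAuthorizationCode reverses it (step S2's parse); a mistyped code or a wrong key fails the checks.
func ParseAuthorizationCode(code string, key []byte) (LicenseInfo, error) {
	ct, err := b64.DecodeString(strings.ReplaceAll(code, "-", ""))
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return LicenseInfo{}, errors.New("malformed authorization code")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return LicenseInfo{}, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, demoIV).CryptBlocks(plain, ct)
	if plain, err = pkcs7Unpad(plain); err != nil {
		return LicenseInfo{}, err
	}
	var raw [3][]byte // SplitN yields at most three fields; a missing third field fails Atoi below
	for i, f := range strings.SplitN(string(plain), "|", 3) {
		if raw[i], err = b64.DecodeString(f); err != nil {
			return LicenseInfo{}, err
		}
	}
	limit, err := strconv.Atoi(string(raw[2]))
	if err != nil {
		return LicenseInfo{}, err
	}
	return LicenseInfo{ClientName: string(raw[0]), Period: string(raw[1]), MaxDesktops: limit}, nil
}

func main() {
	key := []byte("constructed-demo") // constructed 16-byte AES-128 key (assumption)
	code, err := GenerateAuthorizationCode(LicenseInfo{"Example Customer", "2021-01-01~2022-01-01", 50}, key)
	info, perr := ParseAuthorizationCode(code, key)
	fmt.Println(code, info, err, perr)
}
```

The authorization code only conceals the permission information; it is the second encryption in the UKey security module and the serial-number comparison of step S25 that tie it to one device.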
As shown in Fig. 4, step S2) of this embodiment includes the following specific steps:
S21) obtaining the client name 0 and authorization code 1 entered by the user, and parsing authorization code 1 to obtain permission information 1, which comprises client name 1, permission period 1 and maximum virtual desktop number 1;
S22) determining whether client name 0 is the same as client name 1; if so, proceeding to the next step, otherwise ending and exiting;
S23) determining whether the UKey device is the correct device; if so, proceeding to the next step, otherwise ending and exiting;
S24) reading the hardware serial number of the UKey device as UKey serial number 1, loading the UKey security module in the UKey device, and reading and decrypting the information in the UKey security zone to obtain the permission information and the UKey serial number, the permission information comprising the client name, the permission period and the maximum number of virtual desktops;
S25) if client name 1 is the same as the client name, permission period 1 is the same as the permission period, maximum virtual desktop number 1 is the same as the maximum virtual desktop number, and UKey serial number 1 is the same as the UKey serial number, proceeding to the next step, otherwise ending and exiting;
S26) storing authorization code 1, and storing permission information 1 (or the permission information) in the database and memory of the virtual desktop management system.
In step S2), the method not only checks the client name against the client name in the permission information parsed from the authorization code, but also checks the permission information parsed from the authorization code against the decryption result of the key stored in the UKey security zone of the UKey device; the authorization code can be activated only when every check passes, which secures the activation process.
As shown in Fig. 5, step S3) of this embodiment includes the following specific steps:
S31) obtaining the current virtual desktop start request, and reading the permission information from the database of the virtual desktop management system;
S32) determining whether the permission period in the permission information is valid; if so, proceeding to the next step, otherwise refusing to start the virtual desktop and exiting;
S33) determining whether the number of authorized virtual desktops is less than the maximum number of virtual desktops in the permission information; if so, proceeding to the next step, otherwise refusing to start the virtual desktop and exiting;
S34) allowing the current virtual desktop to start, having it occupy one virtual desktop authorization, and updating the number of authorized virtual desktops;
S35) monitoring all started virtual desktops; when a virtual desktop is shut down, releasing the virtual desktop authorization it occupied and updating the number of authorized virtual desktops.
In step S3), to prevent the number of running virtual desktops from exceeding the maximum number of virtual desktops without binding the hardware feature codes of the user's on-site machines that run them, this embodiment has each running virtual desktop occupy one virtual desktop authorization: when the current number of authorized virtual desktops is greater than the maximum number of virtual desktops, further virtual desktops are not allowed to start; when a virtual desktop is closed, the authorization it occupied is released and becomes available to a subsequently started virtual desktop, thereby managing the number of started virtual desktops dynamically.
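The activation checks S22 to S25 and the authorization accounting of steps S31 to S35, as an added example in Go (not the patent's code): the UKey sits behind an interface so the management-system logic can be exercised with an in-memory stand-in, and each running desktop holds one authorization that is released on shutdown. The UKey interface, the FakeUKey type, the "start~end" date format of the permission period, and the sample serial numbers are assumptions.

```go
package main

import (
	"errors"
	"strings"
	"sync"
	"time"
)

// LicenseInfo is the permission information, whether parsed from authorization code 1
// or decrypted from the UKey security zone.
type LicenseInfo struct {
	ClientName  string
	Period      string // assumption: "YYYY-MM-DD~YYYY-MM-DD"
	MaxDesktops int
}

// UKey is what the management system needs from the device in step S2. FakeUKey is an
// in-memory stand-in constructed for this example; a real device answers via its vendor SDK.
type UKey interface {
	IsCorrectDevice() bool                        // S23: developer ID and password verify
	SerialNumber() string                         // S24: 64-bit hardware serial number read now
	ReadSecureZone() (LicenseInfo, string, error) // S24: security module decrypts the key file
}

type FakeUKey struct {
	DevOK              bool
	Serial, ZoneSerial string      // hardware serial / serial the module stored at S1
	ZoneInfo           LicenseInfo // permission information the module stored at S1
}

func (u FakeUKey) IsCorrectDevice() bool { return u.DevOK }
func (u FakeUKey) SerialNumber() string  { return u.Serial }
func (u FakeUKey) ReadSecureZone() (LicenseInfo, string, error) { return u.ZoneInfo, u.ZoneSerial, nil }

// Activate runs checks S22 to S25 in order and returns the permission information to store
// (S26). info1 is the result of parsing authorization code 1 typed in by the user.
func Activate(clientName0 string, info1 LicenseInfo, dev UKey) (LicenseInfo, error) {
	if clientName0 != info1.ClientName {
		return LicenseInfo{}, errors.New("S22: client name does not match the authorization code")
	}
	if !dev.IsCorrectDevice() {
		return LicenseInfo{}, errors.New("S23: UKey developer ID or password is wrong")
	}
	zoneInfo, zoneSerial, err := dev.ReadSecureZone()
	if err != nil {
		return LicenseInfo{}, err
	}
	// A key file copied onto another UKey fails here: the stored serial is not this hardware's.
	if zoneInfo != info1 || zoneSerial != dev.SerialNumber() {
		return LicenseInfo{}, errors.New("S25: authorization code does not belong to this UKey")
	}
	return info1, nil
}

// periodValid is check S32 for the assumed "start~end" date format; the end date is inclusive.
func periodValid(period string, now time.Time) bool {
	bounds := strings.Split(period, "~")
	if len(bounds) != 2 {
		return false
	}
	start, err1 := time.Parse("2006-01-02", bounds[0])
	end, err2 := time.Parse("2006-01-02", bounds[1])
	return err1 == nil && err2 == nil && !now.Before(start) && now.Before(end.AddDate(0, 0, 1))
}

// Manager holds the activated permission information and the set of running desktops,
// each of which occupies one authorization (steps S31 to S35).
type Manager struct {
	mu      sync.Mutex
	info    LicenseInfo
	running map[string]bool
	now     func() time.Time // injected so the period check can be exercised at any date
}

func NewManager(info LicenseInfo, now func() time.Time) *Manager {
	return &Manager{info: info, running: map[string]bool{}, now: now}
}

// Start is S31 to S34: refuse when the period is invalid or every authorization is occupied.
// A desktop that already holds an authorization keeps it rather than occupying a second one.
func (m *Manager) Start(desktopID string) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if !periodValid(m.info.Period, m.now()) {
		return errors.New("S32: permission period is not valid")
	}
	if !m.running[desktopID] && len(m.running) >= m.info.MaxDesktops {
		return errors.New("S33: maximum number of virtual desktops reached")
	}
	m.running[desktopID] = true
	return nil
}

// Shutdown is S35: the authorization a desktop occupied is released when it shuts down.
func (m *Manager) Shutdown(desktopID string) { m.mu.Lock(); defer m.mu.Unlock(); delete(m.running, desktopID) }

// AuthorizedCount is the page's "authorization number of the virtual desktops".
func (m *Manager) AuthorizedCount() int { m.mu.Lock(); defer m.mu.Unlock(); return len(m.running) }
```

Keying the running set by desktop identity rather than keeping a bare counter is what keeps a restarted desktop from being counted twice and lets S35 release exactly the authorization that desktop held.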
This embodiment further provides a virtual desktop authorization permission device based on the combination of software and hardware, comprising:
an authorization code production tool module, used to judge whether the UKey device is the correct device and, if so, to encrypt the license information into an authorization code, read the hardware serial number of the UKey device as the UKey serial number, load and run the UKey security module in the UKey device, and have it encrypt the authorization code and the UKey serial number and write the result into the UKey security zone;
a virtual desktop management system module, used to obtain the client name 0 and authorization code 1 entered by the user, parse authorization code 1 to obtain license information 1, judge whether the UKey device is the correct device and, if so, read the hardware serial number of the UKey device as UKey serial number 1, load and run the UKey security module in the UKey device to read the information in the UKey security zone and decrypt it into license information and a UKey serial number, and, if the license information equals license information 1 and the UKey serial number equals UKey serial number 1, store authorization code 1 and the corresponding license information in the database of the virtual desktop management system; the virtual desktop management system module is further used to obtain a virtual desktop start request, read the license information from the database of the virtual desktop management system and, if the license period in the license information is valid and the current virtual desktop authorization count is less than the maximum number of virtual desktops in the license information, allow the virtual desktop to start and increment the current virtual desktop authorization count by one, otherwise refuse to start the virtual desktop, and to release the occupied virtual desktop authorization when the virtual desktop shuts down;
and the UKey device, used to provide the running environment of the UKey security module and to store the encrypted authorization code and UKey serial number.
In this embodiment, the authorization code production tool module is a machine that runs the authorization code production tool program and is dedicated to making and issuing authorization codes. As shown in Fig. 3, when an authorization code is generated according to step S1), a UKey device is inserted into this machine and the production tool program is run. The program reads the developer ID and developer password of the UKey device and verifies that they are correct; if they are not, the process ends immediately. The operator then enters the license information, namely the client name, the license deadline and the maximum number of virtual desktops. The client name, license deadline and maximum number of virtual desktops are each BASE64-converted, spliced into an AES encryption block and encrypted with AES to produce a ciphertext; the ciphertext is BASE64-converted and finally grouped into an authorization code of the format AAAAA-BBB-CCCCCCCCC-DDDDD-EEE. At the same time the UKey security module is loaded and run: the authorization code and the hardware serial number read from the UKey device, used as the UKey serial number, are put through an obfuscation operation to obtain a license information ciphertext and a UKey serial number ciphertext, these two ciphertexts are encrypted with the AES algorithm to obtain a key file, and the key file is written into the UKey security zone. When production is complete the UKey device is unplugged, the customer name and authorization code are recorded, and the UKey device, customer name and authorization code are issued to the user.
In this embodiment, the virtual desktop management system module is a server running the virtual desktop management system. As shown in Fig. 4, when the authorization code is activated according to step S2), the UKey device is inserted into this server and the authorization code activation page is opened. The user enters the corresponding client name 0 and authorization code 1. The management system back end decrypts authorization code 1 to obtain license information 1, consisting of client name 1, license deadline 1 and maximum virtual desktop number 1, and checks whether client name 0 and client name 1 are consistent; if not, activation fails immediately. If they are, the developer ID and developer password of the UKey device are read and verified; if they are incorrect, activation fails. Otherwise the hardware serial number of the UKey device is read as UKey serial number 1, the UKey security module is loaded and run, the information stored in the UKey security zone is read, and the license information and UKey serial number that the authorization code production tool module earlier had the UKey security module encrypt are decrypted. The client name, license deadline, maximum virtual desktop number and UKey serial number are then compared in turn with client name 1, license deadline 1, maximum virtual desktop number 1 and UKey serial number 1. If any one item differs, activation fails; if all of them agree, activation succeeds and the authorization code and the corresponding license information are stored in the database and memory of the virtual desktop management system.
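Steps S1) and S2) as described in the two preceding paragraphs, written out as an added example in Go; this is not the patent's or the applicant's code. It keeps the page's structure: the licence fields are serialised, AES-encrypted and Base64-encoded into the authorization code; the on-token module seals the code together with the token's hardware serial into the security zone; activation parses the typed code, checks the customer name, decrypts the zone and requires the stored licence fields and serial to match before the licence is accepted. Everything the page does not fix is an assumption and is labelled as such in the code: AES-GCM as the AES mode (the page says only "AES"), JSON in place of the page's per-field Base64 splice, the hyphen grouping and the obfuscation pre-step left out, the developer-ID/password check of the token not modelled, fixed illustrative keys whose distribution the page does not describe, and the UKey simulated in software as a serial string plus a zone blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// LicenseInfo is the permission information an authorization code carries.
type LicenseInfo struct {
	Customer    string
	Expiry      string // licence deadline as text; the page fixes no date format
	MaxDesktops int
}

// Illustrative AES-256 keys (assumption): the page does not describe key distribution or the token's keying.
var codeKey = []byte("0123456789abcdef0123456789abcdef")
var ukeyKey = []byte("fedcba9876543210fedcba9876543210")

// gcm returns AES-GCM (assumed mode; the page says only "AES"); fixed 32-byte keys make both constructors infallible.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// seal prefixes a random nonce, so the same licence yields a fresh code on every run.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, pt, nil)
}

// open rejects any modified byte, which is what makes a tampered code or zone detectable.
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}

// GenerateAuthorizationCode is the S1 encoding: serialise the licence, AES-encrypt, Base64.
// JSON stands in for the page's per-field Base64 splice; its hyphen grouping is omitted.
func GenerateAuthorizationCode(li LicenseInfo) string {
	plain, _ := json.Marshal(li) // a struct of strings and an int always marshals
	return base64.StdEncoding.EncodeToString(seal(codeKey, plain))
}

// ParseAuthorizationCode is the S2 "analyse the authorization code" step.
func ParseAuthorizationCode(code string) (li LicenseInfo, err error) {
	ct, err := base64.StdEncoding.DecodeString(code)
	if err == nil {
		ct, err = open(codeKey, ct) // ct now holds the plaintext
	}
	if err != nil {
		return li, errors.New("authorization code rejected")
	}
	err = json.Unmarshal(ct, &li)
	return li, err
}

// Provision is the S1 binding: the on-token module seals the code together with the serial of
// the UKey it is issued on. Base64 never contains "|"; the page's obfuscation pre-step is not modelled.
func Provision(serial, code string) []byte { return seal(ukeyKey, []byte(code+"|"+serial)) }

// Activate is the S2 check of the typed customer name and code against the inserted UKey
// (its hardware serial and security-zone contents).
func Activate(customer0, code1, serial1 string, zone []byte) (LicenseInfo, error) {
	li1, err := ParseAuthorizationCode(code1)
	if err != nil || li1.Customer != customer0 {
		return LicenseInfo{}, errors.New("authorization code rejected or not issued to this customer")
	}
	pt, err := open(ukeyKey, zone)
	if err != nil {
		return LicenseInfo{}, errors.New("UKey security zone unreadable")
	}
	storedCode, storedSerial, _ := strings.Cut(string(pt), "|")
	li, err := ParseAuthorizationCode(storedCode)
	if err != nil || li != li1 || storedSerial != serial1 {
		return LicenseInfo{}, errors.New("authorization code is not bound to this UKey")
	}
	return li1, nil
}

func main() {
	code := GenerateAuthorizationCode(LicenseInfo{"ACME Ltd", "2026-12-31", 50}) // constructed sample
	zone := Provision("UK-000123", code)
	_, err := Activate("ACME Ltd", code, "UK-999999", zone) // genuine zone copied onto another token
	fmt.Println("cloned token:", err)
}
```

Because the zone is decrypted and compared field by field rather than merely checked for presence, copying a genuine security zone onto a UKey with a different hardware serial fails, which is the point of binding the code to the token instead of to the user-site machine. With an authenticated mode such as GCM, any edit to the code or the zone fails decryption outright instead of yielding garbage fields that might pass a loose comparison.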
As shown in Fig. 5, when virtual desktops are authorized according to step S3), the virtual desktop management system reads the license information from the database at start-up and synchronizes it to runtime memory, then receives a virtual desktop start request. When a virtual desktop is about to start, the system first checks whether the license period is still valid; if the license deadline has passed, the virtual desktop is not allowed to start. If the license is still within its validity period, the system further checks whether the current total virtual desktop authorization count has reached the maximum number of virtual desktops; if it has, the virtual desktop is not allowed to start, otherwise the virtual desktop is allowed to start and occupies one virtual desktop authorization. Each virtual desktop holds its authorization for as long as it runs and releases it only when it is shut down.
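The start gate and release logic of steps S31) to S35), as described in the step list above and in the preceding paragraph, as an added example in Go; this is not the patent's or the applicant's code. The pool keeps the set of desktop IDs that hold an authorization rather than a bare counter, so a repeated start request from a desktop that is already running and a repeated shutdown notice for the same desktop cannot drift the count (an edge case the page leaves open), and the clock is injected so the expiry check can be exercised. The LicenseRecord type, the desktop ID strings, the sample dates and the "now is before the deadline" reading of "license period valid" are assumptions, since the page names the fields and checks but fixes none of these details.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// LicenseRecord is the licence information the management system reads from its database
// and keeps in memory (assumed shape; the page names the fields but not their types).
type LicenseRecord struct {
	Customer    string
	Expiry      time.Time
	MaxDesktops int
}

var (
	ErrExpired   = errors.New("licence period has expired")
	ErrExhausted = errors.New("all virtual desktop authorizations are in use")
)

// Pool hands one authorization to each running desktop and takes it back on shutdown.
// It tracks the set of holders rather than a bare counter, so repeated start or stop
// notices for the same desktop cannot drift the count.
type Pool struct {
	mu      sync.Mutex
	lic     LicenseRecord
	now     func() time.Time    // injected clock, so expiry can be exercised in tests
	running map[string]struct{} // desktop IDs currently holding an authorization
}

func NewPool(lic LicenseRecord, now func() time.Time) *Pool {
	return &Pool{lic: lic, now: now, running: make(map[string]struct{})}
}

// Start is the S32 to S34 gate for one desktop start request: expiry first, then the
// "less than maximum" count check, so exactly MaxDesktops desktops can run at once.
func (p *Pool) Start(desktopID string) error {
	p.mu.Lock()
	defer p.mu.Unlock()
	if !p.now().Before(p.lic.Expiry) {
		return ErrExpired
	}
	if _, held := p.running[desktopID]; held {
		return nil // already authorized; do not consume a second slot
	}
	if len(p.running) >= p.lic.MaxDesktops {
		return ErrExhausted
	}
	p.running[desktopID] = struct{}{}
	return nil
}

// Stop is S35: the shutdown monitor releases the authorization the desktop occupied.
func (p *Pool) Stop(desktopID string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	delete(p.running, desktopID)
}

// InUse is the current virtual desktop authorization count.
func (p *Pool) InUse() int {
	p.mu.Lock()
	defer p.mu.Unlock()
	return len(p.running)
}

func main() {
	// Constructed sample licence and clock.
	lic := LicenseRecord{"ACME Ltd", time.Date(2026, 12, 31, 0, 0, 0, 0, time.UTC), 2}
	clock := time.Date(2025, 6, 1, 9, 0, 0, 0, time.UTC)
	p := NewPool(lic, func() time.Time { return clock })
	fmt.Println(p.Start("vd-1"), p.Start("vd-2"), p.Start("vd-3")) // third start refused
	p.Stop("vd-1")
	fmt.Println(p.Start("vd-3"), p.InUse()) // slot freed by vd-1 goes to vd-3
	clock = lic.Expiry
	fmt.Println(p.Start("vd-4")) // refused: licence period over
}
```

The expiry check runs before the count check, as in S32) and S33), so an expired licence refuses new starts even while authorizations are free; desktops already running are not touched, which matches the page's "hold until shutdown" rule.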
The invention also provides a virtual desktop authorization permission device based on the combination of software and hardware, which comprises computer equipment, wherein the computer equipment is programmed or configured to execute the virtual desktop authorization permission method based on the combination of software and hardware.
The present invention also provides a computer readable storage medium storing a computer program programmed or configured to execute the virtual desktop authorization licensing method based on a combination of software and hardware described above.
The foregoing describes preferred embodiments of the invention and is not to be construed as limiting the invention in any way. Although the invention has been described with reference to the preferred embodiments, it is not limited to them. Any simple modification, equivalent change or variation made to the above embodiments in accordance with the technical spirit of the invention falls within the protection scope of the technical solution of the invention, provided it does not depart from the content of that technical solution.

Claims (10)

1. A virtual desktop authorization permission method based on software and hardware combination is characterized by comprising the following steps:
S1) generating an authorization code: judging whether the UKey device is the correct device; if so, encrypting the license information into an authorization code, reading the hardware serial number of the UKey device as the UKey serial number, loading and running the UKey security module in the UKey device, encrypting the authorization code and the UKey serial number and writing them into the UKey security zone, issuing the client name in the license information and the authorization code to the user, and proceeding to the next step; if not, ending and exiting;
S2) activating the authorization code: obtaining the client name 0 and authorization code 1 entered by the user, parsing authorization code 1 to obtain license information 1, and judging whether the UKey device is the correct device; if so, reading the hardware serial number of the UKey device as UKey serial number 1, loading and running the UKey security module in the UKey device to read the information in the UKey security zone and decrypt it into license information and a UKey serial number, and, if the license information is the same as license information 1 and the UKey serial number is the same as UKey serial number 1, storing authorization code 1 and the corresponding license information in the database of the virtual desktop management system and proceeding to the next step; otherwise, ending and exiting;
S3) authorizing virtual desktops: obtaining a virtual desktop start request and reading the license information from the database of the virtual desktop management system; if the license period in the license information is valid and the virtual desktop authorization count is less than the maximum number of virtual desktops in the license information, allowing the virtual desktop to start and updating the virtual desktop authorization count, otherwise refusing to start the virtual desktop; and releasing the occupied virtual desktop authorization when the virtual desktop shuts down.
2. The virtual desktop authorization permission method based on the combination of software and hardware according to claim 1, characterized in that, before step S1), it further comprises a step of configuring the UKey security module, specifically: packaging the core encryption and decryption algorithm and the corresponding code into a C51 program and writing the program into the UKey device.
3. The virtual desktop authorization permission method based on the combination of software and hardware according to claim 1, wherein encrypting the license information into the authorization code in step S1) specifically comprises: inputting license information comprising a client name, a license period and a maximum number of virtual desktops; BASE64-converting the client name, the license period and the maximum number of virtual desktops; splicing them into AES encryption blocks; encrypting with AES to generate a ciphertext; BASE64-converting the ciphertext; and finally grouping the result into an authorization code of the format AAAAA-BBB-CCCCCCCCC-DDDDD-EEE.
4. The virtual desktop authorization permission method based on the combination of software and hardware according to claim 1, wherein in step S1), having the UKey security module in the UKey device encrypt the authorization code and the UKey serial number and writing them into the UKey security zone specifically comprises: performing an obfuscation operation on the authorization code and the UKey serial number to obtain a license information ciphertext and a UKey serial number ciphertext, encrypting the license information ciphertext and the UKey serial number ciphertext with the AES algorithm by means of the UKey security module to obtain a key file, and writing the key file into the UKey security zone.
5. The virtual desktop authorization permission method based on the combination of software and hardware according to claim 1, wherein step S2) specifically comprises:
S21) obtaining the client name 0 and authorization code 1 entered by the user, and parsing authorization code 1 to obtain license information 1, which comprises client name 1, license period 1 and maximum virtual desktop number 1;
S22) judging whether client name 0 is the same as client name 1; if so, proceeding to the next step, otherwise ending and exiting;
S23) judging whether the UKey device is the correct device; if so, proceeding to the next step, otherwise ending and exiting;
S24) reading the hardware serial number of the UKey device as UKey serial number 1, loading the UKey security module in the UKey device, reading the information in the UKey security zone and decrypting it to obtain the license information and the UKey serial number, the license information comprising a client name, a license period and a maximum number of virtual desktops;
S25) if client name 1 is the same as the client name, license period 1 is the same as the license period, maximum virtual desktop number 1 is the same as the maximum number of virtual desktops, and UKey serial number 1 is the same as the UKey serial number, proceeding to the next step, otherwise ending and exiting;
S26) storing authorization code 1, and storing license information 1 (or the license information) in the database and memory of the virtual desktop management system.
6. The virtual desktop authorization permission method based on the combination of software and hardware according to claim 1, wherein step S3) specifically comprises:
S31) acquiring the current virtual desktop start request and reading the license information from the database of the virtual desktop management system;
S32) judging whether the license period in the license information is still valid; if so, proceeding to the next step, otherwise refusing to start the virtual desktop and exiting;
S33) judging whether the current virtual desktop authorization count is less than the maximum number of virtual desktops in the license information; if so, proceeding to the next step, otherwise refusing to start the virtual desktop and exiting;
S34) allowing the current virtual desktop to start, having it occupy one virtual desktop authorization, and updating the virtual desktop authorization count;
S35) monitoring all started virtual desktops; when one of them shuts down, releasing the virtual desktop authorization it occupied and updating the virtual desktop authorization count.
7. The virtual desktop authorization permission method based on the combination of software and hardware according to claim 1, wherein judging whether the UKey device is the correct device in steps S1) and S2) specifically comprises: opening the UKey device, reading the developer ID and developer password of the UKey device, and verifying whether they are correct; if so, the UKey device is judged to be the correct device, otherwise it is judged to be the wrong device.
8. A virtual desktop authorization permission device based on the combination of software and hardware, characterized by comprising:
an authorization code production tool module, used to judge whether the UKey device is the correct device and, if so, to encrypt the license information into an authorization code, read the hardware serial number of the UKey device as the UKey serial number, load and run the UKey security module in the UKey device, and have it encrypt the authorization code and the UKey serial number and write the result into the UKey security zone;
a virtual desktop management system module, used to obtain the client name 0 and authorization code 1 entered by the user, parse authorization code 1 to obtain license information 1, judge whether the UKey device is the correct device and, if so, read the hardware serial number of the UKey device as UKey serial number 1, load and run the UKey security module in the UKey device to read the information in the UKey security zone and decrypt it into license information and a UKey serial number, and, if the license information is the same as license information 1 and the UKey serial number is the same as UKey serial number 1, store authorization code 1 and the corresponding license information in the database of the virtual desktop management system; the virtual desktop management system module is further used to obtain a virtual desktop start request, read the license information from the database of the virtual desktop management system and, if the license period in the license information is valid and the current virtual desktop authorization count is less than the maximum number of virtual desktops in the license information, allow the virtual desktop to start and increment the current virtual desktop authorization count by one, otherwise refuse to start the virtual desktop, and to release the occupied virtual desktop authorization when the virtual desktop shuts down;
and a UKey device, used to provide the running environment of the UKey security module and to store the encrypted authorization code and UKey serial number.
9. A virtual desktop authorization permission device based on the combination of software and hardware, characterized by comprising a computer device programmed or configured to execute the virtual desktop authorization permission method based on the combination of software and hardware according to any one of claims 1 to 7.
10. A computer-readable storage medium storing a computer program programmed or configured to perform the virtual desktop authorization permission method based on the combination of software and hardware according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011314899.6A CN112486607B (en) 2020-11-20 2020-11-20 Virtual desktop authorization permission method based on combination of software and hardware

Publications (2)

Publication Number Publication Date
CN112486607A CN112486607A (en) 2021-03-12
CN112486607B true CN112486607B (en) 2022-04-29

Family

ID=74932998

Country Status (1)

Country Link
CN (1) CN112486607B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113139171B (en) * 2021-03-29 2022-07-08 聚融医疗科技(杭州)有限公司 Method and system for controlling software license and hardware license of ultrasonic diagnosis system
CN113569205A (en) * 2021-06-25 2021-10-29 合肥综合性国家科学中心人工智能研究院(安徽省人工智能实验室) SDK software interface service authorization method and device
CN115189929A (en) * 2022-06-27 2022-10-14 苏州华兴源创科技股份有限公司 Method, device, computer equipment and storage medium for authorization authentication

Citations (4)

Publication number Priority date Publication date Assignee Title
CN101072102A (en) * 2007-03-23 2007-11-14 南京联创网络科技有限公司 Information leakage preventing technology based on safety desktop for network environment
CN107291432A (en) * 2016-04-01 2017-10-24 中兴通讯股份有限公司 Cloud desktop management-control method, device and cloud desktop access method, device
CN107689943A (en) * 2016-08-04 2018-02-13 深圳市深信服电子科技有限公司 A kind of method of data encryption, user terminal, server and system
CN111782319A (en) * 2020-06-16 2020-10-16 贵州省广播电视信息网络股份有限公司 System and method for realizing shared access by mounting USBKey on cloud desktop

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US9306954B2 (en) * 2011-06-30 2016-04-05 Cloud Security Corporation Apparatus, systems and method for virtual desktop access and management
US20160077685A1 (en) * 2014-09-15 2016-03-17 Microsoft Technology Licensing, Llc Operating System Virtual Desktop Techniques

Non-Patent Citations (2)

Title
Research and implementation of a USB-Key-based identity authentication and access control system; 李骥龙; China Masters' Theses Full-text Database, Information Science and Technology; 2019-06-15; full text *
Research on VOI-based desktop virtualization; 何钦淋; Information Security and Communications Privacy; 2013-05-10 (No. 5); full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant