CN113572601B - VNC remote safety communication method based on national secret TLS - Google Patents

Abstract

The invention discloses a VNC remote secure communication method based on national secret TLS, which comprises the steps of carrying out national secret algorithm adaptation on a TLS protocol; performing national encryption algorithm adaptation on the VNC; entering a handshake request stage, and judging whether the version number supported by the server is compatible with the version number sent by the client; entering a negotiation stage, and determining the security type of the connection between the server and the client; entering a TLS key authentication stage, and judging whether the random number sent to the client by the server is consistent with the random number obtained by decryption of the SM2 algorithm by the server; entering an initialization stage, wherein a client sends ClientInit initialization information to a server, and the server returns ServerInit initialization information; and entering an interaction stage, and sending an operation instruction of the client to the server. According to the invention, TLS encryption based on national security is used on the basis of VNC remote control, so that the security transmission service and remote access service are improved, and the security of transmission of operation instructions such as a mouse and a keyboard and result display in the remote control process is ensured.

Description

VNC remote safety communication method based on national secret TLS

Technical Field

The invention relates to the technical field of network security, in particular to a VNC remote security communication method based on national security TLS.

Background

In new years of computer and network technology, the continual innovation of network technology has led to the fact that people's office locations are no longer limited to the desks of corporate buildings. The remote desktop is raised to enable the office of an enterprise to realize different places, and the office is away from home or business trip to remotely log in the personal computer of the company at any time to perform a series of operations, so that the IT operation and maintenance personnel particularly use the remote desktop to manage the server.

There are three types of remote desktop protocols currently in use, RFB in SPICE, RDP, VNC. The RFB protocol in the VNC is suitable for windows systems and Linux graphic desktop systems, consumes less network traffic and is commonly used around 100K. VNCs were developed by the AT & T laboratory under GPL (General Public License) authority, and the software was freely available to anyone. The VNC software is composed of two parts: VNC server and VNC viewer. After a user installs the VNC server on a remotely controlled computer, the user can execute the VNC viewer at the master control end to perform remote control. VNC employs RFB communication protocol, RFB (remote frame buffer) is a simple protocol for a remote graphic user, and since it works on the frame buffer level, it can be applied to all window systems, and its use is very wide.

The RFB protocol has a vulnerability of allowing the client to negotiate an authentication method with the server, and a man-in-the-middle can remotely access the server by bypassing authentication and selecting a password-free mode. For example, security types supported by VNC are None authentication (no password is required), and protocols are sent using plaintext; VNC authentication, wherein protocol data adopts plaintext, and a server side sends 16 a random number encrypted by DES; TLS authentication, which uses TLS protocol authentication to transfer protocol data after encryption. If the server sends all the supported security types, the man-in-the-middle forces the client to select the security type as None authentication to send to the server, so that the client can be easily forged to access the server, and the security performance of the security transmission service and the remote access service is further reduced.

In addition, the traditional TLS authentication adopts an international RSA algorithm for encryption, and the security of the RSA algorithm is seriously threatened along with the improvement of the running speed of a computer, so that the TLS authentication supported by the VNC is easier to decrypt.

Disclosure of Invention

Based on the above, the invention aims to provide a VNC remote security communication method based on national security TLS, which improves security transmission service and remote access service and ensures security of operation command transmission and result display of a mouse and a keyboard in a remote control process.

In order to solve the technical problems, the invention adopts the following technical scheme:

the invention provides a VNC remote security communication method based on national security TLS, which comprises the following steps:

step S110, performing national encryption algorithm adaptation on the TLS protocol, and integrating the national encryption algorithm into the TLS protocol for secure communication;

step S120, performing national encryption algorithm adaptation on the VNC, and integrating the national encryption algorithm into the VNC for safety communication;

step S130, entering a handshake request stage, judging whether the version number supported by the server is compatible with the version number sent by the client, if not, disconnecting the server from the client; if yes, go to step S140;

step S140, entering a negotiation stage, and determining the security type of the connection between the server and the client;

step S150, entering a TLS key authentication stage, and judging whether the random number sent to the client by the server is consistent with the random number obtained by decryption of the SM2 algorithm by the server; if not, closing the connection between the server and the client; if yes, go to step S160;

step S160, entering an initialization stage, wherein the client sends ClientInit initialization information to the server, and the server returns ServerInit initialization information;

step S170, entering an interaction stage, sending an operation instruction of the client to the server, and controlling the server to perform corresponding operation and result display.

In one embodiment, the method of step S130 includes:

the server side sends version protocol information to the client side;

after receiving the version protocol information, the client randomly transmits one version number of the client to negotiate with the server;

judging whether the version number supported by the server is compatible with the version number sent by the client, if not, disconnecting the server from the client; if yes, go to step S140; wherein, the version number is added with GM prefix.

In one embodiment, the security type in step S140 is TLS authentication, where the TLS authentication is a national secret TLS authentication after the national secret algorithm is integrated into the TLS protocol.

In one embodiment, the method of step S140 includes the specific operations of:

the server side sends appointed TLS authentication information to the client side, and informs the client side to authenticate in a TLS encryption mode;

after receiving the appointed TLS authentication information, the client sends returned information with the security type of TLS authentication to the server, and the negotiation stage operation is realized.

In one embodiment, the TLS encryption is based on a TLS encryption implemented by a domestic cipher suite SM2-SM3-SM 4.

In one embodiment, the method of step S150 specifically includes:

entering a TLS key authentication stage, and sending random number information to a client by a server;

the client encrypts the random number through TLS and uses the VNC connection password as a key to generate a return message through encryption processing, and the return message is sent to the server;

the server decrypts the returned message through SM2 algorithm to obtain another random number;

judging whether the random number sent to the client by the server is consistent with the random number obtained by decryption of the SM2 algorithm by the server; if not, closing the connection between the server and the client; if yes, go to step S160.

In one embodiment, the VNC connection password is a password that the client is required to input when accessing the server.

In one embodiment, the method for entering the TLS key authentication stage in step S150 specifically includes:

applying for authentication;

auditing information;

issuing a certificate;

TLS handshake;

the server sends the certificate;

verifying a server certificate;

key agreement; the client sends the random number and encrypts and sends the random number to the server by using the public key of the certificate, and obtains a negotiation key, wherein the generation of the negotiation key is obtained through the calculation of an SM2 signature algorithm, and parameters used when the negotiation key is calculated through the SM2 signature algorithm comprise the hashed random number plus the length of the encrypted certificate and the certificate.

In one embodiment, the method of TLS handshake includes the specific operations of:

the Client sends Client Hello information to the server, wherein the Client Hello information comprises a generated random number random_c and an encryption algorithm supported by the Client, and the encryption algorithm comprises a domestic cipher suite SM2-SM3-SM4; after the Client Hello information is received by the Server, the random number ramdom_s is obtained through an SM2-SM3-SM4 algorithm supported by the Server, and the Server Hello information is returned to the Client, so that the TLS handshake operation is completed.

In one embodiment, the method for verifying the server certificate specifically includes:

the client reads plaintext information in the certificate sent by the server, calculates to obtain a message digest of the certificate by adopting an SM3 hash function, decrypts the signature data digest by utilizing an SM2 public key of a CA mechanism trusted by the client, and compares the decrypted signature data digest with the message digest of the certificate; the CA mechanism trusted by the client verifies whether the domain name information and the effective time of the certificate are revoked, so that the verification operation of the server certificate is realized.

In summary, according to the VNC remote secure communication method based on the national secret TLS provided by the present invention, by using the national secret TLS encryption based on the VNC remote control, the encryption security is higher in the authentication stage in the process of establishing the connection between the client and the server of the VNC, the server verifies the connection of the client, prevents the man in the middle from masquerading the connection of the client and controlling the attack server, improves the security transmission service and the remote access service, and ensures the security of the transmission of the operation instructions such as the mouse and the keyboard and the result display in the remote control process.

Drawings

Fig. 1 is a flow chart of a VNC remote secure communication method based on national security TLS according to an embodiment of the present invention.

Detailed Description

In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.

Fig. 1 is a flow chart of a first VNC remote security communication method based on TLS, which is provided in an embodiment of the present invention, as shown in fig. 1, and specifically includes the following steps:

step S110, performing national cryptographic algorithm adaptation on the TLS protocol, merging the national cryptographic algorithm into the TLS protocol for secure communication, and realizing data security with signature speed obviously superior to that of the traditional RSA algorithm and equivalent to 2048-bit security level of the RSA algorithm by using a shorter key length; specifically, the cipher_suite. Go and key_agreement. Go files in the TLS protocol source code are modified to adapt to the SM2 cryptographic algorithm, so that the TLS protocol supports the cryptographic algorithm and performs signature verification on the transmission data.

Step S120, performing national cryptographic algorithm adaptation on the VNC, and integrating the national cryptographic algorithm into the VNC for safety communication, so as to increase the national cryptographic algorithm adaptation in the VNC when the authentication type of the VNC is TLS authentication; specifically, when the auth.c file in the VNC source code is of the type of auth.c type authentication, performing adaptation of the domestic cipher suite SM2-SM3-SM4 on auth.c files in the VNC source code of the client and the server, and adding a GM (national cipher) prefix to the version number of the VNC to represent a version number adaptation national cipher algorithm.

Wherein, step S120 may be set before step S110, and the sequence relationship between step S120 and step S110 does not affect the specific implementation effect of the VNC remote security communication method based on national security TLS of the present invention.

Step S130, entering a handshake request stage, judging whether the version number supported by the server is compatible with the version number sent by the client, if not, disconnecting the server from the client; if yes, go to step S140.

Specifically, step S130 is performed, a handshake request stage is entered, whether the version number supported by the server is compatible with the version number sent by the client is judged, if not, the connection between the server and the client is disconnected; if yes, the method of step S140 is executed, and specific operations include:

the server side sends version protocol information to the client side; the version protocol information is the highest version number information of the VNC which can be supported by the server side;

after receiving the version protocol information, the client randomly transmits one version number of the client to negotiate with the server; specifically, the version numbers supported by the VNC release at present are 3.3, 3.7 and 3.8, and in this embodiment, the most commonly used version numbers 3.8 and 003.008 are selected for transmission.

Judging whether the version number supported by the server is compatible with the version number sent by the client, if not, disconnecting the server from the client; if yes, go to step S140; wherein, the version number is added with GM prefix.

Step S140, entering a negotiation stage, and determining the security type of the connection between the server and the client, wherein the security type is TLS authentication, and the TLS authentication is national secret TLS authentication after a national secret algorithm is integrated into a TLS protocol.

Specifically, the step S140 is a method for determining a security type of connection between the server and the client after entering a negotiation stage, and the specific operations include:

the server side sends appointed TLS authentication information to the client side, and informs the client side to authenticate in a TLS encryption mode; in this embodiment, the version VNC3.8 supports TLS encryption type, and the TLS encryption mode is TLS encryption implemented based on the domestic cipher suite SM2-SM3-SM4, and the corresponding command is: vncserver-securitytypes= VeNCrypt, TLSVnc, when set, the client is required to input a password to access the server;

after receiving the appointed TLS authentication information, the client sends returned information with the security type of TLS authentication to the server, and the negotiation stage operation is realized.

In the specific operation in step S130 and step S140, the server sends the supported security types to the client, where the security types include 0:invaid, 1:none non-authentication, 2:vnc authentication, 18:tls authentication, and the like, and security type 0 indicates a connection failure, and the server returns a failure reason, for example, the server does not support the version number of the client request; the security type 1 is password-free authentication; the security type 2 is plaintext transmission, and only the TLS encrypted transmission of the security type 18 can achieve the purpose of secure transmission, so that the server side sends information of the security type TLS authentication to the client side, the client side is informed to authenticate in a TLS encrypted mode, and the client side replies the same security type to the server side to indicate confirmation.

Step S150, entering a TLS key authentication stage, and judging whether the random number sent to the client by the server is consistent with the random number obtained by decryption of the SM2 algorithm by the server; if not, returning an authorization result of 1 to indicate that the authorization fails, and closing the connection between the server and the client; if yes, the authorization result is returned to be 0, and step S160 is executed.

Specifically, the method of step S150 includes the specific operations of:

entering a TLS key authentication stage, and sending random number information to a client by a server; the random number information sent by the server is a sixteen-byte random number;

the client encrypts the random number through TLS and uses the VNC connection password as a key to generate a return message through encryption processing, and the return message is sent to the server; the TLS encryption is realized based on domestic cipher suite SM2-SM3-SM4, and is encryption by taking a SM2 algorithm to encrypt a random number and a VNC connection cipher as a key, and further, the TLS encryption is encryption by taking an SM2 elliptic curve public key cipher algorithm to encrypt the random number and the VNC connection cipher, wherein the VNC connection cipher is a cipher required to be input by a client when the client accesses a server.

The server decrypts the returned message through SM2 algorithm to obtain another random number;

judging whether the random number sent to the client by the server is consistent with the random number obtained by decryption of the SM2 algorithm by the server; if not, returning an authorization result of 1 to indicate that the authorization fails, and closing the connection between the server and the client; if yes, the authorization result is returned to be 0, and step S160 is executed.

In one embodiment, the method for entering the TLS key authentication stage in step S150 specifically includes:

application authentication: the server generates a public key (pub_ svr) and a private key (pri_ svr) by using an SM2 encryption algorithm in the GMSL, generates a request file (csr) by using an SM3 signature algorithm according to the public key, and submits the request file to a CA mechanism, wherein the request file contains information such as the public key, organization information, personal information (domain name) and the like; the CA mechanism is built by compiled GMSL, and also has the functions of issuing certificates, signing and verifying labels, simulating users and issuing mechanisms, checking certificates and the like;

auditing information: auditing the applicant information by using a CA organization to verify the authenticity of the provided information and whether the certificate format is in a standard x509 format;

issuing a certificate: when the applicant information audit passes, the CA mechanism issues an authentication file, namely a certificate, to the applicant, wherein the certificate comprises the following information: the public key of the applicant, the organization information and personal information of the applicant, the information of the issuing mechanism, namely the CA mechanism, the validity time, the certificate serial number and other information plaintext are contained with a signature; the signature generation method comprises the steps of firstly calculating a message digest of the disclosed plaintext information by using an SM3 digest algorithm, and then encrypting the message digest by using a private key of a CA mechanism to obtain a ciphertext, namely a signature;

TLS handshake: the Client sends Client Hello information to the server, wherein the Client Hello information comprises a generated random number random_c and an encryption algorithm supported by the Client, and the encryption algorithm comprises a domestic cipher suite SM2-SM3-SM4; after receiving Client Hello information, the Server receives random numbers ramdom_s through an SM2-SM3-SM4 algorithm supported by the Server, and returns Server Hello information to the Client to complete TLS handshake operation;

the server sends a certificate: the national secret specification defines that two certificates, a signature certificate and an encryption certificate (a double-certificate system) need to be sent when the certificate is sent; just as in the standard TLS message format, the first certificate is a signed certificate and the second certificate is an encrypted certificate;

and (3) checking a server certificate: the client reads the related plaintext information in the certificate sent by the server, calculates to obtain the information abstract of the certificate by adopting an SM3 hash function, then decrypts the signature data abstract by utilizing the SM2 public key of the CA mechanism trusted by the client, compares the decrypted signature data abstract with the information abstract of the certificate, and can confirm the validity of the certificate, namely the public key is legal if the decrypted signature data abstract is consistent with the information abstract of the certificate; the CA mechanism trusted by the client verifies the domain name information, the effective time, the revocation information and the like of the certificate so as to realize the verification operation of the certificate of the server;

key agreement: the client sends the random number and encrypts and sends the random number to the server by using the public key of the certificate, and obtains a negotiation key, wherein the generation of the negotiation key is obtained through the calculation of an SM2 signature algorithm, and parameters used when the negotiation key is calculated through the SM2 signature algorithm comprise the hashed random number plus the length of the encrypted certificate and the certificate.

Specifically, the client sends client_key_exchange and change_cipher_spec and encrypted_handleshake_message to perform key negotiation, the client generates a random number hash_in and a data length hash_len for the client, encrypts and sends the random number hash_in and the data length hash_len to the server by using a certificate public key, and obtains a negotiation key, and the calculation is shown as follows:

Sm2_sign(random_c+random_s+hash_len+hash_in)；

the change_cipher_spec informs the server of the subsequent communication of the client side, and the subsequent communication is carried out by adopting a negotiation key and an SM2-SM3-SM4 encryption algorithm; the encrypted_handleshake_message is used for generating a piece of data for the client to combine the hash values of all communication parameters and other related information before, encrypting by adopting a negotiation key and an SM2 algorithm, and then sending the encrypted data to a server for data and handshake verification;

the server decrypts the random number hansh_in sent by the client by using the private key, obtains a random number length hash_len, and calculates a negotiation key based on the random_c and the ramdom_s obtained by the exchange.

In this embodiment, after the certificate of the server passes the verification, the server also sends a change_cipher_spec to the client to inform the client that the subsequent communications all adopt the negotiation key to carry out encrypted communications with the SM2-SM3-SM4 encryption algorithm.

Step S160, entering an initialization stage, wherein the client sends ClientInit initialization information to the server, and the server returns ServerInit initialization information, wherein the ServerInit initialization information comprises the height, width, pixel format, desktop name and the like of a frame buffer of the server.

Step S170, entering an interaction stage, and sending operation instructions such as keyboard and mouse operations of the client to the server so as to control the server to perform corresponding operations and result display; wherein, the keyboard of the client sends the operation instruction to the server through the key symbol value (keysym value), each key of the mouse button adopts the 1 to 8 bit mask to mark the operation instruction to send to the server, 0 represents loosening, and 1 represents pressing.

In this embodiment, since the SM2 asymmetric encryption algorithm is used in the TLS key authentication stage, the speed is relatively slow, so as to improve the information transmission rate; after entering the interaction stage, the operation instructions such as a mouse, a keyboard and the like sent by the client are encrypted by an SM4 algorithm and then sent to the server, so that the server is correspondingly controlled.

According to the invention, TLS encryption based on national security is used on the basis of VNC remote control, so that the international universal RSA algorithm which is used daily and is easy to be attacked by a man in the middle is changed into the national security algorithm, and the safety and controllability of information communication such as VNC instructions are ensured; in addition, the key negotiation part aiming at the root of TLS secure communication is improved, for example, a signature encryption algorithm uses an SM2 asymmetric encryption algorithm, an SM3 hash algorithm is used for information abstract verification integrity, an SM4 symmetric encryption algorithm is used for encrypted data transmission, and a VNC is combined with a national encryption-based algorithm, so that encryption security is higher in an authentication stage in the connection process of a client of the VNC and a server, the server verifies the connection of the client, the impersonation of a man in the middle is prevented from connecting the client and controlling an attack server, secure transmission service and remote access service are improved, and the security of transmission of operation commands and result display of a mouse and a keyboard in the remote control process is ensured.

In order to further clarify the technical solution of the present invention, preferred embodiments are explained below.

Step S110, performing national encryption algorithm adaptation on the TLS protocol, and integrating the national encryption algorithm into the TLS protocol for secure communication;

step S120, performing national encryption algorithm adaptation on the VNC, and integrating the national encryption algorithm into the VNC for safety communication;

step S130, entering a handshake request stage, judging whether the version number supported by the server is compatible with the version number sent by the client, if not, disconnecting the server from the client; if yes, go to step S140;

step S140, entering a negotiation stage, and determining the security type of the connection between the server and the client;

step S150, entering a TLS key authentication stage, and judging whether the random number sent to the client by the server is consistent with the random number obtained by decryption of the SM2 algorithm by the server; if not, closing the connection between the server and the client; if yes, go to step S160;

step S160, entering an initialization stage, wherein the client sends ClientInit initialization information to the server, and the server returns ServerInit initialization information;

step S170, entering an interaction stage, sending an operation instruction of the client to the server, and controlling the server to perform corresponding operation and result display.

In summary, according to the VNC remote secure communication method based on the national secret TLS, by using the national secret TLS encryption based on the VNC remote control, the encryption security is higher in the authentication stage in the process of establishing the connection between the client and the server of the VNC, the server verifies the connection of the client, prevents the impersonation of a man in the middle from connecting the client and controlling the attack server, improves the security transmission service and the remote access service, and ensures the security of the transmission of operation instructions such as a mouse and a keyboard and the like and the result display in the remote control process.

Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

In the several embodiments provided by the present invention, it should be understood that the disclosed systems and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative. For example, the division of each unit is only one logic function division, and there may be another division manner in actual implementation. For example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed.

The steps in the method of the embodiment of the invention can be sequentially adjusted, combined and deleted according to actual needs. The units in the device of the embodiment of the invention can be combined, divided and deleted according to actual needs. In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated unit may be stored in a storage medium if implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, the technical solution of the present invention is essentially or a part contributing to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a terminal, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention.

The above examples merely represent a few embodiments of the present invention, which are described in more detail and are not to be construed as limiting the scope of the present invention. It should be noted that it will be apparent to those skilled in the art that several variations and modifications can be made without departing from the spirit of the invention, which are all within the scope of the invention. Accordingly, the scope of the invention should be assessed as that of the appended claims.

Claims (8)

1. The VNC remote safety communication method based on the national secret TLS is characterized by comprising the following steps of:

step S110, performing national encryption algorithm adaptation on the TLS protocol, and integrating the national encryption algorithm into the TLS protocol for secure communication;

step S120, performing national encryption algorithm adaptation on the VNC, and integrating the national encryption algorithm into the VNC for safety communication;

step S130, entering a handshake request stage, judging whether the version number supported by the server is compatible with the version number sent by the client, if not, disconnecting the server from the client; if yes, go to step S140;

step S140, entering a negotiation stage, and determining the security type of the connection between the server and the client;

step S150, entering a TLS key authentication stage, and judging whether the random number sent to the client by the server is consistent with the random number obtained by decryption of the SM2 algorithm by the server; if not, closing the connection between the server and the client; if yes, go to step S160;

step S160, entering an initialization stage, wherein the client sends ClientInit initialization information to the server, and the server returns ServerInit initialization information;

step S170, entering an interaction stage, sending an operation instruction of the client to the server, and controlling the server to perform corresponding operation and result display;

the security type in step S140 is TLS authentication, where the TLS authentication is a national secret TLS authentication after the national secret algorithm is integrated into the TLS protocol;

the method of step S150 specifically includes:

entering a TLS key authentication stage, and sending random number information to a client by a server;

the client encrypts the random number through TLS and uses the VNC connection password as a key to generate a return message through encryption processing, and the return message is sent to the server;

the server decrypts the returned message through SM2 algorithm to obtain another random number;

judging whether the random number sent to the client by the server is consistent with the random number obtained by decryption of the SM2 algorithm by the server; if not, closing the connection between the server and the client; if yes, go to step S160.

2. The VNC remote security communication method based on national security TLS according to claim 1, wherein the method of step S130 comprises:

the server side sends version protocol information to the client side;

after receiving the version protocol information, the client randomly transmits one version number of the client to negotiate with the server;

judging whether the version number supported by the server is compatible with the version number sent by the client, if not, disconnecting the server from the client; if yes, go to step S140; wherein, the version number is added with GM prefix.

3. The VNC remote security communication method based on national security TLS according to claim 1, wherein the method of step S140 specifically comprises the following steps:

the server side sends appointed TLS authentication information to the client side, and informs the client side to authenticate in a TLS encryption mode;

after receiving the appointed TLS authentication information, the client sends returned information with the security type of TLS authentication to the server, and the negotiation stage operation is realized.

4. A VNC remote security communication method based on national security TLS according to claim 3, wherein: the TLS encryption mode is realized based on domestic cipher suite SM2-SM3-SM 4.

5. The VNC remote security communication method based on national security TLS according to claim 1, wherein: the VNC connection password is a password required to be input by the client when the client accesses the server.

6. The VNC remote security communication method based on national security TLS according to claim 1, wherein the method for entering the TLS key authentication phase in step S150 comprises the following specific operations:

applying for authentication;

auditing information;

issuing a certificate;

TLS handshake;

the server sends the certificate;

verifying a server certificate;

key agreement; the client sends the random number and encrypts and sends the random number to the server by using the public key of the certificate, and obtains a negotiation key, wherein the generation of the negotiation key is obtained through the calculation of an SM2 signature algorithm, and parameters used when the negotiation key is calculated through the SM2 signature algorithm comprise the hashed random number plus the length of the encrypted certificate and the certificate.

7. The VNC remote security communication method based on national security TLS of claim 6, wherein the TLS handshake specifically comprises:

the Client sends Client Hello information to the server, wherein the Client Hello information comprises a generated random number random_c and an encryption algorithm supported by the Client, and the encryption algorithm comprises a domestic cipher suite SM2-SM3-SM4; after the Client Hello information is received by the Server, the random number ramdom_s is obtained through an SM2-SM3-SM4 algorithm supported by the Server, and the Server Hello information is returned to the Client, so that the TLS handshake operation is completed.

8. The VNC remote security communication method based on national security TLS according to claim 6, wherein the method for verifying the server certificate specifically comprises the following steps:

the client reads plaintext information in the certificate sent by the server, calculates to obtain a message digest of the certificate by adopting an SM3 hash function, decrypts the signature data digest by utilizing an SM2 public key of a CA mechanism trusted by the client, and compares the decrypted signature data digest with the message digest of the certificate; the CA mechanism trusted by the client verifies whether the domain name information and the effective time of the certificate are revoked, so that the verification operation of the server certificate is realized.