CN115865907A - Secure communication method between desktop cloud server and terminal - Google Patents

Secure communication method between desktop cloud server and terminal

Info

Publication number
CN115865907A
Authority
CN
China
Prior art keywords
server
terminal
session
virtual desktop
key
Prior art date
Legal status
Pending
Application number
CN202211480165.4A
Other languages
Chinese (zh)
Inventor
范犇
田阳柱
徐红星
Current Assignee
Changjiang Quantum Wuhan Technology Co ltd
Original Assignee
Changjiang Quantum Wuhan Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Changjiang Quantum Wuhan Technology Co ltd
Priority to CN202211480165.4A
Publication of CN115865907A

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L67/00 Network arrangements or protocols for supporting network services or applications > H04L67/01 Protocols > H04L67/08 Protocols specially adapted for terminal emulation, e.g. Telnet
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords > H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use > H04L9/0852 Quantum cryptography

Abstract

The invention provides a secure communication method between a desktop cloud server and a terminal. Virtual desktop resources are stored on the server. After the terminal, in secure mode, sends an authentication request to the server and passes authentication, the server opens the virtual desktop resources matched to the terminal's authentication information and maps the virtual desktop image onto the terminal. When those resources reside on a first server while the terminal is networked to a second server, an application session with the first server is established through the second server; a key management platform (rendered "crypto-pipe platform" or "crypto-tube platform" in the machine translation) distributes the session key used for encryption and decryption to the first and second servers on the basis of the session ID, and that session key is generated by QKD equipment and is therefore truly random.

Description

Secure communication method between desktop cloud server and terminal
This application is a divisional application of the patent application filed on 22 September 2022 under application number CN202211156166.3, titled "Secure communication method between desktop cloud server and terminal".
Technical Field
The invention relates to the field of desktop cloud technology, and in particular to a secure communication method between a desktop cloud server and a terminal.
Background
A desktop cloud keeps data off the local device and so offers users mobile office; it is a new way of working that replaces the traditional computer, with user data stored on the server. In the prior art the server only verifies the user's login password before opening the associated virtual desktop resources, and once verification passes the data exchanged between server and terminal is transmitted without any confidentiality processing, so the transmitted data is very poorly protected and easy for attackers to steal. Also in the prior art, file confidentiality is achieved by installing encryption software on the terminal, which encrypts every file on the terminal and makes editing and sending non-confidential files cumbersome; in other words, a terminal that contains both an unencrypted normal operating system and a fully encrypted secure operating system, and can switch between them so as to satisfy secure-office requirements while still allowing outgoing files to be edited freely, has not been disclosed. Finally, in the prior art a file encrypted by one terminal can, as long as it has not been decrypted, be opened normally on any other terminal that has the authorized encryption software installed or knows the file's opening password; there is no way to restrict an encrypted file to one particular terminal before it is decrypted, so the user's requirement of exclusive rights over the terminal they hold cannot be met.
Disclosure of Invention
To overcome the defects and shortcomings of the prior art, the invention provides a secure communication method between a desktop cloud server and a terminal. Virtual desktop resources are stored on the server; after the terminal, in secure mode, sends an authentication request to the server and passes authentication, the server opens the virtual desktop resources matched to the terminal's authentication information and maps the virtual desktop image onto the terminal. When the virtual desktop resources matched to the terminal's authentication information are located on a first server while the terminal is networked to a second server, the secure communication method comprises the following steps:
S106: the second server establishes an application session with the first server, generating a third session ID;
S107: a second encryption machine communicatively connected to the second server carries the third session ID and the cloud ID associated with the authentication information to apply to a second key management platform for session key-C, encrypts with session key-C the access request that the second server sends to the first server, and sends the access request to the first server;
S108: after the first server verifies the cloud ID, it applies to a first key management platform, on the basis of the third session ID, for session key-c, decrypts the access request with it, and calls up the virtual desktop matched to the cloud ID;
S109: the first server encrypts the virtual desktop image with session key-c and transmits it to the second server, and the second server decrypts it with session key-C and passes it on to the terminal;
where the first platform comprises a QKD1 device and the second platform a QKD2 device, session key-C being generated by the QKD2 device and session key-c by the QKD1 device.
Further, before step S106 is performed, the secure communication method also includes: the terminal establishes an application session with the second server, generating a second session ID; the terminal encrypts the second session ID with a protection key formed from the quantum key, and sends the identity code of its security chip together with the second session ID ciphertext to the second key management platform to obtain session key-B; the user enters authentication information at the terminal, which is encrypted with session key-B and transmitted to the second server; the second encryption machine carries the second session ID to apply to the second key management platform for session key-b, with which the authentication information is decrypted; and the second server finds that the virtual desktop resource matched to the authentication information is located on the first server and initiates an access request to the first server.
Further, the terminal's main control unit writes a key parameter into the data header of the data to be encrypted and sends that data to the security chip, and the security chip generates the protection key from the quantum key stored inside it according to the key parameter.
Further, there are several servers, comprising a master server and at least one slave server; a key management platform is deployed alongside each server and communicatively connected to it, and the key management platforms communicate with one another over optical fibre or a quantum satellite, so that QKD1 and QKD2 distribute the session key according to a preset protocol.
Further, after the terminal is networked to a server, if the virtual desktop the terminal is entitled to access is not obtained from the connected server, the connected server sends a query request to the master server, the master server reports the location of the virtual desktop to the connected server, and the connected server initiates an access request to the server that holds the virtual desktop.
Further, the master server records the correspondence between authentication information and cloud ID, the cloud ID records which server holds the virtual desktop matched to the terminal, and both the master server and the slave servers record the authentication information of the terminal.
Further, there are several servers and each records the correspondence between authentication information and cloud ID; if the connected server differs from the server holding the virtual desktop, the identity of the server holding the virtual desktop can be obtained directly from the connected server, which then initiates access to the server holding the virtual desktop.
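The cross-server path of steps S106 to S109, together with the master-server location lookup of the preceding paragraphs, as an added illustration that is not part of the patent. Everything in it is constructed: the two key management platforms are modelled as sharing one QKD key pool object, standing in for QKD1 and QKD2 delivering identical key material over the fibre or satellite link and agreeing, by the "preset protocol", on which slice of it serves a given session ID; the session key is consumed as a one-time pad split into a request half and an image half, a choice the patent does not specify; and the class, method and identifier names (QkdKeyPool, DesktopServer, the "OPEN" request string, the cloud-7 desktop) are assumptions of this example.

```python
import secrets

SESSION_KEY_LEN = 128   # assumption: 64 bytes per direction; the specification gives no length for key-C


class QkdKeyPool:
    """Key material QKD1/QKD2 leave identical at both key management platforms (constructed with OS randomness)."""

    def __init__(self, material):
        self.material, self.next_free, self.by_session = material, 0, {}

    def key_for(self, session_id):
        """Preset protocol (assumed): the first request for a session ID binds it to the next unused slice."""
        if session_id not in self.by_session:
            if self.next_free + SESSION_KEY_LEN > len(self.material):
                raise RuntimeError("QKD key pool exhausted")
            self.by_session[session_id] = self.next_free
            self.next_free += SESSION_KEY_LEN
        off = self.by_session[session_id]
        return self.material[off:off + SESSION_KEY_LEN]


def make_qkd_pool():
    return QkdKeyPool(secrets.token_bytes(8192))


class KeyManagementPlatform:
    """One platform beside each server; both see the same pool, as if fed by the QKD link."""

    def __init__(self, name, pool):
        self.name, self.pool = name, pool

    def session_key(self, session_id):
        return self.pool.key_for(session_id)


def otp(key, data):
    """One-time pad under QKD key (assumed use of the session key); each key half is used once, for one direction."""
    if len(data) > len(key):
        raise ValueError("message longer than the one-time key")
    return bytes(a ^ b for a, b in zip(data, key))


class MasterServer:
    """Records authentication info -> cloud ID and cloud ID -> holding server, the target of the location query."""

    def __init__(self):
        self.cloud_ids, self.locations = {}, {}

    def enrol(self, auth_info, cloud_id, server_name):
        self.cloud_ids[auth_info] = cloud_id
        self.locations[cloud_id] = server_name


class DesktopServer:
    def __init__(self, name, kmp, master, desktops=None):
        self.name, self.kmp, self.master = name, kmp, master
        self.desktops = desktops or {}     # cloud ID -> virtual desktop image (constructed bytes)
        self.session_counter = 0

    def handle_access(self, session_id, cloud_id, request_ct):
        """First-server side (S108/S109): verify the cloud ID, fetch key-c, decrypt, answer under key-c."""
        if cloud_id not in self.desktops:
            raise PermissionError(f"{self.name}: no desktop for cloud ID {cloud_id!r}")
        key_c = self.kmp.session_key(session_id)
        if otp(key_c[:64], request_ct) != b"OPEN " + cloud_id:
            raise PermissionError(f"{self.name}: access request does not match the cloud ID")
        return otp(key_c[64:], self.desktops[cloud_id])

    def serve(self, auth_info, servers):
        """Connected-server side: look the desktop up via the master; if it is elsewhere, run S106-S109."""
        cloud_id = self.master.cloud_ids[auth_info]
        holder = self.master.locations[cloud_id]
        if holder == self.name:
            return self.desktops[cloud_id]
        self.session_counter += 1
        third_session_id = f"{self.name}->{holder}#{self.session_counter}".encode()  # S106
        key_C = self.kmp.session_key(third_session_id)                                 # S107
        request_ct = otp(key_C[:64], b"OPEN " + cloud_id)
        image_ct = servers[holder].handle_access(third_session_id, cloud_id, request_ct)
        return otp(key_C[64:], image_ct)                                               # S109


def demo():
    """Constructed deployment: server-1 holds cloud-7, the terminal is connected to server-2."""
    shared, master = make_qkd_pool(), MasterServer()
    first = DesktopServer("server-1", KeyManagementPlatform("KMP1", shared), master,
                          {b"cloud-7": b"<frame: desktop of cloud-7>"})
    second = DesktopServer("server-2", KeyManagementPlatform("KMP2", shared), master)
    master.enrol(b"alice", b"cloud-7", "server-1")
    return second.serve(b"alice", {"server-1": first, "server-2": second})
```

demo() returns the desktop image that server-2 recovered from server-1's ciphertext. The check that matters in S108 is the cloud ID: a connected server that asks for a cloud ID the holding server does not have is refused before any key is spent, and because the pool binds each session ID to a fresh slice, no pad byte is reused across sessions.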
Further, in secure mode, when a file of the virtual desktop is about to be sent out, a protection module of the server intercepts the send-out action and verifies the authentication information entered at the terminal.
Further, the server is also connected to a quantum computer suited to providing computing power for the server, the quantum computer and the server communicating over TCP.
Further, after the terminal's authentication request to the server has passed, an authentication unit of the server issues a temporary identity token to the terminal; the token contains at least the authentication information, the valid login time and a session ID, and until the application session is torn down every access from the terminal to the server carries this token.
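The temporary identity token of the preceding paragraph, as an added illustration rather than patent text. The patent lists the token's contents but not how it is protected; this example assumes a server-side HMAC key over a base64 JSON payload and shows the three checks a server should make on every access that carries the token: signature, binding to the application session that received it, and expiry of the valid login time. The function names issue_token and check_token and the sample key and timestamps are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time


def issue_token(server_key, auth_info, session_id, valid_seconds, now=None):
    """Issue the temporary identity token: auth info, session ID and expiry, MAC'd under the server key."""
    now = time.time() if now is None else now
    body = {"auth": auth_info, "sid": session_id, "exp": int(now) + valid_seconds}
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).decode()
    tag = hmac.new(server_key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def check_token(server_key, token, session_id, now=None):
    """Return the auth info if the token is genuine, unexpired and presented on the session it was issued for."""
    now = time.time() if now is None else now
    payload, sep, tag = token.rpartition(".")
    if not sep:                                      # malformed
        return None
    expected = hmac.new(server_key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):       # forged or modified
        return None
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["sid"] != session_id:                    # replayed on a different application session
        return None
    if now >= body["exp"]:                           # valid login time exceeded
        return None
    return body["auth"]
```

The session-ID check is what ties the token to the application session of the patent: a token lifted from one session is useless on another even before it expires, and the MAC covers the session ID so it cannot be rewritten.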
Drawings
To illustrate the embodiments of the invention and the prior-art solutions more clearly, the drawings needed in describing them are briefly introduced below. The drawings described show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of data transmission in a secure communication method between a desktop cloud server and a terminal in an embodiment of the present invention;
fig. 2 is a flowchart of a secure communication method between a desktop cloud server and a terminal according to a first embodiment of the present invention;
FIG. 3 is a flowchart of step S102 in the first embodiment of the present invention;
fig. 4 is a flowchart of a preferred embodiment of a secure communication method between a desktop cloud server and a terminal according to a first embodiment of the present invention;
fig. 5 is a flowchart of a secure communication method between a desktop cloud server and a terminal according to a second embodiment of the present invention;
fig. 6 is a flowchart of a secure communication method between a desktop cloud server and a terminal according to a third embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some, not all, of the embodiments of the invention; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the scope of protection of the invention.
In the description of the present invention, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or the number of technical features indicated. A feature qualified as "first" or "second" may thus explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless specifically limited otherwise.
In the description of the present invention, unless otherwise explicitly specified or limited, the terms "connected" and the like are to be construed broadly, e.g., as meaning fixedly attached, detachably attached, or integrally formed; can be mechanically connected, electrically connected or can communicate with each other; they may be directly connected or indirectly connected through intervening media, or may be connected through the use of two elements or the interaction of two elements. The specific meanings of the above terms in the present invention can be understood by those skilled in the art according to specific situations.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
The terminal includes, but is not limited to, a computer. It comprises the hardware of a conventional terminal plus a security chip that is electrically connected to the terminal's main control unit; the security chip has data storage and some data processing capability. Before the chip is fixed inside the terminal housing, a quantum key of many bytes is loaded into its internal storage area by a key injection device (key filling machine); the total amount of quantum key, for example 32M or 64M, is chosen according to how much data the terminal will need to encrypt. The protection keys used in the terminal are formed by extracting a portion of the quantum random numbers from the quantum key according to key parameters, and a protection key may be 128 bits long. The security chip also holds a pre-stored encryption algorithm, for example SM4. The main control unit writes the key parameters into the data header of the data to be encrypted and sends that data to the security chip; the chip generates the protection key from its stored quantum key according to the key parameters and feeds the protection key and the data into the algorithm to encrypt or decrypt the data. It will be understood that a data packet generally consists of a data header and a data portion, and that the encryption and decryption operations in the embodiments of this application are performed on the data portion.
Each security chip carries a unique identity code, different for every terminal, and the correspondence between a quantum key and a security chip identity code is shared with the key management platform. The key management platform comprises a quantum random number generator, a key exchanger and a quantum security service mobile engine: the quantum random number generator produces quantum random numbers, which are sent to the key exchanger for bias correction to form the quantum key; the quantum key is then loaded into the security chip by the key injection device, and during loading the identity code of each security chip and the key material loaded onto it are registered in the quantum security service mobile engine, so that the correspondence between quantum key and security chip is held on the key management platform. The server holds a virtual desktop pool comprising system resources such as Windows, UOS, Kylin OS and deepin and software resources such as Office and DingTalk; the server provider can configure a number of software resources on a system of the user's choosing, according to the end user's requirements, to form a virtual desktop presented to that user. The terminal connects to the server over a classical network, and the server is communicatively connected to an encryption machine that encrypts or decrypts the data exchanged between terminal and server. As shown in Fig. 1 to Fig. 3, in a first embodiment of this application the secure communication method comprises:
S101: the terminal lets the user select and configure it into normal mode or secure mode;
Specifically, the terminal has two operating modes. If the user selects normal mode, the terminal works like a prior-art terminal: it runs its own operating system, and in that environment the user can send local files out freely without being checked. If the user selects secure mode, the terminal becomes in effect a display device used to show the virtual desktop resources on the server that are matched to the terminal.
S102: in secure mode, after the terminal's authentication request to the server has passed, the server opens the virtual desktop pool resources matched to the terminal's authentication information and maps the virtual desktop image onto the terminal;
Specifically, an application for entering secure mode is installed on the terminal. After start-up the user opens this application to reach the authentication interface for the desktop cloud server and enters authentication information; if the server verifies it as correct, the virtual desktop pool resources matched to that authentication information are opened to the terminal. It will be understood that before step S102 a system administrator configures the virtual desktop matched to the authentication information and generates a cloud ID uniquely associated with it; the cloud ID records at least which server holds the virtual desktop, and after authentication the terminal has access only to the virtual desktop matched to its authentication information. In other words, the end user may buy a specific virtual desktop resource from the server provider according to actual needs; that resource is configured by the system administrator on the server side and opened when the terminal's authentication passes, and different end users generally have different resources available to them once authenticated. After the terminal passes authentication, the corresponding virtual desktop image is mapped onto the terminal.
S103: the terminal collects the operation instruction the user enters on the virtual desktop, encrypts it with session key-A and transmits it to the server;
S104: the encryption machine applies to the key management platform for session key-a, decrypts the operation instruction and passes it to the server, and the server performs the corresponding action according to the operation instruction.
By way of example, the user double-clicks an office application on the terminal's virtual desktop, producing an operation instruction; the terminal encrypts it with session key-A and sends it to the server wirelessly; the server passes the instruction ciphertext to the encryption machine, which applies to the key management platform for session key-a, decrypts the instruction and returns the plaintext to the server; and if the instruction reads "open a certain office application", the server performs the open action.
In a further preferred embodiment, the secure communication method also comprises:
S105: while performing the action, the server generates a running image, which is encrypted with session key-a and transmitted to the terminal; the terminal decrypts it with session key-A and displays it on its interface.
Specifically, the server responds to the terminal's operation instruction by producing a running image on the virtual desktop and sends it to the encryption machine, which encrypts the image data with session key-a and returns it; the server transmits the image ciphertext to the terminal's main control unit, which passes it to the security chip; the chip decrypts it with session key-A and returns the plaintext to the main control unit, which performs digital-to-analogue conversion and displays the image on the terminal interface. It will be understood that the running image is in effect a sequence of image data streams, and that encryption and decryption can be applied to the packets formed from those streams within a preset time interval, so that the data travels as ciphertext. After S102 has been carried out, steps S103 to S105 may be run in a loop.
Session key-A and session key-a are formed from true random numbers generated, on quantum physical principles, by the quantum random number generator in the key management platform. The true random numbers produced by that generator can be loaded into a security chip for use as protection keys, and can also be stored in the key management platform's quantum security service mobile engine for use as session keys.
With the secure communication method described, the terminal can be configured into normal mode or secure mode as required, so that it keeps its ordinary information processing capability while being able to access a private virtual desktop at any time, meeting users' varied office needs. In particular, the security chip built into the terminal allows, in secure mode, the operation instructions sent from terminal to server and/or the application image the server feeds back to the terminal to be encrypted with a session key formed from quantum random numbers.
In the first embodiment of this application, step S102 is carried out as follows:
S1021: the terminal joins the network and connects to the server, and the terminal and server establish an application session, generating a first session ID;
S1022: the terminal encrypts the first session ID with a protection key formed from the quantum key built into the security chip, and sends the security chip's identity code together with the first session ID ciphertext to the key management platform to obtain session key-A;
Specifically, the correspondence between the security chip's identity code and its quantum key is shared in advance with the key management platform. The terminal's main control unit contains a random number unit that generates key parameters at random; the key parameters include a key offset, for example a randomly generated offset of 16. The main control unit writes the security chip's identity code and the key parameters into the data header of the first session ID packet and sends the packet to the security chip. The chip reads the key parameters from the header, for example the offset, and extracts a 128-bit true random number from the quantum key starting at the 17th bit from its start position to form the protection key; it encrypts the data portion of the first session ID packet with that protection key and returns to the main control unit a packet consisting of the header and the ciphertext of the data portion. The terminal transmits this packet to the key management platform. The platform uses the identity code to locate the quantum key material it holds for that chip, extracts the same portion of the quantum key according to the key parameters to reproduce the protection key, and decrypts the first session ID. It then generates session key-A, filed under the first session ID, encrypts session key-A with the protection key and returns it to the terminal, where the security chip decrypts it with the same protection key. That is, in the present invention the encryption and decryption of server-side data take place in the encryption machine, and those of terminal-side data in the security chip.
In another embodiment, only the key parameters used to generate the protection key are written into the header of the first session ID packet, and the security chip's identity code is sent as a separate packet alongside the first session ID packet when the terminal sends it to the key management platform. Because the protection key can be generated from a randomly chosen position in the quantum key, the quantum key loaded into the security chip can be reused. The protection key may instead be taken from the quantum key sequentially, for example by cutting off the next 128 bits from the start position of the quantum key each time encryption is needed. Since the quantum key itself is truly random, a protection key generated either randomly or sequentially is truly random as well, so that data encrypted with it is, in the words of the specification, absolutely secure and difficult to crack. (Since the cipher is SM4 with a 128-bit key rather than a one-time pad, the security actually obtained is that of SM4 under an unpredictable, freshly chosen key; this is also why key segments may be reused.)
S1023: the user inputs authentication information at the terminal, and the authentication information is encrypted with session key-A and then transmitted to the server;
specifically, the user inputs authentication information in an application program of a terminal running in confidential mode; the terminal main control unit sends the authentication information over the data bus to the security chip, the security chip encrypts it with session key-A and returns the ciphertext to the main control unit, and the main control unit transmits the authentication information ciphertext to the server.
S1024: the server sends the authentication information ciphertext and the first session ID to the encryption machine, and the encryption machine carries the first session ID to the key management platform to apply for a decryption key; specifically, once the application session is established between the terminal and the server, both hold the first session ID; the encryption machine transmits the first session ID to the key management platform over a wired connection, and the key management platform looks up the first session ID, generates a session key-a that is the same as, or associated with, session key-A, and sends it to the encryption machine. Because the terminal and the server apply to the key management platform with the same session ID, the session keys the platform issues to them are the same or associated: one encrypts the data and the other decrypts the ciphertext. Preferably session key-A and session key-a are the same.
S1025: the encryption machine decrypts the authentication information with session key-a and passes it to the authentication unit of the server, which confirms the terminal's access authority; a terminal user can access only the virtual desktop resources that the system administrator has pre-configured and associated with that terminal's authentication information.
In the technical scheme provided by the invention, the session key is obtained from the key management platform by having the security chip encrypt the session ID with its own protection key. Because the quantum keys filled into different terminals differ, the protection keys formed from them also differ: data encrypted on the server side with the session key that was issued against terminal A's protection key can be decrypted only at terminal A. If terminal B intercepts that data, it cannot decrypt it, because terminal B cannot form the same protection key as terminal A. The virtual desktop matched to the authentication information can therefore be accessed only by one specific terminal and by no other, which protects the user's files and meets the user's requirement for exclusive use of the terminal they hold.
In a further preferred embodiment, on the server side the key management platform encrypts session key-A with the protection key before sending it to the terminal, so that session key-A is protected in transit; on the terminal side the security chip decrypts session key-A with the protection key, after which the operation instructions entered on the terminal's virtual desktop can be encrypted with session key-A.
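The exchange of S1021 to S1025 (sequential 128-bit cutting of the protection key from the filled quantum key, delivery of session key-A wrapped under that protection key, the encryption machine fetching session key-a by session ID, and the cross-terminal isolation argued above) as an added Python simulation. This is example code, not the patent's own; it assumes a stand-in authenticated cipher (HMAC-SHA256 keystream plus HMAC tag) for the unnamed "preset algorithm", that the key parameter carried in the packet header is a byte offset into the quantum key, 16-byte session IDs, and the constructed authentication string user=alice;pin=2468.

```python
import hashlib
import hmac
import os
import secrets

PROTECTION_KEY_BYTES = 16   # 128 bits cut from the quantum key per use, as in the description


def _subkeys(key: bytes):
    """Domain-separate one key into an encryption key and a MAC key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(ek: bytes, nonce: bytes, n: int) -> bytes:
    blocks = [hmac.new(ek, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes, header: bytes = b"") -> bytes:
    """Stand-in for the 'preset algorithm': nonce || ciphertext || tag, encrypt-then-MAC.
    The header (here the key parameter) travels in the clear but is authenticated."""
    ek, mk = _subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, header + nonce + ct, hashlib.sha256).digest()[:16]


def unseal(key: bytes, packet: bytes, header: bytes = b""):
    """Plaintext, or None when the key is wrong or the packet was altered."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = packet[:12], packet[12:-16], packet[-16:]
    if not hmac.compare_digest(hmac.new(mk, header + nonce + ct, hashlib.sha256).digest()[:16], tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))


def protection_key(quantum_key: bytes, key_parameter: int) -> bytes:
    """Cut 128 bits from the filled quantum key at byte offset key_parameter (assumed meaning
    of the key parameter written into the packet header)."""
    end = key_parameter + PROTECTION_KEY_BYTES
    if key_parameter < 0 or end > len(quantum_key):
        raise ValueError("key parameter outside the filled quantum key")
    return quantum_key[key_parameter:end]


class SecurityChip:
    """Terminal-side chip pre-filled with a quantum key; cuts sequentially, never reusing an offset."""

    def __init__(self, identity_code: bytes, quantum_key: bytes):
        self.identity_code, self._qk, self._offset, self.session_key = identity_code, quantum_key, 0, None

    def start_session(self, kmp, session_id: bytes) -> bool:
        kp, self._offset = self._offset, self._offset + PROTECTION_KEY_BYTES
        pk, hdr = protection_key(self._qk, kp), kp.to_bytes(4, "big")
        wrapped = kmp.issue_session_key(self.identity_code, hdr, seal(pk, session_id, header=hdr))
        self.session_key = unseal(pk, wrapped)        # session key-A, unwrapped inside the chip
        return self.session_key is not None

    def encrypt(self, data: bytes) -> bytes:
        return seal(self.session_key, data)


class KeyManagementPlatform:
    def __init__(self):
        self.filled = {}     # identity code -> copy of the quantum key filled into that chip
        self.sessions = {}   # session ID -> session key (the registered correspondence)

    def fill_chip(self, identity_code: bytes, size: int = 4096) -> SecurityChip:
        self.filled[identity_code] = secrets.token_bytes(size)   # stand-in for QKD material
        return SecurityChip(identity_code, self.filled[identity_code])

    def issue_session_key(self, identity_code: bytes, hdr: bytes, session_id_ct: bytes) -> bytes:
        pk = protection_key(self.filled[identity_code], int.from_bytes(hdr, "big"))
        session_id = unseal(pk, session_id_ct, header=hdr)
        if session_id is None:
            raise PermissionError("session ID packet was not produced by chip %r" % identity_code)
        self.sessions[session_id] = secrets.token_bytes(32)
        return seal(pk, self.sessions[session_id])   # session key-A wrapped under the protection key

    def session_key_for(self, session_id: bytes):
        return self.sessions.get(session_id)         # handed to the encryption machine as session key-a


def run_first_session(auth_info: bytes = b"user=alice;pin=2468") -> dict:
    """S1021 to S1025 end to end, plus the two-terminal check from the description."""
    kmp = KeyManagementPlatform()
    chip_a, chip_b = kmp.fill_chip(b"CHIP-A"), kmp.fill_chip(b"CHIP-B")
    first_session_id = os.urandom(16)             # created when the application session is set up
    ok_a = chip_a.start_session(kmp, first_session_id)
    auth_ct = chip_a.encrypt(auth_info)           # constructed authentication information
    # encryption machine: carries the first session ID to the platform, decrypts with session key-a
    recovered = unseal(kmp.session_key_for(first_session_id), auth_ct)
    # terminal B intercepts the ciphertext; its own quantum key gives it a different session key
    ok_b = chip_b.start_session(kmp, os.urandom(16))
    from_b = unseal(chip_b.session_key, auth_ct)
    flipped = auth_ct[:-1] + bytes([auth_ct[-1] ^ 1])
    tampered = unseal(kmp.session_key_for(first_session_id), flipped)
    return {"sessions_ok": ok_a and ok_b, "auth_info": recovered, "terminal_b": from_b, "tampered": tampered}
```

The chip advances its offset after every use, so a quantum-key segment is never cut twice, and the stand-in cipher takes a fresh random nonce, which is why one protection key can seal both the session ID and the wrapped session key-A. If the 128-bit segment were instead XORed directly onto the data as a one-time pad, using it for both messages would be a two-time pad and the unconditional security argued in the description would not hold.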
In a further preferred embodiment, after the terminal passes authentication, the authentication unit issues a temporary identity token to the terminal: the server sends the token to the encryption machine, the encryption machine encrypts it with session key-a and returns it to the server, and the server transmits the token ciphertext to the terminal main control unit;
the terminal main control unit sends the token ciphertext to the security chip, which decrypts it with session key-A. Until the application session is disconnected, the terminal carries the temporary identity token on every access to the server; the token data packet contains the authentication information, the valid login time, the session ID and so on, and when the terminal encrypts data for transmission to the server the token is written into the header of the data to be encrypted.
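The temporary identity token described above, as an added example of how the server side would issue it and check it in the header of each packet once the packet has been decrypted with session key-a. This is illustrative code, not from the patent; the page lists the token's fields but not their encoding, so the fixed binary layout, the use of a SHA-256 digest of the authentication information instead of the information itself, the 600-second lifetime, and the constructed session IDs and operation instruction are all assumptions. Confidentiality of the token in transit is left to the session-key encryption of the description and is not repeated here.

```python
import hashlib
import hmac
import struct
import time

# Token layout (assumed; the page lists the fields but not their encoding):
# magic | session ID (16 bytes) | valid-until as unix seconds | SHA-256 of the authentication information
TOKEN_FMT = ">4s16sQ32s"
TOKEN_LEN = struct.calcsize(TOKEN_FMT)
MAGIC = b"TOK1"


class AuthenticationUnit:
    """Server-side issuer and checker of the temporary identity token."""

    def __init__(self, lifetime_s: int = 900):
        self.lifetime_s = lifetime_s
        self._issued = {}   # session ID -> token, kept only while the application session is up

    def issue(self, session_id: bytes, auth_info: bytes, now=None) -> bytes:
        now = time.time() if now is None else now
        token = struct.pack(TOKEN_FMT, MAGIC, session_id,
                            int(now) + self.lifetime_s, hashlib.sha256(auth_info).digest())
        self._issued[session_id] = token
        return token

    def session_closed(self, session_id: bytes) -> None:
        """Application session disconnected: the token stops being carried and is forgotten."""
        self._issued.pop(session_id, None)

    def check(self, packet: bytes, session_id: bytes, now=None):
        """Validate the token in the header of a decrypted packet arriving on session_id.
        Returns (payload, reason); payload is None when the packet must be rejected."""
        now = time.time() if now is None else now
        if len(packet) < TOKEN_LEN:
            return None, "packet shorter than the token header"
        header = packet[:TOKEN_LEN]
        magic, sid, valid_until, _digest = struct.unpack(TOKEN_FMT, header)
        if magic != MAGIC:
            return None, "not a token header"
        if sid != session_id:
            return None, "token is bound to a different session ID"
        if now >= valid_until:
            return None, "valid login time has passed"
        issued = self._issued.get(session_id)
        if issued is None or not hmac.compare_digest(issued, header):
            return None, "token was not issued for this session"
        return packet[TOKEN_LEN:], "ok"


def frame(token: bytes, data: bytes) -> bytes:
    """Terminal side: write the token into the header of the data to be encrypted."""
    return token + data


def demo() -> dict:
    unit = AuthenticationUnit(lifetime_s=600)
    sid, other_sid = b"\x01" * 16, b"\x02" * 16          # constructed session IDs
    t0 = 1_700_000_000.0
    token = unit.issue(sid, b"user=alice;pin=2468", now=t0)   # constructed authentication information
    packet = frame(token, b"MOVE_MOUSE 120 80")              # constructed operation instruction
    results = {
        "fresh": unit.check(packet, sid, now=t0 + 5),
        "replayed_in_other_session": unit.check(packet, other_sid, now=t0 + 5),
        "expired": unit.check(packet, sid, now=t0 + 600),
    }
    unit.session_closed(sid)
    results["after_disconnect"] = unit.check(packet, sid, now=t0 + 5)
    return results
```

Binding the token to the session ID and forgetting it when the application session closes is what stops a token captured from one session from being replayed on another, which the description's "carried before the application session is disconnected" wording implies but does not spell out.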
In a further preferred embodiment, in confidential mode, when a file is sent out of the virtual desktop, the protection module of the server intercepts the outgoing action and verifies the authentication information entered at the terminal.
For example, when a terminal logged into the application program in confidential mode copies a selected file from the virtual desktop to a USB flash drive, the terminal interface pops up a prompt box for authentication information; if the information entered matches the information the server has recorded for that virtual desktop resource, the selected file may be copied to the USB flash drive, and if it does not match, the copy operation is invalid and the file cannot be sent out.
In a further preferred embodiment, the server is further connected to a quantum computer that provides computational support to the server, and the quantum computer and the server communicate over TCP.
To serve terminal users in multiple regions, desktop cloud servers must be deployed in different cities across the country, and to improve communication efficiency a terminal is generally connected to the server nearest to it. In other embodiments of the invention, the virtual desktop resource matched to the terminal's authentication information is located in a first server while the terminal is networked to a second server: for example, the server that initially authenticated the terminal is in region A, the user moves the terminal to region B, and because the server in region B is now closer the terminal automatically or manually selects to network with it, avoiding excessive delay in data transmission. In this case, as shown in fig. 4, the secure communication method further includes:
S106: the second server establishes an application session with the first server, generating a third session ID;
specifically, before step S106, the terminal networks with the second server and establishes an application session, a second session ID is generated, and the terminal and the second server each hold the second session ID;
the terminal main control unit sends the second session ID data packet to the security chip; the security chip extracts part of the quantum random numbers from the quantum key filled into it to form a protection key, encrypts the second session ID with that protection key and returns the second session ID ciphertext to the main control unit; the main control unit wirelessly sends the identity code of the security chip and the second session ID ciphertext to the second key management platform; the second key management platform generates, from the identity code, the protection key suitable for decrypting the second session ID packet and sends that protection key and the second session ID ciphertext to a second encryption machine communicatively connected to it; the second encryption machine decrypts the second session ID ciphertext with the protection key and returns it to the second key management platform, which generates a session key-B, transmits it to the terminal and registers the correspondence between session key-B and the second session ID;
the user inputs authentication information at the terminal, the terminal main control unit sends it to the security chip, and the security chip encrypts it with session key-B and transmits the ciphertext to the second server through the main control unit;
the second server sends the authentication information ciphertext to the second encryption machine, which carries the second session ID to the second key management platform to apply for a session key-b and uses it to decrypt the authentication information; because the session ID carried by the second encryption machine is the same as the one the terminal carried when it applied to the second key management platform, the session key-B issued to the terminal and the session key-b issued to the second encryption machine are the same or associated, and data encrypted with one can be decrypted with the other;
the second encryption machine sends the authentication information plaintext to the second server, the second server finds that the virtual desktop resource matched to the authentication information is located in the first server, initiates an access request to the first server, and establishes an application session with it.
Preferably, the invention has multiple desktop cloud servers, comprising a master server and several slave servers. A key management platform is deployed beside each server, the server is wired to each device of its key management platform, and the key management platforms communicate with each other over optical fibre or quantum satellite. After a terminal networks with a server, if the virtual desktop the terminal is entitled to access is not available from the connected server, the connected server sends an inquiry to the master server, the master server reports the location of the virtual desktop to the connected server, and the connected server initiates an access request to the server holding the virtual desktop. In practice the master server records the correspondence between authentication information and cloud ID, the cloud ID records the server on which the virtual desktop matched to the terminal is located, and the terminal authentication information is recorded in both the master server and the slave servers. That is, a terminal can enter confidential mode on any supplier's desktop cloud server as long as it enters the authentication information correctly; if the connected server is not the one holding the virtual desktop, the connected server obtains the location of that server from the master server, and the server holding the virtual desktop then either streams the virtual desktop to the connected server or packages the virtual desktop data and sends it directly to the connected server. In this embodiment the first server is the master server and the second server is a slave server.
In other embodiments there are likewise multiple desktop cloud servers, but each server records the correspondence between authentication information and cloud ID, so that if the connected server is not the one holding the virtual desktop, the location of that server can be obtained directly at the connected server, which then initiates access to it.
S107: the second encryption machine communicatively connected to the second server carries the third session ID and the cloud ID associated with the authentication information to the second key management platform to apply for a session key-C; the second key management platform registers the correspondence between the third session ID and session key-C and sends session key-C to the second encryption machine, which encrypts the access request sent by the second server to the first server with session key-C and sends it to the first server;
S108: the first server verifies whether the cloud ID matches its own ID; if so, the virtual desktop matched to the terminal is located in the first server, and the first server sends the access request data packet to the first encryption machine, which carries the third session ID to the first key management platform to apply for a session key-c. Because the session IDs carried by the first and second encryption machines are the same, the session key-c obtained is the same as session key-C, so the access request can be decrypted with session key-c; the first encryption machine sends the access request plaintext to the first server, and the first server calls up the virtual desktop matched to the cloud ID;
S109: the data packets formed from the virtual desktop data stream are sent to the first encryption machine, which encrypts the image of the virtual desktop with session key-c and transmits it to the second server; the second server sends the image ciphertext to the second encryption machine, which decrypts it with session key-C and transmits the image of the virtual desktop to the terminal;
the first key management platform comprises a QKD1 and the second key management platform comprises a QKD2; session key-C is generated by the QKD2 device and session key-c by the QKD1 device. A QKD device is a quantum key distribution device: QKD1 and QKD2 distribute keys by transmitting quantum states under the BB84 protocol or the B92 protocol, so the quantum key data held by QKD1 and QKD2 are the same, and when the first server and the second server apply for a key against the same session ID the session key-c and session key-C obtained are the same and each can undo the encryption performed with the other.
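The cross-region path of S106 to S108, as an added Python example: the master server resolves authentication information to a cloud ID, the second server forwards an access request, and the first server checks the cloud ID and obtains the same key from its own platform because QKD1 and QKD2 hold identical material. This is example code, not the patent's; it assumes the key is derived as HMAC(QKD material, third session ID) (the page says only that equal material plus the same session ID gives equal keys), a cloud ID laid out as "server name/desktop name", and an HMAC tag standing in for the encryption of the access request so that the key-agreement and routing logic stays in view.

```python
import hashlib
import hmac
import os
import secrets


class KeyManagementPlatform:
    """One platform per region, holding the key material its QKD device distributed."""

    def __init__(self, qkd_material: bytes):
        self._qkd = qkd_material
        self.registered = {}   # third session ID -> session key-C (second platform) / key-c (first)

    def session_key(self, session_id: bytes) -> bytes:
        # Assumed derivation: the page does not fix how the platforms turn QKD material into a key.
        key = hmac.new(self._qkd, b"session-key-C|" + session_id, hashlib.sha256).digest()
        self.registered[session_id] = key
        return key


class MasterServer:
    """Records authentication information -> cloud ID; the cloud ID names the hosting server."""

    def __init__(self, records: dict):
        self._records = {hashlib.sha256(a).digest(): c for a, c in records.items()}

    def cloud_id_for(self, auth_info: bytes):
        return self._records.get(hashlib.sha256(auth_info).digest())


def hosting_server(cloud_id: str) -> str:
    """Assumed cloud ID layout: '<server name>/<desktop name>'."""
    return cloud_id.split("/", 1)[0]


def tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, name: str, kmp: KeyManagementPlatform):
        self.name, self.kmp = name, kmp

    def access_request(self, cloud_id: str, third_session_id: bytes) -> bytes:
        """Second server: its encryption machine protects the request with session key-C (S107)."""
        body = cloud_id.encode() + b"|" + third_session_id
        return body + tag(self.kmp.session_key(third_session_id), body)

    def handle_access_request(self, packet: bytes):
        """First server: cloud ID check, then session key-c from its own platform (S108)."""
        body, t = packet[:-32], packet[-32:]
        cloud_id, third_session_id = body.split(b"|", 1)   # the cloud ID never contains '|'
        if hosting_server(cloud_id.decode()) != self.name:
            return False, "cloud ID does not match this server"
        key_c = self.kmp.session_key(third_session_id)
        if not hmac.compare_digest(tag(key_c, body), t):
            return False, "session key-c does not match session key-C"
        return True, "virtual desktop %s called" % cloud_id.decode()


def demo() -> dict:
    shared = secrets.token_bytes(64)          # constructed stand-in for what QKD1 and QKD2 agreed on
    first = Server("first-server", KeyManagementPlatform(shared))
    second = Server("second-server", KeyManagementPlatform(shared))
    no_qkd = Server("second-server", KeyManagementPlatform(secrets.token_bytes(64)))  # no QKD link
    master = MasterServer({b"user=alice;pin=2468": "first-server/desktop-42"})      # constructed
    auth_info = b"user=alice;pin=2468"       # already decrypted by the second encryption machine
    cloud_id = master.cloud_id_for(auth_info)
    sid = os.urandom(16)                     # third session ID from the second/first server session
    return {
        "local": hosting_server(cloud_id) == second.name,
        "accepted": first.handle_access_request(second.access_request(cloud_id, sid))[0],
        "keys_equal": first.kmp.registered[sid] == second.kmp.registered[sid],
        "without_qkd_link": first.handle_access_request(no_qkd.access_request(cloud_id, sid))[0],
        "wrong_cloud_id": first.handle_access_request(second.access_request("third-server/desktop-7", sid))[0],
        "unknown_user": master.cloud_id_for(b"user=mallory;pin=0000"),
    }
```

The cloud ID check runs before any key is derived, so a request for a desktop the first server does not host is refused without touching the platform, and a second server whose platform does not share the QKD material produces a key-C that key-c cannot match.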
In a second embodiment of the present application, as shown in fig. 5, the secure communication method includes:
S201: the terminal lets the user select and configure the terminal into ordinary mode or confidential mode;
S202: in confidential mode, after the terminal initiates an authentication request to the server and passes it, the server opens the virtual desktop pool resources matched to the terminal authentication information and maps a virtual desktop image onto the terminal;
S203: the terminal collects the operation instructions the user enters on the virtual desktop and transmits them to the server;
S204: the server executes the corresponding actions according to the operation instructions and generates an operation image; the server sends the operation image to the encryption machine, the encryption machine applies to the key management platform for a session key-A, and the operation image is encrypted with session key-A and transmitted to the terminal;
S205: the terminal main control unit receives the operation image ciphertext and sends it to the security chip; the security chip applies to the key management platform for a session key-a to decrypt the operation image and returns the operation image plaintext to the main control unit, so that the operation image is displayed on the terminal interface;
where session key-A and session key-a are formed from quantum random numbers.
This embodiment differs from the first in that it does not encrypt the operation instructions the terminal enters on the virtual desktop and encrypts only the operation image the virtual desktop maps onto the terminal, which improves communication efficiency between the desktop cloud server and the terminal while still securing the transmission of the operation image.
In a third embodiment of the present application, as shown in fig. 6, the secure communication method includes:
S301: the terminal lets the user select and configure the terminal into ordinary mode or confidential mode;
S302: in confidential mode, after the terminal initiates an authentication request to the server and passes it, the server opens the virtual desktop pool resources matched to the terminal authentication information and maps a virtual desktop image onto the terminal;
S303: the terminal collects the operation instructions the user enters on the opened virtual desktop, encrypts them with session key-A and transmits them to the encryption machine;
S304: the encryption machine applies to the key management platform for a session key-a, decrypts the operation instructions and sends them to the server, and the server executes the corresponding actions according to the operation instructions;
where session key-A and session key-a are formed from quantum random numbers.
This embodiment differs from the first in that the operation instructions encrypted by the terminal are not sent to the server and then forwarded by the server to the encryption machine; instead the ciphertext is transmitted directly to the encryption machine, which in this embodiment includes a communication module and can receive data as well as encrypt and decrypt it. This arrangement secures data transmission between the desktop cloud server and the terminal while also improving communication efficiency and the user's operating experience.
It should be noted that encrypting or decrypting data with a key, as described in this invention, means substituting the key and the data to be encrypted or decrypted into a preset algorithm to perform the encryption or decryption. The steps S101 to S105, S106 to S109, S201 to S205, S301 to S304 and S1021 to S1025 indicate only part of the operation of the secure communication method, and their execution order is not limited to the order in which they are described.
Finally, it should be noted that the above embodiments only illustrate the technical solution of the invention and do not limit it; although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in them may still be modified, or some or all of their technical features replaced by equivalents, without the essence of the corresponding technical solutions departing from the scope of the technical solutions of the embodiments of the invention.

Claims (10)

1. A secure communication method between a desktop cloud server and a terminal, characterized in that virtual desktop resources are stored in the server; after the terminal initiates an authentication request to the server in confidential mode and passes it, the server opens the virtual desktop resources matched to the terminal authentication information and maps a virtual desktop image onto the terminal; and when the virtual desktop resources matched to the terminal authentication information are located in a first server while the terminal is networked to a second server, the secure communication method comprises the following steps:
S106: the second server establishes an application session with the first server, generating a third session ID;
S107: a second encryption machine communicatively connected to the second server carries the third session ID and the cloud ID associated with the authentication information to a second key management platform to apply for a session key-C, encrypts the access request sent by the second server to the first server with session key-C, and sends the access request to the first server;
S108: after the first server verifies the cloud ID, it applies to a first key management platform for a session key-c against the third session ID, decrypts the access request, and calls up the virtual desktop matched to the cloud ID;
S109: the virtual desktop image is encrypted with session key-c and transmitted to the second server, and the second server decrypts it with session key-C and transmits it to the terminal;
wherein the first key management platform comprises a QKD1 and the second key management platform comprises a QKD2, session key-C being generated by the QKD2 device and session key-c by the QKD1 device.
2. The secure communication method according to claim 1, wherein the terminal has a built-in security chip pre-filled with a quantum key, and before step S106 is performed the secure communication method further comprises:
the terminal establishes an application session with the second server, generating a second session ID;
the second session ID is encrypted with a protection key formed from the quantum key, and the identity code of the security chip and the second session ID ciphertext are sent to the second key management platform to obtain a session key-B;
the user inputs authentication information at the terminal, and the authentication information is encrypted with session key-B and transmitted to the second server;
the second encryption machine carries the second session ID to the second key management platform to apply for a session key-b with which to decrypt the authentication information;
and the second server finds that the virtual desktop resource matched to the authentication information is located in the first server and initiates an access request to the first server.
3. The secure communication method according to claim 2, wherein the terminal main control unit writes a key parameter into the header of the data to be encrypted and sends the data to the security chip, and the security chip generates the protection key from the quantum key stored inside it according to the key parameter.
4. The secure communication method according to claim 1, wherein there are a plurality of servers comprising a master server and at least one slave server, a key management platform is deployed beside each server and communicatively connected to it, and the key management platforms communicate with each other over optical fibre or quantum satellite, so that QKD1 and QKD2 distribute the session key under a preset protocol.
5. The secure communication method according to claim 4, wherein after the terminal is networked to a server, if the virtual desktop the terminal is entitled to access cannot be obtained from the connected server, the connected server sends an inquiry to the master server, the master server reports the location of the virtual desktop to the connected server, and the connected server initiates an access request to the server storing the virtual desktop.
6. The secure communication method according to claim 4, wherein the master server records the correspondence between authentication information and cloud ID, the cloud ID records the server on which the virtual desktop matched to the terminal is located, and both the master server and the slave servers record the terminal authentication information.
7. The secure communication method according to claim 1, wherein there are a plurality of servers, each server records the correspondence between authentication information and cloud ID, and if the connected server is not the server on which the virtual desktop is located, the location of that server is obtained directly at the connected server, which then initiates access to it.
8. The secure communication method according to any one of claims 1 to 7, wherein, in confidential mode, when a file is sent out of the virtual desktop, a protection module of the server intercepts the outgoing action and verifies the authentication information entered at the terminal.
9. The secure communication method according to claim 8, wherein a quantum computer providing computational support to the server is further connected to the server, and the quantum computer and the server communicate over TCP.
10. The secure communication method according to claim 8, wherein after the terminal initiates the authentication request to the server and passes it, an authentication unit of the server issues a temporary identity token to the terminal, the temporary identity token containing at least the authentication information, the valid login time and the session ID, and thereafter, until the application session is disconnected, the temporary identity token is carried on every access of the terminal to the server.
CN202211480165.4A 2022-09-22 2022-09-22 Secure communication method between desktop cloud server and terminal Pending CN115865907A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211480165.4A CN115865907A (en) 2022-09-22 2022-09-22 Secure communication method between desktop cloud server and terminal

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202211156166.3A Division CN115242785B (en) 2022-09-22 2022-09-22 Secure communication method between desktop cloud server and terminal

Publications (1)

Publication Number Publication Date
CN115865907A true CN115865907A (en) 2023-03-28

Family

ID=83667009

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202211156166.3A Active CN115242785B (en) 2022-09-22 2022-09-22 Secure communication method between desktop cloud server and terminal
CN202211480165.4A Pending CN115865907A (en) 2022-09-22 2022-09-22 Secure communication method between desktop cloud server and terminal

Country Status (1)

Country Link
CN (2) CN115242785B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115801252B (en) * 2023-01-31 2023-04-14 江苏微知量子科技有限公司 Safe cloud desktop system combined with quantum encryption technology

Also Published As

Publication number Publication date
CN115242785B (en) 2022-12-16
CN115242785A (en) 2022-10-25

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination