CN117319080A - Mobile terminal for isolating secret communication and communication method - Google Patents


Info

Publication number
CN117319080A
Authority
CN
China
Prior art keywords
vpn
operating system
mobile terminal
communication
data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311519494.XA
Other languages
Chinese (zh)
Inventor
彭成智
旷炜
侯玉华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
China Information Technology Designing and Consulting Institute Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd and China Information Technology Designing and Consulting Institute Co Ltd
Priority to CN202311519494.XA
Publication of CN117319080A
Legal status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The application provides a mobile terminal for isolated secure communication and a corresponding communication method. The mobile terminal includes a first operating system and a second operating system. The first operating system hosts an external communication module; the second operating system hosts a target APP and a VPN client. The communication interface corresponding to the first operating system is connected to the communication interface corresponding to the second operating system through a link communication chip, and the target CPU corresponding to the second operating system can transmit the data of the target APP to the external communication module of the first operating system only through the VPN client, so that the external communication module forwards the data to the VPN server over a VPN protocol. Through the dual-operating-system design the two systems are physically isolated, while a secure data path is opened from the secure system and a tunnel from the secure system to the intranet is established, so that a range of mobile security risks is effectively resisted.

Description

Mobile terminal for isolating secret communication and communication method
Technical Field
The present disclosure relates to the field of network security, and in particular, to a mobile terminal and a communication method for isolating secure communication.
Background
With the development of mobile information technology, smartphones with rich application functions have become the most widely used data-processing terminals. However, smartphone operating systems depend on the Internet and are dominated by foreign products, so the risk of information leakage is large and the information security situation is severe.
A VPN creates a secure tunnel over a public network and can thereby protect an enterprise's data and communications from unauthorized access or attack, effectively protecting the enterprise network and reducing potential network threats. A VPN also lets staff securely access the company's internal network from other locations to obtain the files, information and resources they need.
However, the traditional VPN approach for mobile terminals cannot effectively solve the problem of data security inside the phone itself; in particular, when the phone is used in an overseas working environment, risks such as theft of the device and copying or destruction of important data cannot be ignored.
Disclosure of Invention
The application provides a mobile terminal and a communication method for isolated secure communication, which realize secure data communication on a terminal with dual hardware and dual operating systems and ensure the security of the data.
In a first aspect, the present application provides a mobile terminal for isolated secure communication, comprising a first operating system and a second operating system, wherein:
the first operating system hosts an external communication module;
the second operating system hosts a target APP and a VPN client;
the communication interface corresponding to the first operating system is connected to the communication interface corresponding to the second operating system through a link communication chip;
and the target CPU corresponding to the second operating system can transmit the data of the target APP to the external communication module of the first operating system only through the VPN client, so that the external communication module forwards the data to the VPN server over a VPN protocol.
Optionally, the VPN client is configured to generate a first authentication parameter and send, through the first operating system, an authentication request carrying the first authentication parameter to the VPN server, so that the VPN server can verify the VPN client;
and to receive an authentication-passed response sent by the VPN server, establishing a communication link between the VPN client and the VPN server over which the data of the target APP is transmitted.
Optionally, the VPN client is specifically configured to:
generate a first secret parameter from the identifier of the mobile terminal, the VPN communication protocol identifier and the registration key, where each mobile terminal has a different registration key;
generate a first authentication parameter from the first secret parameter and a random number;
and send the identifier of the mobile terminal, the first authentication parameter and the random number to the VPN server.
Optionally, the VPN server verifies the VPN client by:
looking up, from the identifier of the mobile terminal, the pre-stored VPN communication protocol identifier and registration key corresponding to that identifier;
generating a second secret parameter from the identifier of the mobile terminal and the corresponding VPN communication protocol identifier and registration key;
generating a second authentication parameter from the second secret parameter and the random number received from the VPN client;
and passing verification if the first authentication parameter matches the second authentication parameter.
Optionally, the second operating system further hosts a second virtual network card, a second virtual network card adapter and a second USB interface;
the first operating system further hosts a routing service, a first virtual network card adapter and a first USB interface;
the target APP, the VPN client, the second virtual network card adapter and the second USB interface are connected in sequence to the link communication chip;
and the external communication module, the routing service, the first virtual network card adapter and the first USB interface are connected in sequence to the link communication chip.
Optionally, the first operating system and the second operating system are operating systems of the same type, and each corresponds to its own independent hardware and kernel.
Optionally, the external communication module includes a WiFi module and/or a mobile communication module.
In a second aspect, the present application provides a method of isolated secure communication, applied to the target CPU of the mobile terminal of the first aspect, the method comprising:
acquiring the data to be transmitted by the target APP;
and transmitting the data of the target APP through the VPN client to the external communication module of the first operating system, so that the external communication module forwards the data to a VPN server over a VPN protocol.
Optionally, before acquiring the data to be transmitted by the target APP, the method further includes:
generating a first authentication parameter and sending an authentication request carrying it to the VPN server through the first operating system, so that the VPN server can verify the VPN client;
and receiving an authentication-passed response sent by the VPN server, establishing a communication link between the VPN client and the VPN server over which the data of the target APP is transmitted.
Optionally, generating the first authentication parameter includes:
generating a first secret parameter from the identifier of the mobile terminal, the VPN communication protocol identifier and the registration key, where each mobile terminal has a different registration key;
generating the first authentication parameter from the first secret parameter and a random number;
and sending the identifier of the mobile terminal, the first authentication parameter and the random number to the VPN server.
The application thus provides a mobile terminal and a communication method for isolated secure communication. The mobile terminal comprises a first operating system and a second operating system; the first operating system hosts an external communication module, and the second operating system hosts a target APP and a VPN client. The communication interface corresponding to the first operating system is connected to the communication interface corresponding to the second operating system through a link communication chip, and the target CPU corresponding to the second operating system can transmit the data of the target APP to the external communication module of the first operating system only through the VPN client, so that the external communication module forwards the data to the VPN server over a VPN protocol. With the dual systems, the target APP is isolated in the closed second operating system, and the request data it sends and the response data it receives can be carried only between the VPN client and the VPN server over the communication link that passes through the link communication chip, so that the target APP's data is stored and transmitted securely.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic hardware diagram of a mobile terminal for isolating secure communications according to an embodiment of the present application.
Fig. 2 is a communication link assembly diagram of a mobile terminal for isolating secure communication according to an embodiment of the present application.
Fig. 3 is a signaling diagram of a negotiation authentication process of a mobile terminal for isolating secure communication according to an embodiment of the present application.
Specific embodiments thereof have been shown by way of example in the drawings and will herein be described in more detail. These drawings and the written description are not intended to limit the scope of the inventive concepts in any way, but to illustrate the concepts of the present application to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the accompanying claims.
To describe the technical solutions of the embodiments clearly, the words "first", "second", etc. are used in this application to distinguish items that are the same or similar and have substantially the same function and effect. For example, a first device and a second device are distinguished only from each other and are not ordered by precedence. Those skilled in the art will appreciate that the words "first", "second" and the like do not limit the number of items or their order of execution, and that items so labelled do not necessarily differ.
In this application, the terms "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association between objects and indicates that three relationships are possible: for example, "A and/or B" may mean A alone, A and B together, or B alone, where A and B may be singular or plural. The character "/" generally indicates that the objects on either side are in an "or" relationship. "At least one of" and the like mean any combination of the listed items, including any single item or any plurality of items. For example, "at least one of a, b or c" may represent a, b, c, a-b, a-c, b-c, or a-b-c, where a, b and c may be single or plural.
The terms used in this application are explained first:
A virtual private network (VPN) provides encrypted communication by establishing a private network over a public network, and is widely used in enterprise networks. A VPN gateway realizes remote access by encrypting data packets and translating their destination addresses. A VPN may be implemented in various ways, e.g. by a server, in hardware, or in software.
A VPN creates a secure tunnel over a public network and can thereby protect an enterprise's data and communications from unauthorized access or attack, effectively protecting the enterprise network and reducing potential network threats. A VPN also lets staff securely access the company's internal network from other locations to obtain the files, information and resources they need.
However, the traditional VPN approach for mobile terminals cannot effectively solve the problem of data security inside the phone itself; in particular, when the phone is used in an overseas working environment, risks such as theft of the device and copying or destruction of important data cannot be ignored.
The mobile terminal and communication method for isolated secure communication of this application protect the data of the target APP in the secure system by opening a secure data communication path from that system.
The following describes the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 1 is a hardware schematic diagram of a mobile terminal for isolated secure communication according to an embodiment of the present application. As shown in Fig. 1, the mobile terminal includes two independent hardware systems and two independent operating systems; the first and second operating systems each correspond to their own independent hardware and kernel. The communication interface of the first hardware system is connected to the communication interface of the second hardware system through a link communication chip.
With dual hardware systems and dual operating systems, each system has its own processor, memory and storage, so the two systems are completely isolated. Each system runs and manages its tasks independently, giving a high degree of isolation and security.
According to the security and privacy requirements of the mobile terminal for isolated secure communication of data, the APP (mobile application) is confined to the second hardware system and the second operating system.
By setting the APP's permissions, the user is prohibited from copying and cutting content in the application; paste operations into the APP are restricted and verified, so that only permitted data can be pasted into the application. Network access control is added to the APP so that it can reach only the designated internal network or server and no other network. The first operating system and the second operating system are of the same type; the Android system, widely used on mobile phones, tablets and other mobile devices, is adopted.
The second hardware system is allowed to communicate only with the network communication module of the first hardware system, through the link communication chip. The link communication chip not only carries data between the two hardware systems but further protects the data in the second operating system through encrypted communication, authentication, access control, integrity checks and the like.
The dual-hardware, dual-operating-system design structurally guarantees the security of the isolated system's data while also improving system performance and stability; secure communication and data transfer between the two hardware systems is realized through the link communication chip, further strengthening the security of the mobile terminal.
Fig. 2 is a communication link assembly diagram of a mobile terminal for isolated secure communication according to an embodiment of the present application; as shown in Fig. 2, the communication link structure of the mobile terminal is described in detail on the basis of Fig. 1. The mobile terminal for isolated secure communication comprises:
a first operating system and a second operating system, wherein the first operating system hosts an external communication module;
the second operating system hosts a target APP and a VPN client;
the communication interface corresponding to the first operating system is connected to the communication interface corresponding to the second operating system through a link communication chip;
and the target CPU corresponding to the second operating system can transmit the data of the target APP to the external communication module of the first operating system only through the VPN client, so that the external communication module forwards the data to the VPN server over a VPN protocol.
The two operating systems may correspond to two different hardware systems, each carrying different functions and tasks. The first operating system handles communication with external networks or devices; the second operating system mainly runs the specific application (the target APP) and the VPN client. This protects the data in the target APP from being copied, cut, pasted, destroyed or sent to third-party networks by other applications. The target APP in the second operating system must send its data through the external communication module of the first operating system.
The two operating systems exchange data through the link communication chip. Because data is not transferred directly between the two operating systems but must pass through this chip, the security of data transfer is increased.
The target CPU is the processor of the second hardware system, responsible for running the second operating system and the target APP.
The VPN client establishes a secure connection with the VPN server, ensuring that data transmitted over the public network cannot be read or tampered with in transit. To prevent unauthorized access and data leakage, the data of the target APP can be transmitted only in encrypted form through the VPN client of the second operating system, and can be received only by the external communication module of the first operating system. When the external communication module receives data from the second operating system, it forwards the data to the VPN server using the VPN protocol. This takes place inside the encrypted channel, ensuring the confidentiality and integrity of the data.
In a specific embodiment, the second operating system further hosts a second virtual network card, a second virtual network card adapter and a second USB interface;
and the first operating system further hosts a routing service, a first virtual network card adapter and a first USB interface.
The target APP, the VPN client, the second virtual network card adapter and the second USB interface are connected in sequence to the link communication chip;
and the external communication module, the routing service, the first virtual network card adapter and the first USB interface are connected in sequence to the link communication chip.
The second operating system hosts not only the target APP and the VPN client but also a second virtual network card, a second virtual network card adapter and a second USB interface. A virtual network card is a network interface emulated in software: it behaves like a physical network card but is not connected directly to a physical network, so a network connection can be created without a physical card. The second virtual network card is the virtual network interface created on the second operating system for network communication with the first operating system. A virtual network card adapter is the software component that connects a virtual network card to the real transport; it converts the virtual network card's frames into a format that can be carried over the actual link. The second virtual network card adapter is thus the software component that services the second virtual network card. The USB interface is a universal serial bus interface; the second USB interface is the interface provided on the second operating system for the second virtual network card, and it connects to the link communication chip.
The first operating system hosts the external communication module together with the routing service, the first virtual network card adapter and the first USB interface. The external communication module comprises a WiFi module and/or a mobile communication module.
The external communication module is a key component of the first operating system, responsible for all communication with external networks and devices. This includes communication through the WiFi module and/or the mobile communication module: the WiFi module communicates over a WiFi network and the mobile communication module over a mobile (cellular) network.
The routing service is another important component of the first operating system, responsible for managing and forwarding data packets. It selects an appropriate transmission path according to the network topology and communication requirements, ensuring reliable delivery of data.
The first virtual network card, the first virtual network card adapter and the first USB interface are the components of the first operating system that provide the communication link; their functions were described above for the second operating system and are not repeated here.
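The routing service on the first operating system is where the property that the target APP's traffic leaves the device only through the VPN can actually be enforced, because the first system cannot rely on the second to behave. The following is an added example in Python, not code from the patent or its assignees, of such a default-deny forwarding policy: only IPsec traffic (IKE, IKE over NAT-T, ESP) between the second system's link address and the configured VPN server is forwarded, in either direction, and the same policy is rendered as an nftables ruleset. The IPsec choice follows the IPsec VPN service identifier mentioned later in the description; the interface names usb0 and wlan0, the addresses 10.0.0.2 (second system) and 203.0.113.10 (VPN server), and the sample packets are all constructed assumptions.

```python
from dataclasses import dataclass

# IP protocol numbers and IPsec ports (IANA assignments)
UDP, ESP = 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP packet as seen by the forwarding path (constructed for this example)."""
    in_iface: str
    src: str
    dst: str
    proto: int
    dport: int = 0  # only meaningful for UDP


class RoutingService:
    """Default-deny forwarding policy of the first operating system.

    Off the link interface, only IPsec traffic addressed to the VPN server is forwarded to the
    external interface; from the external interface, only matching return traffic from the VPN
    server is forwarded back to the link peer. Everything else is dropped, so the second system
    cannot reach any network except through its VPN client.
    """

    def __init__(self, link_iface: str, link_peer: str, wan_iface: str, vpn_server: str):
        self.link_iface = link_iface    # assumed: USB network interface towards the link chip
        self.link_peer = link_peer      # assumed: address of the second system's virtual NIC
        self.wan_iface = wan_iface      # assumed: WiFi or cellular interface
        self.vpn_server = vpn_server    # assumed: the only permitted external destination

    @staticmethod
    def _is_ipsec(pkt: Packet) -> bool:
        return pkt.proto == ESP or (pkt.proto == UDP and pkt.dport in (IKE_PORT, NAT_T_PORT))

    def decide(self, pkt: Packet) -> str:
        """Return the forwarding verdict for one packet."""
        if pkt.in_iface == self.link_iface:
            if pkt.src == self.link_peer and pkt.dst == self.vpn_server and self._is_ipsec(pkt):
                return f"FORWARD {self.wan_iface}"
        elif pkt.in_iface == self.wan_iface:
            if pkt.src == self.vpn_server and pkt.dst == self.link_peer and self._is_ipsec(pkt):
                return f"FORWARD {self.link_iface}"
        return "DROP"

    def nft_ruleset(self) -> str:
        """Render the same policy as an nftables ruleset for a real Linux forwarding path."""
        li, wi, lp, vs = self.link_iface, self.wan_iface, self.link_peer, self.vpn_server
        ports = f"{{ {IKE_PORT}, {NAT_T_PORT} }}"
        return "\n".join([
            "table inet isolink {",
            "  chain forward {",
            "    type filter hook forward priority 0; policy drop;",
            f'    iifname "{li}" oifname "{wi}" ip saddr {lp} ip daddr {vs} udp dport {ports} accept',
            f'    iifname "{li}" oifname "{wi}" ip saddr {lp} ip daddr {vs} ip protocol esp accept',
            f'    iifname "{wi}" oifname "{li}" ip saddr {vs} ip daddr {lp} udp dport {ports} accept',
            f'    iifname "{wi}" oifname "{li}" ip saddr {vs} ip daddr {lp} ip protocol esp accept',
            "  }",
            "}",
        ])


# Constructed sample traffic: what a confined second system might emit, plus return traffic.
SAMPLE_PACKETS = [
    Packet("usb0", "10.0.0.2", "203.0.113.10", UDP, IKE_PORT),   # IKE to the VPN server
    Packet("usb0", "10.0.0.2", "203.0.113.10", ESP),             # ESP to the VPN server
    Packet("usb0", "10.0.0.2", "192.0.2.53", UDP, 53),           # plain DNS: would leak names
    Packet("usb0", "10.0.0.2", "192.0.2.80", 6, 443),            # direct HTTPS: bypasses the tunnel
    Packet("usb0", "10.0.0.2", "203.0.113.10", UDP, 53),         # non-IPsec traffic to the VPN host
    Packet("wlan0", "203.0.113.10", "10.0.0.2", ESP),            # legitimate return ESP
    Packet("wlan0", "198.51.100.7", "10.0.0.2", ESP),            # ESP from an unknown host
]


def evaluate(service: RoutingService, packets=SAMPLE_PACKETS) -> list:
    """Verdicts for a list of packets, in order."""
    return [service.decide(p) for p in packets]


if __name__ == "__main__":
    svc = RoutingService("usb0", "10.0.0.2", "wlan0", "203.0.113.10")
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(svc)):
        print(f"{verdict:14} {pkt}")
    print(svc.nft_ruleset())
```

The policy is written around the VPN server address rather than around the APP, because on the first system the only evidence of the APP is the traffic that reaches the link interface; a DNS query or a direct TLS connection from the second system is dropped rather than routed, which is the check a practitioner would want when verifying that "can only transmit through the VPN client" holds in practice.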
In a specific embodiment, the VPN client is configured to generate a first authentication parameter and send, through the first operating system, an authentication request carrying the first authentication parameter to the VPN server, so that the VPN server can verify the VPN client;
and to receive an authentication-passed response sent by the VPN server, establishing a communication link between the VPN client and the VPN server over which the data of the target APP is transmitted.
Before VPN negotiation, the VPN client and the VPN server must carry out authentication. The first authentication parameter is generated by the VPN client from the terminal device identifier and the VPN service identifier and is used to verify the identity of the client, ensuring that only authorized users or devices can access the VPN server.
The VPN client sends the authentication request to the VPN server through the first operating system. The authentication request is a message carrying the first authentication parameter, requesting authentication of the VPN client.
The VPN server verifies the identity of the VPN client; only a verified client obtains the right to access the VPN server. When authentication passes, the VPN client receives an authentication-passed response from the VPN server, indicating that the client's identity has been verified and that establishment of the communication link with the VPN server may begin.
After the communication link is established, the VPN client and the VPN server transmit the data of the target APP over it. The data may be instructions or status information sent by the target APP, or data fetched from a service server via the VPN server, so that secure remote access is achieved in both directions.
The application thus provides a mobile terminal for isolated secure communication comprising a first operating system and a second operating system, wherein the first operating system hosts an external communication module, the second operating system hosts the target APP and the VPN client, the communication interface corresponding to the first operating system is connected to the communication interface corresponding to the second operating system through a link communication chip, and the target CPU corresponding to the second operating system can transmit the data of the target APP to the external communication module of the first operating system only through the VPN client, so that the external communication module forwards the data to the VPN server over the VPN protocol. With the dual systems, the target APP is isolated in the closed second operating system, and the request data it sends and the response data it receives can be carried only between the VPN client and the VPN server over the communication link that passes through the link communication chip, so that the target APP's data is stored and transmitted securely.
Fig. 3 is a signaling diagram of a negotiation authentication process of a mobile terminal for isolating secure communication according to an embodiment of the present application.
And S301, the VPN client generates a first secret parameter according to the identifier of the mobile terminal, the identifier of the VPN communication protocol and the registration secret key, wherein the registration secret key corresponding to each mobile terminal is different.
The identifier of the mobile terminal refers to an allocated device number of the second android system, and typically, the mobile terminal with dual hardware and dual operating systems will have two device numbers, and each operating system will typically be allocated a unique device number, where these device numbers may be identifiers such as an International Mobile Equipment Identity (IMEI) or an international Mobile Equipment Identity (MEID) for uniquely identifying the mobile terminal.
VPN communication protocol identification refers to an IPSEC VPN communication protocol service identifier that is uniformly allocated and used throughout the network. It is typically assigned to each VPN client or service by a network administrator or service provider in configuring the network to ensure that all devices are properly identified and connected during IPSEC VPN communications. The IPSEC VPN communication protocol service ID is unique in the network and is used by each device to identify the VPN communication protocol service to which it belongs. In a network, VPN clients and servers need to communicate using the same ID to ensure security and reliability of data transmission.
The registration key is generated for the device, and only a device holding the correct registration key can pass authentication and access network resources. The registration key is typically set and assigned by a network administrator or service provider when the device is configured, and each device's registration key is unique.
The secret parameter is obtained by concatenating the identifier of the mobile terminal, the VPN communication protocol identifier and the registration key and hashing the result with the SM3 algorithm. SM3 is a cryptographic hash function commonly used in applications such as data integrity verification and authentication: it accepts input data and returns a hash value of fixed length. This construction ensures that the generated secret parameter is unique, since even a slight change in the input data yields a completely different hash value. Using the SM3 algorithm therefore gives the generated secret parameter a high degree of uniqueness and security.
S302: the VPN client generates a first authentication parameter from the first secret parameter and a random number.
S303: the VPN client sends the identifier of the mobile terminal, the first authentication parameter and the random number to the VPN server.
The VPN client first obtains a random number, then concatenates the first secret parameter and the random number and hashes the result with SM3 or a similar algorithm to obtain the first authentication parameter. Using a random number makes the authentication parameter generated each time different, which prevents an attacker from obtaining a correct authentication parameter by guessing or cracking. In network communication in particular, an authentication parameter that is cracked by an attacker is a serious threat to the security of the system. The random number therefore increases the complexity and security of the authentication parameter and improves the system's defensive capability.
The VPN client then sends the identifier of the mobile terminal, the first authentication parameter, the random number used to generate it, and a time stamp to the VPN server. The time stamp prevents replay attacks: each time stamp corresponds to a specific time, so even if an attacker obtains a previous authentication parameter, it cannot be reused for a replay attack in a new time window. If an attacker tries to authenticate with an expired authentication parameter, the VPN server refuses the request, protecting the security of the system. The time stamp also limits brute-force cracking: if an attacker tries to crack the system by trying different authentication parameters, the time stamp bounds the time window in which they can try. For example, if the system sets a time stamp validity period of 1 minute and an attacker tries authentication once per second, at most 60 authentication attempts can be made within that minute. This increases the difficulty of cracking the system and improves its security.
S304: the VPN server obtains, according to the identifier of the mobile terminal, the pre-stored VPN communication protocol identifier and registration key corresponding to that identifier.
S305: the VPN server generates a second secret parameter from the identifier of the mobile terminal, the corresponding VPN communication protocol identifier and the registration key.
S306: the VPN server generates a second authentication parameter from the second secret parameter and the random number obtained from the VPN client.
S307: the VPN server compares the first authentication parameter with the second authentication parameter; if they are consistent, the VPN client passes verification.
S308: the VPN server sends verification-passed information to the VPN client.
After receiving the identifier of the mobile terminal, the VPN server queries a database or file record stored on the server to obtain the VPN communication protocol identifier and registration key corresponding to the mobile terminal; this information is stored on the server when the client registers. The VPN server uses the obtained VPN communication protocol identifier and registration key, together with the identifier of the mobile terminal, to generate the second secret parameter, and then uses the second secret parameter and the random number sent by the VPN client to generate the second authentication parameter. The second authentication parameter is generated in the same manner as the first, so the procedure is not repeated here. The VPN server compares the received first authentication parameter with the second authentication parameter: if the two agree, the VPN client is authenticated; if they do not, authentication of the VPN client fails. The VPN server then feeds the verification result back to the VPN client.
This interaction between the VPN client and the server ensures that only legitimate mobile terminals can pass the VPN server's authentication and thereby access the protected network resources. Because each registration key is unique, an illegitimate terminal that attempts to forge legitimate authentication parameters cannot pass the server's authentication, since its registration key differs. Using random numbers makes each authentication process unique, which increases the flexibility of the system. Moreover, since different keys and random numbers are used, even if two clients transmit authentication parameters at the same time, their authentication parameters differ, which prevents possible collisions.
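The eight-step exchange above (S301 to S308), written out as a worked example in Python with both the client and the server side. This is an added illustration, not code from the patent or its applicants. The terminal identifier, protocol identifier and registration key values are constructed placeholders; the time-stamp validity window and the nonce replay cache implement the behaviour the description explains; the length-prefixed concatenation inside secret_parameter is this example's own choice rather than the patent's plain splicing; and SM3 is taken from hashlib where the underlying OpenSSL build provides it, with SHA-256 substituted otherwise (that substitution is an assumption of the example).

```python
import hashlib
import hmac
import os
import time
from typing import Optional


def digest(data: bytes) -> bytes:
    """Hash with SM3 where the OpenSSL behind hashlib offers it.

    hashlib exposes 'sm3' only on some builds; when it is missing we fall
    back to SHA-256 so the exchange still runs. That fallback is an
    assumption of this example; the patent specifies SM3.
    """
    try:
        h = hashlib.new("sm3")
    except ValueError:
        h = hashlib.sha256()
    h.update(data)
    return h.digest()


def secret_parameter(terminal_id: str, protocol_id: str, reg_key: bytes) -> bytes:
    """S301 / S305: hash(terminal id || protocol id || registration key).

    Length-prefixing each field (example's choice) stops two different
    triples of variable-length fields from concatenating to the same bytes.
    """
    parts = [terminal_id.encode(), protocol_id.encode(), reg_key]
    return digest(b"".join(len(p).to_bytes(2, "big") + p for p in parts))


def authentication_parameter(secret: bytes, nonce: bytes) -> bytes:
    """S302 / S306: hash(secret parameter || random number)."""
    return digest(secret + nonce)


class VpnClient:
    """Runs on the isolated second operating system (S301-S303)."""

    def __init__(self, terminal_id: str, protocol_id: str, reg_key: bytes):
        self.terminal_id = terminal_id
        self.protocol_id = protocol_id
        self.reg_key = reg_key

    def build_request(self, now: Optional[int] = None) -> dict:
        nonce = os.urandom(16)  # fresh random number per authentication
        secret = secret_parameter(self.terminal_id, self.protocol_id, self.reg_key)
        return {
            "terminal_id": self.terminal_id,
            "auth": authentication_parameter(secret, nonce),
            "nonce": nonce,
            "timestamp": int(time.time() if now is None else now),
        }


class VpnServer:
    """Holds the per-terminal records stored at registration (S304-S308)."""

    def __init__(self, registrations: dict, validity_seconds: int = 60):
        self.registrations = registrations  # terminal_id -> (protocol_id, reg_key)
        self.validity = validity_seconds
        self.seen = {}  # (terminal_id, nonce) -> timestamp, for replay detection

    def verify(self, req: dict, now: Optional[int] = None):
        now = int(time.time() if now is None else now)
        record = self.registrations.get(req["terminal_id"])  # S304
        if record is None:
            return False, "unknown terminal identifier"
        if abs(now - req["timestamp"]) > self.validity:
            return False, "timestamp outside validity window"
        key = (req["terminal_id"], req["nonce"])
        if key in self.seen:
            return False, "random number already used (replay)"
        protocol_id, reg_key = record
        expected = authentication_parameter(  # S305 + S306
            secret_parameter(req["terminal_id"], protocol_id, reg_key), req["nonce"])
        if not hmac.compare_digest(expected, req["auth"]):  # S307, constant time
            return False, "authentication parameter mismatch"
        # Remember the nonce, and drop entries too old to be replayed anyway.
        self.seen[key] = req["timestamp"]
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.validity}
        return True, "verification passed"  # S308


def demo():
    """One registered terminal (constructed placeholder values) doing a
    valid handshake, then replaying the same request."""
    reg_key = b"example-registration-key"
    server = VpnServer({"IMEI-EXAMPLE-001": ("IPSEC-SVC-01", reg_key)})
    client = VpnClient("IMEI-EXAMPLE-001", "IPSEC-SVC-01", reg_key)
    req = client.build_request(now=1_700_000_000)
    first = server.verify(req, now=1_700_000_005)
    replay = server.verify(req, now=1_700_000_006)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The server keeps only the registration record, never the secret parameter itself, so a fresh secret is recomputed per request from the stored protocol identifier and key; the comparison in S307 uses a constant-time compare so that a mismatch leaks nothing about how many bytes matched.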
Finally, it should be noted that: other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the application following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the application pertains. The present application is not limited to the precise construction which has been described above and illustrated in the drawings, and various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A mobile terminal for isolating secure communications, comprising: a first operating system and a second operating system; wherein:
The first operating system is used for bearing an external communication module;
the second operating system is used for bearing a target APP and a VPN client;
the communication interface corresponding to the first operating system is connected with the communication interface corresponding to the second operating system through a link communication chip;
and the target CPU corresponding to the second operating system can only transmit the data of the target APP to the external communication module of the first operating system through the VPN client, so that the external communication module forwards the data to the VPN server through a VPN protocol.
2. The mobile terminal according to claim 1, wherein the VPN client is configured to generate a first authentication parameter, and send, through the first operating system, an authentication request carrying the first authentication parameter to the VPN server, so that the VPN server verifies the VPN client;
receiving an authentication passing response sent by the VPN server to establish a communication link between the VPN client and the VPN server, wherein the VPN client and the VPN server transmit data of the target APP through the communication link.
3. The mobile terminal according to claim 2, wherein the VPN client is specifically configured to:
generating a first secret parameter according to the identifier of the mobile terminal, the VPN communication protocol identifier and the registration secret key, wherein the registration secret key corresponding to each mobile terminal is different;
generating a first authentication parameter according to the first secret parameter and the random number;
and sending the identifier of the mobile terminal, the first authentication parameter and the random number to the VPN server.
4. A mobile terminal according to claim 3, wherein the VPN server verifies the VPN client by:
acquiring a pre-stored VPN communication protocol identifier corresponding to the identifier and a registration key according to the identifier of the mobile terminal;
generating a second secret parameter according to the identifier of the mobile terminal, the VPN communication protocol identifier corresponding to the identifier and the registration secret key;
generating a second authentication parameter according to the second secret parameter and the random number acquired from the VPN client;
and if the first authentication parameter is consistent with the second authentication parameter, verifying to pass.
5. The mobile terminal of claim 1, wherein the second operating system is further configured to carry a second virtual network card, a second virtual network card adapter, and a second USB interface;
the first operating system is also used for bearing routing service, a first virtual network card adapter and a first USB interface;
the target APP, the VPN client, the second virtual network card adapter and the second USB interface are sequentially communicated to the link communication chip;
the external communication module, the routing service, the first virtual network card adapter and the first USB interface are sequentially communicated with the link communication chip.
6. The mobile terminal of claim 5, wherein the first operating system and the second operating system are the same type of operating system, and wherein the first operating system and the second operating system each correspond to separate hardware and kernel.
7. The mobile terminal according to claim 1, wherein the external communication module comprises a WIFI module and/or a mobile communication module.
8. A method of isolated secure communication, wherein the method is applied to a CPU of a terminal device according to any one of claims 1 to 7, the method comprising:
acquiring data to be transmitted of the target APP;
transmitting the data of the target APP to an external communication module of the first operating system through the VPN client, so that the external communication module forwards the data to a VPN server through a VPN protocol.
9. The method of claim 8, wherein prior to the obtaining the data to be transmitted by the target APP, the method further comprises:
generating a first authentication parameter, and sending an authentication request carrying the first authentication parameter to the VPN server through the first operating system so that the VPN server can verify the VPN client;
receiving an authentication passing response sent by the VPN server to establish a communication link between the VPN client and the VPN server, wherein the VPN client and the VPN server transmit data of the target APP through the communication link.
10. The method of claim 9, wherein the generating the first authentication parameter comprises:
generating a first secret parameter according to the identifier of the mobile terminal, the VPN communication protocol identifier and the registration secret key, wherein the registration secret key corresponding to each mobile terminal is different;
generating a first authentication parameter according to the first secret parameter and the random number;
and sending the identifier of the mobile terminal, the first authentication parameter and the random number to the VPN server.
CN202311519494.XA 2023-11-15 2023-11-15 Mobile terminal for isolating secret communication and communication method Pending CN117319080A (en)


Publications (1)

Publication Number Publication Date
CN117319080A true CN117319080A (en) 2023-12-29

Family

ID=89242866



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination