CN117395084B - Cloud storage resource access method, device, equipment and storage medium - Google Patents


Info

Publication number
CN117395084B
Authority
CN
China
Prior art keywords
message
access
load
virtual machine
encrypted
Prior art date
Legal status
Active
Application number
CN202311691676.5A
Other languages
Chinese (zh)
Other versions
CN117395084A (en)
Inventor
陈海锋
李朝霞
王茜
赵鑫
周嫣力
杨一帆
Current Assignee
China United Network Communications Group Co Ltd
Unicom Digital Technology Co Ltd
Unicom Cloud Data Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Unicom Digital Technology Co Ltd
Unicom Cloud Data Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

The application provides a cloud storage resource access method, device, equipment and storage medium, wherein the terminal equipment acquires a message load for accessing a virtual machine; encrypts the message load to obtain an encrypted message load; generates an access message according to the encrypted message load; sends the access message to the target physical machine so that the target physical machine decrypts the encrypted message load to obtain the message load, generates a forwarding message according to the access message and the message load, and sends the forwarding message to the target virtual machine through a virtual machine network card corresponding to the target virtual machine; receives a response message sent by the target physical machine, wherein the response message is obtained by the target physical machine packaging the encrypted return message after receiving it from the target virtual machine through the virtual machine network card; and decrypts the response message to obtain a return message.

Description

Cloud storage resource access method, device, equipment and storage medium
Technical Field
The present disclosure relates to the field of cloud servers, and in particular, to a method, an apparatus, a device, and a storage medium for accessing cloud storage resources.
Background
Cloud storage is a mode of online storage on a network, i.e., data is stored on multiple virtual servers, typically hosted by third parties, rather than on dedicated servers. Hosting companies operate large data centers, and people who need data storage meet their requirements by purchasing or renting storage space from them. According to the requirements of clients, a data center operator prepares storage virtualized resources at the back end, provides virtual machine resources for users, and provides the virtual machine resources in a storage resource pool (storage pool) mode, so that users can store files or objects using the storage resource pool.
In the related art, when a user accesses a resource of a virtual machine, the user needs to initiate access through a physical machine where the virtual machine is located, and access the rented virtual machine through a gateway of the physical machine where the virtual machine is located.
However, in the prior art, users cannot access virtual machine resources through their own terminal equipment, and the cloud storage resource access mode has poor flexibility and poor security.
Disclosure of Invention
The application provides a cloud storage resource access method, device, equipment and storage medium, which are used for solving the technical problems that, in the prior art, a user cannot access virtual machine resources through their own terminal equipment, and the cloud storage resource access mode is poor in flexibility and security.
In a first aspect, the present application provides a cloud storage resource access method, applied to a terminal device, where the method includes:
acquiring a message load for accessing the virtual machine;
encrypting the message load to obtain an encrypted message load;
generating an access message according to the encrypted message load;
the access message is sent to the destination physical machine, so that the destination physical machine decrypts the encrypted message load to obtain the message load, a forwarding message is generated according to the access message and the message load, and the forwarding message is sent to the destination virtual machine through a virtual machine network card corresponding to the destination virtual machine;
receiving a response message sent by the target physical machine, wherein the response message is obtained by the target physical machine after receiving an encrypted return message returned by the target virtual machine through the virtual machine network card, and performing packaging processing on the encrypted return message, and the encrypted return message is obtained by encrypting the return message by adopting a device key of the terminal device after the target virtual machine generates the return message according to the forwarding message;
and decrypting the response message to obtain the return message.
The user can access the cloud storage resources through their own terminal equipment. An encryption function is added at the terminal equipment end and at the physical machine end where the virtual machine corresponding to the terminal equipment is located. When the terminal equipment initiates access, it first encrypts the message load to obtain an encrypted message load; according to the encrypted message load, the address of the accessed destination virtual machine and the address of the destination physical machine where the destination virtual machine is located, the destination physical machine can initiate access to the destination virtual machine, carry out the encryption and forwarding operations, package the message returned by the destination virtual machine and return it to the terminal equipment. Access of the terminal equipment to the destination virtual machine is thereby realized: the user can access the cloud storage resources through the terminal equipment without logging in to the physical machine, the flexibility of the cloud storage resource access mode is improved, and the security of cloud resource access is improved through encrypted transmission.
Optionally, the message load includes an access destination address and a content load, where the access destination address includes a network card address of a destination physical machine and a private network address of a destination virtual machine in the destination physical machine;
Correspondingly, the encrypting the message load to obtain an encrypted message load comprises the following steps: encrypting the content load to obtain a content encryption load; and combining the access destination address and the content encryption load to obtain an encrypted message load.
Here, the message load of the terminal equipment initiating access includes an access destination address and a content load, the access destination address is used for indicating the address of the virtual machine so as to realize access to the destination virtual machine, the content load is used for indicating specific content of the access, and the terminal equipment performs encryption processing on the content load, so that the security of cloud storage resource access can be effectively improved, and the user experience is improved.
Optionally, the generating an access message according to the encrypted message load includes:
determining the address of the terminal equipment as the source address of an access message, and determining the network card address of the destination physical machine as the destination address of the access message;
determining a source address of the access message and a destination address of the access message as message heads of the access message, determining the encrypted message load as the load of the access message, and generating the access message according to the message heads of the access message and the load of the access message.
According to the address of the terminal equipment, the network card address of the target physical machine and the encrypted message load, the terminal equipment in the application generates the access message, so that the target physical machine and the target virtual machine being accessed can be accurately indicated, the access to the target virtual machine which provides the cloud storage resource is accurately initiated, and access to the cloud storage resource from the user's terminal equipment is realized.
Optionally, the decrypting the response message to obtain the return message includes:
and decrypting the response message according to the equipment key stored in the terminal equipment to obtain the return message.
Here, when encrypting, the method can adopt the equipment key stored in the terminal equipment, the terminal equipment can decrypt the response message through the own equipment key to obtain the return message, each terminal equipment adopts the own key to encrypt and decrypt, the key is not easy to leak, and the security of cloud storage resource access is further improved.
In a second aspect, the present application provides a cloud storage resource access method, applied to a destination physical machine, where the method includes:
receiving an access message sent by a terminal device, wherein the access message is a message load of an access virtual machine obtained by the terminal device, carrying out encryption processing on the message load, and generating according to the encrypted message load after obtaining the encrypted message load;
decrypting the encrypted message load to obtain the message load;
generating a forwarding message according to the access message and the message load;
the forwarding message is sent to a target virtual machine through a virtual machine network card corresponding to the target virtual machine, so that the target virtual machine generates a return message according to the forwarding message, and the return message is encrypted by adopting a device key of the terminal device to obtain an encrypted return message;
receiving an encrypted return message returned by the target virtual machine through the virtual machine network card;
packaging the encrypted return message to obtain a response message;
and sending the response message to the terminal equipment so that the terminal equipment can decrypt the response message to obtain the return message.
The target physical machine is used for running the function of the virtual machine, provides forwarding of access messages, forwarding of return messages and the like for the terminal equipment of the user, and executes the encryption and decryption functions of the messages, and the safe access of the user to the cloud storage resources through the terminal equipment is realized through forwarding, encryption and decryption of the physical machine.
Optionally, the decrypting the encrypted message load to obtain the message load includes:
Inquiring in a key database according to the equipment identification of the terminal equipment to determine the equipment key of the terminal equipment; and decrypting the encrypted message load according to the equipment key to obtain the message load.
Here, the device key of the terminal device is stored in the physical machine, so that decryption and encryption processing can be realized on the message by the stored device key corresponding to the terminal device for each terminal device, and the security of cloud storage resource access is further improved.
Optionally, the message load includes an access destination address and a content load, the access destination address includes a network card address of a destination physical machine and a private network address of a destination virtual machine in the destination physical machine, and the access message includes an address of the terminal device;
correspondingly, the generating a forwarding message according to the access message and the message load includes:
determining the address of the terminal equipment as the source address of a forwarding message, and determining the private network address of the destination virtual machine in the destination physical machine as the destination address of the forwarding message; determining the source address of the forwarding message and the destination address of the forwarding message as message heads of the forwarding message, determining the message load as the message load of the forwarding message, and generating a forwarding message according to the message heads of the forwarding message and the message load of the access message.
The physical machine generates the forwarding message through the private network address and the message load of the target virtual machine, so that the accurate forwarding of the user access message is realized, and the reliability of cloud storage resource access is further improved.
Optionally, the encapsulating the encrypted return message to obtain a response message includes:
and according to the address of the terminal equipment, the network card address of the target physical machine and the private network address of the target virtual machine in the target physical machine, carrying out encapsulation processing on the encrypted return message to obtain a response message.
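The exchange described in the first and second aspects above (access message, forwarding message, encrypted return message, response message), as an added example that is not part of the patent or of any implementation by the assignees. It simulates all three parties in one process. Everything not in the patent text is an assumption: the cipher (the patent names none, so a constructed HMAC-SHA256 keystream with an HMAC tag stands in for an AEAD such as AES-GCM), the addresses, the key database contents, the device identification being carried in the access message header so the physical machine can query its key database, and the destination virtual machine receiving the device key from the physical machine. The access destination address stays in the clear as the text describes; the example additionally binds it into the authentication tag as associated data, so that a destination address altered in transit makes decryption fail at the physical machine, a check the text does not spell out.

```python
import hashlib
import hmac
import json
import os

# Constructed toy authenticated encryption: HMAC-SHA256 keystream plus HMAC tag.
# A deployment would use a real AEAD (e.g. AES-GCM); the patent names no cipher.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext, aad=b""):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob, aad=b""):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

# Constructed key database (device identification -> device key) held by the physical machine.
KEY_DB = {"dev-001": hashlib.sha256(b"constructed device key dev-001").digest()}
# Constructed addresses; the names follow the patent text.
TERMINAL_ADDR = "203.0.113.10"   # address of the terminal device
PHYS_NIC_ADDR = "198.51.100.5"   # network card address of the destination physical machine
VM_PRIVATE_ADDR = "10.0.0.7"     # private network address of the destination virtual machine

def _aad(dest):
    # Clear-text access destination address, authenticated but not encrypted.
    return json.dumps(dest, sort_keys=True).encode()

def terminal_build_access_message(device_id, content):
    """First aspect: encrypt the content load, keep the access destination address in the
    clear, build the access message with src = terminal, dst = physical machine NIC.
    Assumption: the device identification travels in the header so the key can be found."""
    dest = {"phys_nic": PHYS_NIC_ADDR, "vm_private": VM_PRIVATE_ADDR}
    enc_content = encrypt(KEY_DB[device_id], content, aad=_aad(dest))
    return {"src": TERMINAL_ADDR, "dst": PHYS_NIC_ADDR, "device_id": device_id,
            "load": {"dest": dest, "content": enc_content.hex()}}

def vm_handle(forwarding_msg, device_key):
    """Destination VM: build the return message and encrypt it with the terminal's device
    key. Assumption: the physical machine hands the key over (the text leaves this open)."""
    request = forwarding_msg["load"]["content"].decode()
    reply = f"OK {request} from {forwarding_msg['dst']} for {forwarding_msg['src']}".encode()
    return encrypt(device_key, reply)

def physical_machine_handle(access_msg, vm_handler=vm_handle):
    """Second aspect: query the key database by device identification, decrypt the content
    load, build the forwarding message (src = terminal, dst = VM private address), pass it
    to the VM and encapsulate the VM's encrypted return message into the response message."""
    key = KEY_DB.get(access_msg["device_id"])
    if key is None:
        raise PermissionError("no device key for this terminal")
    dest = access_msg["load"]["dest"]
    if access_msg["dst"] != dest["phys_nic"]:
        raise ValueError("access message not addressed to this physical machine")
    # The tag check fails if either the content or the clear-text destination address changed.
    content = decrypt(key, bytes.fromhex(access_msg["load"]["content"]), aad=_aad(dest))
    forwarding_msg = {"src": access_msg["src"], "dst": dest["vm_private"],
                      "load": {"dest": dest, "content": content}}
    encrypted_return = vm_handler(forwarding_msg, key)
    # Response message: encapsulated with the terminal address, physical NIC and VM address.
    return {"src": dest["phys_nic"], "dst": access_msg["src"],
            "vm_private": dest["vm_private"], "load": encrypted_return.hex()}

def terminal_read_response(device_id, response):
    """First aspect, last step: decrypt the response with the device key stored locally."""
    return decrypt(KEY_DB[device_id], bytes.fromhex(response["load"]))

def run_exchange(device_id="dev-001", content=b"GET /bucket/object"):
    access = terminal_build_access_message(device_id, content)
    response = physical_machine_handle(access)
    return terminal_read_response(device_id, response)

def modified_destination_is_rejected():
    """The clear-text VM address is bound into the tag: a change in transit is detected."""
    access = terminal_build_access_message("dev-001", b"GET /bucket/object")
    access["load"]["dest"]["vm_private"] = "10.0.0.99"
    try:
        physical_machine_handle(access)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(run_exchange())
    print("modified destination rejected:", modified_destination_is_rejected())
```

The return message carries the forwarding message's source and destination so that the terminal can confirm which virtual machine answered which request; per-device keys mean that a response can only be read by the terminal whose key the physical machine looked up.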
In a third aspect, the present application provides a cloud storage resource access device, applied to a terminal device, where the device includes:
the acquisition module is used for acquiring a message load for accessing the virtual machine;
the first encryption module is used for carrying out encryption processing on the message load to obtain an encrypted message load;
the first generation module is used for generating an access message according to the encrypted message load;
the first processing module is used for sending the access message to the destination physical machine so that the destination physical machine can decrypt the encrypted message load to obtain the message load, generating a forwarding message according to the access message and the message load, and sending the forwarding message to the destination virtual machine through a virtual machine network card corresponding to the destination virtual machine;
The first receiving module is used for receiving a response message sent by the target physical machine, wherein the response message is obtained by packaging the encrypted return message after the target physical machine receives the encrypted return message returned by the target virtual machine through the virtual machine network card, and the encrypted return message is obtained by encrypting the return message by adopting a device key of the terminal device after the target virtual machine generates the return message according to the forwarding message;
and the first decryption module is used for decrypting the response message to obtain the return message.
Optionally, the message load includes an access destination address and a content load, where the access destination address includes a network card address of a destination physical machine and a private network address of a destination virtual machine in the destination physical machine;
correspondingly, the first encryption module is specifically configured to:
encrypting the content load to obtain a content encryption load;
and combining the access destination address and the content encryption load to obtain an encrypted message load.
Optionally, the first generating module is specifically configured to:
determining the address of the terminal equipment as the source address of an access message, and determining the network card address of the destination physical machine as the destination address of the access message;
Determining a source address of the access message and a destination address of the access message as message heads of the access message, determining the encrypted message load as the load of the access message, and generating the access message according to the message heads of the access message and the load of the access message.
Optionally, the first decryption module is specifically configured to:
and decrypting the response message according to the equipment key stored in the terminal equipment to obtain the return message.
In a fourth aspect, the present application provides a cloud storage resource access device, applied to a destination physical machine, where the device includes:
the second receiving module is used for receiving an access message sent by the terminal equipment, wherein the access message is a message load of the access virtual machine obtained by the terminal equipment, the message load is encrypted, and after the encrypted message load is obtained, the access message is generated according to the encrypted message load;
the second decryption module is configured to decrypt the encrypted message load to obtain the message load;
the second generation module is used for generating a forwarding message according to the access message and the message load;
the second processing module is used for sending the forwarding message to the target virtual machine through a virtual machine network card corresponding to the target virtual machine, so that the target virtual machine generates a return message according to the forwarding message, and encrypts the return message by adopting a device key of the terminal device to obtain an encrypted return message;
The third receiving module is used for receiving an encrypted return message returned by the target virtual machine through the virtual machine network card;
the third processing module is used for carrying out encapsulation processing on the encrypted return message to obtain a response message;
and the fourth processing module is used for sending the response message to the terminal equipment so that the terminal equipment can decrypt the response message to obtain the return message.
Optionally, the second decryption module is specifically configured to:
inquiring in a key database according to the equipment identification of the terminal equipment to determine the equipment key of the terminal equipment;
and decrypting the encrypted message load according to the equipment key to obtain the message load.
Optionally, the message load includes an access destination address and a content load, the access destination address includes a network card address of a destination physical machine and a private network address of a destination virtual machine in the destination physical machine, and the access message includes an address of the terminal device;
correspondingly, the second generating module is specifically configured to:
determining the address of the terminal equipment as the source address of a forwarding message, and determining the private network address of the destination virtual machine in the destination physical machine as the destination address of the forwarding message;
Determining the source address of the forwarding message and the destination address of the forwarding message as message heads of the forwarding message, determining the message load as the message load of the forwarding message, and generating a forwarding message according to the message heads of the forwarding message and the message load of the access message.
Optionally, the third processing module is specifically configured to:
and according to the address of the terminal equipment, the network card address of the target physical machine and the private network address of the target virtual machine in the target physical machine, carrying out encapsulation processing on the encrypted return message to obtain a response message.
In a fifth aspect, the present application provides a cloud storage resource access device, including: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes the computer-executable instructions stored by the memory, causing the at least one processor to perform the cloud storage resource access method as described above in the first aspect and the various possible designs of the first aspect.
In a sixth aspect, the present application provides a computer readable storage medium, where computer executable instructions are stored, when executed by a processor, to implement the cloud storage resource access method according to the first aspect and the various possible designs of the first aspect.
In a seventh aspect, the present application provides a computer program product, comprising a computer program, which when executed by a processor, implements the cloud storage resource access method according to the first aspect and the various possible designs of the first aspect.
In an eighth aspect, the present application provides a cloud storage resource access device, including: at least one processor and memory;
the memory stores computer-executable instructions;
the at least one processor executes the computer-executable instructions stored by the memory, causing the at least one processor to perform the cloud storage resource access method of the second aspect and the various possible designs of the second aspect.
In a ninth aspect, the present application provides a computer readable storage medium, where computer executable instructions are stored, when executed by a processor, to implement the cloud storage resource access method according to the second aspect and the various possible designs of the second aspect.
In a tenth aspect, the present application provides a computer program product, comprising a computer program, which when executed by a processor, implements the cloud storage resource access method according to the second aspect and the various possible designs of the second aspect.
According to the cloud storage resource access method, device, equipment and storage medium, a user can access cloud storage resources through their own terminal equipment. An encryption function is added to the terminal equipment end and to the physical machine end where the virtual machine corresponding to the terminal equipment is located. When the terminal equipment initiates access, it first encrypts the message load to obtain an encrypted message load; according to the encrypted message load, the address of the target virtual machine to be accessed and the address of the target physical machine where the target virtual machine is located, the target physical machine can initiate access to the target virtual machine, the encryption and forwarding operations are conducted on the target physical machine, and after the message returned by the target virtual machine is packaged, it is returned to the terminal equipment, and therefore access of the terminal equipment to the target virtual machine is achieved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive faculty for a person skilled in the art.
Fig. 1 is a schematic system architecture diagram of a cloud storage resource access method according to an embodiment of the present application;
fig. 2 is a flow chart of a cloud storage resource access method provided in an embodiment of the present application;
fig. 3 is a flow chart of another cloud storage resource access method according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an access packet according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a forwarding packet according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an encrypted return message according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of a response message provided in an embodiment of the present application;
fig. 8 is a schematic structural diagram of a cloud storage resource access device according to an embodiment of the present application;
fig. 9 is a schematic structural diagram of a cloud storage resource access device according to an embodiment of the present application.
Specific embodiments of the present disclosure have been shown by way of the above drawings and will be described in more detail below. These drawings and the written description are not intended to limit the scope of the disclosed concepts in any way, but rather to illustrate the disclosed concepts to those skilled in the art by reference to specific embodiments.
Detailed Description
Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
The terms "first," "second," "third," and "fourth" and the like in the description and in the claims of this application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, the user information (including but not limited to user equipment information, user personal information, etc.) and the data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or fully authorized by each party, and the collection, use and processing of the related data need to comply with the related laws and regulations and standards, and provide corresponding operation entries for the user to select authorization or rejection.
Cloud storage is a new concept that extends and derives from cloud computing concepts. Cloud computing is a development of distributed processing, parallel processing and grid computing, and is characterized in that a huge computing processing program is automatically split into a plurality of small subroutines through a network, and then the subroutines are transmitted to a huge system consisting of a plurality of servers to be computed and analyzed, after which the processing result is transmitted back to the user. Through cloud computing technology, network service providers can process tens or even hundreds of millions of pieces of information within seconds, reaching network services as powerful as "supercomputers". The concept of cloud storage is similar to cloud computing: cloud storage is a system which integrates a large number of different types of storage devices in a network through application software so that they work cooperatively and jointly provide data storage and service access functions to the outside, through functions such as cluster application, grid technology or a distributed file system, so that the safety of data is ensured and storage space is saved. In short, cloud storage is an emerging scheme for placing storage resources on the cloud for access. The user can conveniently access the data at any time and anywhere by connecting to the cloud through any networking-capable device. Hosting companies operate large data centers, and people who need data storage meet their requirements by purchasing or renting storage space from them. The data center operator prepares the storage virtualized resource at the back end according to the requirement of the client, provides the virtual machine resource for the user, and provides the virtual machine resource in a storage resource pool mode, and the user can use the storage resource pool to store files or objects.
In the related art, when a user accesses a resource of a virtual machine, the user needs to initiate access through a physical machine where the virtual machine is located, and access the rented virtual machine through a gateway of the physical machine where the virtual machine is located.
In the prior art, in order to secure cloud storage access, a vNICa and an encryption module are added to the virtual machines of different tenants on a physical machine, where vNICa refers to the network interface cards (Network Interface Card, NIC) of the different virtual machines. Because the vNICa and the encryption module are added to the virtual machines of different tenants, this scheme mainly addresses the security of communication among virtual machines of the same tenant. It offers no solution, however, when a tenant wants to access resources on its own virtual machine on a physical machine from its own machine, for example the user's terminal device, over the public network. In summary, in the prior art users cannot access virtual machine resources through their own terminal devices, so the cloud storage resource access mode has poor flexibility and poor security.
In order to solve the above technical problems, the embodiments of the present application provide a cloud storage resource access method, apparatus, device, and storage medium in which a user may access a cloud storage resource through his own terminal device. An encryption function is added both to the terminal device and to the physical machine on which the virtual machine corresponding to the terminal device is located. When the terminal device initiates access, it first encrypts the message load to obtain an encrypted message load, and then, according to the encrypted message load, the address of the destination virtual machine to be accessed, and the address of the destination physical machine where the destination virtual machine is located, initiates access to the destination virtual machine through the destination physical machine. The destination physical machine performs the decryption, encryption and forwarding operations, encapsulates the message returned by the destination virtual machine, and returns it to the terminal device.
Optionally, fig. 1 is a schematic diagram of a cloud storage resource access system architecture provided in an embodiment of the present application. The cloud storage resource access system architecture in the embodiment of the present application includes a physical machine 101 and a terminal device 102.
The physical machine 101 and the terminal device 102 may implement a communication connection.
The physical machine 101 is a destination physical machine where a destination virtual machine rented by a terminal device is located.
A plurality of virtual machines can run on the physical machine 101, and cloud storage resources are provided to users through these virtual machines. A user uses cloud storage resources by accessing virtual machines. In this embodiment of the present application, a physical machine including 4 virtual machines (Virtual Machine, VM) is taken as an example: as shown in fig. 1, the physical machine 101 includes a first virtual machine 1011, a second virtual machine 1012, a third virtual machine 1013, and a fourth virtual machine 1014. The first virtual machine 1011 is also named VMa1, the second virtual machine 1012 is also named VMb1, the third virtual machine 1013 is also named VMa2, and the fourth virtual machine 1014 is also named VMb2. As the names indicate, VMa1 and VMa2 are virtual machines leased by user a, who can use cloud storage resources on VMa1 and VMa2, while VMb1 and VMb2 are virtual machines leased by user b, who can use cloud storage resources on VMb1 and VMb2.
The physical machine 101 further includes a gateway 1015 of the physical machine, and the gateway 1015 may implement communication functions of the physical machine 101. Gateway 1015 is disposed on a hardware platform layer.
The physical machine 101 further includes a first virtual machine gateway 1016 and a second virtual machine gateway 1017, where the first virtual machine gateway 1016 is also called vNICa and provides communication functions for VMa1 and VMa2, and the second virtual machine gateway 1017 is also called vNICb and provides communication functions for VMb1 and VMb2. The first virtual machine gateway 1016 and the second virtual machine gateway 1017 are provided at the Operating System (OS) layer.
The physical machine 101 further includes an encryption module 1018 of the physical machine, and the terminal device 102 further includes an encryption module 1021 of the terminal device, which can perform encryption and decryption functions.
Optionally, the physical machine may further include a virtual machine monitor (hypervisor) and other structures, which are not shown in the figure.
Optionally, the encryption module 1018 of the physical machine stores the terminal keys of all terminal devices.
Optionally, the encryption module of each terminal device stores its own terminal key.
It should be understood that any of the foregoing structures, numbers of modules, and specific compositions may be determined according to actual situations, and that fig. 1 is merely schematic.
It will be appreciated that the architecture illustrated in the embodiments of the present application does not constitute a specific limitation on the architecture of the cloud storage resource access system. In other possible embodiments of the present application, the architecture may include more or fewer components than those illustrated, or some components may be combined, some components may be separated, or different component arrangements may be specifically determined according to the actual application scenario, and the present application is not limited herein. The components shown in fig. 1 may be implemented in hardware, software, or a combination of software and hardware.
Optionally, both the physical machine and the terminal device may include a processor or a processing device.
It will be appreciated that the processing device described above may be implemented by a processor reading instructions in a memory and executing the instructions, or by a chip circuit.
In addition, the network architecture and the service scenario described in the embodiments of the present application are for more clearly describing the technical solution of the embodiments of the present application, and do not constitute a limitation on the technical solution provided in the embodiments of the present application, and as a person of ordinary skill in the art can know, with evolution of the network architecture and appearance of a new service scenario, the technical solution provided in the embodiments of the present application is also applicable to similar technical problems.
The following describes the technical solutions of the present application and how the technical solutions of the present application solve the above technical problems in detail with specific embodiments. The following embodiments may be combined with each other, and the same or similar concepts or processes may not be described in detail in some embodiments. Embodiments of the present application will be described below with reference to the accompanying drawings.
Fig. 2 is a flow chart of a cloud storage resource access method provided in the embodiment of the present application, where the embodiment of the present application may be applied to the terminal device 102 in fig. 1, and a specific execution body may be determined according to an actual application scenario. As shown in fig. 2, the method comprises the steps of:
S201: obtaining the message load for accessing the virtual machine.
The message load may be obtained from an access request or an access operation of the user on the terminal device.
S202: encrypting the message load to obtain an encrypted message load.
Optionally, the message load includes an access destination address and a content load, where the access destination address includes the network card address of the destination physical machine and the private network address of the destination virtual machine in the destination physical machine;
correspondingly, encrypting the message load to obtain an encrypted message load includes the following steps: encrypting the content load to obtain a content encrypted load; and combining the access destination address and the content encrypted load to obtain the encrypted message load.
Optionally, the content payload is encrypted by a device key of the terminal device.
Here, in the embodiment of the present application, the message load for initiating access by the terminal device includes an access destination address and a content load, where the access destination address is used to indicate an address of a virtual machine, so as to implement access to a destination virtual machine, the content load is used to indicate specific content to be accessed, and the terminal device performs encryption processing on the content load, so that security of access to cloud storage resources can be effectively improved, and user experience is improved.
S203: generating an access message according to the encrypted message load.
Optionally, generating the access message according to the encrypted message load includes:
determining the address of the terminal equipment as the source address of the access message, and determining the network card address of the destination physical machine as the destination address of the access message;
determining a source address of the access message and a destination address of the access message as message heads of the access message, determining an encrypted message load as a load of the access message, and generating the access message according to the message heads of the access message and the load of the access message.
In the embodiment of the application, the terminal device generates the access message from the address of the terminal device, the network card address of the destination physical machine and the encrypted message load, so the destination physical machine and the destination virtual machine to be accessed can be indicated accurately, access to the destination virtual machine that provides the cloud storage resource is initiated accurately, and access to the cloud storage resource from the user's terminal device is realized.
S204: sending the access message to the destination physical machine, so that the destination physical machine decrypts the encrypted message load to obtain the message load, generates a forwarding message according to the access message and the message load, and sends the forwarding message to the destination virtual machine through the virtual machine network card corresponding to the destination virtual machine.
S205: receiving a response message sent by the destination physical machine.
The response message is obtained by the destination physical machine encapsulating the encrypted return message after receiving it from the destination virtual machine through the virtual machine network card.
The encrypted return message is obtained by the destination virtual machine generating a return message according to the forwarding message and then encrypting the return message with the device key of the terminal device.
S206: decrypting the response message to obtain the return message.
Optionally, decrypting the response message to obtain the return message includes:
decrypting the response message according to the device key stored in the terminal device to obtain the return message.
Here, the embodiment of the application uses the device key stored in the terminal device for encryption, and the terminal device decrypts the response message with the same device key to obtain the return message. Because each terminal device encrypts and decrypts with its own key, a key is not easily leaked, and the security of cloud storage resource access is further improved.
The embodiment of the application provides a safe and reliable cloud storage resource access method in which a user can access cloud storage resources through his own terminal device. An encryption function is added at the terminal device and at the physical machine where the virtual machine corresponding to the terminal device is located. When the terminal device initiates access, it first encrypts the message load to obtain an encrypted message load; then, according to the encrypted message load, the address of the destination virtual machine to be accessed and the address of the destination physical machine where the destination virtual machine is located, access to the destination virtual machine is initiated through the destination physical machine. The destination physical machine performs the encryption and forwarding operations, and the message returned by the destination virtual machine is encapsulated and returned to the terminal device. Access by the terminal device to the destination virtual machine is thus realized: the user can access cloud storage resources through the terminal device without logging in to the physical machine, which improves the flexibility of the cloud storage resource access mode, while encrypted transmission improves the security of cloud resource access.
Fig. 3 is a flow chart of another cloud storage resource access method provided by the embodiment of the present application, where an execution subject of the embodiment of the present application is a target physical machine, and may be applied to the physical machine 101 in fig. 1, where the physical machine 101 is a physical machine where a virtual machine corresponding to a user terminal is located, and a specific execution subject may be determined according to an actual application scenario. As shown in fig. 3, the method comprises the steps of:
S301: receiving an access message sent by the terminal device.
The access message is generated by the terminal device as follows: the terminal device obtains the message load for accessing the virtual machine, encrypts the message load to obtain an encrypted message load, and generates the access message according to the encrypted message load.
S302: decrypting the encrypted message load to obtain the message load.
Here, the encrypted message load is taken from the access message.
Optionally, decrypting the encrypted message load to obtain the message load includes:
querying a key database according to the device identification of the terminal device to determine the device key of the terminal device; and decrypting the encrypted message load according to the device key to obtain the message load.
Here, the device key of the terminal device is stored in the physical machine, so that for each terminal device the message can be decrypted and encrypted with the stored device key corresponding to that terminal device, which further improves the security of cloud storage resource access.
S303: generating a forwarding message according to the access message and the message load.
Optionally, the message load includes an access destination address and a content load, the access destination address includes a network card address of the destination physical machine and a private network address of the destination virtual machine in the destination physical machine, and the access message includes an address of the terminal device;
Correspondingly, generating a forwarding message according to the access message and the message load comprises the following steps:
determining the address of the terminal device as the source address of the forwarding message, and determining the private network address of the destination virtual machine in the destination physical machine as the destination address of the forwarding message; determining the source address and the destination address of the forwarding message as the message header of the forwarding message, determining the message load as the message load of the forwarding message, and generating the forwarding message according to the message header of the forwarding message and the message load.
The physical machine generates the forwarding message through the private network address and the message load of the target virtual machine in the target physical machine, so that the accurate forwarding of the user access message is realized, and the reliability of cloud storage resource access is further improved.
S304: sending the forwarding message to the destination virtual machine through the virtual machine network card corresponding to the destination virtual machine, so that the destination virtual machine generates a return message according to the forwarding message and encrypts the return message with the device key of the terminal device to obtain an encrypted return message.
S305: receiving the encrypted return message returned by the destination virtual machine through the virtual machine network card.
S306: encapsulating the encrypted return message to obtain a response message.
Optionally, encapsulating the encrypted return message to obtain a response message includes:
encapsulating the encrypted return message according to the address of the terminal device, the network card address of the destination physical machine and the private network address of the destination virtual machine in the destination physical machine, to obtain the response message.
S307: sending the response message to the terminal device, so that the terminal device decrypts the response message to obtain the return message.
The destination physical machine in the embodiment of the application runs the virtual machines, provides forwarding of the access message and of the return message for the user's terminal device, and performs the encryption and decryption of messages. Through the forwarding, encryption and decryption performed by the physical machine, secure access by the user to cloud storage resources through the terminal device is realized.
In a possible implementation manner, the embodiment of the application provides a cloud storage resource access method, which specifically includes the following implementation processes:
step one: the tenant terminal, namely the terminal equipment a of the user, encrypts a message load to be sent through an encryption module of the terminal equipment a, and then sends the message load to the NIC of the physical machine M, wherein the message source address is an IP address of a, the destination address is an address of the NIC of the M, a relevant field of the message load indicates that the destination address of the message is VMa1 in the M, that is, the relevant field indicates that the destination address is the address of the physical machine M and the private network address of the VMa1 in the physical machine M.
The content load of the message load is AAA. Exemplary, fig. 4 is a schematic structural diagram of an access message provided in the embodiment of the present application, and it can be understood that the schematic structural diagram of any message in the embodiment of the present application is exemplary.
Step two: from the real destination address in the message load, the NIC learns that the message is sent by a terminal of tenant a to VMa1 of tenant a. It then passes the message to the decryption module for decryption and on to vNICa; after receiving the message, vNICa decrypts it and forwards it to VMa1, that is, it sends the forwarding message.
Exemplary, fig. 5 is a schematic structural diagram of a forwarding message provided in the embodiment of the present application, and it can be understood that the schematic structural diagram of any message in the embodiment of the present application is exemplary.
Step three: VMa1 sends its own return message to vNICa, that is, it sends the encrypted return message. The load part of this message is encrypted with the device key KEY-a of the terminal device, and the encrypted message is sent to the NIC of M; the source address of the message is the private network address of VMa1 and the destination address is the IP address of a.
Exemplary, fig. 6 is a schematic structural diagram of an encrypted return packet according to an embodiment of the present application, and it can be understood that the schematic structural diagram of any packet in the embodiment of the present application is exemplary.
Step four: after receiving the message, the NIC of M encapsulates it a second time. In the source address part of the original message, the IP address of the NIC of M is added in front of the private network address of VMa1; the other parts are unchanged, and the whole is used as the load of a new message whose source address is the IP address of the NIC of M and whose destination address is the IP address of a. This forms the response message, which is sent to a.
Exemplary, fig. 7 is a schematic structural diagram of a response message provided in the embodiment of the present application, and it can be understood that the schematic structural diagram of any message in the embodiment of the present application is exemplary.
Step five: after receiving the message, a learns from the load part of the message that it comes from VMa1 in M, decrypts the encrypted portion, and delivers the message to the user.
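The following Python program is an added example, not code from the patent or from the applicants. It simulates, on one host, the complete exchange of steps one to five above (terminal side S201 to S206, physical machine side S301 to S307): the terminal encrypts only the content load, the physical machine selects the device key from its key database by device identification, forwards the plaintext load to the VM, encapsulates the encrypted return message by prefixing the NIC address to the VM's source address, and the terminal decrypts the response. The addresses, the dictionary field names, the `device_id` field that carries the device identification, and the cipher are assumptions made for the example; the cipher is an encrypt-then-MAC construction on HMAC-SHA256 used as a stand-in for a real authenticated cipher such as AES-GCM so that the program runs on the standard library alone.

```python
"""Added example (not the patent's own code): simulation of the access message,
forwarding message, encrypted return message and response message exchange.
Addresses, field names, the device_id field and the cipher are assumptions."""
import hashlib
import hmac
import os

# Constructed sample addresses (assumptions; the text only names a, M and VMa1)
TERMINAL_A = "203.0.113.10"    # IP address of tenant a's terminal device
NIC_M = "198.51.100.5"         # address of the NIC of physical machine M
VMA1_PRIVATE = "10.0.1.11"     # private network address of VMa1 inside M

# Key database of the physical machine's encryption module: device id -> key
KEY_DB = {}


# Encrypt-then-MAC built from HMAC-SHA256 (counter-mode keystream plus a tag),
# a stand-in for a real AEAD such as AES-GCM so only the stdlib is needed.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("load failed authentication")   # wrong key or tampering
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def terminal_build_access_message(device_id, device_key, content):
    """S201-S203: only the content load is encrypted; the access destination
    address stays readable because the NIC of M routes on it (step two)."""
    encrypted_load = {"dest": {"nic": NIC_M, "vm": VMA1_PRIVATE},
                      "content": encrypt(device_key, content).hex()}
    # Header: source = terminal address, destination = NIC address of M.
    # device_id lets M pick the key from its key database (S302); an assumption.
    return {"src": TERMINAL_A, "dst": NIC_M, "device_id": device_id,
            "load": encrypted_load}


def vma1_handle(forwarding, device_key):
    """Destination VM (S304 / step three): return message encrypted with KEY-a.
    The text places this encryption at the VM side; M's module holds the key."""
    reply = b"VMa1 reply to: " + forwarding["load"]["content"]
    return {"src": forwarding["dst"], "dst": forwarding["src"],
            "load": encrypt(device_key, reply).hex()}


def physical_machine_handle(access_msg, vm_handler):
    """S301-S307 on physical machine M."""
    key = KEY_DB.get(access_msg["device_id"])
    if key is None:
        raise PermissionError("unknown terminal device; message dropped")
    load = access_msg["load"]
    content = decrypt(key, bytes.fromhex(load["content"]))          # S302
    # S303: forwarding message, source = terminal, destination = VM private addr
    forwarding = {"src": access_msg["src"], "dst": load["dest"]["vm"],
                  "load": {"dest": load["dest"], "content": content}}
    encrypted_return = vm_handler(forwarding, key)                   # S304, S305
    # S306 / step four: second encapsulation; the NIC address of M is prefixed
    # to the VM's private source address, everything else is carried unchanged.
    inner = dict(encrypted_return)
    inner["src"] = NIC_M + "/" + encrypted_return["src"]
    return {"src": NIC_M, "dst": access_msg["src"], "load": inner}   # S307


def terminal_handle_response(device_key, response):
    """S206 / step five: identify the answering VM from the load, then decrypt."""
    inner = response["load"]
    nic, vm = inner["src"].split("/", 1)
    return {"from_nic": nic, "from_vm": vm,
            "return_message": decrypt(device_key, bytes.fromhex(inner["load"]))}


def run_exchange(content=b"GET /bucket/object"):
    """Full round trip between tenant a's terminal and VMa1 on M."""
    device_id = "terminal-a"
    key = hashlib.sha256(b"KEY-a (constructed demo key)").digest()
    KEY_DB[device_id] = key       # pre-provisioned on M, as the text requires
    access = terminal_build_access_message(device_id, key, content)
    response = physical_machine_handle(access, vma1_handle)
    return terminal_handle_response(key, response)


if __name__ == "__main__":
    print(run_exchange())
```

Two design points follow the text directly: the access destination address is carried in the clear because the NIC of M must read it to select vNICa and the target VM, so only the content load is protected; and because the cipher authenticates the load, a message whose load was altered in transit, or one from a device whose identification is not in the key database, is rejected on the physical machine before anything is forwarded to the virtual machine. The same key material must be present on both ends, which is why the text below requires the terminal key and the physical machine's encryption module key to be changed together.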
With this method no cloud-side investment is needed: the corresponding modules are added to the user's terminal device, and for each terminal used by a user the module must be pre-installed and the user's key written into it. When the user key (the key of the terminal device) is changed, the keys in the encryption modules of the terminal and of the physical machine must be changed at the same time. Since the messages are encrypted at both the terminal side and the physical machine side, security during network transmission is better ensured, especially for users who do not use a virtual private network (Virtual Private Network, VPN) channel provided by an operator; problems such as interception of content are avoided, and the security of cloud storage resource access is further improved.
Fig. 8 is a schematic structural diagram of a cloud storage resource access apparatus provided in the embodiment of the present application. It is applied to a cloud storage resource access device, which may be the terminal device 102 in fig. 1. As shown in fig. 8, the apparatus in the embodiment of the present application includes: an acquisition module 801, a first encryption module 802, a first generation module 803, a first processing module 804, a first receiving module 805, and a first decryption module 806. The cloud storage resource access device may be a server or a terminal device, or a chip or an integrated circuit that implements the functions of the server or the terminal device. Here, the division into the acquisition module 801, the first encryption module 802, the first generation module 803, the first processing module 804, the first receiving module 805, and the first decryption module 806 is only a division of logical functions; the modules may be physically integrated or independent.
The acquisition module is used for acquiring the message load for accessing the virtual machine;
the first encryption module is used for encrypting the message load to obtain an encrypted message load;
the first generation module is used for generating an access message according to the encrypted message load;
the first processing module is used for sending the access message to the destination physical machine, so that the destination physical machine decrypts the encrypted message load to obtain the message load, generates a forwarding message according to the access message and the message load, and sends the forwarding message to the destination virtual machine through the virtual machine network card corresponding to the destination virtual machine;
the first receiving module is used for receiving a response message sent by the destination physical machine, where the response message is obtained by the destination physical machine encapsulating the encrypted return message after receiving it from the destination virtual machine through the virtual machine network card, and the encrypted return message is obtained by the destination virtual machine generating a return message according to the forwarding message and then encrypting the return message with the device key of the terminal device;
the first decryption module is used for decrypting the response message to obtain the return message.
Optionally, the message load includes an access destination address and a content load, where the access destination address includes a network card address of the destination physical machine and a private network address of the destination virtual machine in the destination physical machine;
correspondingly, the first encryption module is specifically configured to:
encrypting the content load to obtain a content encrypted load;
combining the access destination address and the content encrypted load to obtain the encrypted message load.
Optionally, the first generation module is specifically configured to:
determine the address of the terminal device as the source address of the access message, and determine the network card address of the destination physical machine as the destination address of the access message;
determine the source address and the destination address of the access message as the message header of the access message, determine the encrypted message load as the load of the access message, and generate the access message according to the message header and the load of the access message.
Optionally, the first decryption module is specifically configured to:
decrypt the response message according to the device key stored in the terminal device to obtain the return message.
The embodiment of the present application further provides a cloud storage resource access apparatus, which is applied to a cloud storage resource access device that may be the physical machine 101 in fig. 1. The apparatus in the embodiment of the present application includes: a second receiving module, a second decryption module, a second generation module, a second processing module, a third receiving module, a third processing module and a fourth processing module. The cloud storage resource access device may be a server or a terminal device, or a chip or an integrated circuit that implements the functions of the server or the terminal device. It should be stated here that the division into the second receiving module, the second decryption module, the second generation module, the second processing module, the third receiving module, the third processing module and the fourth processing module is only a division of logical functions; the modules may be physically integrated or independent.
The second receiving module is used for receiving an access message sent by the terminal device, where the access message is generated by the terminal device obtaining the message load for accessing the virtual machine, encrypting the message load to obtain an encrypted message load, and generating the access message according to the encrypted message load;
the second decryption module is used for decrypting the encrypted message load to obtain the message load;
the second generation module is used for generating a forwarding message according to the access message and the message load;
the second processing module is used for sending the forwarding message to the destination virtual machine through the virtual machine network card corresponding to the destination virtual machine, so that the destination virtual machine generates a return message according to the forwarding message and encrypts the return message with the device key of the terminal device to obtain an encrypted return message;
the third receiving module is used for receiving the encrypted return message returned by the destination virtual machine through the virtual machine network card;
the third processing module is used for encapsulating the encrypted return message to obtain a response message;
the fourth processing module is used for sending the response message to the terminal device, so that the terminal device decrypts the response message to obtain the return message.
Optionally, the second decryption module is specifically configured to:
query a key database according to the device identification of the terminal device to determine the device key of the terminal device;
decrypt the encrypted message load according to the device key to obtain the message load.
Optionally, the message load includes an access destination address and a content load, the access destination address includes a network card address of the destination physical machine and a private network address of the destination virtual machine in the destination physical machine, and the access message includes an address of the terminal device;
correspondingly, the second generating module is specifically configured to:
determine the address of the terminal device as the source address of the forwarding message, and determine the private network address of the destination virtual machine in the destination physical machine as the destination address of the forwarding message;
determine the source address and the destination address of the forwarding message as the message header of the forwarding message, determine the message load as the message load of the forwarding message, and generate the forwarding message according to the message header of the forwarding message and the message load.
Optionally, the third processing module is specifically configured to:
encapsulate the encrypted return message according to the address of the terminal device, the network card address of the destination physical machine and the private network address of the destination virtual machine in the destination physical machine, to obtain the response message.
Referring to fig. 9, a schematic structural diagram of a cloud storage resource access device suitable for implementing an embodiment of the present disclosure is shown, where the cloud storage resource access device is a cloud storage resource access device, and may be a physical machine or a terminal device, where the physical machine may be a server. The terminal device may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a personal digital assistant (Personal Digital Assistant, PDA for short), a tablet (Portable Android Device, PAD for short), a portable multimedia player (Portable Media Player, PMP for short), an in-vehicle terminal (e.g., an in-vehicle navigation terminal), and the like, and a fixed terminal such as a digital TV, a desktop computer, and the like. The cloud storage resource access device illustrated in fig. 9 is merely an example, and should not impose any limitation on the functionality and scope of use of the embodiments of the present disclosure.
As shown in fig. 9, the cloud storage resource access apparatus may include a processing device (e.g., a central processor, a graphics processor, or the like) 901, which may perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage device 908 into a random access Memory (Random Access Memory, RAM) 903. In the RAM 903, various programs and data required for the operation of the cloud storage resource access device are also stored. The processing device 901, the ROM 902, and the RAM 903 are connected to each other through a bus 904. An input/output (I/O) interface 905 is also connected to the bus 904.
In general, the following devices may be connected to the I/O interface 905: input devices 906 including, for example, a touch screen, touchpad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, and the like; an output device 907 including, for example, a liquid crystal display (Liquid Crystal Display, LCD for short), a speaker, a vibrator, and the like; storage 908 including, for example, magnetic tape, hard disk, etc.; and a communication device 909. Communication means 909 may allow the cloud storage resource access device to communicate wirelessly or wiredly with other devices to exchange data. While fig. 9 illustrates a cloud storage resource access appliance having various means, it should be understood that not all of the illustrated means are required to be implemented or provided. More or fewer devices may be implemented or provided instead.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication device 909, or installed from the storage device 908, or installed from the ROM 902. When executed by the processing device 901, the computer program performs the above-described functions defined in the methods of the embodiments of the present disclosure.
It should be noted that the computer readable medium described in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, by contrast, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electromagnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, fiber optic cables, RF (radio frequency), and the like, or any suitable combination of the foregoing.
The computer readable medium may be contained in the cloud storage resource access device; or may exist alone without being assembled into the cloud storage resource access device.
The computer-readable medium carries one or more programs which, when executed by the cloud storage resource access device, cause the cloud storage resource access device to perform the method shown in the above embodiment.
Computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (Local Area Network, LAN for short) or a wide area network (Wide Area Network, WAN for short), or it may be connected to an external computer (e.g., connected via the internet using an internet service provider).
In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of elements is merely a logical functional division, and there may be additional divisions of actual implementation, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the application disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (7)

1. A cloud storage resource access method, applied to a terminal device, the method comprising:
acquiring a message load for accessing a virtual machine;
encrypting the message load to obtain an encrypted message load;
generating an access message according to the encrypted message load;
sending the access message to a target physical machine, so that the target physical machine decrypts the encrypted message load to obtain the message load, generates a forwarding message according to the access message and the message load, and sends the forwarding message to the target virtual machine through a virtual machine network card corresponding to the target virtual machine;
receiving a response message sent by the target physical machine, wherein the response message is obtained by the target physical machine by receiving an encrypted return message returned by the target virtual machine through the virtual machine network card and encapsulating the encrypted return message, and the encrypted return message is obtained by the target virtual machine generating a return message according to the forwarding message and encrypting the return message with a device key of the terminal device;
decrypting the response message to obtain the return message;
wherein the message load comprises an access destination address and a content load, and the access destination address comprises a network card address of a destination physical machine and a private network address of a destination virtual machine in the destination physical machine;
correspondingly, the encrypting the message load to obtain an encrypted message load comprises:
encrypting the content load to obtain a content encryption load;
combining the access destination address and the content encryption load to obtain the encrypted message load;
the generating an access message according to the encrypted message load comprises:
determining the address of the terminal device as the source address of the access message, and determining the network card address of the destination physical machine as the destination address of the access message;
determining the source address of the access message and the destination address of the access message as the message header of the access message, determining the encrypted message load as the load of the access message, and generating the access message according to the message header of the access message and the load of the access message.
2. The method of claim 1, wherein the decrypting the response message to obtain the return message comprises:
decrypting the response message according to the device key stored in the terminal device to obtain the return message.
3. A cloud storage resource access method, applied to a destination physical machine, the method comprising:
receiving an access message sent by a terminal device, wherein the access message is generated by the terminal device by acquiring a message load for accessing a virtual machine, encrypting the message load to obtain an encrypted message load, and generating the access message according to the encrypted message load;
decrypting the encrypted message load to obtain the message load;
generating a forwarding message according to the access message and the message load;
sending the forwarding message to a target virtual machine through a virtual machine network card corresponding to the target virtual machine, so that the target virtual machine generates a return message according to the forwarding message and encrypts the return message with a device key of the terminal device to obtain an encrypted return message;
receiving the encrypted return message returned by the target virtual machine through the virtual machine network card;
encapsulating the encrypted return message to obtain a response message;
sending the response message to the terminal device, so that the terminal device decrypts the response message to obtain the return message;
wherein the message load comprises an access destination address and a content load, and the access destination address comprises a network card address of the destination physical machine and a private network address of a destination virtual machine in the destination physical machine; the encrypted message load is obtained by combining the access destination address and a content encryption load obtained by encrypting the content load;
the access message comprises the address of the terminal device;
correspondingly, the generating a forwarding message according to the access message and the message load comprises:
determining the address of the terminal device as the source address of the forwarding message, and determining the private network address of the destination virtual machine in the destination physical machine as the destination address of the forwarding message;
determining the source address of the forwarding message and the destination address of the forwarding message as the message header of the forwarding message, determining the message load as the message load of the forwarding message, and generating the forwarding message according to the message header of the forwarding message and the message load of the access message.
4. The method of claim 3, wherein the decrypting the encrypted message load to obtain the message load comprises:
querying a key database according to a device identifier of the terminal device to determine the device key of the terminal device;
decrypting the encrypted message load according to the device key to obtain the message load.
5. The method of claim 3, wherein the encapsulating the encrypted return message to obtain a response message comprises:
encapsulating the encrypted return message according to the address of the terminal device, the network card address of the target physical machine and the private network address of the target virtual machine in the target physical machine, to obtain the response message.
6. A cloud storage resource access device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the cloud storage resource access method of claim 1 or 2, or the cloud storage resource access method of any of claims 3 to 5.
7. A computer readable storage medium having stored therein computer executable instructions which when executed by a processor are for implementing the cloud storage resource access method of claim 1 or 2 or the cloud storage resource access method of any of claims 3 to 5.
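The exchange in claims 1 to 5, as an added example that is not part of the patent or its applicants' code: a terminal encrypts only the content load and leaves the access destination address (physical machine NIC address plus VM private address) in clear so the message can be routed, the destination physical machine looks the device key up by device identifier, decrypts, rewrites the header into a forwarding message addressed to the VM, relays the VM's encrypted return message back as a response message, and the terminal decrypts it. Everything concrete here is an assumption: the addresses, the device identifier `dev-0001` (the claims do not say where the identifier is carried), the key material, the `OK:` echo standing in for a storage operation, the VM already holding the device key, and the stdlib stand-in cipher (HMAC-SHA256 keystream plus an encrypt-then-MAC tag) in place of whatever authenticated cipher a deployment would use. The design choice worth noticing from a defender's view is that the physical machine is a trusted decryption point: it holds the key database and sees the content load in clear, so the tag check in `decrypt` is what rejects anything modified between terminal and physical machine.

```python
# Added example (not code from the patent or its applicants): a stand-alone
# simulation of the exchange in claims 1-5. Addresses, device id and key are
# constructed; the cipher is a stdlib stand-in (HMAC-SHA256 keystream plus an
# encrypt-then-MAC tag) for whatever authenticated cipher a deployment would use.
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32

def _subkeys(key: bytes) -> tuple:
    """Separate encryption and MAC keys derived from the device key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mk, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("load failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))

# Constructed topology and key material.
TERMINAL_ADDR = "10.0.0.5"
TERMINAL_ID = "dev-0001"           # assumption: device id travels in the access message
PHYS_NIC_ADDR = "192.168.100.7"    # network card address of the destination physical machine
VM_PRIVATE_ADDR = "172.16.3.21"    # private network address of the destination VM
DEVICE_KEY = hashlib.sha256(b"constructed device key for dev-0001").digest()
KEY_DB = {TERMINAL_ID: DEVICE_KEY}  # key database queried by device id (claim 4)

# --- terminal device (claims 1 and 2) ---
def terminal_build_access_message(content_load: bytes) -> dict:
    encrypted_load = {
        # the access destination address stays in clear: routing needs it
        "access_destination": {"phys_nic": PHYS_NIC_ADDR, "vm_private": VM_PRIVATE_ADDR},
        "content": encrypt(DEVICE_KEY, content_load),  # only the content load is encrypted
        "device_id": TERMINAL_ID,
    }
    # header: source = terminal address, destination = physical machine NIC address
    return {"src": TERMINAL_ADDR, "dst": PHYS_NIC_ADDR, "load": encrypted_load}

def terminal_decrypt_response(response: dict) -> bytes:
    return decrypt(DEVICE_KEY, response["load"])

# --- destination physical machine (claims 3 to 5) ---
def physical_build_forwarding_message(access_msg: dict) -> dict:
    load = access_msg["load"]
    key = KEY_DB[load["device_id"]]  # claim 4: device key looked up by device id
    message_load = {"access_destination": load["access_destination"],
                    "content": decrypt(key, load["content"])}
    # header: source = terminal address, destination = VM private address
    return {"src": access_msg["src"], "dst": load["access_destination"]["vm_private"],
            "load": message_load}

def physical_encapsulate_response(encrypted_return: bytes, terminal_addr: str) -> dict:
    # claim 5: encapsulate with terminal address, physical NIC address and VM private address
    return {"src": PHYS_NIC_ADDR, "dst": terminal_addr, "vm": VM_PRIVATE_ADDR,
            "load": encrypted_return}

# --- destination virtual machine ---
def vm_handle_forwarding(forwarding_msg: dict, device_key: bytes) -> bytes:
    # assumption: the VM already holds the terminal's device key (the claims do not
    # say how it gets it); the storage operation itself is a constructed echo.
    return encrypt(device_key, b"OK:" + forwarding_msg["load"]["content"])

def run_exchange(content_load: bytes) -> bytes:
    """Full round trip: access -> forwarding -> encrypted return -> response."""
    access = terminal_build_access_message(content_load)
    forwarding = physical_build_forwarding_message(access)
    encrypted_return = vm_handle_forwarding(forwarding, DEVICE_KEY)
    response = physical_encapsulate_response(encrypted_return, access["src"])
    return terminal_decrypt_response(response)

def tamper_is_detected(content_load: bytes) -> bool:
    """Flip one ciphertext byte in transit; the physical machine must reject it."""
    access = terminal_build_access_message(content_load)
    ct = bytearray(access["load"]["content"])
    ct[NONCE_LEN] ^= 0x01
    access["load"]["content"] = bytes(ct)
    try:
        physical_build_forwarding_message(access)
    except ValueError:
        return True
    return False
```

`run_exchange(b"GET /bucket/object")` returns `b"OK:GET /bucket/object"` after passing through all four message types, and `tamper_is_detected` shows the physical machine refusing a content load whose ciphertext was altered on the wire. Because the access destination address is outside the encrypted part, anyone on the path between terminal and physical machine learns which VM is being addressed; the claims encrypt only the content load, so a deployment that needs to hide the destination would have to wrap the whole message in a transport tunnel in addition.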
CN202311691676.5A 2023-12-11 2023-12-11 Cloud storage resource access method, device, equipment and storage medium Active CN117395084B (en)


Publications (2)

Publication Number Publication Date
CN117395084A CN117395084A (en) 2024-01-12
CN117395084B true CN117395084B (en) 2024-04-09

Family

ID=89465255


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2369479A2 (en) * 2006-01-24 2011-09-28 Citrix Systems, Inc. Methods and systems for providing access to a computing environment
CN113132394A (en) * 2021-04-22 2021-07-16 中国建设银行股份有限公司 Request processing system, method and device, storage medium and electronic equipment
CN114692120A (en) * 2020-12-30 2022-07-01 成都鼎桥通信技术有限公司 State password authentication method, virtual machine, terminal equipment, system and storage medium
CN115550041A (en) * 2022-09-30 2022-12-30 上海浦东发展银行股份有限公司 Data transmission method and device, computer equipment and storage medium
CN115987660A (en) * 2022-12-28 2023-04-18 北京天融信网络安全技术有限公司 VPN device communication method, device and storage medium

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US10044502B2 (en) * 2015-07-31 2018-08-07 Nicira, Inc. Distributed VPN service
US11848918B2 (en) * 2020-12-23 2023-12-19 Oracle International Corporation End-to-end network encryption from customer on-premise network to customer virtual cloud network using customer-managed keys


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant