[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN110297687B - Data interaction method, device and system based on virtual host - Google Patents

Data interaction method, device and system based on virtual host Download PDF

Info

Publication number
CN110297687B
CN110297687B CN201810234873.7A CN201810234873A CN110297687B CN 110297687 B CN110297687 B CN 110297687B CN 201810234873 A CN201810234873 A CN 201810234873A CN 110297687 B CN110297687 B CN 110297687B
Authority
CN
China
Prior art keywords
virtual host
key
data
encryption
encrypted data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810234873.7A
Other languages
Chinese (zh)
Other versions
CN110297687A (en
Inventor
赵汉表
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201810234873.7A priority Critical patent/CN110297687B/en
Publication of CN110297687A publication Critical patent/CN110297687A/en
Application granted granted Critical
Publication of CN110297687B publication Critical patent/CN110297687B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses a data interaction method, device and system based on a virtual host. Wherein the method comprises the following steps: receiving a loading instruction; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on the physical hosts, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services. The invention solves the technical problem of low data security caused by data leakage.

Description

Data interaction method, device and system based on virtual host
Technical Field
The present invention relates to the field of computers, and in particular, to a data interaction method, device and system based on a virtual host.
Background
Currently, with the development of cloud computing technology, more and more applications and services will migrate to virtual hosts in the cloud. In order to ensure the data security of the host operating system, one method commonly adopted in the art is to adopt a trusted platform module (Trusted Platform Module, abbreviated as TPM) mode, which strictly requires that only trusted programs can operate on the operating system, and take out keys from the TPM chip to encrypt and decrypt the secret data in the database.
However, the encryption and decryption process is generally directly in the service process, so that the problem that the security of data is low because the attacker can read the data including the private information such as the user name, the password and the credit card number from the server memory due to the data security after the kernel is attacked and the data leakage such as buffer overflow and the like caused by the defects of the service program, such as heart bleeding (heart bleed) leak) occurring in the secure socket layer password library (OpenSSL), cannot be solved well.
For the above-mentioned problem of low security of data due to data leakage, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the invention provides a data interaction method, device and system based on a virtual host, which are used for at least solving the technical problem of low data security caused by data leakage.
According to an aspect of an embodiment of the present invention, a data interaction method based on a virtual host is provided. The method comprises the following steps: receiving a loading instruction; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on the physical hosts, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services.
According to an aspect of the embodiment of the invention, a data interaction method based on the virtual host is also provided. The method comprises the following steps: the second virtual host receives the first encrypted data; the second virtual host sends the first encrypted data to the first virtual host through a communication channel of the shared memory; the second virtual host receives second encrypted data sent by the first virtual host through a communication channel, wherein the first virtual host decrypts the first encrypted data by using a preset first key to obtain user data, and encrypts the user data by using a preset second key to obtain second encrypted data; the second virtual host stores second encrypted data.
According to an aspect of the embodiment of the invention, a data interaction method based on the virtual host is also provided. The method comprises the following steps: the second virtual host receives the first encryption request; the second virtual host sends a first encryption request to the first virtual host through a communication channel of the shared memory; the second virtual host receives a first encryption keyword and request content sent by the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain the first encryption keyword and the request content; the second virtual host performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from the searching result according to the request content; the second virtual host sends second encrypted data to the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the second virtual host outputs the first encrypted data.
According to an aspect of the embodiment of the invention, a data interaction method based on the virtual host is also provided. The method comprises the following steps: the first virtual host receives first encrypted data sent by the second virtual host through a communication channel of the shared memory; the first virtual host decrypts the first encrypted data by using a preset first key to obtain user data; the first virtual host encrypts the user data by using a preset second key to obtain second encrypted data; the first virtual host sends the second encrypted data to the second virtual host through the communication channel so that the second virtual host stores the second encrypted data.
According to an aspect of the embodiment of the invention, a data interaction method based on the virtual host is also provided. The method comprises the following steps: the first virtual host receives a first encryption request sent by a second virtual host through a communication channel of a shared memory; the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain a first encryption keyword and request content, wherein the first key is used for realizing data security transmission between a user and the first virtual host, and the second key is used for realizing data security storage; the first virtual host sends the first encryption key word and the request content to the second virtual host through a communication channel of the shared memory, wherein the second virtual host searches data according to the first encryption key word and screens second encryption data corresponding to the first encryption request from a search result according to the request content; the first virtual host receives second encrypted data sent by the second virtual host through a communication channel; the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the first virtual host sends the first encrypted data to the second virtual host through the communication channel.
According to another aspect of embodiments of the present invention, a computing device is also provided. The device comprises: the input/output device is used for receiving a loading instruction; the loading device is used for loading the first virtual host and the second virtual host on the physical host respectively according to the loading instruction, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services.
According to another aspect of the embodiment of the invention, a data interaction device based on a virtual host is also provided. The device comprises: the first receiving module is used for receiving the first encrypted data; the sending module is used for sending the first encrypted data to the first virtual host through a communication channel of the shared memory; the second receiving module is used for receiving second encrypted data sent by the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the first encrypted data according to a first key and a second key to obtain second encrypted data, the first key is used for realizing data security transmission between a user and the first virtual host, and the second key is used for realizing data security storage; and the storage module is used for storing the second encrypted data.
According to another aspect of the embodiment of the invention, a data interaction device based on a virtual host is also provided. The device comprises: the first receiving module is used for receiving a first encryption request; the first sending module is used for sending a first encryption request to the first virtual host through a communication channel of the shared memory; the second receiving module is used for receiving a first encryption keyword and request content sent by the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain the first encryption keyword and the request content; the processor is used for searching data according to the first encryption key words and screening second encryption data corresponding to the first encryption request from the searching result according to the request content; the second sending module is used for sending the second encrypted data to the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; and the return module is used for outputting the first encrypted data.
According to another aspect of the embodiment of the invention, a data interaction device based on a virtual host is also provided. The device comprises: the receiving module is used for receiving first encrypted data sent by the second virtual host through a communication channel of the shared memory; the processing module is used for encrypting and decrypting the first encrypted data according to the first key and the second key to obtain second encrypted data, the first key is used for realizing data security transmission between the user and the first virtual host, and the second key is used for realizing data security storage; and the sending module is used for sending the second encrypted data to the second virtual host through the communication channel so that the second virtual host stores the second encrypted data.
According to another aspect of the embodiment of the invention, a data interaction device based on a virtual host is also provided. The device comprises: the receiving module is used for receiving a first encryption request sent by the second virtual host through a communication channel of the shared memory; the first processing module is used for encrypting and decrypting the first encryption request according to a first key and a second key to obtain a first encryption keyword and request content, the first key is used for realizing data security transmission between a user and a first virtual host, and the second key is used for realizing data security storage; the first sending module is used for sending the first encryption key words and the request content to the second virtual host through the communication channel of the shared memory, wherein the second virtual host searches data according to the first encryption key words and screens out second encryption data corresponding to the first encryption request from the search result according to the request content; the second sending module is used for receiving second encrypted data sent by the second virtual host through the communication channel; the second processing module is used for encrypting and decrypting the second encrypted data according to the first key and the second key to obtain first encrypted data; and the third sending module is used for sending the first encrypted data to the second virtual host through the communication channel.
According to another aspect of the embodiment of the invention, a data interaction system based on a virtual host is also provided. The device comprises: the second virtual host is used for receiving the first encryption request; the first virtual host is connected with the second virtual host through a communication channel of the shared memory and is used for receiving a first encryption request sent by the second virtual host through the communication channel, encrypting and decrypting the first encryption request according to a first key and a second key to obtain a first encryption keyword and request content, the first encryption keyword and the request content are sent to the second virtual host through the communication channel of the shared memory, the first key is used for realizing data security transmission between a user and the first virtual host, and the second key is used for realizing data security storage; the second virtual host performs data searching according to the first encryption key word, screens out second encryption data corresponding to the first encryption request from the searching result according to the request content, sends the second encryption data to the first virtual host through the communication channel, and outputs first encryption data obtained by encrypting and decrypting the first encryption request by the first virtual host according to the first key and the second key.
According to another aspect of the embodiments of the present invention, there is also provided a storage medium. The storage medium comprises a stored program, wherein the device where the storage medium is located is controlled to execute the data interaction method based on the virtual host when the program runs.
According to another aspect of an embodiment of the present invention, there is also provided a processor. The processor is used for running a program, wherein the data interaction method based on the virtual host is executed when the program runs.
According to another aspect of the embodiment of the invention, a computer terminal is also provided. The computer terminal includes: a processor; and a memory, coupled to the processor, for providing instructions to the processor for processing the steps of: receiving a loading instruction; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on the physical hosts, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services.
In the embodiment of the invention, a loading instruction is received; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on the physical hosts, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services. The first virtual host and the second virtual host are loaded on the physical host, so that the first virtual host and the second virtual host are in data connection, that is, the first virtual host provides a data protection method for encrypting and decrypting safety data for the second virtual host, so that the data safety of the second virtual host is protected, the data leakage is avoided, the aim of data interaction based on the virtual host is achieved, the technical effect of improving the safety of the data is achieved, and the technical problem of low safety of the data due to the data leakage is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a schematic diagram of a virtual host based data interaction system in accordance with an embodiment of the present invention;
FIG. 2 is a schematic diagram of a virtual host load according to an embodiment of the invention;
FIG. 3 is a schematic diagram of communication channel establishment between virtual hosts according to an embodiment of the present invention;
FIG. 4 is a flow chart of a user data security save according to an embodiment of the present invention;
FIG. 5 is a flow chart of a user data security read according to an embodiment of the present invention;
FIG. 6 is a block diagram of a hardware architecture of a computer terminal (or mobile device) for implementing a virtual host based data interaction method according to an embodiment of the present invention;
FIG. 7 is a flow chart of a method of virtual host based data interaction according to an embodiment of the invention;
FIG. 8 is a flow chart of another virtual host based data interaction method according to an embodiment of the invention;
FIG. 9 is a flow chart of another virtual host based data interaction method according to an embodiment of the invention;
FIG. 10 is a flow chart of another virtual host based data interaction method according to an embodiment of the invention;
FIG. 11 is a flow chart of another virtual host based data interaction method according to an embodiment of the invention;
FIG. 12 is a schematic diagram of a computing device according to an embodiment of the invention;
FIG. 13 is a schematic diagram of another virtual host based data interaction apparatus according to an embodiment of the invention;
FIG. 14 is a schematic diagram of another virtual host based data interaction apparatus according to an embodiment of the invention;
FIG. 15 is a schematic diagram of another virtual host based data interaction apparatus according to an embodiment of the present invention;
FIG. 16 is a schematic diagram of another virtual host based data interaction apparatus according to an embodiment of the invention; and
fig. 17 is a block diagram of a computer mobile terminal according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, partial terms or terminology appearing in describing embodiments of the present application are applicable to the following explanation:
encrypting and decrypting the virtual host: the system for encrypting and decrypting the data is very concise, can comprise an operating system, an encrypting and decrypting program and a security module with basically required functions, does not need to support a network and a protocol, can greatly reduce the complexity of the system to reduce the vulnerability risk, and has a unique communication channel which is a shared memory channel with a service virtual host.
Service virtual host: the service is provided, but the encryption and decryption functions of the data are completed by the encryption and decryption virtual host.
Example 1
The embodiment of the invention provides a data interaction system based on a virtual host.
FIG. 1 is a schematic diagram of a virtual host based data interaction system according to an embodiment of the present invention. As shown in fig. 1, the system 100 includes: a second virtual host 102 and a first virtual host 104.
The second virtual host 102 is configured to receive the first encryption request.
The first virtual host 104 is connected with the second virtual host 102 through a communication channel of the shared memory, and is configured to receive a first encryption request sent by the second virtual host 102 through the communication channel, encrypt and decrypt the first encryption request according to a preset first key and a preset second key to obtain a first encryption keyword and a request content, where a secure encryption communication channel is established between the user terminal and the encrypted and decrypted virtual host by means of the service virtual host, and the first key and the second key required for communication are negotiated, the first key is used to implement secure data transmission between the user terminal and the first virtual host 104, the second key is used to implement secure data storage, the first virtual host 104 sends the first encryption keyword and the request content to the second virtual host 102 through the communication channel of the shared memory, and the first virtual host 104 and the second virtual host 102 can operate on the same physical host.
In this embodiment, the second virtual host 102 may be a service virtual host for providing service, but the encryption and decryption functions of the data are completed by the first virtual host 104. The second virtual host 102 in this embodiment is configured to receive a first encryption request, for example, the user terminal encrypts a required specified data request with an E key to obtain a first encryption request, send the first encryption request to the second virtual host 102, and the second virtual host 102 receives the first decryption request, and may forward the first decryption request to the first virtual host 104 through a communication channel of a shared memory, where the communication channel of the shared memory may be a shared memory queue channel.
The first virtual host 104 in this embodiment may be an encryption and decryption virtual host, where the encryption and decryption virtual host is used for taking charge of an encryption and decryption function of data, and a system running on the encryption and decryption virtual host is very concise, and may include an operating system, an encryption and decryption program and a security module with basically required functions, without supporting a network and a protocol, so that complexity of the encryption and decryption virtual host is greatly reduced to reduce a vulnerability risk. The first virtual host 104 receives a first encryption request sent by the second virtual host 102 through a communication channel of the shared memory, and can encrypt and decrypt the first encryption request according to a first key and a second key to obtain a first encryption keyword and a request content, where the first key is used to implement data secure transmission between the user terminal and the first virtual host 104, and the second key is used to implement data secure storage.
Optionally, the first key is a key E, which may be a dynamic negotiation key between the user terminal and the first virtual host 104, and is used for secure transmission of data between the user terminal and the first virtual host 104, where the first virtual host 104 decrypts the first encryption request according to the key E to obtain a request keyword and a request content, where the request keyword is generally a data index and is used as a condition item for searching the database, for example, a telephone number of a user is requested, then a user Identifier (ID) is the request keyword, and the entire keyword and the requested content are the request content.
Optionally, the second key is a data encryption/decryption key, which is used to encrypt data and store the encrypted data in a database or have other storage modes, so as to protect the data storage security, and may be a key E1, where the first virtual host 104 encrypts the request keyword again according to the key E1 to obtain the first encrypted keyword, and the request content may not be encrypted, and the second virtual host 102 needs to know the content specifically requested by the first virtual host 104. After the first virtual host 104 encrypts and decrypts the first encryption request according to the first key and the second key to obtain the first encryption keyword and the request content, the first encryption keyword and the request content are sent to the second virtual host 102 through the communication channel of the shared memory, for example, the encryption and decryption virtual host forwards the request content and the request keyword to the service virtual host through the communication channel of the shared memory.
In this embodiment, the second virtual host 102 may perform data searching according to the first encryption keyword to obtain a searching result, where the searching result includes second encrypted data corresponding to the first encryption request, and the second virtual host 102 shares a communication channel of the memory to send the second encrypted data to the first virtual host 104, and outputs first encrypted data obtained by encrypting and decrypting the second encrypted data by the first virtual host 104 according to the first key and the second key.
Optionally, after the second virtual host 102 receives the first encryption keyword and the request content, the second virtual host 102 performs data searching according to the first encryption keyword to obtain a searching result, and screens second encryption data corresponding to the first encryption request from the searching result according to the request content, for example, the second encryption data corresponding to the first encryption request is data required by a user, and the second virtual host 102 performs database searching according to the first encryption keyword to obtain a searching result, and obtains corresponding data required by the user from the searching result, where the data may be E1 (user data). After the second virtual host 102 screens the second encrypted data corresponding to the first encrypted request from the search result according to the request content, the second encrypted data is sent to the first virtual host 104 through the communication channel of the shared memory, for example, the service virtual host forwards E1 (user data) to the encrypted and decrypted virtual host through the communication channel of the shared memory, and the second virtual host 102 also outputs the first encrypted data obtained by the first virtual host 104 performing encryption and decryption processing on the second encrypted data according to the first key and the second key, for example, returns the first encrypted data to the user terminal.
The first encryption key is an input condition for searching data, the request content is a content item to be selected, for example, a request user telephone number, the first encryption key is a user ID, the telephone number is the request content, and the telephone number returned by the database is the data to be finally returned.
It should be noted that, encryption and decryption in this embodiment are transparent to the second virtual host 102, and the second virtual host 102 does not need to know the second key, and the second virtual host 102 does not need to perform a data search according to the first encryption keyword and does not need a decryption step, and the data returned by the database needs the first virtual host 104 to process the decryption process.
Optionally, the physical host receives a load instruction; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on the physical hosts, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services.
In this embodiment, when the second virtual host 102 is allocated to a physical host for running according to a user's requirement on the virtual machine, the first virtual host 104 with the encryption and decryption function that is bound needs to be simultaneously allocated to the same physical host, so that the second virtual host 102 and the first virtual host 104 are connected by data, for example, data interaction is performed through a communication channel of a shared memory. After receiving the loading instruction from the management platform, the physical host loads the second virtual host 102 and the first virtual host 104 on the physical host respectively, and establishes a communication channel for sharing the memory for the second virtual host 102 and the first virtual host 104.
In order to ensure the security of the operating environments of the second virtual host 102 and the first virtual host 104, the embodiment can perform strict authentication on the operating environments of the physical hosts, for example, perform trusted computing authentication by using a TPM mode, and only the second virtual host 102 and the first virtual host 104 are operated on safe and trusted physical hosts, so as to prevent leakage of the first key and the second key.
Alternatively, in this embodiment, the first encryption key and the second encryption key used by the first virtual host 104 may be transferred to the physical host by the management platform of the virtual host after being transferred to the physical host through the secure channel between the second virtual host 102 and the first virtual host 104 when the second virtual host 102 and the first virtual host 104 are loaded.
Optionally, the data connection between the first virtual host and the second virtual host includes: the second virtual host receives the first encrypted data; the second virtual host sends the first encrypted data to the first virtual host through a communication channel of the shared memory; the second virtual host receives second encrypted data sent by the first virtual host through a communication channel, wherein the first virtual host decrypts the first encrypted data by using a preset first key to obtain user data, and encrypts the user data by using a preset second key to obtain second encrypted data; the second virtual host stores second encrypted data.
In this embodiment, during the process of data connection between the first virtual host 104 and the second virtual host 102, the second virtual host 102 receives first encrypted data, for example, a secure encrypted communication channel is established between the user terminal and the first virtual host 104 by means of the second virtual host 102, and a first key required for communication is negotiated, the first virtual host 104 encrypts user data using the first key to obtain first encrypted data, and transmits the first encrypted data to the second virtual host 102, and the second virtual host 102 receives the first encrypted data. After the second virtual host 102 receives the first encrypted data, the first encrypted data is sent to the first virtual host 104 through the communication channel of the shared memory, that is, the service virtual host may forward the first encrypted data to the encrypted and decrypted virtual host through the communication channel of the shared memory. After the first virtual host 104 receives the first encrypted data, the first encrypted data is encrypted and decrypted according to the first key and the second key to obtain second encrypted data, so that data security transmission between the user terminal and the first virtual host 104 is realized, and data security storage is realized, for example, after the encrypted and decrypted virtual host acquires the first encrypted data, the data is decrypted by using the key E, and the data is re-encrypted by using the unified key E1, so that the second encrypted data is obtained. After the first virtual host 104 obtains the second encrypted data, the second encrypted data may be sent to the second virtual host 102 through a communication channel that shares a memory, where the second virtual host 102 receives the second encrypted data and may store the second encrypted data, or alternatively, the second encrypted data may be stored in a database or in another storage manner.
In the whole flow of this embodiment, since the second virtual host 102 only contacts the encrypted data, for example, the first encrypted data and the second encrypted data, even if the second virtual host 102 is invaded, it is difficult to obtain the plaintext of the user data, thereby avoiding data leakage and improving the security of the data.
Optionally, the first virtual host performs encryption and decryption processing on the first encrypted data according to the first key and the second key, and obtaining the second encrypted data includes: the first virtual host decrypts the first encrypted data by using the first key to obtain user data; and the first virtual host encrypts the user data by using the second key to obtain second encrypted data.
In this embodiment, when the first virtual host 104 encrypts and decrypts the first encrypted data according to the first key and the second key to obtain the second encrypted data, the first virtual host 104 may decrypt the first encrypted data using the first key, for example, after the first encrypted data is obtained by the encrypting and decrypting virtual host, the first encrypted data may be decrypted using the key E to obtain the user data, and then the second key is used to encrypt the user data, for example, the user data is re-encrypted using the uniform key E1 to obtain the second encrypted data, and then the second virtual host 102 receives the second encrypted data sent by the first virtual host 104 through the communication channel, and stores the second encrypted data.
Optionally, the data connection between the first virtual host and the second virtual host includes: the second virtual host receives the first encryption request; the second virtual host sends a first encryption request to the first virtual host through a communication channel; the second virtual host receives a first encryption keyword and request content sent by the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain the first encryption keyword and the request content, the first key is used for realizing data security transmission between the user terminal and the first virtual host, and the second key is used for realizing data security storage; the second virtual host performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from the searching result according to the request content; the second virtual host sends second encrypted data to the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the second virtual host outputs the first encrypted data.
In this embodiment, the first encryption request may be a request in which the user requests desired specified data to be encrypted using the E-key. The second virtual host 102 receives the first encryption request and forwards the first encryption request to the first virtual host 104 via the memory-shared communication channel. After the first virtual host 104 obtains the first encryption request, the first encryption request is encrypted and decrypted according to the first key and the second key to obtain a first encryption keyword and a request content, for example, the first encryption request is decrypted by using the key E to obtain the request keyword and the request content, the request keyword is re-encrypted by using the unified key E1 to obtain the first encryption keyword, and the first encryption keyword and the request content are sent to the second virtual host 102. After receiving the first encryption keyword and the request content sent by the first virtual host 104 through the communication channel, the second virtual host 102 performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from the searching result according to the request content, for example, performs database searching according to the first encryption keyword, so as to obtain second encryption data required by the corresponding user. The second virtual host 102 sends the obtained second encrypted data to the first virtual host 104 through a communication channel, the first virtual host 104 encrypts and decrypts the first encrypted request according to the first key and the second key, so as to obtain first encrypted data, the first virtual host 104 forwards the first encrypted data to the second virtual host 102 through the communication channel of the shared memory, the second virtual host 102 forwards the first encrypted data to the user terminal after receiving the first encrypted data, and the user terminal can decrypt the data by using the key E after receiving the first encrypted data, so as to complete the extraction of the user data.
In this embodiment, the whole process is that the second virtual host 102 only contacts the encrypted data, so that even if the second virtual host 102 is invaded, it is difficult to obtain the plaintext of the user data, thereby avoiding the leakage of the data and improving the security of the data.
Optionally, the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key, and obtaining the first encryption keyword and the request content includes: the first virtual host decrypts the first encryption request by using the first key to obtain a request keyword and request content; the first virtual host encrypts the request keyword by using the second key to obtain a first encrypted keyword.
In this embodiment, when the first virtual host 104 encrypts and decrypts the first encryption request according to the first key and the second key to obtain the first encryption key and the request content, the first virtual host 104 may decrypt the first encryption request using the first key, for example, decrypt the first encryption request using the key E to obtain the request key and the request content. After the first virtual host 104 decrypts the first encryption request by using the first key to obtain the request keyword and the request content, the second key may be used to encrypt the request keyword, for example, the key E1 is used to encrypt the request keyword again to obtain the first encryption keyword, further the second virtual host 102 receives the first encryption keyword and the request content sent by the first virtual host 104 through the communication channel, performs data search according to the first encryption keyword, screens out second encryption data corresponding to the first encryption request from the search result according to the request content, sends the second encryption data to the first virtual host 104 through the communication channel, and the first virtual host 104 encrypts and decrypts the second encryption data according to the first key and the second key to obtain the first encryption data, and the second virtual host 102 returns the first encryption data to the user terminal.
Optionally, the first virtual host performs encryption and decryption processing on the second encrypted data according to the first key and the second key, and obtaining the first encrypted data includes: the first virtual host decrypts the second encrypted data by using the second key to obtain user data; the first virtual host encrypts user data by using the first key to obtain first encrypted data.
In this embodiment, when the first virtual host 104 encrypts and decrypts the second encrypted data according to the first key and the second key to obtain the first encrypted data, the first virtual host 104 may decrypt the second encrypted data using the second key, for example, the encrypting and decrypting virtual host decrypts the second encrypted data by the uniform key E1 to obtain the user data, encrypts the user data using the first key, for example, re-encrypts the user data by the key E to obtain the first encrypted data, and the second virtual host 102 returns the first encrypted data to the user terminal.
Optionally, the first key is a key that is negotiated in advance between the user terminal and the first virtual host 104, and the second key is a preset uniform key.
In this embodiment, the first key may be a key negotiated in advance between the user terminal and the first virtual host 104, may be a dynamic negotiation key between the user terminal and the encrypted and decrypted virtual host, and is used for data security transmission between the user terminal and the encrypted and decrypted virtual host, for example, the first key is a key E; the second key is a preset unified key, which may be a unified data encryption and decryption key, and is used for encrypting the data and storing the encrypted data in a database or other storage modes so as to protect the data storage security, for example, the second key is a key E1.
Because the second virtual host 102 and the first virtual host 104 are loaded on the physical host, the first virtual host 104 is connected with the second virtual host 102 through data, that is, the first virtual host 104 provides a data protection method for encrypting and decrypting safety data for the second virtual host 102, so as to protect the data safety of the second virtual host 102, avoid data leakage, achieve the aim of data interaction based on the virtual host, achieve the technical effect of improving the safety of the data, and further solve the technical problem of low safety of the data caused by data leakage.
The technical solution of the embodiment of the present invention will be illustrated in the following with reference to a preferred embodiment. Specifically, the first virtual host is taken as an encryption and decryption virtual host, and the second virtual host is taken as a service virtual host for illustration.
The embodiment mainly relates to two main processes, one is virtual machine host loading and communication establishment, and the other is data protection process.
FIG. 2 is a schematic diagram of a virtual host load according to an embodiment of the invention. As shown in fig. 2, when the virtual host is allocated to a certain physical host to run according to the requirement of the user on the virtual host, the virtual host with encryption and decryption functions needs to be simultaneously allocated to the same physical host, so that the service virtual host and the encryption and decryption virtual host run on the same physical host. After receiving the loading instruction of the management platform, the physical host can load the service virtual host and the encryption and decryption virtual host on the physical host, and establish a communication channel of the shared memory for the service virtual host and the encryption and decryption virtual host.
FIG. 3 is a schematic diagram of communication channel establishment between virtual hosts according to an embodiment of the present invention. As shown in fig. 3, the encryption and decryption virtual host includes an encryption and decryption program, and the service virtual host includes a service program, and the communication channel between the encryption and decryption virtual host and the service virtual host is established by directly performing data exchange through a shared memory queue driver of a simplified operating system in the encryption and decryption virtual host and a shared memory queue driver in an operating system of the service virtual host and through a shared memory queue channel in the physical host.
In this embodiment, the encryption and decryption virtual host receives a first encryption request sent by the service virtual host through the shared memory queue channel, performs encryption and decryption processing on the first encryption request according to the first key and the second key by the encryption and decryption program to obtain a first encryption keyword and request content, and sends the first encryption keyword and request content to the service virtual host through the shared memory queue channel under the driving of the shared memory queue of the simplified operating system, where the service virtual host receives the first encryption keyword and request content. Optionally, the first key is a key E, which may be a dynamic negotiation key between the user terminal and the encrypted and decrypted virtual host, and is used for secure transmission of data between the user terminal and the encrypted and decrypted virtual host, and the first encryption request is decrypted according to the key E to obtain a request keyword and a request content, where the request keyword may be a data index, and is used as a condition item for searching a database, for example, a telephone number of a user is requested, a user ID is the request keyword, and the whole keyword and the requested content are the request content.
After the service virtual host receives the first encryption keyword and the request content, the service virtual host can search data according to the first encryption keyword through the service program to obtain a search result, and screen second encryption data corresponding to the first encryption request from the search result according to the request content, for example, the second encryption data corresponding to the first encryption request is data required by a user, the service virtual host searches a database according to the first encryption keyword through the service program to obtain a search result, and obtains corresponding data required by the user from the search result, wherein the data can be E1 (user data). After the service virtual host screens the second encrypted data corresponding to the first encrypted request from the search result according to the request content, the service virtual host sends the second encrypted data to the encrypted and decrypted virtual host through the shared memory queue channel under the drive of the shared memory queue, for example, the service virtual host forwards E1 (user data) to the encrypted and decrypted virtual host through the shared memory queue channel, the service virtual host also outputs first encrypted data obtained by the encrypted and decrypted virtual host encrypting and decrypting the second encrypted data according to the first key and the second key, the first encrypted data can be decrypted by the encrypted and decrypted virtual host using the second key to obtain the user data, the first key is a key E, the second key is a uniform key E1, the encrypted and decrypted virtual host decrypts the second encrypted data through the uniform key E1 to obtain the user data, the key E is used for re-encrypting the user data, and the service virtual host further receives the first encrypted data sent by the encrypted and decrypted virtual host and outputs the first encrypted data.
In this embodiment, in order to ensure the security of the encryption and decryption virtual host and the service virtual host operating environment, the operating environment of the physical host may be strictly authenticated, for example, trusted computing authentication is performed by using a TPM mode, and only the virtual host is operated on the secure and trusted physical host, so as to prevent the leakage of the key.
In this embodiment, the encryption and decryption virtual host may use a unified encryption key, a private key, and the like, and may be transferred to the encryption and decryption virtual host by the virtual host management platform after being transferred to the physical host through a secure channel with the physical host when the virtual host is loaded.
Fig. 4 is a flow chart of a user data security save according to an embodiment of the present invention. As shown in fig. 4, the process of securely storing user data of this embodiment includes the steps of:
in step S401, a secure encrypted communication channel is established between the user terminal and the encrypted and decrypted virtual host by means of the service virtual host, and a key required for communication is negotiated.
In this embodiment, a secure encrypted communication channel is established between the user terminal and the encryption and decryption virtual host by means of the service virtual host, and a key required for communication is negotiated to include a key E and a key E1, where the key E and the key E1 are used for the encryption and decryption virtual host to encrypt and decrypt the first encryption request, so as to obtain the first encryption keyword and the request content.
Optionally, the key E is a dynamic negotiation key between the user terminal and the encryption and decryption virtual host, and is used for secure transmission of data between the user terminal and the encryption and decryption virtual host, and may be used for performing decryption processing on the first encryption request between the encryption and decryption virtual host to obtain a request keyword and a request content, where the request keyword may be a data index, and may be used as a condition item for searching a database, for example, a telephone number of a user is requested, then the user ID is the request keyword, and the whole keyword and the request content are the request content.
Optionally, the key E1 is a data encryption and decryption key, and is used for encrypting the data and storing the encrypted data in a database or in other storage modes to protect the data storage security, the key E1 is used for encrypting and decrypting the request keyword again by the virtual host to obtain a first encryption keyword, and the request content can be stored without encryption.
In step S402, the user terminal encrypts the user data using the preset key E, and transmits the encrypted data to the service virtual host through the communication channel of the shared memory.
In step S403, the service virtual host extracts the encrypted user data E (user data) therein, obtains a first encryption request, and forwards the first encryption request to the encryption and decryption virtual host through the communication channel of the shared memory.
In step S404, after the encryption/decryption virtual host obtains the first encryption request, the first encryption request is decrypted using the key E to obtain the request keyword and the request content, and the request keyword is re-encrypted using the unified key E1 to obtain the first encryption keyword, that is, the encrypted E1 (user data).
In step S405, the encryption and decryption virtual host forwards the encrypted E1 (user data) to the service virtual host through the communication channel of the shared memory.
In step S406, the service virtual host stores E1 (user data) in the database.
The service virtual host stores E1 (user data) in other storage manners.
The whole flow of the embodiment is that the service virtual host only contacts the encrypted data, so that even if the service virtual host is invaded, the plaintext of the user data is difficult to obtain, thereby avoiding data leakage and improving the safety of the data.
Fig. 5 is a schematic flow chart of a user data security reading according to an embodiment of the present invention. As shown in fig. 5, the process of safely reading user data includes the following steps:
in step S501, a secure encrypted communication channel is established between the user terminal and the encrypted and decrypted virtual host by means of the service virtual host, and a key E required for communication is negotiated.
In step S502, the user terminal encrypts the required specified data request with the E key, and then sends the encrypted request to the service virtual host.
In step S503, the service virtual host extracts the encrypted E (user request) in the encrypted request, and forwards the E (user request) to the encrypted and decrypted virtual host through the communication channel of the shared memory.
In step S504, after the encryption and decryption virtual host obtains the encrypted user request, the key E is used to decrypt the request keyword, and the unified key E1 is used to re-encrypt the request keyword one by one, so as to obtain the encrypted keyword.
In step S505, the encryption and decryption virtual host forwards the request and the encryption keyword to the service virtual host through the shared memory communication channel.
In step S506, after receiving the request and the encryption keyword, the service virtual host performs database lookup according to the request and the encryption keyword to obtain the data required by the corresponding user, where the data is E1 (user data).
In step S507, the service virtual host forwards E1 (user data) to the encryption and decryption virtual host through the shared memory communication channel.
In step S508, the encryption/decryption virtual machine decrypts E1 (user data) with the unified key E1, and re-encrypts E (user data) with the communication encryption key E.
Step S509, the encryption and decryption virtual machine forwards the encrypted E (user data) to the service virtual host through the shared memory communication channel.
In step S510, the service virtual host receives the E (user data) and forwards it to the user.
In step S511, the user terminal decrypts the data using the key E after receiving E (user data), thereby completing the extraction of the user data.
In this embodiment, the service virtual host only contacts the encrypted data in the whole flow, so that even if the service virtual host is invaded, the plaintext of the user data is difficult to obtain, thereby avoiding the leakage of the data and improving the security of the data.
In this embodiment, hardware encryption generally requires additional cost input, such services cannot be provided on a general universal server on the cloud, and the data protection scheme of the dual virtual machine can be suitable for deployment on a large scale cloud.
The embodiment fully utilizes the existing security isolation technology among all virtual hosts in the physical hosts, and provides a data protection technology for encrypting and decrypting the security data by using one virtual host as another service virtual host, so that the data encryption and decryption process is isolated from the complex service process, the service hosts can not leak user data even if being invaded, and the security of the data is improved. And the encryption and decryption processing flow and the business flow are respectively put into different independent virtual hosts of the same physical host, and are communicated by using a simple and efficient communication channel sharing the memory, so that the security, the high efficiency and the timeliness of the encryption and decryption processing can be fully ensured.
In the embodiment, the program and the operating system running on the encryption and decryption virtual host are relatively simple and similar to the island environment, so that the risk of invasion of the virtual host can be greatly reduced, and a better data security protection effect is provided.
Example 2
In accordance with an embodiment of the present invention, there is also provided an embodiment of a virtual host-based data interaction method, it being noted that the steps illustrated in the flowchart of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flowchart, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
The method embodiment provided in the first embodiment of the present application may be executed in a mobile terminal, a computer terminal or a similar computing device. Fig. 6 is a block diagram of a hardware structure of a computer terminal (or mobile device) for implementing a virtual host-based data interaction method according to an embodiment of the present invention. As shown in fig. 6, the computer terminal 60 (or mobile device 60) may include one or more processors 602 (shown in the figures as 602a, 602b, … …,602 n) (the processor 602 may include, but is not limited to, a microprocessor MCU, a programmable logic device FPGA, etc. processing means), a memory 604 for storing data, and a transmission means 606 for communication functions. In addition, the method may further include: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power supply, and/or a camera. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 6 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the computer terminal 60 may also include more or fewer components than shown in FIG. 6, or have a different configuration than shown in FIG. 6.
It should be noted that the one or more processors 602 and/or other data processing circuits described above may be referred to herein generally as "data processing circuits. The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any other combination. Furthermore, the data processing circuitry may be a single stand-alone processing module, or incorporated, in whole or in part, into any of the other elements in the computer terminal 60 (or mobile device). As referred to in the embodiments of the present application, the data processing circuit acts as a processor control (e.g., selection of the path of the variable resistor termination to interface).
The memory 604 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the virtual host-based data interaction method in the embodiment of the present invention, and the processor 602 executes the software programs and modules stored in the memory 604 to perform various functional applications and data processing, that is, implement the virtual host-based data interaction method of the application program. Memory 604 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory. In some examples, memory 604 may further comprise memory located remotely from processor 602, which may be connected to computer terminal 60 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 606 is used for receiving or transmitting data via a network. The specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 60. In one example, the transmission device 606 includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 606 may be a Radio Frequency (RF) module for communicating with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 60 (or mobile device).
It should be noted here that in some alternative embodiments, the computer device (or mobile device) shown in fig. 6 described above may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that fig. 6 is only one example of a specific example, and is intended to illustrate the types of components that may be present in the computer device (or mobile device) described above.
In the above-described operating environment, the present application provides a data interaction method based on a virtual host as shown in fig. 7. It should be noted that the data interaction method based on the virtual host of this embodiment may be performed by the data interaction system based on the virtual host of the embodiment shown in fig. 1.
Fig. 7 is a flowchart of a data interaction method based on a virtual host according to an embodiment of the present invention. As shown in fig. 7, the method includes the steps of:
in step S702, a load instruction is received.
In the technical solution provided in step S702 of the present invention, the load instruction may be a load instruction from a virtual host management platform, for loading a virtual host, and optionally, the physical host receives the load instruction.
In step S704, the first virtual host and the second virtual host are loaded on the physical host according to the loading instruction, respectively.
In the technical solution provided in the above step S704 of the present invention, after receiving the loading instruction, the first virtual host and the second virtual host are respectively loaded on the physical host according to the loading instruction, where the first virtual host and the second virtual host are connected by data, for example, data interaction is performed through a communication channel of the shared memory, the first virtual host is used for encrypting and decrypting data, and the second virtual host is used for providing service.
In this embodiment, the second virtual host may be a service virtual host, for providing service, but the encryption and decryption functions of the data are completed by the first virtual host, where the first virtual host may be an encryption and decryption virtual host, and the encryption and decryption virtual host is used for taking charge of the encryption and decryption functions of the data, and the system running on the first virtual host is very concise and may include an operating system, an encryption and decryption program and a security module with basically required functions, without supporting a network and a protocol, so that the complexity of the first virtual host can be greatly reduced to reduce the vulnerability risk.
When a second virtual host is allocated to a certain physical host for operation according to the requirement of a user on the virtual machine, the virtual host management platform needs to simultaneously allocate the first virtual host with the binding encryption and decryption function to the same physical host, so that the second virtual host and the first service host are in data connection, for example, data interaction is performed through a communication channel of a shared memory. After receiving the loading instruction from the virtual host management platform, the physical host loads the second virtual host and the first virtual host on the physical host respectively, and establishes a communication channel for the second virtual host and the first virtual host to share the memory.
In order to ensure the safety of the virtual machine operation environment, the operation environment of the physical host machine can be strictly authenticated, for example, the trusted computing authentication is performed by using a TPM mode, and the virtual machine is only operated on the safe and trusted physical host machine so as to prevent the secret key from leaking.
This embodiment is achieved by receiving a load instruction; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on the physical hosts, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services. The first virtual host and the second virtual host are loaded on the physical host, so that the first virtual host and the second virtual host are in data connection, that is, the first virtual host provides a data protection method for encrypting and decrypting safety data for the second virtual host, so that the data safety of the second virtual host is protected, the data leakage is avoided, the aim of data interaction based on the virtual host is achieved, the technical effect of improving the safety of the data is achieved, and the technical problem of low safety of the data due to the data leakage is solved.
As an alternative embodiment, the data connection between the first virtual host and the second virtual host includes: the second virtual host receives the first encrypted data; the second virtual host sends the first encrypted data to the first virtual host through a communication channel of the shared memory; the second virtual host receives second encrypted data sent by the first virtual host through a communication channel, wherein the first virtual host decrypts the first encrypted data by using a preset first key to obtain user data, and encrypts the user data by using a preset second key to obtain second encrypted data; the second virtual host stores second encrypted data.
In this embodiment, a secure encrypted communication channel is established between a user terminal and an encrypted and decrypted virtual host by means of a service virtual host, and a first key and a second key required for communication are negotiated, where the first key is used to implement secure data transmission between the user terminal and the first virtual host, and the second key is used to implement secure data storage, and the first virtual host sends a first encrypted keyword and a request content to the second virtual host through a communication channel sharing a memory.
During the process of data connection between the first virtual host and the second virtual host, the second virtual host receives first encrypted data, for example, a secure encrypted communication channel is established between the user terminal and the first virtual host by means of the second virtual host, a first key required for communication is negotiated, the user data is encrypted by using the first key to obtain first encrypted data, the first encrypted data is transmitted to the second virtual host, and the second virtual host receives the first encrypted data, wherein the first key can be a key E, can be a dynamic negotiation key between the user terminal and the first virtual host, and is used for realizing data secure transmission between the user terminal and the first virtual host.
After the second virtual host receives the first encrypted data, the first encrypted data is sent to the first virtual host through the communication channel of the shared memory, that is, the service virtual host can forward the first encrypted data to the encryption and decryption virtual host through the communication channel of the shared memory. After the first virtual host receives the first encrypted data, encrypting and decrypting the first encrypted data according to the first key and the second key to obtain second encrypted data, for example, after the encrypted and decrypted virtual host obtains the first encrypted data, the first key E is used for decrypting the data, the second key E1 is used for re-encrypting the data to obtain second encrypted data, the second key is the data encryption and decryption key and is used for encrypting the data and storing the encrypted data in a database or other storage modes to protect data storage safety, so that data safety transmission between the user terminal and the first virtual host is realized, and data safety storage is realized.
After the first virtual host obtains the second encrypted data, the second encrypted data may be sent to the second virtual host through a communication channel of the shared memory, where the second virtual host receives the second encrypted data and may store the second encrypted data, or alternatively, the second encrypted data may be stored in a database or stored in another storage manner.
Because the second virtual host only contacts the encrypted data, for example, the first encrypted data and the second encrypted data, even if the second virtual host is invaded, the plaintext of the user data is difficult to obtain, thereby avoiding data leakage and improving the security of the data.
As an optional implementation manner, the first virtual host performs encryption and decryption processing on the first encrypted data according to the first key and the second key, and obtaining the second encrypted data includes: the first virtual host decrypts the first encrypted data by using the first key to obtain user data; and the first virtual host encrypts the user data by using the second key to obtain second encrypted data.
In this embodiment, when the first virtual host encrypts and decrypts the first encrypted data according to the first key and the second key to obtain the second encrypted data, the first virtual host may decrypt the first encrypted data using the first key, for example, after the first encrypted data is obtained by the encrypting and decrypting virtual host, the first encrypted data may be decrypted using the key E to obtain the user data, and then the user data is encrypted using the second key, for example, the user data is re-encrypted using the unified key E1 to obtain the second encrypted data, and then the second virtual host receives the second encrypted data sent by the first virtual host through the communication channel, and stores the second encrypted data.
As an alternative embodiment, the data connection between the first virtual host and the second virtual host includes: the second virtual host receives the first encryption request; the second virtual host sends a first encryption request to the first virtual host through a communication channel; the second virtual host receives a first encryption keyword and request content sent by the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain the first encryption keyword and the request content, the first key is used for realizing data security transmission between the user terminal and the first virtual host, and the second key is used for realizing data security storage; the second virtual host performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from the searching result according to the request content; the second virtual host sends second encrypted data to the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the second virtual host outputs the first encrypted data.
In this embodiment, the first encryption request may be a request in which the user requests desired specified data to be encrypted using the E-key. The second virtual host receives the first encryption request and forwards the first encryption request to the first virtual host through a communication channel shared by the memory. After the first virtual host acquires the first encryption request, encrypting and decrypting the first encryption request according to the first key and the second key to obtain a first encryption keyword and request content, re-encrypting the request keyword by using the unified key E1 to obtain the first encryption keyword, and sending the first encryption keyword and the request content to the second virtual host, wherein the request keyword is generally a data index and is used as a condition item for searching a database, such as a telephone number of a user, a user Identification (ID) is the request keyword, the whole keyword and the request content are request content, and the second virtual host needs to know a content item specifically requested by the first virtual host without encryption.
After receiving the first encryption keyword and the request content sent by the first virtual host through the communication channel, the second virtual host performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from the searching result according to the request content, for example, performs database searching according to the first encryption keyword, and obtains second encryption data required by the corresponding user.
In this embodiment, the first encryption key is an input condition for searching data, the requested content is a content item to be selected, for example, a request user telephone number, the first encryption key is a user ID, the telephone number is the requested content, and the telephone number returned by the database is the data to be finally returned.
It should be noted that, encryption and decryption in this embodiment are transparent to the second virtual host, and the second virtual host does not need to know the second key, and the second virtual host does not need to perform data searching according to the first encryption keyword or decryption, and the data returned by the database needs to be processed by the first virtual host in the decryption process.
The second virtual host sends the obtained second encrypted data to the first virtual host through the communication channel, the first virtual host encrypts and decrypts the first encrypted request according to the first key and the second key, so that first encrypted data is obtained, the first virtual host forwards the first encrypted data to the second virtual host through the communication channel of the shared memory, the second virtual host forwards the first encrypted data to a user after receiving the first encrypted data, and the user can decrypt the data by using the key E after receiving the first encrypted data, so that the extraction of the user data is completed.
In this embodiment, since the second virtual host only contacts the encrypted data, even if the second virtual host is invaded, it is difficult to obtain the plaintext of the user data, thereby avoiding the leakage of the data and improving the security of the data.
As an optional implementation manner, the first virtual host performs encryption and decryption processing on the first encryption request according to the first key and the second key, and obtaining the first encryption keyword and the request content includes: the first virtual host decrypts the first encryption request by using the first key to obtain a request keyword and request content; the first virtual host encrypts the request keyword by using the second key to obtain a first encrypted keyword.
In this embodiment, when the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain the first encryption key and the request content, the first virtual host may decrypt the first encryption request using the first key, for example, decrypt the first encryption request using the key E to obtain the request key and the request content. After the first virtual host decrypts the first encryption request by using the first key to obtain a request keyword and a request content, the request keyword can be encrypted by using the second key, for example, the request keyword is re-encrypted by using the key E1 to obtain the first encryption keyword, then the second virtual host receives the first encryption keyword and the request content sent by the first virtual host through the communication channel, performs data search according to the first encryption keyword, screens out second encryption data corresponding to the first encryption request from the search result according to the request content, sends the second encryption data to the first virtual host through the communication channel, and the first virtual host performs encryption and decryption processing on the second encryption data according to the first key and the second key to obtain the first encryption data, and the second virtual host outputs the first encryption data.
As an optional implementation manner, the first virtual host performs encryption and decryption processing on the second encrypted data according to the first key and the second key, and obtaining the first encrypted data includes: the first virtual host decrypts the second encrypted data by using the second key to obtain user data; the first virtual host encrypts user data by using the first key to obtain first encrypted data.
In this embodiment, when the first virtual host performs encryption and decryption processing on the second encrypted data according to the first key and the second key to obtain the first encrypted data, the first virtual host may use the second key to decrypt the second encrypted data, for example, the encryption and decryption virtual host decrypts the second encrypted data through the uniform key E1 to obtain the user data, and then uses the first key to encrypt the user data, for example, uses the key E to re-encrypt the user data, thereby obtaining the first encrypted data, and then the second virtual host receives and outputs the first encrypted data.
As an alternative implementation manner, the first key is a key pre-negotiated by the user terminal and the first virtual host, and the second key is a preset unified key.
In this embodiment, the first key may be a key negotiated in advance between the user terminal and the first virtual host, may be a dynamic negotiation key between the user terminal and the encrypted and decrypted virtual host, and is used for data secure transmission between the user terminal and the encrypted and decrypted virtual host, for example, the first key is a key E; the second key is a preset unified key, which may be a unified data encryption and decryption key, and is used for encrypting the data and storing the encrypted data in a database or other storage modes so as to protect the data storage security, for example, the second key is a key E1.
The first virtual host and the second virtual host are loaded on the physical host, so that the first virtual host and the second virtual host are in data connection, that is, the first virtual host provides a data protection method for encrypting and decrypting safety data for the second virtual host, so that the data safety of the second virtual host is protected, the data leakage is avoided, the aim of data interaction based on the virtual host is achieved, the technical effect of improving the safety of the data is achieved, and the technical problem of low safety of the data due to the data leakage is solved.
FIG. 8 is a flow chart of another virtual host based data interaction method according to an embodiment of the invention. As shown in fig. 8, the method includes the steps of:
In step S802, the second virtual host receives the first encrypted data.
In the technical solution provided in the above step S802 of the present invention, during the process of data connection between the first virtual host and the second virtual host, the second virtual host receives first encrypted data, for example, a secure encrypted communication channel is established between the user terminal and the first virtual host by means of the second virtual host, and a first key required for communication is negotiated, the user data is encrypted by using the first key to obtain first encrypted data, the first encrypted data is transmitted to the second virtual host, and the second virtual host receives the first encrypted data.
In step S804, the second virtual host sends the first encrypted data to the first virtual host through the communication channel of the shared memory.
In the technical solution provided in the above step S804 of the present invention, after the second virtual host receives the first encrypted data, the second virtual host sends the first encrypted data to the first virtual host through the communication channel of the shared memory.
After the second virtual host receives the first encrypted data, the first encrypted data is sent to the first virtual host through the communication channel of the shared memory, that is, the service virtual host can forward the first encrypted data to the encryption and decryption virtual host through the communication channel of the shared memory.
In step S806, the second virtual host receives the second encrypted data sent by the first virtual host through the communication channel.
In the technical solution provided in the above step S806, the second virtual host receives the second encrypted data sent by the first virtual host through the communication channel, where the first virtual host decrypts the first encrypted data with a preset first key, and encrypts the user data with a preset second key after obtaining the user data, so as to obtain the second encrypted data.
After the first virtual host receives the first encrypted data, encrypting and decrypting the first encrypted data according to the first key and the second key to obtain second encrypted data, for example, after the encrypted and decrypted virtual host obtains the first encrypted data, the first key E is used for decrypting the data, the second key E1 is used for re-encrypting the data to obtain second encrypted data, the second key is the data encryption and decryption key and is used for encrypting the data and storing the encrypted data in a database or other storage modes to protect data storage safety, so that data safety transmission between the user terminal and the first virtual host is realized, and data safety storage is realized.
After the first virtual host obtains the second encrypted data, the second encrypted data may be sent to the second virtual host through a communication channel of the shared memory, and the second virtual host receives the second encrypted data.
In step S808, the second virtual host stores the second encrypted data.
In the technical solution provided in step S808 of the present invention, after the second virtual host receives the second encrypted data sent by the first virtual host through the communication channel, the second virtual host stores the second encrypted data, and may store the second encrypted data, or alternatively, store the second encrypted data in a database or store the second encrypted data in another storage manner.
Through the steps S802 to S808, the second virtual host receives the first encrypted data; the second virtual host sends the first encrypted data to the first virtual host through a communication channel of the shared memory; the second virtual host receives second encrypted data sent by the first virtual host through a communication channel, wherein the first virtual host decrypts the first encrypted data by using a preset first key to obtain user data, and encrypts the user data by using a preset second key to obtain second encrypted data; the second virtual host stores second encrypted data. Because the second virtual host only contacts the encrypted data, for example, the first encrypted data and the second encrypted data, even if the second virtual host is invaded, the plaintext of the user data is difficult to obtain, thereby avoiding data leakage and improving the security of the data.
As an optional implementation manner, the first virtual host performs encryption and decryption processing on the first encrypted data according to the first key and the second key, and obtaining the second encrypted data includes: the first virtual host decrypts the first encrypted data by using the first key to obtain user data; and the first virtual host encrypts the user data by using the second key to obtain second encrypted data.
In this embodiment, when the first virtual host encrypts and decrypts the first encrypted data according to the first key and the second key to obtain the second encrypted data, the first virtual host may decrypt the first encrypted data using the first key, for example, after the first encrypted data is obtained by the encrypting and decrypting virtual host, the first encrypted data may be decrypted using the key E to obtain the user data, and then the user data is encrypted using the second key, for example, the user data is re-encrypted using the unified key E1 to obtain the second encrypted data, and then the second virtual host receives the second encrypted data sent by the first virtual host through the communication channel, and stores the second encrypted data.
FIG. 9 is a flow chart of another virtual host based data interaction method according to an embodiment of the invention. As shown in fig. 9, the method includes the steps of:
In step S902, the second virtual host receives the first encryption request.
In the technical solution provided in the above step S902 of the present invention, the first encryption request may be a request obtained by encrypting the required specified data request with the E-key by the user. The second virtual host receives the first encryption request, which may be received for the service virtual host.
In step S904, the second virtual host sends the first encryption request to the first virtual host through the communication channel of the shared memory.
In the technical solution provided in the above step S904 of the present invention, after the second virtual host receives the first encryption request, the second virtual host sends the first encryption request to the first virtual host through the communication channel of the shared memory.
In step S906, the second virtual host receives the first encryption keyword and the request content sent by the first virtual host through the communication channel.
In the technical solution provided in the above step S906 of the present invention, the second virtual host receives the first encryption keyword and the request content sent by the first virtual host through the communication channel, where the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain the first encryption keyword and the request content.
In this embodiment, after the first virtual host obtains the first encryption request, the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain a first encryption keyword and a request content, for example, the first encryption request is decrypted by using the key E to obtain the request keyword and the request content, the request keyword is re-encrypted by using the uniform key E1 to obtain the first encryption keyword, the first encryption keyword and the request content are sent to the second virtual host, and the second virtual host receives the first encryption keyword and the request content sent by the first virtual host through the communication channel.
In step S908, the second virtual host performs data search according to the first encryption keyword, and screens out the second encrypted data corresponding to the first encryption request from the search result according to the request content.
In the technical solution provided in the above step S908 of the present invention, after the second virtual host receives the first encryption keyword and the request content sent by the first virtual host through the communication channel, the second virtual host performs data searching according to the first encryption keyword, and screens out the second encryption data corresponding to the first encryption request from the searching result according to the request content, for example, performs database searching according to the first encryption keyword, so as to obtain the second encryption data required by the corresponding user.
In step S910, the second virtual host sends the second encrypted data to the first virtual host through the communication channel.
In the technical solution provided in the above step S910 of the present invention, the second virtual host sends the second encrypted data to the first virtual host through the communication channel, the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain the first encrypted data, and forwards the first encrypted data to the second virtual host through the communication channel of the shared memory
In step S912, the second virtual host outputs the first encrypted data.
In the technical scheme provided in the step S912, the second virtual host receives the first encrypted data forwarded by the first virtual host, returns the first encrypted data to the user terminal, and after receiving the first encrypted data, the user terminal can decrypt the data by using the key E, thereby completing the extraction of the user data.
Through the above steps S902 to S912, the second virtual host receives the first encryption request; the second virtual host sends a first encryption request to the first virtual host through a communication channel of the shared memory; the second virtual host receives a first encryption keyword and request content sent by the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain the first encryption keyword and the request content; the second virtual host performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from the searching result according to the request content; the second virtual host sends second encrypted data to the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the second virtual host outputs the first encrypted data, so that safe reading of the user data is realized, and the safety of the data is improved.
As an optional implementation manner, the first virtual host performs encryption and decryption processing on the first encryption request according to the first key and the second key, and obtaining the first encryption keyword and the request content includes: the first virtual host decrypts the first encryption request by using the first key to obtain a request keyword and request content; the first virtual host encrypts the request keyword by using the second key to obtain a first encrypted keyword.
In this embodiment, when the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain the first encryption key and the request content, the first virtual host may decrypt the first encryption request using the first key, for example, decrypt the first encryption request using the key E to obtain the request key and the request content. After the first virtual host decrypts the first encrypted request using the first key to obtain the request keyword and the request content, the request keyword may be encrypted using the second key, for example, the request keyword is re-encrypted using the key E1, so as to obtain the first encrypted keyword.
As an optional implementation manner, the first virtual host performs encryption and decryption processing on the second encrypted data according to the first key and the second key, and obtaining the first encrypted data includes: the first virtual host decrypts the second encrypted data by using the second key to obtain user data; the first virtual host encrypts user data by using the first key to obtain first encrypted data.
In this embodiment, the first virtual host may decrypt the second encrypted data using the second key, for example, the encrypted and decrypted virtual host decrypts the second encrypted data using the unified key E1 to obtain the user data, and encrypts the user data using the first key, for example, re-encrypts the user data using the key E to obtain the first encrypted data, and then the second virtual host outputs the first encrypted data.
FIG. 10 is a flow chart of another virtual host based data interaction method according to an embodiment of the invention. As shown in fig. 10, the method includes the steps of:
in step S1002, the first virtual host receives first encrypted data sent by the second virtual host through the communication channel of the shared memory.
In the technical scheme provided in the step S1002 of the present invention, the first virtual host receives the first encrypted data sent by the second virtual host through the communication channel of the shared memory.
The first encrypted data is received by the second virtual host, and the first virtual host receives the first encrypted data forwarded by the second virtual host through the communication channel of the shared memory, for example, the encryption and decryption virtual host receives the first encrypted data forwarded by the service virtual host through the communication channel of the shared memory.
In step S1004, the first virtual host decrypts the first encrypted data using the preset first key to obtain the user data.
In step S1006, the first virtual host encrypts the user data using a preset second key to obtain second encrypted data.
In the technical solutions provided in the above steps S1004 and S1006 of the present invention, the first virtual host performs encryption and decryption processing on the first encrypted data according to the first key and the second key, so as to obtain the second encrypted data, where the first key is used to implement secure data transmission between the user terminal and the first virtual host, and the second key is used to implement secure data storage.
After the first virtual host receives the first encrypted data, encrypting and decrypting the first encrypted data according to the first key and the second key to obtain second encrypted data, for example, after the encrypted and decrypted virtual host obtains the first encrypted data, the first key E is used for decrypting the data, the second key E1 is used for re-encrypting the data to obtain second encrypted data, the second key is the data encryption and decryption key and is used for encrypting the data and storing the encrypted data in a database or other storage modes to protect data storage safety, so that data safety transmission between the user terminal and the first virtual host is realized, and data safety storage is realized.
In step S1008, the first virtual host transmits the second encrypted data to the second virtual host through the communication channel, so that the second virtual host stores the second encrypted data.
In the technical scheme provided in the step S1008, after the first virtual host encrypts and decrypts the first encrypted data according to the first key and the second key to obtain the second encrypted data, the first virtual host sends the second encrypted data to the second virtual host through the communication channel, so that the second virtual host stores the second encrypted data. Alternatively, the second encrypted data may be stored in a database or other storage by the second virtual host.
In this embodiment, through steps S1002 to S1008, the first virtual host receives first encrypted data sent by the second virtual host through the communication channel of the shared memory; the first virtual host decrypts the first encrypted data by using a preset first key to obtain user data; the first virtual host encrypts the user data by using a preset second key to obtain second encrypted data; the first virtual host sends the second encrypted data to the second virtual host through the communication channel so that the second virtual host stores the second encrypted data, and the first virtual host provides a data protection method for encrypting and decrypting the security data for the second virtual host so as to protect the data security of the second virtual host, avoid data leakage and improve the security of the data.
FIG. 11 is a flow chart of another virtual host based data interaction method according to an embodiment of the invention. As shown in fig. 11, the method includes the steps of:
in step S1102, the first virtual host receives a first encryption request sent by the second virtual host through a communication channel of the shared memory.
In the technical solution provided in the above step S1102 of the present invention, the first encryption request may be a request obtained by encrypting the required specified data request with the E-key by the user. The second virtual host receives the first encryption request, and forwards the first encryption request to the first virtual host through a communication channel shared by the memory, so that the first virtual host obtains the first encryption request.
In step S1104, the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain the first encryption keyword and the request content, where the first key is used to implement data secure transmission between the user terminal and the first virtual host, and the second key is used to implement data secure storage.
In the technical solution provided in the above step S1104 of the present invention, after the first virtual host receives the first encryption request sent by the second virtual host through the communication channel of the shared memory, the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain the first encryption keyword and the request content, where the first key is used to implement data secure transmission between the user terminal and the first virtual host, and the second key is used to implement data secure storage. For example, the first virtual host decrypts the first encrypted request by using the key E to obtain a request keyword and a request content, and re-encrypts the request keyword by using the unified key E1 to obtain the first encrypted keyword.
In step S1106, the first virtual host sends the first encryption key and the request content to the second virtual host through the communication channel of the shared memory.
In the technical solution provided in the above step S1106 of the present invention, after the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain the first encryption key and the request content, the first virtual host sends the first encryption key and the request content to the second virtual host through the communication channel of the shared memory, and the second virtual host searches the data according to the first encryption key, and screens out the second encryption data corresponding to the first encryption request from the search result according to the request content, for example, the second virtual host searches the database according to the first encryption key to obtain the second encryption data required by the corresponding user.
In step S1108, the first virtual host receives the second encrypted data sent by the second virtual host through the communication channel.
In the technical solution provided in the above step S1108 of the present invention, after the second virtual host performs database lookup according to the first encryption keyword, and obtains the second encrypted data required by the corresponding user, the first virtual host receives the second encrypted data sent by the second virtual host through the communication channel.
In step S1110, the first virtual host performs encryption and decryption processing on the second encrypted data according to the first key and the second key, to obtain the first encrypted data.
In the technical scheme provided in the step S1110, after the first virtual host receives the second encrypted data sent by the second virtual host through the communication channel, the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain the first encrypted data.
In step S1112, the first virtual host sends the first encrypted data to the second virtual host through the communication channel.
In the technical solution provided in the above step S1112 of the present invention, the first virtual host sends the first encrypted data to the second virtual host through the communication channel, and the second virtual host forwards the first encrypted data to the user after receiving the first encrypted data, and the user can decrypt the data using the key E after receiving the first encrypted data, thereby completing the extraction of the user data.
Through the steps S1102 to S1112, the first virtual host receives a first encryption request sent by the second virtual host through the communication channel of the shared memory; the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain a first encryption keyword and request content, wherein the first key is used for realizing data security transmission between the user terminal and the first virtual host, and the second key is used for realizing data security storage; the first virtual host sends the first encryption key word and the request content to the second virtual host through a communication channel of the shared memory, wherein the second virtual host searches data according to the first encryption key word and screens second encryption data corresponding to the first encryption request from a search result according to the request content; the first virtual host receives second encrypted data sent by the second virtual host through a communication channel; the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the first virtual host sends the first encrypted data to the second virtual host through the communication channel, and the first virtual host provides a data protection method for encrypting and decrypting the safety data for the second virtual host so as to protect the data safety of the second virtual host, avoid data leakage and improve the safety of the data.
In the embodiment, the service virtual host and the encryption and decryption virtual host are separated, the data connection is carried out, the service plaintext does not appear, thereby improving the security of the data,
it should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required for the present invention.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
Example 3
According to an embodiment of the present invention, there is also provided a computing device for implementing the above-mentioned data interaction method based on a virtual host.
FIG. 12 is a schematic diagram of a computing device according to an embodiment of the invention. As shown in fig. 12, the computing device 1200 includes: an input-output device 1201 and a loading device 1202.
Input-output device 1201 is configured to receive a load instruction.
The loading device 1202 is configured to load a first virtual host and a second virtual host on a physical host according to a loading instruction, where the first virtual host is connected to the second virtual host by data, the first virtual host is used for encrypting and decrypting data, and the second virtual host is used for providing a service.
Here, it should be noted that the input-output device 1201 and the loading device 1202 described above correspond to steps S702 to S704 in embodiment 2, and the two devices are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to those disclosed in embodiment 2 described above. It should be noted that the above-described apparatus may be operated as a part of the device in the computer terminal 60 provided in embodiment 2.
FIG. 13 is a schematic diagram of another virtual host based data interaction apparatus according to an embodiment of the present invention. As shown in fig. 13, the apparatus 1300 includes: a first receiving module 1301, a transmitting module 1302, a second receiving module 1303 and a storage module 1304.
The first receiving module 1301 is configured to receive the first encrypted data.
The sending module 1302 is configured to send the first encrypted data to the first virtual host through a communication channel of the shared memory.
The second receiving module 1303 is configured to receive second encrypted data sent by the first virtual host through the communication channel, where the first virtual host performs encryption and decryption processing on the first encrypted data according to a first key and a second key to obtain second encrypted data, the first key is used to implement secure data transmission between the user terminal and the first virtual host, and the second key is used to implement secure data storage.
A storage module 1304 for storing the second encrypted data.
Here, the first receiving module 1301, the transmitting module 1302, the second receiving module 1303, and the storage module 1304 correspond to steps S802 to S808 in embodiment 2, and the four modules are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to those disclosed in embodiment 2. It should be noted that the above-described module may be operated as a part of the apparatus in the computer terminal 60 provided in embodiment 2.
FIG. 14 is a schematic diagram of another virtual host based data interaction apparatus according to an embodiment of the invention. As shown in fig. 14, the apparatus 1400 includes: a first receiving module 1401, a first transmitting module 1402, a second receiving module 1403, a screening module 1404, a second transmitting module 1405, and a returning module 1406.
The first receiving module 1401 is configured to receive a first encryption request.
The first sending module 1402 is configured to send a first encryption request to a first virtual host through a communication channel of a shared memory.
The second receiving module 1403 is configured to receive a first encryption keyword and a request content sent by a first virtual host through a communication channel, where the first virtual host performs encryption and decryption processing on a first encryption request according to a first key and a second key, to obtain the first encryption keyword and the request content.
And the screening module 1404 is configured to search data according to the first encryption keyword, and screen second encryption data corresponding to the first encryption request from the search result according to the request content.
The second sending module 1405 is configured to send the second encrypted data to the first virtual host through the communication channel, where the first virtual host performs encryption and decryption processing on the second encrypted data according to the first key and the second key, to obtain the first encrypted data.
A return module 1406 for outputting the first encrypted data.
Here, the first receiving module 1401, the first transmitting module 1402, the second receiving module 1403, the processor 1404, the second transmitting module 1405, and the returning module 1406 correspond to steps S902 to S912 in embodiment 2, and the two modules are the same as the examples and the application scenarios implemented by the corresponding steps, but are not limited to those disclosed in embodiment 2. It should be noted that the above-described module may be operated as a part of the apparatus in the computer terminal 60 provided in embodiment 2.
FIG. 15 is a schematic diagram of another virtual host based data interaction apparatus according to an embodiment of the present invention. As shown in fig. 15, the apparatus 1500 includes: a receiving module 1501, a decrypting module 1502, an encrypting module 1503 and a transmitting module 1504.
And the receiving module 1501 is configured to receive the first encrypted data sent by the second virtual host through the communication channel of the shared memory.
The decryption module 1502 is configured to decrypt the first encrypted data by using a preset first key by using the first virtual host, to obtain user data.
And the encryption module 1503 is configured to encrypt the user data with a preset second key to obtain second encrypted data.
The sending module 1504 is configured to send the second encrypted data to the second virtual host through the communication channel, so that the second virtual host stores the second encrypted data.
Here, the receiving module 1501, the decrypting module 1502, the encrypting module 1503 and the transmitting module 1504 correspond to steps S1002 to S1006 in embodiment 2, and the four modules are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to those disclosed in embodiment 2. It should be noted that the above-described module may be operated as a part of the apparatus in the computer terminal 60 provided in embodiment 2.
FIG. 16 is a schematic diagram of another virtual host based data interaction apparatus according to an embodiment of the present invention. As shown in fig. 16, the apparatus 1600 includes: a receiving module 1601, a first processing module 1602, a first transmitting module 1603, a second transmitting module 1604, a second processing module 1605, and a third transmitting module 1606.
The receiving module 1601 is configured to receive a first encryption request sent by a second virtual host through a communication channel of the shared memory.
The first processing module 1602 is configured to encrypt and decrypt the first encryption request according to a first key and a second key, to obtain a first encryption key and a request content, where the first key is used to implement secure data transmission between the user terminal and the first virtual host, and the second key is used to implement secure data storage.
The first sending module 1603 is configured to send the first encryption keyword and the request content to the second virtual host through the communication channel of the shared memory, where the second virtual host performs data search according to the first encryption keyword, and screens out second encrypted data corresponding to the first encryption request from the search result according to the request content.
The second sending module 1604 is configured to receive second encrypted data sent by the second virtual host through the communication channel.
The second processing module 1605 is configured to encrypt and decrypt the second encrypted data according to the first key and the second key, to obtain the first encrypted data.
A third transmitting module 1606, configured to transmit the first encrypted data to the second virtual host through the communication channel.
Here, the above-mentioned receiving module 1601, first processing module 1602, first transmitting module 1603, second processing module 1605, and third transmitting module 1606 correspond to steps S1102 to S1112 in embodiment 2, and the two modules are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to those disclosed in embodiment 2. It should be noted that the above-described module may be operated as a part of the apparatus in the computer terminal 60 provided in embodiment 2.
According to the embodiment, the first virtual host and the second virtual host are loaded on the physical host, so that the first virtual host and the second virtual host are connected with each other through data, that is, the first virtual host provides a data protection method for encrypting and decrypting safety data for the second virtual host, so that the data safety of the second virtual host is protected, data leakage is avoided, the purpose of data interaction based on the virtual host is achieved, the technical effect of improving the safety of the data is achieved, and the technical problem that the safety of the data is low due to the data leakage is solved.
Example 4
Embodiments of the present invention may provide a computer terminal, which may be any one of a group of computer terminals. Alternatively, in the present embodiment, the above-described computer terminal may be replaced with a terminal device such as a mobile terminal.
Alternatively, in this embodiment, the above-mentioned computer terminal may be located in at least one network device among a plurality of network devices of the computer network.
In this embodiment, the computer terminal may execute the program code of the following steps in the positioning method of the application program: receiving a loading instruction; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on the physical hosts, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services.
Alternatively, fig. 17 is a block diagram of a computer mobile terminal according to an embodiment of the present invention. As shown in fig. 17, the computer mobile terminal a may include: one or more (only one is shown) processors 172, memory 174, and a transmission 176.
The memory may be used to store software programs and modules, such as program instructions/modules corresponding to the data interaction method and apparatus based on the virtual host in the embodiments of the present invention, and the processor executes the software programs and modules stored in the memory, thereby executing various functional applications and data processing, that is, implementing the data interaction method based on the virtual host. The memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further comprise memory remotely located from the processor, the remote memory being connectable to the computer terminal a through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor may call the information and the application program stored in the memory through the transmission device to perform the following steps: receiving a loading instruction; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on the physical hosts, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services.
Optionally, the above processor may further execute program code for: the second virtual host receives the first encrypted data; the communication channel of the shared memory of the second virtual host sends the first encrypted data to the first virtual host; the second virtual host receives second encrypted data sent by the first virtual host through a communication channel, wherein the first virtual host decrypts the first encrypted data by using a preset first key to obtain user data, and encrypts the user data by using a preset second key to obtain second encrypted data; the second virtual host stores second encrypted data.
Optionally, the above processor may further execute program code for: the first virtual host decrypts the first encrypted data by using the first key to obtain user data; and the first virtual host encrypts the user data by using the second key to obtain second encrypted data.
Optionally, the above processor may further execute program code for: the second virtual host receives the first encryption request; the second virtual host sends a first encryption request to the first virtual host through a communication channel; the second virtual host receives a first encryption keyword and request content sent by the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain the first encryption keyword and the request content, the first key is used for realizing data security transmission between the user terminal and the first virtual host, and the second key is used for realizing data security storage; the second virtual host performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from the searching result according to the request content; the second virtual host sends second encrypted data to the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the second virtual host outputs the first encrypted data.
Optionally, the above processor may further execute program code for: the first virtual host decrypts the first encryption request by using the first key to obtain a request keyword and request content; the first virtual host encrypts the request keyword by using the second key to obtain a first encrypted keyword.
Optionally, the above processor may further execute program code for: the first virtual host decrypts the second encrypted data by using the second key to obtain user data; the first virtual host encrypts user data by using the first key to obtain first encrypted data.
Optionally, the processor may call the information stored in the memory and the application program through the transmission device to perform the following steps: the second virtual host receives the first encrypted data; the second virtual host sends the first encrypted data to the first virtual host through a communication channel of the shared memory; the second virtual host receives second encrypted data sent by the first virtual host through a communication channel, wherein the first virtual host decrypts the first encrypted data by using a preset first key to obtain user data, and encrypts the user data by using a preset second key to obtain second encrypted data; the second virtual host stores second encrypted data.
Optionally, the processor may call the information stored in the memory and the application program through the transmission device to perform the following steps: the second virtual host receives the first encryption request; the second virtual host sends a first encryption request to the first virtual host through a communication channel of the shared memory; the second virtual host receives a first encryption keyword and request content sent by the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain the first encryption keyword and the request content; the second virtual host performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from the searching result according to the request content; the second virtual host sends second encrypted data to the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the second virtual host outputs the first encrypted data.
Optionally, the above processor may further execute program code for: the first virtual host decrypts the first encryption request by using the first key to obtain a request keyword and request content; the first virtual host encrypts the request keyword by using the second key to obtain a first encrypted keyword.
Optionally, the above processor may further execute program code for: the first virtual host decrypts the second encrypted data by using the second key to obtain user data; the first virtual host encrypts user data by using the first key to obtain first encrypted data.
Optionally, the processor may call the information stored in the memory and the application program through the transmission device to perform the following steps: the first virtual host receives first encrypted data sent by the second virtual host through a communication channel of the shared memory; the first virtual host decrypts the first encrypted data by using a preset first key to obtain user data; the first virtual host encrypts the user data by using a preset second key to obtain second encrypted data; the first virtual host sends the second encrypted data to the second virtual host through the communication channel so that the second virtual host stores the second encrypted data.
Optionally, the processor may call the information stored in the memory and the application program through the transmission device to perform the following steps: the first virtual host receives a first encryption request sent by a second virtual host through a communication channel of a shared memory; the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain a first encryption keyword and request content, wherein the first key is used for realizing data security transmission between the user terminal and the first virtual host, and the second key is used for realizing data security storage; the first virtual host sends the first encryption key word and the request content to the second virtual host through a communication channel of the shared memory, wherein the second virtual host searches data according to the first encryption key word and screens second encryption data corresponding to the first encryption request from a search result according to the request content; the first virtual host receives second encrypted data sent by the second virtual host through a communication channel; the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the first virtual host sends the first encrypted data to the second virtual host through the communication channel.
By adopting the embodiment of the invention, a data interaction method based on a virtual host is provided, and a loading instruction is received; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on the physical hosts, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services. The first virtual host and the second virtual host are loaded on the physical host, so that the first virtual host and the second virtual host are in data connection, that is, the first virtual host provides a data protection method for encrypting and decrypting safety data for the second virtual host, so that the data safety of the second virtual host is protected, the data leakage is avoided, the aim of data interaction based on the virtual host is achieved, the technical effect of improving the safety of the data is achieved, and the technical problem of low safety of the data due to the data leakage is solved.
It will be appreciated by those skilled in the art that the configuration shown in fig. 17 is merely illustrative, and the computer terminal may be a smart phone (such as an Android phone, an iOS phone, etc.), a tablet computer, a palm-phone computer, a mobile internet device (Mobile Internet Devices, MID), a PAD, etc. Fig. 17 is not limited to the structure of the electronic device. For example, the computer terminal 17 may also include more or fewer components (such as a network interface, a display device, etc.) than shown in fig. 17, or have a different configuration than shown in fig. 17.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program for instructing a terminal device to execute in association with hardware, the program may be stored in a computer readable storage medium, and the storage medium may include: flash disk, read-Only Memory (ROM), random-access Memory (Random Access Memory, RAM), magnetic or optical disk, and the like.
Example 5
The embodiment of the invention also provides a storage medium. Alternatively, in this embodiment, the storage medium may be used to store the program code executed by the data interaction method based on the virtual host provided in the first embodiment.
Alternatively, in this embodiment, the storage medium may be located in any one of the computer terminals in the computer terminal group in the computer network, or in any one of the mobile terminals in the mobile terminal group.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: receiving a loading instruction; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on the physical hosts, wherein the first virtual host is connected with the second virtual host through data, the first virtual host is used for encrypting and decrypting the data, and the second virtual host is used for providing business services.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: the second virtual host receives the first encrypted data; the second virtual host sends the first encrypted data to the first virtual host through a communication channel of the shared memory; the second virtual host receives second encrypted data sent by the first virtual host through a communication channel, wherein the first virtual host decrypts the first encrypted data by using a preset first key to obtain user data, and encrypts the user data by using a preset second key to obtain second encrypted data; the second virtual host stores second encrypted data.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: the second virtual host receives the first encryption request; the second virtual host sends a first encryption request to the first virtual host through a communication channel of the shared memory; the second virtual host receives a first encryption keyword and request content sent by the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain the first encryption keyword and the request content; the second virtual host performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from the searching result according to the request content; the second virtual host sends second encrypted data to the first virtual host through a communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the second virtual host outputs the first encrypted data.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: the first virtual host receives first encrypted data sent by the second virtual host through a communication channel of the shared memory, and decrypts the first encrypted data by using a preset first key to obtain user data; the first virtual host encrypts the user data by using a preset second key to obtain second encrypted data; the first virtual host sends the second encrypted data to the second virtual host through the communication channel so that the second virtual host stores the second encrypted data.
Alternatively, in the present embodiment, the storage medium is configured to store program code for performing the steps of: the first virtual host receives a first encryption request sent by a second virtual host through a communication channel of a shared memory; the first virtual host encrypts and decrypts the first encryption request according to the first key and the second key to obtain a first encryption keyword and request content, wherein the first key is used for realizing data security transmission between the user terminal and the first virtual host, and the second key is used for realizing data security storage; the first virtual host sends the first encryption key word and the request content to the second virtual host through a communication channel of the shared memory, wherein the second virtual host searches data according to the first encryption key word and screens second encryption data corresponding to the first encryption request from a search result according to the request content; the first virtual host receives second encrypted data sent by the second virtual host through a communication channel; the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data; the first virtual host sends the first encrypted data to the second virtual host through the communication channel.
The foregoing embodiment numbers of the present invention are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present invention, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and the division of the units, such as the division of the units, is merely a logical function division, and may be implemented in another manner, for example, multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied essentially or in part or all of the technical solution or in part in the form of a software product stored in a storage medium, including instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely a preferred embodiment of the present invention and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present invention, which are intended to be comprehended within the scope of the present invention.

Claims (21)

1. A data interaction method based on a virtual host, comprising:
receiving a loading instruction;
according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on a physical host, wherein the first virtual host is in data connection with the second virtual host, the first virtual host is used for encrypting and decrypting data, and the second virtual host is used for providing business services;
the data connection between the first virtual host and the second virtual host comprises: the second virtual host receives first encrypted data; the second virtual host sends the first encrypted data to the first virtual host through a communication channel sharing a memory; the second virtual host receives second encrypted data sent by the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the first encrypted data according to a first key and a second key to obtain the second encrypted data, the first key is used for realizing data security transmission between a user and the first virtual host, and the second key is used for realizing data security storage; the second virtual host stores the second encrypted data.
2. The method of claim 1, wherein the first virtual host performing encryption and decryption processing on the first encrypted data according to a first key and a second key to obtain the second encrypted data comprises:
the first virtual host decrypts the first encrypted data by using the first key to obtain user data;
and the first virtual host encrypts the user data by using the second key to obtain the second encrypted data.
3. The method of claim 1, wherein the data connection between the first virtual host and the second virtual host comprises:
the second virtual host receives a first encryption request;
the second virtual host sends the first encryption request to the first virtual host through a communication channel sharing a memory;
the second virtual host receives a first encryption keyword and request content sent by the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain the first encryption keyword and the request content, the first key is used for realizing data security transmission between a user and the first virtual host, and the second key is used for realizing data security storage;
The second virtual host performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from a searching result according to the request content;
the second virtual host sends the second encrypted data to the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data;
the second virtual host outputs the first encrypted data.
4. The method of claim 3, wherein the first virtual host performing encryption and decryption processing on the first encryption request according to the first key and the second key to obtain the first encryption key and the request content includes:
the first virtual host decrypts the first encryption request by using the first key to obtain a request keyword and the request content;
and the first virtual host encrypts the request keyword by using the second key to obtain the first encrypted keyword.
5. The method of claim 3, wherein the first virtual host performing encryption and decryption processing on the second encrypted data according to the first key and the second key, to obtain first encrypted data includes:
The first virtual host decrypts the second encrypted data by using the second key to obtain user data;
and the first virtual host encrypts the user data by using the first key to obtain first encrypted data.
6. The method according to any one of claims 1 to 5, wherein the first key is a key that the user negotiates with the first virtual host in advance, and the second key is a preset unified key.
7. A data interaction method based on a virtual host, comprising:
the second virtual host receives the first encrypted data;
the second virtual host sends the first encrypted data to the first virtual host through a communication channel of the shared memory;
the second virtual host receives second encrypted data sent by the first virtual host through the communication channel, wherein the first virtual host decrypts the first encrypted data by using a preset first key, and encrypts the user data by using a preset second key after obtaining the user data to obtain second encrypted data;
the second virtual host stores the second encrypted data.
8. A data interaction method based on a virtual host, comprising:
the second virtual host receives the first encryption request;
the second virtual host sends the first encryption request to the first virtual host through a communication channel sharing the memory;
the second virtual host receives a first encryption keyword and request content sent by the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain the first encryption keyword and the request content;
the second virtual host performs data searching according to the first encryption keyword, and screens out second encryption data corresponding to the first encryption request from a searching result according to the request content;
the second virtual host sends the second encrypted data to the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data;
the second virtual host outputs the first encrypted data.
9. The method of claim 8, wherein the first virtual host performing encryption and decryption processing on the first encryption request according to the first key and the second key to obtain the first encryption key and the request content comprises:
the first virtual host decrypts the first encryption request by using the first key to obtain a request keyword and the request content;
and the first virtual host encrypts the request keyword by using the second key to obtain the first encrypted keyword.
10. The method of claim 8, wherein the first virtual host performing encryption and decryption processing on the second encrypted data according to the first key and the second key, to obtain first encrypted data comprises:
the first virtual host decrypts the second encrypted data by using the second key to obtain user data;
and the first virtual host encrypts the user data by using the first key to obtain the first encrypted data.
11. A data interaction method based on a virtual host, comprising:
the first virtual host receives first encrypted data sent by the second virtual host through a communication channel of the shared memory;
The first virtual host decrypts the first encrypted data by using a preset first key to obtain user data;
the first virtual host encrypts the user data by using a preset second key to obtain second encrypted data;
the first virtual host sends the second encrypted data to the second virtual host through the communication channel so that the second virtual host stores the second encrypted data.
12. A data interaction method based on a virtual host, comprising:
the first virtual host receives a first encryption request sent by a second virtual host through a communication channel of a shared memory;
the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain a first encryption keyword and request content, wherein the first key is used for realizing data security transmission between a user and the first virtual host, and the second key is used for realizing data security storage;
the first virtual host sends the first encryption key word and the request content to the second virtual host through the communication channel, wherein the second virtual host searches data according to the first encryption key word and screens out second encryption data corresponding to the first encryption request from a search result according to the request content;
The first virtual host receives the second encrypted data sent by the second virtual host through the communication channel;
the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data;
the first virtual host sends the first encrypted data to the second virtual host through the communication channel.
13. A computing device, comprising:
the input/output device is used for receiving a loading instruction;
the loading device is used for loading a first virtual host and a second virtual host on the physical host according to the loading instruction, wherein the first virtual host is in data connection with the second virtual host, the first virtual host is used for encrypting and decrypting data, and the second virtual host is used for providing business services; the data connection between the first virtual host and the second virtual host comprises: the second virtual host receives first encrypted data; the second virtual host sends the first encrypted data to the first virtual host through a communication channel sharing a memory; the second virtual host receives second encrypted data sent by the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the first encrypted data according to a first key and a second key to obtain the second encrypted data, the first key is used for realizing data security transmission between a user and the first virtual host, and the second key is used for realizing data security storage; the second virtual host stores the second encrypted data.
14. A data interaction device based on a virtual host, comprising:
the first receiving module is used for receiving the first encrypted data;
the sending module is used for sending the first encrypted data to the first virtual host through a communication channel of the shared memory;
the second receiving module is used for receiving second encrypted data sent by the first virtual host through the communication channel, wherein the first virtual host decrypts the first encrypted data by using a preset first key, and encrypts the user data by using a preset second key after obtaining the user data to obtain second encrypted data;
and the storage module is used for storing the second encrypted data.
15. A data interaction device based on a virtual host, comprising:
the first receiving module is used for receiving a first encryption request;
the first sending module is used for sending the first encryption request to the first virtual host through a communication channel of the shared memory;
the second receiving module is used for receiving a first encryption keyword and request content sent by the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the first encryption request according to a first key and a second key to obtain the first encryption keyword and the request content;
The screening module is used for searching data according to the first encryption keyword and screening second encryption data corresponding to the first encryption request from the searching result according to the request content;
the second sending module is used for sending the second encrypted data to the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the second encrypted data according to the first key and the second key to obtain first encrypted data;
and the return module is used for outputting the first encrypted data.
16. A data interaction device based on a virtual host, comprising:
the receiving module is used for receiving first encrypted data sent by the second virtual host through a communication channel of the shared memory;
the decryption module is used for decrypting the first encrypted data by using a preset first key to obtain user data;
the encryption module is used for encrypting the user data by using a preset second key to obtain second encrypted data;
and the sending module is used for sending the second encrypted data to the second virtual host through the communication channel so that the second virtual host stores the second encrypted data.
17. A data interaction device based on a virtual host, comprising:
the receiving module is used for receiving a first encryption request sent by the second virtual host through a communication channel of the shared memory;
the first processing module is used for encrypting and decrypting the first encryption request according to a first key and a second key to obtain a first encryption keyword and request content, wherein the first key is used for realizing data security transmission between a user and a first virtual host, and the second key is used for realizing data security storage;
the first sending module is used for sending the first encryption key word and the request content to the second virtual host through the communication channel, wherein the second virtual host performs data searching according to the first encryption key word and screens out second encryption data corresponding to the first encryption request from a searching result according to the request content;
the second sending module is used for receiving the second encrypted data sent by the second virtual host through the communication channel;
the second processing module is used for encrypting and decrypting the second encrypted data according to the first key and the second key to obtain first encrypted data;
And the third sending module is used for sending the first encrypted data to the second virtual host through the communication channel.
18. A data interaction system based on a virtual host, comprising:
the second virtual host is used for receiving the first encryption request;
the first virtual host is connected with the second virtual host through a communication channel of a shared memory and is used for receiving the first encryption request sent by the second virtual host through the communication channel, encrypting and decrypting the first encryption request according to a first key and a second key to obtain a first encryption keyword and request content, and sending the first encryption keyword and the request content to the second virtual host through the communication channel, wherein the first key is used for realizing data security transmission between a user and the first virtual host, and the second key is used for realizing data security storage;
the second virtual host performs data searching according to the first encryption keyword, screens out second encryption data corresponding to the first encryption request from a searching result according to the request content, sends the second encryption data to the first virtual host through the communication channel, and outputs first encryption data obtained by encrypting and decrypting the second encryption data by the first virtual host according to the first key and the second key.
19. A storage medium comprising a stored program, wherein the program, when run, controls a device on which the storage medium resides to perform the virtual host based data interaction method of any one of claims 1 to 12.
20. A processor for running a program, wherein the program when run performs a virtual host based data interaction method as claimed in any one of claims 1 to 12.
21. A computer terminal, comprising:
a processor; and
a memory, coupled to the processor, for providing instructions to the processor to process the following processing steps: receiving a loading instruction; according to the loading instruction, a first virtual host and a second virtual host are respectively loaded on a physical host, wherein the first virtual host is in data connection with the second virtual host, the first virtual host is used for encrypting and decrypting data, and the second virtual host is used for providing business services; the data connection between the first virtual host and the second virtual host comprises: the second virtual host receives first encrypted data; the second virtual host sends the first encrypted data to the first virtual host through a communication channel sharing a memory; the second virtual host receives second encrypted data sent by the first virtual host through the communication channel, wherein the first virtual host encrypts and decrypts the first encrypted data according to a first key and a second key to obtain the second encrypted data, the first key is used for realizing data security transmission between a user and the first virtual host, and the second key is used for realizing data security storage; the second virtual host stores the second encrypted data.
CN201810234873.7A 2018-03-21 2018-03-21 Data interaction method, device and system based on virtual host Active CN110297687B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810234873.7A CN110297687B (en) 2018-03-21 2018-03-21 Data interaction method, device and system based on virtual host

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810234873.7A CN110297687B (en) 2018-03-21 2018-03-21 Data interaction method, device and system based on virtual host

Publications (2)

Publication Number Publication Date
CN110297687A CN110297687A (en) 2019-10-01
CN110297687B true CN110297687B (en) 2023-05-30

Family

ID=68025436

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810234873.7A Active CN110297687B (en) 2018-03-21 2018-03-21 Data interaction method, device and system based on virtual host

Country Status (1)

Country Link
CN (1) CN110297687B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102289631A (en) * 2011-08-12 2011-12-21 无锡城市云计算中心有限公司 Method for realizing virtual safety computing environment
WO2016106566A1 (en) * 2014-12-30 2016-07-07 华为技术有限公司 Method, apparatus and system for encryption/decryption in virtualization system
CN105843669A (en) * 2016-03-21 2016-08-10 浪潮集团有限公司 TPM encryption based virtual machine data protection method
WO2017128720A1 (en) * 2016-01-27 2017-08-03 华为技术有限公司 Vtpm-based method and system for virtual machine security and protection

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3127300B1 (en) * 2014-05-12 2019-09-04 Google LLC Managing nic-encrypted flows for migrating guests or tasks
US10069626B2 (en) * 2016-02-23 2018-09-04 Red Hat, Inc. Multiple encryption keys for a virtual machine

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102289631A (en) * 2011-08-12 2011-12-21 无锡城市云计算中心有限公司 Method for realizing virtual safety computing environment
WO2016106566A1 (en) * 2014-12-30 2016-07-07 华为技术有限公司 Method, apparatus and system for encryption/decryption in virtualization system
WO2017128720A1 (en) * 2016-01-27 2017-08-03 华为技术有限公司 Vtpm-based method and system for virtual machine security and protection
CN105843669A (en) * 2016-03-21 2016-08-10 浪潮集团有限公司 TPM encryption based virtual machine data protection method

Also Published As

Publication number Publication date
CN110297687A (en) 2019-10-01

Similar Documents

Publication Publication Date Title
US11438176B2 (en) Mutually authenticated ECDHE key exchange for a device and a network using multiple PKI key pairs
CN110971398A (en) Data processing method, device and system
US9225696B2 (en) Method for different users to securely access their respective partitioned data in an electronic apparatus
US10230697B2 (en) User terminals, and methods and computer-readable recording mediums storing computer programs for transmitting and receiving messages
CN113382029B (en) File data processing method and device
CN110399717B (en) Key acquisition method and device, storage medium and electronic device
CN109862103B (en) File data secure sharing method and device based on block chain
CN109905474B (en) Data security sharing method and device based on block chain
CN112910869B (en) Method, device and storage medium for encrypting and decrypting data information
CN104507080A (en) File processing method and terminal
CN112822177B (en) Data transmission method, device, equipment and storage medium
CN103458400A (en) Key management method for voice encryption communication system
CN111427860B (en) Distributed storage system and data processing method thereof
CN111327605B (en) Method, terminal, server and system for transmitting private information
CN114637743A (en) Database operation method, system, storage medium and computer terminal
US11637704B2 (en) Method and apparatus for determining trust status of TPM, and storage medium
US10396989B2 (en) Method and server for providing transaction keys
CN108322464B (en) Key verification method and device
CN109756992B (en) Method, device and system for establishing network connection
CN112771815B (en) Key processing method and device
CN110297687B (en) Data interaction method, device and system based on virtual host
CN109600631B (en) Video file encryption and publishing method and device
CN113452513B (en) Key distribution method, device and system
CN116048716A (en) Direct storage access method and device and related equipment
US11870887B2 (en) Managing central secret keys of a plurality of user devices associated with a single public key

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant