CN113709113A - Cloud desktop security and credibility authentication method based on three-terminal separation design - Google Patents
Cloud desktop security and credibility authentication method based on three-terminal separation design
- Publication number: CN113709113A (application CN202110886369.7A)
- Authority: CN (China)
- Prior art keywords: client, virtual machine, server, cloud, user
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
Abstract
The invention relates to a secure and trusted authentication method for a cloud desktop based on a three-terminal separation design, comprising the following steps: the client starts, obtains the user's login information, generates a token in the session over a national-cryptography Secure Sockets Layer (SSL) connection, and sends a login request to the server; the server receives the login request sent by the client, queries a database encrypted with a national cryptographic algorithm, verifies the user's identity, and looks up all virtual machines owned by the user; the client sends the virtual machine selected by the user to the server as the login target; the server sends a connection request to the cloud and queries the remote connection information of that virtual machine; if the virtual machine is available for connection, the cloud returns its connection information to the server; the server sends the virtual machine's connection address, port and console password to the client; and the client starts the remote connection software with the information sent by the server and connects, so that the user can operate the virtual machine. The method can be used for the authentication process in cloud desktop scenarios.
Description
Technical Field
The invention relates to the fields of information security and cloud computing, in particular to a secure and trusted authentication method for a cloud desktop based on a three-terminal separation design.
Background
Cloud computing is a network technology in which a user obtains resources directly from a cloud network. Cloud desktop refers to a technology in which the cloud provides the computing and storage resources and generates virtual machines, and the user of each virtual machine connects to it on the cloud over the network from another remote device to receive a visual desktop video stream.
The cloud desktop is a solution that can replace a personal computer: a virtual machine in the cloud can be accessed remotely from any x86 or ARM device that has a visual graphical interface system. It addresses three kinds of problems. First, operation and maintenance difficulty: a cloud platform administrator can manage all virtual machines directly through the cloud platform, which greatly reduces the difficulty and improves the efficiency of operation and maintenance. Second, depending on requirements, the access device can be a thin terminal with low power consumption and low heat output, so the range of application is wider than that of an ordinary personal computer and it can be used where the environment is unsuitable for a personal computer. Third, the cloud platform uses a multi-copy redundant configuration, so security is higher than that of a personal computer. Cloud desktop connection technology is mature, and protocols such as SPICE, VNC and RDP can carry cloud desktop connections.
However, all three protocols have problems in the cloud desktop scenario. First, all three require the user to manually enter the IP address and port of the target to start the remote desktop connection, which makes the connection process cumbersome for ordinary users. Second, SPICE and VNC have only simple password authentication mechanisms and protect poorly against illegitimate external connections; in addition, when a remote device connects directly over these two protocols, the server port must be directly reachable, which carries a risk of address exposure. RDP is generally only suitable where both connecting parties run Windows, so its range of application is narrow.
The existing deployment methods include:
1) Deployment on the cloud platform and the client.
The user logs in to the web management interface of the cloud platform and manually obtains the protocol E1, the IP address E2 and the port number E3 from the virtual machine connection information E, and must already know the console password E4 of the virtual machine in advance.
2) Deployment on the client and the virtual machine.
The client does not connect to the virtual machine through the cloud platform but directly over the network. Each virtual machine must be on the same intranet as the client hardware.
3) Four-terminal deployment across the cloud platform, the server, the client and the virtual machine.
Four-terminal deployment is difficult to deploy.
Disclosure of Invention
The invention aims to provide a secure and trusted authentication method for a cloud desktop based on a three-terminal separation design. When a desktop virtual machine runs on a cloud platform, the method allows other devices to connect to the virtual machine remotely and transmit the visual graphical interface, USB and audio data streams, so that the user's identity, the legitimacy of the remote device used and the user's permissions are authenticated and managed during the remote connection process, laying a solid foundation for a secure and trusted cloud platform environment.
The invention provides a secure and trusted authentication method for a cloud desktop based on a three-terminal separation design, with the following communication flow among the client, the server and the cloud:
1) the client starts, obtains the user's login information, and generates a token in the session through an SSL-encrypted data packet as specified by GM/T0024-;
2) the server receives the login request sent by the client, queries a database encrypted with a national cryptographic algorithm, verifies the user's identity, and looks up all virtual machines owned by the user; if identity verification fails, the communication flow ends; if it passes, the names of all virtual machines owned by the user are returned to the client;
3) the client sends the virtual machine selected by the user to the server as the login target;
4) the server sends a connection request to the cloud and queries the remote connection information of the virtual machine;
5) if the virtual machine is available for connection, the cloud returns its connection information to the server;
6) the server sends the virtual machine's connection address, port and console password to the client;
7) the client starts the remote connection software with the address, port and console password sent by the server and connects, so that the user can operate the virtual machine.
Further, step 2) comprises:
after verifying that the login credentials are correct, the server returns an access token and the list of virtual machines available to the user to the client, so that the user can select one of the virtual machines on the client.
Further, step 3) comprises:
the client carries the access token and initiates a connection request to the server for the selected virtual machine.
Further, step 4) comprises:
the server initiates a login request to the cloud with its legitimate login credentials, and the cloud returns an access token to the server; the server then carries that access token to request the connection information of the selected virtual machine from the cloud.
With this scheme, the secure and trusted authentication method for a cloud desktop based on a three-terminal separation design improves the security of the whole authentication method: throughout the process, except for the final connection step, the client does not connect to the cloud but communicates through the server. The cloud opens only the virtual machine's connection port to the client and no other ports. This first reduces the load on the cloud management port, and means the client holds no authentication information for the cloud management port and cannot log in to the cloud; the sensitive cloud management port is opened only to the legitimate server. Second, the client does not store the connection address, port number or console password required for the virtual machine connection; these three items can only be obtained from the server through a legitimate authentication procedure, so a client separated from the server cannot connect to the virtual machine. The server can also perform multi-factor authentication when the client logs in, ensuring that the connecting client is a legitimate user. Together these measures ensure the security and trustworthiness of the authentication method.
The foregoing description is only an overview of the technical solutions of the present invention, and in order to make the technical solutions of the present invention more clearly understood and to implement them in accordance with the contents of the description, the following detailed description is given with reference to the preferred embodiments of the present invention and the accompanying drawings.
Drawings
FIG. 1 is a diagram of a network arrangement in one embodiment of the invention;
FIG. 2 is a flow chart of the three-terminal communication exchange of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
The invention adopts a C/S architecture, and three terminals exist in the designed model.
(1) The first terminal is the device used by the user, referred to simply as the client in this embodiment. It sends requests to the server to apply for the virtual machine's connection address and then performs the connection; it is the C side of the C/S architecture.
(2) The second terminal is the server that provides services to the client, referred to as the server in this embodiment. It receives the connection request sent by the client, verifies the user's identity and the client's legitimacy against its own database, sends a request to the cloud for the corresponding information, and finally sends the connection information to the client; it is the S side of the C/S architecture.
(3) The third terminal is the management node of the cloud service cluster. This node accepts requests only from the server, verifies the server's identity, and replies to the server.
This embodiment provides a secure and trusted authentication method for a cloud desktop based on a three-terminal separation design, in which the communication flow among the client, the server and the cloud is as follows:
1. The client starts, the user enters the login information, and the client encrypts the data packet through SSL as specified by GM/T0024-.
2. The server receives the login request sent by the client, queries the database encrypted with the national cryptographic algorithm, verifies the user's identity, and looks up all virtual machines owned by the user. If verification fails, the communication flow ends; if it passes, the names of all virtual machines owned by the user are returned to the client.
3. The user selects the virtual machine to log in to through the client, and the client sends the selection to the server.
4. The server sends a connection request to the cloud and queries the remote connection information of the virtual machine.
5. If the virtual machine is available for connection, the cloud returns its connection information to the server.
6. The server sends the virtual machine's connection address, port and console password to the client.
7. The client starts the remote connection software with the address, port and console password sent by the server and connects.
In one embodiment, a three-terminal communication exchange flow is shown in fig. 2.
The secure and trusted authentication method for a cloud desktop based on a three-terminal separation design improves the security of the whole authentication method: throughout the process, except for the final connection step, the client does not connect to the cloud but communicates through the server. The cloud opens only the virtual machine's connection port to the client and no other ports. This first reduces the load on the cloud management port, and means the client holds no authentication information for the cloud management port and cannot log in to the cloud; the sensitive cloud management port is opened only to the legitimate server. Second, the client does not store the connection address, port number or console password required for the virtual machine connection; these three items can only be obtained from the server through a legitimate authentication procedure, so a client separated from the server cannot connect to the virtual machine. The server can also perform multi-factor authentication when the client logs in, ensuring that the connecting client is a legitimate user. Together these measures ensure the security and trustworthiness of the authentication method.
Referring to FIG. 1, in one embodiment the network is arranged in two layers forming two independent network segments: the first layer is an internet environment and the second layer is a local area network environment, each on its own independent segment. The client and the server sit in the local area network environment on an independent LAN segment and cannot reach the internet environment directly. The cloud platform server is attached to both the local area network environment and the internet environment. The virtual machines run on the cloud platform server and are attached to the internet environment. The cloud platform server has network security devices on both its local area network side and its internet side.
In the scenario of an office computer on the external network, the three-terminal separation authentication method of the invention works as follows:
1) User A opens client A, enters the correct login credentials and clicks to log in. Client A then initiates a login request to server B.
2) After verifying that the login credentials are correct, server B returns an access token Ta and the list of virtual machines available to user A to client A. User A selects one of them, virtual machine C.
3) Client A carries the access token Ta and initiates a connection request for virtual machine C to server B.
4) Server B first initiates a login request to cloud platform D with its legitimate login credentials, and cloud platform D returns an access token Tb to server B.
5) Server B carries the access token Tb to request the connection information E of virtual machine C from cloud platform D; E comprises the protocol E1, the IP address E2, the port number E3 and the console password E4.
6) Cloud platform D returns the connection information E to server B.
7) Server B returns the connection information E to client A.
8) Client A starts the remote control software and uses the connection information E to initiate a connection to virtual machine C on cloud platform D.
9) The connection is established, and user A can operate the virtual machine.
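The scenario above, modelled as a constructed Python simulation that is not part of the patent: server B is the only party holding a cloud credential, client A holds nothing but Ta, and the connection information E is released only to a valid session for a virtual machine the user owns. All names, secrets and addresses are made up, and the token checks are one plausible way to implement the flow, not the patent's own.

```python
# Constructed simulation of the three-terminal flow (A, B, D, Ta, Tb, E); not the patent's own code.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionInfo:      # E: protocol E1, address E2, port E3, console password E4
    protocol: str
    address: str
    port: int
    console_password: str


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CloudPlatform:
    """D: management node; answers only a server that presents a valid Tb."""
    def __init__(self, server_id, server_secret, vms):
        self._server_id, self._secret_hash = server_id, hash_password(server_secret, b"D")
        self._vms = vms            # name -> (ConnectionInfo, available?)
        self._tokens = set()       # issued Tb values

    def login(self, server_id, server_secret):               # step 4
        if server_id != self._server_id or not hmac.compare_digest(
                hash_password(server_secret, b"D"), self._secret_hash):
            raise PermissionError("cloud: server login rejected")
        tb = secrets.token_urlsafe(32)
        self._tokens.add(tb)
        return tb

    def connection_info(self, tb, vm_name):                  # step 5
        if tb not in self._tokens:
            raise PermissionError("cloud: invalid Tb")
        info, available = self._vms[vm_name]
        return info if available else None                   # None: VM not connectable


class Server:
    """B: verifies the user, holds the only cloud credential, brokers E to A."""
    def __init__(self, cloud, cloud_id, cloud_secret, users):
        self._cloud, self._cloud_id, self._cloud_secret = cloud, cloud_id, cloud_secret
        self._users = users        # user -> (salt, password hash, owned VM names)
        self._sessions = {}        # Ta -> user

    def login(self, user, password):                         # steps 1-2
        salt, pw_hash, vms = self._users.get(user, (b"", b"", []))
        if not hmac.compare_digest(hash_password(password, salt), pw_hash):
            raise PermissionError("server: bad credentials")
        ta = secrets.token_urlsafe(32)
        self._sessions[ta] = user
        return ta, list(vms)

    def connect(self, ta, vm_name):                          # steps 3-6
        user = self._sessions.get(ta)
        if user is None:
            raise PermissionError("server: invalid Ta")
        if vm_name not in self._users[user][2]:
            raise PermissionError("server: user does not own this VM")
        tb = self._cloud.login(self._cloud_id, self._cloud_secret)
        return self._cloud.connection_info(tb, vm_name)


class Client:
    """A: holds only Ta; has no cloud credential and no E until step 6."""
    def __init__(self, server):
        self._server, self.ta = server, None

    def login(self, user, password):
        self.ta, vms = self._server.login(user, password)
        return vms

    def open_desktop(self, vm_name):                         # step 7
        info = self._server.connect(self.ta, vm_name)        # real client launches SPICE/VNC/RDP
        return "vm unavailable" if info is None else f"{info.protocol}://{info.address}:{info.port}"


def run_scenario():
    vm_c = ConnectionInfo("spice", "203.0.113.10", 5900, "constructed-pw-1")
    vm_x = ConnectionInfo("vnc", "203.0.113.11", 5901, "constructed-pw-2")
    cloud = CloudPlatform("server-b", "constructed-secret",
                          {"vm-c": (vm_c, True), "vm-x": (vm_x, True), "vm-off": (vm_c, False)})
    users = {"user-a": (b"salt", hash_password("correct horse", b"salt"), ["vm-c", "vm-off"])}
    server = Server(cloud, "server-b", "constructed-secret", users)   # user-a owns vm-c, vm-off
    client = Client(server)
    out = {"vms": client.login("user-a", "correct horse")}
    out["ok"], out["off"] = client.open_desktop("vm-c"), client.open_desktop("vm-off")
    for key, attempt in (("foreign", lambda: server.connect(client.ta, "vm-x")),  # VM not owned
                         ("forged", lambda: server.connect("forged-Ta", "vm-c")),  # bad Ta
                         ("direct", lambda: cloud.login("client-a", "guess"))):   # A talks to D
        try:
            attempt()
            out[key] = "allowed"
        except PermissionError as exc:
            out[key] = str(exc)
    return out
```

`run_scenario()` returns the happy-path result for vm-c, the "unavailable" answer for a powered-off VM, and the three rejections (VM not owned, forged Ta, client trying the cloud management interface directly).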
The invention has the following technical effects:
1. In the communication between the client and the server and between the server and the cloud, a token mechanism maintains the session instead of a cookie-based session, which reduces the load on the server and the cloud.
2. Communication between each pair of nodes uses SSL encrypted with the national cryptographic algorithms. The algorithms themselves do not define SSL encryption rules, but an SSL protocol encrypted with them is specified in the GM/T0024-2014 SSL VPN technical specification standard.
3. The database is encrypted with the national cryptographic algorithm.
4. Compared with deployment on the two ends of the cloud platform and the client, in the three-terminal separation authentication mode the user does not need to know the console password E4 or the login information of the cloud platform web management interface. This avoids ordinary users logging in to the cloud platform management interface and makes it convenient to change the virtual machine console password; it also solves the problem that the cloud platform reallocates the port number each time the virtual machine restarts, changing the connection information and causing connection failures.
5. Compared with the two-end deployment of the client and the virtual machine, the three-terminal separation method uses a different connection principle: in the two-end deployment the client does not connect to the virtual machine through the cloud platform but directly over the network, so each virtual machine must be on the same intranet as the client hardware.
6. Compared with the four-end deployment of the cloud platform, the server, the client and the virtual machines, the three-terminal deployment does not require connection software to be deployed separately in each virtual machine, which eases maintenance and debugging. The video stream and control stream transmitted for remote control are both managed by the cloud platform, which facilitates unified scheduling and optimization, and compared with the four-end deployment method the virtual machine performs better under the same computing resources, improving the user experience. Specifically:
In the four-terminal deployment mode, first, components of the remote control connection software must be deployed inside the virtual machine, which increases the difficulty of deploying, maintaining and debugging the whole cloud desktop system. Second, the connection software component inside the virtual machine must be invoked during use, and the video and control streams of the remote control session pass through that component into the virtual machine, consuming the virtual machine's computing resources. Third, four-terminal deployment requires that the virtual machine be started and that the connection software inside it be running normally during the connection process; otherwise the virtual machine cannot respond to the connection request.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, it should be noted that, for those skilled in the art, many modifications and variations can be made without departing from the technical principle of the present invention, and these modifications and variations should also be regarded as the protection scope of the present invention.
Claims (4)
1. A secure and trusted authentication method for a cloud desktop based on a three-terminal separation design, characterized in that the communication flow among a client, a server and a cloud is as follows:
1) the client starts, obtains the user's login information, and generates a token in the session through an SSL-encrypted data packet as specified by GM/T0024-;
2) the server receives the login request sent by the client, queries a database encrypted with a national cryptographic algorithm, verifies the user's identity, and looks up all virtual machines owned by the user; if identity verification fails, the communication flow ends; if it passes, the names of all virtual machines owned by the user are returned to the client;
3) the client sends the virtual machine selected by the user to the server as the login target;
4) the server sends a connection request to the cloud and queries the remote connection information of the virtual machine;
5) if the virtual machine is available for connection, the cloud returns its connection information to the server;
6) the server sends the virtual machine's connection address, port and console password to the client;
7) the client starts the remote connection software with the address, port and console password sent by the server and connects, so that the user can operate the virtual machine.
2. The secure and trusted authentication method for a cloud desktop based on a three-terminal separation design according to claim 1, wherein step 2) comprises:
after verifying that the login credentials are correct, the server returns an access token and the list of virtual machines used by the user to the client, so that the user can select one of the virtual machines on the client.
3. The secure and trusted authentication method for a cloud desktop based on a three-terminal separation design according to claim 2, wherein step 3) comprises:
the client carries the access token and initiates a connection request to the server for the selected virtual machine.
4. The secure and trusted authentication method for a cloud desktop based on a three-terminal separation design according to claim 3, wherein step 4) comprises:
the server initiates a login request to the cloud with legitimate login credentials, and the cloud returns an access token to the server; the server then carries that access token to request the connection information of the selected virtual machine from the cloud.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110886369.7A CN113709113A (en) | 2021-08-03 | 2021-08-03 | Cloud desktop security and credibility authentication method based on three-terminal separation design |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113709113A true CN113709113A (en) | 2021-11-26 |
Family
ID=78651371
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110886369.7A Pending CN113709113A (en) | 2021-08-03 | 2021-08-03 | Cloud desktop security and credibility authentication method based on three-terminal separation design |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113709113A (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104144172A (en) * | 2013-05-06 | 2014-11-12 | 上海宏第网络科技有限公司 | Cloud platform system and method based on desktop virtualization technology |
CN104580496A (en) * | 2015-01-22 | 2015-04-29 | 深圳先进技术研究院 | Virtual machine visit system and server based on temporary agent |
CN105187362A (en) * | 2014-06-23 | 2015-12-23 | 中兴通讯股份有限公司 | Method and device for connection authentication between desktop cloud client and server-side |
CN107332808A (en) * | 2016-04-29 | 2017-11-07 | 中兴通讯股份有限公司 | A kind of method, server and the terminal of the certification of cloud desktop |
2021
- 2021-08-03 CN CN202110886369.7A patent/CN113709113A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116483505A (en) * | 2023-05-08 | 2023-07-25 | 江苏云之遥信息科技有限公司 | Intelligent multifunctional cloud desktop system |
CN116483505B (en) * | 2023-05-08 | 2024-03-19 | 江苏云之遥信息科技有限公司 | Intelligent multifunctional cloud desktop system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20211126 |