[go: up one dir, main page]

CN108021801B - Virtual desktop-based anti-leakage method, server and storage medium - Google Patents

Virtual desktop-based anti-leakage method, server and storage medium Download PDF

Info

Publication number
CN108021801B
CN108021801B CN201711161477.8A CN201711161477A CN108021801B CN 108021801 B CN108021801 B CN 108021801B CN 201711161477 A CN201711161477 A CN 201711161477A CN 108021801 B CN108021801 B CN 108021801B
Authority
CN
China
Prior art keywords
usb
user terminal
server
protocol
preset
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711161477.8A
Other languages
Chinese (zh)
Other versions
CN108021801A (en
Inventor
郭炳梁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN201711161477.8A priority Critical patent/CN108021801B/en
Publication of CN108021801A publication Critical patent/CN108021801A/en
Application granted granted Critical
Publication of CN108021801B publication Critical patent/CN108021801B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/42User authentication using separate channels for security data
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a virtual desktop-based anti-leakage method, a server and a storage medium. The server receives a first USB protocol instruction sent by a user terminal, analyzes the first USB protocol instruction to obtain the USB read operation, sends the USB read operation to the user terminal, so that the user terminal reads and feeds back first target data to the server from a USB storage device according to the USB read operation, decrypts the first target data according to a preset secret key, and obtains decrypted first plaintext data. The invention better overcomes the compatibility problem with third-party software by completing the decryption operation of the first target data in the protocol layer and realizing the encryption and decryption of the peripheral data compared with the method of installing the encryption and decryption plug-in the VM, thereby overcoming the technical problem that the compatibility of the encryption and decryption operation of the peripheral data cannot be better ensured in the current VDI scene.

Description

Virtual desktop-based anti-leakage method, server and storage medium
Technical Field
The invention relates to the field of desktop virtualization, in particular to a virtual desktop-based anti-leakage method, a server and a storage medium.
Background
With the continuous development of Virtual Desktop technology, more and more companies complete the construction of internal office resources of the companies through the Virtual Desktop technology, for a specific implementation mode, a Desktop operating system can be run in a server of a data center, and a user is connected with remote desktops through a transmission protocol of client equipment, so that the user can access the desktops just like accessing a traditional local Desktop, which is referred to as a Virtual Desktop Infrastructure (VDI) in the industry.
However, in a VDI scenario, if a peripheral device is used on a local computer, data security of the peripheral device needs to be ensured, and currently, data security of the peripheral device is protected, and a related plug-in is often installed in a Virtual Machine (VM), for example, a management and control driver is used to limit read and write operations, and a file filter driver is used to perform encryption and decryption operations on data. However, the way of installing the driver plug-in the VM is inconvenient to deploy and is very prone to software compatibility problems, such as conflict with third-party software. Therefore, the technical problem that the compatibility of the encryption and decryption operations for peripheral data cannot be well guaranteed exists in the current VDI scenario.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a virtual desktop-based anti-leakage method, a server and a storage medium, and aims to solve the technical problem that the compatibility of encryption and decryption operations on peripheral data cannot be better ensured in the current VDI scene in the prior art.
In order to achieve the above object, the present invention provides a virtual desktop-based anti-leakage method, including the following steps:
the method comprises the steps that a server receives a first USB protocol instruction sent by a user terminal, the first USB protocol instruction is obtained by packaging a USB read operation input by a user through a preset USB transmission protocol by the user terminal, and the user terminal is accessed to the server through a virtual desktop technology;
analyzing the first USB protocol instruction to obtain the USB read operation;
sending the USB reading operation to a user terminal so that the user terminal reads and feeds back first target data to the server from USB storage equipment according to the USB reading operation, wherein the USB storage equipment is connected with the user terminal;
and decrypting the first target data according to a preset secret key to obtain decrypted first plaintext data.
Preferably, the analyzing the first USB protocol instruction to obtain the USB read operation specifically includes:
and analyzing the first USB protocol instruction under a preset virtual machine simulator to obtain the USB read operation.
Preferably, the receiving, by the server, the first USB protocol instruction sent by the user terminal specifically includes:
the server receives a first USB protocol instruction and a partition table sent by a user terminal;
correspondingly, the sending the USB read operation to the user terminal so that the user terminal reads and feeds back the first target data from the USB storage device to the server according to the USB read operation specifically includes:
and determining a data address corresponding to the USB read operation according to the partition table, and sending the data address to a user terminal so that the user terminal reads first target data corresponding to the data address from USB storage equipment and sends the first target data to the server.
Preferably, the receiving, by the server, the first USB protocol instruction sent by the user terminal specifically includes:
the server receives a first USB protocol instruction and a user identifier sent by a user terminal;
correspondingly, before the analyzing the first USB protocol command and obtaining the USB read operation, the method further includes:
matching the user identification with each preset authorized user identification;
and when the matching is successful, executing the step of analyzing the first USB protocol instruction.
Preferably, before the analyzing the first USB protocol command and obtaining the USB read operation, the method further includes:
matching the preset USB transmission protocol with each preset support protocol;
and when the matching is successful, executing the step of analyzing the first USB protocol instruction.
Preferably, before the server receives a first USB protocol instruction sent by a user terminal, and the first USB protocol instruction is obtained by the user terminal by encapsulating a USB read operation input by a user with a preset USB transport protocol, the method further includes:
the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, wherein the second USB protocol instruction is obtained by packaging a USB write operation input by a user through the preset USB transmission protocol by the user terminal;
analyzing the second USB protocol instruction to obtain the USB write operation;
encrypting the second plaintext data according to the preset key to obtain encrypted second target data;
and sending the USB write operation and the second target data to the user terminal so that the user terminal writes the second target data in the USB storage equipment according to the USB write operation.
Preferably, before the decrypting the first target data according to the preset key to obtain the decrypted first plaintext data, the method further includes:
and generating a preset key and storing the preset key to the local to realize decryption of the first target data according to the preset key.
In addition, to achieve the above object, the present invention also provides a server, including: the system comprises a memory, a processor and a virtual desktop-based anti-compromise program stored on the memory and operable on the processor, wherein the virtual desktop-based anti-compromise program is configured to realize the steps of the virtual desktop-based anti-compromise method.
In addition, in order to achieve the above object, the present invention further provides a storage medium, where a virtual desktop-based anti-compromise program is stored, and when executed by a processor, the virtual desktop-based anti-compromise program implements the steps of the virtual desktop-based anti-compromise method.
In the invention, the first USB protocol instruction is analyzed and the decryption operation of the first target data is completed in the protocol layer, and compared with the method of installing the encryption and decryption plug-in the VM to realize the encryption and decryption of the peripheral data, the method better overcomes the compatibility problem with third-party software, thereby overcoming the technical problem that the compatibility of the encryption and decryption operation of the peripheral data cannot be better ensured in the current VDI scene.
Drawings
FIG. 1 is a schematic diagram of a server architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of a method for preventing disclosure based on a virtual desktop according to the present invention;
FIG. 3 is a flowchart illustrating a second embodiment of the virtual desktop-based anti-disclosure method according to the present invention;
FIG. 4 is a flowchart illustrating a third embodiment of a method for preventing disclosure based on a virtual desktop according to the present invention;
fig. 5 is a flowchart illustrating a fourth embodiment of the disclosure method based on a virtual desktop.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic diagram of a server structure of a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the server may include: a processor 1001, such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may comprise a Display screen (Display), and the optional user interface 1003 may also comprise a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
The server may be a physical device providing computing services, and is used to implement business computation, data storage or data exchange, and the like. And a data center is built through the server, the network equipment and other equipment, and a virtual desktop technology is operated based on the data center, so that the user terminal can access the server through the virtual desktop technology to realize desktop virtualization of the user terminal. The user terminal can be an electronic device such as a personal computer, generally, a plurality of VMs are operated in the server, and one user terminal can access one VM in the server to realize desktop virtualization of the current user terminal, so that not only is the configuration requirement of the local user terminal reduced, but also the safety of the user in using computing resources and storage resources is improved, and meanwhile, the operation and maintenance personnel can conveniently and uniformly manage the whole resources of the data center.
Those skilled in the art will appreciate that the architecture shown in FIG. 1 does not constitute a limitation of a server, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a virtual desktop-based anti-disclosure program.
In the server shown in fig. 1, the network interface 1004 is mainly used for connecting other servers and performing data communication with the other servers; the user interface 1003 is mainly used for connecting a user terminal and performing data communication with the user terminal; the server calls, through the processor 1001, a virtual desktop based anti-compromise program stored in the memory 1005, and performs the following operations:
the method comprises the steps that a server receives a first USB protocol instruction sent by a user terminal, the first USB protocol instruction is obtained by packaging a USB read operation input by a user through a preset USB transmission protocol by the user terminal, and the user terminal is accessed to the server through a virtual desktop technology;
analyzing the first USB protocol instruction to obtain the USB read operation;
sending the USB reading operation to a user terminal so that the user terminal reads and feeds back first target data to the server from USB storage equipment according to the USB reading operation, wherein the USB storage equipment is connected with the user terminal;
and decrypting the first target data according to a preset secret key to obtain decrypted first plaintext data.
Further, the processor 1001 may call the virtual desktop based anti-compromise program stored in the memory 1005, and also perform the following operations:
and analyzing the first USB protocol instruction under a preset virtual machine simulator to obtain the USB read operation.
Further, the processor 1001 may call the virtual desktop based anti-compromise program stored in the memory 1005, and also perform the following operations:
the server receives a first USB protocol instruction and a partition table sent by a user terminal;
accordingly, the following operations are also performed:
and determining a data address corresponding to the USB read operation according to the partition table, and sending the data address to a user terminal so that the user terminal reads first target data corresponding to the data address from USB storage equipment and sends the first target data to the server.
Further, the processor 1001 may call the virtual desktop based anti-compromise program stored in the memory 1005, and also perform the following operations:
the server receives a first USB protocol instruction and a user identifier sent by a user terminal;
accordingly, the following operations are also performed:
matching the user identification with each preset authorized user identification;
and when the matching is successful, executing the step of analyzing the first USB protocol instruction.
Further, the processor 1001 may call the virtual desktop based anti-compromise program stored in the memory 1005, and also perform the following operations:
matching the preset USB transmission protocol with each preset support protocol;
and when the matching is successful, executing the step of analyzing the first USB protocol instruction.
Further, the processor 1001 may call the virtual desktop based anti-compromise program stored in the memory 1005, and also perform the following operations:
the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, wherein the second USB protocol instruction is obtained by packaging a USB write operation input by a user through the preset USB transmission protocol by the user terminal;
analyzing the second USB protocol instruction to obtain the USB write operation;
encrypting the second plaintext data according to the preset key to obtain encrypted second target data;
and sending the USB write operation and the second target data to the user terminal so that the user terminal writes the second target data in the USB storage equipment according to the USB write operation.
Further, the processor 1001 may call the virtual desktop based anti-compromise program stored in the memory 1005, and also perform the following operations:
and generating a preset key and storing the preset key to the local to realize decryption of the first target data according to the preset key.
In this embodiment, the first USB protocol instruction is analyzed and the decryption operation of the first target data is completed in the protocol layer, and compared with the case where an encryption/decryption plug-in is installed in the VM to implement encryption/decryption of peripheral data, the problem of compatibility with third-party software is better solved, so that the technical problem that the compatibility of the encryption/decryption operation of the peripheral data cannot be better guaranteed in the current VDI scenario is solved.
Based on the hardware structure, the embodiment of the anti-leakage method based on the virtual desktop is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a first embodiment of a method for preventing disclosure based on a virtual desktop according to the present invention.
In a first embodiment, the virtual desktop-based anti-disclosure method includes the following steps:
step S10: the method comprises the steps that a server receives a first USB protocol instruction sent by a user terminal, the first USB protocol instruction is obtained by packaging a USB read operation input by a user through a preset USB transmission protocol by the user terminal, and the user terminal is accessed to the server through a virtual desktop technology;
it is understood that the user terminal may be a thin client under the VDI architecture, the thin client is a device with relatively low performance and power consumption for accessing a VDI desktop, such as a personal computer, and the user terminal may only display a graph of a desktop operating system without installing desktop software to be used. When a user terminal uses a Universal Serial bus Device (USB Mass Storage Class Device), for example, a USB disk and a mobile hard disk are common, when the user terminal uses a VDI architecture, the user terminal cannot directly obtain data in the USB Storage Device, wherein the operation of reading or writing data is handed to the server for processing; the server may be a server carrying VDI under a VDI architecture, and the server runs the VM associated with each user terminal, so most of the calculation and operation are performed in the server, and the user terminal mainly plays a role in display and input operation, which is not limited in this embodiment.
In a specific implementation, when a USB storage device is accessed in a user terminal, for example, a USB disk is accessed in a local thin client, and when a user reads data in the USB disk, the user may perform data copying or pasting locally, but in a VDI architecture scenario, the user cannot directly obtain target data. The user terminal encapsulates the USB read operation input by the user through a preset USB transmission Protocol to obtain a first USB Protocol instruction, and the step is completed at the bottom layer of the system, wherein the preset USB transmission Protocol can be Bulk-Only Transport (BOT) Protocol and USB Attached SCSI Protocol (USAP) Protocol, and the USAP Protocol is a USB storage type transmission Protocol supported by the equipment above USB 3.0. And after the user terminal obtains the first USB protocol instruction, the first USB protocol instruction is sent to the server so as to finally obtain the data in the USB storage device.
Step S20: analyzing the first USB protocol instruction to obtain the USB read operation;
it should be understood that, when the server obtains the first USB protocol instruction, the server parses the first USB protocol instruction according to the preset USB transmission protocol, so as to obtain a USB read operation before encapsulation. Although data transmission based on a transmission protocol is a common method when using a USB storage device, in this embodiment, a USB read operation is encapsulated and analyzed through a preset USB transmission protocol, and the USB read operation is used to read data in subsequent steps, that is, it indicates that the whole steps are all implemented in a protocol layer. In other words, the encryption and decryption operations are implemented by replacing the Guest OS layer with a virtual machine simulator, such as a QEMU, so that the first USB protocol command is parsed by a preset virtual machine simulator in the server to obtain the USB read operation.
It can be understood that, since the acquisition of the read operation and the encryption and decryption operations in the subsequent operations are both implemented in the underlying protocol layer, the problem of compatibility with third-party software is overcome, and the implementation of encryption and decryption naturally does not conflict with the third-party software in the application layer.
Step S30: sending the USB reading operation to a user terminal so that the user terminal reads and feeds back first target data to the server from USB storage equipment according to the USB reading operation, wherein the USB storage equipment is connected with the user terminal;
it should be understood that after the server obtains the USB read operation, which is the operation information for reading the first target data input by the user, the server will send the USB read operation back to the user terminal. And when the user terminal obtains the USB read operation, reading data from the USB storage equipment according to the USB read operation, and acquiring first target data. The first target data is encrypted data, and in order to ensure the security of the USB storage device, the data content in the USB storage device is to be stored in an encrypted form.
Step S40: and decrypting the first target data according to a preset secret key to obtain decrypted first plaintext data.
It can be understood that, after the encrypted data is obtained, in order to enable the user to conveniently identify the data content and complete the encryption and decryption operations of the data, the first target data is decrypted according to the preset key to obtain decrypted first plaintext data. The first plaintext data is obtained by decrypting the first target data. Furthermore, step S40 is also implemented in the protocol layer, so that the first target data can be decrypted by the preset virtual machine simulator according to the preset key, and the decrypted first plaintext data is obtained. It is easy to understand that both steps S20 and S40 are performed in the virtual machine simulator, and by performing actions at the underlying protocol layer, conflicts with other software can be better reduced, and there is no limitation on the specific encryption and decryption algorithm used.
In this embodiment, the first USB protocol instruction is analyzed and the decryption operation of the first target data is completed in the protocol layer, and compared with the case where an encryption/decryption plug-in is installed in the VM to implement encryption/decryption of peripheral data, the problem of compatibility with third-party software is better solved, so that the technical problem that the compatibility of the encryption/decryption operation of the peripheral data cannot be better guaranteed in the current VDI scenario is solved.
Referring to fig. 3, fig. 3 is a flowchart illustrating a second embodiment of the virtual desktop-based anti-leakage method according to the present invention, and the second embodiment of the virtual desktop-based anti-leakage method according to the present invention is proposed based on the embodiment illustrated in fig. 2.
In the second embodiment, the step S10 specifically includes:
step S10': the method comprises the steps that a server receives a first USB protocol instruction and a partition table sent by a user terminal, the first USB protocol instruction is obtained by packaging a USB read operation input by a user through a preset USB transmission protocol by the user terminal, and the user terminal is accessed to the server through a virtual desktop technology;
it can be understood that, in this embodiment, the server will receive the partition table sent by the user terminal, and this embodiment does not limit this to the time sequence in which the server receives the first USB protocol command and receives the partition table. Therefore, before the server receives the first USB protocol instruction sent by the user terminal, the partition table can be received in advance, so that the data address can be determined in the subsequent operation, and the operation efficiency can be improved.
The Partition Table is used for dividing data of a large Table into a plurality of small subsets, and the Partition Table has a plurality of types, such as a Master Boot Record (MBR) Partition Table, a global unique identification (GUID Partition Table, GPT) Partition Table, and the like. The partition table is used for realizing sequential reading and writing of data in the USB storage device, and when the partition table is abnormal or lost, USB reading and writing operation of the data in the USB storage device cannot be realized.
The step S30 specifically includes:
step S30': determining a data address corresponding to the USB read operation according to the partition table, and sending the data address to a user terminal so that the user terminal reads first target data corresponding to the data address from a USB storage device, and sends the first target data to the server, wherein the USB storage device is a storage device connected with the user terminal;
it should be appreciated that after the partition table and USB read operations are acquired, normal reading of data may be achieved based on the partition table. The data address pointed by the USB read operation can be accurately determined according to the partition table and the USB read operation, and the data address is sent to the USB storage device, so that the first target data corresponding to the data address can be read.
In this embodiment, the data address to be read is determined according to the partition table and the USB read operation, so that the user terminal can smoothly read the first target data.
Referring to fig. 4, fig. 4 is a flowchart illustrating a third embodiment of the disclosure of a virtual desktop-based anti-disclosure method, and a third embodiment of the disclosure of the virtual desktop-based anti-disclosure method is proposed based on the embodiment shown in fig. 2.
In the third embodiment, the step S10 specifically includes:
step S101: the method comprises the steps that a server receives a first USB protocol instruction and a user identifier sent by a user terminal, the first USB protocol instruction is obtained by packaging a USB read operation input by a user through a preset USB transmission protocol by the user terminal, and the user terminal is accessed to the server through a virtual desktop technology;
it can be understood that, in order to adapt to the complex usage environment with multiple users and multiple usage rights, the user rights setting capable of performing encryption and decryption operations may be preset to deal with the actual usage of the multiple users and multiple usage rights, so the server will accept the user identifier sent by the user terminal. The user identifier is used to uniquely identify the user terminal in the current operating environment, so as to achieve an effect of identifying the identity of the user terminal, where the user identifier may mark a physical device, that is, the user terminal, or may mark a current user using the user terminal, which is not limited in this embodiment.
Step S102: matching the user identification with each preset authorized user identification;
in a specific implementation, a user list capable of performing encryption and decryption operations is preset in the server, where the preset authorized user identifier means that when the currently running user identifier is stored in advance as the preset authorized user identifier, that is, the currently running user identifier will have a service qualification for performing encryption and decryption operations, and subsequent decryption of target data or encryption operations of plaintext data will be performed. Matching the user identification with each preset authorized user identification, and when the matching is successful, namely representing that the user identification is preset as the authorized user identification, performing subsequent operation; when the matching is unsuccessful, the follow-up operation can be stopped or prompt information of the failure of the operation can be fed back.
When the matching is successful, step S103 is executed.
It should be understood that steps S101-102 are used to implement the determination for the authorized user, and meanwhile, in order to increase the operation speed of the server and reduce the probability of misoperation, each USB transmission protocol supported by the server may also be detected in advance before the data writing and reading operations are performed, so as to save the calculation amount of the server.
Step S103: matching the preset USB transmission protocol with each preset support protocol;
it is understood that, before parsing the first USB protocol command, a protocol check may be performed to determine whether the server supports the predetermined USB transmission protocol. The protocol check can be performed by reading configuration information of the server, the configuration information describes a USB transmission protocol supported by the server, namely a preset support protocol, and the preset USB transmission protocol is matched with each preset support protocol, so that whether the server supports the USB transmission protocol for encapsulating the current instruction can be judged.
When the matching is successful, step S20 is executed.
In a specific implementation, when the matching is successful, step S20 may be executed, which indicates that the server may analyze the first USB protocol instruction encapsulated by the preset USB transport protocol; and when the matching is unsuccessful, stopping subsequent operation or sending display information of operation failure to the user terminal, wherein the current operating environment of the server cannot support the preset USB transmission protocol. By performing the protocol check before performing step S20, the operating efficiency of the server can be improved.
The present embodiment does not limit the occurrence order of the authorized user determination process implemented in steps S101-102 and the supported protocol matching process implemented in step S103.
In the embodiment, the qualification of reading and writing data by the user can be better managed by presetting the preset authorized user identification, so that the confidentiality of the data is improved; moreover, by introducing the judgment that the server can support the USB transmission protocol in advance, the invalid data calculation amount can be reduced, and the operation efficiency of the equipment is improved.
Referring to fig. 5, fig. 5 is a schematic flowchart illustrating a fourth embodiment of the disclosure of an anti-disclosure method based on a virtual desktop, and the fourth embodiment of the disclosure of the invention is provided based on the embodiment shown in fig. 2.
In the third embodiment, before the step S10, the method further includes:
step S101': the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, wherein the second USB protocol instruction is obtained by packaging a USB write operation input by a user through the preset USB transmission protocol by the user terminal;
it can be understood that, when the USB storage device is inserted into the user terminal under the VDI architecture, in order to write data into the USB storage device, a user may perform a data write operation on the user terminal, for example, add data into the USB storage device, and paste the data into the USB storage device in order to copy the data on the user terminal, so as to generate a USB write operation, where the USB write operation is used to write data into the USB storage device. Under the VDI architecture, the user terminal encapsulates the USB write operation input by the user through the preset USB transmission protocol to obtain a second USB protocol instruction, and the second USB protocol instruction is sent to the server so that the server executes the service of the write operation.
In a specific implementation, when the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, where the second plaintext data is used for data written in a USB storage device, the second plaintext data may be stored locally in the server in advance, or may be obtained from the user terminal.
Step S102': analyzing the second USB protocol instruction to obtain the USB write operation;
it should be understood that, after acquiring the second USB protocol command, the server will parse the protocol command through the preset USB transmission protocol to acquire the USB write operation in the second USB protocol command.
Step S103': encrypting the second plaintext data according to a preset key to obtain encrypted second target data;
it can be understood that, in order to achieve the anti-disclosure effect, both the data read from and written to the USB storage device will be encrypted data, so the second plaintext data will be encrypted according to a preset key to obtain encrypted second target data.
Step S104: and sending the USB write operation and the second target data to a user terminal so that the user terminal writes the second target data in USB storage equipment according to the USB write operation.
In specific implementation, after the USB write operation and the encrypted second target data are obtained, the USB write operation and the second target data are sent to a user terminal, that is, the second target data can be written into the USB storage device, and the encrypted data can be written into the USB storage device.
Before the step S40, the method further includes:
step S40': and generating a preset key and storing the preset key to the local to realize decryption of the first target data according to the preset key.
It can be understood that, in order to facilitate the encryption and decryption operations performed by the server, the preset key may be generated in advance and stored locally in the server, and when the target data to be decrypted or the plaintext data to be encrypted is obtained, the locally stored key may be directly used to perform the anti-disclosure operation, so that the computation load of the server may be effectively saved, and the encryption and decryption speed may be increased.
In the embodiment, the second USB protocol instruction is analyzed and the encryption operation of the second plaintext data is completed in the protocol layer, so that the problem of compatibility with third-party software is better solved compared with the case that an encryption plug-in is installed in a VM to realize the encryption of peripheral data; and, by generating the preset key in advance, the encryption and decryption rate can also be improved.
In addition, an embodiment of the present invention further provides a storage medium, where a virtual desktop-based anti-disclosure program is stored on the storage medium, and when executed by a processor, the virtual desktop-based anti-disclosure program implements the following operations:
the method comprises the steps that a server receives a first USB protocol instruction sent by a user terminal, the first USB protocol instruction is obtained by packaging a USB read operation input by a user through a preset USB transmission protocol by the user terminal, and the user terminal is accessed to the server through a virtual desktop technology;
analyzing the first USB protocol instruction to obtain the USB read operation;
sending the USB reading operation to a user terminal so that the user terminal reads and feeds back first target data to the server from USB storage equipment according to the USB reading operation, wherein the USB storage equipment is connected with the user terminal;
and decrypting the first target data according to a preset secret key to obtain decrypted first plaintext data.
Further, the virtual desktop-based anti-disclosure program, when executed by the processor, further implements the following operations:
and analyzing the first USB protocol instruction under a preset virtual machine simulator to obtain the USB read operation.
Further, the virtual desktop-based anti-disclosure program, when executed by the processor, further implements the following operations:
the server receives a first USB protocol instruction and a partition table sent by a user terminal;
accordingly, the following operations are also implemented:
and determining a data address corresponding to the USB read operation according to the partition table, and sending the data address to a user terminal so that the user terminal reads first target data corresponding to the data address from USB storage equipment and sends the first target data to the server.
Further, the virtual desktop-based anti-disclosure program, when executed by the processor, further implements the following operations:
the server receives a first USB protocol instruction and a user identifier sent by a user terminal;
accordingly, the following operations are also implemented:
matching the user identification with each preset authorized user identification;
and when the matching is successful, executing the step of analyzing the first USB protocol instruction.
Further, the virtual desktop-based anti-disclosure program, when executed by the processor, further implements the following operations:
matching the preset USB transmission protocol with each preset support protocol;
and when the matching is successful, executing the step of analyzing the first USB protocol instruction.
Further, the virtual desktop-based anti-disclosure program, when executed by the processor, further implements the following operations:
the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, wherein the second USB protocol instruction is obtained by packaging a USB write operation input by a user through the preset USB transmission protocol by the user terminal;
analyzing the second USB protocol instruction to obtain the USB write operation;
encrypting the second plaintext data according to the preset key to obtain encrypted second target data;
and sending the USB write operation and the second target data to the user terminal so that the user terminal writes the second target data in the USB storage equipment according to the USB write operation.
Further, the virtual desktop-based anti-disclosure program, when executed by the processor, further implements the following operations:
and generating a preset key and storing the preset key to the local to realize decryption of the first target data according to the preset key.
In this embodiment, the first USB protocol instruction is analyzed and the decryption operation of the first target data is completed in the protocol layer, and compared with the case where an encryption/decryption plug-in is installed in the VM to implement encryption/decryption of peripheral data, the problem of compatibility with third-party software is better solved, so that the technical problem that the compatibility of the encryption/decryption operation of the peripheral data cannot be better guaranteed in the current VDI scenario is solved.
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (10)

1. A method for preventing secret divulgence based on a virtual desktop is characterized by comprising the following steps:
the method comprises the steps that a server receives a first USB protocol instruction sent by a user terminal, the first USB protocol instruction is obtained by packaging a USB read operation input by a user through a preset USB transmission protocol by the user terminal, and the user terminal is accessed to the server through a virtual desktop technology;
analyzing the first USB protocol instruction to obtain the USB read operation;
sending the USB reading operation to a user terminal so that the user terminal reads and feeds back first target data to the server from USB storage equipment according to the USB reading operation, wherein the USB storage equipment is connected with the user terminal;
decrypting the first target data according to a preset secret key to obtain decrypted first plaintext data;
the server runs a virtual machine VM, and a user terminal can realize desktop virtualization of the user terminal by accessing one virtual machine VM in the server.
2. The method of claim 1, wherein the parsing the first USB protocol command to obtain the USB read operation specifically comprises:
and analyzing the first USB protocol instruction under a preset virtual machine simulator to obtain the USB read operation.
3. The method according to claim 1, wherein the server receives a first USB protocol command sent by the user terminal, and specifically includes:
the server receives a first USB protocol instruction and a partition table sent by a user terminal;
correspondingly, the sending the USB read operation to the user terminal so that the user terminal reads and feeds back the first target data from the USB storage device to the server according to the USB read operation specifically includes:
and determining a data address corresponding to the USB read operation according to the partition table, and sending the data address to a user terminal so that the user terminal reads first target data corresponding to the data address from USB storage equipment and sends the first target data to the server.
4. The method according to claim 1, wherein the server receives a first USB protocol command sent by the user terminal, and specifically includes:
the server receives a first USB protocol instruction and a user identifier sent by a user terminal;
correspondingly, before the analyzing the first USB protocol command and obtaining the USB read operation, the method further includes:
matching the user identification with each preset authorized user identification;
and when the matching is successful, executing the step of analyzing the first USB protocol instruction.
5. The method of any of claims 1-4, wherein prior to parsing the first USB protocol instruction to obtain the USB read operation, the method further comprises:
matching the preset USB transmission protocol with each preset support protocol;
and when the matching is successful, executing the step of analyzing the first USB protocol instruction.
6. The method according to any one of claims 1 to 4, wherein the server receives a first USB protocol instruction sent by a user terminal, before the first USB protocol instruction is obtained by encapsulating, by the user terminal, a USB read operation input by a user through a preset USB transport protocol, the method further comprises:
the server receives a second USB protocol instruction and second plaintext data sent by the user terminal, wherein the second USB protocol instruction is obtained by packaging a USB write operation input by a user through the preset USB transmission protocol by the user terminal;
analyzing the second USB protocol instruction to obtain the USB write operation;
encrypting the second plaintext data according to the preset key to obtain encrypted second target data;
and sending the USB write operation and the second target data to the user terminal so that the user terminal writes the second target data in the USB storage equipment according to the USB write operation.
7. The method according to any one of claims 1 to 4, wherein before decrypting the first target data according to a preset key to obtain decrypted first plaintext data, the method further comprises:
and generating a preset key and storing the preset key to the local to realize decryption of the first target data according to the preset key.
8. A method according to any one of claims 1 to 4, wherein the pre-set USB transport protocol comprises any one of a BOT protocol and a USAP protocol.
9. A server, characterized in that the server comprises: a memory, a processor, and a virtual desktop based anti-compromise program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the virtual desktop based anti-compromise method according to any one of claims 1 to 8.
10. A storage medium having stored thereon a virtual desktop based anti-compromise program which, when executed by a processor, implements the steps of the virtual desktop based anti-compromise method according to any one of claims 1 to 8.
CN201711161477.8A 2017-11-20 2017-11-20 Virtual desktop-based anti-leakage method, server and storage medium Active CN108021801B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711161477.8A CN108021801B (en) 2017-11-20 2017-11-20 Virtual desktop-based anti-leakage method, server and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711161477.8A CN108021801B (en) 2017-11-20 2017-11-20 Virtual desktop-based anti-leakage method, server and storage medium

Publications (2)

Publication Number Publication Date
CN108021801A CN108021801A (en) 2018-05-11
CN108021801B true CN108021801B (en) 2021-07-06

Family

ID=62080794

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711161477.8A Active CN108021801B (en) 2017-11-20 2017-11-20 Virtual desktop-based anti-leakage method, server and storage medium

Country Status (1)

Country Link
CN (1) CN108021801B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111158857B (en) * 2019-12-24 2024-05-24 深信服科技股份有限公司 Data encryption method, device, equipment and storage medium
US11847232B2 (en) * 2021-01-19 2023-12-19 Assa Abloy Ab Secure cloud processing
CN115643052A (en) * 2022-09-27 2023-01-24 北京城市网邻信息技术有限公司 Data encryption method, decryption method, device, system, equipment and storage medium
CN118709240B (en) * 2024-08-27 2024-12-27 中孚信息股份有限公司 Storage device access system, method, device and medium for stealth demonstration

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101271424A (en) * 2007-03-19 2008-09-24 普天信息技术研究院 A cache device based on universal serial bus
CN101640702A (en) * 2009-08-27 2010-02-03 深圳华为通信技术有限公司 Portable storage method and device
CN102831084A (en) * 2012-08-16 2012-12-19 刘伟 Controller and controlling method for re-identifying USB (universal serial bus) equipment
CN103020517A (en) * 2012-11-28 2013-04-03 福建伊时代信息科技股份有限公司 Exchange visit method and system for USB virtual desktop equipment
CN103577771A (en) * 2013-11-08 2014-02-12 中科信息安全共性技术国家工程研究中心有限公司 Virtual desktop data leakage-preventive protection technology on basis of disk encryption
CN103701589A (en) * 2013-12-19 2014-04-02 福建星网锐捷网络有限公司 Information transmission method and device based on virtual desktop system and relevant equipment
CN104539685A (en) * 2014-12-19 2015-04-22 华南理工大学 A U disk identification system and method for OpenStack cloud desktop
CN104993961A (en) * 2015-06-30 2015-10-21 广州华多网络科技有限公司 Equipment control methods, devices and system
CN105183675A (en) * 2015-09-30 2015-12-23 华为技术有限公司 USB equipment access method, device and system, terminal and server
CN105389520A (en) * 2015-11-11 2016-03-09 中国建设银行股份有限公司 Data access control method and apparatus and mobile storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160344745A1 (en) * 2006-09-25 2016-11-24 Weaved, Inc. Method and protocol for secure device deployment using a partially-encrypted provisioning file
WO2008092031A2 (en) * 2007-01-24 2008-07-31 Vir2Us, Inc. Computer system architecture having isolated file system management for secure and reliable data processing

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101271424A (en) * 2007-03-19 2008-09-24 普天信息技术研究院 A cache device based on universal serial bus
CN101640702A (en) * 2009-08-27 2010-02-03 深圳华为通信技术有限公司 Portable storage method and device
CN102831084A (en) * 2012-08-16 2012-12-19 刘伟 Controller and controlling method for re-identifying USB (universal serial bus) equipment
CN103020517A (en) * 2012-11-28 2013-04-03 福建伊时代信息科技股份有限公司 Exchange visit method and system for USB virtual desktop equipment
CN103577771A (en) * 2013-11-08 2014-02-12 中科信息安全共性技术国家工程研究中心有限公司 Virtual desktop data leakage-preventive protection technology on basis of disk encryption
CN103701589A (en) * 2013-12-19 2014-04-02 福建星网锐捷网络有限公司 Information transmission method and device based on virtual desktop system and relevant equipment
CN104539685A (en) * 2014-12-19 2015-04-22 华南理工大学 A U disk identification system and method for OpenStack cloud desktop
CN104993961A (en) * 2015-06-30 2015-10-21 广州华多网络科技有限公司 Equipment control methods, devices and system
CN105183675A (en) * 2015-09-30 2015-12-23 华为技术有限公司 USB equipment access method, device and system, terminal and server
CN105389520A (en) * 2015-11-11 2016-03-09 中国建设银行股份有限公司 Data access control method and apparatus and mobile storage medium

Also Published As

Publication number Publication date
CN108021801A (en) 2018-05-11

Similar Documents

Publication Publication Date Title
US8694786B2 (en) Virtual machine images encryption using trusted computing group sealing
US9336384B2 (en) Systems and methods for replacing application methods at runtime
US9904557B2 (en) Provisioning of operating systems to user terminals
US9536063B2 (en) Methods and apparatus for protecting software from unauthorized copying
US9064134B1 (en) Method and apparatus for mitigating software vulnerabilities
US9721102B2 (en) Boot mechanisms for bring your own management
CN108021801B (en) Virtual desktop-based anti-leakage method, server and storage medium
WO2011114655A1 (en) Information processing device, virtual machine generation method, and application software distribution system
CN108021400B (en) Data processing method and device, computer storage medium and equipment
CN111158857B (en) Data encryption method, device, equipment and storage medium
KR101837678B1 (en) Computing apparatus based on trusted execution environment
US20140281499A1 (en) Method and system for enabling communications between unrelated applications
CN104407916A (en) Cloning method and device of virtual machine
WO2016033966A1 (en) Protection method and device for application data
WO2021164462A1 (en) Data encryption method, data decryption method, computer device, and medium
US20230376600A1 (en) Method and system for upgrading firmware of vehicle infotainment system
CN111259364B (en) A method, device, device and storage medium for using a national secret encryption card
US11882123B2 (en) Kernel level application data protection
CN113360217B (en) Rules engine SDK calling method, device and storage medium
CN102799815A (en) Method and device for safely loading program library
CN103530169B (en) Method for protecting virtual machine files and user terminal
CN112363771B (en) Application processing method and related product
US8972745B2 (en) Secure data handling in a computer system
CN113411203B (en) Terminal configuration method and device, computer equipment and storage medium
CN118568743B (en) Data encryption and decryption methods, devices, media, and equipment based on hardware encryption cards

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant