CN106656457A - Method, device and system for safe access of data based on VPN - Google Patents

Info

Publication number: CN106656457A
Authority: CN (China)
Prior art keywords: information, encryption, mobile terminal, vpn, decryption
Legal status: Pending
Application number: CN201510728533.6A
Other languages: Chinese (zh)
Inventor: 邓宁堃
Current Assignee: Sanechips Technology Co Ltd; Shenzhen ZTE Microelectronics Technology Co Ltd
Original Assignee: Shenzhen ZTE Microelectronics Technology Co Ltd
Application filed by Shenzhen ZTE Microelectronics Technology Co Ltd
Priority to CN201510728533.6A
Priority to PCT/CN2016/088683 (WO2017071296A1)
Publication of CN106656457A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
Abstract

The embodiment of the invention discloses a method, device and system for safe access of data based on a VPN. The method includes the following steps: a mobile terminal obtains privacy information to be sent to a VPN server in a safe region; the mobile terminal encrypts the privacy information according to a preset encryption strategy in the safe region, and sends the encrypted privacy information to the VPN server in a non-safe region; the mobile terminal receives display information sent by the VPN server in the non-safe region; and the mobile terminal decrypts the display information according to a preset decryption strategy in the safe region, and displays the decrypted display information.

Description

Method, apparatus and system for secure data access based on VPN
Technical field
The present invention relates to network security technology, and in particular to a method, apparatus and system for secure data access based on a virtual private network (VPN).
Background technology
With the development of mobile communication technology and integrated circuit technology, mobile terminals have acquired ever stronger processing capability and are increasingly becoming portable platforms for processing integrated information. At present, the mobile terminal has also become an important tool for mobile office work.
Briefly, mobile office work means that a user accesses the company's internal network through a VPN from his or her own mobile terminal in order to carry out remote data access. A VPN server is provided in the company's internal network as the interface between the internal network and the external Internet. After the user connects the mobile terminal to the Internet, the terminal can connect to the VPN server at the server's public-network address; after logging in to the VPN server, the user can enter the company intranet through the VPN server and carry out the data access required for his or her work.
However, while remote work from a mobile terminal is convenient for the user, it also increases the risk of leaking the company's internal information and confidential data. In particular, the mainstream smart terminal operating systems of today, such as Android and Apple's iOS, are repeatedly compromised by viruses and Trojans. Consequently, once a user's mobile terminal is infected by a virus or implanted with a Trojan, the account and password may well be stolen while the user logs in to the VPN server, and company data and secrets may even be leaked while the user carries out remote data access through the VPN, causing serious losses. The security of remote data access performed from mobile terminals over VPN therefore needs attention.
The content of the invention
To solve the above technical problem, embodiments of the present invention are expected to provide a method, apparatus and system for secure data access based on VPN which can improve, at the hardware level, the security of the data access a user carries out through VPN using a mobile terminal.
The technical scheme of the present invention is achieved as follows:
In a first aspect, an embodiment of the present invention provides a method for secure data access based on VPN, the method comprising:
a mobile terminal obtaining, in a secure region, private information to be sent to a VPN server;
the mobile terminal encrypting the private information in the secure region according to a preset encryption policy, and then sending the encrypted private information to the VPN server in a non-secure region;
the mobile terminal receiving, in the non-secure region, display information sent by the VPN server; and
the mobile terminal decrypting the display information in the secure region according to a preset decryption policy, and then displaying the decrypted display information.
In the above scheme, the mobile terminal obtaining, in the secure region, the private information to be sent to the VPN server specifically includes:
the mobile terminal starting and displaying a VPN login interface in the secure region, and receiving the login information input into the VPN login interface.
In the above scheme, the mobile terminal encrypting the private information in the secure region according to the preset encryption policy and then sending the encrypted private information to the VPN server in the non-secure region specifically includes:
the mobile terminal encrypting the login information in the secure region according to the preset encryption policy, and switching to the non-secure region; and
the mobile terminal transmitting the encrypted login information to the VPN server in the non-secure region.
In the above scheme, after the mobile terminal has logged in to the VPN server, the method further includes:
the mobile terminal, in the secure region, calling a biometric acquisition device to obtain and store biometric feature information, and then generating a key pair corresponding to the biometric feature information; and
the mobile terminal transmitting the public key of the key pair to the VPN server in the non-secure region.
In the above scheme, the method further includes:
the mobile terminal starting and displaying a biometric login interface in the secure region, and calling the biometric acquisition device to obtain biometric feature information;
when the acquired biometric feature information matches the stored biometric feature information, the mobile terminal, in the secure region, encrypting indication information that indicates a successful match with the private key corresponding to the stored biometric feature information, to obtain encrypted indication information; and
the mobile terminal encrypting the encrypted indication information in the secure region according to the preset encryption policy, and then sending the doubly encrypted indication information to the VPN server in the non-secure region.
In the above scheme, the mobile terminal obtaining, in the secure region, the private information to be sent to the VPN server specifically includes: the mobile terminal receiving, in the secure region, an instruction input through an input device.
In the above scheme, the mobile terminal encrypting the private information in the secure region according to the preset encryption policy and then sending the encrypted private information to the VPN server in the non-secure region specifically includes:
the mobile terminal encrypting the input instruction in the secure region according to the preset encryption policy, and switching to the non-secure region; and
the mobile terminal transmitting the encrypted input instruction to the VPN server in the non-secure region.
In the above scheme, the method further includes:
the mobile terminal encrypting a logout request in the secure region according to the preset encryption policy, and switching to the non-secure region;
the mobile terminal transmitting the encrypted logout request to the VPN server in the non-secure region;
the mobile terminal receiving, in the non-secure region, an encrypted logout-success indication sent by the VPN server, and switching to the secure region; and
the mobile terminal decrypting the encrypted logout-success indication in the secure region, completing the logout according to the decrypted logout-success indication, and switching to the non-secure region.
In a second aspect, an embodiment of the present invention provides a method for secure data access based on VPN, the method comprising:
a VPN server receiving encrypted information sent by a mobile terminal; and
the VPN server decrypting the encrypted information according to a preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and processing the decrypted information according to its information type.
In the above scheme, the encrypted information includes encrypted login information; correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region and processing the decrypted information according to its information type specifically includes:
the VPN server decrypting according to the preset decryption policy, verifying the login information, and determining from the verification result whether the login succeeds:
when the verification passes, the VPN server determines that the login has succeeded and establishes a connection with the mobile terminal;
when the verification fails, the VPN server confirms that the login has failed.
In the above scheme, after the user has logged in, the method further includes: the VPN server receiving the public key corresponding to the stored biometric feature information, and binding the public key to the login information of the current user.
In the above scheme, the encrypted information includes the doubly encrypted indication information produced after the mobile terminal compares, in the secure region, the acquired biometric feature information with the stored biometric feature information;
correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region and processing the decrypted information according to its information type specifically includes:
the VPN server decrypting according to the preset decryption policy, to obtain the indication information encrypted with the private key corresponding to the stored biometric feature information; and
the VPN server decrypting the encrypted indication information with the public key corresponding to the stored biometric feature information, and confirming from the decryption result whether the login succeeds:
when correct indication information is obtained, the VPN server determines that the login by biometric feature information has succeeded and establishes a connection with the mobile terminal;
when correct indication information is not obtained, the VPN server confirms that the login has failed.
In the above scheme, the encrypted information includes an instruction input by the user's operation and encrypted in the secure region of the mobile terminal;
correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region and processing the decrypted information according to its information type specifically includes:
the VPN server decrypting the encrypted input instruction according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and sending it to the intranet for processing; and
the VPN server receiving the operation result for the input instruction returned by the intranet.
In the above scheme, the encrypted information includes a logout request encrypted in the secure region of the mobile terminal;
correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region and processing the decrypted information according to its information type specifically includes:
the VPN server, after decrypting the encrypted logout request, completing the logout operation according to the logout request, encrypting a logout-success indication and returning it to the mobile terminal.
In a third aspect, an embodiment of the present invention provides a mobile terminal, the mobile terminal including a secure region unit, a non-secure region unit and a security monitoring unit; wherein
the secure region unit is configured to obtain private information to be sent to a VPN server;
encrypt the private information according to a preset encryption policy;
and trigger the security monitoring unit;
the security monitoring unit is configured to switch from the secure region unit to the non-secure region unit;
the non-secure region unit is configured to send the encrypted private information to the VPN server;
receive the display information sent by the VPN server;
and trigger the security monitoring unit;
the security monitoring unit is further configured to switch from the non-secure region unit to the secure region unit; and
the secure region unit is further configured to decrypt the display information according to a preset decryption policy and then display the decrypted display information.
In the above scheme, the secure region unit is specifically configured to start and display a VPN login interface and receive the login information input into the VPN login interface.
In the above scheme, the secure region unit is specifically configured to encrypt the login information according to the preset encryption policy; and
the non-secure region unit is specifically configured to transmit the encrypted login information to the VPN server.
In the above scheme, the secure region unit is further configured to call a biometric acquisition device to obtain and store biometric feature information, and then generate a key pair corresponding to the biometric feature information; and
the non-secure region unit is further configured to transmit the public key of the key pair to the VPN server.
In the above scheme, the secure region unit is further configured to start and display a biometric login interface and call the biometric acquisition device to obtain biometric feature information;
and, when the acquired biometric feature information matches the stored biometric feature information, encrypt indication information that indicates a successful match with the private key corresponding to the stored biometric feature information, to obtain encrypted indication information;
and encrypt the encrypted indication information according to the preset encryption policy, to obtain doubly encrypted indication information; and
the non-secure region unit is further configured to send the doubly encrypted indication information to the VPN server.
In the above scheme, the secure region unit is specifically configured to receive an instruction input through an input device.
In the above scheme, the secure region unit is specifically configured to encrypt the input instruction according to the preset encryption policy; and
the non-secure region unit is specifically configured to transmit the encrypted input instruction to the VPN server.
In the above scheme, the secure region unit is further configured to encrypt a logout request according to the preset encryption policy;
the non-secure region unit is further configured to transmit the encrypted logout request to the VPN server;
and receive the encrypted logout-success indication sent by the VPN server; and
the secure region unit is further configured to decrypt the encrypted logout-success indication, complete the logout according to the decrypted logout-success indication, and trigger the security monitoring unit to switch to the non-secure region unit.
In a fourth aspect, an embodiment of the present invention provides a VPN server, the VPN server including a receiving unit and a decryption processing unit; wherein
the receiving unit is configured to receive encrypted information sent by a mobile terminal; and
the decryption processing unit is configured to decrypt the encrypted information according to a preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and to process the decrypted information according to its information type.
In the above scheme, the encrypted information includes encrypted login information; correspondingly, the decryption processing unit is specifically configured to:
decrypt according to the preset decryption policy, verify the login information, and determine from the verification result whether the login succeeds:
when the verification passes, determine that the login has succeeded and establish a connection with the mobile terminal;
when the verification fails, confirm that the login has failed.
In the above scheme, the receiving unit is further configured to receive the public key corresponding to the stored biometric feature information and bind the public key to the login information of the current user.
In the above scheme, the encrypted information includes the doubly encrypted indication information produced after the mobile terminal compares, in the secure region, the acquired biometric feature information with the stored biometric feature information;
correspondingly, the decryption processing unit is specifically configured to:
decrypt according to the preset decryption policy, to obtain the indication information encrypted with the private key corresponding to the stored biometric feature information;
decrypt the encrypted indication information with the public key corresponding to the stored biometric feature information, and confirm from the decryption result whether the login succeeds:
when correct indication information is obtained, determine that the login by biometric feature information has succeeded and establish a connection with the mobile terminal;
when correct indication information is not obtained, confirm that the login has failed.
In the above scheme, the encrypted information includes an instruction input by the user's operation and encrypted in the secure region of the mobile terminal;
correspondingly, the decryption processing unit is specifically configured to:
decrypt the encrypted input instruction according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and send it to the intranet for processing; and
receive the operation result for the input instruction returned by the intranet.
In the above scheme, the encrypted information includes a logout request encrypted in the secure region of the mobile terminal;
correspondingly, the decryption processing unit is specifically configured to:
decrypt the encrypted logout request, complete the logout operation according to the logout request, encrypt a logout-success indication and trigger the receiving unit; and
the receiving unit is further configured to return the encrypted logout-success indication to the mobile terminal.
In a fifth aspect, an embodiment of the present invention provides a system for secure data access based on VPN, the system including a mobile terminal and a VPN server; wherein
the mobile terminal is configured to obtain, in a secure region, private information to be sent to the VPN server;
encrypt the private information in the secure region according to a preset encryption policy, and then send the encrypted private information to the VPN server in a non-secure region;
receive, in the non-secure region, display information sent by the VPN server;
and decrypt the display information in the secure region according to a preset decryption policy, and then display the decrypted display information; and
the VPN server is configured to receive the encrypted information sent by the mobile terminal;
and decrypt the encrypted information according to a preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and process the decrypted information according to its information type.
Embodiments of the present invention provide a method, apparatus and system for secure data access based on VPN. By using the division into a secure region and a non-secure region that already exists in current mobile terminal processor architectures, the confidential data that the mobile terminal needs to transmit to the VPN server is handled by the secure region of the processor architecture. Thus, even when the non-secure region of the mobile terminal's processor architecture is infected by a virus or implanted with a Trojan, the security of the data access a user carries out through VPN using the mobile terminal can still be improved at the hardware level.
Description of the drawings
Fig. 1 is a flow diagram of a method for secure data access based on VPN provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of a registration process provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of a login process provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of a logout process provided by an embodiment of the present invention;
Fig. 5 is a flow diagram of another method for secure data access based on VPN provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of a mobile terminal provided by an embodiment of the present invention;
Fig. 7 is a structural diagram of a VPN server provided by an embodiment of the present invention;
Fig. 8 is a structural diagram of a system for secure data access based on VPN provided by an embodiment of the present invention.
Specific embodiments
The technical scheme of the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings of the embodiments.
The basic idea of the embodiments of the present invention is as follows: using a processor architecture that has a secure region and a non-secure region, for example an ARM processor architecture supporting TrustZone, the operations of higher security level in the mobile terminal's remote data access are performed by a secure operating system running in the processor's secure region, while the non-secure operating system running in the processor's non-secure region is used only for data transfer between the mobile terminal and the VPN server. In this way, the operation data of the user's VPN remote data access cannot be obtained from within the non-secure operating system, which keeps that operation data safe.
Based on the above basic idea, the technical scheme that realizes it is explained below through several embodiments. To explain the technical scheme of the embodiments clearly, the following embodiments take as an example a mobile terminal with an ARM processor architecture supporting TrustZone technology and running the Android operating system. It will be understood that those skilled in the art can apply the technical scheme of the embodiments to other processor architectures supporting a secure region and a non-secure region, and to mobile terminals running other mobile operating systems; the embodiments do not elaborate on this.
Embodiment one
Referring to Fig. 1, it shows a method for secure data access based on VPN provided by an embodiment of the present invention. The method applies to a mobile terminal that has both a secure region and a non-secure region, and may include:
S101: the mobile terminal obtains, in the secure region, private information to be sent to the VPN server;
S102: the mobile terminal encrypts the private information in the secure region according to a preset encryption policy, and then sends the encrypted private information to the VPN server in the non-secure region;
S103: the mobile terminal receives, in the non-secure region, display information sent by the VPN server;
S104: the mobile terminal decrypts the display information in the secure region according to a preset decryption policy, and then displays the decrypted display information.
It should be noted that, taking the ARM processor architecture supporting TrustZone technology as an example, TrustZone technology separates two parallel and isolated execution environments: the non-secure normal execution environment, that is, the above non-secure region; and the secure, trusted execution environment, that is, the above secure region. Switching between the secure region and the non-secure region is controlled and implemented by the secure monitor (Monitor). Therefore, for a mobile terminal having both a secure region and a non-secure region, switching between the two regions can be implemented by providing a dedicated security monitoring mechanism; the embodiments do not elaborate on this.
It can be seen that, in the embodiment of the present invention, through the method flow shown in Fig. 1, the mobile terminal performs only the data transfer between itself and the VPN server in the non-secure region, whereas the acquisition and encryption of the information to be sent and the display and decryption of the information received from the VPN server are all completed in the mobile terminal's secure region. Because the secure region and the non-secure region are parallel and isolated, any virus infecting or Trojan implanted in the mobile terminal's non-secure region is likewise isolated from the mobile terminal's secure region. Hence the flow shown in Fig. 1 can improve, at the hardware level, the security of the data access a user carries out through VPN using the mobile terminal.
Exemplarily, on the basis of the flow shown in Fig. 1, it should be noted that the private information may specifically include the login information used to log in to the VPN. The mobile terminal obtaining, in the secure region, the private information to be sent to the VPN server may therefore specifically include:
the mobile terminal starting and displaying a VPN login interface in the secure region, and receiving the login information, such as the user name and password, input into the VPN login interface.
Correspondingly, the mobile terminal encrypting the private information in the secure region according to the preset encryption policy and then sending the encrypted private information to the VPN server in the non-secure region specifically includes:
the mobile terminal encrypting the login information in the secure region according to the preset encryption policy, and switching to the non-secure region;
and the mobile terminal transmitting the encrypted login information to the VPN server in the non-secure region.
It will be appreciated that, after receiving the encrypted login information, the VPN server decrypts it according to the preset decryption policy, verifies the login information, and determines from the verification result whether the login succeeds:
when the verification passes, the VPN server determines that the login has succeeded and establishes a connection between the mobile terminal and the VPN server;
when the verification fails, the VPN server confirms that the login has failed.
Further, to enhance the security of the user's login, after the user has successfully logged in to the VPN server with conventional login information such as a user name and password, a security-enhanced VPN login can additionally be performed with the user's biometric features, for example the user's fingerprint or eyeprint. Therefore, after the mobile terminal has logged in to the VPN server with conventional login information, the method may also include a process of registering the user's biometric feature information, which, referring to Fig. 2, may specifically include:
S201: the mobile terminal, in the secure region, calls a biometric acquisition device to obtain and store biometric feature information, and then generates a key pair corresponding to the biometric feature information;
S202: the mobile terminal transmits the public key of the key pair to the VPN server in the non-secure region.
Specifically, the mobile terminal may, in the secure region, start the camera to acquire biometric feature information such as the user's eyeprint or fingerprint. It will be appreciated that, after the VPN server receives the public key corresponding to the biometric feature information, it can bind the public key to the login information of the current user, so that the biometric feature information can subsequently serve as security-enhanced login information for the current user.
Further, corresponding to the registration of the user's biometric feature information, a process of logging in by means of the user's biometric feature information may also be included, which, referring to Fig. 3, may specifically include:
S301: the mobile terminal starts and displays a biometric login interface in the secure region, and calls the biometric acquisition device to obtain biometric feature information;
S302: when the acquired biometric feature information matches the stored biometric feature information, the mobile terminal, in the secure region, encrypts indication information that indicates a successful match with the private key corresponding to the stored biometric feature information, to obtain encrypted indication information;
S303: the mobile terminal encrypts the encrypted indication information in the secure region according to the preset encryption policy, and then sends the doubly encrypted indication information to the VPN server in the non-secure region.
Specifically, the mobile terminal may, in the secure region, start the camera to acquire biometric feature information such as the user's eyeprint or fingerprint. It will be appreciated that, after the VPN server receives the doubly encrypted indication information, it can decrypt it to obtain the encrypted indication information, decrypt that encrypted indication information with the public key corresponding to the stored biometric feature information, and confirm from the decryption result whether the login succeeds:
when correct indication information is obtained, the VPN server determines that the login by biometric feature information has succeeded and establishes a connection between the mobile terminal and the VPN server;
when correct indication information is not obtained, the VPN server confirms that the login has failed.
By way of example, once registration and login between the mobile terminal and the VPN server have been completed by the above scheme and the connection between the mobile terminal and the VPN has been established, remote data access is carried out through data interaction between the mobile terminal and the VPN. Specifically, this can include: the user sends an input instruction to the VPN server through the mobile terminal; the VPN forwards the input instruction to the intranet, which completes the operation corresponding to the instruction; the intranet then sends the operation result that needs to be displayed on the user terminal to the VPN, which returns it to the mobile terminal. Here, the instruction input by the user's operation is a kind of private information, and the result that needs to be displayed on the mobile terminal is a kind of display information. Accordingly, the detailed process by which the VPN returns the operation result to be displayed to the mobile terminal can refer to steps S103 to S104 in Fig. 1. When the instruction input by the user's operation is private information, the mobile terminal obtaining, in the secure area, the private information to be sent to the VPN server specifically includes: the mobile terminal receiving the input instruction through an input device in the secure area; for example, the mobile terminal can call the touch screen in the secure area to receive and record the user's input operation.
Correspondingly, the mobile terminal encrypting the private information according to the default encryption policy in the secure area and then sending the encrypted private information to the VPN server in the non-secure area specifically includes:
the mobile terminal encrypting the input instruction according to the default encryption policy in the secure area, and switching to the non-secure area;
and the mobile terminal transmitting the encrypted input instruction to the VPN server in the non-secure area.
It should be understood that after the VPN server decrypts the encrypted input instruction, it sends it to the intranet for processing, so that the operation result that needs to be displayed for the input instruction can be obtained.
By way of example, after the mobile terminal has finished remote data access, the logged-in information also needs to be logged out. Referring to Fig. 4, this can specifically include:
S401: In the secure area, the mobile terminal encrypts a logout request according to the default encryption policy, and switches to the non-secure area;
S402: In the non-secure area, the mobile terminal transmits the encrypted logout request to the VPN server. It should be understood that after the VPN server decrypts the encrypted logout request, it can complete the logout operation according to the logout request and encrypt a logout-success indication.
S403: In the non-secure area, the mobile terminal receives the encrypted logout-success indication sent by the VPN server, and switches to the secure area;
S404: In the secure area, the mobile terminal decrypts the encrypted logout-success indication, completes the logout according to the decrypted logout-success indication, and switches to the non-secure area.
This embodiment provides a method for secure access to data based on a VPN that is applied on the mobile terminal side. By using the division into security areas present in current mobile terminal processor architectures, the confidential data that the mobile terminal needs to exchange with the VPN server is executed and processed in the secure area of the processor architecture. Thus, even when the non-secure area of the mobile terminal processor architecture has been infected by a virus or implanted with a Trojan, the security of the user's data access through the VPN using the mobile terminal is still improved at the hardware level.
Embodiment two
Based on the same technical concept as the previous embodiment, and with reference to Fig. 5, which illustrates it, an embodiment of the present invention provides a method for secure access to data based on a VPN that is applied on the VPN server side. The method can include:
S501: The VPN server receives encrypted information sent by the mobile terminal;
It should be noted that the encrypted information is encrypted by the secure area of the mobile terminal and sent by the non-secure area of the mobile terminal.
S502: The VPN server decrypts the encrypted information according to a default decryption policy corresponding to the encryption policy of the mobile terminal's secure area, and processes the decrypted information according to its information type.
It should be noted that the role of the VPN server in the technical scheme of the whole embodiment is to establish the connection between the mobile terminal and the intranet, and to process the information transmitted by the mobile terminal accordingly.
Specifically, when the user logs in to the VPN through the mobile terminal, the encrypted information can include login information encrypted in the secure area of the mobile terminal, such as a user name and password. Correspondingly, the VPN server decrypting the encrypted information according to the default decryption policy corresponding to the encryption policy of the mobile terminal's secure area, and processing the decrypted information according to its information type, can specifically include:
after receiving the encrypted login information, the VPN server decrypting it according to the default decryption policy, verifying the login information, and determining from the verification result whether the login succeeded:
when the verification passes, the VPN server determining that the login succeeded and establishing the connection between the mobile terminal and the VPN server;
when the verification fails, the VPN server confirming a login failure.
Further, to raise the security of user login, after the user has successfully logged in to the VPN server with conventional login information such as a user name and password, the user's physiological features, for example the user's fingerprint or eyeprint, can also be used for a security-enhanced VPN login. Accordingly, additional registration needs to be carried out for the user's physiological features. At this point the encrypted information can include the public key of the key pair corresponding to the physiological characteristic information acquired by the mobile terminal in the secure area. Correspondingly, after the user has logged in, the VPN server receives the public key corresponding to the physiological characteristic information and binds it to the current user's login information, so that the physiological characteristic information can subsequently serve as the current user's security-enhanced login information.
Further, corresponding to the registration of the user's physiological characteristic information, a process of logging in by means of the user's physiological characteristic information is also included. At this point the encrypted information can include the doubly encrypted indication information produced after the physiological characteristic information acquired by the mobile terminal in the secure area has been compared with the stored physiological characteristic information. Correspondingly, the VPN server decrypting the encrypted information according to the default decryption policy corresponding to the encryption policy of the mobile terminal's secure area, and processing the decrypted information according to its information type, can specifically include:
the VPN server decrypting according to the default decryption policy to obtain the indication information encrypted with the private key corresponding to the stored physiological characteristic information;
and the VPN server decrypting the encrypted indication information with the public key corresponding to the stored physiological characteristic information, and confirming from the decryption result whether the login succeeded:
when correct indication information is obtained, the VPN server determining that the login via physiological characteristic information succeeded, and establishing the connection between the mobile terminal and the VPN server;
when correct indication information is not obtained, the VPN server confirming a login failure.
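The registration (S201/S202) and physiological-feature login (S301 to S303, with the server-side verification just described) exchange, as an added example in Go that is not part of the patent: the secure area is modelled as a struct that keeps the template and an Ed25519 private key, "encryption with the private key" is realised as an Ed25519 signature, and the "default encryption policy" is assumed to be AES-256-GCM under a pre-shared key. The server-issued challenge bound into the indication is an addition to the page's scheme (so a captured indication cannot be replayed); the sample captures and the all-zero key are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// newOuter is the shared "default encryption policy" (assumption: AES-256-GCM under a pre-shared key).
func newOuter(key [32]byte) cipher.AEAD {
	block, _ := aes.NewCipher(key[:]) // cannot fail: the array type fixes a valid AES-256 key length
	aead, _ := cipher.NewGCM(block)   // cannot fail for an AES block cipher
	return aead
}

// SecureArea models the mobile terminal's secure area; template and private key never leave it.
type SecureArea struct {
	template []byte // constructed: raw feature bytes stand in for a real biometric template
	priv     ed25519.PrivateKey
	outer    cipher.AEAD
}

// Register (S201/S202): save the template, generate the key pair, hand out only the public key.
func (a *SecureArea) Register(capture []byte) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.template, a.priv = capture, priv
	return pub
}

// Login (S301-S303): on a template match, sign the "comparison consistent" indication
// with the private key and wrap it under the outer policy. The server challenge bound
// into the indication is an addition to the page's scheme, against replay of a capture.
func (a *SecureArea) Login(capture, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare(capture, a.template) != 1 {
		return nil, errors.New("biometric mismatch: no indication produced")
	}
	indication := append([]byte("biometric-match:"), challenge...)
	signed := append(ed25519.Sign(a.priv, indication), indication...)
	nonce := make([]byte, a.outer.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err // a predictable or reused nonce would break GCM, so never continue
	}
	return append(nonce, a.outer.Seal(nil, nonce, signed, nil)...), nil
}

// VPNServer holds each user's bound public key and the challenge for a pending login.
type VPNServer struct {
	boundPub   map[string]ed25519.PublicKey
	challenges map[string][]byte
	outer      cipher.AEAD
}

// Challenge issues a one-time value the secure area must bind into its indication.
func (v *VPNServer) Challenge(user string) []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	v.challenges[user] = c
	return c
}

// VerifyLogin strips the outer layer, then checks the inner signature against
// the bound public key and the expected indication; true means login succeeded.
func (v *VPNServer) VerifyLogin(user string, doubleEncrypted []byte) bool {
	pub, bound := v.boundPub[user]
	challenge, issued := v.challenges[user]
	delete(v.challenges, user) // single use, whether or not verification passes
	n := v.outer.NonceSize()
	if !bound || !issued || len(doubleEncrypted) < n {
		return false
	}
	signed, err := v.outer.Open(nil, doubleEncrypted[:n], doubleEncrypted[n:], nil)
	if err != nil || len(signed) < ed25519.SignatureSize {
		return false // outer layer tampered with, or not produced under the shared policy
	}
	sig, indication := signed[:ed25519.SignatureSize], signed[ed25519.SignatureSize:]
	expected := append([]byte("biometric-match:"), challenge...)
	return ed25519.Verify(pub, indication, sig) && subtle.ConstantTimeCompare(indication, expected) == 1
}

func main() {
	var key [32]byte // pre-shared session key (assumption; all-zero only for this demo)
	area := &SecureArea{outer: newOuter(key)}
	srv := &VPNServer{boundPub: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}, outer: newOuter(key)}
	enrolled := []byte("eyeprint-feature-vector-of-user-A") // constructed sample capture
	srv.boundPub["userA"] = area.Register(enrolled)          // public key bound to the login record
	msg, _ := area.Login(enrolled, srv.Challenge("userA"))
	fmt.Println("matching login accepted:", srv.VerifyLogin("userA", msg))
	fmt.Println("replayed indication accepted:", srv.VerifyLogin("userA", msg)) // challenge consumed
}
```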
By way of example, the above scheme completes registration and login between the mobile terminal and the VPN server. After the connection between the mobile terminal and the VPN has been established, remote data access is carried out through data interaction between the mobile terminal and the VPN. Specifically, this can include: the user sends an input instruction to the VPN server through the mobile terminal; the VPN forwards the input instruction to the intranet, which completes the operation corresponding to the instruction; the intranet then sends the operation result that needs to be displayed on the user terminal to the VPN, which returns it to the mobile terminal.
At this point the encrypted information can include the instruction input by the user's operation, encrypted by the secure area of the mobile terminal. Correspondingly, the VPN server decrypting the encrypted information according to the default decryption policy corresponding to the encryption policy of the mobile terminal's secure area, and processing the decrypted information according to its information type, can specifically include:
the VPN server decrypting the encrypted input instruction according to the default decryption policy corresponding to the encryption policy of the mobile terminal's secure area, and sending it to the intranet for processing;
receiving the operation result for the input instruction returned by the intranet.
It should be understood that, since the operation result needs to be displayed on the mobile terminal, the VPN server can encrypt the operation result and send the encrypted operation result to the mobile terminal.
By way of example, after the mobile terminal has finished remote data access, the logged-in information also needs to be logged out. At this point the encrypted information can include a logout request encrypted by the secure area of the mobile terminal. Correspondingly, the VPN server decrypting the encrypted information according to the default decryption policy corresponding to the encryption policy of the mobile terminal's secure area, and processing the decrypted information according to its information type, can specifically include:
after decrypting the encrypted logout request, the VPN server completing the logout operation according to the logout request, encrypting a logout-success indication and returning it to the mobile terminal, so that the mobile terminal, after decrypting the encrypted logout-success indication, completes the logout according to the decrypted logout-success indication.
Embodiment three
Based on the same technical concept as the previous embodiments, and with reference to Fig. 6, which illustrates it, an embodiment of the present invention provides the structure of a mobile terminal 60. The mobile terminal 60 includes a secure area unit 601, a non-secure area unit 602 and a security monitoring unit 603, wherein:
the secure area unit 601 is configured to obtain the private information to be sent to the VPN server;
and to encrypt the private information according to the default encryption policy;
and to trigger the security monitoring unit 603;
the security monitoring unit 603 is configured to switch from the secure area unit 601 to the non-secure area unit 602;
the non-secure area unit 602 is configured to send the encrypted private information to the VPN server;
and to receive the display information sent by the VPN server;
and to trigger the security monitoring unit 603;
the security monitoring unit 603 is further configured to switch from the non-secure area unit 602 to the secure area unit 601;
the secure area unit 601 is further configured to decrypt the display information according to the default decryption policy and then display the decrypted display information.
By way of example, the secure area unit 601 is specifically configured to start and display a VPN login interface, and to receive the login information entered into the VPN login interface.
Further, the secure area unit 601 is specifically configured to encrypt the login information according to the default encryption policy;
and the non-secure area unit 602 is specifically configured to transmit the encrypted login information to the VPN server.
Further, the secure area unit 601 is further configured to call the physiological feature acquisition device to obtain and save physiological characteristic information, and then generate a key pair corresponding to that physiological characteristic information;
and the non-secure area unit is further configured to transmit the public key of the key pair to the VPN server.
Further, the secure area unit 601 is further configured to start and display a physiological feature login interface, and to call the physiological feature acquisition device to obtain physiological characteristic information;
and, when the acquired physiological characteristic information is compared with the stored physiological characteristic information and found consistent, to encrypt indication information that indicates the comparison was consistent with the private key corresponding to the stored physiological characteristic information, obtaining encrypted indication information;
and to encrypt the encrypted indication information again according to the default encryption policy, obtaining doubly encrypted indication information;
and the non-secure area unit is further configured to send the doubly encrypted indication information to the VPN server.
By way of example, the secure area unit 601 is specifically configured to receive the input instruction through an input device.
Further, the secure area unit 601 is specifically configured to encrypt the input instruction according to the default encryption policy;
and the non-secure area unit 602 is specifically configured to transmit the encrypted input instruction to the VPN server.
By way of example, the secure area unit 601 is further configured to encrypt a logout request according to the default encryption policy;
the non-secure area unit 602 is further configured to transmit the encrypted logout request to the VPN server;
and to receive the encrypted logout-success indication sent by the VPN server;
and the secure area unit 601 is further configured to decrypt the encrypted logout-success indication, complete the logout according to the decrypted logout-success indication, and trigger the security monitoring unit 603 to switch to the non-secure area unit 602.
It should be noted that in a specific implementation of this embodiment of the present invention, a secure operating system runs in the secure area unit 601 and can access the underlying hardware, including the camera, touch screen and display screen, through secure device drivers. The secure operating system is specifically used to run applications with a high security level, such as a secure VPN application or a secure payment application. It is a simplified, stable operating system: the secure tasks running in it are executed serially and its scheduling strategy is non-preemptive, which improves the security and stability of the system internally. A secure application can only be installed in the system after passing security certification, which ensures the external security of the secure operating system. In this embodiment, the specific functions of the secure area unit 601 can be realised by a secure VPN application running in the secure operating system, specifically the VPN password login, eyeprint registration, eyeprint login, secure input, secure display and secure logout functions, among others. The secure area unit 601 has independent secure device drivers (15), including a secure camera driver, a secure display screen driver and a secure touch screen driver, which can only be called by the secure operating system (12).
A non-secure operating system runs in the non-secure area unit 602, for example Android, the mainstream operating system running on current intelligent terminals, which can satisfy the user's various needs on the intelligent terminal. Because this system is open source and free, and the user may browse web pages and install various applications, the security of the system is not high and it is likely to be attacked by viruses or Trojans. The non-secure area unit 602 is also equipped with independent non-secure device drivers (19), including a non-secure camera driver, a non-secure display screen driver and a non-secure touch screen driver, which can only be called by the non-secure operating system (16).
The security monitoring unit 603 is responsible for the communication and switching between the secure area unit 601 and the non-secure area unit 602.
It should be understood that hardware devices such as the camera, display screen and touch screen can only be accessed by the secure operating system (12) in the secure area unit 601 and only by the non-secure operating system (16) in the non-secure area unit 602, so the isolation of secure from non-secure is realised in hardware, which guarantees the security of remote-working data.
Embodiment four
Based on the same technical concept as the previous embodiments, and with reference to Fig. 7, which illustrates it, an embodiment of the present invention provides the structure of a VPN server 70. The VPN server 70 includes a receiving unit 701 and a decryption processing unit 702, wherein:
the receiving unit 701 is configured to receive the encrypted information sent by the mobile terminal;
the decryption processing unit 702 is configured to decrypt the encrypted information according to the default decryption policy corresponding to the encryption policy of the mobile terminal's secure area, and to process the decrypted information according to its information type.
By way of example, the encrypted information includes encrypted login information; correspondingly, the decryption processing unit 702 is specifically configured to:
decrypt according to the default decryption policy, verify the login information, and determine from the verification result whether the login succeeded:
when the verification passes, determine that the login succeeded, and establish the connection with the mobile terminal;
when the verification fails, confirm a login failure.
Further, the receiving unit 701 is further configured to receive the public key corresponding to the stored physiological characteristic information, and to bind the public key to the current user's login information.
Further, the encrypted information includes the doubly encrypted indication information produced after the physiological characteristic information acquired by the mobile terminal in the secure area has been compared with the stored physiological characteristic information;
correspondingly, the decryption processing unit 702 is specifically configured to:
decrypt according to the default decryption policy to obtain the indication information encrypted with the private key corresponding to the stored physiological characteristic information;
and decrypt the encrypted indication information with the public key corresponding to the stored physiological characteristic information, and confirm from the decryption result whether the login succeeded:
when correct indication information is obtained, determine that the login via physiological characteristic information succeeded, and establish the connection with the mobile terminal;
when correct indication information is not obtained, confirm a login failure.
By way of example, the encrypted information includes the instruction input by the user's operation, encrypted by the secure area of the mobile terminal;
correspondingly, the decryption processing unit 702 is specifically configured to:
decrypt the encrypted input instruction according to the default decryption policy corresponding to the encryption policy of the mobile terminal's secure area, and send it to the intranet for processing;
and receive the operation result for the input instruction returned by the intranet.
By way of example, the encrypted information includes a logout request encrypted by the secure area of the mobile terminal;
correspondingly, the decryption processing unit 702 is specifically configured to:
after decrypting the encrypted logout request, complete the logout operation according to the logout request, encrypt a logout-success indication, and trigger the receiving unit 701;
and the receiving unit 701 is further configured to return the encrypted logout-success indication to the mobile terminal.
It should be noted that the VPN server 70 can complete functions such as password login authentication, eyeprint login authentication, binding of the eyeprint public key to the user, data encryption and decryption, and data transmission. It can be connected not only to the Internet but also to the company intranet, establishing the connection between the mobile terminal and the company intranet.
Embodiment five
Based on the same technical concept as the previous embodiments, and with reference to Fig. 8, which illustrates the structure of a system 80 for secure access to data based on a VPN, the system 80 can include a mobile terminal 60 and a VPN server 70;
wherein the mobile terminal 60 is configured to obtain, in the secure area, the private information to be sent to the VPN server 70;
and, after encrypting the private information according to the default encryption policy in the secure area, to send the encrypted private information to the VPN server 70 in the non-secure area;
and to receive, in the non-secure area, the display information sent by the VPN server 70;
and, after decrypting the display information according to the default decryption policy in the secure area, to display the decrypted display information;
the VPN server 70 is configured to receive the encrypted information sent by the mobile terminal 60;
and to decrypt the encrypted information according to the default decryption policy corresponding to the encryption policy of the secure area of the mobile terminal 60, and to process the decrypted information according to its information type.
Those skilled in the art should understand that embodiments of the present invention can be provided as a method, a system or a computer program product. Therefore, the present invention can take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention can take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk memory and optical memory) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions can also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (29)

1. a kind of method of the security access data based on VPN (virtual private network) VPN, it is characterised in that institute The method of stating includes:
Mobile terminal obtains the private information for being sent to vpn server under safety zone;
The mobile terminal is carried out according to default encryption policy under the safety zone to the private information After encryption, the private information after the encryption is sent to vpn server under insecure area;
The mobile terminal receives the display sent by the vpn server under the insecure area to be believed Breath;
The mobile terminal is carried out the display information according to default decryption policy under the safety zone After decryption, the display information after decryption is shown.
2. method according to claim 1, it is characterised in that the mobile terminal is under safety zone Acquisition is sent to the private information of vpn server, specifically includes:
The mobile terminal starts and shows VPN login interfaces under the safety zone, receives input to institute State the log-on message in VPN login interfaces.
3. method according to claim 2, it is characterised in that the mobile terminal is under safety zone After being encrypted to the private information according to default encryption policy, by the encryption under insecure area Private information afterwards is sent to vpn server, is specifically included:
The mobile terminal is carried out the log-on message according to default encryption policy under the safety zone Encryption, and switch to the insecure area;
The mobile terminal transmits the log-on message after encryption to the VPN under the insecure area Server.
4. method according to claim 3, it is characterised in that the mobile terminal logs in the VPN After server, methods described also includes:
The mobile terminal calls physiological feature harvester to obtain under the safety zone and preserves physiology spy After reference breath, key pair corresponding with the physiological characteristic information is generated;
The mobile terminal transmits the public key of the cipher key pair to described under the insecure area Vpn server.
5. method according to claim 4, it is characterised in that methods described also includes:
The mobile terminal starts and shows physiological feature login interface under the safety zone, and calls life Reason collection apparatus device obtains physiological characteristic information;
When the physiological characteristic information for acquiring compares consistent with the physiological characteristic information of storage, the movement Terminal will compare consistent configured information by the physiological feature with the storage under safety zone for instruction The corresponding private key of information is encrypted, the configured information after being encrypted;
The mobile terminal is under the safety zone according to default encryption policy by the instruction after the encryption After information is encrypted, the configured information of two re-encryption is sent to described under the insecure area Vpn server.
6. method according to claim 1, it is characterised in that the mobile terminal is in the place of safety The private information for being sent to vpn server is obtained under domain, is specifically included:The mobile terminal is in the peace The region-wide lower instruction by input equipment receives input.
7. method according to claim 6, it is characterised in that the mobile terminal is under safety zone After being encrypted to the private information according to default encryption policy, by the encryption under insecure area Private information afterwards is sent to vpn server, is specifically included:
The mobile terminal enters the instruction of the input according to default encryption policy under the safety zone Row encryption, and switch to the insecure area;
The mobile terminal transmits the input instruction after encryption to the VPN under the insecure area Server.
8. method according to claim 1, it is characterised in that methods described also includes:
The mobile terminal is encrypted de-registration request according to default encryption policy under the safety zone, And switch to the insecure area;
The mobile terminal transmits the de-registration request after encryption to the VPN under the insecure area Server;
The mobile terminal receives the note of the encryption that the vpn server sends under the insecure area Sell and successfully indicate, and switch to the safety zone;
The mobile terminal successfully indicates to be decrypted under the safety zone to the cancellation of the encryption, and Successfully indicated to complete to nullify according to the cancellation after decryption, and switch to the insecure area.
9. A method for secure data access based on a virtual private network (VPN), characterized in that the method comprises:
a VPN server receiving encrypted information sent by a mobile terminal;
the VPN server decrypting the encrypted information according to a preset decryption policy corresponding to the encryption policy of the secure area of the mobile terminal, and processing the decrypted information according to the information type of the decrypted information.
10. The method according to claim 9, characterized in that the encrypted information comprises encrypted login information; correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy of the secure area of the mobile terminal, and processing the decrypted information according to its information type, specifically comprises:
the VPN server decrypting the encrypted login information according to the preset decryption policy, verifying the login information, and determining whether the login succeeds according to the verification result:
when the verification passes, the VPN server determines that the login succeeds and establishes a connection with the mobile terminal;
when the verification fails, the VPN server confirms that the login fails.
11. The method according to claim 10, characterized in that, after the user has logged in, the method further comprises: the VPN server receiving the public key corresponding to the stored physiological characteristic information, and binding the public key with the login information of the current user.
12. The method according to claim 11, characterized in that the encrypted information comprises doubly encrypted indication information produced after the mobile terminal compares the physiological characteristic information collected in the secure area with the stored physiological characteristic information;
correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy of the secure area of the mobile terminal, and processing the decrypted information according to its information type, specifically comprises:
the VPN server decrypting according to the preset decryption policy, obtaining the indication information encrypted with the private key corresponding to the stored physiological characteristic information;
the VPN server decrypting the encrypted indication information with the public key corresponding to the stored physiological characteristic information, and confirming whether the login succeeds according to the decryption result:
when correct indication information is obtained, the VPN server determines that the login by physiological characteristic information succeeds and establishes a connection with the mobile terminal;
when correct indication information is not obtained, the VPN server confirms that the login fails.
13. The method according to claim 9, characterized in that the encrypted information comprises an input instruction for a user operation, encrypted by the secure area of the mobile terminal;
correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy of the secure area of the mobile terminal, and processing the decrypted information according to its information type, specifically comprises:
the VPN server decrypting the encrypted input instruction according to the preset decryption policy corresponding to the encryption policy of the secure area of the mobile terminal, and sending the decrypted input instruction to the intranet for processing;
the VPN server receiving the operation result for the input instruction returned by the intranet.
14. The method according to claim 9, characterized in that the encrypted information comprises a logout request encrypted by the secure area of the mobile terminal;
correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy of the secure area of the mobile terminal, and processing the decrypted information according to its information type, specifically comprises:
the VPN server decrypting the encrypted logout request, completing the logout operation according to the logout request, encrypting a logout-success indication, and returning the encrypted logout-success indication to the mobile terminal.
15. A mobile terminal, characterized in that the mobile terminal comprises a secure area unit, a non-secure area unit and a security monitor unit; wherein
the secure area unit is configured to obtain private information to be sent to a virtual private network (VPN) server;
encrypt the private information according to a preset encryption policy;
and trigger the security monitor unit;
the security monitor unit is configured to switch from the secure area unit to the non-secure area unit;
the non-secure area unit is configured to send the encrypted private information to the VPN server;
receive display information sent by the VPN server;
and trigger the security monitor unit;
the security monitor unit is further configured to switch from the non-secure area unit to the secure area unit;
the secure area unit is further configured to decrypt the display information according to a preset decryption policy and display the decrypted display information.
16. The mobile terminal according to claim 15, characterized in that the secure area unit is specifically configured to start and display a VPN login interface, and to receive login information input into the VPN login interface.
17. The mobile terminal according to claim 16, characterized in that the secure area unit is specifically configured to encrypt the login information according to the preset encryption policy;
the non-secure area unit is specifically configured to transmit the encrypted login information to the VPN server.
18. The mobile terminal according to claim 17, characterized in that the secure area unit is further configured to call a physiological characteristic acquisition device to obtain and store physiological characteristic information, and to generate a key pair corresponding to the physiological characteristic information;
the non-secure area unit is further configured to transmit the public key of the key pair to the VPN server.
19. The mobile terminal according to claim 18, characterized in that the secure area unit is further configured to start and display a physiological characteristic login interface, and to call the physiological characteristic acquisition device to obtain physiological characteristic information;
and, when the acquired physiological characteristic information matches the stored physiological characteristic information, to encrypt indication information indicating the match with the private key corresponding to the stored physiological characteristic information, obtaining encrypted indication information;
and to encrypt the encrypted indication information according to the preset encryption policy, obtaining doubly encrypted indication information;
the non-secure area unit is further configured to send the doubly encrypted indication information to the VPN server.
20. The mobile terminal according to claim 15, characterized in that the secure area unit is specifically configured to receive an input instruction through an input device.
21. The mobile terminal according to claim 20, characterized in that the secure area unit is specifically configured to encrypt the input instruction according to the preset encryption policy;
the non-secure area unit is specifically configured to transmit the encrypted input instruction to the VPN server.
22. The mobile terminal according to claim 15, characterized in that the secure area unit is further configured to encrypt a logout request according to the preset encryption policy;
the non-secure area unit is further configured to transmit the encrypted logout request to the VPN server;
and to receive the encrypted logout-success indication sent by the VPN server;
the secure area unit is further configured to decrypt the encrypted logout-success indication, to complete the logout according to the decrypted logout-success indication, and to trigger the security monitor unit to switch to the non-secure area unit.
23. A virtual private network (VPN) server, characterized in that the VPN server comprises a receiving unit and a decryption processing unit; wherein
the receiving unit is configured to receive encrypted information sent by a mobile terminal;
the decryption processing unit is configured to decrypt the encrypted information according to a preset decryption policy corresponding to the encryption policy of the secure area of the mobile terminal, and to process the decrypted information according to the information type of the decrypted information.
24. The VPN server according to claim 23, characterized in that the encrypted information comprises encrypted login information; correspondingly, the decryption processing unit is specifically configured to:
decrypt the encrypted login information according to the preset decryption policy, verify the login information, and determine whether the login succeeds according to the verification result:
when the verification passes, determine that the login succeeds and establish a connection with the mobile terminal;
when the verification fails, confirm that the login fails.
25. The VPN server according to claim 24, characterized in that the receiving unit is further configured to receive the public key corresponding to the stored physiological characteristic information, and to bind the public key with the login information of the current user.
26. The VPN server according to claim 25, characterized in that the encrypted information comprises doubly encrypted indication information produced after the mobile terminal compares the physiological characteristic information collected in the secure area with the stored physiological characteristic information;
correspondingly, the decryption processing unit is specifically configured to:
decrypt according to the preset decryption policy, obtaining the indication information encrypted with the private key corresponding to the stored physiological characteristic information;
and decrypt the encrypted indication information with the public key corresponding to the stored physiological characteristic information, and confirm whether the login succeeds according to the decryption result:
and, when correct indication information is obtained, determine that the login by physiological characteristic information succeeds and establish a connection with the mobile terminal;
and, when correct indication information is not obtained, confirm that the login fails.
27. The VPN server according to claim 23, characterized in that the encrypted information comprises an input instruction for a user operation, encrypted by the secure area of the mobile terminal;
correspondingly, the decryption processing unit is specifically configured to:
decrypt the encrypted input instruction according to the preset decryption policy corresponding to the encryption policy of the secure area of the mobile terminal, and send the decrypted input instruction to the intranet for processing;
and receive the operation result for the input instruction returned by the intranet.
28. The VPN server according to claim 23, characterized in that the encrypted information comprises a logout request encrypted by the secure area of the mobile terminal;
correspondingly, the decryption processing unit is specifically configured to:
decrypt the encrypted logout request, complete the logout operation according to the logout request, encrypt a logout-success indication, and trigger the receiving unit;
the receiving unit is further configured to return the encrypted logout-success indication to the mobile terminal.
29. A system for secure data access based on a virtual private network (VPN), characterized in that the system comprises a mobile terminal and a VPN server;
wherein the mobile terminal is configured to obtain, in a secure area, private information to be sent to the VPN server;
and, after encrypting the private information in the secure area according to a preset encryption policy, to send the encrypted private information to the VPN server in a non-secure area;
and to receive, in the non-secure area, display information sent by the VPN server;
and, after decrypting the display information in the secure area according to a preset decryption policy, to display the decrypted display information;
the VPN server is configured to receive the encrypted information sent by the mobile terminal;
and to decrypt the encrypted information according to a preset decryption policy corresponding to the encryption policy of the secure area of the mobile terminal, and to process the decrypted information according to the information type of the decrypted information.
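The biometric exchange of claims 5, 11 and 12 (and its apparatus counterparts in claims 19 and 26), together with the decrypt-then-dispatch server behaviour of claim 9, written out in Go as an added example. This is illustration, not code from the patent or its assignee. The claims name no algorithms, so every concrete choice below is an assumption: the "preset encryption policy" shared by the secure area and the VPN server is modelled as AES-256-GCM under a pre-shared key; "encrypting the indication information with the private key" is realised as an Ed25519 signature, which is what that phrase means in practice; biometric matching is an exact comparison of a constructed template; the information-type tag 0x02, the function names BiometricLogin, NewVPNServer, IssueChallenge and Handle, and the user name alice are invented for the example. The server-issued single-use challenge is also an addition: the claims' indication information only says "the comparison is consistent", so the example binds it to one login attempt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Assumed information-type tag for a biometric indication (claim 9 dispatches
// on such a tag) and the size of the server challenge.
const typeBio, chalLen = byte(0x02), 16

// The claims' "preset encryption policy", modelled as AES-256-GCM under a
// pre-shared 32-byte key (assumption). Wire format: nonce || ciphertext || tag.
func gcm(k []byte) cipher.AEAD { b, _ := aes.NewCipher(k); g, _ := cipher.NewGCM(b); return g }

func sealChannel(k, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand.Read never returns an error in Go 1.24+
	return gcm(k).Seal(nonce, nonce, pt, nil)
}

func openChannel(k, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("short message")
	}
	return gcm(k).Open(nil, blob[:12], blob[12:], nil)
}

// BiometricLogin is the secure-area side of claim 5: priv and template are the
// enrolment key and stored template kept there (claims 3 and 18). Matching is
// modelled as exact template equality (real matchers are fuzzy). An Ed25519
// signature over user||chal stands in for "encrypt with the private key", and
// the signed indication is then sealed under chk: the claims' double encryption.
// chal is an assumption; the claims do not specify freshness of the indication.
func BiometricLogin(priv ed25519.PrivateKey, chk, template, sample []byte, user string, chal []byte) ([]byte, error) {
	a, b := sha256.Sum256(sample), sha256.Sum256(template)
	if subtle.ConstantTimeCompare(a[:], b[:]) != 1 {
		return nil, errors.New("biometric mismatch: no indication produced")
	}
	ind := append([]byte(user), chal...)
	msg := append([]byte{typeBio, byte(len(user))}, ind...)
	return sealChannel(chk, append(msg, ed25519.Sign(priv, ind)...)), nil
}

// VPNServer keeps the public key bound to each login after the password login
// (claim 11), the outstanding challenges (assumption) and the open sessions.
type VPNServer struct {
	Chk      []byte
	Bound    map[string]ed25519.PublicKey
	chals    map[string][]byte
	Sessions map[string]bool
}

func NewVPNServer(chk []byte) *VPNServer {
	return &VPNServer{chk, map[string]ed25519.PublicKey{}, map[string][]byte{}, map[string]bool{}}
}

func (v *VPNServer) IssueChallenge(user string) []byte {
	v.chals[user] = make([]byte, chalLen)
	rand.Read(v.chals[user])
	return v.chals[user]
}

// Handle is claims 9 and 12: decrypt under the shared policy, dispatch on the
// information type, verify the indication with the key bound to that user,
// consume the single-use challenge, and only then open a session.
func (v *VPNServer) Handle(blob []byte) (string, error) {
	pt, err := openChannel(v.Chk, blob)
	if err != nil || len(pt) < 2 {
		return "", errors.New("channel decryption failed")
	}
	if pt[0] != typeBio {
		return "", fmt.Errorf("unhandled information type 0x%02x", pt[0])
	}
	b, n := pt[1:], int(pt[1])
	if len(b) != 1+n+chalLen+ed25519.SignatureSize {
		return "", errors.New("malformed indication")
	}
	user, ind, sig := string(b[1:1+n]), b[1:1+n+chalLen], b[1+n+chalLen:]
	pub, ok := v.Bound[user]
	if !ok || !ed25519.Verify(pub, ind, sig) {
		return "", errors.New("indication does not verify: login failed")
	}
	if subtle.ConstantTimeCompare(ind[n:], v.chals[user]) != 1 {
		return "", errors.New("stale or replayed indication: login failed")
	}
	delete(v.chals, user) // single use
	v.Sessions[user] = true
	return "login ok", nil
}

func main() {
	chk, tpl := make([]byte, 32), []byte("constructed fingerprint template") // constructed data
	rand.Read(chk)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // enrolment in the secure area
	srv := NewVPNServer(chk)
	srv.Bound["alice"] = pub // claim 11: bound after the password login
	blob, _ := BiometricLogin(priv, chk, tpl, tpl, "alice", srv.IssueChallenge("alice"))
	fmt.Println(srv.Handle(blob)) // login ok <nil>
}
```

Run as a program it prints the happy path; the error paths in Handle are the order of checks a server implementing claim 12 has to make: channel authentication first (a tampered blob never reaches the public-key step), then the key bound to the named user, then the challenge. The challenge is the design choice worth noting: the claims' indication information is fixed content, so the example binds it to a per-login value and consumes that value on first use, which is why the same blob fails when presented a second time.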
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510728533.6A CN106656457A (en) 2015-10-30 2015-10-30 Method, device and system for safe access of data based on VPN
PCT/CN2016/088683 WO2017071296A1 (en) 2015-10-30 2016-07-05 Vpn-based secure data access method, device and system

Publications (1)

Publication Number Publication Date
CN106656457A (en) 2017-05-10

Family

ID=58631266

Country Status (2)

Country Link
CN (1) CN106656457A (en)
WO (1) WO2017071296A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112580062B (en) * 2019-09-27 2023-03-21 厦门网宿有限公司 Data consistency checking method and data uploading and downloading device
CN113556340B (en) * 2021-07-21 2023-09-26 国网四川省电力公司乐山供电公司 Portable VPN terminal, data processing method and storage medium

Citations (3)

Publication number Priority date Publication date Assignee Title
CN104115152A (en) * 2012-02-16 2014-10-22 三星电子株式会社 Method and apparatus for protecting digital content using device authentication
CN104507087A (en) * 2014-12-19 2015-04-08 上海斐讯数据通信技术有限公司 Security service system and security service method for mobile office work
US9021585B1 (en) * 2013-03-15 2015-04-28 Sprint Communications Company L.P. JTAG fuse vulnerability determination and protection using a trusted execution environment

Family Cites Families (3)

Publication number Priority date Publication date Assignee Title
CN101547102A (en) * 2008-11-26 2009-09-30 邵峰晶 Novel computer system structure and device with networking inside
US9077654B2 (en) * 2009-10-30 2015-07-07 Iii Holdings 2, Llc System and method for data center security enhancements leveraging managed server SOCs
CN104573565B (en) * 2015-01-23 2017-11-17 宇龙计算机通信科技(深圳)有限公司 EMS memory management process and device on a kind of TrustZone

Cited By (5)

Publication number Priority date Publication date Assignee Title
CN107395601A (en) * 2017-07-26 2017-11-24 华迪计算机集团有限公司 A kind of mobile office system and method based on the safe Intranets of VPN
CN109495885A (en) * 2017-09-13 2019-03-19 ***通信有限公司研究院 Authentication method, mobile terminal, management system and Bluetooth IC
CN109495885B (en) * 2017-09-13 2021-09-14 ***通信有限公司研究院 Authentication method, mobile terminal, management system and Bluetooth IC card
CN108966216A (en) * 2018-08-28 2018-12-07 云南电网有限责任公司电力科学研究院 A kind of method of mobile communication and device applied to power distribution network
CN112714099A (en) * 2020-11-30 2021-04-27 南方电网数字电网研究院有限公司 Communication system and method

Also Published As

Publication number Publication date
WO2017071296A1 (en) 2017-05-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20170510