CN106656457A - Method, device and system for safe access of data based on VPN - Google Patents
Publication number: CN106656457A (application CN201510728533.6A)
Authority: CN (China)
Prior art keywords: information, encryption, mobile terminal, vpn, decryption
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classification: H04L9/00 - Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols (H - Electricity; H04 - Electric communication technique; H04L - Transmission of digital information, e.g. telegraphic communication)
Abstract
The embodiment of the invention discloses a method, device and system for safe access of data based on a VPN. The method includes the following steps: a mobile terminal obtains privacy information to be sent to a VPN server in a safe region; the mobile terminal encrypts the privacy information according to a preset encryption strategy in the safe region, and sends the encrypted privacy information to the VPN server in a non-safe region; the mobile terminal receives display information sent by the VPN server in the non-safe region; and the mobile terminal decrypts the display information according to a preset decryption strategy in the safe region, and displays the decrypted display information.
Description
Technical field
The present invention relates to network security technology, and in particular to a method, apparatus and system for secure data access based on a virtual private network (VPN).
Background technology
With the development of mobile communication and integrated circuit technology, mobile terminals have acquired ever stronger processing capability and are increasingly becoming portable platforms for processing integrated information. At present, mobile terminals have also become an important tool for mobile office work.
Briefly, mobile office work means that a user can access the internal network of a company through a VPN from his or her own mobile terminal in order to perform remote data access. A VPN server is deployed in the company's internal network as the interface between the internal network and the external Internet. After the mobile terminal connects to the Internet, it can connect to the VPN server at the VPN server's public network address; after logging in to the VPN server, the user can enter the company intranet through the VPN server and perform the data access required for office work.
However, while remote office work from a mobile terminal brings convenience to the user, it also increases the risk of leaking company internal information and confidential data. In particular, the mainstream smart terminal operating systems of today, such as Android and Apple's iOS, are repeatedly attacked by viruses and Trojans. Consequently, once the user's mobile terminal is infected with a virus or implanted with a Trojan, the account and password are very likely to be stolen while the user logs in to the VPN server, and company internal data and secrets may be leaked while the user performs remote data access through the VPN, causing serious losses. Therefore, the security of remote data access performed by mobile terminals through a VPN currently needs attention.
The content of the invention
To solve the above technical problem, embodiments of the present invention are expected to provide a method, apparatus and system for secure data access based on a VPN that can improve, from the hardware layer upward, the security of data access performed by a user through a VPN using a mobile terminal.
The technical scheme of the present invention is achieved as follows:
In a first aspect, an embodiment of the present invention provides a method for secure data access based on a VPN. The method includes:
a mobile terminal obtains, in a secure region, private information to be sent to a VPN server;
the mobile terminal encrypts the private information in the secure region according to a preset encryption policy, and then sends the encrypted private information to the VPN server in a non-secure region;
the mobile terminal receives, in the non-secure region, display information sent by the VPN server;
the mobile terminal decrypts the display information in the secure region according to a preset decryption policy, and then displays the decrypted display information.
In the above scheme, the mobile terminal obtaining, in the secure region, private information to be sent to the VPN server specifically includes:
the mobile terminal starts and displays a VPN login interface in the secure region, and receives login information entered into the VPN login interface.
In the above scheme, the mobile terminal encrypting the private information in the secure region according to the preset encryption policy and then sending the encrypted private information to the VPN server in the non-secure region specifically includes:
the mobile terminal encrypts the login information in the secure region according to the preset encryption policy, and switches to the non-secure region;
the mobile terminal transmits the encrypted login information to the VPN server in the non-secure region.
In the above scheme, after the mobile terminal logs in to the VPN server, the method further includes:
the mobile terminal calls a biometric (physiological characteristic) acquisition device in the secure region to acquire and store biometric information, and then generates a key pair corresponding to the biometric information;
the mobile terminal transmits the public key of the key pair to the VPN server in the non-secure region.
In the above scheme, the method further includes:
the mobile terminal starts and displays a biometric login interface in the secure region, and calls the biometric acquisition device to acquire biometric information;
when the acquired biometric information matches the stored biometric information, the mobile terminal encrypts, in the secure region, indication information indicating a successful match with the private key corresponding to the stored biometric information, obtaining encrypted indication information;
the mobile terminal encrypts the encrypted indication information in the secure region according to the preset encryption policy, and then sends the doubly encrypted indication information to the VPN server in the non-secure region.
In the above scheme, the mobile terminal obtaining, in the secure region, private information to be sent to the VPN server specifically includes: the mobile terminal receives, in the secure region, an instruction entered through an input device.
In the above scheme, the mobile terminal encrypting the private information in the secure region according to the preset encryption policy and then sending the encrypted private information to the VPN server in the non-secure region specifically includes:
the mobile terminal encrypts the entered instruction in the secure region according to the preset encryption policy, and switches to the non-secure region;
the mobile terminal transmits the encrypted input instruction to the VPN server in the non-secure region.
In the above scheme, the method further includes:
the mobile terminal encrypts a logout request in the secure region according to the preset encryption policy, and switches to the non-secure region;
the mobile terminal transmits the encrypted logout request to the VPN server in the non-secure region;
the mobile terminal receives, in the non-secure region, an encrypted logout-success indication sent by the VPN server, and switches to the secure region;
the mobile terminal decrypts the encrypted logout-success indication in the secure region, completes the logout according to the decrypted logout-success indication, and switches to the non-secure region.
In a second aspect, an embodiment of the present invention provides a method for secure data access based on a VPN. The method includes:
a VPN server receives encrypted information sent by a mobile terminal;
the VPN server decrypts the encrypted information according to a preset decryption policy corresponding to the encryption policy in the secure region of the mobile terminal, and processes the decrypted information according to its information type.
In the above scheme, the encrypted information includes encrypted login information. Correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy in the secure region of the mobile terminal and processing the decrypted information according to its information type specifically includes:
the VPN server decrypts according to the preset decryption policy, verifies the login information, and determines from the verification result whether the login succeeds:
when the verification passes, the VPN server determines that the login succeeds and establishes a connection with the mobile terminal;
when the verification fails, the VPN server confirms that the login fails.
In the above scheme, after the user logs in, the method further includes: the VPN server receives the public key corresponding to the stored biometric information and binds the public key to the login information of the current user.
In the above scheme, the encrypted information includes doubly encrypted indication information produced after the mobile terminal compares the biometric information acquired in the secure region with the stored biometric information;
correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy in the secure region of the mobile terminal and processing the decrypted information according to its information type specifically includes:
the VPN server decrypts according to the preset decryption policy and obtains the indication information encrypted with the private key corresponding to the stored biometric information;
the VPN server decrypts the encrypted indication information with the public key corresponding to the stored biometric information and confirms from the decryption result whether the login succeeds:
when correct indication information is obtained, the VPN server determines that the biometric login succeeds and establishes a connection with the mobile terminal;
when correct indication information is not obtained, the VPN server confirms that the login fails.
In the above scheme, the encrypted information includes an input instruction for a user operation, encrypted by the secure region of the mobile terminal;
correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy in the secure region of the mobile terminal and processing the decrypted information according to its information type specifically includes:
the VPN server decrypts the encrypted input instruction according to the preset decryption policy corresponding to the encryption policy in the secure region of the mobile terminal, and sends it to the intranet for processing;
the VPN server receives the operation result for the input instruction returned by the intranet.
In the above scheme, the encrypted information includes a logout request encrypted by the secure region of the mobile terminal;
correspondingly, the VPN server decrypting the encrypted information according to the preset decryption policy corresponding to the encryption policy in the secure region of the mobile terminal and processing the decrypted information according to its information type specifically includes:
after decrypting the encrypted logout request, the VPN server completes the logout operation according to the logout request, encrypts a logout-success indication and returns it to the mobile terminal.
In a third aspect, an embodiment of the present invention provides a mobile terminal. The mobile terminal includes a secure region unit, a non-secure region unit and a security monitoring unit; wherein
the secure region unit is configured to obtain private information to be sent to a VPN server, to encrypt the private information according to a preset encryption policy, and to trigger the security monitoring unit;
the security monitoring unit is configured to switch from the secure region unit to the non-secure region unit;
the non-secure region unit is configured to send the encrypted private information to the VPN server, to receive display information sent by the VPN server, and to trigger the security monitoring unit;
the security monitoring unit is further configured to switch from the non-secure region unit to the secure region unit;
the secure region unit is further configured to decrypt the display information according to a preset decryption policy and then display the decrypted display information.
In the above scheme, the secure region unit is specifically configured to start and display a VPN login interface and to receive login information entered into the VPN login interface.
In the above scheme, the secure region unit is specifically configured to encrypt the login information according to the preset encryption policy;
the non-secure region unit is specifically configured to transmit the encrypted login information to the VPN server.
In the above scheme, the secure region unit is further configured to call a biometric acquisition device to acquire and store biometric information, and then to generate a key pair corresponding to the biometric information;
the non-secure region unit is further configured to transmit the public key of the key pair to the VPN server.
In the above scheme, the secure region unit is further configured to start and display a biometric login interface and to call the biometric acquisition device to acquire biometric information;
and, when the acquired biometric information matches the stored biometric information, to encrypt indication information indicating a successful match with the private key corresponding to the stored biometric information, obtaining encrypted indication information;
and, to encrypt the encrypted indication information according to the preset encryption policy, obtaining doubly encrypted indication information;
the non-secure region unit is further configured to send the doubly encrypted indication information to the VPN server.
In the above scheme, the secure region unit is specifically configured to receive an entered instruction through an input device.
In the above scheme, the secure region unit is specifically configured to encrypt the entered instruction according to the preset encryption policy;
the non-secure region unit is specifically configured to transmit the encrypted input instruction to the VPN server.
In the above scheme, the secure region unit is further configured to encrypt a logout request according to the preset encryption policy;
the non-secure region unit is further configured to transmit the encrypted logout request to the VPN server, and to receive an encrypted logout-success indication sent by the VPN server;
the secure region unit is further configured to decrypt the encrypted logout-success indication, to complete the logout according to the decrypted logout-success indication, and to trigger the security monitoring unit to switch to the non-secure region unit.
In a fourth aspect, an embodiment of the present invention provides a VPN server. The VPN server includes a receiving unit and a decryption processing unit; wherein
the receiving unit is configured to receive encrypted information sent by a mobile terminal;
the decryption processing unit is configured to decrypt the encrypted information according to a preset decryption policy corresponding to the encryption policy in the secure region of the mobile terminal, and to process the decrypted information according to its information type.
In the above scheme, the encrypted information includes encrypted login information; correspondingly, the decryption processing unit is specifically configured to:
decrypt according to the preset decryption policy, verify the login information, and determine from the verification result whether the login succeeds:
when the verification passes, determine that the login succeeds and establish a connection with the mobile terminal;
when the verification fails, confirm that the login fails.
In the above scheme, the receiving unit is further configured to receive the public key corresponding to the stored biometric information and to bind the public key to the login information of the current user.
In the above scheme, the encrypted information includes doubly encrypted indication information produced after the mobile terminal compares the biometric information acquired in the secure region with the stored biometric information; correspondingly, the decryption processing unit is specifically configured to:
decrypt according to the preset decryption policy to obtain the indication information encrypted with the private key corresponding to the stored biometric information;
and decrypt the encrypted indication information with the public key corresponding to the stored biometric information, and confirm from the decryption result whether the login succeeds:
when correct indication information is obtained, determine that the biometric login succeeds and establish a connection with the mobile terminal;
when correct indication information is not obtained, confirm that the login fails.
In the above scheme, the encrypted information includes an input instruction for a user operation, encrypted by the secure region of the mobile terminal; correspondingly, the decryption processing unit is specifically configured to:
decrypt the encrypted input instruction according to the preset decryption policy corresponding to the encryption policy in the secure region of the mobile terminal, and send it to the intranet for processing;
and receive the operation result for the input instruction returned by the intranet.
In the above scheme, the encrypted information includes a logout request encrypted by the secure region of the mobile terminal; correspondingly, the decryption processing unit is specifically configured to:
after decrypting the encrypted logout request, complete the logout operation according to the logout request, encrypt a logout-success indication and trigger the receiving unit;
the receiving unit is further configured to return the encrypted logout-success indication to the mobile terminal.
In a fifth aspect, an embodiment of the present invention provides a system for secure data access based on a VPN. The system includes a mobile terminal and a VPN server; wherein
the mobile terminal is configured to obtain, in a secure region, private information to be sent to the VPN server;
and, after encrypting the private information in the secure region according to a preset encryption policy, to send the encrypted private information to the VPN server in a non-secure region;
and, to receive, in the non-secure region, display information sent by the VPN server;
and, after decrypting the display information in the secure region according to a preset decryption policy, to display the decrypted display information;
the VPN server is configured to receive the encrypted information sent by the mobile terminal;
and, to decrypt the encrypted information according to a preset decryption policy corresponding to the encryption policy in the secure region of the mobile terminal, and to process the decrypted information according to its information type.
Embodiments of the present invention provide a method, apparatus and system for secure data access based on a VPN. By using the division into a secure region and a non-secure region that already exists in current mobile terminal processor architectures, the confidential data that the mobile terminal needs to exchange with the VPN server is handled by the secure region of the processor architecture. Thus, even when the non-secure region of the mobile terminal processor architecture is infected with a virus or implanted with a Trojan, the security of the user's data access through the VPN from the mobile terminal is still improved from the hardware layer upward.
Description of the drawings
Fig. 1 is a schematic flow chart of a method for secure data access based on a VPN provided in an embodiment of the present invention;
Fig. 2 is a schematic diagram of a registration process provided in an embodiment of the present invention;
Fig. 3 is a schematic diagram of a login process provided in an embodiment of the present invention;
Fig. 4 is a schematic diagram of a logout process provided in an embodiment of the present invention;
Fig. 5 is a schematic flow chart of another method for secure data access based on a VPN provided in an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a mobile terminal provided in an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a VPN server provided in an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a system for secure data access based on a VPN provided in an embodiment of the present invention.
Specific embodiment
The technical scheme of the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings of the embodiments.
The basic idea of the embodiments of the present invention is as follows: using a processor architecture that has a secure region and a non-secure region, for example an ARM processor architecture supporting TrustZone, the operations of higher security level performed by the mobile terminal during remote data access are executed by a secure operating system running in the secure region of the processor, while the non-secure operating system running in the non-secure region of the processor is used only for data transmission between the mobile terminal and the VPN server. In this way, the operation data of the user's VPN remote data access cannot be obtained in the non-secure operating system, which protects the security of that operation data.
Based on the above basic idea, the technical scheme that implements it is illustrated below through several embodiments. For clarity, the subsequent embodiments take as an example a mobile terminal with an ARM processor architecture supporting TrustZone technology and running the Android operating system. It will be understood that a person skilled in the art can apply the technical scheme of the embodiments of the present invention to other processor architectures that support a secure region and a non-secure region, and to mobile terminals running other mobile operating systems; the embodiments of the present invention do not elaborate on this.
Embodiment one
Referring to Fig. 1, which illustrates a method for secure data access based on a VPN provided in an embodiment of the present invention, the method is applied to a mobile terminal that has both a secure region and a non-secure region, and may include:
S101: the mobile terminal obtains, in the secure region, private information to be sent to the VPN server;
S102: the mobile terminal encrypts the private information in the secure region according to a preset encryption policy, and then sends the encrypted private information to the VPN server in the non-secure region;
S103: the mobile terminal receives, in the non-secure region, display information sent by the VPN server;
S104: the mobile terminal decrypts the display information in the secure region according to a preset decryption policy, and then displays the decrypted display information.
It should be noted that, taking an ARM processor architecture supporting TrustZone technology as an example, TrustZone technology separates two parallel and isolated execution environments: a non-secure normal execution environment, which is the non-secure region above, and a secure trusted execution environment, which is the secure region above. Switching between the secure region and the non-secure region is controlled by a security monitor (Monitor). Therefore, for a mobile terminal that has both a secure region and a non-secure region, switching between the two can be realized by a dedicated security monitoring mechanism, which the embodiments of the present invention do not describe in detail.
It can be seen that, in the embodiments of the present invention, through the method flow shown in Fig. 1 the mobile terminal performs only its own data transmission with the VPN server in the non-secure region; the acquisition and encryption of the information to be sent, and the decryption and display of the information received from the VPN server, are all completed in the secure region of the mobile terminal. Because the secure region and the non-secure region are parallel and isolated, viruses infecting the mobile terminal in the non-secure region and implanted Trojans are likewise isolated outside the secure region of the mobile terminal. Hence the flow shown in Fig. 1 can improve, from the hardware layer upward, the security of the user's data access through the VPN from the mobile terminal.
Exemplarily, on the basis of the flow shown in Fig. 1, it should be noted that the private information may specifically include login information for logging in to the VPN. Therefore, the mobile terminal obtaining, in the secure region, private information to be sent to the VPN server may specifically include:
the mobile terminal starts and displays a VPN login interface in the secure region, and receives login information entered into the VPN login interface, such as a user name and password.
Correspondingly, the mobile terminal encrypting the private information in the secure region according to the preset encryption policy and then sending the encrypted private information to the VPN server in the non-secure region specifically includes:
the mobile terminal encrypts the login information in the secure region according to the preset encryption policy, and switches to the non-secure region;
and the mobile terminal transmits the encrypted login information to the VPN server in the non-secure region.
It will be understood that after receiving the encrypted login information, the VPN server decrypts it according to the preset decryption policy, verifies the login information, and determines from the verification result whether the login succeeds:
when the verification passes, the VPN server determines that the login succeeds and establishes a connection between the mobile terminal and the VPN server;
when the verification fails, the VPN server confirms that the login fails.
Further, in order to improve the security of user login, after the user has successfully logged in to the VPN server with conventional login information, i.e. user name and password, a security-enhanced VPN login can also be performed with the user's biometric (physiological) characteristics, for example the user's fingerprint or eyeprint. Therefore, after the mobile terminal logs in to the VPN server with conventional login information, a process of registering the user's biometric information may also be included. Referring to Fig. 2, this may specifically include:
S201: the mobile terminal calls a biometric acquisition device in the secure region to acquire and store biometric information, and then generates a key pair corresponding to the biometric information;
S202: the mobile terminal transmits the public key of the key pair to the VPN server in the non-secure region.
Specifically, the mobile terminal can start a camera in the secure region to acquire biometric information such as the user's eyeprint or fingerprint. It will be understood that after the VPN server receives the public key corresponding to the biometric information, it can bind the public key to the login information of the current user, so that the biometric information can subsequently serve as the security-enhanced login information of the current user.
Further, corresponding to the registration of the user's biometric information, a process of logging in with the user's biometric information may also be included. Referring to Fig. 3, this may specifically include:
S301: the mobile terminal starts and displays a biometric login interface in the secure region, and calls the biometric acquisition device to acquire biometric information;
S302: when the acquired biometric information matches the stored biometric information, the mobile terminal encrypts, in the secure region, indication information indicating a successful match with the private key corresponding to the stored biometric information, obtaining encrypted indication information;
S303: the mobile terminal encrypts the encrypted indication information in the secure region according to the preset encryption policy, and then sends the doubly encrypted indication information to the VPN server in the non-secure region.
Specifically, the mobile terminal can start a camera in the secure region to acquire biometric information such as the user's eyeprint or fingerprint. It will be understood that after the VPN server receives the doubly encrypted indication information, it decrypts it to obtain the encrypted indication information, decrypts that encrypted indication information with the public key corresponding to the stored biometric information, and confirms from the decryption result whether the login succeeds:
when correct indication information is obtained, the VPN server determines that the biometric login succeeds and establishes a connection between the mobile terminal and the VPN server;
when correct indication information is not obtained, the VPN server confirms that the login fails.
Exemplarily, once registration and login between the mobile terminal and the VPN server have been completed by the above scheme and the connection between the mobile terminal and the VPN has been established, remote data access is carried out through data interaction between the mobile terminal and the VPN. Specifically, the user sends input instructions to the VPN server through the mobile terminal; the VPN forwards the input instruction to the intranet, which performs the operation the instruction requests; the intranet then sends the operation result that is to be displayed on the user terminal to the VPN, and the VPN returns it to the mobile terminal. Here, the instruction the user inputs while operating is one kind of privacy information, and the result to be displayed on the mobile terminal is one kind of display information. Accordingly, the detailed process by which the VPN returns the operation result to the mobile terminal may refer to steps S103 to S104 in Fig. 1. When the instruction input by the user is the privacy information, the mobile terminal obtaining, in the secure region, the privacy information to be sent to the VPN server specifically includes: the mobile terminal receiving the input instruction through an input device in the secure region; for example, the mobile terminal may call the touch screen in the secure region to receive and record the user's input operation.
Correspondingly, the mobile terminal encrypting the privacy information according to the preset encryption policy in the secure region and then sending the encrypted privacy information to the VPN server in the non-secure region specifically includes:
the mobile terminal encrypts the input instruction according to the preset encryption policy in the secure region, and switches to the non-secure region;
and, in the non-secure region, the mobile terminal transmits the encrypted input instruction to the VPN server.
It will be appreciated that, after the VPN server decrypts the encrypted input instruction, it sends the instruction to the intranet for processing, thereby obtaining the operation result that needs to be displayed for that input instruction.
Exemplarily, after the mobile terminal has finished the remote data access, the logged-in information also needs to be logged out. Referring to Fig. 4, this may specifically include:
S401: in the secure region, the mobile terminal encrypts a logout request according to the preset encryption policy, and switches to the non-secure region;
S402: in the non-secure region, the mobile terminal transmits the encrypted logout request to the VPN server;
It will be appreciated that, after the VPN server decrypts the encrypted logout request, it may complete the logout operation according to the request and encrypt a logout-success indication.
S403: in the non-secure region, the mobile terminal receives the encrypted logout-success indication sent by the VPN server, and switches to the secure region;
S404: in the secure region, the mobile terminal decrypts the encrypted logout-success indication, completes the logout according to the decrypted indication, and switches to the non-secure region.
This embodiment provides a method for secure access of data based on a VPN that is applied on the mobile terminal side. By making use of the division into security regions in current mobile terminal processor architectures, the confidential data that the mobile terminal needs to exchange with the VPN server is handled and processed in the secure region of the processor architecture. Thus, even when the non-secure region of the mobile terminal's processor architecture is infected by a virus or implanted with a Trojan, the security of the user's data access through the VPN from the mobile terminal is still improved at the hardware level.
Embodiment two
Based on the same technical concept as the previous embodiment, and referring to Fig. 5, an embodiment of the present invention provides a method for secure access of data based on a VPN that is applied on the VPN server side. The method may include:
S501: the VPN server receives encryption information sent by the mobile terminal;
It should be noted that the encryption information is encrypted in the secure region of the mobile terminal and sent from the non-secure region of the mobile terminal.
S502: the VPN server decrypts the encryption information according to a preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and processes the decrypted information according to its information type.
It should be noted that the role of the VPN server in the technical scheme of the whole embodiment is to establish the connection between the mobile terminal and the intranet, and to process the information transmitted by the mobile terminal accordingly.
Specifically, when the user logs in to the VPN through the mobile terminal, the encryption information may include login information, such as a user name and password, encrypted by the mobile terminal in the secure region. Correspondingly, the VPN server decrypting the encryption information according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and processing the decrypted information according to its information type, may specifically include:
after receiving the encrypted login information, the VPN server decrypts it according to the preset decryption policy, verifies the login information, and determines from the verification result whether the login succeeded:
when the verification passes, the VPN server determines that the login succeeded and establishes the connection between the mobile terminal and the VPN server;
when the verification fails, the VPN server determines that the login failed.
Further, in order to improve the security of the user's login, after the user has successfully logged in to the VPN server with conventional login information such as a user name and password, a security-enhanced VPN login may also be performed with the user's biometric information, for example the user's fingerprint or eye print. This requires an additional registration of the user's biometric information. In that case the encryption information may include the public key of the key pair corresponding to the biometric information collected by the mobile terminal in the secure region. Correspondingly, after the user has logged in, the VPN server receives the public key corresponding to the biometric information and binds it to the login information of the current user, so that the biometric information can subsequently serve as security-enhanced login information for the current user.
Further, after the user's biometric information has been registered, the method also includes a process of logging in by means of the user's biometric information. In that case the encryption information may include a doubly encrypted indication produced after the biometric information collected by the mobile terminal in the secure region has been compared with the stored biometric information. Correspondingly, the VPN server decrypting the encryption information according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and processing the decrypted information according to its information type, may specifically include:
the VPN server decrypts according to the preset decryption policy and obtains the indication encrypted with the private key corresponding to the stored biometric information;
and, the VPN server decrypts the encrypted indication with the public key corresponding to the stored biometric information and determines from the decryption result whether the login succeeded:
and, when the correct indication is obtained, the VPN server determines that the login by biometric information succeeded and establishes the connection between the mobile terminal and the VPN server;
and, when the correct indication is not obtained, the VPN server determines that the login failed.
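The two-layer biometric login just described, covering both the terminal side (S301 to S303 in embodiment one) and the VPN server side above, is shown end to end in the following added example; it is not the patent's own code. It assumes the "preset encryption policy" is a symmetric key shared between the secure region and the VPN server, models "encrypting with the private key" as a textbook RSA signature over a hash with deliberately small demonstration keys, and uses constructed biometric templates; the non-secure region is modelled as a relay that only ever carries ciphertext, and `demo()` also shows that an indication altered while outside the secure region is rejected.

```python
"""Added example (not the patent's code): the two-layer biometric login.
Inner layer: 'encrypt the indication with the biometric private key', modelled as a textbook
RSA signature over SHA-256 (small demo keys).  Outer layer: 'encrypt according to the preset
encryption policy', modelled as a shared-key stream cipher (SHAKE-256) with an HMAC tag.
All keys and templates below are constructed for the demonstration."""
import hashlib, hmac, secrets

INDICATION = b"BIOMETRIC_MATCH_OK"   # the 'comparison consistent' indication

# ---- textbook RSA (demonstration only) -----------------------------------
def _is_probable_prime(n, rounds=16):   # Miller-Rabin; callers only pass odd n >= 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)); n is 'bits' wide, so a SHA-256 digest is always < n."""
    e, primes = 65537, []
    while len(primes) < 2:
        cand = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        # e is prime, so e not dividing p-1 or q-1 gives gcd(e, phi) == 1
        if _is_probable_prime(cand) and cand not in primes and (cand - 1) % e:
            primes.append(cand)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _digest_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def private_key_encrypt(priv, msg):      # the patent's 'encrypt with the private key'
    return pow(_digest_int(msg), priv[1], priv[0])

def public_key_decrypt(pub, msg, sig):   # the patent's 'decrypt with the public key'
    return pow(sig, pub[1], pub[0]) == _digest_int(msg)

# ---- 'preset encryption policy': shared-key stream cipher + HMAC tag ------
def _xor_stream(key, nonce, data):       # keystream = SHAKE-256(key || nonce)
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))

def policy_encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def policy_decrypt(key, blob):           # raises ValueError if altered outside the secure region
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("outer layer failed authentication")
    return _xor_stream(key, nonce, ct)

class SecureRegion:
    """What never leaves the terminal's secure region: template, private key, policy key."""
    def __init__(self, policy_key):
        self.policy_key, self.template, self.priv = policy_key, None, None

    def register(self, captured):        # save template, generate pair, release only the public key
        self.template = captured
        pub, self.priv = rsa_keygen()
        return pub

    def login(self, captured):           # S301-S303
        if captured != self.template:
            return None                  # comparison inconsistent: nothing is sent
        sig = private_key_encrypt(self.priv, INDICATION)
        return policy_encrypt(self.policy_key, INDICATION + b"|" + sig.to_bytes(64, "big"))

class VpnServer:
    def __init__(self, policy_key):
        self.policy_key, self.bound_pub = policy_key, {}   # user -> public key bound at registration

    def biometric_login(self, user, blob):   # outer layer first, then the bound public key
        try:
            indication, sig_bytes = policy_decrypt(self.policy_key, blob).split(b"|", 1)
        except ValueError:
            return False
        pub = self.bound_pub.get(user)
        return (pub is not None and indication == INDICATION
                and public_key_decrypt(pub, indication, int.from_bytes(sig_bytes, "big")))

def demo():
    """Register and log in once; the non-secure region is only a relay carrying ciphertext."""
    policy_key = secrets.token_bytes(32)                      # constructed shared policy key
    terminal, server = SecureRegion(policy_key), VpnServer(policy_key)
    template = b"constructed-eye-print-template-0001"         # constructed biometric template
    server.bound_pub["alice"] = terminal.register(template)   # binding to the user's login information
    blob = terminal.login(template)
    altered = bytearray(blob)
    altered[20] ^= 0x01                                       # one byte changed in the non-secure region
    return {"match": server.biometric_login("alice", blob),
            "altered": server.biometric_login("alice", bytes(altered)),
            "mismatch_sends_nothing": terminal.login(b"other-template") is None,
            "unbound_user": server.biometric_login("bob", blob)}
```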
Exemplarily, registration and login between the mobile terminal and the VPN server can be completed by the above scheme. After the connection between the mobile terminal and the VPN has been established, remote data access is carried out through data interaction between the mobile terminal and the VPN. Specifically, the user sends input instructions to the VPN server through the mobile terminal; the VPN forwards the input instruction to the intranet, which performs the operation the instruction requests; the intranet then sends the operation result that is to be displayed on the user terminal to the VPN, and the VPN returns it to the mobile terminal.
In that case the encryption information may include the instruction input by the user while operating, encrypted in the secure region of the mobile terminal. Correspondingly, the VPN server decrypting the encryption information according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and processing the decrypted information according to its information type, may specifically include:
the VPN server decrypts the encrypted input instruction according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and sends it to the intranet for processing;
the VPN server receives the operation result for the input instruction returned by the intranet.
It will be appreciated that, since the operation result needs to be displayed on the mobile terminal, the VPN server may encrypt the operation result and send the encrypted operation result to the mobile terminal.
Exemplarily, after the mobile terminal has finished the remote data access, the logged-in information also needs to be logged out. In that case the encryption information may include a logout request encrypted in the secure region of the mobile terminal. Correspondingly, the VPN server decrypting the encryption information according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and processing the decrypted information according to its information type, may specifically include:
after the VPN server decrypts the encrypted logout request, it may complete the logout operation according to the request, encrypt a logout-success indication and return it to the mobile terminal, so that the mobile terminal, after decrypting the encrypted logout-success indication, completes the logout according to the decrypted indication.
Embodiment three
Based on the same technical concept as the previous embodiments, and referring to Fig. 6, an embodiment of the present invention provides the structure of a mobile terminal 60. The mobile terminal 60 includes: a secure region unit 601, a non-secure region unit 602 and a security monitor unit 603; wherein,
the secure region unit 601 is configured to obtain the privacy information to be sent to the VPN server;
and to encrypt the privacy information according to the preset encryption policy;
and to trigger the security monitor unit 603;
the security monitor unit 603 is configured to switch from the secure region unit 601 to the non-secure region unit 602;
the non-secure region unit 602 is configured to send the encrypted privacy information to the VPN server;
and to receive the display information sent by the VPN server;
and to trigger the security monitor unit 603;
the security monitor unit 603 is further configured to switch from the non-secure region unit 602 to the secure region unit 601;
the secure region unit 601 is further configured to decrypt the display information according to the preset decryption policy and then display the decrypted display information.
Exemplarily, the secure region unit 601 is specifically configured to: start and display a VPN login interface, and receive the login information input into the VPN login interface.
Further, the secure region unit 601 is specifically configured to: encrypt the login information according to the preset encryption policy;
the non-secure region unit 602 is specifically configured to: transmit the encrypted login information to the VPN server.
Further, the secure region unit 601 is further configured to call the biometric capture device to obtain and save biometric information, and then to generate a key pair corresponding to the biometric information;
the non-secure region unit 602 is further configured to transmit the public key of the key pair to the VPN server.
Further, the secure region unit 601 is further configured to start and display a biometric login interface and to call the biometric capture device to obtain biometric information;
and, when the captured biometric information is compared with the stored biometric information and found consistent, to encrypt an indication that the comparison was consistent using the private key corresponding to the stored biometric information, obtaining an encrypted indication;
and to encrypt the encrypted indication according to the preset encryption policy, obtaining a doubly encrypted indication;
the non-secure region unit 602 is further configured to send the doubly encrypted indication to the VPN server.
Exemplarily, the secure region unit 601 is specifically configured to receive the input instruction through an input device.
Further, the secure region unit 601 is specifically configured to encrypt the input instruction according to the preset encryption policy;
the non-secure region unit 602 is specifically configured to transmit the encrypted input instruction to the VPN server.
Exemplarily, the secure region unit 601 is further configured to encrypt a logout request according to the preset encryption policy;
the non-secure region unit 602 is further configured to transmit the encrypted logout request to the VPN server;
and to receive the encrypted logout-success indication sent by the VPN server;
the secure region unit 601 is further configured to decrypt the encrypted logout-success indication, complete the logout according to the decrypted indication, and trigger the security monitor unit 603 to switch to the non-secure region unit 602.
It should be noted that, in the specific implementation of this embodiment of the present invention, a secure operating system runs in the secure region unit 601 and can access the underlying hardware, including the camera, touch screen and display, through secure device drivers. The secure operating system is dedicated to running applications with a high security level, such as a secure VPN application or a secure payment application. It is a simplified, stable operating system: the secure tasks running in it are executed serially and the scheduling policy is non-preemptive, which improves the security and stability inside the system. A secure application can be installed in the system only after passing security certification, which ensures the external security of the secure operating system. In this embodiment, the specific functions of the secure region unit 601 are realised by the secure VPN application running in the secure operating system, which may specifically include VPN password login, eye-print registration, eye-print login, secure input, secure display and secure logout functions. The secure region unit 601 has independent secure device drivers (15), including a secure camera driver, a secure display driver and a secure touch-screen driver, which can only be called by the secure operating system (12).
A non-secure operating system runs in the non-secure region unit 602, for example Android, the mainstream operating system on current smart terminals, which can meet the user's various needs on the smart terminal. Because this system is open source and free, and the user may browse web pages and install all kinds of applications, its security is not high and it is likely to be attacked by viruses or Trojans. The non-secure region unit 602 is also equipped with independent non-secure device drivers (19), including a non-secure camera driver, a non-secure display driver and a non-secure touch-screen driver, which can only be called by the non-secure operating system (16).
The security monitor unit 603 is responsible for communication and switching between the secure region unit 601 and the non-secure region unit 602.
It will be appreciated that hardware devices such as the camera, display and touch screen can only be accessed through the secure operating system (12) in the secure region unit 601, and only through the non-secure operating system (16) in the non-secure region unit 602. The isolation between the secure and non-secure sides is thus realised in hardware, ensuring the security of the remote-working data.
Embodiment four
Based on the same technical concept as the previous embodiments, and referring to Fig. 7, an embodiment of the present invention provides the structure of a VPN server 70. The VPN server 70 includes: a receiving unit 701 and a decryption processing unit 702; wherein,
the receiving unit 701 is configured to receive the encryption information sent by the mobile terminal;
the decryption processing unit 702 is configured to decrypt the encryption information according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and to process the decrypted information according to its information type.
Exemplarily, the encryption information includes encrypted login information; correspondingly, the decryption processing unit 702 is specifically configured to:
decrypt according to the preset decryption policy, verify the login information, and determine from the verification result whether the login succeeded:
when the verification passes, determine that the login succeeded and establish the connection with the mobile terminal;
when the verification fails, determine that the login failed.
Further, the receiving unit 701 is further configured to receive the public key corresponding to the stored biometric information, and to bind the public key to the login information of the current user.
Further, the encryption information includes a doubly encrypted indication produced after the biometric information collected by the mobile terminal in the secure region has been compared with the stored biometric information;
correspondingly, the decryption processing unit 702 is specifically configured to:
decrypt according to the preset decryption policy and obtain the indication encrypted with the private key corresponding to the stored biometric information;
and decrypt the encrypted indication with the public key corresponding to the stored biometric information, and determine from the decryption result whether the login succeeded:
and, when the correct indication is obtained, determine that the login by biometric information succeeded and establish the connection with the mobile terminal;
and, when the correct indication is not obtained, determine that the login failed.
Exemplarily, the encryption information includes the instruction input by the user while operating, encrypted in the secure region of the mobile terminal;
correspondingly, the decryption processing unit 702 is specifically configured to:
decrypt the encrypted input instruction according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and send it to the intranet for processing;
and receive the operation result for the input instruction returned by the intranet.
Exemplarily, the encryption information includes a logout request encrypted in the secure region of the mobile terminal;
correspondingly, the decryption processing unit 702 is specifically configured to:
after decrypting the encrypted logout request, complete the logout operation according to the logout request, encrypt a logout-success indication and trigger the receiving unit 701;
the receiving unit 701 is further configured to return the encrypted logout-success indication to the mobile terminal.
It should be noted that the VPN server 70 can perform password login authentication, eye-print login authentication, binding of the eye-print public key to the user, data encryption and decryption, data transfer and other functions. It can be connected not only to the external Internet but also to the company intranet, establishing the connection between the mobile terminal and the company intranet.
Embodiment five
Based on the same technical concept as the previous embodiments, and referring to Fig. 8, which shows the structure of a system 80 for secure access of data based on a VPN, the system 80 may include: a mobile terminal 60 and a VPN server 70; wherein,
the mobile terminal 60 is configured to obtain, in the secure region, the privacy information to be sent to the VPN server 70;
and, after encrypting the privacy information according to the preset encryption policy in the secure region, to send the encrypted privacy information to the VPN server 70 in the non-secure region;
and to receive, in the non-secure region, the display information sent by the VPN server 70;
and, after decrypting the display information according to the preset decryption policy in the secure region, to display the decrypted display information;
the VPN server 70 is configured to receive the encryption information sent by the mobile terminal 60;
and to decrypt the encryption information according to the preset decryption policy corresponding to the encryption policy of the secure region of the mobile terminal 60, and to process the decrypted information according to its information type.
Those skilled in the art should appreciate that embodiments of the invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of a hardware embodiment, a software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage and optical storage) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a specific way, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
Claims (29)
1. A method for secure access of data based on a virtual private network (VPN), characterised in that the method includes:
a mobile terminal obtaining, in a secure region, privacy information to be sent to a VPN server;
the mobile terminal encrypting the privacy information according to a preset encryption policy in the secure region, and then sending the encrypted privacy information to the VPN server in a non-secure region;
the mobile terminal receiving, in the non-secure region, display information sent by the VPN server;
the mobile terminal decrypting the display information according to a preset decryption policy in the secure region, and then displaying the decrypted display information.
2. The method according to claim 1, characterised in that the mobile terminal obtaining, in the secure region, the privacy information to be sent to the VPN server specifically includes:
the mobile terminal starting and displaying a VPN login interface in the secure region, and receiving login information input into the VPN login interface.
3. The method according to claim 2, characterised in that the mobile terminal encrypting the privacy information according to the preset encryption policy in the secure region and then sending the encrypted privacy information to the VPN server in the non-secure region specifically includes:
the mobile terminal encrypting the login information according to the preset encryption policy in the secure region, and switching to the non-secure region;
the mobile terminal transmitting the encrypted login information to the VPN server in the non-secure region.
4. The method according to claim 3, characterised in that, after the mobile terminal logs in to the VPN server, the method further includes:
the mobile terminal calling a biometric capture device in the secure region to obtain and save biometric information, and then generating a key pair corresponding to the biometric information;
the mobile terminal transmitting the public key of the key pair to the VPN server in the non-secure region.
5. The method according to claim 4, characterised in that the method further includes:
the mobile terminal starting and displaying a biometric login interface in the secure region, and calling the biometric capture device to obtain biometric information;
when the captured biometric information is compared with the stored biometric information and found consistent, the mobile terminal, in the secure region, encrypting an indication that the comparison was consistent using the private key corresponding to the stored biometric information, obtaining an encrypted indication;
the mobile terminal encrypting the encrypted indication according to the preset encryption policy in the secure region, and then sending the doubly encrypted indication to the VPN server in the non-secure region.
6. The method according to claim 1, characterised in that the mobile terminal obtaining, in the secure region, the privacy information to be sent to the VPN server specifically includes: the mobile terminal receiving an input instruction through an input device in the secure region.
7. The method according to claim 6, characterised in that the mobile terminal encrypting the privacy information according to the preset encryption policy in the secure region and then sending the encrypted privacy information to the VPN server in the non-secure region specifically includes:
the mobile terminal encrypting the input instruction according to the preset encryption policy in the secure region, and switching to the non-secure region;
the mobile terminal transmitting the encrypted input instruction to the VPN server in the non-secure region.
8. The method according to claim 1, characterised in that the method further includes:
the mobile terminal encrypting a logout request according to the preset encryption policy in the secure region, and switching to the non-secure region;
the mobile terminal transmitting the encrypted logout request to the VPN server in the non-secure region;
the mobile terminal receiving, in the non-secure region, an encrypted logout-success indication sent by the VPN server, and switching to the secure region;
the mobile terminal decrypting the encrypted logout-success indication in the secure region, completing the logout according to the decrypted logout-success indication, and switching to the non-secure region.
9. A method for secure access of data based on a virtual private network (VPN), characterised in that the method includes:
a VPN server receiving encryption information sent by a mobile terminal;
the VPN server decrypting the encryption information according to a preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and processing the decrypted information according to its information type.
10. The method according to claim 9, characterised in that the encryption information includes encrypted login information, and correspondingly the VPN server decrypting the encryption information according to the preset decryption policy corresponding to the encryption policy of the mobile terminal's secure region, and processing the decrypted information according to its information type, specifically includes:
the VPN server decrypting according to the preset decryption policy, verifying the login information, and determining from the verification result whether the login succeeded:
when the verification passes, the VPN server determining that the login succeeded, and the VPN server establishing the connection with the mobile terminal;
when the verification fails, the VPN server determining that the login failed.
11. methods according to claim 10, it is characterised in that after user logs in, the side
Method also includes:The vpn server receives the corresponding public key of physiological characteristic information of storage, and by institute
State public key to be bound with the log-on message of active user.
12. methods according to claim 11, it is characterised in that the encryption information includes mobile whole
Hold double after the physiological characteristic information of safety zone collection is compared with the physiological characteristic information of storage adding
Close configured information;
Correspondingly, the vpn server is according to default relative with the encryption policy in mobile terminal safety region
The decryption policy answered is decrypted to encryption information, and according to decryption after information type correspondingly to decryption after
Information processed, specifically include:
The vpn server is decrypted according to default decryption policy, obtains the physiological feature by storage
The configured information that the corresponding private key of information is encrypted;
Instruction of the vpn server according to the corresponding public key of physiological characteristic information of the storage to encrypting
Information is decrypted, and obtains whether results verification logs in successfully according to decryption:
When correct configured information is obtained, the vpn server determination is logged in into by physiological characteristic information
Work(, the vpn server is set up and the connection between mobile terminal;
When correct configured information is not obtained, the vpn server confirms login failure.
13. methods according to claim 9, it is characterised in that the encryption information is included by moving
The user that the safety zone of terminal is encrypted is operated be input into instruction;
Correspondingly, vpn server is according to default corresponding with the encryption policy in mobile terminal safety region
Decryption policy is decrypted to encryption information, and according to the information type after decryption correspondingly to the letter after decryption
Breath is processed, and is specifically included:
The vpn server is according to the default solution corresponding with the encryption policy in mobile terminal safety region
After input instruction decryption of the close strategy after by encryption, send to Intranet and processed;
The vpn server receives the operating result for the input instruction that Intranet is returned.
14. methods according to claim 9, it is characterised in that the encryption information is included by moving
The de-registration request that the safety zone of terminal is encrypted;
Correspondingly, vpn server is according to default corresponding with the encryption policy in mobile terminal safety region
Decryption policy is decrypted to encryption information, and according to the information type after decryption correspondingly to the letter after decryption
Breath is processed, and is specifically included:
After the vpn server is decrypted to the de-registration request of the encryption, can ask according to the cancellation
Ask and complete to nullify operation, and successfully instruction will be nullified and be encrypted and be back to mobile terminal.
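The exchange that claims 7 to 14 describe, as an added example in Go; it is not code from the patent or its applicant. The secure region seals a typed frame under the shared "preset encryption policy", the non-secure region relays only opaque bytes, and the VPN server opens the frame under the matching policy and dispatches on the information type (login, input instruction, logout). Everything concrete is an assumption the claims do not make: AES-256-GCM as the policy, a pre-shared 32-byte key, the one-byte type plus 0x00-separated field layout, the constructed account `alice`, the constructed instruction, and the `intranet ran:` reply that stands in for forwarding to the intranet. Two checks the claims leave implicit are included: an unknown user cannot log in with an empty password (the `known` guard, since `subtle.ConstantTimeCompare` treats two empty slices as equal), and an input instruction is refused when no session exists.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Frame layout (assumed; the claims only say the server dispatches by "information type"):
// one type byte, then 0x00-separated fields, the whole frame inside the AEAD envelope.
const (
	TypeLogin byte = iota + 1
	TypeInput
	TypeLogout
)
// Policy is the "preset encryption policy" both ends hold, modelled as AES-256-GCM under a
// pre-provisioned key (the claims name no algorithm). A wire frame is nonce || ciphertext || tag.
type Policy struct{ aead cipher.AEAD }

func NewPolicy(key []byte) *Policy {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a provisioning bug, not a runtime condition
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Policy{aead}
}

func (p *Policy) Seal(plain []byte) []byte {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return p.aead.Seal(nonce, nonce, plain, nil)
}
// Open fails for truncated or tampered frames and for frames sealed under any other key.
func (p *Policy) Open(ct []byte) ([]byte, error) {
	if n := p.aead.NonceSize(); len(ct) > n {
		return p.aead.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, errors.New("frame too short")
}

// Server opens each frame under the matching policy and dispatches on type (claims 9, 10, 13, 14).
type Server struct {
	policy  *Policy
	creds   map[string][]byte // constructed accounts; a real server stores password hashes
	session string
}

func (s *Server) Handle(ct []byte) ([]byte, error) {
	plain, err := s.policy.Open(ct)
	if err != nil || len(plain) == 0 {
		return nil, errors.New("frame rejected")
	}
	switch body := plain[1:]; plain[0] {
	case TypeLogin: // claim 10
		user, pass, _ := bytes.Cut(body, []byte{0})
		want, known := s.creds[string(user)] // known guards ConstantTimeCompare(nil, nil) == 1
		if !known || subtle.ConstantTimeCompare(want, pass) != 1 {
			return nil, errors.New("login failed")
		}
		s.session = string(user)
		return s.policy.Seal([]byte("login ok")), nil
	case TypeInput: // claim 13: the decrypted instruction goes to the intranet, its result comes back
		if s.session == "" {
			return nil, errors.New("not logged in")
		}
		return s.policy.Seal(append([]byte("intranet ran: "), body...)), nil
	case TypeLogout: // claim 14
		s.session = ""
		return s.policy.Seal([]byte("logout ok")), nil
	}
	return nil, errors.New("unknown information type")
}

// RunFlow drives login, an input instruction and logout; every byte string the insecure region
// carried comes back in wire so that it can be inspected for leaked plaintext.
func RunFlow() (out map[byte]string, wire [][]byte, err error) {
	pol := NewPolicy(bytes.Repeat([]byte{0x42}, 32)) // constructed pre-shared key, example only
	srv := &Server{policy: pol, creds: map[string][]byte{"alice": []byte("correct horse")}}
	out = map[byte]string{}
	for _, plain := range [][]byte{append([]byte{TypeLogin}, "alice\x00correct horse"...),
		append([]byte{TypeInput}, "ls /srv"...), {TypeLogout}} {
		sealed := pol.Seal(plain)       // secure region: encrypt, then switch worlds
		resp, err := srv.Handle(sealed) // insecure region: transmit, receive, switch back
		wire = append(wire, sealed, resp)
		if err != nil {
			return nil, nil, err
		}
		reply, err := pol.Open(resp) // secure region again: decrypt before anything is displayed
		if err != nil {
			return nil, nil, err
		}
		out[plain[0]] = string(reply)
	}
	return out, wire, nil
}

func main() { fmt.Println(RunFlow()) }
```

The property worth checking is in `wire`: none of the frames the insecure region handled contains the password, the instruction or the server's replies in the clear, and a frame that is tampered with, truncated, or sealed under another key is rejected by `Open` before `Handle` looks at its type. The AEAD gives integrity as well as confidentiality, which a bare cipher under the "preset policy" would not.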
15. A mobile terminal, wherein the mobile terminal comprises a secure region unit, a non-secure region unit and a security monitoring unit; wherein
the secure region unit is configured to obtain private information to be sent to a virtual private network (VPN) server;
and to encrypt the private information according to a preset encryption policy;
and to trigger the security monitoring unit;
the security monitoring unit is configured to switch from the secure region unit to the non-secure region unit;
the non-secure region unit is configured to send the encrypted private information to the VPN server;
and to receive the display information sent by the VPN server;
and to trigger the security monitoring unit;
the security monitoring unit is further configured to switch from the non-secure region unit to the secure region unit;
the secure region unit is further configured to decrypt the display information according to a preset decryption policy and then display the decrypted display information.
16. The mobile terminal according to claim 15, wherein the secure region unit is specifically configured to start and display a VPN login interface and to receive the login information input to the VPN login interface.
17. The mobile terminal according to claim 16, wherein the secure region unit is specifically configured to encrypt the login information according to the preset encryption policy;
the non-secure region unit is specifically configured to transmit the encrypted login information to the VPN server.
18. The mobile terminal according to claim 17, wherein the secure region unit is further configured to call a physiological characteristic (biometric) collection device to obtain and store physiological characteristic information, and to generate a key pair corresponding to the physiological characteristic information;
the non-secure region unit is further configured to transmit the public key of the key pair to the VPN server.
19. The mobile terminal according to claim 18, wherein the secure region unit is further configured to start and display a physiological characteristic login interface and to call the physiological characteristic collection device to obtain physiological characteristic information;
and, when the collected physiological characteristic information is consistent with the stored physiological characteristic information, to encrypt indication information indicating a consistent comparison with the private key corresponding to the stored physiological characteristic information, obtaining encrypted indication information;
and to encrypt the encrypted indication information according to the preset encryption policy, obtaining doubly encrypted indication information;
the non-secure region unit is further configured to send the doubly encrypted indication information to the VPN server.
20. The mobile terminal according to claim 15, wherein the secure region unit is specifically configured to receive an input instruction through an input device.
21. The mobile terminal according to claim 20, wherein the secure region unit is specifically configured to encrypt the input instruction according to the preset encryption policy;
the non-secure region unit is specifically configured to transmit the encrypted input instruction to the VPN server.
22. The mobile terminal according to claim 15, wherein the secure region unit is further configured to encrypt a logout request according to the preset encryption policy;
the non-secure region unit is further configured to transmit the encrypted logout request to the VPN server;
and to receive the encrypted logout-success indication sent by the VPN server;
the secure region unit is further configured to decrypt the encrypted logout-success indication, complete the logout according to the decrypted logout-success indication, and trigger the security monitoring unit to switch to the non-secure region unit.
23. A virtual private network (VPN) server, wherein the VPN server comprises a receiving unit and a decryption processing unit; wherein
the receiving unit is configured to receive encrypted information sent by a mobile terminal;
the decryption processing unit is configured to decrypt the encrypted information according to a preset decryption policy corresponding to the encryption policy of the secure region of the mobile terminal, and to process the decrypted information according to its information type.
24. The VPN server according to claim 23, wherein the encrypted information comprises encrypted login information; correspondingly, the decryption processing unit is specifically configured to:
decrypt according to the preset decryption policy, verify the login information, and determine from the verification result whether the login succeeds:
when the verification passes, determine that the login succeeds and establish a connection with the mobile terminal;
when the verification fails, confirm a login failure.
25. The VPN server according to claim 24, wherein the receiving unit is further configured to receive the public key corresponding to the stored physiological characteristic information and to bind the public key to the login information of the current user.
26. The VPN server according to claim 25, wherein the encrypted information comprises doubly encrypted indication information produced by the mobile terminal after comparing the physiological characteristic information collected in the secure region with the stored physiological characteristic information;
correspondingly, the decryption processing unit is specifically configured to:
decrypt according to the preset decryption policy, obtaining the indication information encrypted with the private key corresponding to the stored physiological characteristic information;
and decrypt the encrypted indication information with the public key corresponding to the stored physiological characteristic information, and confirm from the decryption result whether the login succeeds:
and, when correct indication information is obtained, determine that the login by physiological characteristic information succeeds and establish a connection with the mobile terminal;
and, when correct indication information is not obtained, confirm a login failure.
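The inner layer of claims 11, 12, 18, 19, 25 and 26, as an added Go example that is not the patent's code: enrolment generates a key pair in the secure region, the server binds the public key only to a session that already authenticated by password, and a biometric login sends an indication "encrypted with the private key" that the server "decrypts with the public key". In practice that operation is a digital signature, and it is modelled here with Ed25519 from Go's standard library. The outer layer (sealing the signed indication under the preset policy) is omitted because it is the same channel every other frame uses. Assumptions the claims do not make: a SHA-256 hash of the enrolled sample as a stand-in for real fuzzy matching, the `bio-ok:` indication text, the constructed samples and user, and the server challenge. The challenge is an addition to the claims; without it a captured indication could be replayed for as long as the key pair stays bound.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// BioRegion is the part of the safety zone that owns the biometric template and the key pair of
// claim 18. SHA-256 of the enrolled sample stands in for a real fuzzy matcher (an assumption).
type BioRegion struct {
	template [32]byte
	priv     ed25519.PrivateKey
}

// Enrol generates the key pair and returns only the public key for the insecure region to forward.
func Enrol(sample []byte) (*BioRegion, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // an entropy failure inside the secure region is fatal
	}
	return &BioRegion{sha256.Sum256(sample), priv}, pub
}

// Indicate is the terminal side of claims 12 and 19: only if the fresh sample matches does it emit
// the indication "encrypted with the private key", which in practice is an Ed25519 signature.
// Tying it to a server challenge is an addition to the claims; it stops replay of a captured frame.
func (r *BioRegion) Indicate(sample, challenge []byte) ([]byte, error) {
	if sha256.Sum256(sample) != r.template {
		return nil, errors.New("biometric mismatch: no indication leaves the secure region")
	}
	ind := append([]byte("bio-ok:"), challenge...)
	return append(ed25519.Sign(r.priv, ind), ind...), nil // signature || indication
}

// BioServer keeps the public key bound to each login (claim 11) and one live challenge per user.
type BioServer struct {
	loggedIn  map[string]bool
	bound     map[string]ed25519.PublicKey
	challenge map[string][]byte
}

// Bind accepts a key only for a password-authenticated session (claim 11); otherwise anyone could
// register their own key against someone else's account.
func (s *BioServer) Bind(user string, pub ed25519.PublicKey) error {
	if !s.loggedIn[user] || len(pub) != ed25519.PublicKeySize {
		return errors.New("no authenticated session, or malformed key")
	}
	s.bound[user] = pub
	return nil
}

func (s *BioServer) Challenge(user string) []byte {
	s.challenge[user] = make([]byte, 16)
	if _, err := rand.Read(s.challenge[user]); err != nil {
		panic(err)
	}
	return s.challenge[user]
}

// Verify is the server side of claim 12 once the outer policy layer is off: the signature must check
// under the bound key and the indication must name the live challenge, which is consumed either way.
func (s *BioServer) Verify(user string, inner []byte) bool {
	pub, bound := s.bound[user]
	c, live := s.challenge[user]
	delete(s.challenge, user)
	if !bound || !live || len(inner) < ed25519.SignatureSize {
		return false
	}
	sig, ind := inner[:ed25519.SignatureSize], inner[ed25519.SignatureSize:]
	return bytes.Equal(ind, append([]byte("bio-ok:"), c...)) && ed25519.Verify(pub, ind, sig)
}

// Demo enrols, binds, then attempts a genuine login, a replay of the same frame, a frame signed
// with an attacker's key, and a non-matching sample. All inputs are constructed.
func Demo() (map[string]bool, error) {
	sample := []byte("enrolled-fingerprint-sample")
	sec, pub := Enrol(sample)
	srv := &BioServer{map[string]bool{"alice": true}, map[string]ed25519.PublicKey{}, map[string][]byte{}}
	if err := srv.Bind("alice", pub); err != nil { // "alice" holds a password session already
		return nil, err
	}
	inner, err := sec.Indicate(sample, srv.Challenge("alice"))
	if err != nil {
		return nil, err
	}
	res := map[string]bool{"genuine": srv.Verify("alice", inner)}
	res["replay"] = srv.Verify("alice", inner)         // same frame again: its challenge is spent
	_, attacker, _ := ed25519.GenerateKey(rand.Reader) // has no access to the secure region's key
	ind := append([]byte("bio-ok:"), srv.Challenge("alice")...)
	res["forged"] = srv.Verify("alice", append(ed25519.Sign(attacker, ind), ind...))
	_, err = sec.Indicate([]byte("someone-else"), srv.Challenge("alice"))
	res["mismatch"] = err != nil
	return res, nil
}

func main() { fmt.Println(Demo()) }
```

Two design points follow from reading the claims this way. First, "decrypting with the public key" only proves possession of the private key that was bound at enrolment, so the binding step is the security boundary: a server that accepts a public key for an unauthenticated session has handed the account to whoever sent it. Second, the claims' indication is a fixed "comparison consistent" value, so nothing in them changes from one login to the next; the challenge is what makes each indication usable exactly once.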
27. The VPN server according to claim 23, wherein the encrypted information comprises an input instruction for a user operation, encrypted by the secure region of the mobile terminal;
correspondingly, the decryption processing unit is specifically configured to:
decrypt the encrypted input instruction according to the preset decryption policy corresponding to the encryption policy of the secure region of the mobile terminal, and send it to the intranet for processing;
and receive the operation result for the input instruction returned by the intranet.
28. The VPN server according to claim 23, wherein the encrypted information comprises a logout request encrypted by the secure region of the mobile terminal;
correspondingly, the decryption processing unit is specifically configured to:
after decrypting the encrypted logout request, complete the logout operation according to the logout request, encrypt a logout-success indication, and trigger the receiving unit;
the receiving unit is further configured to return the encrypted logout-success indication to the mobile terminal.
29. A system for secure data access based on a virtual private network (VPN), wherein the system comprises a mobile terminal and a VPN server;
wherein the mobile terminal is configured to obtain, in a secure region, private information to be sent to the VPN server;
and, after encrypting the private information in the secure region according to a preset encryption policy, to send the encrypted private information to the VPN server in a non-secure region;
and to receive, in the non-secure region, the display information sent by the VPN server;
and, after decrypting the display information in the secure region according to a preset decryption policy, to display the decrypted display information;
the VPN server is configured to receive the encrypted information sent by the mobile terminal;
and to decrypt the encrypted information according to a preset decryption policy corresponding to the encryption policy of the secure region of the mobile terminal, and to process the decrypted information according to its information type.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510728533.6A CN106656457A (en) | 2015-10-30 | 2015-10-30 | Method, device and system for safe access of data based on VPN |
PCT/CN2016/088683 WO2017071296A1 (en) | 2015-10-30 | 2016-07-05 | Vpn-based secure data access method, device and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510728533.6A CN106656457A (en) | 2015-10-30 | 2015-10-30 | Method, device and system for safe access of data based on VPN |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106656457A true CN106656457A (en) | 2017-05-10 |
Family
ID=58631266
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510728533.6A Pending CN106656457A (en) | 2015-10-30 | 2015-10-30 | Method, device and system for safe access of data based on VPN |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN106656457A (en) |
WO (1) | WO2017071296A1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107395601A (en) * | 2017-07-26 | 2017-11-24 | 华迪计算机集团有限公司 | Mobile office system and method based on a VPN secure intranet |
CN108966216A (en) * | 2018-08-28 | 2018-12-07 | 云南电网有限责任公司电力科学研究院 | Mobile communication method and device applied to a power distribution network |
CN109495885A (en) * | 2017-09-13 | 2019-03-19 | ***通信有限公司研究院 | Authentication method, mobile terminal, management system and Bluetooth IC card |
CN109495885B (en) * | 2017-09-13 | 2021-09-14 | ***通信有限公司研究院 | Authentication method, mobile terminal, management system and Bluetooth IC card |
CN112714099A (en) * | 2020-11-30 | 2021-04-27 | 南方电网数字电网研究院有限公司 | Communication system and method |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112580062B (en) * | 2019-09-27 | 2023-03-21 | 厦门网宿有限公司 | Data consistency checking method and data uploading and downloading device |
CN113556340B (en) * | 2021-07-21 | 2023-09-26 | 国网四川省电力公司乐山供电公司 | Portable VPN terminal, data processing method and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104115152A (en) * | 2012-02-16 | 2014-10-22 | 三星电子株式会社 | Method and apparatus for protecting digital content using device authentication |
CN104507087A (en) * | 2014-12-19 | 2015-04-08 | 上海斐讯数据通信技术有限公司 | Security service system and security service method for mobile office work |
US9021585B1 (en) * | 2013-03-15 | 2015-04-28 | Sprint Communications Company L.P. | JTAG fuse vulnerability determination and protection using a trusted execution environment |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101547102A (en) * | 2008-11-26 | 2009-09-30 | 邵峰晶 | Computer system architecture and device with internal networking |
US9077654B2 (en) * | 2009-10-30 | 2015-07-07 | Iii Holdings 2, Llc | System and method for data center security enhancements leveraging managed server SOCs |
CN104573565B (en) * | 2015-01-23 | 2017-11-17 | 宇龙计算机通信科技(深圳)有限公司 | Memory management method and device on a TrustZone |
Application timeline
- 2015-10-30: CN201510728533.6A filed in China (published as CN106656457A), status Pending
- 2016-07-05: PCT/CN2016/088683 filed (published as WO2017071296A1), status Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2017071296A1 (en) | 2017-05-04 |
Similar Documents
Publication | Title |
---|---|
CN106656457A (en) | Method, device and system for safe access of data based on VPN |
US11716315B2 (en) | Disposable browsers and authentication techniques for a secure online user environment |
US11297055B2 (en) | Multifactor contextual authentication and entropy from device or device input or gesture authentication |
US11044275B2 (en) | Secure web container for a secure online user environment |
US10380361B2 (en) | Secure transaction method from a non-secure terminal |
US20240106865A1 (en) | Secure Web Container for a Secure Online User Environment |
JP5744915B2 (en) | Trusted federated identity management and data access authorization method and apparatus |
CN104639562B (en) | System for push authentication and working method of the device |
CN105978917B (en) | System and method for trusted application security authentication |
US20180295137A1 (en) | Techniques for dynamic authentication in connection within applications and sessions |
EP3373510A1 (en) | Method and device for realizing session identifier synchronization |
US20110314290A1 (en) | Digipass for web-functional description |
CN104283879B (en) | Virtual machine remote connection method and system |
US10524124B2 (en) | Routing systems and methods |
US11259180B2 (en) | Routing systems and methods |
US20160292460A1 (en) | Systems, methods and apparatus for secure peripheral communication |
KR20160089472A (en) | Automatic placeholder finder-filler |
CN103648090A (en) | Method for realizing security and credibility of intelligent mobile terminal and system thereof |
EP2811401B1 (en) | Method and apparatus for inputting data |
Fazeldehkordi et al. | Security and privacy in IoT systems: a case study of healthcare products |
Rocha | Cybersecurity analysis of a SCADA system under current standards, client requisites, and penetration testing |
JP2003296279A (en) | Authentication method, and client device, server device, and program thereof |
CN107171784A (en) | Unexpected environmental accident emergency command dispatching method and system |
Sulaiman | MAgSeM: A multi-agent based security model for secure cyber services |
Fazeldehkordi et al. | Security and Privacy Functionalities in IoT |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | |
Application publication date: 2017-05-10