CN109639619A - A kind of big concurrent encryption communication algorithm towards Security Certificate gateway - Google Patents

Info

Publication number: CN109639619A
Authority: CN (China)
Prior art keywords: thread, data, worker thread, ssl, responsible
Legal status: Pending
Application number: CN201710926498.8A
Other languages: Chinese (zh)
Inventor: 于政波
Current assignee: Beijing Security Technology Co Ltd
Original assignee: Beijing Security Technology Co Ltd
Priority date: 2017-10-09
Filing date: 2017-10-09
Publication date: 2019-04-16

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/16 Implementing security features at a particular protocol layer
    • H04L 63/166 Implementing security features at a particular protocol layer at the transport layer
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to methods for secure data transmission and discloses a high-concurrency encrypted communication algorithm for a security certificate gateway. Traditional communication encryption libraries use a synchronous processing model in which communication and encryption are tightly coupled, so concurrent processing capacity can only be raised by adding threads or processes; limited by the number of threads and processes, they cannot make full use of the network's communication bandwidth or the CPU's processing capacity. The present invention implements network communication and SSL processing independently, so that each can be optimized separately; it makes full use of the operating system's asynchronous I/O mechanism to improve throughput; it uses thread-pool technology to make full use of the CPU's computing capacity; and it uses queues to buffer peak data. Its main advantage is that it can achieve SSL encrypted communication with high concurrency (greater than 50000), a high connection-setup rate (greater than 500), high throughput (greater than 800 Mb/s) and high tolerance of per-second peak load.

Description

A kind of big concurrent encryption communication algorithm towards Security Certificate gateway
Technical field
The present invention relates to methods for secure data transmission, and in particular to a high-concurrency encrypted communication algorithm for a security certificate gateway.
Background technique
With the development of information and network technology, more and more core business is carried over the Internet, the mobile Internet or the Internet of Things, and the transmission of data needs to be encrypted. Because concurrency and throughput are huge, ever higher demands are placed on the processing performance of back-end servers. Traditional communication and encryption modes use a synchronous processing model in which communication and encryption are tightly coupled; concurrent processing capacity can only be raised by adding threads or processes, and, limited by the number of threads and processes, they cannot make full use of the network's communication bandwidth or the CPU's processing capacity.
Summary of the invention
The purpose of the present invention is to overcome the shortcomings of existing methods by innovating in the communication model and the SSL engine design, and to provide a high-concurrency encrypted communication algorithm for a security certificate gateway. Network communication and SSL processing are implemented independently so that each can be optimized separately; the operating system's asynchronous I/O mechanism is fully used to improve throughput; thread-pool technology is used to make full use of the CPU's computing capacity; and queues are used to buffer peak data.
Its main framework consists of a communications manager, a listening thread, I/O worker threads, a worker thread pool, a send thread pool and an SSL engine.
The communications manager is responsible for managing and scheduling the gateway's core modules, for client state management, and for implementing the core processing logic. The listening thread is responsible for accepting client connections; after the handshake protocol completes, the connection is handed to an I/O worker thread. The I/O worker thread is responsible for receiving network data and, once a complete data packet is available, assigning it to a worker thread for processing. The worker thread pool is responsible for managing worker threads. The send thread pool is responsible for managing send threads. The SSL engine implements a memory-based SSL protocol stack for the data.
Its implementation process includes the following steps:
1) The listening thread receives a remote user's connection request and, after the SSL handshake protocol completes, adds the network descriptor to an I/O worker thread for management.
2) The I/O worker thread receives network data and stores it in a buffer.
3) When the data packet in the buffer is complete, the I/O worker thread obtains a worker thread from the worker thread pool, adds the data packet to a queue, and notifies the worker thread to process it.
4) The worker thread takes the data out of the queue and calls the SSL engine to decrypt it. After decryption, it calls the protocol parsing module to parse the data and perform business processing. After business processing, if there is result data to send, it obtains a send thread from the send thread pool, adds the data to a queue, and notifies the send thread to process it.
5) The send thread takes the data out of the queue and calls the SSL engine to encrypt it. After encryption, it transmits the data to the remote user.
In step 2), the I/O worker thread uses the EPOLL mechanism and can handle tens of thousands of network descriptors simultaneously.
In step 4), the SSL engine is separated from the network communication part, and the two parts are optimized independently to achieve high concurrency and high performance.
The present invention has the following advantages:
1) The number of new connections per second can reach 500 or more.
2) The number of concurrent connections can be raised to 50000 or more.
3) Throughput can reach 800 Mb/s or more, so the impact of large data volumes can be handled better.
Description of the drawings
The present invention is described in further detail below with reference to the accompanying drawing and the embodiment:
Fig. 1 is the logical block diagram of the algorithm.
Specific embodiment
The implementation flow of the high-concurrency encrypted communication algorithm for a security certificate gateway is as follows:
1) The listening thread receives a remote user's connection request and, after the SSL handshake protocol completes, adds the network descriptor to an I/O worker thread for management.
2) The I/O worker thread uses the EPOLL mechanism and can handle tens of thousands of network descriptors simultaneously. When network data arrives, it is received and stored in a buffer, and the thread judges whether the buffer holds a complete SSL frame; if not, it continues receiving; if so, it obtains a worker thread from the worker thread pool, adds the data to the corresponding queue, and notifies the worker thread to process it.
3) The worker thread takes the data out of the queue and calls the SSL engine to decrypt it. After decryption, it calls the protocol parsing module to parse the data and perform business processing. After business processing, if there is result data to send, it obtains a send thread from the send thread pool, adds the data to a queue, and notifies the send thread to process it.
4) The send thread takes the data out of the queue and calls the SSL engine to encrypt it. After encryption, it transmits the data to the remote user.
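Step 2) has the I/O worker thread decide whether the buffered bytes form a complete SSL frame before handing them to a worker. The C code below is an added illustration, not part of the patent: it performs that framing check on the TLS record header (5-byte header, 16-bit body length bounded by the TLSCiphertext maximum) and splits a receive buffer into complete records while keeping the partial tail for the next read; the byte sequences in the demo are constructed.

```c
#include <stdint.h>
#include <string.h>

#define TLS_HDR_LEN 5                 /* type(1) version(2) length(2) */
#define TLS_MAX_BODY (16384 + 2048)   /* TLSCiphertext length limit, RFC 5246 */
enum { FRAME_INVALID = -1, FRAME_NEED_MORE = 0, FRAME_COMPLETE = 1 };

/* Classify the bytes at the front of buf[0..len); on FRAME_COMPLETE *rec_len is the whole
 * record size. Bounding the declared length keeps a forged header from stalling the I/O thread. */
int tls_frame_check(const uint8_t *buf, size_t len, size_t *rec_len)
{
    if (len < TLS_HDR_LEN) return FRAME_NEED_MORE;
    /* content types 20..23 = CCS/alert/handshake/application data; record-layer major version 3 */
    if (buf[0] < 20 || buf[0] > 23 || buf[1] != 0x03) return FRAME_INVALID;
    size_t body = ((size_t)buf[3] << 8) | buf[4];
    if (body > TLS_MAX_BODY) return FRAME_INVALID;
    if (len < TLS_HDR_LEN + body) return FRAME_NEED_MORE;
    *rec_len = TLS_HDR_LEN + body;
    return FRAME_COMPLETE;
}

/* Hand each complete record at the front of buf to dispatch() (the analogue of queueing it
 * for a worker thread), then move the incomplete tail to the front. -1 = malformed stream. */
int tls_split_records(uint8_t *buf, size_t *len,
                      void (*dispatch)(const uint8_t *, size_t, void *), void *ctx)
{
    size_t off = 0, rec = 0;
    int count = 0, st;
    while ((st = tls_frame_check(buf + off, *len - off, &rec)) == FRAME_COMPLETE) {
        dispatch(buf + off, rec, ctx);
        off += rec;
        count++;
    }
    if (st == FRAME_INVALID) return -1;     /* caller should close the connection */
    memmove(buf, buf + off, *len - off);
    *len -= off;
    return count;
}
/* Constructed demo: read 1 delivers a complete application-data record ("abc") plus the
 * first 4 bytes of a handshake record; read 2 delivers that record's remaining 3 bytes. */
static void count_record(const uint8_t *r, size_t n, void *ctx) { (void)r; (void)n; ++*(int *)ctx; }
size_t demo_leftover[2];                      /* bytes still buffered after each read */
int demo_two_reads(void)
{
    static const uint8_t read1[] = {0x17,0x03,0x03,0x00,0x03,'a','b','c',0x16,0x03,0x03,0x00};
    static const uint8_t read2[] = {0x02,0xAA,0xBB};
    uint8_t buf[64]; size_t len = sizeof read1; int dispatched = 0;
    memcpy(buf, read1, len);
    tls_split_records(buf, &len, count_record, &dispatched);
    demo_leftover[0] = len;                   /* 4: the partial header stays buffered */
    memcpy(buf + len, read2, sizeof read2); len += sizeof read2;
    tls_split_records(buf, &len, count_record, &dispatched);
    demo_leftover[1] = len;                   /* 0: buffer fully consumed */
    return dispatched;                        /* 2 records handed to workers */
}
```

In the gateway design, the dispatched records go to the worker thread's queue and the SSL engine; a FRAME_INVALID result is a protocol violation from the peer and a reason to drop the descriptor rather than keep buffering.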

Claims (4)

1. A high-concurrency encrypted communication algorithm for a security certificate gateway, characterised in that it comprises the following key components:
1) a communications manager, responsible for managing and scheduling the gateway's core modules, for client state management, and for implementing the core processing logic;
2) a listening thread, responsible for accepting client connections and, after the handshake protocol completes, handing the connection to an I/O worker thread;
3) I/O worker threads, responsible for receiving network data and, once a complete data packet is available, assigning it to a worker thread for processing;
4) a worker thread pool, responsible for managing worker threads;
5) a send thread pool, responsible for managing send threads;
6) an SSL engine, which implements a memory-based SSL protocol stack for the data.
2. A high-concurrency encrypted communication algorithm for a security certificate gateway, characterised by the following steps:
1) the listening thread receives a remote user's connection request and, after the SSL handshake protocol completes, adds the network descriptor to an I/O worker thread for management;
2) the I/O worker thread receives network data and stores it in a buffer;
3) when the data packet in the buffer is complete, the I/O worker thread obtains a worker thread from the worker thread pool, adds the data packet to a queue, and notifies the worker thread to process it;
4) the worker thread takes the data out of the queue and calls the SSL engine to decrypt it; after decryption, it calls the protocol parsing module to parse the data and perform business processing; after business processing, if there is result data to send, it obtains a send thread from the send thread pool, adds the data to a queue, and notifies the send thread to process it;
5) the send thread takes the data out of the queue and calls the SSL engine to encrypt it; after encryption, it transmits the data to the remote user.
3. The high-concurrency encrypted communication algorithm for a security certificate gateway according to claim 2, characterised in that in step 2) the I/O worker thread uses the EPOLL mechanism and can handle tens of thousands of network descriptors simultaneously.
4. The high-concurrency encrypted communication algorithm for a security certificate gateway according to claim 2, characterised in that in step 4) the SSL engine is separated from the network communication part, and the two parts are optimized independently to achieve high concurrency and high performance.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710926498.8A CN109639619A (en) 2017-10-09 2017-10-09 A kind of big concurrent encryption communication algorithm towards Security Certificate gateway

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710926498.8A CN109639619A (en) 2017-10-09 2017-10-09 A kind of big concurrent encryption communication algorithm towards Security Certificate gateway

Publications (1)

Publication Number Publication Date
CN109639619A (en) 2019-04-16

Family

ID=66049878

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710926498.8A Pending CN109639619A (en) 2017-10-09 2017-10-09 A kind of big concurrent encryption communication algorithm towards Security Certificate gateway

Country Status (1)

Country Link
CN (1) CN109639619A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113660342A (en) * 2021-08-18 2021-11-16 北京天空卫士网络安全技术有限公司 SSL-based communication method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102811201A (en) * 2011-05-31 2012-12-05 阿里巴巴集团控股有限公司 SSL (Secure Sockets Layer) nonblocking communication method and server therefor
CN103685300A (en) * 2013-12-23 2014-03-26 蓝盾信息安全技术股份有限公司 Embedded web server
US20150341229A1 (en) * 2014-05-20 2015-11-26 Krystallize Technologies, Inc Load generation application and cloud computing benchmarking

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
梁明刚: "Research on the implementation of a high-concurrency server based on epoll and a thread pool under Linux", 《万方》 *
樊扬轲: "Implementation of a high-concurrency authentication server", 《万方》 *
金容波: "Design and implementation of a high-performance communication server supporting SSL", 《万方》 *

Similar Documents

Publication Publication Date Title
CN107046542B (en) Method for realizing consensus verification by adopting hardware at network level
CN1949765B (en) Method and system for obtaining SSH host computer public key of device being managed
CN105141552B (en) The data dispatch transmission method of time triggered mechanism is supported in FC interchangers
US9356844B2 (en) Efficient application recognition in network traffic
US8949578B2 (en) Sharing of internal pipeline resources of a network processor with external devices
CN111966446B (en) RDMA virtualization method in container environment
CN109981267B (en) Large-scale user multi-key scene cloud encryption database system and storage query method
CN102143218B (en) Web access cloud architecture and access method
CN110086752A (en) A kind of hardware platform based on multi-core network processing FPGA
WO2021120374A1 (en) Message processing method, processing unit, and a virtual private network server
WO2023216424A1 (en) Data link service processing system and method for networked encrypted transmission
CN109213790A (en) A kind of data circulation analysis method and system based on block chain
CN102780625A (en) Method and device for realizing internet protocol security (IPSEC) virtual private network (VPN) encryption and decryption processing
CN112765077B (en) PCI cipher card master control asynchronous scheduling system
CN112052483B (en) Data communication system and method of password card
CN109274647A (en) Distributed credible memory exchanges method and system
CN102970142A (en) Method and system for concurrently encrypting and decrypting virtual private network (VPN) equipment in multi-encryption-card environment
CN109309650A (en) Handle method, terminal device and the network equipment of data
WO2024066248A1 (en) Access control method and apparatus, device, and non-volatile readable storage medium
CN108566393B (en) The methods, devices and systems of data encryption
CN104283854A (en) IPsec based method for transmitting large data volume in VPN
CN112035899A (en) Data communication system and method based on password card
CN109150829B (en) Software-defined cloud network trusted data distribution method, readable storage medium and terminal
CN109639619A (en) A kind of big concurrent encryption communication algorithm towards Security Certificate gateway
WO2024037366A1 (en) Forwarding rule issuing method, and intelligent network interface card and storage medium

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 2019-04-16