CN101621509A - Design architecture and method for secure load balancing by utilizing SSL communication protocol - Google Patents


Info

Publication number
CN101621509A
Authority
CN
China
Prior art keywords
ssl
pci
client
load
data
Prior art date
Legal status
Pending
Application number
CN200910017289A
Other languages
Chinese (zh)
Inventor
宁雄雁
王渭巍
Current Assignee
Inspur Electronic Information Industry Co Ltd
Original Assignee
Langchao Electronic Information Industry Co Ltd
Priority date
2009-07-31
Filing date
2009-07-31
Publication date
2010-01-06
Application filed by Langchao Electronic Information Industry Co Ltd
Priority to CN200910017289A
Publication of CN101621509A
Current legal status: Pending

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a design architecture and method for secure load balancing by utilizing the SSL communication protocol; in particular, it provides secure and reliable data communication between clients and load-balancing equipment by introducing the SSL (Secure Sockets Layer) communication protocol. The invention mainly designs a processor, SSL-PU, based on SSL encryption; the SSL-PU is loaded in a load balancer and comprises a processing unit (PU), memory (Flash, SRAM, DDR SDRAM, etc.), an Ethernet network controller (PCI, PCI-X, PCI-E) and GbE PHY (RJ45 interface). SSL-PU solves the security problem caused by clear-text communication between traditional load-balancing equipment and clients, as well as the problem that traditional software-based SSL encryption excessively occupies system CPU and memory resources, thereby saving server bandwidth, increasing throughput and improving the flexibility and availability of the network. The processor realizes secure data interaction with the client and delivers data in clear text to a load-balancing module; the load-balancing module directs a request to the corresponding server according to the load-balancing algorithm; the server transmits data to the load-balancing equipment; and the load balancer with an SSL-PU module transmits encrypted secure data to the client, thereby completing a secure data interaction. The invention is particularly suitable for secure load-balancing scheduling by load-balancing equipment whose back end is a cluster system.

Description

Design architecture and method for secure load balancing by utilizing the SSL communication protocol
Technical field
The present invention relates to load-balancing technology for multiple servers and, specifically, to a design architecture and method for secure load balancing that uses the SSL communication protocol, based on the encryption and decryption techniques of the SSL protocol. By introducing the SSL communication protocol, the invention provides secure and reliable data communication between clients and load-balancing equipment, and designs an SSL-PU processor architecture that realizes secure data interaction, so as to provide secure and reliable protection for user data, strengthen network data-handling capacity, and improve the flexibility and availability of the network.
Background technology
With the rapid development of Internet technology, the number of Internet users has grown sharply. At the same time, Internet content providers (ICPs), in order to meet users' rising expectations of Internet content, employ all kinds of techniques and means, multimedia in particular, to make the visual effect of websites more attractive to users. The growth both in the number of visiting users and in the traffic of a single visit places higher demands on a server's ability to bear concurrent access. Because the load capacity of a single server is always limited, in the face of ever-increasing numbers of users and volumes of traffic the central processing unit (CPU) and input/output (I/O) of a single server very quickly become bottlenecks, and this problem cannot be solved simply by improving the performance of the server hardware. The common solution is to adopt a server group made up of multiple servers and to apply load-balancing technology to that group. Meanwhile, with the growth of Internet applications, network and information security has become particularly important: continuing to rely on traditional network security measures will inevitably create great potential safety hazards for enterprises, data centers and websites, so guaranteeing data security and preventing malicious programs such as viruses and worms from intruding into host systems has become a problem that must be solved.
The Secure Sockets Layer protocol (SSL) is the prevailing way of guaranteeing the security of network transactions on the World Wide Web (WWW). Introduced in 1994, SSL was quickly adopted by popular web browsers such as those of Netscape and Microsoft, mainly to protect the confidentiality of consumers' online transactions. The growth of SSL traffic poses an unprecedented challenge to the system designers engaged in networking equipment research. As people make ever more use of SSL, large websites and data centers very soon need to handle tens of thousands of secure transactions simultaneously, at speeds measured in bits per second that lie far beyond the capability of traditional SSL solutions. In addition, various network devices are ineffective at inspecting SSL application-layer content: because SSL encrypts application-layer data, network equipment such as load balancers and content switches cannot extract the user cookies, URLs and other information on which routing and switching decisions depend. At the same time, encrypted data prevents firewalls from scanning for hostile content such as viruses and worms, creating great potential safety hazards for enterprises, data centers and websites. As a result, system designers have to incorporate SSL data processing into new network device designs.
The biggest drawback of SSL is its consumption of network server performance: complex cryptographic algorithms add to the data-processing burden on the computing platform and its software. When processing SSL-encrypted traffic, two key issues must be overcome: 1. the technical bottleneck of passing intermediate data results across the host bus, since most coprocessors exchange encrypted data with the host CPU over the PCI bus; 2. the host CPU having to handle TCP/IP and SSL protocol processing. At present there is almost no architecture and method that satisfactorily solves both the security of information exchange between the load balancer and the client and the problem of load balancing consuming less processor and memory; integrating load-balancing technology with secure exchange of Internet information has therefore become a focus and difficulty of research.
Summary of the invention
The invention discloses a design architecture and method for realizing secure load balancing using the SSL communication protocol; specifically, it provides secure and reliable data communication between clients and load-balancing equipment through the SSL communication protocol. The invention designs a processor, SSL-PU, based on SSL encryption and loaded in the load balancer, which comprises a PU processing unit, Flash, SRAM, DDR SDRAM, a PCI/PCI-X/PCI-E Ethernet controller and GbE PHY. SSL-PU solves the security problem caused by plaintext communication between conventional load-balancing equipment and clients, and also solves the problem of traditional software-based SSL encryption consuming too much system CPU and memory; it saves server bandwidth, increases throughput and improves the flexibility and availability of the network, providing an effective and direct method of secure load balancing. The processor realizes secure data interaction with the client and hands the data to the load balancing module in plaintext form; the load balancing module directs the request to the corresponding server according to the load-balancing algorithm; the server returns the data to the load-balancing equipment; and the load balancer equipped with the SSL-PU module sends the encrypted secure data to the client, thereby completing a secure data interaction.
The present invention is realized by the following technical method:
Load balancer authentication phase: 1. the client sends a start message "Hello" to SSL-PU in order to begin a new session connection; 2. SSL-PU determines from the client's information whether a new master key needs to be generated; if so, the server's "Hello" response to the client includes the information required to generate the master key; 3. according to the SSL-PU response it receives, the client generates a master key, encrypts it with the public key of SSL-PU and passes it to SSL-PU; 4. SSL-PU recovers the master key and returns to the client a message authenticated with this master key, which allows the client to authenticate SSL-PU.
Client authentication phase: up to this point SSL-PU has been authenticated by the client; this phase mainly completes the authentication of the client. The authenticated SSL-PU sends a challenge to the client, and the client returns the (digitally) signed challenge together with its public key, thereby providing authentication to SSL-PU.
After mutual authentication is complete, the client encrypts its data and passes it to the load balancer; the load balancer decrypts the information and sends it in plaintext to the corresponding server according to the load-balancing strategy; after the server receives it, it sends the requested resource in plaintext to the load balancer; the SSL-PU processor of the load balancer encrypts the information sent by the server with the client's public key and forwards it to the client; the client decrypts it with its private key on receipt and obtains the data, which completes the whole information interaction between this client and the server end.
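The two authentication phases above, as an added example that is not part of the patent: a Go simulation of both sides of the exchange. RSA-OAEP stands in for the unspecified public-key encryption of the master key, an HMAC keyed with the master key plays the "message authenticated with this master key" of step 4, and RSA-PSS is used for the client's signed challenge. The party type, the label strings, the 256-bit master key and the 2048-bit RSA keys are assumptions of this example; the patent names none of them.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// party is either the balancer's SSL processing unit (SSL-PU) or the client.
// Each holds an RSA key pair (for the unit this stands in for the key the patent
// keeps in local Flash/SRAM); masterKey is agreed in stage 1. All assumed here.
type party struct {
	key       *rsa.PrivateKey
	masterKey []byte
}

var oaepLabel, verifyMsg = []byte("master-key"), []byte("server-verify")

// tag is the MAC both sides use to prove possession of the master key.
func tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// Stage 1: the client's "Hello" is answered with the unit's public key (the
// material it needs to build a master key); the client makes a fresh 256-bit
// master key and wraps it under that key (RSA-OAEP is assumed; the patent names
// no scheme); the unit unwraps it and replies with a MAC under the master key,
// which is what lets the client authenticate the unit.
func stage1(pu, c *party) error {
	c.masterKey = make([]byte, 32)
	if _, err := rand.Read(c.masterKey); err != nil {
		return err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &pu.key.PublicKey, c.masterKey, oaepLabel)
	if err != nil {
		return err
	}
	pu.masterKey, err = rsa.DecryptOAEP(sha256.New(), nil, pu.key, wrapped, oaepLabel)
	if err != nil {
		return err
	}
	serverTag := tag(pu.masterKey, verifyMsg) // unit -> client
	if !hmac.Equal(serverTag, tag(c.masterKey, verifyMsg)) { // constant-time compare
		return errors.New("client could not authenticate SSL-PU")
	}
	return nil
}

// Stage 2: the unit issues a random challenge, the client returns it signed
// together with its public key, and the unit checks the signature with that key.
func stage2(pu, c *party) error {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	digest := sha256.Sum256(nonce)
	sig, err := rsa.SignPSS(rand.Reader, c.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return err
	}
	clientPub := &c.key.PublicKey // sent to the unit alongside sig
	if err := rsa.VerifyPSS(clientPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return errors.New("SSL-PU could not authenticate client")
	}
	return nil
}

// runHandshake drives both stages and reports whether each side authenticated
// the other and both ended up holding the same master key.
func runHandshake() (bool, error) {
	puKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	cKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	pu, c := &party{key: puKey}, &party{key: cKey}
	if err := stage1(pu, c); err != nil {
		return false, err
	}
	if err := stage2(pu, c); err != nil {
		return false, err
	}
	return hmac.Equal(pu.masterKey, c.masterKey), nil
}

func main() {
	ok, err := runHandshake()
	fmt.Println("mutual authentication:", ok, err)
}
```

One point worth noticing in stage 2: because the client supplies its public key together with the signature, a successful check proves only that the sender holds the private key matching the key it sent, not who that sender is. Binding the key to an identity is the job of a certificate checked against a trusted issuer, which is what the certificate steps of the Fig. 3 handshake add on top of this exchange.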
Description of drawings
Fig. 1 Architecture of secure load balancing based on SSL encryption
Fig. 2 SSL-PU information interaction structure
Fig. 3 Basic SSL handshake
Fig. 4 SSL-PU and application interaction
Embodiment
The method is further described below with reference to the drawings:
Fig. 1 describes the flow of secure load balancing based on the SSL communication protocol, that is, the data interaction that takes place once the client and the load balancer end have completed authentication. In particular, ciphertext is transmitted between the user side and the load balancer, while plaintext transmission is used between the load balancer and the server end, which greatly reduces the CPU, memory and other resources consumed at the server end. Fig. 3 and Fig. 4 illustrate the whole SSL handshake flow during authentication and the interaction between the SSL-PU processor and the host application. Fig. 3 shows the four stages of the SSL handshake between the client and the load balancer end: 1. establish the protocol version, session ID, cipher suite and compression method, and exchange random numbers; 2. optionally send the load balancer's certificate and request the client's certificate; 3. if requested, the client sends its certificate; 4. change the cipher suite and finish the handshake protocol. Fig. 4 shows the communication between the SSL-PU processor and the host (load balancer) application: because the SSL communication protocol sits above the transport layer, SSL-PU passes the decrypted data through the system bus, the NIC and the TCP/IP protocol stack directly to the application's sockets API; the host application takes this data, processes it and sends it to the server end. When the host application needs to send processed data to the client, the data passes through the sockets API, the TCP/IP protocol stack, the NIC and the system PCI/PCI-X/PCI-E bus to SSL-PU, which processes it and sends it to the client.
Fig. 2 details the working principle of the data security framework SSL-PU based on the SSL communication protocol of the present invention, that is, the workflow of SSL-PU. SSL-PU is connected directly to the GbE network through RJ-45 and thus communicates with the client. Keys can be stored in the local SRAM or Flash within the SSL-PU processor (shown as 3). After client information enters SSL-PU from the network, the PU processing unit buffers the data into DDR SDRAM and decrypts it with the locally stored key; once decrypted into plaintext, the data is sent out from the PCI/PCI-X/PCI-E Ethernet controller to the host PCI/PCI-X/PCI-E bus and handed to the host application, which sends it to the server end according to the load-balancing strategy. Data obtained from the server is forwarded directly to the PU processing unit and DDR SDRAM, encrypted with the public key negotiated at random between SSL-PU and the client, and sent directly to the client from the GbE PHY module in ciphertext form.
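The data path of Fig. 1, Fig. 2 and Fig. 4, as an added example that is not part of the patent: a Go program in which a TLS-terminating balancer plays the SSL-PU role on a loopback port, decrypts each incoming request, hands the plaintext to a back end chosen by round robin, and returns the reply over the same session, so the back end itself never touches ciphertext. The back-end names, the round-robin choice, the name "lb.example" and the self-signed certificate are constructed for this example; the patent fixes none of them, and its hardware components (PU, DDR SDRAM buffer, PCI bus, GbE PHY) have no counterpart in software here.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"sync/atomic"
	"time"
)

// balancer plays the SSL-PU role: it terminates TLS and dispatches the clear
// request to a pool of back ends (round robin is an assumption of this example).
type balancer struct {
	next    uint64
	pool    []string
	tlsConf *tls.Config
}

// serve decrypts on the way in, hands the plaintext to the next back end (which,
// as in Fig. 1, never sees ciphertext) and encrypts the reply on the way out.
func (lb *balancer) serve(raw net.Conn) error {
	conn := tls.Server(raw, lb.tlsConf)
	defer conn.Close()
	req, err := bufio.NewReader(conn).ReadString('\n') // first Read runs the handshake
	if err != nil {
		return err
	}
	name := lb.pool[(atomic.AddUint64(&lb.next, 1)-1)%uint64(len(lb.pool))]
	_, err = fmt.Fprintln(conn, name+" served: "+strings.ToUpper(strings.TrimSpace(req)))
	return err
}

// selfSigned makes a throwaway certificate for "lb.example" so the demo runs offline.
func selfSigned() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"lb.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// roundTrip starts the balancer on a loopback port, sends n requests through
// it over TLS and returns the replies in order.
func roundTrip(n int) ([]string, error) {
	cert, roots, err := selfSigned()
	if err != nil {
		return nil, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	lb := &balancer{
		pool:    []string{"srv-a", "srv-b", "srv-c"},
		tlsConf: &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12},
	}
	go func() { // accept loop: each connection is terminated in its own goroutine
		for raw, err := ln.Accept(); err == nil; raw, err = ln.Accept() {
			go lb.serve(raw)
		}
	}()
	clientConf := &tls.Config{RootCAs: roots, ServerName: "lb.example", MinVersion: tls.VersionTLS12}
	var replies []string
	for i := 0; i < n; i++ {
		conn, err := tls.Dial("tcp", ln.Addr().String(), clientConf)
		if err != nil {
			return nil, err
		}
		fmt.Fprintf(conn, "req%d\n", i)
		reply, err := bufio.NewReader(conn).ReadString('\n')
		conn.Close()
		if err != nil {
			return nil, err
		}
		replies = append(replies, strings.TrimSpace(reply))
	}
	return replies, nil
}
```

Each tls.Dial performs the four-stage handshake of Fig. 3 (TLS 1.2 or newer here), and the client verifies the balancer's certificate against the demo root and the expected name, so a missing or mismatched certificate surfaces as a Dial error rather than being skipped. With four requests the replies land on srv-a, srv-b, srv-c and srv-a in turn. The design point the patent relies on is visible in serve: the session key never leaves the terminating component, so only plaintext crosses to the servers, which is also why the patent places that link inside the cluster rather than on the client-facing network.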
The present invention designs an architecture and method based on a hardware SSL-PU, which solves the security of user data and server information, solves the problem of SSL transaction processing consuming too much host CPU and memory, reasonably extends network equipment and server bandwidth, strengthens throughput, and improves the security and availability of the network. The design architecture and method of the invention are relatively direct and are particularly suitable for load-balancing scheduling where the back end of the load-balancing equipment is a cluster system.

Claims (6)

1. A design architecture for realizing secure load balancing using the SSL communication protocol, characterized in that the architecture of the processor SSL-PU comprises a PU, Flash, SRAM, DDR SDRAM, a PCI/PCI-X/PCI-E Ethernet controller and GbE PHY, and that SSL-PU is connected directly to the GbE network through RJ-45 and thus communicates with the client.
2. The design architecture for realizing secure load balancing using the SSL communication protocol according to claim 1, characterized in that a processor architecture SSL-PU for processing SSL transactions is designed on the load balancer and used to realize secure data transmission between the client and the load balancer; SSL-PU decrypts the request data that the client sends to the server end, and encrypts the data that the server sends to the client.
3. The design architecture for realizing secure load balancing using the SSL communication protocol according to claims 1 and 2, characterized in that the SSL-PU processor is designed so that the PU processing unit performs the encryption of the interaction data, and keys are stored in local Flash or SRAM.
4. The design architecture for realizing secure load balancing using the SSL communication protocol according to claims 1, 2 and 3, characterized in that the SSL-PU designed in the load balancer is connected to and interacts with the load balancing module over the PCI/PCI-X/PCI-E system bus, and the decrypted plaintext data is assigned to the server end according to the load-balancing strategy.
5. A method for realizing secure load balancing using the SSL communication protocol, characterized in that keys can be stored in the local SRAM or Flash within the SSL-PU processor; after client information enters SSL-PU from the network, the PU processing unit buffers the data into DDR SDRAM and decrypts it with the locally stored key; once decrypted into plaintext, the data is sent out from the PCI/PCI-X/PCI-E Ethernet controller to the host PCI/PCI-X/PCI-E bus and handed to the host application, which sends it to the server end according to the load-balancing strategy; data obtained from the server is forwarded directly to the PU processing unit and DDR SDRAM, encrypted with the public key negotiated at random between SSL-PU and the client, and sent directly to the client from the GbE PHY module in ciphertext form.
6. A method for realizing secure load balancing using the SSL communication protocol, characterized in that the authentication implementation of the processor SSL-PU adopts a one-way or a mutual authentication mode, and that the authentication process, together with the encryption and decryption of data, is completed entirely by the SSL-PU processor before the data reaches the load balancing module.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910017289A CN101621509A (en) 2009-07-31 2009-07-31 Design architecture and method for secure load balancing by utilizing SSL communication protocol

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910017289A CN101621509A (en) 2009-07-31 2009-07-31 Design architecture and method for secure load balancing by utilizing SSL communication protocol

Publications (1)

Publication Number Publication Date
CN101621509A true CN101621509A (en) 2010-01-06

Family

ID=41514552

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200910017289A Pending CN101621509A (en) 2009-07-31 2009-07-31 Design architecture and method for secure load balancing by utilizing SSL communication protocol

Country Status (1)

Country Link
CN (1) CN101621509A (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103457939A (en) * 2013-08-19 2013-12-18 飞天诚信科技股份有限公司 Method for achieving bidirectional authentication of smart secret key equipment
CN103713862A (en) * 2014-01-09 2014-04-09 浪潮(北京)电子信息产业有限公司 High-speed local storage method and system
CN104219207A (en) * 2013-05-31 2014-12-17 杭州迪普科技有限公司 Security negotiation device and method
CN104243510A (en) * 2013-06-07 2014-12-24 中国科学院声学研究所 Safe network storage system and method
CN105100101A (en) * 2015-07-31 2015-11-25 新浪网技术(中国)有限公司 Method, apparatus and system based on SSL session
CN106341375A (en) * 2015-07-14 2017-01-18 腾讯科技(深圳)有限公司 Method and system for realizing resource encrypted access
CN107426193A (en) * 2017-06-30 2017-12-01 重庆大学 For hardware-accelerated novel I/O paths design in a kind of https applications
CN109067803A (en) * 2018-10-10 2018-12-21 深信服科技股份有限公司 A kind of SSL/TLS encryption and decryption communication means, device and equipment
CN109714292A (en) * 2017-10-25 2019-05-03 华为技术有限公司 The method and apparatus of transmitting message
CN109818939A (en) * 2018-12-29 2019-05-28 深圳市创梦天地科技有限公司 A kind of data processing method and equipment
CN110177083A (en) * 2019-04-26 2019-08-27 阿里巴巴集团控股有限公司 A kind of network interface card, data transmission/method of reseptance and equipment
CN110324282A (en) * 2018-03-29 2019-10-11 华耀(中国)科技有限公司 The load-balancing method and its system of SSL/TLS visualization flow
CN111092888A (en) * 2019-12-17 2020-05-01 深信服科技股份有限公司 Method, device, equipment and storage medium for data simultaneous intercommunication
CN111177807A (en) * 2018-11-12 2020-05-19 爱思开海力士有限公司 Data storage device, method for operating the same, and storage system having the same
CN112738217A (en) * 2020-12-28 2021-04-30 中国建设银行股份有限公司 Secure interaction system and method
CN112954047A (en) * 2021-02-08 2021-06-11 上海弘积信息科技有限公司 Method for encrypting cookie through load balancing equipment
US11082410B2 (en) 2019-04-26 2021-08-03 Advanced New Technologies Co., Ltd. Data transceiving operations and devices

Cited By (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104219207A (en) * 2013-05-31 2014-12-17 杭州迪普科技有限公司 Security negotiation device and method
CN104219207B (en) * 2013-05-31 2017-10-17 杭州迪普科技股份有限公司 A kind of safe consultation device and method
CN104243510A (en) * 2013-06-07 2014-12-24 中国科学院声学研究所 Safe network storage system and method
CN104243510B (en) * 2013-06-07 2018-08-14 中国科学院声学研究所 A kind of secure network storage system and method
CN103457939A (en) * 2013-08-19 2013-12-18 飞天诚信科技股份有限公司 Method for achieving bidirectional authentication of smart secret key equipment
CN103457939B (en) * 2013-08-19 2016-04-06 飞天诚信科技股份有限公司 A kind of method realizing bidirectional authentication of smart secret key equipment
CN103713862A (en) * 2014-01-09 2014-04-09 浪潮(北京)电子信息产业有限公司 High-speed local storage method and system
CN106341375A (en) * 2015-07-14 2017-01-18 腾讯科技(深圳)有限公司 Method and system for realizing resource encrypted access
CN105100101A (en) * 2015-07-31 2015-11-25 新浪网技术(中国)有限公司 Method, apparatus and system based on SSL session
CN107426193A (en) * 2017-06-30 2017-12-01 重庆大学 For hardware-accelerated novel I/O paths design in a kind of https applications
CN109714292B (en) * 2017-10-25 2021-05-11 华为技术有限公司 Method and device for transmitting message
CN109714292A (en) * 2017-10-25 2019-05-03 华为技术有限公司 The method and apparatus of transmitting message
CN110324282A (en) * 2018-03-29 2019-10-11 华耀(中国)科技有限公司 The load-balancing method and its system of SSL/TLS visualization flow
CN109067803A (en) * 2018-10-10 2018-12-21 深信服科技股份有限公司 A kind of SSL/TLS encryption and decryption communication means, device and equipment
CN111177807B (en) * 2018-11-12 2023-08-25 爱思开海力士有限公司 Data storage device, method of operating the same, and storage system having the same
CN111177807A (en) * 2018-11-12 2020-05-19 爱思开海力士有限公司 Data storage device, method for operating the same, and storage system having the same
CN109818939A (en) * 2018-12-29 2019-05-28 深圳市创梦天地科技有限公司 A kind of data processing method and equipment
US11082410B2 (en) 2019-04-26 2021-08-03 Advanced New Technologies Co., Ltd. Data transceiving operations and devices
CN110177083A (en) * 2019-04-26 2019-08-27 阿里巴巴集团控股有限公司 A kind of network interface card, data transmission/method of reseptance and equipment
CN111092888A (en) * 2019-12-17 2020-05-01 深信服科技股份有限公司 Method, device, equipment and storage medium for data simultaneous intercommunication
CN111092888B (en) * 2019-12-17 2022-09-30 深信服科技股份有限公司 Method, device, equipment and storage medium for data simultaneous intercommunication
CN112738217A (en) * 2020-12-28 2021-04-30 中国建设银行股份有限公司 Secure interaction system and method
CN112738217B (en) * 2020-12-28 2022-05-27 中国建设银行股份有限公司 Secure interaction system and method
CN112954047A (en) * 2021-02-08 2021-06-11 上海弘积信息科技有限公司 Method for encrypting cookie through load balancing equipment

Similar Documents

Publication Publication Date Title
CN101621509A (en) Design architecture and method for secure load balancing by utilizing SSL communication protocol
AU2021201714B2 (en) Client(s) to cloud or remote server secure data or file object encryption gateway
US11792169B2 (en) Cloud storage using encryption gateway with certificate authority identification
US10461943B1 (en) Transparently scalable virtual hardware security module
JP6358549B2 (en) Automatic login and logout of sessions with session sharing
CN102315945A (en) Unified identity authentication method based on private agreement
US11102191B2 (en) Enabling single sign-on authentication for accessing protected network services
US11777914B1 (en) Virtual cryptographic module with load balancer and cryptographic module fleet
CN106341375B (en) Method and system for realizing encrypted access of resources
CN104322001A (en) Transport layer security traffic control using service name identification
CN111628976B (en) Message processing method, device, equipment and medium
CN1930847A (en) Method and apparatus for providing transaction-level security
CN106027646B (en) A kind of method and device accelerating HTTPS
CA3066728A1 (en) Cloud storage using encryption gateway with certificate authority identification
CN115373796A (en) Joint learning with partitioning and dynamic shuffle model updates
CN105591959B (en) A kind of system and method carrying out load balancing using SSL Session state reuse
He et al. Blockchain-based p2p content delivery with monetary incentivization and fairness guarantee
Moghaddam et al. UAA: user authentication agent for managing user identities in cloud computing environments
WO2016000473A1 (en) Business access method, system and device
CN105871926A (en) USB (universal serial bus) equipment security sharing method and system based on desktop virtualization
CN104253806B (en) Method for authenticating, client and server
CN107172078B (en) Security management and control method and system of core framework platform based on application service
CN107786507A (en) A kind of method for ensuring http data transmission securities
Yang Mobile Payment Security in the Context of Big Data: Certificateless Public Key Cryptography.
Da-Yuan et al. Implementation and performance evaluation of IPSec VPN based on netfilter

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20100106