CN103812867A - Self-adaption encryption and decryption security storage system and method based on ISCSI - Google Patents

Publication number: CN103812867A
Authority: CN (China)
Prior art keywords: state, encryption, start end, decryption, load
Legal status: Granted, active
Application number: CN201410052455.8A
Other languages: Chinese (zh)
Other versions: CN103812867B (en)
Inventors: 陈俭喜, 刘景宁, 冯丹, 万全威, 梅林军, 郭雷, 庄振龙
Current assignee: Huazhong University of Science and Technology
Original assignee: Huazhong University of Science and Technology
Application filed by: Huazhong University of Science and Technology
Priority to: CN201410052455.8A
Classification: Storage Device Security

Abstract

The invention discloses a self-adaptive encryption and decryption secure storage system and method based on iSCSI. The system comprises an initiator (start end) and a target (object end) connected to each other. The initiator comprises an initiator load calculator, an initiator switching controller and an initiator encryption/decryption device; the target comprises a target load calculator, a target converter and a target encryption/decryption device. Each load calculator collects load information once every ΔT1 and calculates a load value. The initiator switching controller collects the load values of the initiator and the target, calculates the load averages once every ΔT2, and judges from the load averages of the initiator and the target whether a state transition is needed. If not, the state is kept unchanged; if so, a state transition command is sent to the target encryption/decryption device and the initiator encryption/decryption device. The encryption/decryption devices encrypt and decrypt data and accept the state transition command to carry out the state transition. The system and method split encryption and decryption tasks sensibly according to server load and thereby substantially improve the performance of an iSCSI secure storage system.

Description

A self-adaptive encryption and decryption secure storage system and method based on iSCSI
Technical field
The present invention belongs to the field of high-performance secure storage technology and specifically relates to a self-adaptive encryption and decryption secure storage system and method based on iSCSI.
Background art
With the rapid development of computer and Internet technology, the data generated on networks is growing explosively, and how to access data safely and efficiently has become one of the key problems in the storage field.
The iSCSI (Internet Small Computer System Interface) protocol is one of the key protocols in network storage. iSCSI is built on TCP/IP (Transmission Control Protocol/Internet Protocol) and allows the SCSI (Small Computer System Interface) protocol, which originally could only be carried over a bus, to be carried between IP (Internet Protocol) network devices. Because of its low cost, easy capacity expansion and backup, relatively high transmission speed, and easy installation and maintenance, iSCSI storage is widely used in network storage.
Information is the most valuable resource of any organization or individual. Once data is lost or leaked the consequences can be serious, particularly for units that hold sensitive information, such as security bureaus and the military. To store data securely, the data must be encrypted before it is stored, so that even if data is stolen directly from the storage medium it is difficult to obtain the real information; this ensures a high level of security for stored data. However, current iSCSI storage systems all perform encryption and decryption statically on either the initiator (start end) server or the target (destination end) server, without considering the load at the two ends. Advanced encryption and decryption of data requires a large amount of computation. In particular, when the server itself is already heavily loaded by the services it provides, the CPU is too busy and easily becomes a bottleneck, which sharply degrades the performance of the whole iSCSI secure storage system and affects the stability of the storage service and the life of the storage system.
Summary of the invention
To address the above defects or improvement needs of the prior art, the present invention provides a self-adaptive encryption and decryption secure storage system and method based on iSCSI. From the viewpoint of adaptive load balancing across the whole iSCSI storage system, encryption and decryption tasks are assigned dynamically according to the load at the initiator and the target, keeping the load of the two ends in relative balance. This prevents a load bottleneck and improves the performance of the encryption/decryption system while still guaranteeing data storage security.
The technical solution adopted by the present invention to solve its technical problem is to provide a self-adaptive encryption and decryption secure storage system based on iSCSI, the system comprising an initiator (start end) and a target (destination end) connected to each other.
The initiator comprises an initiator load calculator, an initiator switching controller and an initiator encryption/decryption device connected in sequence. The initiator load calculator collects initiator load information every ΔT1 and calculates the initiator load value. The initiator switching controller collects the load values of the initiator and the target, calculates the load averages of the two ends every ΔT2, and judges from those load averages whether to perform a state transition; if no state transition is performed the state is kept unchanged, and if a state transition is performed it sends a state transition command to the target and to the initiator encryption/decryption device. The initiator encryption/decryption device encrypts and decrypts iSCSI data and accepts the state transition command to carry out the state transition and complete the task migration.
The target comprises a target load calculator, a target converter and a target encryption/decryption device connected in sequence. The target load calculator collects target load information every ΔT1 and calculates the target load value. The target converter sends the target load value to the initiator, receives the state transition command and forwards it to the target encryption/decryption device. The target encryption/decryption device encrypts and decrypts iSCSI data and accepts the state transition command to carry out the state transition and complete the task migration.
In the self-adaptive encryption and decryption secure storage system based on iSCSI of the present invention, whether to perform a state transition is judged from the load averages of the two ends according to the following encryption/decryption state transition rules:
(1) If L(Initiator) and L(Target) differ by less than Δd, the encryption/decryption task state remains unchanged;
(2) If L(Initiator) and L(Target) differ by more than Δd but the load values at both ends are less than LTH, the encryption/decryption task state remains unchanged;
(3) If L(Initiator) and L(Target) differ by more than Δd but the load values at both ends are greater than LTH, the encryption/decryption task state remains unchanged;
(4) If none of (1), (2) and (3) is met and L(Initiator) > L(Target):
    <1> if the current state is state 2, the state transition command is to convert state 2 to state 1;
    <2> if the current state is state 3, the state transition command is to convert state 3 to state 1;
    <3> if the current state is state 4, the state transition command is to convert state 4 to state 3;
    <4> if the current state is state 1, the encryption/decryption task state remains unchanged;
(5) If none of (1), (2) and (3) is met and L(Initiator) < L(Target):
    <1> if the current state is state 1, the state transition command is to convert state 1 to state 2;
    <2> if the current state is state 2, the state transition command is to convert state 2 to state 4;
    <3> if the current state is state 3, the state transition command is to convert state 3 to state 4;
    <4> if the current state is state 4, the encryption/decryption task state remains unchanged;
(6) In any situation other than (1), (2), (3), (4) and (5), the encryption/decryption task state remains unchanged.
Δd is the threshold on the load difference between the initiator and the target, L(Initiator) is the initiator load average within the ΔT2 interval, L(Target) is the target load average within the ΔT2 interval, and LTH is the load threshold of the initiator and the target.
State 1: the initiator has no task and the target encrypts and decrypts. State 2: the initiator encrypts and the target decrypts. State 3: the initiator decrypts and the target encrypts. State 4: the initiator encrypts and decrypts and the target has no task.
In the self-adaptive encryption and decryption secure storage system based on iSCSI of the present invention, the initiator switching controller controls the state transition process and guarantees strong consistency of the transmitted data during the state transition.
In the self-adaptive encryption and decryption secure storage system based on iSCSI of the present invention, the initiator load value and load average and the target load value and load average are obtained from the following load calculation model:
$$\bar{L}(\mathrm{CPU}) = \left\{ \left[ \sum_{i=1}^{k} L_i(\mathrm{CPU}) \right] / k \right\} \times 100 = \left\{ \left[ L_1(\mathrm{CPU}) + L_2(\mathrm{CPU}) + \dots + L_k(\mathrm{CPU}) \right] / k \right\} \times 100$$
$$\bar{L}(M) = \left[ C(\mathrm{Used}) / C(\mathrm{All}) \right] \times 100$$
$$L(\mathrm{Server}) = \bar{L}(\mathrm{CPU}) \times W(\mathrm{CPU}) + \bar{L}(M) \times W(M)$$
$$W(\mathrm{CPU}) + W(M) = 1$$
$$\bar{L}(\mathrm{Server}) = \left[ \sum_{j=1}^{n} L_j(\mathrm{Server}) \right] / n = \left[ L_1(\mathrm{Server}) + L_2(\mathrm{Server}) + \dots + L_n(\mathrm{Server}) \right] / n$$
Figure BDA0000466353830000045
Here L(Server) is the overall load of the server; k is the number of CPU cores in the server; $\bar{L}(\mathrm{CPU})$ is the average CPU load of the server; C(Used) is the server's current memory usage; C(All) is the total physical memory of the server; W(CPU) is the weight of the CPU load in the overall server load; and W(M) is the weight of the memory load in the overall server load. $\bar{L}(\mathrm{Server})$ is the average load of the server within ΔT2; ΔT2 is the interval at which the switching controller makes a transition decision; ΔT1 is the interval at which the load calculator collects the server load; and $L_j(\mathrm{Server})$ is the overall server load in the j-th ΔT1 interval. The server is either the initiator server or the target server.
Correspondingly, the present invention also provides a self-adaptive encryption and decryption secure storage method based on iSCSI, comprising the following steps:
S1. The iSCSI initiator collects initiator server load information every ΔT1, calculates the initiator load value, and passes it to the initiator switching controller;
S2. The iSCSI target collects the load information of the target server every ΔT1, calculates the target load value, and passes it to the initiator;
S3. The iSCSI initiator obtains the initiator load value and the target load value and, every ΔT2, calculates the load averages of the initiator and the target within that ΔT2 interval;
S4. The iSCSI initiator switching controller judges from the load averages of the two ends whether to perform a state transition. If no state transition is needed, step S1 is performed; if a state transition is needed, it sends a state transition command to the initiator encryption/decryption device and to the target, and the state transition is carried out so that the encryption and decryption tasks of the heavily loaded end can be partly or wholly migrated to the lightly loaded end.
In the self-adaptive encryption and decryption secure storage method based on iSCSI of the present invention, whether to perform a state transition is judged from the load averages of the two ends, and the state transition command is generated, according to the following encryption/decryption state transition rules:
(1) If L(Initiator) and L(Target) differ by less than Δd, the encryption/decryption task state remains unchanged;
(2) If L(Initiator) and L(Target) differ by more than Δd but the load values at both ends are less than LTH, the encryption/decryption task state remains unchanged;
(3) If L(Initiator) and L(Target) differ by more than Δd but the load values at both ends are greater than LTH, the encryption/decryption task state remains unchanged;
(4) If none of (1), (2) and (3) is met and L(Initiator) > L(Target):
    <1> if the current state is state 2, the state transition command is to convert state 2 to state 1;
    <2> if the current state is state 3, the state transition command is to convert state 3 to state 1;
    <3> if the current state is state 4, the state transition command is to convert state 4 to state 3;
    <4> if the current state is state 1, the encryption/decryption task state remains unchanged;
(5) If none of (1), (2) and (3) is met and L(Initiator) < L(Target):
    <1> if the current state is state 1, the state transition command is to convert state 1 to state 2;
    <2> if the current state is state 2, the state transition command is to convert state 2 to state 4;
    <3> if the current state is state 3, the state transition command is to convert state 3 to state 4;
    <4> if the current state is state 4, the encryption/decryption task state remains unchanged;
(6) In any situation other than (1), (2), (3), (4) and (5), the encryption/decryption task state remains unchanged.
Δd is the threshold on the load difference between the initiator and the target, L(Initiator) is the initiator load average within the ΔT2 interval, L(Target) is the target load average within the ΔT2 interval, and LTH is the load threshold of the initiator and the target.
State 1: the initiator has no task and the target encrypts and decrypts. State 2: the initiator encrypts and the target decrypts. State 3: the initiator decrypts and the target encrypts. State 4: the initiator encrypts and decrypts and the target has no task.
In the self-adaptive encryption and decryption secure storage method based on iSCSI of the present invention, step S41 further comprises the following sub-steps:
S41. If a state transition is needed, the initiator switching controller sends a state transition command to the initiator encryption/decryption device and waits for that device's transition-complete reply;
S42. On receiving the state transition command, the initiator encryption/decryption device first stops accepting I/O requests issued by the upper layer and then checks whether any I/O request is currently executing; if there is, step S43 is performed; if there is not, step S44 is performed;
S43. If an I/O request is currently executing, wait until it has finished and then perform step S44;
S44. The initiator encryption/decryption device transitions the current initiator encryption/decryption task state to the state specified by the state transition command;
S45. After the initiator encryption/decryption task state transition completes, the initiator encryption/decryption device sends the initiator switching controller a reply that the initiator state transition is complete; on receiving that reply, the initiator switching controller sends the state transition command to the target converter and waits for the target's transition-complete reply;
S46. On receiving the state transition command, the target converter sends it to the target encryption/decryption device and waits for that device's transition-complete reply; on receiving the command, the target encryption/decryption device transitions the current encryption/decryption task state to the state specified by the command and sends a transition-complete reply to the target converter;
S47. On receiving the target encryption/decryption device's reply that the state transition succeeded, the target converter updates its own state information and sends the target transition-complete reply to the initiator encryption/decryption switching controller;
S48. On receiving the target transition-complete reply, the initiator encryption/decryption switching controller resumes accepting upper-layer I/O requests and sends the initiator switching controller a reply that acceptance of upper-layer I/O requests has resumed;
S49. The initiator switching controller receives the reply that acceptance of upper-layer I/O requests has resumed; at this point the whole encryption/decryption task state transition is complete, and step S1 is performed.
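Sub-steps S41 to S49 as a single-process simulation (an added example, not code from the patent). The `Session` class, its `on_step` hook and the `naive_switch` contrast case are hypothetical; a request handled while the two ends hold different states is counted as inconsistent (encrypted by both ends or by neither, per the state definitions), which is this example's reading of the strong-consistency requirement.

```python
from collections import deque


class Session:
    """One initiator/target pair; models only task state and I/O admission."""

    def __init__(self, state):
        self.initiator_state = state
        self.target_state = state
        self.accepting = True     # initiator device admits upper-layer I/O
        self.in_flight = []       # admitted, not yet completed
        self.held = deque()       # arrived while admission was paused
        self.processed = []       # (request, initiator_state, target_state)
        self.log = []

    def submit(self, request):
        """An upper-layer I/O request arrives at the initiator device."""
        if not self.accepting:
            self.held.append(request)
            return "held"
        self.in_flight.append(request)
        return "issued"

    def complete_one(self):
        """Finish the oldest in-flight request, recording both ends' states."""
        request = self.in_flight.pop(0)
        self.processed.append(
            (request, self.initiator_state, self.target_state))
        return request

    def _step(self, name, on_step):
        self.log.append(name)
        if on_step:
            on_step(name, self)   # lets a caller inject events at this step

    def switch(self, new_state, on_step=None):
        """Sub-steps S41-S49: pause, drain, switch initiator, then target."""
        self._step("S41", on_step)      # controller commands initiator device
        self.accepting = False
        self._step("S42", on_step)      # stop admitting upper-layer I/O
        if self.in_flight:
            while self.in_flight:
                self.complete_one()
            self._step("S43", on_step)  # waited for executing I/O to finish
        self.initiator_state = new_state
        self._step("S44", on_step)      # initiator device switched
        self._step("S45", on_step)      # reply sent; command goes to target
        self.target_state = new_state
        self._step("S46", on_step)      # target device switched and replied
        self._step("S47", on_step)      # target converter replies to initiator
        self.accepting = True
        while self.held:
            self.in_flight.append(self.held.popleft())
        self._step("S48", on_step)      # upper-layer I/O resumed
        self._step("S49", on_step)      # controller sees the transition done

    def naive_switch(self, new_state, on_step=None):
        """Contrast case: switches each end with no pause and no drain."""
        self.initiator_state = new_state
        self._step("initiator-switched", on_step)
        self.target_state = new_state
        self._step("target-switched", on_step)


def mixed_state_requests(session):
    """Requests handled while the two ends disagreed on the task split."""
    return [r for r, i, t in session.processed if i != t]


def arrive_during_s44(step, session):
    """Constructed event: a new write arrives while only one end has switched."""
    if step == "S44":
        session.submit("w2")


def finish_mid_switch(step, session):
    """Constructed event: the in-flight write completes between the switches."""
    if step == "initiator-switched":
        session.complete_one()


def demo():
    safe = Session(state=2)
    safe.submit("w1")
    safe.switch(1, arrive_during_s44)   # w1 drains first; w2 is held
    safe.complete_one()                 # w2 runs with both ends in state 1

    naive = Session(state=2)
    naive.submit("w1")
    naive.naive_switch(1, finish_mid_switch)
    return mixed_state_requests(safe), mixed_state_requests(naive)


if __name__ == "__main__":
    print(demo())
```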
In the self-adaptive encryption and decryption secure storage method based on iSCSI of the present invention, the initiator load value and load average and the target load value and load average are obtained from the following load calculation model:
$$\bar{L}(\mathrm{CPU}) = \left\{ \left[ \sum_{i=1}^{k} L_i(\mathrm{CPU}) \right] / k \right\} \times 100 = \left\{ \left[ L_1(\mathrm{CPU}) + L_2(\mathrm{CPU}) + \dots + L_k(\mathrm{CPU}) \right] / k \right\} \times 100$$
$$\bar{L}(M) = \left[ C(\mathrm{Used}) / C(\mathrm{All}) \right] \times 100$$
$$L(\mathrm{Server}) = \bar{L}(\mathrm{CPU}) \times W(\mathrm{CPU}) + \bar{L}(M) \times W(M)$$
$$W(\mathrm{CPU}) + W(M) = 1$$
$$\bar{L}(\mathrm{Server}) = \left[ \sum_{j=1}^{n} L_j(\mathrm{Server}) \right] / n = \left[ L_1(\mathrm{Server}) + L_2(\mathrm{Server}) + \dots + L_n(\mathrm{Server}) \right] / n$$
Figure BDA0000466353830000081
Here L(Server) is the overall load of the server; k is the number of CPU cores in the server; $\bar{L}(\mathrm{CPU})$ is the average CPU load of the server; C(Used) is the server's current memory usage; C(All) is the total physical memory of the server; W(CPU) is the weight of the CPU load in the overall server load; and W(M) is the weight of the memory load in the overall server load. $\bar{L}(\mathrm{Server})$ is the average load of the server within ΔT2; ΔT2 is the interval at which the switching controller makes a transition decision; ΔT1 is the interval at which the load calculator collects the server load; and $L_j(\mathrm{Server})$ is the overall server load in the j-th ΔT1 interval. The server is either the initiator server or the target server.
Therefore, the present invention achieves the following beneficial effects. The combination of encryption and decryption tasks and the state transitions are carried out dynamically according to the load at the iSCSI initiator and target; the encryption and decryption tasks of the heavily loaded end are partly or wholly migrated to the lightly loaded end, so the computation is apportioned according to load. This eliminates the performance bottleneck and greatly improves the performance of the iSCSI secure storage system. At the same time, strong consistency of the transmitted data is guaranteed while the initiator and the target perform a state transition, which avoids catastrophic consequences such as data becoming unrecognizable.
Brief description of the drawings
The invention is further described below with reference to the drawings and embodiments. In the drawings:
Fig. 1 is a structural diagram of the self-adaptive encryption and decryption secure storage system based on iSCSI of the present invention;
Fig. 2 is a workflow diagram of the self-adaptive encryption and decryption secure storage method based on iSCSI of the present invention;
Fig. 3 is a schematic diagram of the encryption/decryption task state transition rules in the method of the present invention;
Fig. 4 is a flow chart of encryption/decryption task switching in the method of the present invention;
Fig. 5 is a flow chart of how strong data consistency is guaranteed in the method of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it. In addition, the technical features involved in the various embodiments described can be combined with one another as long as they do not conflict.
Fig. 1 is a structural diagram of the self-adaptive encryption and decryption secure storage system based on iSCSI of the present invention. As shown in Fig. 1, the system comprises an iSCSI initiator (start end) module and a target (destination end) module. The initiator module comprises an initiator load calculator, an initiator switching controller and an initiator encryption/decryption device connected in sequence; the target module comprises a target load calculator, a target converter and a target encryption/decryption device connected in sequence.
The initiator load calculator collects initiator load information every ΔT1 and calculates the initiator load value with the load calculation model, as a measure of how busy the initiator's server currently is. The initiator load calculator then passes the initiator load value to the initiator switching controller.
The target load calculator collects target load information every ΔT1 and calculates the target load value with the load calculation model, as a measure of how busy the target's server currently is. The target load calculator then passes the target load value to the target converter, which sends it on to the initiator switching controller.
The initiator switching controller collects the load values of the initiator and the target, calculates every ΔT2 the load averages of the two ends over that interval, and judges according to the encryption/decryption state transition rules whether an encryption/decryption state transition is needed. If it is, the controller sends a state transition command to the initiator encryption/decryption device and to the target; if it is not, the current state is kept unchanged. The initiator switching controller is the decision hub of the whole system and its most central module. The target converter is only responsible for sending the target load information to the initiator and receiving the state transition commands sent by the initiator switching controller.
The encryption/decryption devices of the target and the initiator have the same function. The initiator encryption/decryption device changes its encryption/decryption state according to the state transition command sent by the initiator switching controller and carries out the encryption and decryption tasks; the target encryption/decryption device changes its encryption/decryption state according to the state transition command sent by the target converter and carries out the encryption and decryption tasks.
In the self-adaptive encryption and decryption secure storage system based on iSCSI of the present invention, the initiator switching controller and the target converter exchange load information and state transition commands over a TCP connection. In a preferred embodiment of the present invention, the initiator and the target are deployed on Linux; on each end, the switching controller (or converter) and the encryption/decryption device communicate through the Netlink mechanism, and the encryption/decryption device accepts the state transition command and performs the state transition. The initiator encryption/decryption device and the target encryption/decryption device encrypt and decrypt the data carried by the iSCSI protocol, guaranteeing that the data finally stored is ciphertext.
Fig. 2 is a flow chart of the self-adaptive encryption and decryption secure storage method based on iSCSI of the present invention. As shown in Fig. 2, the initiator and the target are first initialized to build the self-adaptive iSCSI encryption/decryption system: the hardware and system software are configured so that the iSCSI storage system runs normally, and then the self-adaptive encryption/decryption modules are loaded. In a preferred embodiment of the present invention, the initial encryption/decryption state is assumed to be state 1.
After initialization, the performance of the iSCSI secure storage system is optimized through the following steps:
S1. The iSCSI target collects the load information of the target server every ΔT1, calculates the target server load value with the load calculation model, and passes it to the initiator;
S2. The iSCSI initiator collects the load information of the initiator server every ΔT1, calculates the initiator server load value with the load calculation model, and passes it to the initiator switching controller;
S3. The iSCSI initiator obtains the initiator server load value and the target server load value and stores them in two separate circular queues to await processing. Every ΔT2 the initiator takes the load values for that ΔT2 interval out of the two circular queues and calculates the load averages of the initiator and the target within the interval;
S4. The initiator judges from the load averages and the encryption/decryption task state transition rules whether a state transition is needed. If not, step S1 is performed; if so, it generates a state transition command according to the rules and sends the command to the target;
S5. If the target does not receive a state transition command, step S1 is performed; if the target receives a state transition command, it carries out the encryption/decryption task state transition;
S6. After the target's encryption/decryption task state transition finishes, the target sends a transition-complete reply to the initiator; the initiator receives the target's reply, and the task state transition is complete.
In steps S1 and S2 above, the initiator load value and load average and the target load value and load average are obtained from the following load calculation model:
$$\bar{L}(\mathrm{CPU}) = \left\{ \left[ \sum_{i=1}^{k} L_i(\mathrm{CPU}) \right] / k \right\} \times 100 = \left\{ \left[ L_1(\mathrm{CPU}) + L_2(\mathrm{CPU}) + \dots + L_k(\mathrm{CPU}) \right] / k \right\} \times 100$$
$$\bar{L}(M) = \left[ C(\mathrm{Used}) / C(\mathrm{All}) \right] \times 100$$
$$L(\mathrm{Server}) = \bar{L}(\mathrm{CPU}) \times W(\mathrm{CPU}) + \bar{L}(M) \times W(M)$$
$$W(\mathrm{CPU}) + W(M) = 1$$
$$\bar{L}(\mathrm{Server}) = \left[ \sum_{j=1}^{n} L_j(\mathrm{Server}) \right] / n = \left[ L_1(\mathrm{Server}) + L_2(\mathrm{Server}) + \dots + L_n(\mathrm{Server}) \right] / n$$
Figure BDA0000466353830000115
Here L(Server) is the overall load of the server; k is the number of CPU cores in the server; $\bar{L}(\mathrm{CPU})$ is the average CPU load of the server; C(Used) is the server's current memory usage; C(All) is the total physical memory of the server; W(CPU) is the weight of the CPU load in the overall server load; and W(M) is the weight of the memory load in the overall server load. $\bar{L}(\mathrm{Server})$ is the average load of the server within ΔT2; ΔT2 is the interval at which the switching controller makes a transition decision; ΔT1 is the interval at which the load calculator collects the server load; and $L_j(\mathrm{Server})$ is the overall server load in the j-th ΔT1 interval. The server is either the initiator server or the target server.
Fig. 3 is a schematic diagram of the encryption/decryption task state transition rules in the self-adaptive encryption and decryption secure storage method based on iSCSI of the present invention. As shown in Fig. 3, the system has only 4 legal states, and the self-adaptive encryption/decryption system must be in exactly one of them at any time. State transitions must follow the arrows in the figure; there are six possible transition directions, and the direction is determined from the current system state and the load.
The states of the self-adaptive encryption/decryption system of the present invention are as follows:
Com(EDS) = (α, β)
α ∈ {(e,d), (Φ,d), (e,Φ), (Φ,Φ)}
β ∈ {(e,d), (Φ,d), (e,Φ), (Φ,Φ)}
where:
Com(EDS): the combination of initiator and target encryption/decryption tasks in the iSCSI adaptive secure storage system
α: the initiator's encryption/decryption task combination
β: the target's encryption/decryption task combination
e: encryption task
d: decryption task
Φ: idle (no task)
Table 1. Encryption/decryption task combinations of the adaptive system

State    Formal representation        Practical meaning
State 1  Com(EDS)=((Φ,Φ),(e,d))       Initiator has no task; target encrypts and decrypts
State 2  Com(EDS)=((e,Φ),(Φ,d))       Initiator encrypts; target decrypts
State 3  Com(EDS)=((Φ,d),(e,Φ))       Initiator decrypts; target encrypts
State 4  Com(EDS)=((e,d),(Φ,Φ))       Initiator encrypts and decrypts; target has no task
In the adaptive encryption and decryption secure storage system, the only legal states are the 4 shown in Table 1, and the state transition rules of the switching controller are as follows:
(1) If L(Initiator) and L(Target) differ by less than Δd, the encryption and decryption task state remains unchanged;
(2) If L(Initiator) and L(Target) differ by more than Δd but the load values of both ends are less than LTH, the encryption and decryption task state remains unchanged;
(3) If L(Initiator) and L(Target) differ by more than Δd but the load values of both ends are greater than LTH, the encryption and decryption task state remains unchanged;
(4) If none of (1), (2), (3) is satisfied and L(Initiator) > L(Target):
<1> If the current state is state 2, the state conversion command converts state 2 to state 1
<2> If the current state is state 3, the state conversion command converts state 3 to state 1
<3> If the current state is state 4, the state conversion command converts state 4 to state 3
<4> If the current state is state 1, the encryption and decryption task state remains unchanged
(5) If none of (1), (2), (3) is satisfied and L(Initiator) < L(Target):
<1> If the current state is state 1, the state conversion command converts state 1 to state 2
<2> If the current state is state 2, the state conversion command converts state 2 to state 4
<3> If the current state is state 3, the state conversion command converts state 3 to state 4
<4> If the current state is state 4, the encryption and decryption task state remains unchanged
(6) In any case other than (1), (2), (3), (4), (5), the encryption and decryption task state remains unchanged;
where
Δd: the load-difference threshold between the start end and the destination end; a state conversion is possible only when the difference is greater than this threshold, and it can be adjusted dynamically according to the actual application
L(Initiator): the start end load average
L(Target): the destination end load average
LTH: the load threshold of the start end and the destination end; a state conversion is possible only when one end is above this threshold and the other end is below it, and it can be adjusted dynamically according to the actual application
The switching controllers of the start end and the destination end make the state decision according to the 6 rules above. With these encryption and decryption state transition rules, the encryption and decryption tasks of the heavily loaded end can be partly or entirely migrated to the lightly loaded end, so that the computation is apportioned according to the load conditions. This eliminates the performance bottleneck and substantially improves the performance of the iSCSI secure storage system.
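The decision made by the start end switching controller under rules (1) to (6), with the load model's ΔT1 sampling and ΔT2 averaging, as an added Python example (not code from the patent). The class and function names, the sample loads, per-core loads given as fractions in [0, 1], and the handling of exact equality with Δd or LTH (treated as no conversion, following the threshold definitions) are assumptions.

```python
from collections import deque
from statistics import mean

# Rule (4): the start end is the busier side, so work moves to the destination end.
TOWARD_DESTINATION = {2: 1, 3: 1, 4: 3}
# Rule (5): the destination end is the busier side, so work moves to the start end.
TOWARD_START = {1: 2, 2: 4, 3: 4}


def server_load(core_loads, mem_used, mem_all, w_cpu=0.5):
    """L(Server) = avg CPU load x W(CPU) + memory load x W(M), W(CPU) + W(M) = 1.

    Assumption: each L_i(CPU) is a per-core utilisation fraction in [0, 1].
    """
    if not core_loads or mem_all <= 0 or not 0.0 <= w_cpu <= 1.0:
        raise ValueError("invalid load sample")
    l_cpu = sum(core_loads) / len(core_loads) * 100
    l_mem = mem_used / mem_all * 100
    return l_cpu * w_cpu + l_mem * (1.0 - w_cpu)


def next_state(current, l_init, l_tgt, delta_d, lth):
    """Apply rules (1)-(6) to the two load averages; return the state to move to."""
    if current not in (1, 2, 3, 4):
        raise ValueError("not one of the four legal states")
    # Rule (1); also covers rule (6), because equal loads never exceed delta_d.
    if abs(l_init - l_tgt) <= delta_d:
        return current
    # Rules (2) and (3): one end must be above LTH and the other below it.
    if not (max(l_init, l_tgt) > lth > min(l_init, l_tgt)):
        return current
    table = TOWARD_DESTINATION if l_init > l_tgt else TOWARD_START
    return table.get(current, current)   # sub-case <4>: already at the extreme


class SwitchingController:
    """Keeps the last n load values of each end in two circular queues."""

    def __init__(self, n, delta_d, lth, state):
        self.start_q = deque(maxlen=n)
        self.dest_q = deque(maxlen=n)
        self.n, self.delta_d, self.lth, self.state = n, delta_d, lth, state

    def report(self, l_start, l_dest):
        """Called every ΔT1 with the newest load value of each end."""
        self.start_q.append(l_start)
        self.dest_q.append(l_dest)

    def decide(self):
        """Called every ΔT2; with too few samples the state is kept."""
        if len(self.start_q) < self.n or len(self.dest_q) < self.n:
            return self.state
        return next_state(self.state, mean(self.start_q), mean(self.dest_q),
                          self.delta_d, self.lth)


def run_demo():
    """Constructed loads: start end overloaded for 9 samples, then balanced."""
    ctl = SwitchingController(n=3, delta_d=20, lth=60, state=4)
    samples = [(85, 20), (90, 25), (88, 22),
               (86, 24), (91, 21), (89, 23),
               (87, 22), (90, 20), (88, 25),
               (30, 28), (31, 29), (29, 30)]
    history = []
    for i, (l_start, l_dest) in enumerate(samples, 1):
        ctl.report(l_start, l_dest)
        if i % 3 == 0:                      # here ΔT2 = 3 x ΔT1
            ctl.state = ctl.decide()        # applied directly in this demo
            history.append(ctl.state)
    return history


if __name__ == "__main__":
    print(run_demo())
```

Starting from state 4, the work leaves the overloaded start end one step at a time (4 to 3, then 3 to 1), so a full migration takes two ΔT2 periods.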
Fig. 4 is a flow chart of the encryption and decryption task conversion in the iSCSI-based adaptive encryption and decryption secure storage method of the present invention. As shown in Fig. 4, the timer triggers the state conversion function every ΔT2, and the start end checks whether the circular queues hold enough load values. If they do, n groups of start end and destination end load values are taken from the two circular queues, and the load averages of the start end and the destination end are calculated. The start end switching controller makes the state conversion decision according to the encryption and decryption task state transition rules above; if a state conversion is needed, it generates a state conversion command and sends it to the start end encryption and decryption device and to the destination end converter.
After the start end encryption and decryption device has converted its state successfully, it generates a start-end state-conversion-complete reply and sends it to the start end switching controller, which modifies the start end state information. After the destination end encryption and decryption device has converted its state successfully, it generates a destination-end state-conversion-complete reply and sends it to the destination end converter, which then modifies the destination end state information. If a state-conversion-complete reply fails to be sent or received during this process, the system performs exception handling: the start end and the destination end each keep their original state, the timer is set, and the state conversion decision is made again at the next ΔT2.
Fig. 5 is a flow chart of the data consistency guarantee in the iSCSI-based adaptive encryption and decryption secure storage method of the present invention. Strong consistency of the data must be guaranteed while the start end and the destination end convert their states, and the data consistency guarantee is divided into the following two stages.
In the first stage, the start end switching controller decides whether to perform a state conversion from the load conditions of the two ends within ΔT2 and the encryption and decryption state transition rules. If no state conversion is performed, the original state is kept unchanged; if a state conversion is needed, the next state is given. Suppose the original state is state 1 and the next state is state 2. The start end switching controller then sends a state conversion command to the start end encryption and decryption device. After receiving the state conversion command, the start end encryption and decryption device first suspends receiving I/O requests issued by the upper layer, waits until the requests already received have been processed, and then changes the current state from state 1 to state 2. After the change, it sends a conversion-complete reply to the start end switching controller, and the first stage is complete.
In the second stage, the start end switching controller sends a state conversion command to the destination end converter. After receiving the state conversion command, the destination end converter sends it to the destination end encryption and decryption device, which converts the current state from state 1 to state 2 and sends a conversion-complete reply to the destination end converter. After receiving this reply, the destination end converter sends a destination-end state-conversion-complete reply to the start end switching controller. After receiving the destination end's state-conversion-complete reply, the start end switching controller sends the start end encryption and decryption device a command to resume upper-layer I/O. After receiving this command, the start end encryption and decryption device resumes processing upper-layer I/O and sends the start end switching controller a reply that the resumption succeeded. After receiving this reply, the start end switching controller modifies the system's global information, and the second stage is complete.
If any exception such as a timeout occurs during the conversion, the state conversion must be terminated and the original state restored. The two stages above guarantee strong consistency of the data while the start end and the destination end convert their states, and so avoid catastrophic consequences such as data that can no longer be recognized.
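The two-stage conversion described above, as an added Python example (not code from the patent) that records the state of both ends at each step and shows the abort path. The names, the injected faults and the direct revert of the destination end are assumptions; the patent does not say how the revert is delivered.

```python
class Cryptor:
    """Encryption/decryption device of one end; `state` is a Table 1 state number."""

    def __init__(self, state):
        self.state = state
        self.accepting_io = True   # only meaningful at the start end
        self.in_flight = 0         # I/O requests accepted but not yet finished

    def submit_io(self):
        """Upper layer issues a request; refused while a conversion is running."""
        if not self.accepting_io:
            return False
        self.in_flight += 1
        return True

    def finish_io(self):
        self.in_flight -= 1

    def pause_and_drain(self):
        """Stop taking new I/O, then let the requests already accepted finish."""
        self.accepting_io = False
        while self.in_flight:
            self.finish_io()

    def resume(self):
        self.accepting_io = True


def convert(start, dest, new_state, fault=None, trace=None):
    """Run one conversion; return True on success, False if it was aborted.

    fault (constructed failure injection): None, "command_lost" (the destination
    end never sees the command) or "reply_lost" (the destination end converts
    but its reply never reaches the start end switching controller).
    """
    trace = [] if trace is None else trace
    old_start, old_dest = start.state, dest.state

    # Stage 1: the start end stops I/O, drains, switches and replies.
    start.pause_and_drain()
    start.state = new_state
    trace.append(("stage1", start.state, dest.state, start.accepting_io))

    # Stage 2: the command goes to the destination converter, then its cryptor.
    if fault != "command_lost":
        dest.state = new_state
    reply_received = fault is None
    trace.append(("stage2", start.state, dest.state, start.accepting_io))

    if not reply_received:
        # Timeout: terminate the conversion and restore the original states.
        # Assumption: the destination end's revert is a direct assignment here.
        start.state, dest.state = old_start, old_dest
        trace.append(("abort", start.state, dest.state, start.accepting_io))

    start.resume()   # upper-layer I/O restarts only once both ends agree
    trace.append(("resume", start.state, dest.state, start.accepting_io))
    return reply_received


def io_ever_ran_on_mismatch(trace):
    """True if any trace point has I/O enabled while the two ends disagree."""
    return any(accepting and s != d for _, s, d, accepting in trace)


if __name__ == "__main__":
    for fault in (None, "command_lost", "reply_lost"):
        s, d, t = Cryptor(1), Cryptor(1), []
        print(fault, convert(s, d, 2, fault=fault, trace=t), t)
```

The trace makes the window visible: after stage 1 the ends disagree (state 2 versus state 1), which is why the start end keeps upper-layer I/O suspended until the destination end's reply arrives or the conversion is aborted.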
Those skilled in the art will readily understand that the foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (8)

1. An iSCSI-based adaptive encryption and decryption secure storage system, characterized in that the system comprises a start end and a destination end connected to each other,
The start end comprises a start end load calculator, a start end switching controller and a start end encryption and decryption device connected in sequence. The start end load calculator is used to collect start end load information every ΔT1 and calculate the start end load value; the start end switching controller is used to collect the load values of the start end and the destination end, calculate the load averages of the two ends every ΔT2, and judge from the load averages of the two ends whether to perform a state conversion: if no state conversion is performed, the state is kept unchanged; if a state conversion is performed, a state conversion command is sent to the destination end and to the start end encryption and decryption device respectively, so that the encryption and decryption tasks of the heavily loaded end can be partly or entirely migrated to the lightly loaded end; the start end encryption and decryption device is used to encrypt and decrypt iSCSI data and to accept the state conversion command, thereby realizing the state conversion and completing the task migration;
The destination end comprises a destination end load calculator, a destination end converter and a destination end encryption and decryption device connected in sequence. The destination end load calculator is used to collect destination end load information every ΔT1 and calculate the destination end load value; the destination end converter is used to send the destination end load value to the start end, receive the state conversion command and send the state conversion command to the destination end encryption and decryption device; the destination end encryption and decryption device is used to encrypt and decrypt iSCSI data and to accept the state conversion command, thereby realizing the state conversion and completing the task migration.
2. The iSCSI-based adaptive encryption and decryption secure storage system as claimed in claim 1, characterized in that judging from the load averages of the two ends whether to perform a state conversion, and generating the state conversion command, follows the following encryption and decryption state transition rules:
(1) If L(Initiator) and L(Target) differ by less than Δd, the encryption and decryption task state remains unchanged;
(2) If L(Initiator) and L(Target) differ by more than Δd but the load values of both ends are less than LTH, the encryption and decryption task state remains unchanged;
(3) If L(Initiator) and L(Target) differ by more than Δd but the load values of both ends are greater than LTH, the encryption and decryption task state remains unchanged;
(4) If none of (1), (2), (3) is satisfied and L(Initiator) > L(Target):
<1> If the current state is state 2, the state conversion command converts state 2 to state 1
<2> If the current state is state 3, the state conversion command converts state 3 to state 1
<3> If the current state is state 4, the state conversion command converts state 4 to state 3
<4> If the current state is state 1, the encryption and decryption task state remains unchanged
(5) If none of (1), (2), (3) is satisfied and L(Initiator) < L(Target):
<1> If the current state is state 1, the state conversion command converts state 1 to state 2
<2> If the current state is state 2, the state conversion command converts state 2 to state 4
<3> If the current state is state 3, the state conversion command converts state 3 to state 4
<4> If the current state is state 4, the encryption and decryption task state remains unchanged
(6) In any case other than (1), (2), (3), (4), (5), the encryption and decryption task state remains unchanged;
Δd is the load-difference threshold between the start end and the destination end, L(Initiator) is the start end load average within ΔT2, L(Target) is the destination end load average within ΔT2, and LTH is the load threshold of the start end and the destination end;
State 1 is: the start end has no task and the destination end encrypts and decrypts; state 2 is: the start end encrypts and the destination end decrypts; state 3 is: the start end decrypts and the destination end encrypts; state 4 is: the start end encrypts and decrypts and the destination end has no task.
3. The iSCSI-based adaptive encryption and decryption secure storage system as claimed in claim 1, characterized in that the start end switching controller controls the state conversion process and guarantees strong consistency of the transmitted data during the state conversion.
4. The iSCSI-based adaptive encryption and decryption secure storage system as claimed in claim 1, characterized in that the start end load value and load average and the destination end load value and load average are obtained according to the following load calculation model:
$$\bar{L}(\mathrm{CPU}) = \left\{\left[\sum_{i=1}^{k} L_i(\mathrm{CPU})\right] / k\right\} \times 100 = \left\{\left[L_1(\mathrm{CPU}) + L_2(\mathrm{CPU}) + \dots + L_k(\mathrm{CPU})\right] / k\right\} \times 100$$
$$\bar{L}(M) = \left[C(\mathrm{Used}) / C(\mathrm{All})\right] \times 100$$
$$L(\mathrm{Server}) = \bar{L}(\mathrm{CPU}) \times W(\mathrm{CPU}) + \bar{L}(M) \times W(M)$$
$$W(\mathrm{CPU}) + W(M) = 1$$
$$\bar{L}(\mathrm{Server}) = \left[\sum_{j=1}^{n} L_j(\mathrm{Server})\right] / n = \left[L_1(\mathrm{Server}) + L_2(\mathrm{Server}) + \dots + L_n(\mathrm{Server})\right] / n$$
Figure FDA0000466353820000039
Here L(Server) is the overall load of the server; k is the number of CPU cores in the server; $\bar{L}(\mathrm{CPU})$ is the average load of the server CPU; C(Used) is the server's current memory usage; C(All) is the total physical memory of the server; W(CPU) is the weight of the CPU load in the overall server load, and W(M) is the weight of the memory load in the overall server load; $\bar{L}(\mathrm{Server})$ is the average load of the server within ΔT2; ΔT2 is the interval at which the switching controller makes its conversion decision; ΔT1 is the interval at which the load calculator collects the server load; L_j(Server) is the overall server load in the j-th ΔT1 interval. The server is either the start end server or the destination end server.
5. An iSCSI-based adaptive encryption and decryption secure storage method, characterized in that the method comprises the following steps:
S1, the iSCSI start end collects start end server load information every ΔT1, calculates the start end load value, and passes it to the start end switching controller;
S2, the iSCSI destination end collects destination end server load information every ΔT1, calculates the destination end load value, and passes it to the start end;
S3, the iSCSI start end obtains the start end load value and the destination end load value and, every ΔT2, calculates the load averages of the start end and the destination end within ΔT2;
S4, the iSCSI start end switching controller judges from the load averages of the two ends whether to perform a state conversion; if no state conversion is needed, step S1 is performed; if a state conversion is needed, a state conversion command is sent to the start end encryption and decryption device and to the destination end, and the state conversion is carried out, so that the encryption and decryption tasks of the heavily loaded end can be partly or entirely migrated to the lightly loaded end.
6. The iSCSI-based adaptive encryption and decryption secure storage method as claimed in claim 5, characterized in that judging from the load averages of the two ends whether to perform a state conversion, and generating the state conversion command, follows the following encryption and decryption state transition rules:
(1) If L(Initiator) and L(Target) differ by less than Δd, the encryption and decryption task state remains unchanged;
(2) If L(Initiator) and L(Target) differ by more than Δd but the load values of both ends are less than LTH, the encryption and decryption task state remains unchanged;
(3) If L(Initiator) and L(Target) differ by more than Δd but the load values of both ends are greater than LTH, the encryption and decryption task state remains unchanged;
(4) If none of (1), (2), (3) is satisfied and L(Initiator) > L(Target):
<1> If the current state is state 2, the state conversion command converts state 2 to state 1
<2> If the current state is state 3, the state conversion command converts state 3 to state 1
<3> If the current state is state 4, the state conversion command converts state 4 to state 3
<4> If the current state is state 1, the encryption and decryption task state remains unchanged
(5) If none of (1), (2), (3) is satisfied and L(Initiator) < L(Target):
<1> If the current state is state 1, the state conversion command converts state 1 to state 2
<2> If the current state is state 2, the state conversion command converts state 2 to state 4
<3> If the current state is state 3, the state conversion command converts state 3 to state 4
<4> If the current state is state 4, the encryption and decryption task state remains unchanged
(6) In any case other than (1), (2), (3), (4), (5), the encryption and decryption task state remains unchanged;
Δd is the load-difference threshold between the start end and the destination end, L(Initiator) is the start end load average within ΔT2, L(Target) is the destination end load average within ΔT2, and LTH is the load threshold of the start end and the destination end;
State 1 is: the start end has no task and the destination end encrypts and decrypts; state 2 is: the start end encrypts and the destination end decrypts; state 3 is: the start end decrypts and the destination end encrypts; state 4 is: the start end encrypts and decrypts and the destination end has no task.
7. The iSCSI-based adaptive encryption and decryption secure storage method as claimed in claim 5, characterized in that step S4 further comprises the following sub-steps:
S41, if a state conversion is needed, the start end switching controller sends a state conversion command to the start end encryption and decryption device and waits for the start end encryption and decryption device's state-conversion-complete reply;
S42, after receiving the state conversion command, the start end encryption and decryption device first suspends processing of I/O requests issued by the upper layer, and then judges whether there is currently an I/O request in progress; if there is, step S43 is performed; if there is not, step S44 is performed;
S43, if there is currently an I/O request in progress, wait until it has finished and then perform step S44;
S44, the start end encryption and decryption device converts the current start end encryption and decryption task state to the corresponding state according to the state conversion command;
S45, after the start end encryption and decryption task state conversion is complete, the start end encryption and decryption device sends the start-end state-conversion-complete reply to the start end switching controller; after receiving that reply, the start end switching controller sends a state conversion command to the destination end converter and waits for the destination-end state-conversion-complete reply;
S46, after receiving the state conversion command, the destination end converter sends the state conversion command to the destination end encryption and decryption device and waits for the destination end encryption and decryption device's state-conversion-complete reply; after receiving the state conversion command, the destination end encryption and decryption device converts the current encryption and decryption task state to the corresponding state according to the command and sends the state-conversion-complete reply to the destination end converter;
S47, after receiving the reply that the destination end encryption and decryption device's state conversion succeeded, the destination end converter modifies its state information and sends the destination-end state-conversion-complete reply to the start end switching controller;
S48, after receiving the destination-end state-conversion-complete reply, the start end switching controller sends the start end encryption and decryption device a command to resume processing upper-layer I/O requests; after receiving the command, the start end encryption and decryption device resumes processing upper-layer I/O requests and sends the start end switching controller a reply that the resumption is complete;
S49, the start end switching controller receives the reply that processing of upper-layer I/O requests has resumed; at this point the whole encryption and decryption task state conversion is complete, and step S1 is performed.
8. The iSCSI-based adaptive encryption and decryption secure storage method as claimed in claim 5, characterized in that the start end load value and load average and the destination end load value and load average are obtained according to the following load calculation model:
$$\bar{L}(\mathrm{CPU}) = \left\{\left[\sum_{i=1}^{k} L_i(\mathrm{CPU})\right] / k\right\} \times 100 = \left\{\left[L_1(\mathrm{CPU}) + L_2(\mathrm{CPU}) + \dots + L_k(\mathrm{CPU})\right] / k\right\} \times 100$$
$$\bar{L}(M) = \left[C(\mathrm{Used}) / C(\mathrm{All})\right] \times 100$$
$$L(\mathrm{Server}) = \bar{L}(\mathrm{CPU}) \times W(\mathrm{CPU}) + \bar{L}(M) \times W(M)$$
$$W(\mathrm{CPU}) + W(M) = 1$$
$$\bar{L}(\mathrm{Server}) = \left[\sum_{j=1}^{n} L_j(\mathrm{Server})\right] / n = \left[L_1(\mathrm{Server}) + L_2(\mathrm{Server}) + \dots + L_n(\mathrm{Server})\right] / n$$
Figure FDA0000466353820000065
Here L(Server) is the overall load of the server; k is the number of CPU cores in the server; $\bar{L}(\mathrm{CPU})$ is the average load of the server CPU; C(Used) is the server's current memory usage; C(All) is the total physical memory of the server; W(CPU) is the weight of the CPU load in the overall server load, and W(M) is the weight of the memory load in the overall server load; $\bar{L}(\mathrm{Server})$ is the average load of the server within ΔT2; ΔT2 is the interval at which the switching controller makes its conversion decision; ΔT1 is the interval at which the load calculator collects the server load; L_j(Server) is the overall server load in the j-th ΔT1 interval. The server is either the start end server or the destination end server.
CN201410052455.8A 2014-02-17 2014-02-17 Self-adaption encryption and decryption security storage system and method based on ISCSI Active CN103812867B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant