CN107257327B - High-concurrency SSL session management method - Google Patents

Info

Publication number
CN107257327B
Authority
CN
China
Prior art keywords
ssl
session
port
dst
src
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710380964.7A
Other languages
Chinese (zh)
Other versions
CN107257327A (en)
Inventor
宋伟
张玉军
肖冬冬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Minzu University of China
Original Assignee
Minzu University of China
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2017-05-25
Filing date
2017-05-25
Publication date
2020-12-29
Application filed by Minzu University of China
Priority to CN201710380964.7A
Publication of CN107257327A
Application granted
Publication of CN107257327B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/04 Protocols for data compression, e.g. ROHC
    • H04L69/06 Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a high-concurrency SSL session management method comprising the following steps: compressing the data fields of the protocol session object, using a five-tuple to uniquely identify each session structure, and thereby simplifying the SSL session object structure; efficiently managing the SSL session object structures through a large hash table; and timing each SSL session with a timer trigger mechanism. The invention can efficiently manage massive numbers of concurrent SSL sessions and meets the requirements of high-concurrency SSL session testing.

Description

High-concurrency SSL session management method
Technical Field
The invention relates to the field of SSL protocol product performance test, in particular to a high-concurrency SSL session management method.
Background
In recent years the rapid development of networks has brought convenience to people, but it has also brought a series of security risks. Because the traditional TCP/IP protocol family did not consider security in its design and information is transmitted over the network in unencrypted form, information in transit may be subjected to various attacks such as theft, tampering and unauthorized access, and the importance and urgency of network information security are increasingly evident.
Network security protocols were developed to ensure the secure transmission of network information. At present SSL, STT and SET are the main network security protocols. The SSL protocol is a secure network transmission protocol developed by Netscape; by establishing a secure transmission channel it protects data in several respects, including integrity, confidentiality and identity authentication. Information transfers with high security requirements, such as personal e-mail, internet banking and e-commerce websites, are all based on the SSL protocol. SSL has become an industry standard for secure communication over the internet and is widely used in internet client and server products. Because the information protected by SSL has extremely high security requirements, SSL products need to be tested to establish whether they actually provide the security functions claimed at protocol design time.
The SSL protocol sits at the session layer, between the application layer and the transport layer. It is a secure data exchange protocol that has been widely applied in networks, for example to secure application services such as HTTP, FTP, Telnet, SMTP and POP3; at the same time, a large number of systems based on Deep Packet Inspection (DPI) technology also support SSL. However, the gain in security comes with a loss of transmission performance: a large number of frequent SSL connections can sharply reduce the performance of a heavily loaded SSL server and even crash it. Since encrypting and decrypting SSL data is a very CPU-intensive task, inspecting SSL data is a significant performance problem for DPI systems.
To learn the performance of the network service provided by an SSL-based product and judge the quality of that service, some method or standard is required for performance testing the product. SSL session generation is the key to SSL protocol product performance testing, and how to manage high-concurrency SSL sessions automatically and efficiently is the key problem such testing must solve.
Disclosure of Invention
The invention aims to provide an automatic and efficient high-concurrency SSL session management method that manages million-scale concurrent SSL sessions efficiently and meets the requirements of high-concurrency SSL session performance testing.
The invention provides a high-concurrency SSL session management method comprising the following steps: simplifying the SSL session object structure by compressing the data fields of the protocol session object; efficiently managing the SSL session object structures through a large hash table; and timing each SSL session with a timer trigger mechanism.
The step of simplifying the SSL session object structure is specifically as follows:
each SSL client or server in the network is represented by one SSL session structure;
every session is uniquely identified by the standard five-tuple <type, src_ip, src_port, dst_ip, dst_port>;
the traffic scenario is determined: in a dual-arm traffic scenario a pair of session objects represents the SSL client and the SSL server respectively; in a single-arm traffic scenario a single session object is used;
the basic session structure consists of SSL_state, TCP_state, type, src_ip, src_port, dst_ip, dst_port, SSL_PCB, TCP_PCB, input/output buffer queues and a session timer, where SSL_state and TCP_state are protocol state machines implemented as finite state automata; type marks the class of the session object and defaults to the ssl type; src_ip, src_port, dst_ip and dst_port are the source address, source port, destination address and destination port respectively; SSL_PCB and TCP_PCB store the protocol's control and management data; the input and output buffer queues hold the session's inbound and outbound packet queues respectively; and the session timer times traffic events on the session object.
The step of efficiently managing the SSL session object structures through the large hash table specifically comprises:
computing the hash key of the table from the five-tuple with the following formula:
key = hash(type, src_ip, src_port, dst_ip, dst_port) = (type + src_ip + src_port + dst_ip + dst_port) %
using the key to locate the head of the bucket's linked list: if the head is null, no corresponding session exists; if the head is not null, the list is walked comparing each entry's five-tuple until the required session is found.
The step of timing the SSL session with a timer trigger mechanism specifically comprises:
installing one of a TCP retransmission timer, a delayed-ACK timer, a keep-alive timer or a TIME_WAIT timer on the session, and waiting until that timer expires to trigger execution of the next action.
The SSL session management method has the following advantages. The SSL session structure is simplified, which reduces the memory overhead of each protocol session object and raises the number of concurrent SSL sessions. Managing the SSL session object structures through the large hash table greatly reduces the cost of looking up a session object and the contention on session access, supports concurrent access to massive numbers of session objects, and improves the system's concurrent SSL session performance. In addition, compared with polling in a busy-wait loop, installing a session timer allows efficient and flexible management of SSL sessions and meets the requirements of high-concurrency SSL session testing.
Drawings
FIG. 1 is a flow chart of the high-concurrency SSL session management method according to the present invention;
FIG. 2 is a schematic diagram of the SSL session structure used in implementing the high-concurrency SSL session management method of the present invention;
FIG. 3 is a design diagram of hash-table-based SSL session management used in implementing the high-concurrency SSL session management method of the present invention;
FIG. 4 is a schematic diagram of the SSL session trigger mechanism used in implementing the high-concurrency SSL session management method of the present invention.
Detailed Description
The first embodiment is as follows. With reference to FIG. 1, this embodiment is a method for managing high-concurrency SSL sessions comprising the following steps: simplifying the SSL session object structure by compressing the data fields of the protocol session object; efficiently managing the SSL session object structures through a large hash table; and timing each SSL session with a timer trigger mechanism.
The second embodiment is as follows. This embodiment further limits the first embodiment: the step of simplifying the SSL session object structure by compressing the data fields of the protocol session object comprises:
representing each SSL client or server in the network by one SSL session structure;
uniquely identifying every session by the standard five-tuple <type, src_ip, src_port, dst_ip, dst_port>;
determining the traffic scenario: in a dual-arm traffic scenario a pair of session objects represents the SSL client and the SSL server respectively; in a single-arm traffic scenario a single session object is used;
representing the basic session structure by SSL_state, TCP_state, type, src_ip, src_port, dst_ip, dst_port, SSL_PCB, TCP_PCB, input/output buffer queues and a session timer, where SSL_state and TCP_state are protocol state machines implemented as finite state automata; type marks the class of the session object and defaults to the ssl type; src_ip, src_port, dst_ip and dst_port are the source address, source port, destination address and destination port respectively; SSL_PCB and TCP_PCB store the protocol's control and management data; the input and output buffer queues hold the session's inbound and outbound packet queues respectively; and the session timer times traffic events on the session object.
The third embodiment is as follows. This embodiment further limits the second embodiment: the step of efficiently managing the SSL session object structures through the large hash table comprises:
computing the hash key of the table from the five-tuple with the following formula:
key = hash(type, src_ip, src_port, dst_ip, dst_port) = (type + src_ip + src_port + dst_ip + dst_port) %
using the key to locate the head of the bucket's linked list: if the head is null, no corresponding session exists; if the head is not null, the list is walked comparing each entry's five-tuple until the required session is found.
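The session structure and hash-table lookup described in the Disclosure and in the second and third embodiments, written out in C as an added example; this is not the patent's own code. The page truncates the modulus in the key formula, so the bucket count SESSION_BUCKETS is an assumption, as are the opaque placeholders for the PCB and buffer-queue fields; the five-tuple key, the chained buckets and the dual-arm pair follow the page.

```c
#include <stdint.h>
#include <stdlib.h>

/* Bucket count is an assumption: the page gives the key as the five-tuple
 * sum modulo a value it does not state. */
#define SESSION_BUCKETS 65536u

enum { SESSION_TYPE_SSL = 0 };   /* default session type named on the page */

/* Basic session structure from the page. The PCB, buffer-queue and timer
 * fields are opaque placeholders here (assumption); the table keys on the
 * five-tuple only. */
struct ssl_session {
    uint8_t  ssl_state;            /* SSL protocol automaton state */
    uint8_t  tcp_state;            /* TCP protocol automaton state */
    uint8_t  type;
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    void    *ssl_pcb, *tcp_pcb;    /* protocol control blocks */
    void    *in_queue, *out_queue; /* inbound / outbound packet queues */
    uint32_t timer_expiry;         /* session timer */
    struct ssl_session *next;      /* chain within one hash bucket */
};

struct session_table {
    struct ssl_session *head[SESSION_BUCKETS];
    size_t count;
};

/* key = (type + src_ip + src_port + dst_ip + dst_port) % buckets, summed in
 * 32-bit unsigned arithmetic so overflow wraps instead of being undefined. */
uint32_t session_hash(uint8_t type, uint32_t src_ip, uint16_t src_port,
                      uint32_t dst_ip, uint16_t dst_port)
{
    uint32_t sum = (uint32_t)type + src_ip + src_port + dst_ip + dst_port;
    return sum % SESSION_BUCKETS;
}

static int tuple_equal(const struct ssl_session *s, uint8_t type,
                       uint32_t src_ip, uint16_t src_port,
                       uint32_t dst_ip, uint16_t dst_port)
{
    return s->type == type && s->src_ip == src_ip && s->src_port == src_port
        && s->dst_ip == dst_ip && s->dst_port == dst_port;
}

/* Locate the bucket head; a null head means no session, otherwise walk the
 * chain comparing full five-tuples (an equal key alone is not a match). */
struct ssl_session *session_lookup(struct session_table *t, uint8_t type,
                                   uint32_t src_ip, uint16_t src_port,
                                   uint32_t dst_ip, uint16_t dst_port)
{
    uint32_t key = session_hash(type, src_ip, src_port, dst_ip, dst_port);
    for (struct ssl_session *s = t->head[key]; s != NULL; s = s->next)
        if (tuple_equal(s, type, src_ip, src_port, dst_ip, dst_port))
            return s;
    return NULL;
}

/* Push a new session onto its bucket chain; refuse a duplicate five-tuple so
 * the tuple stays the unique identity of the session. */
struct ssl_session *session_insert(struct session_table *t, uint8_t type,
                                   uint32_t src_ip, uint16_t src_port,
                                   uint32_t dst_ip, uint16_t dst_port)
{
    if (session_lookup(t, type, src_ip, src_port, dst_ip, dst_port) != NULL)
        return NULL;
    struct ssl_session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->type = type;
    s->src_ip = src_ip;  s->src_port = src_port;
    s->dst_ip = dst_ip;  s->dst_port = dst_port;
    uint32_t key = session_hash(type, src_ip, src_port, dst_ip, dst_port);
    s->next = t->head[key];
    t->head[key] = s;
    t->count++;
    return s;
}

/* Dual-arm scenario: a pair of objects, one per side. The server object is
 * keyed by the reversed tuple, so the two halves of one connection are
 * distinct entries. A single-arm scenario calls session_insert once.
 * Returns 1 when both objects were created. */
int session_open_dual_arm(struct session_table *t,
                          uint32_t client_ip, uint16_t client_port,
                          uint32_t server_ip, uint16_t server_port,
                          struct ssl_session **client, struct ssl_session **server)
{
    *client = session_insert(t, SESSION_TYPE_SSL, client_ip, client_port,
                             server_ip, server_port);
    *server = session_insert(t, SESSION_TYPE_SSL, server_ip, server_port,
                             client_ip, client_port);
    return *client != NULL && *server != NULL;
}
```

Because the page's key is a plain sum, it is order-insensitive: the client and server halves of a dual-arm session hash to the same bucket and are told apart only by the full-tuple comparison in the chain, which is why that comparison is not optional. A traffic generator controls its own tuples, so the additive key is adequate there; a DPI system indexing tuples chosen by remote peers would want a keyed hash so that one bucket cannot be loaded up by crafted addresses and ports.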
The fourth embodiment is as follows. This embodiment further limits the first to third embodiments: the step of timing the SSL session with a timer trigger mechanism comprises:
installing one of a TCP retransmission timer, a delayed-ACK timer, a keep-alive timer or a TIME_WAIT timer on the session, and waiting until that timer expires to trigger execution of the next action.
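The timer trigger mechanism of the Disclosure and the fourth embodiment, as an added C example that is not the patent's code: each session carries one of the four timers the page names, a hashed timing wheel keeps install and expiry at constant cost per session, and expiry, not a polling loop, drives the next action. The wheel size, the reduced session fields, the exponential backoff of the retransmission timer and the TIME_WAIT to CLOSED transition are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* The four timer kinds the page names; a session holds at most one of them. */
enum timer_kind { TIMER_NONE, TIMER_RETRANSMIT, TIMER_DELAYED_ACK,
                  TIMER_KEEPALIVE, TIMER_TIME_WAIT };

enum tcp_state { TCP_ESTABLISHED, TCP_TIME_WAIT, TCP_CLOSED };

/* Reduced session view holding only what the timer path touches (assumption);
 * the counters record which action each expiry triggered. */
struct timed_session {
    enum tcp_state  tcp_state;
    enum timer_kind timer;
    uint32_t expiry;                 /* absolute tick at which the timer fires */
    unsigned retransmits, acks_sent, probes_sent;
    struct timed_session *tnext;     /* link within one wheel slot */
};

#define WHEEL_SLOTS 256u             /* wheel size is an assumption */

/* Hashed timing wheel: slot = expiry % WHEEL_SLOTS, so installing a timer and
 * advancing the clock cost O(1) per session regardless of how many are armed. */
struct timer_wheel {
    struct timed_session *slot[WHEEL_SLOTS];
    uint32_t now;
};

static void wheel_unlink(struct timer_wheel *w, struct timed_session *s)
{
    struct timed_session **pp = &w->slot[s->expiry % WHEEL_SLOTS];
    for (; *pp != NULL; pp = &(*pp)->tnext)
        if (*pp == s) { *pp = s->tnext; s->tnext = NULL; return; }
}

/* Install (or replace) the session's single timer to fire `delay` ticks from now. */
void timer_install(struct timer_wheel *w, struct timed_session *s,
                   enum timer_kind kind, uint32_t delay)
{
    if (s->timer != TIMER_NONE)
        wheel_unlink(w, s);
    if (delay == 0)
        delay = 1;                   /* the current slot has already been scanned */
    s->timer = kind;
    s->expiry = w->now + delay;
    uint32_t idx = s->expiry % WHEEL_SLOTS;
    s->tnext = w->slot[idx];
    w->slot[idx] = s;
}

/* The next action each expiry triggers. Retransmission re-arms itself with
 * exponential backoff (assumption); the other three are one-shot. */
static void timer_fire(struct timer_wheel *w, struct timed_session *s)
{
    enum timer_kind kind = s->timer;
    s->timer = TIMER_NONE;
    switch (kind) {
    case TIMER_RETRANSMIT:
        s->retransmits++;
        timer_install(w, s, TIMER_RETRANSMIT,
                      1u << (s->retransmits < 10 ? s->retransmits : 10));
        break;
    case TIMER_DELAYED_ACK: s->acks_sent++;  break;
    case TIMER_KEEPALIVE:   s->probes_sent++; break;
    case TIMER_TIME_WAIT:   s->tcp_state = TCP_CLOSED; break;
    default: break;
    }
}

/* Advance the clock one tick and fire every timer due now. Sessions parked in
 * the slot for a later rotation are re-queued. Returns the number fired. */
unsigned timer_tick(struct timer_wheel *w)
{
    w->now++;
    uint32_t idx = w->now % WHEEL_SLOTS;
    struct timed_session *s = w->slot[idx], *keep = NULL;
    w->slot[idx] = NULL;
    unsigned fired = 0;
    while (s != NULL) {
        struct timed_session *next = s->tnext;
        if (s->expiry == w->now) {
            s->tnext = NULL;
            timer_fire(w, s);
            fired++;
        } else {
            s->tnext = keep;
            keep = s;
        }
        s = next;
    }
    while (keep != NULL) {           /* put later-rotation entries back */
        struct timed_session *next = keep->tnext;
        keep->tnext = w->slot[idx];
        w->slot[idx] = keep;
        keep = next;
    }
    return fired;
}

/* Run `ticks` ticks of the clock and return the total number of timers fired. */
unsigned timer_run(struct timer_wheel *w, uint32_t ticks)
{
    unsigned total = 0;
    while (ticks-- > 0)
        total += timer_tick(w);
    return total;
}
```

The point of the wheel is the one the page makes against a busy-wait loop: a tick touches only the sessions whose slot is due, so a million idle sessions cost nothing until their timer comes up, and installing a replacement timer (for example a delayed ACK on a session that was waiting for a keep-alive) is a single unlink and relink.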
While the invention has been described with respect to specific embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (1)

1. A high-concurrency SSL session management method, characterized by comprising the following steps: simplifying the SSL session structure by compressing the data fields of the SSL session structure; efficiently managing the SSL session structures through a large hash table; and timing the SSL session with a timer trigger mechanism;
wherein the step of simplifying the SSL session structure by compressing the data fields of the SSL session structure comprises:
representing each SSL client or server in the network by one SSL session structure;
uniquely identifying every session by the standard five-tuple <type, src_ip, src_port, dst_ip, dst_port>;
determining the traffic scenario: in a dual-arm traffic scenario a pair of sessions represents the SSL client and the SSL server respectively; in a single-arm traffic scenario a single session is used;
representing the SSL session structure by SSL_state, TCP_state, type, src_ip, src_port, dst_ip, dst_port, SSL_PCB, TCP_PCB, input/output buffer queues and a session timer, wherein SSL_state and TCP_state are protocol state machines implemented as finite state automata; type marks the session type and defaults to the ssl type; src_ip, src_port, dst_ip and dst_port are the source address, source port, destination address and destination port respectively; SSL_PCB and TCP_PCB store the protocol's control and management data; the input and output buffer queues hold the session's inbound and outbound packet queues respectively; and the session timer times traffic events on the session;
the step of efficiently managing the SSL session structures through the large hash table comprises:
computing the hash key of the table from the five-tuple with the following formula:
key = hash(type, src_ip, src_port, dst_ip, dst_port) = (type + src_ip + src_port + dst_ip + dst_port) %
using the key to locate the head of the bucket's linked list: if the head is null, no corresponding session exists; if the head is not null, the list is walked comparing each entry's five-tuple until the required session is found;
the step of timing the SSL session with a timer trigger mechanism comprises:
installing one of a TCP retransmission timer, a delayed-ACK timer, a keep-alive timer or a TIME_WAIT timer on the session, and waiting until that timer expires to trigger execution of the next action.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710380964.7A CN107257327B (en) 2017-05-25 2017-05-25 High-concurrency SSL session management method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710380964.7A CN107257327B (en) 2017-05-25 2017-05-25 High-concurrency SSL session management method

Publications (2)

Publication Number Publication Date
CN107257327A CN107257327A (en) 2017-10-17
CN107257327B true CN107257327B (en) 2020-12-29

Family

ID=60027444

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710380964.7A Active CN107257327B (en) 2017-05-25 2017-05-25 High-concurrency SSL session management method

Country Status (1)

Country Link
CN (1) CN107257327B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8326839B2 (en) * 2009-11-09 2012-12-04 Oracle International Corporation Efficient file access in a large repository using a two-level cache
CN105359486A (en) * 2013-05-03 2016-02-24 思杰系统有限公司 Secured access to resources using a proxy
CN106209775A (en) * 2016-06-24 2016-12-07 深圳信息职业技术学院 Application type identification method and device for SSL-encrypted network traffic

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7447777B1 (en) * 2002-02-11 2008-11-04 Extreme Networks Switching system
CN102185723A (en) * 2011-05-27 2011-09-14 杭州迪普科技有限公司 Session management method and device
CN105338095A (en) * 2015-11-17 2016-02-17 中国建设银行股份有限公司 Session data processing method and device
CN106341417B (en) * 2016-09-30 2019-11-05 贵州白山云科技股份有限公司 HTTPS acceleration method and system based on a content delivery network

Also Published As

Publication number Publication date
CN107257327A (en) 2017-10-17

Similar Documents

Publication Publication Date Title
US11050786B2 (en) Coordinated detection and differentiation of denial of service attacks
EP2850770B1 (en) Transport layer security traffic control using service name identification
US8898451B2 (en) Method and system for monitoring encrypted data transmissions
EP1854243B1 (en) Mapping an encrypted https network packet to a specific url name and other data without decryption outside of a secure web server
WO2016082371A1 (en) Ssh protocol-based session parsing method and system
US20100050229A1 (en) Validating network security policy compliance
US11196712B1 (en) Proxy scraper detector
US10237151B2 (en) Attributing network address translation device processed traffic to individual hosts
US11240318B1 (en) Systems and methods for virtual multiplexed connections
Masumi et al. Towards efficient labeling of network incident datasets using tcpreplay and snort
CN111163102B (en) Data processing method and device, network equipment and readable storage medium
CN107257327B (en) High-concurrency SSL session management method
KR101971995B1 (en) Method for decryping secure sockets layer for security
CN110035041B (en) Method and equipment for identifying application attack source
CN113726757B (en) Verification method and device of HTTPS protocol client
CA2592713C (en) Method and system for monitoring encrypted data transmissions
TWI521928B (en) Malicious access to intercept methods and systems
US20130286887A1 (en) Communications flow analysis
CN117978447A (en) System and method for cross-network and cross-domain transmission based on physical isolation
CN116366318A (en) Network security engine acceleration method, device, equipment and storage medium
CN117319493A (en) Data processing method and device
CN117729048A (en) Communication transmission method, device, equipment and storage medium based on network protocol
CN111988319A (en) Access control method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant