CN107257327B - High-concurrency SSL session management method - Google Patents
- Publication number: CN107257327B (application CN201710380964.7A)
- Authority: CN (China)
- Prior art keywords: ssl, session, port, dst, src
- Legal status: Active
Classifications (all within H—ELECTRICITY, H04—ELECTRIC COMMUNICATION TECHNIQUE, H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L67/00—Network arrangements or protocols for supporting network services or applications
  - H04L67/14—Session management
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/16—Implementing security features at a particular protocol layer
  - H04L63/30—Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
  - H04L69/04—Protocols for data compression, e.g. ROHC
  - H04L69/06—Notations for structuring of protocol data, e.g. abstract syntax notation one [ASN.1]
Abstract
The invention provides a high-concurrency SSL session management method comprising the following steps: compressing the data fields of the protocol session object and uniquely representing each session by a quintuple, thereby simplifying the SSL session object structure; efficiently managing the SSL session object structures through a large hash table; and timing SSL sessions with a timer trigger mechanism. The invention can efficiently manage massive numbers of concurrent SSL sessions and meets the requirements of high-concurrency SSL session testing.
Description
Technical Field
The invention relates to the field of SSL protocol product performance testing, and in particular to a high-concurrency SSL session management method.
Background
In recent years, the rapid development of networks has brought convenience to people, but also a series of potential security hazards. Because the traditional TCP/IP protocol family did not consider security in its design, and information in the network is transmitted unencrypted, information in transit may be subjected to various attacks such as theft, tampering and unauthorized access, and the importance and urgency of network information security are increasingly highlighted.
In order to ensure the secure transmission of network information, network security protocols have been developed. At present, SSL, STT and SET are the main network security protocols. The SSL protocol is a network security transmission protocol developed by Netscape; by establishing a secure network transmission channel it provides integrity, confidentiality, identity authentication and other protections for data. Information transmission processes with high security requirements, such as personal e-mail, internet banking and e-commerce websites, are all based on the SSL protocol. The SSL protocol has become an industry standard for secure communication over the internet and is widely used in internet client and server products. Because the information protected by the SSL security protocol has extremely high security requirements, SSL products need to be tested in order to know whether they actually have the security functions claimed in the protocol design.
The SSL record protocol belongs to the session layer and is positioned between the application layer and the transport layer. The SSL protocol is a secure data exchange protocol that has been widely applied in networks, for example to secure application services such as HTTP, FTP, Telnet, SMTP and POP3; at the same time, a large number of systems based on Deep Packet Inspection (DPI) technology also support the SSL protocol. However, the improvement in security is accompanied by a decline in transmission performance: a large number of frequent SSL connection accesses can sharply reduce the performance of a heavily loaded SSL server and even crash it. Since encrypting and decrypting SSL data is a very CPU-intensive task, inspecting SSL data causes a significant performance problem for DPI systems.
In order to know the performance of the network service provided by an SSL-based product and to judge the quality of that service, a method or standard is required for performance testing the product. SSL session generation is the key to SSL protocol product performance testing, and how to manage high-concurrency SSL sessions automatically and efficiently is the key problem that such testing must solve.
Disclosure of Invention
The invention aims to provide an automatic and efficient high-concurrency SSL session management method that achieves efficient management of million-level concurrent SSL sessions and meets the requirements of high-concurrency SSL session performance testing.
The invention provides a high-concurrency SSL session management method comprising the following steps: simplifying the SSL session object structure by compressing the protocol session object data fields; efficiently managing the SSL session object structures through a large hash table; and timing the SSL session by using a timer trigger mechanism.
The step of simplifying the SSL session object structure specifically comprises:
representing each SSL client or server in the network by an SSL session structure;
uniquely representing all sessions by the standard quintuple <type, src_ip, src_port, dst_ip, dst_port>;
judging the traffic scenario: for a double-arm traffic scenario, a pair of session objects represents the SSL client and the SSL server respectively; for a single-arm traffic scenario, a single session object is used;
using SSL_state, TCP_state, type, src_ip, src_port, dst_ip, dst_port, SSL_PCB, TCP_PCB, an input/output buffer queue and a session timer to represent the basic session structure, where SSL_state and TCP_state are protocol state automata implemented as finite state automata; type marks the class of the session object and defaults to the ssl type; src_ip, src_port, dst_ip and dst_port respectively represent the source address, source port, destination address and destination port; SSL_PCB and TCP_PCB store the control and management data of the protocol; the input and output buffer queues respectively store the session's input and output packet queues; and the session timer times the traffic events on the session object.
The step of efficiently managing the SSL session object structure through the large hash table specifically comprises:
calculating the hash key of the hash table from the quintuple, using the following formula:
key=hash(type,src_ip,src_port,dst_ip,dst_port)=(type+src_ip+src_port+dst_ip+dst_port)%
and using the hash value to locate the head of the corresponding linked list; if the list head is null, no corresponding session exists; if the list head is not null, the session quintuples in the linked list are compared one by one to find the required session.
The step of timing the SSL session by using a timer trigger mechanism specifically comprises:
installing one of a TCP retransmission timer, a delayed-ACK timer, a keep-alive timer or a TIME_WAIT timer on the session, and waiting until the timer expires to trigger execution of the next action.
The SSL session management method has the following advantages. Simplifying the SSL session structure reduces the memory overhead of each protocol session object and so increases the number of concurrent SSL sessions. Managing the SSL session object structures through a large hash table greatly reduces session lookup overhead and session access conflicts, supports concurrent access to massive numbers of session objects, and improves the SSL concurrent session performance of the system. In addition, compared with cyclic-waiting triggering, installing a session timer allows efficient and flexible management of SSL sessions. Together these meet the requirements of high-concurrency SSL session testing.
Drawings
FIG. 1 is a flow chart of a method for managing high concurrent SSL sessions according to the present invention;
FIG. 2 is a schematic diagram of SSL session structure in the implementation process of the high-concurrency SSL session management method of the present invention;
FIG. 3 is a design diagram of SSL session management based on hash table in the implementation process of the highly concurrent SSL session management method of the present invention;
FIG. 4 is a schematic diagram of the SSL session triggering mechanism in the implementation process of the high-concurrency SSL session management method of the present invention.
Detailed Description
The first embodiment is as follows: with reference to FIG. 1, the present embodiment is a high-concurrency SSL session management method comprising the following steps: simplifying the SSL session object structure by compressing the protocol session object data fields; efficiently managing the SSL session object structures through a large hash table; and timing the SSL session by using a timer trigger mechanism.
The second embodiment is as follows: the present embodiment further limits the first embodiment, wherein the step of simplifying the SSL session object structure by compressing the protocol session object data fields comprises:
representing each SSL client or server in the network by an SSL session structure;
uniquely representing all sessions by the standard quintuple <type, src_ip, src_port, dst_ip, dst_port>;
judging the traffic scenario: for a double-arm traffic scenario, a pair of session objects represents the SSL client and the SSL server respectively; for a single-arm traffic scenario, a single session object is used;
using SSL_state, TCP_state, type, src_ip, src_port, dst_ip, dst_port, SSL_PCB, TCP_PCB, an input/output buffer queue and a session timer to represent the basic session structure, where SSL_state and TCP_state are protocol state automata implemented as finite state automata; type marks the class of the session object and defaults to the ssl type; src_ip, src_port, dst_ip and dst_port respectively represent the source address, source port, destination address and destination port; SSL_PCB and TCP_PCB store the control and management data of the protocol; the input and output buffer queues respectively store the session's input and output packet queues; and the session timer times the traffic events on the session object.
The third embodiment is as follows: the present embodiment further limits the second embodiment, wherein the step of efficiently managing the SSL session object structure through the large hash table comprises:
calculating the hash key of the hash table from the quintuple, using the following formula:
key=hash(type,src_ip,src_port,dst_ip,dst_port)=(type+src_ip+src_port+dst_ip+dst_port)%
and using the hash value to locate the head of the corresponding linked list; if the list head is null, no corresponding session exists; if the list head is not null, the session quintuples in the linked list are compared one by one to find the required session.
The fourth embodiment is as follows: the present embodiment further limits any of the first to third embodiments, wherein the step of timing the SSL session by using a timer trigger mechanism comprises:
installing one of a TCP retransmission timer, a delayed-ACK timer, a keep-alive timer or a TIME_WAIT timer on the session, and waiting until the timer expires to trigger execution of the next action.
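The quintuple-keyed hash table and the session timer of the steps above, worked through as an added example in C that is not the patent's or the applicant's own code. The table size NBUCKETS (standing in for the modulus the page leaves unstated), the field widths and the timer units are assumptions; the example also shows a property of the additive hash that the text does not spell out, namely that the two session objects of a double-arm scenario always share one bucket.

```c
/* Added example, not the patent's own code: a quintuple-keyed session table with chained
 * buckets and a per-session timer. NBUCKETS, field widths and timer units are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#define NBUCKETS 1024u  /* assumed table size; the page leaves the modulus unstated */

typedef struct session {
    uint8_t  type;                 /* session class; 0 = ssl (the default) */
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    int      ssl_state, tcp_state; /* FSM states; SSL_PCB/TCP_PCB and queues omitted */
    uint64_t timer_deadline;       /* session timer expiry; 0 = no timer installed */
    struct session *next;          /* bucket chain */
} session;
static session *table[NBUCKETS];

/* The patent's additive hash: (type+src_ip+src_port+dst_ip+dst_port) % table size.
 * Addition is commutative, so the client and server session objects of a double-arm
 * scenario (src/dst swapped) always land in the same bucket and lengthen one chain. */
unsigned quintuple_hash(uint8_t type, uint32_t sip, uint16_t sport,
                        uint32_t dip, uint16_t dport) {
    uint64_t sum = (uint64_t)type + sip + sport + dip + dport;
    return (unsigned)(sum % NBUCKETS);
}

/* Locate the bucket head; NULL means no session exists. Otherwise walk the chain
 * comparing the full quintuple, because equal hashes do not imply equal sessions. */
session *session_lookup(uint8_t type, uint32_t sip, uint16_t sport,
                        uint32_t dip, uint16_t dport) {
    for (session *s = table[quintuple_hash(type, sip, sport, dip, dport)]; s; s = s->next)
        if (s->type == type && s->src_ip == sip && s->src_port == sport &&
            s->dst_ip == dip && s->dst_port == dport)
            return s;
    return NULL;
}

/* Push a new session at the chain head; the quintuple is unique, so an existing
 * entry is returned instead of being duplicated. */
session *session_insert(uint8_t type, uint32_t sip, uint16_t sport,
                        uint32_t dip, uint16_t dport) {
    session *s = session_lookup(type, sip, sport, dip, dport);
    if (s) return s;
    if (!(s = calloc(1, sizeof *s))) return NULL;
    s->type = type; s->src_ip = sip; s->src_port = sport; s->dst_ip = dip; s->dst_port = dport;
    unsigned b = quintuple_hash(type, sip, sport, dip, dport);
    s->next = table[b]; table[b] = s;
    return s;
}

/* Install one timer (retransmission, delayed ACK, keep-alive or TIME_WAIT) on a session. */
void session_arm_timer(session *s, uint64_t now, uint64_t timeout) { s->timer_deadline = now + timeout; }

/* Timer sweep: sessions whose deadline has passed are unlinked and freed, so the next
 * action is driven by expiry rather than by cyclic waiting. Returns how many fired. */
size_t session_expire(uint64_t now) {
    size_t n = 0;
    for (unsigned b = 0; b < NBUCKETS; b++)
        for (session **pp = &table[b]; *pp; ) {
            session *s = *pp;
            if (s->timer_deadline && s->timer_deadline <= now) { *pp = s->next; free(s); n++; }
            else pp = &s->next;
        }
    return n;
}
```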
While the invention has been described with respect to specific embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (1)
1. A high-concurrency SSL session management method, characterized by comprising the following steps: a step of simplifying the SSL session structure by compressing the data fields of the SSL session structure; a step of efficiently managing the SSL session structure through a large hash table; and a step of timing the SSL session by using a timer trigger mechanism;
wherein the step of simplifying the SSL session structure by compressing the data fields of the SSL session structure comprises the following steps:
representing each SSL client or server in the network by an SSL session structure;
uniquely representing all sessions by the standard quintuple <type, src_ip, src_port, dst_ip, dst_port>;
judging the traffic scenario, and for a double-arm traffic scenario adopting a pair of sessions to represent the SSL client and the SSL server respectively; for a single-arm traffic scenario, adopting a single session representation;
using SSL_state, TCP_state, type, src_ip, src_port, dst_ip, dst_port, SSL_PCB, TCP_PCB, an input/output buffer queue and a session timer to represent the SSL session structure, wherein SSL_state and TCP_state are protocol state automata realized as finite state automata; type marks the session type and defaults to the ssl type; src_ip, src_port, dst_ip and dst_port respectively represent the source address, source port, destination address and destination port; SSL_PCB and TCP_PCB store the control and management data of the protocol; the input and output buffer queues respectively store the session's input and output packet queues; and the session timer times the traffic events on the session;
the steps for efficiently managing the SSL session structure through the large hash table are as follows:
calculating the hash value of the hash table by quintuple, wherein the calculation formula is as follows:
key=hash(type,src_ip,src_port,dst_ip,dst_port)=(type+src_ip+src_port+dst_ip+dst_port)%
the hash value is used to locate the head of the corresponding linked list; if the list head is null, the corresponding session does not exist, and if the list head is not null, the session quintuples in the linked list are compared one by one to find the required session;
the step of timing the SSL session by using a timer trigger mechanism comprises:
installing one of a TCP retransmission timer, a delayed-ACK timer, a keep-alive timer or a TIME_WAIT timer on the session, and waiting until the timer expires to trigger execution of the next action.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710380964.7A CN107257327B (en) | 2017-05-25 | 2017-05-25 | High-concurrency SSL session management method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107257327A CN107257327A (en) | 2017-10-17 |
CN107257327B true CN107257327B (en) | 2020-12-29 |
Family
ID=60027444
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107257327B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8326839B2 (en) * | 2009-11-09 | 2012-12-04 | Oracle International Corporation | Efficient file access in a large repository using a two-level cache |
CN105359486A (en) * | 2013-05-03 | 2016-02-24 | 思杰系统有限公司 | Secured access to resources using a proxy |
CN106209775A (en) * | 2016-06-24 | 2016-12-07 | 深圳信息职业技术学院 | The application type recognition methods of a kind of SSL encryption network flow and device |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7447777B1 (en) * | 2002-02-11 | 2008-11-04 | Extreme Networks | Switching system |
CN102185723A (en) * | 2011-05-27 | 2011-09-14 | 杭州迪普科技有限公司 | Session management method and device |
CN105338095A (en) * | 2015-11-17 | 2016-02-17 | 中国建设银行股份有限公司 | Conversation data processing method and device |
CN106341417B (en) * | 2016-09-30 | 2019-11-05 | 贵州白山云科技股份有限公司 | A kind of HTTPS acceleration method and system based on content distributing network |
- 2017-05-25: CN application CN201710380964.7A, patent CN107257327B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN107257327A (en) | 2017-10-17 |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |