CN107634950A - A method for offloading the SSL/TLS protocol using a pipelined hardware design - Google Patents

Publication number
CN107634950A
Authority
CN
China
Prior art keywords
hardware
data
design
module
data block
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710858441.9A
Other languages
Chinese (zh)
Inventor
肖春华
付晓翔
潘妍樾
李鹏达
张蕾
谢玉华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chongqing University
Original Assignee
Chongqing University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chongqing University
Priority to CN201710858441.9A
Publication of CN107634950A
Current legal status: Pending

Landscapes

  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a novel I/O path design for hardware acceleration in https applications, directed mainly at the hardware functions used in secure communication and at the I/O path over which data moves between the modules. The design mainly comprises: a new data transmission interface and the associated hardware configuration interface; new hardware that replaces the corresponding SSL protocol functions and adds an aggregated encryption function; the data structures the new hardware requires; and the pipelined operation of the new hardware's modules together with asynchronous parallel operation between modules. The upper-layer application submits the raw data directly to the new hardware through the new data transmission interface. The hardware segments the data and reserves space as the task requires, and in the hardware engine layer the functional modules work in a pipelined, asynchronous, parallel manner to maximize the CPU load offloaded to hardware. The design simplifies the upper-layer application's business logic during secure data transmission, reduces CPU involvement in adding MAC values and encrypting request data, and lowers system load, improving overall system performance.

Description

A method for offloading the SSL/TLS protocol using a pipelined hardware design
Technical field
The present invention relates to the field of information security technology, and in particular to a method for offloading the SSL/TLS protocol using a pipelined hardware design.
Background
To protect sensitive data in transit, more and more governments, enterprises and banks are deploying SSL-based https communication. The Secure Sockets Layer (SSL) protocol is a secure network communication protocol that combines public-key and private-key techniques. SSL is a security protocol for Web applications introduced by Netscape. It specifies a layered mechanism that provides data security between application protocols (such as HTTP, Telnet, NNTP and FTP) and TCP/IP. It provides data encryption, server authentication, message integrity and optional client authentication for TCP/IP connections. Its main purpose is to improve the security of data exchanged between applications: transmitted data is encrypted and concealed so that communication between client and server applications cannot be eavesdropped on by an attacker, and data cannot be modified in transit, which ensures data integrity.
OpenSSL is an open-source security project whose goal is to implement Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) using strong encryption algorithms. It includes complete encryption algorithms, digital signature algorithms, certificate signing algorithms and so on, and can reliably guarantee the integrity, confidentiality and correctness of data.
Current hardware encryption/decryption systems in the WebServer field are designed in five layers: the WebServer application layer, the OpenSSL layer, the CryptoDev layer, the hardware encryption/decryption driver layer and the hardware encryption/decryption engine layer, as shown in Fig. 1. The WebServer application layer and the OpenSSL layer run in user space. The WebServer itself uses multithreading to maintain system load balancing, listens for users' connection requests and responds to client requests. While processing a client request, the WebServer relies on the encryption/decryption functions provided by OpenSSL to perform functions such as user authentication and security checks. Once https transmission is enabled, the data the WebServer needs to send goes through SSL data processing in OpenSSL before being transmitted to the client. OpenSSL sends encryption/decryption requests and message digest requests to CryptoDev. The CryptoDev layer and the hardware driver layer run in kernel space. CryptoDev converts the requests issued by the OpenSSL layer into requests that the hardware encryption/decryption driver recognizes and sends them to that driver. The driver builds each request into a data structure that the hardware encryption/decryption engine can recognize and places it in the engine's request queue. When the engine completes an encryption/decryption or message digest operation, it raises an interrupt and returns the result asynchronously.
Upward, OpenSSL responds to the various encryption/decryption and message digest requests submitted by the upper-layer Web application; downward, it interacts with the hardware driver to invoke the hardware encryption/decryption engine and return its results.
The upper-layer Web application issues an encryption/decryption request to OpenSSL. After performing SSL data processing on the raw data, OpenSSL issues the encryption/decryption request to the hardware, invoking the hardware encryption/decryption engine to carry out the operation. If the raw data in a request received by OpenSSL is larger than the SSL record layer's maximum source data length, OpenSSL splits the raw data into multiple data blocks of the SSL maximum source data length (the last data block may be smaller than the SSL maximum source data length).
An encryption/decryption request whose raw data size is n × the SSL maximum source data length must be split into n data blocks of that length for encryption. During computation each data block incurs two kernel-mode/user-mode switching overheads (Mode Switch) and context switching overhead (Context Switch). The conventional solution therefore has the following defect: an encryption request issued by the upper-layer WebServer to OpenSSL requires many calls to the hardware engine to complete, so https encryption generates a large amount of hardware mode-switch and context-switch overhead, which lowers the WebServer's https application performance and reduces the utilization of the hardware encryption engine.
Summary of the invention
The invention aims to design an I/O path that makes better use of hardware in https application scenarios. On this path, the Hash and related operations and the whole-block data encryption are all handed over to hardware. Realizing the path requires designing new hardware that combines the functions of the SSL protocol with aggregated data encryption, so that the functions the SSL protocol performs in software on data awaiting transmission are completed directly by hardware. The design simplifies the upper-layer application's secure-transmission flow, reduces CPU participation in the whole process, lowers system load and improves system performance.
The invention provides the design ideas for the new hardware used during secure data transmission and for the corresponding I/O path:
In the operating system, provide a new upper-layer application interface for configuring the hardware;
The manner in which upper-layer application code is modified;
Design new hardware that offloads the SSL protocol and performs integrated data encryption;
Design the data structures the new hardware requires.
Upper-layer application interface of the hardware: on top of the original data transmission interface, an additional upper-layer application interface is provided for setting information such as the key and initial vector used in the hardware encryption process.
The upper-layer application's original data transmission flow is modified accordingly, simplifying the existing flow. During initialization of secure transmission, the key and initial vector required for hardware encryption are configured. During data transmission, adding the MAC value, character padding, adding the random number and the other operations on the raw data are merged into a single operation, after which the data encryption module encrypts the data, and control finally returns to the upper layer to prepare for transmission.
The new hardware takes over Hash operations and data encryption from the upper-layer protocol. Adding the random number and character padding are closely tied to whole-block data encryption, so the hardware function is divided into four functional modules: MAC value addition, random number addition, character padding and data encryption, as shown in Fig. 3.
Hardware Hash module: using the key negotiated during the client connection and the selected Hash function, computes and adds a MAC for each segmented data block of 16KB.
Random number addition and character padding modules: according to the selected data encryption algorithm, add the explicit IV and padding in the space reserved in each data segment, so that the subsequent data encryption module can encrypt the entire request data normally.
Data encryption module: calls the encryption function module to encrypt together the segmented data blocks that have completed the first three operations, then raises an interrupt and returns to the upper layer.
Because the new hardware functionally merges SSL protocol offload with integrated data encryption, the data structure the hardware requires must be designed for both functions. The data structure needs to carry the information for the Hash operation, random number addition, character padding, aggregated encryption and so on.
More importantly, the invention makes the functional modules of the hardware engine operate as a pipeline, so that the first three functional modules can work in parallel. When the request data is very large, the pipelined design of the hardware modules and the asynchronous operation between modules speed up hardware processing considerably, improving the overall effect of offloading the CPU to hardware.
Brief description of the drawings
Fig. 1: Hardware-accelerated encryption/decryption system in the WebServer field
Fig. 2: Schematic of the data flow and hardware modules in the embodiment of the invention
Fig. 3: Flow chart of raw-data processing using the technical solution of the invention in the embodiment
Embodiment
To make the purpose, technical solution and advantages of the invention clearer, the invention is further explained below with reference to Fig. 2. The embodiment does not limit the embodiments of the invention.
The embodiment of the invention is illustrated using the Nginx server application as an example.
When transmitting data over the https protocol, Nginx first negotiates with the client during the handshake the algorithm to be used for encryption, the corresponding key, the initial vector and other information. With the new I/O flow designed here, the handshake must additionally use the negotiated results to set the corresponding algorithm, key, initial vector and other information through the newly provided data transmission control interface.
Nginx hands the client's request data directly to the new hardware through the API, together with the negotiated key and some initialization information. The hardware driver layer must segment the request data and reserve space: according to the negotiated encryption algorithm, it reserves 16 bytes of storage in each data segment for the explicit IV to be added during processing, reserves 48 bytes of storage for the computed MAC value, and reserves the corresponding storage for the byte padding operation.
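The driver-layer step just described (segment into 16KB blocks, reserve 16 bytes for the explicit IV, 48 bytes for the MAC and room for padding), as an added C example that is not code from the patent. The `seg_layout` struct and the function names are hypothetical, and the IV, data, MAC, padding ordering with a 16-byte cipher block is an assumption taken from the TLS CBC record layout; the patent does not specify the layout.

```c
#include <stddef.h>
#include <stdio.h>

#define SEG_SIZE   (16 * 1024) /* segment size stated in the description */
#define IV_LEN     16          /* bytes reserved for the explicit IV */
#define MAC_LEN    48          /* bytes reserved for the MAC value */
#define CIPHER_BLK 16          /* assumption: 16-byte CBC cipher block */

/* Hypothetical per-segment descriptor; offsets index one shared buffer. */
struct seg_layout {
    size_t iv_off;   /* reserved explicit-IV slot */
    size_t data_off; /* plaintext fragment */
    size_t data_len;
    size_t mac_off;  /* reserved MAC slot */
    size_t pad_off;  /* reserved padding, ends with the length byte */
    size_t pad_len;  /* 1..CIPHER_BLK, length byte included */
    size_t total;    /* bytes the segment occupies in the buffer */
};

/* Number of segments, written so that huge lengths cannot overflow. */
size_t seg_count(size_t len)
{
    return len / SEG_SIZE + (len % SEG_SIZE != 0);
}

/* TLS CBC padding: data + MAC + padding must fill whole cipher blocks,
 * and at least one byte (the padding-length byte) is always present. */
size_t cbc_pad_len(size_t data_len)
{
    return CIPHER_BLK - (data_len + MAC_LEN) % CIPHER_BLK;
}

/* Plan the buffer for a request of len bytes. Fills out[0..n-1] and
 * returns the buffer size to allocate, or 0 if len is 0 or cap is short. */
size_t plan_segments(size_t len, struct seg_layout *out, size_t cap)
{
    size_t n = seg_count(len), off = 0, left = len;
    if (n == 0 || n > cap)
        return 0;
    for (size_t i = 0; i < n; i++) {
        struct seg_layout *s = &out[i];
        s->data_len = left < SEG_SIZE ? left : SEG_SIZE;
        s->pad_len  = cbc_pad_len(s->data_len);
        s->iv_off   = off;
        s->data_off = s->iv_off + IV_LEN;
        s->mac_off  = s->data_off + s->data_len;
        s->pad_off  = s->mac_off + MAC_LEN;
        s->total    = IV_LEN + s->data_len + MAC_LEN + s->pad_len;
        off  += s->total;
        left -= s->data_len;
    }
    return off;
}

int main(void)
{
    struct seg_layout seg[8];
    size_t len = 40005; /* constructed request size */
    size_t need = plan_segments(len, seg, 8);
    for (size_t i = 0; i < seg_count(len); i++)
        printf("seg %zu: iv@%zu data@%zu(%zu) mac@%zu pad@%zu(%zu)\n",
               i, seg[i].iv_off, seg[i].data_off, seg[i].data_len,
               seg[i].mac_off, seg[i].pad_off, seg[i].pad_len);
    printf("buffer: %zu bytes for %zu payload bytes\n", need, len);
    return 0;
}
```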
The hardware engine is then invoked. It computes the MAC value of each data segment and fills it into the corresponding reserved space. A data segment that has completed the MAC operation can immediately have the random number addition module add the explicit IV in its reserved space, without waiting for all data to finish the MAC operation before character padding and random number addition are performed ahead of encryption. Likewise, a data segment that has had its random number added can have its character padding completed according to the encrypted-data length requirement of the negotiated encryption algorithm. Finally, the data encryption module performs hardware aggregated encryption on the request data whose SSL data processing is complete. The hardware has then completed all of its functions and raises an interrupt to return to the upper-layer application.
The invention sends the server's SSL and encryption request data to the hardware in one pass, rather than transferring it in the 16KB units of the MAC operation, so transferring one data request to the hardware produces only one switch between user mode and kernel mode. Inside the hardware the modules work continuously, without the frequent context-switch overhead of earlier designs. In addition, the pipelined operation between modules and the asynchronous, concurrent design of the hardware modules make the new hardware better suited to the task of offloading the SSL protocol.
The embodiment described above does not limit the invention. Any modification, equivalent substitution, improvement and the like made within the principles of the invention shall fall within the scope of protection of the invention.

Claims (5)

  1. A hardware offload method for the SSL/TLS protocol, characterized in that:
    when responding to an Https request, the server issues the N*16KB of pending data to the hardware layer in one pass. The hardware can, in a pipelined and concurrent manner, perform in place of the upper SSL layer the Hash operation on the data blocks and the whole-block data encryption.
  2. A method for implementing the hardware operation of claim 1, characterized by comprising the following functions:
    A) the underlying hardware engine comprises four functional modules: Hash operation, random number addition, byte padding and whole-block encryption;
    B) the hardware driver layer does some preparation so that the hardware can work independently and in parallel: it divides the data into N small data blocks of 16KB and, for each data block, reserves space of the specified size at the proper position according to the predetermined Hash and encryption algorithm;
    C) the data is passed to the hardware as a whole block rather than each small data block being passed separately, so only one user-mode/kernel-mode transition occurs, reducing switching overhead.
  3. The method according to claim 2, characterized in that the operation of the hardware driver layer is specifically:
    A) segment the encryption/decryption request data passed down from the OpenSSL layer into N small data blocks of 16KB;
    B) for each data block, reserve at the specified positions, according to the preset Hash and encryption algorithm, the address space for the Hash operation, random number addition and byte padding;
    C) invoke the hardware engine modules to start working.
  4. The method according to claim 2, characterized in that the operation of the hardware engine is specifically:
    A) the driver first calls the hardware's Hash operation module to add a MAC value to each data block, after which the random number addition and character padding modules perform their operations in turn; the modules execute back to back, with no context-switch overhead;
    B) the data blocks pass through the three modules in pipelined form, completing the Hash operation, random number addition and character padding;
    C) the encryption module encrypts together the N*16KB of data that has completed the first three operations, then raises an interrupt and returns to the upper layer.
  5. The method according to claim 4, characterized in that the first three functional modules of the hardware engine support pipelined operation; when the data volume is large, this concurrent execution improves the working efficiency of the hardware and, overall, improves the effect of hardware offload.
CN201710858441.9A 2017-09-19 2017-09-19 A method for offloading the SSL/TLS protocol using a pipelined hardware design Pending CN107634950A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710858441.9A CN107634950A (en) 2017-09-19 2017-09-19 A method for offloading the SSL/TLS protocol using a pipelined hardware design

Publications (1)

Publication Number Publication Date
CN107634950A true CN107634950A (en) 2018-01-26

Family

ID=61101471

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710858441.9A Pending CN107634950A (en) 2017-09-19 2017-09-19 A method for offloading the SSL/TLS protocol using a pipelined hardware design

Country Status (1)

Country Link
CN (1) CN107634950A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111159780A (en) * 2019-12-30 2020-05-15 普联技术有限公司 Hardware encryption method, hardware decryption method and hardware decryption device
CN112433824A (en) * 2020-12-28 2021-03-02 郑州信大先进技术研究院 Virtualization implementation architecture of password equipment
CN114489848A (en) * 2022-01-19 2022-05-13 华中科技大学 Task unloading method based on computable storage architecture and computable storage system
CN114489848B (en) * 2022-01-19 2024-02-02 华中科技大学 Task unloading method based on computable storage architecture and computable storage system
CN114546527A (en) * 2022-02-22 2022-05-27 复旦大学 Longitudinal multi-party data aggregation calculation solution system
CN114546527B (en) * 2022-02-22 2023-10-03 复旦大学 Longitudinal multiparty data aggregation calculation solution system

Similar Documents

Publication Publication Date Title
CN107634950A (en) A method for offloading the SSL/TLS protocol using a pipelined hardware design
CN108377189A (en) User's communication encrypting method, device, terminal device and storage medium on block chain
CN109660555A (en) Content safety sharing method and system based on proxy re-encryption
CN107533471A (en) Virtualization applications performance is improved by disabling unnecessary function
US11716206B2 (en) Certificate based security using post quantum cryptography
CN107426193A (en) For hardware-accelerated novel I/O paths design in a kind of https applications
CN109800588A (en) Bar code dynamic encrypting method and device, bar code dynamic decryption method and device
CN102065021B (en) IPSecVPN (Internet Protocol Security Virtual Private Network) realizing system and method based on NetFPGA (Net Field Programmable Gate Array)
CN109257347A (en) Communication means and relevant apparatus, storage medium suitable for data interaction between bank
WO2021129003A1 (en) Password management method and related device
WO2021129470A1 (en) Polynomial-based system and method for fully homomorphic encryption of binary data
CN105635114B (en) A kind of password method of calibration and system
CN117081736A (en) Key distribution method, key distribution device, communication method, and communication device
CN101789939B (en) Effective realization method for credible OpenSSH
CN103607417A (en) Network server supporting SSL protocol
US20210281608A1 (en) Separation of handshake and record protocol
CN113645235A (en) Distributed data encryption and decryption system and encryption and decryption method
CN107277018A (en) The method that a kind of utilization request/data aggregate improves WebServer https application performances
CN111901335A (en) Block chain data transmission management method and system based on middle station
KR101881117B1 (en) Security gateway that implements multiple communication cryptographic operation parallelism
CN102420740A (en) Method and system for managing keys of routing protocol
CN112906032B (en) File secure transmission method, system and medium based on CP-ABE and block chain
CN114611129A (en) Data privacy protection method and system
CN107135226A (en) Transport-layer proxy communication means based on socks5
CN107171786A (en) Network agent account control method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180126
