CN115801236A - Encryption agent method, encryption agent module, agent device and storage medium - Google Patents

Encryption agent method, encryption agent module, agent device and storage medium Download PDF

Info

Publication number
CN115801236A
CN115801236A CN202211331745.7A CN202211331745A CN115801236A CN 115801236 A CN115801236 A CN 115801236A CN 202211331745 A CN202211331745 A CN 202211331745A CN 115801236 A CN115801236 A CN 115801236A
Authority
CN
China
Prior art keywords
layer
encryption
data
client
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211331745.7A
Other languages
Chinese (zh)
Inventor
张结辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sangfor Technologies Co Ltd filed Critical Sangfor Technologies Co Ltd
Priority to CN202211331745.7A priority Critical patent/CN115801236A/en
Publication of CN115801236A publication Critical patent/CN115801236A/en
Pending legal-status Critical Current

Links

Images

Abstract

The embodiment of the invention is suitable for the technical field of computers, and provides an encryption agent method, an encryption agent module, agent equipment and a storage medium, wherein the encryption agent method is applied to the agent equipment, the method is realized by the encryption agent module working in a user mode in the agent equipment, the encryption agent module comprises an encryption layer, a network protocol stack layer and a network card driving layer, and the network protocol stack comprises a transmission layer and a network layer; the method comprises the following steps: data transmission is carried out on the basis of the network card driving layer and at least one of the client side and the server side; the data received from the network card driving layer is sent to the encryption layer after being subjected to network protocol decapsulation based on the network protocol stack layer, or the data sent by the encryption layer is sent to the network card driving layer after being subjected to network protocol encapsulation; and respectively carrying out encryption handshake with the client and the server based on the encryption layer so as to respectively negotiate a communication key with the client and the server.

Description

Encryption agent method, encryption agent module, agent device and storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to an encryption agent method, an encryption agent module, an agent device, and a storage medium.
Background
In the related art, in order to implement audit management and control of a client and a server under encrypted transmission (such as an HTTPS protocol), a proxy server is generally used as a broker to handshake with the client and a service respectively, and negotiate a communication key with the client and the server respectively, so that the proxy server can obtain plaintext data of communication between the client and the server, thereby auditing and managing communication information. Therefore, the data transmission safety of enterprises is guaranteed, and the key information leakage is prevented.
However, the proxy server needs to establish an encrypted handshake connection and communicate with a large number of clients, and also needs to establish an encrypted handshake connection and communicate with a large number of servers (such as hundredths, fox, etc.), which may cause the resource consumption of the proxy server to be very large, further affecting the performance of the proxy server, and causing the communication between the clients and the servers to be affected.
Therefore, how to reduce resource consumption of the proxy server is an urgent technical problem to be solved in the present application.
Disclosure of Invention
In order to solve the above problem, embodiments of the present invention provide an encryption agent method, an encryption agent module, an agent device, and a storage medium, so as to at least solve the problem that the performance of the agent server is limited in the related art.
The technical scheme of the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides an encryption agent method, which is applied to an agent device, and is implemented by an encryption agent module operating in a user mode in the agent device, where the encryption agent module includes an encryption layer, a network protocol stack layer and a network card driver layer, and the network protocol stack includes a transmission layer and a network layer;
the method comprises the following steps:
performing data transmission based on the network card driving layer and at least one of a client and a server;
the data received from the network card driving layer is sent to the encryption layer after being subjected to network protocol decapsulation based on the network protocol stack layer, or the data sent by the encryption layer is sent to the network card driving layer after being subjected to network protocol encapsulation;
and respectively carrying out encryption handshake with the client and the server based on the encryption layer so as to respectively negotiate a communication key with the client and the server.
In the above scheme, the transport layer is a transmission control protocol TCP layer; the TCP layer includes: a communication sequence number mechanism, a data packet reassembly mechanism and a data packet segmentation mechanism to realize a data forwarding function between the client and the server.
In the above scheme, the TCP layer has no congestion control mechanism specified in the TCP protocol.
In the above solution, the TCP layer does not have a sliding window mechanism specified in the TCP protocol; and the TCP layer forwards a receiving window rwnd field sent by the client or the server to an opposite terminal.
In the above scheme, the TCP layer further includes: a data packet timeout retransmission mechanism.
In the above scheme, the TCP layer consists of the following four mechanisms: a communication sequence number mechanism, a data packet recombination mechanism, a data packet segmentation mechanism and a data packet overtime retransmission mechanism.
In the above solution, the specific steps of the communication sequence number mechanism include:
receiving first encrypted data sent by a client through the encryption layer, and decrypting the first encrypted data by adopting a first key to obtain decrypted first data; wherein the first key is a communication key negotiated with the client;
encrypting the decrypted first data by adopting a second key through the encryption layer to obtain second encrypted data; the second key is a communication key negotiated with the server;
performing network protocol encapsulation on the second encrypted data through the network protocol stack, determining a serial number of each TCP data packet, and sending the serial number to the server; the sequence number of each TCP data packet is determined according to an initial sequence number negotiated during handshaking with a server TCP;
receiving third encrypted data sent by a server through the encryption layer, and decrypting the third encrypted data by adopting the second key to obtain decrypted third data;
encrypting the decrypted third data by the encryption layer by adopting the first key to obtain fourth encrypted data;
performing network protocol encapsulation on the fourth encrypted data through the network protocol stack, determining a serial number of each TCP data packet, and sending the serial number to the client; the sequence number of each TCP data packet is determined according to an initial sequence number negotiated during handshake with the client.
In a second aspect, an embodiment of the present invention provides an encryption agent module, which is applied to an agent device, where the encryption agent module operates in a user mode, the encryption agent module includes an encryption layer, a network protocol stack layer, and a network card driver layer, and the network protocol stack includes a transmission layer and a network layer;
the network card driving layer is used for carrying out data transmission with at least one of the client and the server;
the network protocol stack layer is used for decapsulating the data received from the network card drive layer by a network protocol and then transmitting the decapsulated data to the encryption layer, or encapsulating the data transmitted by the encryption layer by the network protocol and then transmitting the encapsulated data to the network card drive layer;
and the encryption layer is used for respectively carrying out encryption handshake with the client and the server so as to respectively negotiate a communication key with the client and the server.
In a third aspect, an embodiment of the present invention provides a proxy device, including a processor and a memory, where the processor and the memory are connected to each other, where the memory is used to store a computer program, and the computer program includes program instructions, and the processor is configured to call the program instructions to execute the steps of the encryption proxy method provided in the first aspect of the embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, including: the computer-readable storage medium stores a computer program. Which when executed by a processor performs the steps of the encryption proxy method as provided in the first aspect of the embodiment of the invention.
The embodiment of the invention is realized by an encryption agent module working in a user state in the agent equipment, wherein the encryption agent module comprises an encryption layer, a network protocol stack layer and a network card driving layer, and the network protocol stack comprises a transmission layer and a network layer. And data transmission is carried out on the basis of at least one of the network card driving layer and the client side and the server side, data received from the network card driving layer is sent to the encryption layer after network protocol de-encapsulation is carried out on the basis of the network protocol stack layer, or data sent by the encryption layer is sent to the network card driving layer after network protocol encapsulation is carried out on the data. And respectively carrying out encryption handshake with the client and the server based on the encryption layer so as to respectively negotiate a communication key with the client and the server. In the embodiment, the encryption layer, the network protocol stack layer and the network card driver layer in the encryption agent module can be implemented in the application layer, for example, the encryption agent module is deployed in the agent device in the form of APP, compared with the related art in which the functions are implemented by the kernel of the operating system, the embodiment does not involve data copy between the kernel state and the user state, and avoids context switching between the kernel state and the user state, so that resource consumption of the agent device can be reduced, and the performance of the agent device can be improved. And the network protocol stack deployment of the user mode is more flexible, the platform portability is strong, and the method can be realized on most platforms/systems.
Drawings
Fig. 1 is a schematic diagram of an agent system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of an encryption agent module according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an encryption proxy module provided by an embodiment of the present invention;
fig. 4 is a schematic flow chart illustrating an implementation of an encryption agent method according to an embodiment of the present invention;
fig. 5 is a schematic flow chart of a process of transmitting data in an encryption agent module according to an embodiment of the present invention;
fig. 6 is a flow chart of a handshake phase according to an embodiment of the present invention;
fig. 7 is a flowchart of a TCP three-way handshake according to an embodiment of the present invention;
fig. 8 is a schematic diagram of a proxy device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, belong to the protection scope of the present invention.
Fig. 1 is a schematic diagram of an agent system according to an embodiment of the present invention, and as shown in fig. 1, an agent acts as an intermediary between a client and a server, and for the client, the agent plays a role of a server, performs Secure Socket Layer (SSL) handshake with the client, receives a request packet, and returns a response packet. For the server, the proxy plays the role of the client, performs SSL handshake with the server, sends a request message, and receives a response message.
In the related art, SSL connections between the proxy and the client and between the proxy and the server are implemented by using a kernel protocol stack provided by an operating system (windows or linux) itself, and are implemented based on a TCP protocol stack in combination with a socket. Taking linux operating system as an example, linux TCP stack is implemented in kernel mode, and socket is an interface provided for user mode, so that each time the SSL proxy receives a packet, the SSL proxy will experience a process of copying data from kernel mode to user mode, and then copying user mode to kernel mode, and multiple times of context switching from kernel mode to user mode, which may cause SSL proxy to have a large performance bottleneck and SSL proxy performance to be poor.
In view of the above disadvantages of the related art, embodiments of the present invention provide an encryption agent method and an encryption agent module, which can solve the problem that the performance of an agent device is limited. In order to explain the technical means of the present invention, the following description will be given by way of specific examples.
Fig. 2 is a schematic diagram of an encryption proxy module applied to a proxy device, where the encryption proxy module operates in a user state, the encryption proxy module includes an encryption layer, a network protocol stack layer, and a network card driver layer, and the network protocol stack includes a transmission layer and a network layer;
the network card driving layer is used for carrying out data transmission with at least one of the client and the server;
the network protocol stack layer is used for decapsulating the data received from the network card drive layer by a network protocol and then transmitting the decapsulated data to the encryption layer, or encapsulating the data transmitted by the encryption layer by the network protocol and then transmitting the encapsulated data to the network card drive layer;
and the encryption layer is used for respectively carrying out encryption handshake with the client and the server so as to respectively negotiate a communication key with the client and the server. Wherein the encryption layer may be embodied as an SSL layer (the latter referred to as an SSL proxy layer).
In practical application, the network card driver layer may be a user-mode network card driver such as a DPDK (Data Plane Development Kit) and a Netmap. The DPDK bypasses the processing process of a Linux kernel protocol stack on the data packet, and realizes a set of data planes in a user space to receive, send and process the data packet. From the kernel perspective, the DPDK is a common user mode process, and its compiling, connecting and loading modes are not the same as those of a common program. The DPDK application program runs in the User Space of the operating system, and performs packet receiving and sending processing by using a data plane library provided by the DPDK application program, so that the Linux kernel mode protocol stack is bypassed, and the message processing efficiency is improved. The DPDK can directly take over the physical network card of the proxy equipment, and the network card receiving and sending packets do not need to pass through a Linux kernel.
The user Mode I/O (UIO) driving technology of the DPDK provides support for a user Mode-based polling mechanism PMD (Poll Mode Driver). The main function is to intercept the interrupt and reset the interrupt callback behavior, thereby bypassing the subsequent processing flow of the kernel protocol stack. It maps hardware operations to user space, providing a file interface to user space.
UIO (Userspace I/O) is an I/O technology running in a user space, general driving equipment in a Linux system runs in a kernel space, and only needs to be called by an application program in the user space, the UIO runs a small part of driving in the kernel space, most functions of driving are realized in the user space, and the problem that the driving program of the equipment needs to be updated along with updating of a kernel can be solved by using the UIO.
The UIO technology ensures that the memory interaction of the kernel space and the user space does not need to be copied, but only does control right transfer, thereby reducing the copying process of the message. Namely, the method has the advantages of zero copy and no system call, and the Cache miss brought by context switching is reduced by synchronous processing. The resources and time delay saved from interruption and copying are effectively applied to the message processing flow, and the message processing and forwarding efficiency is improved.
In summary, the DPDK discards kernel interrupts, provides a drive of a full user mode, has an efficient memory management mechanism, and directly transmits a message to a user mode for processing through Direct Memory Access (DMA), thereby reducing the memory copy frequency.
The network protocol stack layer may be a protocol stack provided by a self-developed non-operating system kernel. If the transport layer of the network protocol stack is specifically a TCP layer, the network protocol stack layer needs to support the basic functions of the TCP protocol stack (for example, only includes a reassembly segment ordering mechanism), and considering that some complicated functions of the TCP protocol, such as a congestion control mechanism and a sliding window mechanism, may be eliminated in order to further reduce resource consumption.
The encryption layer can be an SSL agent, and the SSL agent can complete SSL handshake with the client and the server and functions of data encryption and decryption based on the network protocol stack layer.
Referring to fig. 3, fig. 3 is a schematic diagram of an encryption agent module provided in an application embodiment of the present invention, where the encryption agent module is deployed in an APP mode in a user mode, and the encryption agent module includes:
and the SSL agent module can complete SSL handshake with the client and the server and the function of data decryption based on the network protocol stack layer.
And the self-developed protocol stack module can simultaneously support the basic functions (including reorganization and order preservation) of the TCP protocol stack.
And the DPDK module is driven by the user mode network card, and can directly take over the NIC of the physical network card, so that the network card receiving and transmitting packet is directly zero-copied to the memory space of the APP without passing through a Linux kernel. Besides the physical network card NIC, the DPDK module can also take over virtual network cards such as tap and veth.
The self-developed protocol stack of the embodiment is a simplified TCP protocol stack, and compared with a traditional protocol stack, the simplified TCP protocol stack only keeps basic functions such as recombination order preservation and the like, does not have complex characteristics such as plug avoidance and sliding window, can have better performance, and further reduces resource consumption. The encryption agent module provided by the embodiment works in the user mode, the SSL agent module does not need to copy the data packet from the kernel mode to the user mode and then copy the data packet from the user mode to the kernel mode, and zero copy of the data packet is realized. Due to the context switching from the kernel-free state to the user state, the performance of the proxy equipment is not limited by the kernel state any more, so that the performance of the proxy equipment is improved, and the data processing efficiency of the proxy equipment is higher. And the encryption agent module can be deployed in the agent device in the form of APP, so that the deployment is more flexible, the platform portability is strong, and the encryption agent module can be implemented on most platforms/systems.
Fig. 4 is a schematic diagram of an implementation flow of an encryption agent method according to an embodiment of the present invention, where the encryption agent method is applied to an agent device, and the method is implemented by an encryption agent module operating in a user mode in the agent device, where the encryption agent module includes an encryption layer, a network protocol stack layer, and a network card driver layer, and the network protocol stack includes a transmission layer and a network layer. Referring to fig. 4, the encryption proxy method includes:
s401, data transmission is carried out based on the network card driving layer and at least one of the client side and the server side.
In this embodiment, data transmission is performed between the network card driver layer based on the encryption agent module and at least one of the client and the server, where the data transmission includes: the method comprises the steps of receiving a data packet of a client or a server, sending the data packet of the server to the client, and sending the data packet of the client to the server.
The network card driver layer of the embodiment receives and transmits the data packets of the client and the server without passing through the kernel, and the data does not need to be copied from the kernel space to the user space.
In practical application, the network card driver layer may be a user-mode network card driver such as DPDK, netmap, and the like.
S402, based on the network protocol stack layer, sending the data received from the network card driving layer to the encryption layer after performing network protocol decapsulation, or sending the data issued by the encryption layer to the network card driving layer after performing network protocol encapsulation.
For example, the network card driving layer receives data of a client or a server, the network card driving layer sends the data to the network protocol stack layer, and the network protocol stack layer decapsulates the data by a network protocol and sends the decapsulated data to the encryption layer.
The encryption layer encrypts or decrypts the received data and then sends the data to the network protocol stack layer, the network protocol stack layer packages the data sent by the encryption layer through a network protocol and then sends the data to the network card driving layer, and the network card driving layer sends the data to a client or a server.
The transmission of data in a network requires encapsulation of the data, i.e. the addition of header information corresponding to each network layer, which is mainly used to help an intermediate transmission system to transmit the data to a correct destination, which is not intended to be seen by a receiving party. When the data arrives at the receiver, the receiver does not care how the data is sent, the data is the most important for the receiver, so the data is unpacked, and some headers of the package are removed, which is the reverse of the packaging process.
In practical application, the network protocol stack layer can be divided into a network protocol stack layer at a client side and a network protocol stack layer at a server side, the network protocol stack layer at the client side and the client side perform data transmission based on the network card driver layer, and the network protocol stack layer at the server side and the server side perform data transmission based on the network card driver layer.
As shown in fig. 5, fig. 5 is a schematic flowchart of a process of transmitting data in an encryption agent module according to an embodiment of the present invention. The client side sends the encrypted data packet to a network protocol stack layer (client side) through a network card driving layer, and the network protocol stack layer (client side) sends the encrypted data packet to the encryption layer after network protocol decapsulation.
The encryption layer receives an encrypted data packet sent by the network protocol stack layer (the server side), decrypts the encrypted data packet, encrypts the encrypted data packet again by using a key negotiated with the server side, sends the encrypted data packet to the network protocol stack layer (the server side), and sends the encrypted data packet to the server side through the network card driving layer after the network protocol stack layer (the server side) encapsulates the encrypted data packet.
And S403, performing encryption handshake with the client and the server respectively based on the encryption layer to negotiate a communication key with the client and the server respectively.
Here, the encryption handshake may be an SSL handshake that is performed with the client and the server, respectively, based on the encryption layer, and negotiates a communication key with the client and the server, respectively, including: the encryption and decryption keys of the data packets communicated with the client are determined, and the encryption and decryption keys of the data packets communicated with the server are determined.
The essence of the SSL handshake process is to negotiate a symmetric encryption key, the security mechanism of the HTTPS protocol is implemented by the SSL layer, and in order to ensure the security of data, data needs to be encrypted before being sent. In the traditional symmetric encryption, if the key is leaked due to eavesdropping in the process of negotiating the key, the encrypted data becomes "public and transparent", and the mode using the asymmetric encryption is low in efficiency. Therefore, the data security is ensured by adopting a method of combining symmetric encryption and asymmetric encryption in the SSL, that is, asymmetric encryption performs negotiation of symmetric encryption keys, and this negotiation process can be regarded as SSL handshake.
The SSL handshake procedure includes:
step 1, the client sends a protocol version, an encryption algorithm supported by the client and a random number a to the server.
And 2, the server selects an encryption algorithm and sends a server digital certificate and a random number b to the client.
And 3, the client encrypts and sends the random number c to the server by using the public key in the digital certificate.
And 4, the server decrypts the random number c by using the private key.
And step 5, the server and the client encrypt the three random numbers through a pre-negotiated encryption algorithm to generate a session key, namely a symmetric encryption key, which is used for encrypting the whole session process.
When the encryption layer and the client side perform encryption handshake, the identity of the encryption layer is a 'server side'; when the encryption layer and the server side carry out encryption handshake, the identity of the encryption layer is 'client side'.
As shown in fig. 6, fig. 6 is a schematic flowchart of a handshake phase according to an embodiment of the present invention. The TCP protocol stack (client side) corresponds to the network protocol stack layer (client side) in the above embodiment, the TCP protocol stack (server side) corresponds to the network protocol stack layer (server side) in the above embodiment, and the SSL proxy corresponds to the encryption layer in the above embodiment.
When the client and the SSL agent carry out SSL handshake, the data transmission in the SSL handshake needs to be realized through a TCP protocol stack (client side); when the server side and the SSL proxy perform SSL handshake, the data transmission therein needs to be implemented by a TCP protocol stack (server side).
Before SSL handshake, the client and the TCP stack (client side) need to perform TCP handshake first, the server and the TCP stack (server side) need to perform TCP handshake first, and reliable data transmission can be performed based on the established TCP connection after the TCP handshake is completed. In order to achieve reliable data transmission, both communication parties of the TCP protocol must maintain a sequence number to identify which of the transmitted data packets have been received by the other party. The TCP three-way handshake process is a necessary step for the two communication parties to inform each other of the start value of the sequence number and confirm that the other party has received the start value of the sequence number.
The process of TCP three-way handshake is shown in fig. 7, and includes:
first handshake: setting a flag bit SYN to 1 by the Client, randomly generating a value seq = J, sending the data packet to the Server, and enabling the Client to enter a SYN _ SENT state to wait for the confirmation of the Server.
Second handshake: after the Server receives the data packet, the flag SYN =1 knows that the Client requests to establish connection, the Server sets the flag SYN and ACK to 1,ack = J +1, randomly generates a value seq = K, sends the data packet to the Client to confirm the connection request, and enters the SYN _ RCVD state.
Third handshake: after the Client receives the confirmation, whether ACK is J +1 or not and whether ACK is 1 or not are checked, if the ACK is correct, the flag bit ACK is 1, ACK = K +1, the data packet is sent to the Server, the Server checks whether ACK is K +1 or not and whether ACK is 1 or not, if the ACK is correct, connection establishment is successful, the Client and the Server enter an ESTABLISHED state, three-way handshake is completed, and then data transmission can be started between the Client and the Server.
When a Client side and a TCP protocol stack (Client side) carry out TCP handshake, a Client refers to the Client side, and a Server refers to the TCP protocol stack (Client side); when the Server side performs TCP handshake with a TCP protocol stack (Server side), the Client refers to the TCP protocol stack (Server side), and the Server refers to the Server side.
And respectively carrying out encryption handshake with the client and the server based on the encryption layer so as to respectively negotiate a communication key with the client and the server. After the key is obtained through encryption, the conversation content of the subsequent client and the server is encrypted by the key, so that the security of data transmission is improved.
The embodiment of the invention is realized by an encryption agent module working in a user state in the agent equipment, wherein the encryption agent module comprises an encryption layer, a network protocol stack layer and a network card driving layer, and the network protocol stack comprises a transmission layer and a network layer. And performing data transmission based on the network card driving layer and at least one of the client and the server, performing network protocol decapsulation on the data received from the network card driving layer based on the network protocol stack layer, and then sending the data to the encryption layer, or performing network protocol encapsulation on the data issued by the encryption layer and then sending the data to the network card driving layer. And respectively carrying out encryption handshake with the client and the server based on the encryption layer so as to respectively negotiate a communication key with the client and the server. In the embodiment, the encryption layer, the network protocol stack layer and the network card driver layer in the encryption agent module can be implemented in the application layer, for example, the encryption layer, the network protocol stack layer and the network card driver layer are deployed in the agent device in the form of APP, and compared with the related art in which the functions are implemented by the kernel of the operating system, the embodiment does not involve data conversion between the kernel mode and the user mode, so that the resource consumption of the agent device is low, and the performance of the agent device can be improved. And the network protocol stack deployment of the user mode is more flexible, the platform portability is strong, and the method can be realized on most platforms/systems.
In this application, considering that the proxy device needs to have a data forwarding function and needs to process plaintext of both sides communication, the TCP layer needs to include: a communication sequence number mechanism, a packet reassembly mechanism, and a packet fragmentation mechanism.
That is, in the process of data forwarding, in order to ensure the correctness of communication with the client and the server, a communication sequence number mechanism is necessary, which is to determine the sequence number of the currently sent datagram according to the initial sequence number negotiated in the TCP handshake and determine the correct acknowledgement sequence number.
The data packet recombination and data packet segmentation mechanism can be sent to an encryption layer for decryption through data packet recombination so as to realize functions of plaintext processing and the like, and the data packet segmentation is to segment a message after the encryption layer is encrypted so as to meet the requirement of a message length symbol of an opposite side and enable the opposite side to receive the message.
The data packet reassembly mechanism and the data packet segmentation mechanism are corresponding, an MSS (maximum segment size) is the maximum data segment that can be transmitted each time by a TCP data packet, and when the length of a TCP segment is greater than the MSS, segment transmission is performed to segment it into smaller data segments. And the sending end transmits the data fragments to the receiving end, and the receiving end performs data packet recombination on all the data fragments after receiving all the data fragments and recombines the data fragments to obtain the original data packet. During reassembly, sequencing reassembly is required according to sequence numbers in the data packets, and the sequence numbers can ensure that correct data packets are obtained through reassembly.
In addition, in the present application, in view of further reducing resource consumption of the proxy device, a congestion control mechanism and a sliding window mechanism (also referred to as a flow control mechanism) specified by the TCP protocol in the proxy device may be eliminated.
In the present application, although the congestion control mechanism and the sliding window mechanism are abandoned, the situation that the network is too congested or the client or the server cannot receive the traffic due to too large flow does not occur. The specific analysis is as follows:
discarding the congestion control mechanism does not cause the cause of network congestion: because the client and the server have congestion control mechanisms, the size of the sending window of the client and the server can be automatically adjusted, and the situation that the network is too congested cannot occur.
The reason why the discarding of the sliding window mechanism does not cause the client or the server to be unable to receive the message due to the overlarge traffic is as follows:
based on the data forwarding function of the proxy device, the client can be sent to the server, or the "receiving window field rwnd" sent by the server to the client is sent to the opposite end, so as to control the size of the sending window of the opposite end, thereby avoiding the situation that the client or the receiving end is not in time to receive data. Among them, the so-called rwnd is used to control the transmission window size.
The congestion discard control mechanism and the related technical feature of the sliding window discard mechanism described above are core parts of the customized network protocol stack of the present application and are also one of the inventions of the present application, and through the related technical feature, resource consumption of the proxy device can be further reduced.
In addition, the TCP protocol stack may further include: a timeout retransmission mechanism. Adding a timeout retransmission mechanism can further reduce resource consumption, and is analyzed as follows:
if the TCP protocol stack does not have a timeout retransmission mechanism, the proxy device can only wait for the opposite end (i.e. the server or the client) to retransmit the packet when the client or the server does not send an acknowledgement packet, and at this time, after receiving the retransmission packet, the proxy device determines the serial number of the other side connection corresponding to the timeout retransmission packet, and because the two sides are connected with different communication keys and the data lengths encrypted by different keys may be different, the retransmitted packet may not be in one-to-one correspondence with the packet really retransmitted by the other side, which obviously involves a large amount of complex data processing.
Therefore, in consideration of resource consumption, the TCP protocol stack includes not only a communication sequence number mechanism, a packet reassembly mechanism, and a packet fragmentation mechanism, but also a timeout retransmission mechanism. As will be readily understood by those skilled in the art, when the timeout retransmission mechanism is included, the TCP layer needs to maintain a history data buffer corresponding to each connection on both sides, so that when the timeout retransmission occurs, data is extracted from the buffer to implement data retransmission. In order to reduce resource consumption, the function of timeout retransmission of the data packet is added, which is another core invention point of the present application.
In order to simplify the network protocol stack, the TCP layer of the network protocol stack may include only the following four functions, and the remaining functions are eliminated: a communication sequence number mechanism, a data packet reassembly mechanism, a data packet fragmentation mechanism, and a data packet timeout retransmission mechanism. When the TCP layer has only these four mechanisms, the resource consumption of the proxy device can be reduced as much as possible.
Other functions of the TCP protocol stack, such as a packet check related mechanism, may be used as a mechanism of the network protocol stack in the present application, but after the mechanism is added, resource consumption may be increased to some extent.
The so-called packet check function is: the TCP data packet sent by the sender has a basic check bit, and the sender checks whether the received data packet has errors or not based on the basic check bit. For example, a TCP Checksum (Checksum) is included in a TCP packet, and the TCP Checksum (Checksum) is an end-to-end Checksum, which is calculated by the sender and then verified by the receiver. The purpose is to discover any changes that occur to the TCP header and data from sender to receiver. If the receiver detects a checksum error, the TCP packet is directly dropped.
Various mechanisms of the TCP layer are known in the prior art of this application, and related functions are described in this application. The "communication sequence number mechanism" is briefly described below. The communication sequence number mechanism is to set a sequence number for each TCP packet to be transmitted subsequently after the TCP connection is established. The position of the TCP data packet can be accurately determined by using the sequence number, and the problems of disorder of the IP data packet and retransmission of the TCP data packet can be effectively solved. When both communication parties establish TCP connection, data can be transmitted, and in the transmission process, each time a sender sends a data packet, a receiver needs to give a response. The precedence of the packets may be determined by the sequence number of the TCP header. The relationship between the serial numbers of both parties and the confirmation serial number is: setting the length of a data packet sent by a sender as N, the sequence number as SEQ and the acknowledgement sequence number ACK, and setting the sequence number of the next data packet to be sent as SEQ + N; the data packet sequence number responded by the receiving party is ACK, and the confirmation sequence number is SEQ + N, which represents the confirmation of the data packet with the sequence number SEQ and the length of N.
After TCP establishes a connection, an initial sequence number is set for subsequent transmission of TCP data. When a TCP packet containing valid data is transmitted later, the sequence number of a TCP packet transmitted next later is modified accordingly. The sequence number is designed for ensuring the sequential transmission of the TCP data packet, can effectively realize the complete transmission of the TCP data, and can effectively correct errors particularly when errors occur in the data transmission process. During the reassembly of a TCP session, we need to order the received packets according to their sequence numbers.
The above contents are all prior arts, and detailed description is not repeated.
In an embodiment, the communication sequence number mechanism includes the specific steps of:
receiving first encrypted data sent by a client through the encryption layer, and decrypting the first encrypted data by adopting a first key to obtain decrypted first data; wherein the first key is a communication key negotiated with the client;
encrypting the decrypted first data by adopting a second key through the encryption layer to obtain second encrypted data; the second key is a communication key negotiated with a server;
performing network protocol encapsulation on the second encrypted data through the network protocol stack, determining a serial number of each TCP data packet, and sending the serial number to the server; the sequence number of each TCP data packet is determined according to an initial sequence number negotiated during handshaking with a server TCP;
receiving third encrypted data sent by a server through the encryption layer, and decrypting the third encrypted data by adopting the second key to obtain decrypted third data;
encrypting the decrypted third data by the encryption layer by adopting the first key to obtain fourth encrypted data;
performing network protocol encapsulation on the fourth encrypted data through the network protocol stack, determining a serial number of each TCP data packet, and sending the serial number to the client; the sequence number of each TCP data packet is determined according to an initial sequence number negotiated during handshake with the client.
As shown in fig. 5, the encrypted data packet sent by the client reaches the encryption layer through the network card driver layer and the network protocol stack (client side), and after the encryption layer decrypts by using the first key negotiated with the client, the encryption layer re-encrypts by using the second key negotiated with the server side again. And the network protocol stack (the server side) packages the encrypted data packets by network protocol, determines the serial number of each encrypted data packet and sends the encrypted data packets to the server side through the network card driving layer.
The encrypted data packet sent by the server side reaches the encryption layer through the network card drive layer and the network protocol stack (the server side), and the encryption layer decrypts by adopting the second key and then re-encrypts by using the first key again. And the network protocol stack (client side) packages the encrypted data packets by network protocol, determines the serial number of each encrypted data packet and sends the encrypted data packets to the client through the network card driving layer.
The structure of the encryption agent module provided by the embodiment of the invention can refer to fig. 2, the encryption agent module is applied to agent equipment, the module works in a user mode, the encryption agent module comprises an encryption layer, a network protocol stack layer and a network card driving layer, and the network protocol stack comprises a transmission layer and a network layer;
the network card driving layer is used for carrying out data transmission with at least one of the client and the server;
the network protocol stack layer is used for decapsulating the data received from the network card drive layer by a network protocol and then transmitting the decapsulated data to the encryption layer, or encapsulating the data transmitted by the encryption layer by the network protocol and then transmitting the encapsulated data to the network card drive layer;
and the encryption layer is used for respectively carrying out encryption handshake with the client and the server so as to respectively negotiate a communication key with the client and the server.
In one embodiment, the transport layer is a transmission control protocol, TCP, layer; the TCP layer includes: a communication sequence number mechanism, a data packet reassembly mechanism and a data packet segmentation mechanism to realize a data forwarding function between the client and the server.
In an embodiment, the TCP layer is free of congestion control mechanisms specified in the TCP protocol.
In one embodiment, the TCP layer is free of a sliding window mechanism specified in the TCP protocol; and the TCP layer forwards a 'receiving window rwnd field' sent by the client or the server to an opposite terminal.
In one embodiment, the TCP layer further comprises: a data packet time-out retransmission mechanism.
In one embodiment, the TCP layer consists of four mechanisms: a communication sequence number mechanism, a data packet recombination mechanism, a data packet segmentation mechanism and a data packet overtime retransmission mechanism.
In an embodiment, the communication sequence number mechanism includes the specific steps of:
receiving first encrypted data sent by a client through the encryption layer, and decrypting the first encrypted data by adopting a first key to obtain decrypted first data; wherein the first key is a communication key negotiated with the client;
encrypting the decrypted first data by adopting a second key through the encryption layer to obtain second encrypted data; the second key is a communication key negotiated with the server;
performing network protocol encapsulation on the second encrypted data through the network protocol stack, determining a serial number of each TCP data packet, and sending the serial number to the server; the sequence number of each TCP data packet is determined according to an initial sequence number negotiated during handshaking with a server TCP;
receiving third encrypted data sent by a server through the encryption layer, and decrypting the third encrypted data by adopting the second key to obtain decrypted third data;
encrypting the decrypted third data by the encryption layer by adopting the first key to obtain fourth encrypted data;
performing network protocol encapsulation on the fourth encrypted data through the network protocol stack, determining a serial number of each TCP data packet, and sending the serial numbers to the client; the sequence number of each TCP data packet is determined according to an initial sequence number negotiated during handshake with the client.
The embodiment can be applied to products which need to do intermediary agent to the SSL data, such as routing, firewall, gateway and the like.
It should be understood that, the sequence numbers of the steps in the foregoing embodiments do not imply an execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
The technical means described in the embodiments of the present invention may be arbitrarily combined without conflict.
In addition, in the embodiments of the present invention, "first", "second", and the like are used for distinguishing similar objects, and are not necessarily used for describing a specific order or a sequential order.
In practical applications, the encryption agent module may be implemented by a Processor in an agent device, such as a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a Micro Control Unit (MCU), or a Programmable Gate Array (FPGA).
It should be noted that: in the encryption agent module provided in the above embodiment, only the division of each module is exemplified when performing encryption agent, and in practical applications, the processing distribution may be completed by different modules as needed, that is, the internal structure of the device is divided into different modules to complete all or part of the processing described above. In addition, the encryption agent module and the encryption agent method embodiment provided by the above embodiments belong to the same concept, and the specific implementation process thereof is detailed in the method embodiment and will not be described herein again.
The encryption agent module is specifically a software module, and the software module may be deployed in an entity hardware device for execution, or may be deployed in a virtual machine for execution.
Based on the hardware implementation of the program module, and in order to implement the method according to the embodiment of the present application, an embodiment of the present application further provides a proxy device, where the encryption proxy module is disposed in the proxy device, and the method implemented by the encryption proxy module is implemented by a processor of the proxy device. Fig. 8 is a schematic diagram of a hardware composition structure of a proxy device according to an embodiment of the present application, and as shown in fig. 8, the proxy device includes:
the communication interface can carry out information interaction with other equipment such as network equipment and the like;
and the processor is connected with the communication interface to realize information interaction with other equipment, and is used for executing the method provided by one or more technical schemes at the proxy equipment side when running a computer program. And the computer program is stored on the memory.
Of course, in practice, the various components in the agent device are coupled together by a bus system. It will be appreciated that a bus system is used to enable communications among the components. The bus system includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as a bus system in fig. 8.
In this application, the agent device may be a single hardware device, or may be a cluster formed by multiple hardware devices, such as a cloud computing platform formed by a cluster. The cloud computing platform is a business form that uses a virtualization technology to pool resources of a plurality of terminals and then provides required virtual resources and services.
The memory in the embodiments of the present application is used to store various types of data to support the operation of the proxy device. Examples of such data include: any computer program for operating on a proxy device.
It will be appreciated that the memory can be either volatile memory or nonvolatile memory, and can include both volatile and nonvolatile memory. Among them, the nonvolatile Memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a magnetic random access Memory (FRAM), a magnetic random access Memory (Flash Memory), a magnetic surface Memory, an optical Disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface storage may be disk storage or tape storage. Volatile Memory can be Random Access Memory (RAM), which acts as external cache Memory. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), synchronous Static Random Access Memory (SSRAM), dynamic Random Access Memory (DRAM), synchronous Dynamic Random Access Memory (SDRAM), double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), enhanced Synchronous Dynamic Random Access Memory (ESDRAM), enhanced Synchronous Dynamic Random Access Memory (Enhanced DRAM), synchronous Dynamic Random Access Memory (SLDRAM), direct Memory (DRmb Access), and Random Access Memory (DRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, a storage medium, specifically a computer-readable storage medium, for example, including a first memory storing a computer program, where the computer program is executable by a processor of an agent device to perform the steps of the foregoing method. The computer readable storage medium may be Memory such as FRAM, ROM, PROM, EPROM, EEPROM, flash Memory, magnetic surface Memory, optical disk, or CD-ROM.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. An encryption agent method is characterized in that the method is applied to agent equipment and is realized by an encryption agent module which works in a user state in the agent equipment, wherein the encryption agent module comprises an encryption layer, a network protocol stack layer and a network card driving layer, and the network protocol stack comprises a transmission layer and a network layer;
the method comprises the following steps:
performing data transmission based on the network card driving layer and at least one of a client and a server;
the data received from the network card driving layer is sent to the encryption layer after being subjected to network protocol decapsulation based on the network protocol stack layer, or the data sent by the encryption layer is sent to the network card driving layer after being subjected to network protocol encapsulation;
and respectively carrying out encryption handshake with the client and the server based on the encryption layer so as to respectively negotiate a communication key with the client and the server.
2. The method of claim 1, wherein the transport layer is a Transmission Control Protocol (TCP) layer; the TCP layer includes: a communication sequence number mechanism, a data packet reassembly mechanism and a data packet segmentation mechanism to realize a data forwarding function between the client and the server.
3. The method of claim 2, wherein the TCP layer is free of a congestion control mechanism specified in the TCP protocol.
4. The method of claim 2, wherein the TCP layer is free of a sliding window mechanism specified in the TCP protocol; and the TCP layer forwards a 'receiving window rwnd field' sent by the client or the server to an opposite terminal.
5. The method of claim 2, wherein the TCP layer further comprises: a data packet time-out retransmission mechanism.
6. The method according to claim 5, wherein the TCP layer consists of the following four mechanisms: a communication sequence number mechanism, a data packet reassembly mechanism, a data packet fragmentation mechanism, and a data packet timeout retransmission mechanism.
7. The method according to any of claims 2 to 6, wherein the specific steps of the communication sequence number mechanism comprise:
receiving first encrypted data sent by a client through the encryption layer, and decrypting the first encrypted data by adopting a first key to obtain decrypted first data; wherein the first key is a communication key negotiated with the client;
encrypting the decrypted first data by adopting a second key through the encryption layer to obtain second encrypted data; the second key is a communication key negotiated with the server;
performing network protocol encapsulation on the second encrypted data through the network protocol stack, determining a serial number of each TCP data packet, and sending the serial number to the server; the sequence number of each TCP data packet is determined according to an initial sequence number negotiated during handshaking with a server TCP;
receiving third encrypted data sent by a server through the encryption layer, and decrypting the third encrypted data by adopting the second key to obtain decrypted third data;
encrypting the decrypted third data by the encryption layer by adopting the first key to obtain fourth encrypted data;
performing network protocol encapsulation on the fourth encrypted data through the network protocol stack, determining a serial number of each TCP data packet, and sending the serial number to the client; the sequence number of each TCP data packet is determined according to an initial sequence number negotiated during handshake with the client.
8. An encryption agent module is applied to agent equipment, the module works in a user state, the encryption agent module comprises an encryption layer, a network protocol stack layer and a network card driving layer, and the network protocol stack comprises a transmission layer and a network layer;
the network card driving layer is used for carrying out data transmission with at least one of the client and the server;
the network protocol stack layer is used for decapsulating the data received from the network card drive layer by a network protocol and then transmitting the decapsulated data to the encryption layer, or encapsulating the data transmitted by the encryption layer by the network protocol and then transmitting the encapsulated data to the network card drive layer;
and the encryption layer is used for respectively carrying out encryption handshake with the client and the server so as to respectively negotiate a communication key with the client and the server.
9. A proxy device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor implements the proxy encryption method of any one of claims 1 to 7 when executing the computer program.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to perform the cryptographic proxy method of any one of claims 1 to 7.
CN202211331745.7A 2022-10-28 2022-10-28 Encryption agent method, encryption agent module, agent device and storage medium Pending CN115801236A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211331745.7A CN115801236A (en) 2022-10-28 2022-10-28 Encryption agent method, encryption agent module, agent device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211331745.7A CN115801236A (en) 2022-10-28 2022-10-28 Encryption agent method, encryption agent module, agent device and storage medium

Publications (1)

Publication Number Publication Date
CN115801236A true CN115801236A (en) 2023-03-14

Family

ID=85434187

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211331745.7A Pending CN115801236A (en) 2022-10-28 2022-10-28 Encryption agent method, encryption agent module, agent device and storage medium

Country Status (1)

Country Link
CN (1) CN115801236A (en)

Similar Documents

Publication Publication Date Title
US10419406B2 (en) Efficient forwarding of encrypted TCP retransmissions
CN109150688B (en) IPSec VPN data transmission method and device
US7913261B2 (en) Application-specific information-processing method, system, and apparatus
CN101517979B (en) Secure tunnel over https connection
JP4271451B2 (en) Method and apparatus for fragmenting and reassembling Internet key exchange data packets
US7684414B2 (en) System and method for using performance enhancing proxies with IP-layer encryptors
KR100255501B1 (en) Improving session and transport layer proxies via tcp glue
US7827404B1 (en) Secure sockets layer proxy architecture
JP2019528604A (en) System and method for virtual multipath data transport
US20030014624A1 (en) Non-proxy internet communication
US20030014650A1 (en) Load balancing secure sockets layer accelerator
US20030014623A1 (en) Secure sockets layer cut through architecture
US9055036B2 (en) Method and apparatus for transmitting a user datagram protocol message that is larger than a defined size
US10884960B2 (en) Offloading data movement for packet processing in a network interface controller
US10225239B2 (en) Method for in-line TLS/SSL cleartext encryption and authentication
CN109714292A (en) The method and apparatus of transmitting message
JP2020010326A (en) DATA TRANSMISSION METHOD, DATA RECEPTION METHOD, AND DATA COMMUNICATION METHOD USING WiFi MANAGEMENT FRAME
US7305450B2 (en) Method and apparatus for clustered SSL accelerator
CN115801236A (en) Encryption agent method, encryption agent module, agent device and storage medium
Seggelmann Sctp: Strategies to secure end-to-end communication
CN112104635B (en) Communication method, system and network equipment
EP3170291B1 (en) Transmission control protocol (tcp) acknowledgement (ack) packet suppression
US20220360644A1 (en) Packet Acknowledgment Techniques for Improved Network Traffic Management
Bernardo et al. Protecting Next Generation High Speed Network Protocol-UDT through Generic Security Service Application Program Interface-GSS-API
EP4346255A1 (en) Encrypted satellite communications

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination