WO2019148562A1 - 内容分发网络中握手请求的加速方法、设备及边缘节点 - Google Patents
内容分发网络中握手请求的加速方法、设备及边缘节点 Download PDFInfo
- Publication number
- WO2019148562A1 WO2019148562A1 PCT/CN2018/077430 CN2018077430W WO2019148562A1 WO 2019148562 A1 WO2019148562 A1 WO 2019148562A1 CN 2018077430 W CN2018077430 W CN 2018077430W WO 2019148562 A1 WO2019148562 A1 WO 2019148562A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- domain name
- server
- acceleration
- client
- target
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/14—Session management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/1001—Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
- H04L67/1004—Server selection for load balancing
- H04L67/1008—Server selection for load balancing based on parameters of servers, e.g. available memory or workload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
- H04L9/0643—Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/321—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
- H04L9/3213—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Definitions
- the present invention relates to the field of Internet technologies, and in particular, to an acceleration method, device, and edge node for a handshake request in a content distribution network.
- HTTP Hyper Text Transfer Protocol
- the HTTP protocol sends content in clear text and usually does not provide any form of data encryption. If an attacker intercepts a transmission message between a web browser and a web server, the information can be directly identified, so HTTP is not suitable for transmitting private information.
- HTTPS Hypertext Transfer Protocol over Secure Socket Layer
- SSL/TLS Transport Layer Security
- HTTPS also brings a large overhead to the server.
- the HTTPS-based communication process requires a cumbersome handshake process, and the handshake process also includes an asymmetric decryption process that consumes a lot of time and resources.
- the aforementioned cumbersome handshake process is usually done in an edge node. In this way, if the edge node needs to handle the handshake request of multiple clients at the same time, the load of the server in the edge node is high, so that the speed of processing the handshake request is slow, and even the risk of downtime is generated. Therefore, in the traditional content distribution network, the edge node usually has lower efficiency when processing the HTTPS handshake request.
- the purpose of the present application is to provide an acceleration method, a device, and an edge node for a handshake request in a content distribution network, which can improve the processing efficiency of an HTTPS handshake request.
- the present application provides an acceleration method for a handshake request in a content distribution network, where the method is applied to a service server in an edge node, where the service server stores multiple certificates bound to a domain name.
- the method includes: receiving a handshake request sent by the client to the target domain name, and feeding back, to the client, a target certificate bound to the target domain name, where the target certificate includes the specified public key, so that the The client encrypts the session key of the session by using the specified public key; receives the encrypted session key provided by the client, and sends a decryption request to the acceleration server, where the decryption request includes the An encrypted session key, such that the acceleration server decrypts the encrypted session key according to a private key bound to the target domain name; and receives and stores the decrypted session fed back by the acceleration server Key to complete the handshake process this time.
- another aspect of the present application further provides a service server, where the service server is in an edge node of a content distribution network, the service server includes a memory and a processor, and the memory stores the computer program and the plurality of And a certificate bound to the domain name, when the computer program is executed by the processor, the following steps are performed: receiving a handshake request from the client to the target domain name; and feeding back to the client with the target domain name a target certificate, the target certificate includes a specified public key, so that the client encrypts the session key of the session by using the specified public key; and receives the encrypted session secret provided by the client Key, and sending a decryption request to the acceleration server, the decryption request including the encrypted session key, so that the acceleration server pairs the encrypted session according to a private key bound to the target domain name Decrypting the key; receiving and storing the decrypted session key fed back by the acceleration server to complete the handshake process.
- another aspect of the present application provides a method for accelerating a handshake request in a content distribution network, where the method is applied to an acceleration server in an edge node, where the acceleration server stores multiple bindings to a domain name.
- the private key includes: receiving a decryption request sent by the service server, where the decryption request includes a target domain name and a session key encrypted by the specified public key; wherein the specified public key is included in the And acquiring, in the target certificate, the target certificate, the private key bound to the target domain name, and decrypting the encrypted session key by using the obtained private key;
- the service server feeds back the decrypted session key; the decrypted session key is used to encrypt communication data transmitted between the service server and the client.
- another aspect of the present application is to provide an acceleration server in an edge node of a content distribution network, the acceleration server including a memory and a processor, wherein the memory stores a computer program and a plurality of a private key bound to the domain name, when the computer program is executed by the processor, implementing the following steps: receiving a decryption request sent by the service server, where the decryption request includes the target domain name and the encrypted by the specified public key a session key; wherein the specified public key is included in a target certificate that is bound to the target domain name stored in the service server; acquires a private key bound to the target domain name, and uses the obtained location Decrypting the encrypted session key by the private key; feeding back the decrypted session key to the service server; the decrypted session key is used to transmit between the service server and the client The communication data is encrypted.
- another aspect of the present application further provides an edge node in a content distribution network, where the edge node includes a service server and an acceleration server.
- the technical solution provided by the present application includes an acceleration server in addition to a common service server in the edge node.
- the certificate of each domain name may be stored in the service server, and the private key of each domain name may be stored in the acceleration server.
- the service server can interact with a client of the user. After receiving the handshake request from the client to the target domain name, the service server may feed back the certificate corresponding to the target domain name to the client.
- the certificate may contain the public key corresponding to the target domain name. In this way, the client can extract the public key from the received certificate and use the public key to encrypt the session key of the session. The client can then provide the encrypted session key to the business server.
- the subsequent decryption process requires more resources, so the service server can send a decryption request carrying the encrypted session key to the acceleration server.
- the acceleration server may first obtain the private key corresponding to the target domain name, and use the private key to decrypt.
- the decrypted session key can be fed back to the service server by the acceleration server.
- the service server can store the decrypted session key to complete the handshake process.
- the data communicated between the subsequent business server and the client can be encrypted using the session key.
- an acceleration card of SSL/TLS can be installed in the acceleration server, and the above decryption process can be accelerated by the acceleration card, thereby reducing the time required for decryption.
- the service server can continue to process the subsequent algorithm suite negotiation process, so that after the decryption request in the handshake process is separated, the decryption process and the algorithm suite can be guaranteed.
- the negotiation process can be performed simultaneously, further reducing the time required for the handshake process. It can be seen from the above that the technical solution provided by the present application can improve the processing efficiency of the HTTPS handshake request, thereby reducing the waiting time of the user.
- FIG. 1 is a schematic structural diagram of an edge node in an embodiment of the present invention.
- FIG. 2 is a flowchart of an acceleration method of a handshake request on a service server side in an embodiment of the present invention
- FIG. 3 is a schematic diagram of interaction between a client, a service server, and an acceleration server in an embodiment of the present invention
- FIG. 4 is a schematic diagram of a service server in an embodiment of the present invention.
- FIG. 5 is a flowchart of an acceleration method for accelerating a handshake request on a server side in an embodiment of the present invention
- FIG. 6 is a schematic diagram of an acceleration server in an embodiment of the present invention.
- FIG. 7 is a schematic structural diagram of a computer terminal according to an embodiment of the present invention.
- the present application provides an acceleration method for a handshake request in a content distribution network, and the method can be applied to a service server in an edge node.
- the edge node may include a service server and an acceleration server.
- the service server may be a server that interacts with a client of the user, and the acceleration server may be used to process a decryption process in the HTPPS handshake process.
- a plurality of service servers may be included, and the service servers may selectively receive requests from clients of the user according to a load balancing policy.
- an acceleration server may be included, and the acceleration server may be connected to multiple service servers in the edge node, so that the decryption request sent by multiple service servers can be processed.
- the service server may store a certificate bound to each domain name.
- the certificate can represent the domain name/website that the user visits as a legitimate domain name/website.
- the certificate bound to the domain name can contain a public key, which can be used to encrypt the data.
- an acceleration method applied to a handshake request in a service server may include the following steps.
- S11 Receive a handshake request from the client to the target domain name.
- the client may be a terminal device used by the user.
- the client can establish a connection with the source server through the content distribution network, and the requests sent by the client are received by the nearest edge node.
- the user can enter the target domain name of the target website in the client to access the target website through the client.
- the handshake process needs to be completed between the client and the nearest edge node.
- the client may send a handshake request to the target domain name, where the target domain name may be carried in the handshake request.
- the handshake request can be received by the nearest edge node after it is sent.
- a load balancing policy may be adopted to determine which service server receives the handshake request sent by the client.
- load parameters of each service server in the edge node may be separately acquired.
- the load parameter may include parameters such as CPU usage, memory usage, and number of connections.
- the load values of the respective service servers may be determined. The higher the load value, the lower the performance of the business server processing the handshake request.
- the target service server with the smallest load can be determined, and then, the target service server can receive the handshake request from the client to the target domain name.
- S13 feed back, to the client, a target certificate bound to the target domain name, where the target certificate includes a specified public key, so that the client uses the specified public key to access the session key of the session. Encrypt.
- a certificate bound to each domain name may be stored in the service server that receives the handshake request.
- the certificate in the service server can be stored in association with the corresponding domain name.
- the domain name may be used as a key, and a certificate bound to the domain name is used as a value, thereby constituting a key value pair to be stored.
- the service server may query, according to the target domain name, the target certificate stored in association with the target domain name. In this way, the service server can feed back the target certificate to the client that sent the handshake request.
- the client may extract the specified public key from the target certificate.
- the client may generate a session key with the current session of the service server when issuing a handshake request to the target domain name. After the session key is generated, it can be stored locally on the client.
- the session key can encrypt data communicated between the client and the service server to ensure data transmission security.
- the client needs to provide the generated session key to the service server. However, if the session key is directly provided to the service server in clear text, there is a risk of being intercepted. Therefore, the client can encrypt the session key by using the specified public key extracted from the target certificate, and then send the encrypted session key to the service server, thereby ensuring the security of the session key.
- S15 Receive an encrypted session key provided by the client, and send a decryption request to the acceleration server, where the decrypted request includes the encrypted session key, so that the acceleration server is based on the target
- the private key bound to the domain name decrypts the encrypted session key.
- the service server after receiving the encrypted session key sent by the client, the service server needs to decrypt the session key.
- the process of decrypting the encrypted session key requires a lot of resources.
- the process of decrypting the encrypted session key needs to be completed with the private key paired with the specified public key.
- only the certificate containing the public key is stored in the service server, and the corresponding private key is not stored, and the private key matching the public key is stored in the acceleration server. Therefore, the process of decryption can be done by the acceleration server.
- the service server may generate a decryption request including the encrypted session key, and send the decryption request to the acceleration server.
- the encryption request may further include an identifier of the target domain name.
- the acceleration server receives the encryption request, the encrypted session key can be extracted therefrom, and it can be identified which domain name the encrypted session key is initiated for.
- Each private key bound to the domain name can be stored in the acceleration server. That is to say, the public key-private key pair bound to the same domain name is split and stored in the service server and the acceleration server respectively.
- the private key in the acceleration server can be stored in the specified path.
- the specified path can be associated with a domain name corresponding to the private key.
- the target specified path pointed to by the target domain name can be determined.
- Stored under the target specified path is a private key that matches the specified public key. In this way, by reading the private key stored in the target specified path, the acceleration server can obtain the private key bound to the target domain name.
- the private key may be used to decrypt the session key encrypted by the specified public key, thereby obtaining the decrypted Session key.
- the decryption process can be split and sent to the acceleration server for processing.
- the service server splits the decryption process and sends the decryption request to the acceleration server
- the current handshake process is not suspended, but the handshake process is continued with the client.
- the algorithm suite negotiation process Specifically, in the process of negotiating the algorithm suite, the client can report the TLS version, cipher suites, and Compression Methods supported by the client to the service server. After receiving the information reported by the client, the service server can feed back the selected TLS version and cipher suite to the client in combination with the cryptographic infrastructure supported by both parties.
- the service server can also determine with the client the algorithm suite employed in the current session. In this way, the negotiation and decryption processes of the algorithm suite can be performed simultaneously in the service server and the acceleration server, thereby reducing the time required for the entire handshake process.
- the client may continue to initiate other access requests for the target domain name for a period of time.
- a persistent connection between the client and the business server, and between the business server and the acceleration server can be maintained.
- the long connection between the business server and the acceleration server can be optimized through HTTP2.0 to avoid a large number of repeated handshake processes.
- the service server may receive the handshake request sent by the client by using the first process, and further, the data exchange between the service server and the acceleration server may be performed by using the second process.
- a mapping relationship may be established between the first process and the second process, and the mapping relationship may be represented by a form of a hash table.
- the access request may still be received by the service server by using the first process, and according to the A mapping relationship between the first process and the second process.
- the service server and the acceleration server may still process the access request by using the second process.
- S17 Receive and store the decrypted session key fed back by the acceleration server to complete the handshake process.
- the decrypted session key can be sent to the service server.
- the business server can store the session key locally, thus completing the handshake process.
- the session key of the session is stored in the service server of the client.
- the session key can be used to encrypt and decrypt the transmitted communication data.
- the present application further provides a service server, where the service server is in an edge node of a content distribution network, where the service server includes a memory and a processor, where the memory stores a computer program and multiple domain names.
- a bound certificate that, when executed by the processor, implements the following steps:
- S11 Receive a handshake request from the client to the target domain name.
- S13 feed back, to the client, a target certificate bound to the target domain name, where the target certificate includes a specified public key, so that the client uses the specified public key to access the session key of the session.
- S15 Receive an encrypted session key provided by the client, and send a decryption request to the acceleration server, where the decrypted request includes the encrypted session key, so that the acceleration server is based on the target Decrypting the encrypted session key by a private key bound to the domain name;
- S17 Receive and store the decrypted session key fed back by the acceleration server to complete the handshake process.
- the memory may include physical means for storing information, typically by digitizing the information and then storing it in a medium that utilizes electrical, magnetic or optical methods.
- the memory according to the embodiment may further include: a device for storing information by using an electric energy method, such as a RAM, a ROM, etc.; a device for storing information by using a magnetic energy method, such as a hard disk, a floppy disk, a magnetic tape, a magnetic core memory, a magnetic bubble memory, and a USB flash drive; A device that optically stores information, such as a CD or a DVD.
- an electric energy method such as a RAM, a ROM, etc.
- a magnetic energy method such as a hard disk, a floppy disk, a magnetic tape, a magnetic core memory, a magnetic bubble memory, and a USB flash drive
- a device that optically stores information such as a CD or a DVD.
- quantum memory graphene memory, and the like.
- the processor can be implemented in any suitable manner.
- the processor can take the form of, for example, a microprocessor or processor and computer readable media, logic gates, switches, and special-purpose integrations for storing computer readable program code (eg, software or firmware) executable by the (micro)processor.
- ASIC Application Specific Integrated Circuit
- programmable logic controller programmable logic controller and embedded microcontroller form.
- the application further provides an acceleration method for a handshake request in a content distribution network, where the method can be applied to an acceleration server in an edge node, and the acceleration server can be connected to multiple service servers, and the acceleration server can store more A private key bound to the domain name, and the public key corresponding to the private key may be included in a certificate stored in the service server.
- the method may include the following steps.
- S21 Receive a decryption request sent by the service server, where the decryption request includes a target domain name and a session key encrypted by the specified public key, where the specified public key is included in the service store stored in the service server.
- the target certificate is bound to the target certificate.
- the service server after the service server receives the encrypted session key sent by the client, it may need to decrypt it.
- the process of decrypting the encrypted session key requires a lot of resources.
- the process of decrypting the encrypted session key needs to be completed with the private key paired with the specified public key.
- only the certificate containing the public key is stored in the service server, and the corresponding private key is not stored, and the private key matching the public key is stored in the acceleration server. Therefore, the process of decryption can be done by the acceleration server.
- the acceleration server may receive the decryption request through a predefined listening port.
- the listening port on the acceleration server may be associated with a domain name, and the decryption request for a different domain name may be received by a different listening port.
- the association between the listening port and the domain name may be specified in a communication protocol between the acceleration server and the service server. In this way, when the service server sends a decryption request to the target domain name, the target domain name in the decryption request can be identified, thereby determining the target listening port that should receive the decryption request. In this way, the acceleration server can thus receive the decryption request through a target listening port associated with the target domain name.
- the acceleration server may also have only one listening port, and the listening port may be used to receive a decryption request directed to each domain name. After receiving the decryption request, the corresponding private key may be obtained according to the domain name included in the decryption request.
- an acceleration component of the specified protocol may be installed in the acceleration server.
- the acceleration component can be, for example, an SSL acceleration card or a TLS accelerator card.
- the acceleration server processes the decryption request, it can be optimized by the acceleration card, thereby improving the processing efficiency of the decryption request.
- the acceleration component can be bound to a specified process in the acceleration server. For example, if there are 8 processes in the acceleration server, then the 8 processes can be bound to the acceleration component. When the decryption request needs to be processed, the decryption request can be processed by the 8 processes bound.
- the service server may generate a decryption request including the encrypted session key, and send the decryption request to the acceleration server.
- the target domain name may also be included in the encryption request.
- the encrypted session key can be extracted therefrom, and it can be identified which domain name the encrypted session key is initiated for.
- Each private key bound to the domain name can be stored in the acceleration server. That is to say, the public key-private key pair bound to the same domain name is split and stored in the service server and the acceleration server respectively.
- the private key in the acceleration server can be stored in the specified path.
- the specified path can be associated with a domain name corresponding to the private key.
- the target specified path pointed to by the target domain name can be determined.
- Stored under the target specified path is a private key that matches the specified public key. In this way, by reading the private key stored in the target specified path, the acceleration server can obtain the private key bound to the target domain name.
- the private key stored in the acceleration server may be encrypted.
- the private key stored in the acceleration server can be encrypted by the MD5 code.
- the acceleration server can decrypt the encrypted IP key by using the corresponding MD5 code, thereby obtaining the decrypted private key.
- the private key may be used to decrypt the session key encrypted by the specified public key, thereby obtaining the decrypted Session key.
- S25 feed back the decrypted session key to the service server; the decrypted session key is used to encrypt communication data transmitted between the service server and the client.
- the decrypted session key can be sent to the service server.
- the business server can store the session key locally, thus completing the handshake process.
- the session key of the session is stored in the service server of the client.
- the session key can be used to encrypt and decrypt the transmitted communication data.
- a disaster prevention system can also be installed in the acceleration server.
- the edge node may be composed of a primary node and a standby node.
- the edge node in the foregoing embodiment may be a primary node, and data synchronization may be maintained between the standby node and the primary node.
- the performance indicator may be, for example, a key indicator such as CPU usage, memory usage, TCP connection number, and input/output bus data. When the performance indicator exceeds the allowable range, it indicates that the acceleration server load is too high or a fault may occur.
- the service in the edge node may be switched to the standby node. So that the HTTPS request can continue to be processed in the standby node.
- prompt information for characterizing the node switching may be issued to overhaul the master node by the manager.
- the present application further provides an acceleration server, which is in an edge node of a content distribution network, where the acceleration server includes a memory and a processor, where the computer program and a plurality of domain names are stored in the memory.
- the bound private key when the computer program is executed by the processor, implements the following steps:
- S21 Receive a decryption request sent by the service server, where the decryption request includes a target domain name and a session key encrypted by the specified public key, where the specified public key is included in the service store stored in the service server.
- S25 feed back the decrypted session key to the service server; the decrypted session key is used to encrypt communication data transmitted between the service server and the client.
- the memory may include physical means for storing information, typically by digitizing the information and then storing it in a medium that utilizes electrical, magnetic or optical methods.
- the memory according to the embodiment may further include: a device for storing information by using an electric energy method, such as a RAM, a ROM, etc.; a device for storing information by using a magnetic energy method, such as a hard disk, a floppy disk, a magnetic tape, a magnetic core memory, a magnetic bubble memory, and a USB flash drive; A device that optically stores information, such as a CD or a DVD.
- an electric energy method such as a RAM, a ROM, etc.
- a magnetic energy method such as a hard disk, a floppy disk, a magnetic tape, a magnetic core memory, a magnetic bubble memory, and a USB flash drive
- a device that optically stores information such as a CD or a DVD.
- quantum memory graphene memory, and the like.
- the processor can be implemented in any suitable manner.
- the processor can take the form of, for example, a microprocessor or processor and computer readable media, logic gates, switches, and special-purpose integrations for storing computer readable program code (eg, software or firmware) executable by the (micro)processor.
- ASIC Application Specific Integrated Circuit
- programmable logic controller programmable logic controller and embedded microcontroller form.
- acceleration server its processor and the memory provided by the embodiments of the present specification can be explained in comparison with the foregoing embodiments in the present specification.
- the present application further provides an edge node in a content distribution network, where the edge node includes a service server and an acceleration server, where the service server stores multiple certificates bound to a domain name, The acceleration server stores multiple private keys bound to the domain name, where:
- the service server is configured to receive a handshake request sent by the client to the target domain name, and feed back, to the client, a target certificate bound to the target domain name, where the target certificate includes the specified public key, And causing the client to encrypt the session key of the session by using the specified public key; receiving the encrypted session key provided by the client, and sending a decryption request to the acceleration server, where the decryption request includes The encrypted session key; receiving and storing the decrypted session key fed back by the acceleration server to complete the handshake process;
- the acceleration server is configured to receive the decryption request sent by the service server, acquire a private key bound to the target domain name, and perform the encrypted session key by using the obtained private key. Decrypting; feeding back the decrypted session key to the service server.
- Computer terminal 10 may include one or more (only one of which is shown) processor 102 (processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), for storing data.
- processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), for storing data.
- FIG. 7 is merely illustrative and does not limit the structure of the above electronic device.
- computer terminal 10 may also include more or fewer components than shown in FIG. 7, or have a different configuration than that shown in FIG.
- the memory 104 can be used to store software programs and modules of application software, and the processor 102 executes various functional applications and data processing by running software programs and modules stored in the memory 104.
- Memory 104 may include high speed random access memory, and may also include non-volatile memory such as one or more magnetic storage devices, flash memory, or other non-volatile solid state memory.
- memory 104 may further include memory remotely located relative to processor 102, which may be coupled to computer terminal 10 via a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
- Transmission device 106 is for receiving or transmitting data via a network.
- the network specific examples described above may include a wireless network provided by a communication provider of the computer terminal 10.
- the transmission device 106 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station to communicate with the Internet.
- the transmission device 106 can be a Radio Frequency (RF) module for communicating with the Internet wirelessly.
- NIC Network Interface Controller
- RF Radio Frequency
- the technical solution provided by the present application includes an acceleration server in addition to a common service server in the edge node.
- the certificate of each domain name may be stored in the service server, and the private key of each domain name may be stored in the acceleration server.
- the service server can interact with a client of the user. After receiving the handshake request from the client to the target domain name, the service server may feed back the certificate corresponding to the target domain name to the client.
- the certificate may contain the public key corresponding to the target domain name. In this way, the client can extract the public key from the received certificate and use the public key to encrypt the session key of the session. The client can then provide the encrypted session key to the business server.
- the subsequent decryption process requires more resources, so the service server can send a decryption request carrying the encrypted session key to the acceleration server.
- the acceleration server may first obtain the private key corresponding to the target domain name, and use the private key to decrypt.
- the decrypted session key can be fed back to the service server by the acceleration server.
- the service server can store the decrypted session key to complete the handshake process.
- the data communicated between the subsequent business server and the client can be encrypted using the session key.
- an acceleration card of SSL/TLS can be installed in the acceleration server, and the above decryption process can be accelerated by the acceleration card, thereby reducing the time required for decryption.
- the service server can continue to process the subsequent algorithm suite negotiation process, so that after the decryption request in the handshake process is separated, the decryption process and the algorithm suite can be guaranteed.
- the negotiation process can be performed simultaneously, further reducing the time required for the handshake process. It can be seen from the above that the technical solution provided by the present application can improve the processing efficiency of the HTTPS handshake request, thereby reducing the waiting time of the user.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Power Engineering (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
Claims (12)
- 一种内容分发网络中握手请求的加速方法,其特征在于,所述方法应用于边缘节点中的业务服务器,所述业务服务器中存储有多个与域名相绑定的证书,所述方法包括:接收客户端发来的指向目标域名的握手请求;向所述客户端反馈与所述目标域名相绑定的目标证书,所述目标证书中包含指定公钥,以使得所述客户端利用所述指定公钥对本次会话的会话密钥进行加密;接收所述客户端提供的加密后的会话密钥,并向加速服务器发送解密请求,所述解密请求中包括所述加密后的会话密钥,以使得所述加速服务器根据与所述目标域名相绑定的私钥对所述加密后的会话密钥进行解密;接收并存储所述加速服务器反馈的解密后的会话密钥,以完成本次的握手过程。
- 根据权利要求1所述的方法,其特征在于,所述边缘节点中所述业务服务器的数量为至少两个;相应地,接收客户端发来的指向目标域名的握手请求包括:分别获取所述边缘节点中各个所述业务服务器的负载参数,并基于获取的所述负载参数,从至少两个业务服务器中确定负载最小的目标业务服务器;通过所述目标业务服务器接收客户端发来的指向目标域名的握手请求。
- 根据权利要求1所述的方法,其特征在于,在向加速服务器发送解密请求时,所述方法还包括:与所述客户端确定在本次会话中采用的算法套件。
- 根据权利要求1所述的方法,其特征在于,在接收客户端发来的指向目标域名的握手请求之后,所述业务服务器与所述客户端之间通过第一进程保持长连接,所述业务服务器与所述加速服务器之间通过第二进程保持长连接;相应地,所述方法还包括:建立所述第一进程和所述第二进程之间的映射关系,以使得所述客户端在指定时长内再次发起指向所述目标域名的访问请求时,所述访问请求通过所述第一进程被所述业务服务器接收,并且所述业务服务器与所述加速服务器之间通过所述第二进程处理所述访问请求。
- 一种业务服务器,其特征在于,所述业务服务器处于内容分发网络的边缘节点中,所述业务服务器包括存储器和处理器,所述存储器中存储计算机程序和多个与域名相绑定的证书,所述计算机程序被所述处理器执行时,实现以下步骤:接收客户端发来的指向目标域名的握手请求;向所述客户端反馈与所述目标域名相绑定的目标证书,所述目标证书中包含指定公钥,以使得所述客户端利用所述指定公钥对本次会话的会话密钥进行加密;接收所述客户端提供的加密后的会话密钥,并向加速服务器发送解密请求,所述解密请求中包括所述加密后的会话密钥,以使得所述加速服务器根据与所述目标域名相绑定的私钥对所述加密后的会话密钥进行解密;接收并存储所述加速服务器反馈的解密后的会话密钥,以完成本次的握手过程。
- 一种内容分发网络中握手请求的加速方法,其特征在于,所述方法应用于边缘节点中的加速服务器,所述加速服务器中存储有多个与域名相绑定的私钥,所述方法包括:接收业务服务器发来的解密请求,所述解密请求中包括目标域名以及经过指定公钥加密后的会话密钥;其中,所述指定公钥包含于在所述业务服务器中存储的与所述目标域名相绑定的目标证书中;获取所述目标域名绑定的私钥,并利用获取的所述私钥对所述加密后的会话密钥进行解密;向所述业务服务器反馈解密后的会话密钥;所述解密后的会话密钥用于对所述业务服务器与客户端之间传输的通信数据进行加密。
- 根据权利要求6所述的方法,其特征在于,所述加速服务器中安装有指定协议的加速组件,所述加速组件与所述加速服务器中的指定进程相绑定,以使得通过所述指定进程处理所述解密请求。
- 根据权利要求6所述的方法,其特征在于,所述加速服务器中的私钥存放于指定路径下;相应地,获取所述目标域名绑定的私钥包括:确定所述目标域名指向的目标指定路径,并读取所述目标指定路径下存放的私钥。
- 根据权利要求6所述的方法,其特征在于,所述加速服务器中设置有与域名相关联的监听端口;相应地,接收业务服务器发来的解密请求包括:识别业务服务器发来的解密请求中的目标域名,并通过与所述目标域名相关联的目标监听端口接收所述解密请求。
- 根据权利要求6所述的方法,其特征在于,所述边缘节点具备备用节点,相应地,所述方法还包括:检测所述加速服务器当前的性能指标,当所述性能指标超出允许范围时,将所述边缘节点中的业务切换至所述备用节点中,并发出用于表征节点切换的提示信息。
- 一种加速服务器,其特征在于,所述加速服务器处于内容分发网络的边缘节点中,所述加速服务器包括存储器和处理器,所述存储器中存储计算机程序和多个与域名相绑定的私钥,所述计算机程序被所述处理器执行时,实现以下步骤:接收业务服务器发来的解密请求,所述解密请求中包括目标域名以及经过指定公钥加密后的会话密钥;其中,所述指定公钥包含于在所述业务服务器中存储的与所述目标域名相绑定的目标证书中;获取所述目标域名绑定的私钥,并利用获取的所述私钥对所述加密后的会话密钥进行解密;向所述业务服务器反馈解密后的会话密钥;所述解密后的会话密钥用于对 所述业务服务器与客户端之间传输的通信数据进行加密。
- 一种内容分发网络中的边缘节点,其特征在于,所述边缘节点中包括业务服务器与加速服务器,其中:所述业务服务器,用于执行权利要求1至4中任一项所述的加速方法;所述加速服务器,用于执行权利要求6至10中任一项所述的加速方法。
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP18765531.1A EP3541051B1 (en) | 2018-01-30 | 2018-02-27 | Acceleration method for handshake request in content delivery network, device and edge node |
US16/070,448 US20210211504A1 (en) | 2018-01-30 | 2018-02-27 | Acceleration method for handshake request, device, and edge node in content delivery network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810089242.0A CN108401011B (zh) | 2018-01-30 | 2018-01-30 | 内容分发网络中握手请求的加速方法、设备及边缘节点 |
CN201810089242.0 | 2018-01-30 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019148562A1 true WO2019148562A1 (zh) | 2019-08-08 |
Family
ID=63095215
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/077430 WO2019148562A1 (zh) | 2018-01-30 | 2018-02-27 | 内容分发网络中握手请求的加速方法、设备及边缘节点 |
Country Status (4)
Country | Link |
---|---|
US (1) | US20210211504A1 (zh) |
EP (1) | EP3541051B1 (zh) |
CN (1) | CN108401011B (zh) |
WO (1) | WO2019148562A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113347218A (zh) * | 2020-02-18 | 2021-09-03 | 北京沃东天骏信息技术有限公司 | 模块下载方法和装置 |
CN113660328A (zh) * | 2021-08-13 | 2021-11-16 | 京东科技信息技术有限公司 | 通信连接的建立方法及装置、存储介质及电子设备 |
Families Citing this family (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109040318B (zh) * | 2018-09-25 | 2021-05-04 | 网宿科技股份有限公司 | Cdn网络的https连接方法及cdn节点服务器 |
CN109818736A (zh) * | 2018-12-24 | 2019-05-28 | 顺丰科技有限公司 | Ssl解密装置、解密系统、解密方法 |
CN110061996A (zh) * | 2019-04-25 | 2019-07-26 | 深圳市元征科技股份有限公司 | 一种数据传输方法、装置、设备及可读存储介质 |
EP4074013A1 (en) * | 2019-12-10 | 2022-10-19 | Telefonaktiebolaget LM Ericsson (publ) | Mechanism to enable third party services and applications discovery in distributed edge computing environment |
CN111600855A (zh) * | 2020-04-30 | 2020-08-28 | 福州吉诺网络科技有限公司 | 一种拖车救援订单信息的加密方法及系统 |
CN114338056B (zh) * | 2020-09-24 | 2023-07-28 | 贵州白山云科技股份有限公司 | 基于云分发的网络访问方法及其系统、介质、设备 |
CN112565210A (zh) * | 2020-11-24 | 2021-03-26 | 创盛视联数码科技(北京)有限公司 | Cdn节点推荐方法、系统、电子设备及存储介质 |
CN112839108B (zh) * | 2021-03-02 | 2023-05-09 | 北京金山云网络技术有限公司 | 连接建立方法、装置、设备、数据网络及存储介质 |
CN115460084B (zh) * | 2021-06-09 | 2024-05-24 | 贵州白山云科技股份有限公司 | 安全加速服务部署方法、装置、介质及设备 |
CN115460083B (zh) * | 2021-06-09 | 2024-04-19 | 贵州白山云科技股份有限公司 | 安全加速服务部署方法、装置、介质及设备 |
CN114257503A (zh) * | 2021-11-19 | 2022-03-29 | 网宿科技股份有限公司 | 加速域名部署方法、服务器、系统和存储介质 |
CN115297179B (zh) * | 2022-07-25 | 2024-03-08 | 天翼云科技有限公司 | 一种数据传输方法及装置 |
CN117119449B (zh) * | 2023-10-20 | 2024-01-19 | 长江量子(武汉)科技有限公司 | 车云安全通信方法及系统 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7502884B1 (en) * | 2004-07-22 | 2009-03-10 | Xsigo Systems | Resource virtualization switch |
CN106027646A (zh) * | 2016-05-19 | 2016-10-12 | 杜在东 | 一种加速https的方法及装置 |
CN106161449A (zh) * | 2016-07-19 | 2016-11-23 | 青松智慧(北京)科技有限公司 | 无密钥认证传输方法及系统 |
CN106341417A (zh) * | 2016-09-30 | 2017-01-18 | 贵州白山云科技有限公司 | 一种基于内容分发网络的https加速方法和系统 |
CN106789026A (zh) * | 2016-12-30 | 2017-05-31 | 上海帝联信息科技股份有限公司 | Cdn服务器及其与客户端连接方法、私钥服务器及系统 |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101079884B (zh) * | 2007-03-27 | 2010-11-10 | 腾讯科技(深圳)有限公司 | 一种客户端登陆业务服务器的方法、系统及设备 |
CN101459836B (zh) * | 2008-12-29 | 2011-04-20 | 中兴通讯股份有限公司 | 交互式网络电视的内容分发网络中的业务处理方法及系统 |
CN102291394B (zh) * | 2011-07-22 | 2014-06-11 | 网宿科技股份有限公司 | 基于网络加速设备的安全防御系统 |
US9647835B2 (en) * | 2011-12-16 | 2017-05-09 | Akamai Technologies, Inc. | Terminating SSL connections without locally-accessible private keys |
US9015348B2 (en) * | 2013-07-19 | 2015-04-21 | Limelight Networks, Inc. | Dynamically selecting between acceleration techniques based on content request attributes |
CN103401946B (zh) * | 2013-08-19 | 2016-07-13 | 网宿科技股份有限公司 | Http上传加速方法和系统 |
WO2015153383A1 (en) * | 2014-03-29 | 2015-10-08 | Akamai Technologies, Inc. | Traffic on-boarding for acceleration through out-of-band security authenticators |
CN104410691B (zh) * | 2014-11-27 | 2018-06-08 | 网宿科技股份有限公司 | 一种基于内容分发网络的网站加速方法及系统 |
CN106341375B (zh) * | 2015-07-14 | 2021-01-01 | 腾讯科技(深圳)有限公司 | 实现资源加密访问的方法及系统 |
-
2018
- 2018-01-30 CN CN201810089242.0A patent/CN108401011B/zh active Active
- 2018-02-27 US US16/070,448 patent/US20210211504A1/en not_active Abandoned
- 2018-02-27 EP EP18765531.1A patent/EP3541051B1/en active Active
- 2018-02-27 WO PCT/CN2018/077430 patent/WO2019148562A1/zh active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7502884B1 (en) * | 2004-07-22 | 2009-03-10 | Xsigo Systems | Resource virtualization switch |
CN106027646A (zh) * | 2016-05-19 | 2016-10-12 | 杜在东 | 一种加速https的方法及装置 |
CN106161449A (zh) * | 2016-07-19 | 2016-11-23 | 青松智慧(北京)科技有限公司 | 无密钥认证传输方法及系统 |
CN106341417A (zh) * | 2016-09-30 | 2017-01-18 | 贵州白山云科技有限公司 | 一种基于内容分发网络的https加速方法和系统 |
CN106789026A (zh) * | 2016-12-30 | 2017-05-31 | 上海帝联信息科技股份有限公司 | Cdn服务器及其与客户端连接方法、私钥服务器及系统 |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113347218A (zh) * | 2020-02-18 | 2021-09-03 | 北京沃东天骏信息技术有限公司 | 模块下载方法和装置 |
CN113660328A (zh) * | 2021-08-13 | 2021-11-16 | 京东科技信息技术有限公司 | 通信连接的建立方法及装置、存储介质及电子设备 |
CN113660328B (zh) * | 2021-08-13 | 2024-02-06 | 京东科技信息技术有限公司 | 通信连接的建立方法及装置、存储介质及电子设备 |
Also Published As
Publication number | Publication date |
---|---|
US20210211504A1 (en) | 2021-07-08 |
EP3541051A4 (en) | 2019-09-18 |
CN108401011B (zh) | 2021-09-24 |
EP3541051A1 (en) | 2019-09-18 |
CN108401011A (zh) | 2018-08-14 |
EP3541051B1 (en) | 2020-07-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2019148562A1 (zh) | 内容分发网络中握手请求的加速方法、设备及边缘节点 | |
US11108748B2 (en) | Systems and methods for secure multi-party communications using a proxy | |
US10785261B2 (en) | Techniques for secure session reestablishment | |
US10341118B2 (en) | SSL gateway with integrated hardware security module | |
US11303431B2 (en) | Method and system for performing SSL handshake | |
JP2020202594A (ja) | セキュアセッションの確立と暗号化データ交換のためのコンピュータ利用システム及びコンピュータ利用方法 | |
US20210266303A1 (en) | Method and system for secure communications | |
CN102315945A (zh) | 基于私有协议的统一身份认证方法 | |
US10291600B2 (en) | Synchronizing secure session keys | |
US20160277372A1 (en) | Optimization of a secure connection with enhanced security for private cryptographic keys | |
CN101860546A (zh) | 一种改进ssl握手协议的方法 | |
CN110808834B (zh) | 量子密钥分发方法和量子密钥分发系统 | |
US9961055B1 (en) | Inaccessibility of data to server involved in secure communication | |
CA2938166A1 (en) | Method and system for protecting data using data passports | |
CN110581829A (zh) | 通信方法及装置 | |
KR101448866B1 (ko) | 웹 보안 프로토콜에 따른 암호화 데이터를 복호화하는 보안 장치 및 그것의 동작 방법 | |
CN102780702A (zh) | 文件安全传输系统及方法 | |
US10931662B1 (en) | Methods for ephemeral authentication screening and devices thereof | |
EP3220604B1 (en) | Methods for client certificate delegation and devices thereof | |
WO2016134631A1 (zh) | 一种OpenFlow报文的处理方法及网元 | |
WO2016000473A1 (zh) | 一种业务访问方法、系统及装置 | |
Shaikh et al. | A survey on SSL packet structure | |
US20180324258A1 (en) | Direct connection limitation based on a period of time | |
CA3219175A1 (en) | Protocol translation for encrypted data traffic | |
CN113539523A (zh) | 一种基于国产商用密码算法的物联网设备身份认证方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 2018765531 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref document number: 2018765531 Country of ref document: EP Effective date: 20180918 |
|
ENP | Entry into the national phase |
Ref document number: 2018765531 Country of ref document: EP Effective date: 20180918 |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18765531 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |