WO2024139903A1 - Cluster cryptographic acceleration method and device for universal internet platform - Google Patents
- Publication number: WO2024139903A1 (PCT application PCT/CN2023/133855)
- Authority: WO (WIPO, PCT)
- Prior art keywords: computing, cluster, cryptographic, central management, management node
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L67/00—Network arrangements or protocols for supporting network services or applications
    - H04L67/01—Protocols
      - H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    - H04L67/2866—Architectures; Arrangements
      - H04L67/2895—Intermediate processing functionally located close to the data provider application, e.g. reverse proxies
  - H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    - H04L2463/041—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 using an encryption or decryption engine integrated in transmitted data
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS; Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE; Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
  - Y02D30/00—Reducing energy consumption in communication networks
    - Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Definitions
- The present invention provides a cluster cryptography acceleration method for a general Internet platform, comprising:
- S3 includes:
- S3-1: The central management node uses the coroutine mechanism to establish a handshake coroutine for the TLS handshake as an independent transaction.
- When the handshake coroutine reaches the point where an asymmetric cryptographic operation is required, the handshake coroutine is suspended and its resources are yielded to other coroutines or threads to achieve parallel processing.
- S3-2: The central management node converts the asymmetric cryptographic operation into an independent computing task through the encryption engine mechanism and distributes it to an encryption process on a remote resource node. After the task result is returned, the handshake coroutine is woken to continue executing the unfinished handshake transaction.
- $y_T$ is the response time at the current moment $T$
- $y_{T_0}$ is the response time at the initial moment $T_0$
- $y_{T+1|T}$ is the predicted response time of the next moment
- $y_{T-1}$ is the response time of the previous moment
- $\alpha$ is the smoothing factor, which controls the rate at which earlier response-time evaluation values decay as time moves forward.
- The present invention also provides a cluster cryptographic acceleration device for a general Internet platform, comprising:
- The cluster composition module is used to take the idle cryptographic computing resources of the back-end cluster servers of the Internet platform as remote resource nodes to form a virtual cryptographic computing cluster, and to use the front end of the Internet platform as the central management node of the virtual cryptographic computing cluster;
- A mechanism establishment module is used to establish a two-level asynchronous parallel mechanism based on the central management node and the remote resource nodes;
- The task computing module is used to asynchronously offload the received computing tasks, through the remote resource nodes and according to the two-level asynchronous parallel mechanism, to the local cryptographic computing resources for asynchronous parallel computing, and to transmit the computing results back to the central management node.
- The present invention also provides an electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, the cluster cryptographic acceleration method for a general Internet platform as described in any one of the above is implemented.
- The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon. When the computer program is executed by a processor, the cluster cryptographic acceleration method for a general Internet platform as described in any one of the above is implemented.
- FIG. 1 is a schematic flow chart of a cluster cryptographic acceleration method for a general Internet platform provided by the present invention.
- FIG. 3 is a schematic diagram of the virtual cryptographic computing cluster architecture of the cluster cryptographic acceleration method for a general Internet platform provided by the present invention.
- FIG. 4 is a schematic diagram of the implementation and deployment of the cluster cryptographic acceleration method for a general Internet platform provided by the present invention.
- FIG. 5 is a schematic diagram of the structure of a cluster cryptographic acceleration device for a general Internet platform provided by the present invention.
- FIG. 6 is a schematic diagram of the structure of an electronic device provided by the present invention.
- The cluster cryptographic acceleration method for a general Internet platform in this embodiment specifically includes the following steps (the numbering of the steps in the present invention only distinguishes the steps and does not limit their execution order):
- S1: Use the idle cryptographic computing resources of the back-end cluster servers of the Internet platform as remote resource nodes to form a virtual cryptographic computing cluster, and use the front end of the Internet platform as the central management node of the virtual cryptographic computing cluster.
- The present invention is combined with the actual construction scenario of a general Internet platform, as shown in Figure 2.
- The left side of Figure 2 shows the mainstream architecture of current Internet platforms.
- The front end establishes HTTPS connections with clients through a reverse proxy server and uses a load balancing strategy to forward client requests to the back end.
- The back end adopts a distributed architecture, and the application layer is vertically divided into different business subsystems according to business needs.
- Each subsystem is a business cluster composed of several containers on multiple servers, forming a high-performance business processing capability; the service layer provides public services for the application layer; and the resource layer provides data storage support for the upper layers.
- The idle cryptographic computing resources of the servers in each business cluster at the back end of the Internet platform are used as remote resource nodes to form a virtual cryptographic computing cluster, referred to as the cluster.
- The front end is used as the central management node of the cluster, and the cryptographic operations in the TLS handshake are converted into computing tasks, which are dispatched to the remote resource nodes for high-performance parallel computing using the two-level asynchronous parallel mechanism.
- This embodiment uses the Nginx software, which is widely used on Internet platforms, as the reverse proxy tool, and the OpenSSL software library, which has a high deployment rate in underlying applications, as the encryption tool.
- Cluster acceleration is implemented using proxy software, which is divided into a central management node proxy and a remote resource node proxy.
- The Nginx software is deployed on the front end of the platform, and parameters such as the service IP address, port number, number of worker processes, and forwarding strategy are configured according to the user's actual needs.
- The central management node agent is also deployed on the front end and is attached to Nginx in a low-intrusion manner.
- The back end consists of multiple cluster servers with integrated cryptographic hardware acceleration instructions or acceleration cards. Each server deploys a remote resource node agent alongside its original business system. Users can set the number of encryption processes and their binding to CPU logical cores according to the business volume and the specific operation of the business system.
- The two-level asynchronous parallel mechanism includes a first-level asynchronous parallel mechanism and a second-level asynchronous parallel mechanism;
- The first-level asynchronous parallel mechanism is deployed on the central management node; it implements asynchronous parallel distribution of computing tasks based on the coroutine mechanism, and establishes independent computing tasks for asymmetric cryptographic operations based on the encryption engine mechanism;
- The second-level asynchronous parallel mechanism is deployed on the remote resource nodes; it offloads computing tasks to local cryptographic computing resources based on the coroutine mechanism, and calls third-party cryptographic acceleration solutions for asynchronous parallel computing based on the encryption engine mechanism.
- The central management node is deployed at the front end of the platform to implement the first-level asynchronous parallel mechanism and the dynamic load balancing algorithm. It is responsible for transactionalizing each TLS handshake as a coroutine, converting the asymmetric cryptographic operations in the transaction into independent computing tasks, and asynchronously scheduling them to remote resource nodes for execution, thereby realizing asynchronous parallel computing of massive numbers of TLS handshake cryptographic operations and improving the platform's concurrent connection processing capability.
- The scheduling process applies a dynamic balancing algorithm to ensure a close match between computing tasks and node performance and a balanced allocation of computing resources.
- The remote resource node is deployed in the back-end cluster servers of the platform, and the second-level asynchronous parallel mechanism is implemented through multiple parallel encryption processes. Each encryption process asynchronously offloads the computing tasks it receives to the local idle software and hardware cryptographic acceleration resources for asynchronous parallel computing, and finally transmits the results back to the central management node.
- The first-level asynchronous parallel mechanism is deployed on the central management node, and the asynchronous parallel distribution of computing tasks is realized based on the coroutine mechanism.
- Asynchronous distribution first establishes a handshake coroutine for each TLS handshake as an independent transaction.
- The coroutine mechanism is a standardized, lightweight asynchronous communication mechanism established within a thread. When the handshake coroutine reaches the point where an asymmetric cryptographic operation is required, the handshake coroutine is suspended and its resources are yielded to other coroutines or threads to achieve high-performance parallel processing.
- The encryption engine mechanism is a set of methods, based on the invention's own encryption scheme, mounted on the user platform and the encryption software library in a low-intrusion or zero-intrusion manner.
- It provides an asynchronous acceleration service interface as an insertion point, embedded in the encryption data processing flow of the user platform, so that cryptographic operations migrate to the back end; this achieves a low-intrusion design.
- The computing task is encapsulated as a third-party application entity mounted directly on the user's encryption software library, replacing the original cryptographic operations to achieve zero intrusion.
- The mechanism establishment module 520 is used to establish a two-level asynchronous parallel mechanism based on the central management node and the remote resource nodes.
- The task computing module 540 is used to asynchronously offload the received computing tasks, through the remote resource nodes and according to the two-level asynchronous parallel mechanism, to the local cryptographic computing resources for asynchronous parallel computing, and to transmit the computing results back to the central management node.
- S3: The cryptographic operations in the TLS handshake are converted into independent computing tasks through the central management node, and the computing tasks are asynchronously scheduled to the remote resource nodes according to the two-level asynchronous parallel mechanism.
- The logic instructions in the above-mentioned memory 630 can be implemented in the form of software functional units and can be stored in a computer-readable storage medium when sold or used as an independent product.
- The technical solution of the present invention, or the part that contributes to the prior art, or part of the technical solution, can be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which can be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present invention.
- The aforementioned storage medium includes: a USB flash drive, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disk, or other media that can store program code.
- S2 Establish a two-level asynchronous parallel mechanism based on the central management node and the remote resource nodes.
Abstract
The present invention provides a cluster cryptographic acceleration method for a universal Internet platform, comprising: S1: taking the idle cryptographic calculation resources of the servers in the back-end clusters of the platform as remote resource nodes to form a virtual cryptographic calculation cluster, and taking the front end of the platform as the central management node of the cluster; S2: establishing a two-stage asynchronous parallel mechanism; S3: converting the cryptographic operations in a TLS handshake into independent calculation tasks by means of the central management node, and asynchronously scheduling the calculation tasks to the remote resource nodes according to the two-stage asynchronous parallel mechanism; and S4: by means of the remote resource nodes, and according to the two-stage asynchronous parallel mechanism, asynchronously offloading the received calculation tasks to local cryptographic calculation resources for asynchronous parallel calculation, and then returning the results to the central management node. The method overcomes the defect in the prior art of imbalanced calculation resources between the front end and the back end of the Internet platform, achieves balanced use of calculation resources and maximization of calculation efficiency, and effectively improves the service capability of the platform.
Description
The present invention relates to the field of Internet communication technology, and in particular to a cluster cryptography acceleration method and device for a general Internet platform.
Hypertext Transfer Protocol (HTTP) is used to transmit information between Web browsers and website servers. HTTP sends content in plain text and provides no form of data encryption: if an attacker intercepts the messages transmitted between the Web browser and the website server, the information in them can be read directly. Transmitting private information over HTTP is therefore very unsafe.
Today's general Internet platforms widely use Hypertext Transfer Protocol Secure (HTTPS) for encrypted communication to ensure the security of information and data. Transport Layer Security (TLS), the security core of HTTPS, adds a cryptography-based security mechanism between TCP and HTTP and thereby effectively guarantees the security and reliability of the transport layer; it has become a required component of secure Internet communication.
Usually an Internet platform deploys reverse proxy servers at the front end, which establish HTTPS connections with clients and use a load balancing strategy to forward client requests to the back end. For a large Internet platform, the front-end proxy must handle a massive number of concurrent HTTPS connection requests per unit time, and each first connection must execute the complete TLS handshake protocol. The handshake is the most complex part of establishing a connection between client and server: it negotiates the symmetric communication keys and authenticates both parties, and its cost is a considerable proportion of the whole TLS session. The handshake requires the server side to apply asymmetric cryptographic algorithms to protect the exchange, for example digitally signing key information such as its own DH parameters and the random numbers generated by both parties (TLS 1.2), or even all handshake messages (TLS 1.3), so that the negotiation messages cannot be tampered with. At peak business hours the throughput of a single server surges, and the large volume of complex asymmetric cryptographic computation in TLS handshakes consumes a great deal of system resources, reducing the concurrent processing performance of the front-end proxy so that it cannot cope with high-concurrency service scenarios.
However, the large amount of high-performance cryptographic computing resources contained in the back-end distributed cluster servers of existing Internet platforms is not fully utilized. On the one hand, high-performance cryptographic acceleration has become standard equipment on mainstream cluster servers: taking the Intel Xeon processor series widely used in servers as an example, the Advanced Encryption Standard instructions AES-NI were available as early as 2010, and acceleration instructions such as VAES, GFNI and IFMA, together with support for high-performance cryptographic hardware acceleration such as QAT cards, were integrated afterwards. On the other hand, the functions of some business clusters rarely involve cryptographic computation, leaving a large amount of idle computing resources.
In summary, existing large-scale Internet sites all face heavy cryptographic computing pressure in the front-end proxy's handling of high-concurrency TLS connections, together with uneven use of computing resources, which has become one of the constraints on building a high-performance Internet platform service capability. Existing solutions mainly rely on local software and hardware acceleration services provided by third parties to improve front-end computing performance, which increases the cost of platform construction, cannot achieve independent controllability in terms of security, and also fails to solve the uneven use of computing resources.
Summary of the invention
The present invention provides a cluster cryptography acceleration method for a general Internet platform, which solves the defect of unbalanced computing resources between the front end and the back end of the Internet platform in the prior art, achieves balanced use of computing resources and maximization of computing efficiency, and effectively improves the platform's service capability.
The present invention provides a cluster cryptography acceleration method for a general Internet platform, comprising:
S1: Using the idle cryptographic computing resources of the back-end cluster servers of the Internet platform as remote resource nodes to form a virtual cryptographic computing cluster, and using the front end of the Internet platform as the central management node of the virtual cryptographic computing cluster;
S2: Establishing a two-level asynchronous parallel mechanism based on the central management node and the remote resource nodes;
S3: Converting the cryptographic operations in the TLS handshake into independent computing tasks through the central management node, and asynchronously scheduling the computing tasks to the remote resource nodes according to the two-level asynchronous parallel mechanism;
S4: Through the remote resource nodes, and according to the two-level asynchronous parallel mechanism, asynchronously offloading the received computing tasks to the local cryptographic computing resources for asynchronous parallel computing, and transmitting the computing results back to the central management node.
According to a cluster cryptographic acceleration method for a general Internet platform provided by the present invention, the two-level asynchronous parallel mechanism includes a first-level asynchronous parallel mechanism and a second-level asynchronous parallel mechanism. The first-level asynchronous parallel mechanism is deployed on the central management node; it realizes asynchronous parallel distribution of computing tasks based on the coroutine mechanism, and establishes independent computing tasks for asymmetric cryptographic operations based on the encryption engine mechanism. The second-level asynchronous parallel mechanism is deployed on the remote resource nodes; it offloads computing tasks to local cryptographic computing resources based on the coroutine mechanism, and calls third-party cryptographic acceleration solutions for asynchronous parallel computing based on the encryption engine mechanism.
According to a cluster cryptographic acceleration method for a general Internet platform provided by the present invention, the encryption engine mechanism is mounted on the user platform and the encryption software library on the basis of the invention's own encryption scheme.
According to a cluster cryptography acceleration method for a general Internet platform provided by the present invention, S3 includes:
S3-1: The central management node uses the coroutine mechanism to establish a handshake coroutine for the TLS handshake as an independent transaction. When the handshake coroutine reaches the point where an asymmetric cryptographic operation is required, the handshake coroutine is suspended and its resources are yielded to other coroutines or threads to achieve parallel processing;
S3-2: At the same time, the central management node converts the asymmetric cryptographic operation into an independent computing task through the encryption engine mechanism and distributes it to an encryption process on a remote resource node. After the task result is returned, the handshake coroutine is woken to continue executing the unfinished handshake transaction.
According to a cluster cryptographic acceleration method for a general Internet platform provided by the present invention, a dynamic load balancing algorithm is applied to the asynchronous scheduling process from the central management node to the remote resource nodes. The dynamic load balancing algorithm is implemented on the basis of the computing task response time combined with a weighting strategy, where the computing task response time is the interval from the central management node issuing a computing task to its receiving the task result; the dynamic load balancing algorithm uses the predicted response time at the next moment as the evaluation value of an encryption process, and the evaluation value is inversely proportional to the weight assigned.
According to a cluster cryptography acceleration method for a general Internet platform provided by the present invention, the evaluation of the computing task response time applies the simple exponential smoothing prediction method: the prediction for the next moment is modelled as an exponentially weighted linear function of the previous observations, with weights that decay as the observations age, expressed as:

$$y_{T+1|T} = \alpha y_T + \alpha(1-\alpha) y_{T-1} + \alpha(1-\alpha)^2 y_{T-2} + \alpha(1-\alpha)^3 y_{T-3} + \cdots + \alpha(1-\alpha)^{T-T_0} y_{T_0};$$

where $y_T$ is the response time at the current moment $T$, $y_{T_0}$ is the response time at the initial moment $T_0$, $y_{T+1|T}$ is the predicted response time of the next moment, $y_{T-1}$ is the response time of the previous moment, and $\alpha$ is the smoothing factor, which controls the rate at which earlier response-time evaluation values decay as time moves forward.
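The smoothing predictor and the inverse-weight allocation described above, as an added example that is not part of the patent: the forecast in the expanded form of the formula, the equivalent recursive update that a scheduler can keep per encryption process in constant memory, and a weight table in which each process's weight is inversely proportional to its evaluation value. The process names, the response-time histories (in milliseconds) and the dispatch rule (send the next task to the highest-weight process, and give a never-observed process the weight of the best known one so that it gets probed) are constructed assumptions; the patent fixes only the predictor and the inverse-proportion relation.

```python
from dataclasses import dataclass


def ses_forecast(observations, alpha):
    """Simple exponential smoothing in the expanded form of the patent's formula:
    y_{T+1|T} = sum_{k=0}^{T-T0} alpha * (1-alpha)^k * y_{T-k}.
    observations[0] is y_{T0} (oldest), observations[-1] is y_T (newest)."""
    if not 0.0 < alpha <= 1.0:
        raise ValueError("alpha must be in (0, 1]")
    if not observations:
        raise ValueError("at least one observation is required")
    forecast, weight = 0.0, alpha
    for y in reversed(observations):      # newest first: k = 0, 1, 2, ...
        forecast += weight * y
        weight *= 1.0 - alpha
    return forecast


def ses_forecast_recursive(observations, alpha):
    """Same weights, computed incrementally: s = alpha*y_t + (1-alpha)*s, s_0 = 0.
    Expanding the recursion gives each y_{T-k} the weight alpha*(1-alpha)^k."""
    s = 0.0
    for y in observations:
        s = alpha * y + (1.0 - alpha) * s
    return s


@dataclass
class EncryptionProcess:
    """One encryption process on a remote resource node, as seen by the scheduler."""
    name: str
    alpha: float
    level: float = 0.0   # smoothed response-time evaluation value
    samples: int = 0

    def observe(self, response_time):
        """Called when a task result returns; response time is the interval from
        issuing the task to receiving the result."""
        if response_time < 0:
            raise ValueError("response time cannot be negative")
        self.level = self.alpha * response_time + (1.0 - self.alpha) * self.level
        self.samples += 1

    @property
    def evaluation(self):
        return self.level


def weights(processes):
    """Weight inversely proportional to the evaluation value, normalised to sum to 1.
    Constructed rule: a process with no observations yet (evaluation 0, which would
    divide by zero) is given the evaluation of the best known process."""
    known = [p.evaluation for p in processes if p.samples > 0]
    floor = min(known) if known else 1.0
    raw = {p.name: 1.0 / (p.evaluation if p.samples > 0 else floor) for p in processes}
    total = sum(raw.values())
    return {name: w / total for name, w in raw.items()}


def pick(processes):
    """Constructed dispatch rule: the next task goes to the highest-weight process."""
    w = weights(processes)
    return max(w, key=w.get)


def demo(alpha=0.5):
    # Constructed response-time histories (ms) for two encryption processes.
    fast = EncryptionProcess("node1/enc0", alpha)
    slow = EncryptionProcess("node2/enc0", alpha)
    fast_history, slow_history = [10, 12, 11, 20], [30, 30, 30, 30]
    for rt in fast_history:
        fast.observe(rt)
    for rt in slow_history:
        slow.observe(rt)
    return {
        "expanded_fast": ses_forecast(fast_history, alpha),
        "recursive_fast": fast.evaluation,
        "weights": weights([fast, slow]),
        "chosen": pick([fast, slow]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

One property of the formula as written is worth knowing before tuning $\alpha$: because the expanded sum has no separate initial-level term, its weights add up to $1-(1-\alpha)^{T-T_0+1}$ rather than 1, so a process's evaluation starts low and only approaches the true smoothed response time after a few $1/\alpha$ samples; a scheduler that trusts very early evaluations will therefore briefly over-weight freshly started encryption processes.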
According to a cluster cryptographic acceleration method for a general Internet platform provided by the present invention, the two-level asynchronous parallel mechanism establishes a low-intrusion cluster architecture based on the encryption engine mechanism, and the low-intrusion cluster architecture includes platform-level low intrusion and algorithm-level zero intrusion.
本发明还提供一种面向通用互联网平台的集群密码加速装置,包括:The present invention also provides a cluster cryptographic acceleration device for a general Internet platform, comprising:
集群组成模块,用于将互联网平台后端集群服务器的闲置密码学计算资源作为远端资源节点,组成虚拟密码学计算集群,将互联网平台前端作为所述虚拟密码学计算集群的中心管理节点;The cluster composition module is used to use the idle cryptographic computing resources of the back-end cluster server of the Internet platform as remote resource nodes to form a virtual cryptographic computing cluster, and use the front-end of the Internet platform as the central management node of the virtual cryptographic computing cluster;
机制建立模块,用于根据中心管理节点和远端资源节点建立两级异步并行机制;A mechanism establishment module is used to establish a two-level asynchronous parallel mechanism based on the central management node and the remote resource node;
任务调度模块,用于通过中心管理节点将TLS握手中的密码学操作转化为独立计算任务,根据所述两级异步并行机制将计算任务异步调度至远端资源节点;A task scheduling module, used to convert the cryptographic operations in the TLS handshake into independent computing tasks through the central management node, and asynchronously schedule the computing tasks to the remote resource nodes according to the two-level asynchronous parallel mechanism;
任务计算模块,用于通过远端资源节点,根据所述两级异步并行机制将收到的计算任务异步卸载至本地密码学计算资源中进行异步并行计算,将计算结果回传至中心管理节点。The task computing module is used to asynchronously offload the received computing tasks to the local cryptographic computing resources through the remote resource nodes according to the two-level asynchronous parallel mechanism for asynchronous parallel computing, and transmit the computing results back to the central management node.
本发明还提供一种电子设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述程序时实现如上述任一种所述面向通用互联网平台的集群密码加速方法。The present invention also provides an electronic device, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein when the processor executes the program, the cluster cryptographic acceleration method for a general Internet platform as described in any one of the above is implemented.
本发明还提供一种非暂态计算机可读存储介质,其上存储有计算机程序,该计算机程序被处理器执行时实现如上述任一种所述面向通用互联网平台的集群密码加速方法。The present invention also provides a non-transitory computer-readable storage medium having a computer program stored thereon. When the computer program is executed by a processor, the cluster cryptographic acceleration method for a general Internet platform as described in any one of the above is implemented.
The cluster cryptographic acceleration method for a general Internet platform provided by the present invention deploys a central management node at the platform front end and remote resource nodes on the platform's back-end cluster servers, establishes a two-level asynchronous parallel mechanism, and asynchronously schedules the complex cryptographic computations of the TLS handshakes proxied by the platform front end to the back-end business cluster servers, where the idle cryptographic computing resources of the cluster servers perform high-performance asynchronous parallel computation, forming a virtual high-performance computing cluster. This effectively relieves the load on the front end, improves the platform's concurrent connection handling capacity, balances the use of computing resources, maximizes computing efficiency and so improves the platform's service capacity. It also removes the high construction cost and lack of autonomous control that result from existing acceleration solutions depending on third-party services, effectively reducing the platform's construction and operating costs and improving its autonomy and controllability.
FIG. 1 is a schematic flow chart of the cluster cryptographic acceleration method for a general Internet platform provided by the present invention;
FIG. 2 is a schematic diagram of the assembly of the virtual cryptographic computing cluster in the cluster cryptographic acceleration method for a general Internet platform provided by the present invention;
FIG. 3 is a schematic diagram of the architecture of the virtual cryptographic computing cluster in the cluster cryptographic acceleration method for a general Internet platform provided by the present invention;
FIG. 4 is a schematic diagram of the implementation and deployment of the cluster cryptographic acceleration method for a general Internet platform provided by the present invention;
FIG. 5 is a schematic diagram of the structure of the cluster cryptographic acceleration device for a general Internet platform provided by the present invention;
FIG. 6 is a schematic diagram of the structure of an electronic device provided by the present invention.
The cluster cryptographic acceleration method for a general Internet platform according to the first embodiment of the present invention is described below with reference to FIG. 1 to FIG. 4.
As shown in FIG. 1, the cluster cryptographic acceleration method for a general Internet platform of this embodiment specifically includes the following steps (the numbering of the steps in the present invention only serves to distinguish them and does not limit the order in which they are executed):
S1: Use the idle cryptographic computing resources of the Internet platform's back-end cluster servers as remote resource nodes to form a virtual cryptographic computing cluster, and use the Internet platform front end as the central management node of the virtual cryptographic computing cluster.
The present invention is designed for the actual construction scenario of a general Internet platform, as shown in FIG. 2. The left side of FIG. 2 shows the mainstream architecture of today's Internet platforms: the front end establishes HTTPS connections with clients through reverse proxy servers and forwards client requests to the back end using a load balancing strategy. The back end adopts a distributed architecture: the application layer is split vertically into different business subsystems according to business needs, and within each subsystem a business cluster formed from several containers on multiple servers provides high-performance business processing capacity; the service layer provides common services to the application layer; and the resource layer provides data storage support to the layers above it. In this step, the idle cryptographic computing resources of the servers in each business cluster of the platform back end are used as remote resource nodes to form a virtual cryptographic computing cluster, referred to below simply as the cluster. The front end is used as the central management node of the cluster; the cryptographic operations in the TLS handshake are converted into computing tasks and dispatched to the remote resource nodes for high-performance parallel computation using the two-level asynchronous parallel mechanism.
This embodiment uses Nginx, which is widely deployed on Internet platforms, as the reverse proxy tool and the OpenSSL library, which has a high deployment rate in underlying applications, as the cryptographic tool. Cluster acceleration is implemented as proxy software, specifically a central management node agent and a remote resource node agent. As shown in FIG. 4, Nginx is deployed at the platform front end, and parameters such as the service IP address, port number, number of worker processes and forwarding strategy are configured according to the user's actual needs. The central management node agent is also deployed at the front end and is attached behind Nginx in a low-intrusion manner. The back end is connected to multiple cluster servers that integrate cryptographic hardware acceleration instructions or acceleration cards; each server deploys a remote resource node agent alongside its existing business system, and the user can set the number of encryption processes and their binding to CPU logical cores according to the business volume and the specific operating conditions of the business system.
S2: Establish the two-level asynchronous parallel mechanism based on the central management node and the remote resource nodes.
The two-level asynchronous parallel mechanism includes a first-level asynchronous parallel mechanism and a second-level asynchronous parallel mechanism. The first-level mechanism is deployed on the central management node; it implements asynchronous parallel distribution of computing tasks based on the coroutine mechanism and establishes independent computing tasks for asymmetric cryptographic operations based on the encryption engine mechanism. The second-level mechanism is deployed on the remote resource nodes; it offloads computing tasks to local cryptographic computing resources based on the coroutine mechanism and calls third-party cryptographic acceleration solutions for asynchronous parallel computation based on the encryption engine mechanism.
As shown in FIG. 3, the central management node is deployed at the platform front end and implements the first-level asynchronous parallel mechanism and the dynamic load balancing algorithm. It is responsible for turning each TLS handshake into a transaction run as a coroutine, converting the asymmetric cryptographic operations in the transaction into independent computing tasks and asynchronously scheduling them to the remote resource nodes for execution, so that the cryptographic operations of a massive number of TLS handshakes are computed asynchronously and in parallel and the platform's concurrent connection handling capacity is improved. The scheduling process applies a dynamic balancing algorithm to keep computing tasks closely matched to node performance and to allocate computing resources evenly. The remote resource nodes are deployed on the platform's back-end cluster servers and implement the second-level asynchronous parallel mechanism through multiple parallel encryption processes: each encryption process asynchronously offloads the computing tasks it receives to the local idle software and hardware cryptographic acceleration resources for asynchronous parallel computation, and finally returns the computing results to the central management node.
S3-1: The central management node uses the coroutine mechanism to treat each TLS handshake as an independent transaction and establishes a handshake coroutine for it. When the handshake coroutine reaches a point where an asymmetric cryptographic operation is required, the handshake coroutine is suspended and yields its resources to other coroutines or threads, achieving parallel processing.
As shown in FIG. 3, the first-level asynchronous parallel mechanism is deployed on the central management node and realizes the asynchronous parallel distribution of computing tasks based on the coroutine mechanism. Asynchronous distribution first treats each TLS handshake as an independent transaction and establishes a handshake coroutine for it. The coroutine mechanism is a standardized, lightweight asynchronous communication mechanism built inside a thread: when the handshake coroutine reaches a point where an asymmetric cryptographic operation is required, it is suspended and yields its resources to other coroutines or threads, achieving high-performance parallel processing.
S3-2: At the same time, the central management node converts the asymmetric cryptographic operation into an independent computing task through the encryption engine mechanism and distributes it to an encryption process on a remote resource node; once the task result is returned, the handshake coroutine is woken up to continue the unfinished handshake transaction.
At the same time, the encryption engine mechanism is used to establish an independent computing task for the asymmetric cryptographic operation, which is distributed through the dynamic load balancing algorithm to an encryption process on a remote resource node; once the task result is returned, the handshake coroutine is woken up to continue the unfinished handshake transaction. The encryption process is used to offload multiple computing tasks onto the remote resource node's local computing resources for execution.
The two-level asynchronous parallelism uses the relatively mature coroutine mechanism to implement asynchronous operation. As a lightweight asynchronous mechanism built within a thread, it has the advantages of high efficiency, low overhead, simplicity and practicality. The central management node regards each TLS handshake as an independent transaction and establishes a coroutine for it; all the events of a single handshake, such as key negotiation and identity authentication, are completed in sequence inside the coroutine, and a large number of parallel coroutines handle the massive number of concurrent TLS handshakes, completing handshake instantiation.
A complete handshake instance involves multiple cryptographic operations. Each single cryptographic operation is modeled as an independent computing task entity, which involves extracting the raw data, creating the cryptographic algorithm structures, and managing the full life cycle of the task and its keys. When the TLS handshake instance reaches a cryptographic operation, the operation is converted into a computing task entity, decoupling it from the handshake instance. The computing task is submitted to the dynamic load balancing module and distributed to a remote resource node; at the same time, the corresponding coroutine is suspended and yields its resources to other coroutines handling parallel TLS handshakes. When the task is complete, the coroutine is woken up, the remote resource node reports the computing result, and the central management node, having obtained the result, continues with the subsequent handshake events and reclaims the task resources, completing the first level of asynchronous parallelism.
In this embodiment, Nginx forwards the client's HTTPS request to the central management node agent. The agent establishes a handshake coroutine for each TLS handshake, converts the asymmetric signature operation in the TLS handshake into a computing task through the encryption engine mechanism, implements the suspension and wake-up of the handshake coroutine, and submits the task to the dynamic load balancing algorithm for processing.
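The two-level flow of steps S3-1, S3-2 and S4 (handshake coroutine suspends at the signature, the task is dispatched, the remote encryption process offloads it to local compute, the result wakes the coroutine) can be shown in a self-contained program. The following is an added example written for this page; it is not code from the patent or from its Nginx/OpenSSL agents. It uses Go goroutines and channels in place of the coroutines the text describes, and the standard library's `ecdsa.SignASN1` on P-256 in place of the CPU instructions or QAT card on the remote node. The type and function names (`SignTask`, `RemoteProc`, `Handshake`, `RunHandshakes`), the constructed transcripts, and the choice to keep the signing key only on the remote process so that the task carries nothing but the transcript hash are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sync"
)

// SignTask is the independent computing task the central management node
// builds when a handshake coroutine reaches its asymmetric operation. It
// carries only the transcript hash; the private key stays on the remote node
// (an assumption of this example, not a statement from the patent).
type SignTask struct {
	HandshakeID int
	Digest      []byte
	Reply       chan SignResult // per-task channel the suspended handshake waits on
}

// SignResult is the computing result returned to the central management node.
type SignResult struct {
	HandshakeID int
	Signature   []byte
	Err         error
}

// RemoteProc stands in for one encryption process on a remote resource node.
type RemoteProc struct {
	Name  string
	key   *ecdsa.PrivateKey
	tasks chan SignTask
	wg    sync.WaitGroup
}

// NewRemoteProc starts an encryption process that holds the server's signing key.
func NewRemoteProc(name string, key *ecdsa.PrivateKey) *RemoteProc {
	p := &RemoteProc{Name: name, key: key, tasks: make(chan SignTask, 64)}
	p.wg.Add(1)
	go p.serve()
	return p
}

// serve is the second-level asynchronous mechanism: every received task is
// offloaded to its own goroutine, so many signatures are computed in parallel
// on the local resources. ecdsa.SignASN1 plays the hardware-accelerated routine.
func (p *RemoteProc) serve() {
	defer p.wg.Done()
	var inflight sync.WaitGroup
	for t := range p.tasks {
		inflight.Add(1)
		go func(t SignTask) {
			defer inflight.Done()
			sig, err := ecdsa.SignASN1(rand.Reader, p.key, t.Digest)
			t.Reply <- SignResult{HandshakeID: t.HandshakeID, Signature: sig, Err: err}
		}(t)
	}
	inflight.Wait()
}

// Close stops accepting tasks and waits for in-flight signatures to finish.
func (p *RemoteProc) Close() { close(p.tasks); p.wg.Wait() }

// Handshake is one "handshake coroutine" on the central management node. It
// hashes the transcript, packages the signing step as a task, dispatches it
// (first-level async) and blocks on the reply channel, which is the coroutine
// suspension: the scheduler runs other handshakes until the result arrives.
func Handshake(id int, transcript []byte, proc *RemoteProc) ([]byte, error) {
	digest := sha256.Sum256(transcript)
	task := SignTask{HandshakeID: id, Digest: digest[:], Reply: make(chan SignResult, 1)}
	proc.tasks <- task
	res := <-task.Reply // suspended here until the remote node reports back
	if res.Err != nil {
		return nil, res.Err
	}
	if res.HandshakeID != id {
		return nil, fmt.Errorf("result for handshake %d delivered to %d", res.HandshakeID, id)
	}
	return res.Signature, nil
}

// RunHandshakes runs n concurrent handshakes against proc and returns how many
// produced a signature that verifies under the server's public key.
func RunHandshakes(n int, proc *RemoteProc, pub *ecdsa.PublicKey) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	ok := 0
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(id int) {
			defer wg.Done()
			// Constructed stand-in for the handshake transcript being signed.
			transcript := []byte(fmt.Sprintf("constructed ClientHello..ServerHello transcript #%d", id))
			sig, err := Handshake(id, transcript, proc)
			if err != nil {
				return
			}
			d := sha256.Sum256(transcript)
			if ecdsa.VerifyASN1(pub, d[:], sig) {
				mu.Lock()
				ok++
				mu.Unlock()
			}
		}(i)
	}
	wg.Wait()
	return ok
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	proc := NewRemoteProc("node-b:proc0", key)
	defer proc.Close()
	fmt.Printf("%d of 200 handshakes signed remotely and verified\n", RunHandshakes(200, proc, &key.PublicKey))
}
```

The per-task reply channel is what makes the result routing explicit: a suspended handshake can only be woken by the result of its own task, which is the property a real agent needs when thousands of handshakes are in flight against several encryption processes.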
The dynamic load balancing algorithm is based on the computing task response time combined with a weighting strategy: it distributes computing tasks preferentially to high-performance encryption processes to ensure computing efficiency, while avoiding the uneven use of computing resources that would result from concentrating tasks too heavily. The computing task response time is the interval between the central management node issuing a computing task and receiving the task result. The algorithm uses the predicted response time for the next moment as the evaluation value of an encryption process: the smaller the evaluation value, the higher the computing performance and the higher the weight assigned; conversely, the larger the evaluation value, the lower the weight. When distributing a task, the encryption process on a remote resource node is selected according to weight, so that a process with a high weight has a high probability of being selected and one with a low weight a low probability. The evaluation of the computing task response time applies the simple exponential smoothing prediction method, which is suitable for forecasting univariate time series without a clear trend or seasonal pattern. The prediction for the next moment is modeled as an exponentially weighted linear function of the previous observations, with weights that decay as the observations become older, expressed as follows:

$$y_{T+1|T} = \alpha y_T + \alpha(1-\alpha)\, y_{T-1} + \alpha(1-\alpha)^2\, y_{T-2} + \alpha(1-\alpha)^3\, y_{T-3} + \cdots + \alpha(1-\alpha)^{T-T_0}\, y_{T_0};$$
where $y_T$ is the response time at the current moment $T$, $y_{T_0}$ is the response time at the initial moment $T_0$, $y_{T+1|T}$ is the predicted response time of the next moment, $y_{T-1}$ is the response time of the previous moment, and $\alpha$ is the smoothing factor, which controls the rate at which earlier response time evaluations decay as time moves forward.
In this embodiment, the algorithm uses the probabilities corresponding to the weights of the remote resource nodes' encryption processes to determine the target node encryption process for the current computing task and distributes it through the sending module. The central management node agent measures, evaluates and records in real time the historical response times of the computing tasks sent to each encryption process; from this history, combined with the simple exponential smoothing prediction method, it predicts the response time for the next moment and sets the encryption process weights and corresponding probabilities accordingly.
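The smoothing formula and the weight-to-probability scheduling it feeds (stated once in the summary and again in the embodiment above) are small enough to show end to end. The following is an added example written for this page, not code from the patent; it implements the expansion exactly as the text states it, with the newest observation weighted $\alpha$ and each older one damped by a further $(1-\alpha)$. Two points are assumptions of the example rather than statements of the patent, which only says that a smaller evaluation value gets a larger weight: weight is taken as the reciprocal of the predicted response time, and a process with no measurements yet is given the mean prediction of the others so it is scheduled at an average rate until it has a history. The names `EncProc`, `PredictNext`, `Probabilities`, `Select`, `Dispatch` and the sample histories are constructed.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// EncProc is one remote encryption process as seen by the central management
// node agent: its name and the measured response times (seconds) of the tasks
// sent to it, oldest first, so History[0] is y_{T0} and the last entry is y_T.
type EncProc struct {
	Name    string
	History []float64
}

// Record appends a measured response time once a task result has come back.
func (p *EncProc) Record(seconds float64) { p.History = append(p.History, seconds) }

// PredictNext evaluates the simple exponential smoothing expansion from the
// patent text: y_{T+1|T} = α y_T + α(1-α) y_{T-1} + ... + α(1-α)^{T-T0} y_{T0}.
// With no history the prediction is 0.
func PredictNext(history []float64, alpha float64) float64 {
	n := len(history)
	pred := 0.0
	for k := 0; k < n; k++ {
		// history[n-1-k] is y_{T-k}; its weight is α(1-α)^k.
		pred += alpha * math.Pow(1-alpha, float64(k)) * history[n-1-k]
	}
	return pred
}

// Probabilities maps predicted response times to selection probabilities.
// Assumption: weight = 1/prediction, normalised to sum to 1. A process with
// no history (prediction 0) is assigned the mean prediction of the others.
func Probabilities(preds []float64) []float64 {
	mean, cnt := 0.0, 0
	for _, p := range preds {
		if p > 0 {
			mean += p
			cnt++
		}
	}
	if cnt > 0 {
		mean /= float64(cnt)
	} else {
		mean = 1 // nothing measured anywhere: uniform weights
	}
	probs := make([]float64, len(preds))
	total := 0.0
	for i, p := range preds {
		if p <= 0 {
			p = mean
		}
		probs[i] = 1 / p
		total += probs[i]
	}
	for i := range probs {
		probs[i] /= total
	}
	return probs
}

// Select performs roulette-wheel selection: index i is chosen with
// probability probs[i]; u must be a uniform sample in [0,1).
func Select(probs []float64, u float64) int {
	acc := 0.0
	for i, p := range probs {
		acc += p
		if u < acc {
			return i
		}
	}
	return len(probs) - 1 // rounding can leave u >= acc; take the last entry
}

// Dispatch chooses the encryption process that receives the next computing
// task from the per-process histories, the smoothing factor and one draw u.
func Dispatch(procs []EncProc, alpha, u float64) int {
	preds := make([]float64, len(procs))
	for i, p := range procs {
		preds[i] = PredictNext(p.History, alpha)
	}
	return Select(Probabilities(preds), u)
}

func main() {
	// Constructed sample histories: node-b:proc1 is fastest, node-b:proc0
	// slowest, node-c:proc0 has just joined and has no measurements yet.
	procs := []EncProc{
		{Name: "node-a:proc0", History: []float64{0.020, 0.021, 0.019, 0.022}},
		{Name: "node-b:proc0", History: []float64{0.050, 0.045, 0.060, 0.055}},
		{Name: "node-b:proc1", History: []float64{0.030, 0.010, 0.012, 0.011}},
		{Name: "node-c:proc0"},
	}
	rng := rand.New(rand.NewSource(1))
	const tasks = 10000
	counts := make([]int, len(procs))
	for i := 0; i < tasks; i++ {
		counts[Dispatch(procs, 0.5, rng.Float64())]++
	}
	for i, p := range procs {
		fmt.Printf("%-13s predicted=%.4fs  share=%5.1f%%\n",
			p.Name, PredictNext(p.History, 0.5), 100*float64(counts[i])/tasks)
	}
}
```

Note that the expansion as stated stops at $\alpha(1-\alpha)^{T-T_0} y_{T_0}$, so its weights sum to $1-(1-\alpha)^{T-T_0+1}$ rather than to 1; for a short history the prediction therefore sits slightly below a constant series, which is harmless for ranking processes against each other but worth knowing if the value is ever compared against an absolute latency threshold.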
S4: Through the remote resource nodes, according to the two-level asynchronous parallel mechanism, asynchronously offload the received computing tasks to the local cryptographic computing resources for asynchronous parallel computation, and return the computing results to the central management node.
Each remote resource node establishes multiple acceleration service instances, which concurrently receive and process the large number of computing tasks distributed by the central management node and establish a coroutine for each. In the same way as for computing task migration, the coroutine mechanism is used to process the computing tasks asynchronously and in parallel on the local hardware computing resources, and the computing results are reported to the central management node, completing the second level of asynchronous parallelism.
As shown in FIG. 3, the second-level asynchronous parallel mechanism is implemented by the encryption processes of the remote resource node. Each encryption process is bound to a CPU logical core, and the binding can be specified by the user according to their needs. The second-level mechanism is implemented similarly to the first level: the computing tasks are offloaded to the local computing resources for asynchronous execution through the coroutine mechanism and the encryption engine mechanism, and multiple encryption processes are established on the remote resource node for high-performance parallel processing of the tasks. The local cryptographic computing resources may be hardware cryptographic instructions integrated in the CPU or pluggable hardware cryptographic cards, such as QAT cards.
In this embodiment, the multiple encryption processes of the remote resource node agent concurrently receive the large number of computing tasks sent by the central management node agent, offload them to the local cryptographic acceleration resources by a method similar to the first-level asynchronous mechanism, and use the encryption engine mechanism to transparently call a third-party cryptographic acceleration solution for asynchronous parallel computation. When a computing task completes, the agent returns the result to the central management node agent, which wakes up the corresponding handshake coroutine to carry out the subsequent handshake operations.
The encryption engine mechanism is a set of methods for mounting the invention's own cryptographic scheme onto the user's platform and cryptographic software library in a low-intrusion or zero-intrusion manner. At the architecture level, it provides an asynchronous acceleration service interface as an insertion point that is embedded in the platform's cryptographic data processing flow, migrating cryptographic operations to the back end with a low-intrusion design; at the algorithm level, it encapsulates the computing task as a third-party application entity mounted directly on the user's cryptographic software library, replacing the original cryptographic operations with zero intrusion.
Both levels of the two-level asynchronous parallel mechanism of the present invention build a low-intrusion cluster architecture on the encryption engine mechanism, where the low-intrusion cluster architecture includes platform-level low intrusion and algorithm-level zero intrusion. After a lightweight modification of the original platform, cluster acceleration can be achieved quickly. At the platform layer, the method provides users with a simple, easy-to-use transaction management service interface; embedding it in the platform is enough to mount cluster acceleration on the platform, achieving platform-level low intrusion. At the algorithm layer, it supports encapsulating operations such as coroutine suspension and task distribution as an independent engine mounted on the underlying cryptographic software library, distributing or offloading computing tasks with zero intrusion, so that users obtain cluster acceleration without replacing their existing underlying cryptographic library, achieving algorithm-level zero intrusion.
In this embodiment, the management service interfaces for transaction suspension, wake-up, and task sending and receiving are embedded in the Nginx processing flow, mounting the central management node agent on mainstream reverse proxy software. Since existing Internet platforms widely use the OpenSSL library for cryptographic operations, the method encapsulates coroutine suspension, task distribution and related operations as an independent Engine mounted on OpenSSL, and sends computing tasks to the remote end, or offloads them locally on the remote end, with zero intrusion, so that users obtain cluster acceleration without replacing their existing underlying cryptographic library. The purpose of the OpenSSL Engine mechanism is to let users transparently use third-party software and hardware cryptographic solutions: the solution is mounted on OpenSSL as an Engine, and users call the generic cryptographic interface to transparently use the third-party cryptographic resources and methods.
The cluster cryptographic acceleration device for a general Internet platform provided by the present invention is described below; the device described below and the method described above may be referred to in correspondence with each other.
As shown in FIG. 5, the second embodiment of the present invention further provides a cluster cryptographic acceleration device for a general Internet platform, including:
a cluster composition module 510, used to take the idle cryptographic computing resources of the Internet platform's back-end cluster servers as remote resource nodes, form them into a virtual cryptographic computing cluster, and use the Internet platform front end as the central management node of the virtual cryptographic computing cluster;
a mechanism establishment module 520, used to establish a two-level asynchronous parallel mechanism based on the central management node and the remote resource nodes;
a task scheduling module 530, used to convert the cryptographic operations in the TLS handshake into independent computing tasks through the central management node and to asynchronously schedule the computing tasks to the remote resource nodes according to the two-level asynchronous parallel mechanism;
a task computing module 540, used to asynchronously offload, through the remote resource nodes and according to the two-level asynchronous parallel mechanism, the received computing tasks to the local cryptographic computing resources for asynchronous parallel computation, and to return the computing results to the central management node.
FIG. 6 is a schematic diagram of the physical structure of an electronic device. As shown in FIG. 6, the electronic device may include a processor 610, a communications interface 620, a memory 630 and a communication bus 640, where the processor 610, the communications interface 620 and the memory 630 communicate with one another over the communication bus 640. The processor 610 can invoke the logic instructions in the memory 630 to execute the cluster cryptographic acceleration method for a general Internet platform, the method comprising:
S1: Use the idle cryptographic computing resources of the Internet platform's back-end cluster servers as remote resource nodes to form a virtual cryptographic computing cluster, and use the Internet platform's front end as the central management node of the virtual cryptographic computing cluster.
S2: Establish a two-level asynchronous parallel mechanism across the central management node and the remote resource nodes.
S3: At the central management node, convert the cryptographic operations of the TLS handshake into independent computing tasks and, according to the two-level asynchronous parallel mechanism, schedule those tasks asynchronously to the remote resource nodes.
S4: At the remote resource nodes, according to the two-level asynchronous parallel mechanism, asynchronously offload the received computing tasks to the local cryptographic computing resources for asynchronous parallel computation, and return the computing results to the central management node.
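The exchange between the front end and a remote resource node in steps S3 and S4 (detailed as S3-1 and S3-2 in claim 4 below), as an added example that is not part of the patent and not code from the applicant: each handshake runs as its own coroutine, suspends when it reaches the signing step, the central node turns that step into an independent task and hands it to a remote node's queue, the remote node pushes the task to its local executor and sends the signature back, and the handshake coroutine resumes. Everything concrete here is an assumption: Python's asyncio stands in for the patent's unspecified coroutine mechanism, in-process queues for the network between the front end and the remote encryption processes, a thread executor for the node's local cryptographic resource, a constructed toy RSA key for the server key, and round-robin dispatch for the patent's dynamic load balancing.

```python
"""Added example: coroutine-based offload of the TLS signing step to remote nodes.
Not the patent's code; asyncio, queues, the executor and the toy key are assumptions."""
import asyncio
import hashlib
import itertools

# Constructed toy RSA key (demonstration only, far too small to be secure):
# p = 61, q = 53, n = 3233, phi = 3120, e = 17, d = 2753 (17 * 2753 = 1 mod 3120).
TOY_N, TOY_E, TOY_D = 3233, 17, 2753


def transcript_digest(transcript: bytes) -> int:
    """Hash the handshake transcript and reduce it into the toy key's range."""
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % TOY_N


def rsa_sign(digest: int) -> int:
    """The asymmetric operation that gets offloaded (textbook RSA on the toy key)."""
    return pow(digest, TOY_D, TOY_N)


def rsa_verify(digest: int, signature: int) -> bool:
    return pow(signature, TOY_E, TOY_N) == digest


class CentralNode:
    """Front-end side (first level): turns an asymmetric operation into an independent
    task, places it on a remote node's queue and lets the caller await the result."""

    def __init__(self, remote_queues):
        self._queues = remote_queues
        self._next = itertools.cycle(range(len(remote_queues)))  # round-robin stand-in
        self.inflight = 0       # handshakes currently suspended on a remote result
        self.max_inflight = 0   # evidence that handshakes overlapped, not serialised

    async def offload(self, digest: int) -> int:
        result = asyncio.get_running_loop().create_future()
        self._queues[next(self._next)].put_nowait((digest, result))
        self.inflight += 1
        self.max_inflight = max(self.max_inflight, self.inflight)
        try:
            return await result      # the handshake coroutine is suspended here
        finally:
            self.inflight -= 1


async def remote_node(queue: asyncio.Queue):
    """Back-end side (second level): each received task is handed to the node's local
    crypto resource (a thread executor here) and the result is returned to the caller."""
    loop = asyncio.get_running_loop()
    while True:
        digest, result = await queue.get()
        signature = await loop.run_in_executor(None, rsa_sign, digest)
        result.set_result(signature)
        queue.task_done()


async def handshake(node: CentralNode, client_id: int):
    """One TLS-like handshake as an independent transaction: the signing step suspends
    it, other handshakes keep progressing, and it resumes once the signature arrives."""
    transcript = f"ClientHello/ServerHello for client {client_id}".encode()  # constructed
    digest = transcript_digest(transcript)
    signature = await node.offload(digest)
    # ...the handshake would now send CertificateVerify/Finished with this signature.
    return client_id, digest, signature


async def run_cluster(n_clients: int, n_remote: int = 2):
    queues = [asyncio.Queue() for _ in range(n_remote)]
    workers = [asyncio.create_task(remote_node(q)) for q in queues]
    node = CentralNode(queues)
    results = await asyncio.gather(*(handshake(node, c) for c in range(n_clients)))
    for w in workers:
        w.cancel()
    await asyncio.gather(*workers, return_exceptions=True)
    return {"results": results, "max_inflight": node.max_inflight}


def demo(n_clients: int = 8):
    """Run n_clients concurrent handshakes and report whether every returned signature
    verifies and how many handshakes were suspended on remote work at the same time."""
    out = asyncio.run(run_cluster(n_clients))
    return {
        "completed": len(out["results"]),
        "verified": all(rsa_verify(d, s) for _, d, s in out["results"]),
        "max_inflight": out["max_inflight"],
    }


if __name__ == "__main__":
    print(demo())
```

The property worth checking in a real deployment is the one `max_inflight` records: if it never exceeds 1, the "coroutine" layer is serialising handshakes on the remote round trip and the cluster adds latency without adding throughput. The example also shows where the trust boundary moves: the remote node holds the signing key and the front end only ever sees digests and signatures, so the front-end-to-node channel and the nodes themselves must be protected accordingly, which the patent text does not address.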
In addition, the logic instructions in the memory 630 may be implemented as software functional units and, when sold or used as an independent product, stored on a computer-readable storage medium. On this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, can be embodied as a software product stored on a storage medium and comprising instructions that cause a computer device (a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present invention. The storage medium may be a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium capable of storing program code.
In another aspect, the present invention further provides a computer program product comprising a computer program that can be stored on a non-transitory computer-readable storage medium; when the computer program is executed by a processor, the computer can perform the cluster cryptographic acceleration method for a general Internet platform provided by the methods above, the method comprising:
S1: Use the idle cryptographic computing resources of the Internet platform's back-end cluster servers as remote resource nodes to form a virtual cryptographic computing cluster, and use the Internet platform's front end as the central management node of the virtual cryptographic computing cluster.
S2: Establish a two-level asynchronous parallel mechanism across the central management node and the remote resource nodes.
S3: At the central management node, convert the cryptographic operations of the TLS handshake into independent computing tasks and, according to the two-level asynchronous parallel mechanism, schedule those tasks asynchronously to the remote resource nodes.
S4: At the remote resource nodes, according to the two-level asynchronous parallel mechanism, asynchronously offload the received computing tasks to the local cryptographic computing resources for asynchronous parallel computation, and return the computing results to the central management node.
In yet another aspect, the present invention further provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, performs the cluster cryptographic acceleration method for a general Internet platform provided by the methods above, the method comprising:
S1: Use the idle cryptographic computing resources of the Internet platform's back-end cluster servers as remote resource nodes to form a virtual cryptographic computing cluster, and use the Internet platform's front end as the central management node of the virtual cryptographic computing cluster.
S2: Establish a two-level asynchronous parallel mechanism across the central management node and the remote resource nodes.
S3: At the central management node, convert the cryptographic operations of the TLS handshake into independent computing tasks and, according to the two-level asynchronous parallel mechanism, schedule those tasks asynchronously to the remote resource nodes.
S4: At the remote resource nodes, according to the two-level asynchronous parallel mechanism, asynchronously offload the received computing tasks to the local cryptographic computing resources for asynchronous parallel computation, and return the computing results to the central management node.
Claims (10)
- A cluster cryptographic acceleration method for a general Internet platform, characterized by comprising: S1: using the idle cryptographic computing resources of the Internet platform's back-end cluster servers as remote resource nodes to form a virtual cryptographic computing cluster, and using the Internet platform's front end as the central management node of the virtual cryptographic computing cluster; S2: establishing a two-level asynchronous parallel mechanism across the central management node and the remote resource nodes; S3: at the central management node, converting the cryptographic operations of the TLS handshake into independent computing tasks and, according to the two-level asynchronous parallel mechanism, scheduling the computing tasks asynchronously to the remote resource nodes; S4: at the remote resource nodes, according to the two-level asynchronous parallel mechanism, asynchronously offloading the received computing tasks to the local cryptographic computing resources for asynchronous parallel computation, and returning the computing results to the central management node.
- The cluster cryptographic acceleration method for a general Internet platform according to claim 1, characterized in that the two-level asynchronous parallel mechanism comprises a first-level asynchronous parallel mechanism and a second-level asynchronous parallel mechanism; the first-level asynchronous parallel mechanism is deployed on the central management node and, based on a coroutine mechanism, distributes computing tasks asynchronously and in parallel and, based on an encryption engine mechanism, establishes independent computing tasks for asymmetric cryptographic operations; the second-level asynchronous parallel mechanism is deployed on the remote resource nodes and, based on a coroutine mechanism, offloads computing tasks to the local cryptographic computing resources and, based on an encryption engine mechanism, invokes a third-party cryptographic acceleration solution for asynchronous parallel computation.
- The cluster cryptographic acceleration method for a general Internet platform according to claim 2, characterized in that the encryption engine mechanism is mounted onto the user platform and the cryptographic software library by means of its own encryption scheme.
- The cluster cryptographic acceleration method for a general Internet platform according to claim 3, characterized in that S3 comprises: S3-1: the central management node uses the coroutine mechanism to treat each TLS handshake as an independent transaction and creates a handshake coroutine for it; when the handshake coroutine reaches a point that requires an asymmetric cryptographic operation, the handshake coroutine is suspended and yields its resources to other coroutines or threads, achieving parallel processing; S3-2: at the same time, the central management node uses the encryption engine mechanism to convert the asymmetric cryptographic operation into an independent computing task and distributes it to an encryption process on a remote resource node; after the task result is returned, the handshake coroutine is woken to continue the unfinished handshake transaction.
- The cluster cryptographic acceleration method for a general Internet platform according to claim 3, characterized in that the asynchronous scheduling from the central management node to the remote resource nodes applies a dynamic load balancing algorithm; the dynamic load balancing algorithm is implemented on the basis of the computing task response time combined with a weighting strategy, the computing task response time being the time interval from the central management node issuing a computing task to its receiving the task result; the dynamic load balancing algorithm uses the predicted response time at the next moment as the evaluation value of an encryption process, and the evaluation value is inversely proportional to the weight assigned to it.
- The cluster cryptographic acceleration method for a general Internet platform according to claim 5, characterized in that the evaluation of the computing task response time applies simple exponential smoothing, modelling the prediction for the next moment as an exponentially weighted linear function of the previous observations, with weights that decay as the observations age, expressed as: $y_{T+1|T} = \alpha y_T + \alpha(1-\alpha) y_{T-1} + \alpha(1-\alpha)^2 y_{T-2} + \alpha(1-\alpha)^3 y_{T-3} + \cdots + \alpha(1-\alpha)^{T-T_0} y_{T_0}$, where $y_T$ is the response time observed at the current moment $T$, $y_{T_0}$ is the response time at the initial moment $T_0$, $y_{T+1|T}$ is the predicted response time for the next moment, $y_{T-1}$ is the response time at the previous moment, and $\alpha$ is the smoothing factor, which controls how quickly the weight of earlier response-time values decays as time moves forward.
- The cluster cryptographic acceleration method for a general Internet platform according to claim 1, characterized in that the two-level asynchronous parallel mechanism establishes a low-intrusion cluster architecture on the basis of the encryption engine mechanism, the low-intrusion cluster architecture comprising platform-level low intrusion and algorithm-level zero intrusion.
- A cluster cryptographic acceleration device for a general Internet platform, characterized by comprising: a cluster composition module, used to take the idle cryptographic computing resources of the Internet platform's back-end cluster servers as remote resource nodes to form a virtual cryptographic computing cluster, and to take the Internet platform's front end as the central management node of the virtual cryptographic computing cluster; a mechanism establishment module, used to establish a two-level asynchronous parallel mechanism across the central management node and the remote resource nodes; a task scheduling module, used to have the central management node convert the cryptographic operations of the TLS handshake into independent computing tasks and, according to the two-level asynchronous parallel mechanism, schedule the computing tasks asynchronously to the remote resource nodes; and a task computing module, used to have the remote resource nodes, according to the two-level asynchronous parallel mechanism, asynchronously offload the received computing tasks to the local cryptographic computing resources for asynchronous parallel computation, and return the computing results to the central management node.
- An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that when the processor executes the program it implements the cluster cryptographic acceleration method for a general Internet platform according to any one of claims 1 to 8.
- A non-transitory computer-readable storage medium storing a computer program, characterized in that when the computer program is executed by a processor it implements the cluster cryptographic acceleration method for a general Internet platform according to any one of claims 1 to 8.
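The response-time predictor of claim 6 and the inverse-proportional weighting of claim 5, as an added example that is not part of the patent and not code from the applicant. `ses_predict` evaluates the expanded sum exactly as the claim writes it, `ResponseTimeTracker` keeps the equivalent constant-time recursive update a scheduler would run per encryption process, `allocate` splits a batch of tasks across processes in proportion to the reciprocal of their predicted response times, and `simulate` runs that loop over constructed response-time traces so the shift of load away from a slowing node is visible. The process names, the traces, the largest-remainder rounding and the equal split used before a process has any observation are assumptions; the claims specify none of them.

```python
"""Added example: simple exponential smoothing of task response times and
inverse-proportional weighting of encryption processes. Not the patent's code."""
from fractions import Fraction
from typing import Dict, List, Optional, Sequence


def ses_predict(observations: Sequence[float], alpha: float) -> float:
    """Expanded form of the claim:
    y_{T+1|T} = a*y_T + a(1-a)*y_{T-1} + a(1-a)^2*y_{T-2} + ... + a(1-a)^{T-T0}*y_{T0}.
    observations[0] is y_{T0} (oldest) and observations[-1] is y_T (newest)."""
    if not 0.0 < alpha <= 1.0:
        raise ValueError("alpha must lie in (0, 1]")
    total = 0.0
    for k, y in enumerate(reversed(observations)):  # k = 0 is the newest observation
        total += alpha * (1.0 - alpha) ** k * y
    return total


class ResponseTimeTracker:
    """Per-process tracker using the recursion s_T = a*y_T + (1-a)*s_{T-1}.
    Starting from s = 0 makes it equal to the expanded sum term for term; the
    claim's sum has no separate initial-level term, so no other start would match."""

    def __init__(self, alpha: float):
        self.alpha = alpha
        self.level = 0.0
        self.count = 0

    def observe(self, response_time: float) -> None:
        """response_time is the issue-to-result interval measured at the central node."""
        self.level = self.alpha * response_time + (1.0 - self.alpha) * self.level
        self.count += 1

    def predict(self) -> Optional[float]:
        return self.level if self.count else None  # None: no observation yet


def inverse_weights(predictions: Dict[str, float]) -> Dict[str, float]:
    """Weight each process by 1 / predicted response time, normalised to sum to 1."""
    inv = {name: 1.0 / p for name, p in predictions.items() if p > 0}
    if not inv:
        raise ValueError("no process has a positive response-time prediction")
    total = sum(inv.values())
    return {name: v / total for name, v in inv.items()}


def allocate(predictions: Dict[str, float], n_tasks: int) -> Dict[str, int]:
    """Split n_tasks in proportion to 1 / prediction using exact rational arithmetic
    and largest-remainder rounding (ties broken by name), so results are reproducible."""
    inv = {name: Fraction(1) / Fraction(p) for name, p in predictions.items() if p > 0}
    total = sum(inv.values())
    raw = {name: n_tasks * v / total for name, v in inv.items()}
    alloc = {name: int(r) for name, r in raw.items()}  # floor for positive Fractions
    leftover = n_tasks - sum(alloc.values())
    by_remainder = sorted(raw, key=lambda k: (raw[k] - alloc[k], k), reverse=True)
    for name in by_remainder[:leftover]:
        alloc[name] += 1
    return alloc


def simulate(traces: Dict[str, List[float]], alpha: float, tasks_per_round: int):
    """One scheduling round per trace entry: predict, allocate, then observe the
    (constructed) response time each process actually delivered that round."""
    trackers = {name: ResponseTimeTracker(alpha) for name in traces}
    rounds = len(next(iter(traces.values())))
    history = []
    for r in range(rounds):
        preds = {name: t.predict() for name, t in trackers.items()}
        if any(p is None for p in preds.values()):
            preds = {name: 1.0 for name in preds}  # cold start: equal weights (assumption)
        history.append(allocate(preds, tasks_per_round))
        for name, t in trackers.items():
            t.observe(traces[name][r])
    return history


if __name__ == "__main__":
    # Constructed traces: process B starts as fast as A, then slows down sharply.
    for step, alloc in enumerate(simulate({"A": [10, 10, 10], "B": [10, 50, 50]}, 0.5, 10)):
        print(step, alloc)
```

Two things a practitioner should keep in mind when wiring this into a scheduler: the weight sum $1-(1-\alpha)^{T-T_0+1}$ is below 1 for short histories, so the absolute prediction is biased low at start-up, which is harmless for a purely relative weighting but matters if the same value is used as a timeout; and a process that stops answering produces no new response-time samples, so its prediction freezes at a favourable value and it keeps receiving work unless in-flight or timed-out tasks are fed back as observations.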
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211700532.7 | 2022-12-28 | ||
CN202211700532.7A CN116132420B (en) | 2022-12-28 | 2022-12-28 | Cluster password acceleration method and device for universal Internet platform |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2024139903A1 true WO2024139903A1 (en) | 2024-07-04 |
Family
ID=86302116
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2023/133855 WO2024139903A1 (en) | 2022-12-28 | 2023-11-24 | Cluster cryptographic acceleration method and device for universal internet platform |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN116132420B (en) |
WO (1) | WO2024139903A1 (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116132420B (en) * | 2022-12-28 | 2024-07-12 | 中国互联网络信息中心 | Cluster password acceleration method and device for universal Internet platform |
CN118584547B (en) * | 2024-08-06 | 2024-10-22 | 吉林大学 | Adaptive gain transient electromagnetic receiving system and method based on exponential prediction |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10218682B1 (en) * | 2016-01-19 | 2019-02-26 | Amazon Technologies, Inc. | Secure network protocol cryptographic processing |
CN110071933A (en) * | 2019-04-28 | 2019-07-30 | 深圳前海微众银行股份有限公司 | Secure Socket Layer accelerated method, device, equipment and readable storage medium storing program for executing |
CN110213338A (en) * | 2019-05-09 | 2019-09-06 | 国家计算机网络与信息安全管理中心 | A kind of clustering acceleration calculating method and system based on cryptographic calculation |
CN110324365A (en) * | 2018-03-28 | 2019-10-11 | 网易(杭州)网络有限公司 | Without key front end cluster system, application method, storage medium, electronic device |
CN114172644A (en) * | 2021-12-03 | 2022-03-11 | 三未信安科技股份有限公司 | Method and system for optimizing elliptic curve public key password of PCI (peripheral component interconnect) password card |
CN116132420A (en) * | 2022-12-28 | 2023-05-16 | 中国互联网络信息中心 | Cluster password acceleration method and device for universal Internet platform |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20220006490A (en) * | 2021-12-29 | 2022-01-17 | 케이웨어 (주) | Hybrid cloud resource allocation method for workload dynamic resource placement and optimization performance management |
CN115328645A (en) * | 2022-06-27 | 2022-11-11 | 国网冀北电力有限公司信息通信分公司 | Computing task scheduling method, computing task scheduling device and electronic equipment |
- 2022-12-28: CN CN202211700532.7A, patent/CN116132420B/en, status active
- 2023-11-24: WO PCT/CN2023/133855, patent/WO2024139903A1/en, status unknown
Also Published As
Publication number | Publication date |
---|---|
CN116132420B (en) | 2024-07-12 |
CN116132420A (en) | 2023-05-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2024139903A1 (en) | Cluster cryptographic acceleration method and device for universal internet platform | |
US20210399996A1 (en) | Virtual computing services deployment network | |
US10659371B1 (en) | Managing throttling limits in a distributed system | |
Rath | Resource provision and QoS support with added security for client side applications in cloud computing | |
US11442928B2 (en) | Multi-tenant provider network database connection management and governance | |
US11924326B2 (en) | Blockchain platform service | |
CN107734004A (en) | A kind of high concurrent SiteServer LBS based on Nginx, Redis | |
Rani et al. | An implementation of modified blowfish technique with honey bee behavior optimization for load balancing in cloud system environment | |
CN100440891C (en) | Method for balancing gridding load | |
US9621399B1 (en) | Distributed caching system | |
CN110457337A (en) | Link aggregation method, system and equipment | |
US20230136612A1 (en) | Optimizing concurrent execution using networked processing units | |
US20210232440A1 (en) | Execution of functions by clusters of computing nodes | |
Muthurajkumar et al. | Optimal and energy efficient scheduling techniques for resource management in public cloud networks | |
US11861386B1 (en) | Application gateways in an on-demand network code execution system | |
CN118337786A (en) | Service container scheduling method and system based on Kubernetes under cloud edge cooperation | |
Kadhim et al. | Hybrid load-balancing algorithm for distributed fog computing in internet of things environment | |
CN117573310A (en) | Software service providing method based on decentralization calculation scheduling and execution | |
Islam et al. | An architecture and a dynamic scheduling algorithm of grid for providing security for real‐time data‐intensive applications | |
CN112866395A (en) | Service request processing system and method and computing device | |
Sultan et al. | Challenges of Load Balancing Techniques in Cloud Environment: A Review | |
Wu et al. | Microservices architectural based secure and failure aware task assignment schemes in fog‐cloud assisted Internet of things | |
Yan et al. | Service Differentiation Strategy Based on User Demands for Https Web Servers | |
Lo et al. | An efficient resource allocation scheme for cross-cloud federation | |
Kalele | Time Variant Resource Allocation With Secured Dynamic Priority Weighted Scheduling Process Based On Virtualized Subnet Transmission Support Factor In Cloud Computing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 23909835 Country of ref document: EP Kind code of ref document: A1 |