Detailed explanation of HTTPS encryption protocol: HTTPS performance and optimization

1. HTTPS performance loss

The previous article discussed the principles and advantages of HTTPS: identity authentication, information encryption, integrity verification, etc., without any modifications to the TCP and HTTP protocols. However, adding new protocols to achieve more secure communication will inevitably come at a cost. The performance loss of the HTTPS protocol is mainly reflected in the following:

(1). Increased delay

Looking at the handshake process described earlier, a complete handshake needs at least two round trips between the two ends, so it adds a delay of at least 2*RTT. Even when session caching is used to reuse a session, the added delay is still at least 1*RTT.

(2). Higher CPU consumption

Besides data transmission, HTTPS communication mainly involves symmetric encryption/decryption and asymmetric encryption/decryption (on the server this is chiefly RSA private-key decryption). A stress test on a single core of a TS8 model CPU gives: symmetric encryption with AES-CBC-256, 600 Mbps throughput; asymmetric RSA private-key decryption, 200 operations/s. Ignoring other software-level overhead, a 10G network card needs about 17 CPU cores for symmetric encryption alone, and a 24-core CPU can accept at most 4800 HTTPS connection handshakes per second.

The single-machine HTTP access capacity of a static-node TS8 model with a 10G network card is currently about 100,000 requests/s (10w/s). If all HTTP connections were switched to HTTPS, RSA decryption would clearly become the first bottleneck. RSA decryption capacity is therefore the main problem currently plaguing HTTPS access.

2. HTTPS access optimization

(1). CDN access

The delay that HTTPS adds is mainly transmission delay, i.e. RTT, and RTT shrinks as the node gets closer to the user. A CDN node is naturally the closest to the user, so using the CDN as the entry point for HTTPS access greatly reduces access delay. CDN nodes further cut the delay HTTPS introduces through controllable means such as keeping long-lived connections to the business servers, session reuse, and link quality optimization.

(2). Session cache

Although, as mentioned above, HTTPS still adds at least 1*RTT even with session caching, the delay is at least halved, which is a clear improvement. At the same time, an HTTPS connection established from a cached session does not require the server to perform an RSA private-key decryption to obtain the pre-master secret, which saves CPU. If business access is concentrated and the cache hit rate is high, HTTPS access capacity improves markedly: on the current TRP platform the cache hit rate exceeds 30% at peak, and resources rated for 10k/s access can actually carry 13k/s, a very impressive effect.
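The delay and CPU figures above (2*RTT vs 1*RTT per handshake, 600 Mbps AES and 200 RSA decryptions/s per core, 17 cores for a 10G card, 4800 handshakes/s on 24 cores, and the saving from session-cache hits) can be turned into a small capacity model. The following Python block is an added example, not code from the article; its defaults reproduce the article's TS8 numbers, and the cache-hit term is an idealization that assumes each resumed session saves exactly one RSA private-key operation and nothing else on the box costs CPU, so it will not exactly match the measured 13k/s.

```python
"""Back-of-the-envelope model of the HTTPS costs described in the article.

Added example; not code from the original article. All figures are
parameters. Defaults reproduce the article's TS8 numbers (AES-CBC-256 at
600 Mbps per core, RSA private-key decryption at 200 ops/s per core,
24 cores, 10G NIC).
"""
import math
from dataclasses import dataclass


@dataclass
class NodeProfile:
    cores: int = 24
    rsa_decrypt_per_core: float = 200.0   # RSA private-key decryptions/s per core
    aes_mbps_per_core: float = 600.0      # AES-CBC-256 throughput per core (Mbps)
    nic_gbps: float = 10.0                # line rate the node must encrypt/decrypt


def cores_for_symmetric_crypto(p: NodeProfile) -> int:
    """Cores needed to run AES at full NIC line rate (10G / 600M -> 17)."""
    return math.ceil(p.nic_gbps * 1000 / p.aes_mbps_per_core)


def max_full_handshakes_per_s(p: NodeProfile, cache_hit_rate: float = 0.0) -> float:
    """New HTTPS connections/s the node can accept, bounded by RSA decryption.

    A resumed session (cache hit) skips the private-key decryption of the
    pre-master secret, so only the cache misses cost an RSA operation.
    """
    if not 0.0 <= cache_hit_rate < 1.0:
        raise ValueError("cache_hit_rate must be in [0, 1)")
    rsa_ops_per_s = p.cores * p.rsa_decrypt_per_core
    return rsa_ops_per_s / (1.0 - cache_hit_rate)


def mean_handshake_delay_ms(rtt_ms: float, cache_hit_rate: float = 0.0) -> float:
    """Expected handshake delay: 2*RTT for a full handshake, 1*RTT when resumed."""
    if not 0.0 <= cache_hit_rate <= 1.0:
        raise ValueError("cache_hit_rate must be in [0, 1]")
    return (1.0 - cache_hit_rate) * 2.0 * rtt_ms + cache_hit_rate * 1.0 * rtt_ms


def first_bottleneck(p: NodeProfile, new_conn_per_s: float,
                     cache_hit_rate: float = 0.0) -> str:
    """Which resource gives out first when an HTTP node is switched to HTTPS.

    The article sizes the two CPU budgets independently (symmetric crypto
    against the NIC, RSA against the connection rate); so does this model.
    """
    if new_conn_per_s > max_full_handshakes_per_s(p, cache_hit_rate):
        return "rsa"
    if cores_for_symmetric_crypto(p) > p.cores:
        return "aes"
    return "none"


if __name__ == "__main__":
    ts8 = NodeProfile()
    print("cores for AES at 10G:", cores_for_symmetric_crypto(ts8))
    print("RSA-bound connections/s:", max_full_handshakes_per_s(ts8))
    print("with 30% session-cache hits:", max_full_handshakes_per_s(ts8, 0.3))
    print("bottleneck at 100k conn/s:", first_bottleneck(ts8, 100_000))
    print("mean handshake delay, 100 ms RTT, 30% hits:",
          mean_handshake_delay_ms(100, 0.3))
```

Running it with the defaults shows the article's conclusion directly: at 100k connections/s the RSA budget (4800/s) is exhausted long before the AES budget, and raising the session-cache hit rate stretches that RSA budget by 1/(1 - hit rate) while halving the handshake delay on every hit.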

(3). Hardware acceleration

Fit the access server with a dedicated SSL hardware accelerator card. Like a GPU, it offloads work from the CPU, giving the server higher HTTPS access capacity without affecting the business programs. Testing showed that a single accelerator card provides 35k decryptions/s, equivalent to a 175-core CPU, i.e. at least seven 24-core servers. Taking into account the cost of the other programs running on an access server, one hardware card delivers the access capacity of close to 10 servers.

(4). Remote decryption

Decrypting locally consumes too much CPU and leaves resources such as the network card and hard disks under-utilized, so consider moving the most CPU-intensive task, the RSA decryption, to other servers. This lets the access server's capacity be fully used, along with its bandwidth and network card. The remote decryption server can be a machine with a low CPU load, so that machine resources are reused, or a specially optimized server with high computing performance. This is currently one of the CDN's solutions for large-scale HTTPS access.
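The remote-decryption split described above can be sketched as two roles: an access (edge) server that terminates TLS but never holds the private key, and a key server that performs the single private-key operation of an RSA handshake, decrypting the client's pre-master secret. The Python block below is an added illustration, not code from the article or from any CDN. The RSA key is a textbook toy (p=61, q=53) so the block runs without third-party libraries and is not secure; the HMAC-tagged request, the edge identifiers, the per-key-server operation budget and the simplified session cache are all constructed here and stand in for the mutually authenticated channel, enrolment and caching a real deployment would have.

```python
"""Remote (off-box) RSA decryption split: edge terminates TLS, key server
holds the private exponent. Added example, not from the article.

Toy RSA parameters are constructed for illustration only.
"""
import hashlib
import hmac
import secrets

# --- toy RSA parameters (constructed; far too small for real use) ---
N = 61 * 53          # 3233
E = 17
D = 2753             # 17 * 2753 = 46801 = 1 (mod lcm(60, 52) = 780)


def request_tag(secret: bytes, edge_id: str, ciphertext: int) -> bytes:
    """Authenticate a decryption request so only enrolled edges can use the key.

    Stand-in for the mutually authenticated TLS a real deployment would use
    between edge and key server.
    """
    msg = f"{edge_id}:{ciphertext}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class KeyServer:
    """Holds the private exponent; returns decryption results, never the key."""

    def __init__(self, edge_secrets: dict, max_ops: int):
        self._d = D                         # private exponent never leaves here
        self._edge_secrets = edge_secrets   # edge_id -> shared request-auth key
        self._max_ops = max_ops             # coarse budget against runaway use
        self.ops_served = 0

    def decrypt_premaster(self, edge_id: str, ciphertext: int, tag: bytes) -> int:
        secret = self._edge_secrets.get(edge_id)
        if secret is None:
            raise PermissionError("unknown edge")
        expected = request_tag(secret, edge_id, ciphertext)
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("bad request tag")
        if self.ops_served >= self._max_ops:
            raise RuntimeError("decryption budget exhausted")
        self.ops_served += 1
        return pow(ciphertext, self._d, N)


class EdgeServer:
    """Terminates TLS with only the public key; forwards private-key work."""

    def __init__(self, edge_id: str, secret: bytes, key_server: KeyServer):
        self.edge_id = edge_id
        self._secret = secret
        self._key_server = key_server
        self.session_cache = {}   # session_id -> pre-master (simplified cache)

    def handshake(self, session_id: bytes, client_ciphertext: int = None) -> int:
        # Cache hit: resumed session, no ClientKeyExchange and no remote RSA call.
        if session_id in self.session_cache:
            return self.session_cache[session_id]
        if client_ciphertext is None:
            raise ValueError("full handshake needs the encrypted pre-master")
        tag = request_tag(self._secret, self.edge_id, client_ciphertext)
        premaster = self._key_server.decrypt_premaster(
            self.edge_id, client_ciphertext, tag)
        self.session_cache[session_id] = premaster
        return premaster


def client_key_exchange(premaster: int) -> int:
    """Client side: encrypt the pre-master secret under the server's public key."""
    if not 0 < premaster < N:
        raise ValueError("toy modulus too small for this value")
    return pow(premaster, E, N)


def demo():
    """One full handshake, then a resumption; returns (pm1, pm2, RSA ops used)."""
    shared = secrets.token_bytes(32)
    ks = KeyServer({"edge-1": shared}, max_ops=100)
    edge = EdgeServer("edge-1", shared, ks)
    sid, pm = b"sess-1", 1234
    first = edge.handshake(sid, client_key_exchange(pm))
    second = edge.handshake(sid)            # served from the session cache
    return first, second, ks.ops_served


if __name__ == "__main__":
    print(demo())   # (1234, 1234, 1)
```

Two properties of this layout carry over to the real thing: the edge process never has the private key in memory, so compromising an access node yields only the public certificate, and the key server is the one place where decryption requests can be authenticated, counted and alerted on. Combined with the session cache from section (2), the key server is only consulted on cache misses, which is what keeps the remote call off the hot path.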

(5). SPDY/HTTP2

The methods above improve HTTPS access performance by reducing transmission delay and single-machine load respectively, but all of them are optimizations that leave the HTTP protocol untouched. SPDY/HTTP2 builds on the advantages TLS/SSL brings and changes the protocol itself to improve HTTPS performance, raise download speed, and so on.

Origin blog.csdn.net/WoTrusCA/article/details/132734211