密码服务资源按需高效调度方案

doi:10.11959/j.issn.1000-436x.2022092

通信学报 ›› 2022, Vol. 43 ›› Issue (6): 108-118.doi: 10.11959/j.issn.1000-436x.2022092

密码服务资源按需高效调度方案

寇文龙¹^,², 张宇阳¹, 李凤华¹^,²^,³, 曹晓刚²^,³, 李佳旻¹, 王竹²^,³, 耿魁²

¹ 西安电子科技大学网络与信息安全学院，陕西西安 710071
² 中国科学院信息工程研究所，北京100093
³ 中国科学院大学网络空间安全学院，北京 100049

修回日期:2022-03-12 出版日期:2022-06-01 发布日期:2022-06-01
作者简介:寇文龙（1990- ），男，河南许昌人，西安电子科技大学博士生，主要研究方向为信息安全
张宇阳（1995- ），男，山东淄博人，西安电子科技大学硕士生，主要研究方向为电子与通信工程
李凤华（1966- ），男，湖北浠水人，博士，中国科学院信息工程研究所研究员、博士生导师，主要研究方向为网络与系统安全、信息保护、隐私计算
曹晓刚（1996- ），男，河北邢台人，中国科学院信息工程研究所博士生，主要研究方向为信息安全
李佳旻（1993- ），男，山西吕梁人，西安电子科技大学博士生，主要研究方向为隐私计算、机器学习、联邦学习
王竹（1972- ），女，山西太原人，博士，中国科学院信息工程研究所研究员，主要研究方向为密码理论与技术、安全协议
耿魁（1989- ），男，湖北红安人，博士，中国科学院信息工程研究所高级工程师、硕士生导师，主要研究方向为网络安全、信息保护
基金资助:
国家重点研发计划基金资助项目(2018YFB0803903);陕西省重点研发计划基金资助项目(2019ZDLGY12-09)

On-demand and efficient scheduling scheme for cryptographic service resource

Wenlong KOU¹^,², Yuyang ZHANG¹, Fenghua LI¹^,²^,³, Xiaogang CAO²^,³, Jiamin LI¹, Zhu WANG²^,³, Kui GENG²

¹ School of Cyber Engineering, Xidian University, Xi’an 710071, China
² Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
³ School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China

Revised:2022-03-12 Online:2022-06-01 Published:2022-06-01
Supported by:
The National Key Research and Development Program of China(2018YFB0803903);The Key Research and Development Program of Shannxi Province(2019ZDLGY12-09)

摘要/Abstract

摘要：

目的：网络技术的普及使得越来越多的企业和个人加入到互联网的浪潮中，数据呈现出爆炸式的指数级增长趋势。数据安全传输和细粒度认证需求的日益增长，各类应用对密码服务的使用愈发频繁，如何处理随机交叉且峰值差异大的密码服务请求逐渐成为制约各种网络安全应用的瓶颈问题。本文提出密码服务调度系统模型，探索密码服务资源的差异化动态按需调度。

方法：利用优化熵值法和密码资源重构技术，为接入服务体系的用户和设备提供动态可扩展的密码服务资源。首先，提出密码设备服务能力评价方法，通过获取密码设备的密码资源使用率、网络吞吐率等运行状态信息，采用优化熵值法对数据进行处理，结合密码设备的密码资源配置，对密码设备提供的密码服务能力进行描述，为密码作业调度提供支撑。进而，提出了按需高效的密码作业调度策略，提出密码服务请求期望，通过计算密码设备的负载距离来判断是否满足密码服务需求，以此来生成密码作业调度策略。此外，还可以根据调度算法需要对密码设备进行重构，适应密码服务在服务质量、服务效率等方面的差异化需求。

结果：实验采用增强型负载均衡Min-Min算法、动态一致性哈希的集群负载均衡算法和本文所提调度算法作对比，通过发送密码服务请求的方式，分别测试3种调度算法的密码作业最大完成时间、单位时间可服务请求数量和现场可编程门阵列（FPGA,field programmable gate array）密码计算单元平均负载。从图7中可以看出，在密码服务请求数量较少时，3种调度算法的差异不太明显，但是随着密码服务请求数量的增加，FPGA计算单元的负载逐渐增大，另外两种调度算法由于不考虑密码作业迁移和FPGA计算单元动态配置，密码作业排队时间增加显著，与本文调度算法的差距越来越大。从图8中可以看出，在密码服务请求数量较少时，3种调度算法的差异不太明显，都能够满足大部分的密码服务请求，但是随着密码服务请求数量的增加，3种调度算法的单位时间可服务请求数量均达到峰值，由于本文调度算法实现了密码作业迁移和FPGA计算单元动态配置，使单位时间可服务请求数量要高于另外两种调度算法。从图9中可以看出，本文调度算法在尽量减少密码作业迁移和FPGA计算单元重构的前提下，将密码作业优先调度到同一个FPGA计算单元，因此在密码服务请求数量较少时只有一个FPGA计算单元有负载，并且随着密码服务请求数量的增加，同时工作的FPGA计算单元数量也随之增加。从图10~图11中可以看出，其他2种算法的FPGA负载相对比较均衡，在密码服务请求数量较大的情况下，每个FPGA的负载均较高，当新的密码服务请求到来时，由于不考虑密码作业迁移和FPGA计算单元动态配置，FPGA计算单元剩余计算能力不足以满足密码服务需求。

结论：本文提出了一种高效的密码服务资源按需调度方案。通过使用基于优化熵值法的密码设备归一化评价模型实现对密码服务能力的描述和动态监测；同时，提出适用不同需求的密码作业调度策略，并结合密码资源重构策略，实现对密码资源的差异化配置与调度；实现了将动态可扩展的密码服务资源提供给任何接入服务体系的用户和设备。

关键词: 密码资源, 按需调度, 高吞吐量, 评价模型

Abstract:

Objective: The popularity of network technology makes more and more enterprises and individuals join the wave of the Internet, and data presents an explosive exponential growth trend.With the increasing demand for data security transmission and fine-grained authentication, the use of cryptographic services in various applications is becoming more frequent. How to deal with random cross and large peak difference cryptographic service requests has gradually become a bottleneck problem restricting various network security applications.A model of cryptographic service scheduling system is proposed to explore the differential dynamic on-demand scheduling of cryptographic service resources.

Methods: Optimized entropy method and cryptographic resource reconstruction technology were used to provide dynamic and extensible cryptographic service resources for users and devices accessing service system. Firstly, the evaluation method of cryptographic device service ability is proposed. By obtaining the operating state information such as the utilization rate of cryptographic resources and network throughput of cryptographic devices,the optimized entropy method is used to process the data. Combined with the cryptographic resource allocation of cryptographic devices, the cryptographic service ability provided by cryptographic devices is described,which provides support for cryptographic job scheduling.Then, an efficient on-demand cryptographic job scheduling strategy is proposed, and the cryptographic service request expectation is proposed. By calculating the load distance of the cryptographic device to determine whether to meet the requirements of the cryptographic service, the cryptographic job scheduling strategy is generated. In addition,the cryptographic devices can be reconstructed according to the scheduling algorithm to meet the differentiated needs of cryptographic services in terms of service quality and service efficiency.

Results:The enhanced Min-Min load balancing algorithm,the cluster load balancing algorithm based on dynamic consistent hashing and the proposed on-demand scheduling algorithm are used for comparison. By sending cryptographic service requests, the maximum completion time of cryptographic operations, the number of serviceable requests per unit time and the average load of FPGA(field programmable gate array)cryptographic computing unit of the three scheduling algorithms are tested respectively.Fig.7 shows that when the number of cryptographic service requests is small,the difference among the three scheduling algorithms is not obvious.However, with the increase of the number of cryptographic service requests,the load of FPGA computing unit gradually increases. The other two scheduling algorithms do not consider the migration of cryptographic jobs and the dynamic configuration of FPGA computing unit, and the queuing time of cryptographic jobs increases significantly, and the gap between the other two scheduling algorithms and the on-demand scheduling algorithm is getting bigger and bigger.Fig.8 shows that when the number of cryptographic service requests is small, the difference of the three scheduling algorithms is not obvious,which can meet most of the cryptographic service requests. However, with the increase of the number of cryptographic service requests, the number of service requests per unit time of the three scheduling algorithms reaches the peak.Because the on-demand scheduling algorithm realizes the cryptographic job migration and the dynamic configuration of FPGA computing units, the number of service requests per unit time is higher than the other two scheduling algorithms.Fig. 9 shows that under the premise of minimizing the migration of cryptographic operations and the reconstruction of FPGA computing units, the on-demand scheduling algorithm prioritizes the cryptographic operations to the same FPGA computing unit.Therefore,only one FPGA computing unit has load when the number of cryptographic service requests is small, and with the increase of the number of cryptographic service requests, the number of FPGA computing units working also increases. Figs. 10 – 11 show that the FPGA load of the other two algorithms is relatively balanced.When the number of cryptographic service requests is large, the load of each FPGA is high.When the new cryptographic service request arrives,the residual calculation ability of FPGA calculation unit is insufficient to meet the cryptographic service demand because the migration of cryptographic jobs and the dynamic configuration of FPGA calculation unit are not considered.

Conclusions: An efficient on-demand scheduling scheme for cryptographic service resources is proposed. The description and dynamic monitoring of cryptographic service capability are realized by using the normalized evaluation model of cryptographic devices based on optimized entropy method. At the same time, a cryptographic job scheduling strategy suitable for different requirements is proposed, and combined with the cryptographic resource reconstruction strategy,the differential configuration and scheduling of cryptographic resources are realized. The dynamic and extensible cryptographic service resources are provided to users and devices of any access service system.

Key words: cryptographic resource, demand-based resource scheduling, high throughput, evaluation model

中图分类号:

TN92

寇文龙, 张宇阳, 李凤华, 曹晓刚, 李佳旻, 王竹, 耿魁. 密码服务资源按需高效调度方案[J]. 通信学报, 2022, 43(6): 108-118.

Wenlong KOU, Yuyang ZHANG, Fenghua LI, Xiaogang CAO, Jiamin LI, Zhu WANG, Kui GENG. On-demand and efficient scheduling scheme for cryptographic service resource[J]. Journal on Communications, 2022, 43(6): 108-118.

图/表 13

图1

图2

图3

图4

图5

图6

表1

表2

图7

图8

图9

图10

图11

参考文献 19

[1]	IBM. Cost of a data breach report 2021[R]. 2022.
[2]	万佳. Facebook新漏洞：4.19亿用户手机号码可公开访问，或遭遇重大安全风险[EB]. 2019.
[3]	云数据安全. 云上密码应用最佳实践[EB]. 2020.
[4]	焦扬, 陈喆, 梁员宁 ,等. 基于马尔可夫过程的云服务组合QoS量化评估方法研究[J]. 计算机科学, 2015,42(9): 127-133.
	JIAO Y , CHEN Z , LIANG Y N ,et al. Research on QoS quantitative evaluation method of cloud service composition based on Markov process[J]. Computer Science, 2015,42(9): 127-133.
[5]	WANG Y B , WEN J H , WANG X B ,et al. Cloud service evaluation model based on trust and privacy-aware[J]. Optik, 2017,134: 269-279.
[6]	JIANG W X , GU C Z , WU J J . A quality-of-service evaluation method based on the cloud model for routing protocols in wireless sensor network[J]. International Journal of Distributed Sensor Networks. 2017:doi.org/10.1177/1550147717731247.
[7]	林闯, 胡杰, 孔祥震 . 用户体验质量(QoE)的模型与评价方法综述[J]. 计算机学报, 2012,35(1): 1-15.
	LIN C , HU J , KONG X Z . Survey on models and evaluation of quality of experience[J]. Chinese Journal of Computers, 2012,35(1): 1-15.
[8]	阳小兰, 钱程, 朱福喜 . 基于云计算的大数据服务资源评价方法[J]. 计算机科学, 2018,45(5): 295-299.
	YANG X L , QIAN C , ZHU F X . Evaluation method of big data service resources based on cloud computing[J]. Computer Science, 2018,45(5): 295-299.
[9]	LI M F , LEE C Y . A cost-effective and real-time QoE evaluation method for multimedia streaming services[J]. Telecommunication Systems, 2015,59(3): 317-327.
[10]	SONG J R , YANG F Z , ZHOU Y C ,et al. QoE evaluation of multimedia services based on audiovisual quality and user interest[J]. IEEE Transactions on Multimedia, 2016,18(3): 444-457.
[11]	PRASSANNA J , VENKATARAMAN N . Threshold based multi-objective memetic optimized round robin scheduling for resource efficient load balancing in cloud[J]. Mobile Networks and Applications, 2019,24(4): 1214-1225.
[12]	PATEL G , MEHTA R , BHOI U . Enhanced load balanced Min-Min algorithm for static meta task scheduling in cloud computing[J]. Procedia Computer Science, 2015,57: 545-553.
[13]	GRANDL R , CHOWDHURY M , AKELLA A ,et al. Altruistic scheduling in multi-resource clusters[C]// Proceedings of the 12th USENIX Conference on Operating Systems Design and Implementation. Berkeley:USENIX Association, 2016: 65-80.
[14]	苏命峰, 王国军, 李仁发 . 基于利益相关视角的多维QoS云资源调度方法[J]. 通信学报, 2019,40(6): 102-115.
	SU M F , WANG G J , LI R F . Multidimensional QoS cloud computing resource scheduling method based on stakeholder perspective[J]. Journal on Communications, 2019,40(6): 102-115.
[15]	马小晋, 许华虎, 卞敏捷 ,等. 基于改进模拟退火算法的虚拟机调度优化方法[J]. 通信学报, 2018,39(S1): 278-287.
	MA X J , XU H H , BIAN M J ,et al. Virtual machine scheduling optimization method based on improved simulated annealing algorithm[J]. Journal on Communications, 2018,39(S1): 278-287.
[16]	JANA B , CHAKRABORTY M , MANDAL T . A task scheduling technique based on particle swarm optimization algorithm in cloud environment[C]// Soft Computing:Theories and Applications. Berlin:Springer, 2019: 525-536.
[17]	JIANG X M , YANG H M , YANG Y ,et al. Cluster load balancing algorithm based on dynamic consistent hash[J]. Journal of Intelligent＆ Fuzzy Systems, 2021,41(3): 4461-4468.
[18]	李莉, 史国振, 耿魁 ,等. 基于负载均衡的随机作业流密码服务调度算法[J]. 通信学报, 2018,39(6): 11-19.
	LI L , SHI G Z , GENG K ,et al. Scheduling algorithm for stochastic job stream cipher service based on load balancing[J]. Journal on Communications, 2018,39(6): 11-19.
[19]	LI F L , JI H F , ZHOU H W ,et al. A cryptographic resource management framework and dynamic migration method based on virtualization[C]// Proceedings of 2021 7th International Conference on Computer and Communications (ICCC). Piscataway:IEEE Press, 2021: 560-564.

配置	SM2 IP核/个	SM3 IP核/个	SM4 IP核/个
配置A	4	3	1
配置B	6	1	1
配置C	0	8	1

配置	SM2签名性能/（次·秒^-1）	SM2验签性能/（次·秒^-1）	SM3哈希性能/(Gbit·s^-1)	SM4ECB性能/(Gbit·s^-1)
单核性能	5 000	2 000	1.0	7.0
配置A	20 000	8 000	3.0	7.0
配置B	30 000	12 000	1.0	7.0
配置C	0	0	7.0	7.0

密码服务资源按需高效调度方案

On-demand and efficient scheduling scheme for cryptographic service resource

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 13

参考文献 19

相关文章 2

Metrics

推荐阅读 0

[1]	葛文堂，张兆心，李斌. 基于模拟运行时间的拓扑划分评价模型[J]. 通信学报, 2013, 34(6): 15-127.
[2]	葛文堂,张兆心,李斌. 基于模拟运行时间的拓扑划分评价模型[J]. 通信学报, 2013, 34(6): 122-127.