Security service calling method and security service calling system

Document No.: 1478682 Publication date: 2020-02-25

Reading note: this technology, Security service calling method and security service calling system, was designed by 滕志章 on 2019-10-25. Main content: The application discloses a security service calling method and a security service calling system. The method comprises: when a service system wants to send a data processing request to an encryption machine proxy system, the service system acquires a pre-established target first TCP connection from a first connection pool, the first connection pool being arranged in the service system; the service system sends the data processing request to the encryption machine proxy system based on the target first TCP connection, wherein the data processing request comprises data to be processed; the encryption machine proxy system acquires a pre-established target second TCP connection from a second connection pool, the second connection pool being arranged in the encryption machine proxy system; and the encryption machine proxy system sends the data to be processed to the corresponding target encryption machine based on the target second TCP connection, so that the target encryption machine performs calculation processing on the data to be processed. The method can reduce the overall communication time and reuse the TCP connections between the encryption machine proxy and the encryption machine, thereby improving the performance of the encryption machine proxy.

1. A security service invocation method, characterized by comprising the steps of:

when a service system wants to send a data processing request to an encryption machine proxy system, the service system acquires a pre-established target first TCP connection from a first connection pool; the first connection pool is arranged in the service system;

the business system sends the data processing request to the encryption machine proxy system based on the target first TCP connection, wherein the data processing request comprises data to be processed;

the encryption machine proxy system acquires a pre-established target second TCP connection from a second connection pool; the second connection pool is arranged in the encryption machine proxy system;

and the encryption machine proxy system sends the data to be processed to a corresponding target encryption machine based on the target second TCP connection, so that the target encryption machine performs calculation processing on the data to be processed.

2. The method of claim 1, wherein before the service system is to send a data processing request to the encryptor proxy system, the method further comprises:

pre-establishing a first TCP connection between the service system and the encryption machine proxy system;

putting the pre-established first TCP connection into the first connection pool on the service system for management;

pre-establishing a plurality of second TCP connections between the encryption machine proxy system and a plurality of encryption machines;

and putting the pre-established second TCP connections into the second connection pool on the encryption machine proxy system for management.

3. The method of claim 1, wherein the service system obtaining a pre-established target first TCP connection from a first connection pool comprises:

determining, by the first connection pool, a first TCP connection in an idle state in the first connection pool;

and selecting one of the first TCP connections in the idle state as the target first TCP connection.

4. The method of claim 1, wherein the data processing request further includes identification information of a target encryption engine; the method for acquiring the pre-established target second TCP connection from the second connection pool by the encryption machine proxy system comprises the following steps:

and the encryption machine proxy system acquires a target second TCP connection between the encryption machine proxy system and the target encryption machine from the second connection pool according to the identification information in the data processing request.

5. The method according to any one of claims 1 to 4, wherein after the target encryption engine performs calculation processing on the data to be processed, the method further comprises:

the target encryption machine returns the response data of the calculation processing result to the encryption machine proxy system through the target second TCP connection;

when the encryption machine proxy system receives response data returned by the target encryption machine, returning the target second TCP connection to the second connection pool, and returning the response data to the service system through the target first TCP connection;

and when receiving response data returned by the encryption machine proxy system, the service system returns the target first TCP connection to the first connection pool.

6. A secure service invocation system, comprising: a service system, an encryptor proxy system and an encryptor, wherein,

the service system is used for acquiring a pre-established target first TCP connection from a first connection pool when a data processing request is to be sent to the encryption machine proxy system, and sending the data processing request to the encryption machine proxy system based on the first TCP connection; the first connection pool is arranged in the service system; the data processing request comprises data to be processed;

the encryption machine proxy system is used for acquiring a pre-established target second TCP connection from a second connection pool and sending the data to be processed to a corresponding target encryption machine based on the target second TCP connection so that the target encryption machine carries out calculation processing on the data to be processed; and the second connection pool is arranged in the encryption machine proxy system.

7. The system of claim 6,

the service system is further configured to pre-establish a first TCP connection between the service system and the encryption machine proxy system before a data processing request is to be sent to the encryption machine proxy system, and place the pre-established first TCP connection into the first connection pool on the service system for management;

the encryption machine agent system is also used for pre-establishing a plurality of second TCP connections between the encryption machine agent system and a plurality of encryption machines and putting the pre-established second TCP connections into the second connection pool on the encryption machine agent system for management.

8. The system of claim 6, wherein the business system is specifically configured to:

determining, by the first connection pool, a first TCP connection in an idle state in the first connection pool;

and selecting one of the first TCP connections in the idle state as the target first TCP connection.

9. The system of claim 6, wherein the data processing request further includes identification information of a target encryption engine; the encryption machine proxy system is specifically configured to:

and acquiring a target second TCP connection between the encryption machine proxy system and the target encryption machine from the second connection pool according to the identification information in the data processing request.

10. The system according to any one of claims 6 to 9,

the target encryption machine is used for returning response data of a calculation processing result to the encryption machine proxy system through the target second TCP connection after the calculation processing is carried out on the data to be processed;

the encryption machine proxy system is further configured to return the target second TCP connection to the second connection pool and return the response data to the service system through the target first TCP connection when receiving response data returned by the target encryption machine;

and the service system is further used for returning the target first TCP connection to the first connection pool when response data returned by the encryption machine proxy system is received.

Technical Field

The present application relates to the field of data processing technologies, and in particular, to a security service invoking method and a security service invoking system.

Background

The encryption machine proxy system is a function and service proxy layer in front of the encryption machine hardware. As shown in fig. 1, the encryption machine proxy system adapts to the proprietary protocols of different encryption machine manufacturers and provides each business group with a general, vendor-neutral interface, which simplifies the way the business system calls security services and removes the business system's dependence on the encryption machine of a specific manufacturer.

Security service invocation (such as data encryption and decryption, digital signing and signature verification) is a basic security requirement: when interacting with other external systems, the business system must sign and verify messages and encrypt and decrypt the sensitive information they carry. Digital signature technology is used to verify the source of a request message and prevent repudiation, which addresses the trustworthiness of data. Encryption and decryption technology is used to prevent theft during communication and after storage, which addresses the confidentiality of data. The business system sits at the transaction transfer point between the payment institution and the bank, and a normal transaction generally involves the following steps: verifying the signature of the message from the payment institution, decrypting the sensitive information in the message, encrypting the sensitive information, and signing the message sent to the bank. A single transaction therefore makes multiple security calls, so the encryption machine and the encryption machine proxy system should be able to provide several times the concurrent access and throughput capacity of each business system. Because the encryption machine proxy system sits between the business system and the encryption machine, it adds a hop to the call chain; reducing by technical means, as far as possible, the extra transaction time introduced by the proxy layer is therefore of great benefit.

Disclosure of Invention

The object of the present application is to solve at least to some extent one of the above mentioned technical problems.

To this end, a first object of the present application is to provide a secure service invocation method. By avoiding establishing a TCP connection for every call, the method greatly reduces the overall communication time and reuses the TCP connections between the encryption machine proxy and the encryption machine, thereby improving the performance of the encryption machine proxy.

A second object of the present application is to provide a secure service invocation system.

In order to achieve the above object, an embodiment of the first aspect of the present application provides a security service invoking method, including: when a service system wants to send a data processing request to an encryption machine proxy system, the service system acquires a pre-established target first TCP connection from a first connection pool; the first connection pool is arranged in the service system; the business system sends the data processing request to the encryption machine proxy system based on the target first TCP connection, wherein the data processing request comprises data to be processed; the encryption machine proxy system acquires a pre-established target second TCP connection from a second connection pool; the second connection pool is arranged in the encryption machine proxy system; and the encryption machine proxy system sends the data to be processed to a corresponding target encryption machine based on the target second TCP connection, so that the target encryption machine performs calculation processing on the data to be processed.

The embodiment of the second aspect of the present application provides a security service invoking system, including: a service system, an encryption machine proxy system and an encryption machine, wherein the service system is used for acquiring a pre-established target first TCP connection from a first connection pool when a data processing request is to be sent to the encryption machine proxy system, and sending the data processing request to the encryption machine proxy system based on the first TCP connection; the first connection pool is arranged in the service system; the data processing request comprises data to be processed; the encryption machine proxy system is used for acquiring a pre-established target second TCP connection from a second connection pool and sending the data to be processed to a corresponding target encryption machine based on the target second TCP connection so that the target encryption machine carries out calculation processing on the data to be processed; and the second connection pool is arranged in the encryption machine proxy system.

According to the security service calling method and system, when a business system wants to send a data processing request to an encryption machine proxy system, the business system obtains a pre-established target first TCP connection from a first connection pool and sends the data processing request, which comprises the data to be processed, to the encryption machine proxy system over that connection; the encryption machine proxy system obtains a pre-established target second TCP connection from a second connection pool and sends the data to be processed over it to the corresponding target encryption machine, so that the target encryption machine performs calculation processing on the data to be processed. That is, connection pool technology is used to place the pre-established TCP connections from the business system to the encryption machine proxy system, and from the encryption machine proxy system to the encryption machine, into their respective connection pools for management, and the corresponding connection is obtained from the corresponding pool before each send. Establishing a TCP connection, as in the prior art, takes on the order of milliseconds, whereas obtaining a connection from the connection pool is a local method call that takes on the order of nanoseconds. By avoiding establishing a TCP connection for every call, the overall communication time is greatly reduced and the TCP connections between the encryption machine proxy and the encryption machine are reused, which improves the performance of the encryption machine proxy.

Additional aspects and advantages of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.

Drawings

The above and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:

FIG. 1 is a diagram illustrating a connection relationship between a proxy system of an encryption engine and a service system and an encryption engine in the prior art;

FIG. 2 is a diagram of an example of data interaction of a secure service invocation system in the prior art;

FIG. 3 is a diagram illustrating the establishment of a client-to-server TCP connection according to the prior art;

FIG. 4 is a diagram illustrating the closing of a client-to-server TCP connection according to the prior art;

FIG. 5 is a flow diagram of a secure service invocation method according to one embodiment of the present application;

FIG. 6 is a flow diagram of a security service invocation method according to another embodiment of the present application;

FIG. 7 is an interaction flow diagram of a secure service invocation system according to one embodiment of the present application;

FIG. 8 is a schematic structural diagram of a secure service invocation system according to an embodiment of the present application.

Detailed Description

Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary and intended to be used for explaining the present application and should not be construed as limiting the present application.

It should be noted that existing service systems and encryption machine proxy systems, and encryption machine proxy systems and encryption machines, generally communicate over TCP: the first step is to establish a TCP connection between the two communicating parties, which requires a three-way handshake, and data is transmitted over the connection once it is established. For example, as shown in fig. 2, a security service call to the encryption machine through the encryption machine proxy system can be divided into the following steps: 1) the service system establishes a TCP connection to the encryption machine proxy system; 2) the service system sends data to the encryption machine proxy system over the connection; 3) the encryption machine proxy system establishes a TCP connection to the encryption machine; 4) the encryption machine proxy system sends the data to the encryption machine; 5) the encryption machine performs calculation processing on the data; 6) the encryption machine returns the calculated result to the encryption machine proxy system; 7) the encryption machine proxy system closes the TCP connection to the encryption machine after receiving the data; 8) the encryption machine proxy system transmits the result to the service system; 9) the service system closes the connection to the encryption machine proxy system after receiving the result.

It can be seen that the long TCP connection is established before each communication between the nodes, and disconnected after the communication is completed. As shown in fig. 3, establishing the TCP connection from the client to the server requires a three-way handshake, and as shown in fig. 4, closing the TCP connection from the client to the server requires a four-way teardown. In the existing scheme, a TCP connection is established both from the service system to the encryption machine proxy system and from the encryption machine proxy system to the encryption machine, so there are more interactions between client and server and the call takes longer.

Therefore, the application provides a security service calling method and a security service calling system. Specifically, a security service invocation method and a security service invocation system according to embodiments of the present application are described below with reference to the accompanying drawings.

FIG. 5 is a flow diagram of a security service invocation method according to one embodiment of the present application. It should be noted that the security service invoking method according to the embodiment of the present application may be applied to the security service invoking system according to the embodiment of the present application. The security service invoking system can comprise a business system, an encryption machine proxy system and an encryption machine. In this embodiment, the call link of the secure service call system is business system -> encryption machine proxy system -> encryption machine, where the encryption machine directly provides a service for the encryption machine proxy system, the encryption machine proxy system directly provides a service for the business system, and the encryption machine proxy system is both a client of the encryption machine and a service provider for the business system.

As shown in fig. 5, the security service calling method may include:

Step 510, when the service system intends to send a data processing request to the encryption machine proxy system, the service system obtains a pre-established target first TCP connection from the first connection pool; the first connection pool is arranged in the service system.

Optionally, in the service processing stage, when the service system wants to perform some kind of security processing (e.g., data encryption and decryption, or digital signing and signature verification) on the service data through a security service call, the service system may send a data processing request to the encryption machine proxy system, and to do so obtains a pre-established target first TCP connection from the first connection pool. It should be noted that the first connection pool may be preset in the service system. As an example, RPC (remote procedure call) communication between the service system and the encryption machine proxy system can be performed using the open-source Dubbo framework (a high-performance service framework that abstracts remote procedure calls and supports load balancing, disaster tolerance, and clustering). The Dubbo framework uses Netty connection pool technology, that is, a connection pool responsible for managing the TCP connections between the service system and the encryption machine proxy system can be created in the service system through the Netty connection pool technology.

As an example, before the service system intends to send a data processing request to the encryptor proxy system, a first TCP connection between the service system and the encryptor proxy system may be pre-established, and the pre-established first TCP connection may be put into a first connection pool on the service system for management, and a plurality of second TCP connections between the encryptor proxy system and a plurality of encryptors may be pre-established, and the pre-established second TCP connections may be put into a second connection pool on the encryptor proxy system for management.

For example, when the security service invoking system is in an initial stage of starting, or if the security service invoking system adopts a lazy loading mode, before the first invocation, a first TCP connection between the service system and the encryption machine proxy system may be pre-established, second TCP connections between the encryption machine proxy system and each encryption machine may be pre-established, the pre-established first TCP connection may be placed in the first connection pool for management, and the pre-established second TCP connections may be placed in the second connection pool for management. That is to say, at the initial stage of starting the security service invoking system, or if the security service invoking system adopts the lazy loading mode, before the first invocation, TCP connections from a plurality of clients to the server may be established in advance, and the established connections are put into the corresponding connection pools for management, so as to be used at the subsequent service processing stage.

In an embodiment of the present application, a specific implementation process of the service system obtaining a pre-established target first TCP connection from the first connection pool may be as follows: the first connection pool determines the first TCP connections in it that are in an idle state, and one of the first TCP connections in the idle state is randomly selected as the target first TCP connection. For example, the first connection pool holds a plurality of first TCP connections established in advance, and the service system may select one first TCP connection from the first connection pool as the TCP connection from the current service system to the encryption machine proxy system, so that the service system sends the current data processing request to the encryption machine proxy system through that TCP connection.

Step 520, the service system sends a data processing request to the encryptor proxy system based on the target first TCP connection, where the data processing request includes data to be processed.

That is to say, the service system may obtain the target first TCP connection from the first connection pool, and further may send the data processing request to the encryptor proxy system through the target first TCP connection, so that the encryptor proxy system forwards the request to the corresponding encryptor, so that the corresponding encryptor performs corresponding calculation processing on the data to be processed in the request.

Step 530, the encryptor proxy system acquires a pre-established target second TCP connection from the second connection pool; the second connection pool is arranged in the encryption machine proxy system.

As an example, the data processing request may further include: identification information of the target encryption machine. In this example, the encryptor proxy system obtains a target second TCP connection between the encryptor proxy system and the target encryptor from the second connection pool according to the identification information in the data processing request. That is, the encryptor proxy system may correspond to a plurality of encryptors, and when receiving a data processing request sent by the service system, the encryptor proxy system may obtain, according to the identification information in the data processing request, a second TCP connection applicable to the encryptor corresponding to the identification information from the second connection pool, and use the second TCP connection as a TCP connection from the encryptor proxy system to the target encryptor.

It should be noted that, in the embodiment of the present application, the second connection pool in the encryption machine proxy system can be implemented using the open-source Apache commons-pool2 library (which provides a standard interface and ready-made general logic for pooling) as the underlying technology.

Step 540, the encryption machine proxy system sends the data to be processed to the corresponding target encryption machine based on the target second TCP connection, so that the target encryption machine performs calculation processing on the data to be processed.

That is, when the encryption machine proxy system acquires the target second TCP connection from the second connection pool, the encryption machine proxy system may send the data to be processed in the data processing request to the corresponding target encryption machine through the target second TCP connection. When receiving the data to be processed, the target encryption machine can perform calculation processing on the data to be processed using its own security service function.

In an embodiment of the present application, after the target encryption device performs calculation processing on the to-be-processed data, as shown in fig. 6, on the basis of fig. 5, the security service invoking method may further include:

Step 610, the target encryption machine returns the response data of the calculation processing result to the encryption machine proxy system through the target second TCP connection.

That is, after the target encryption machine performs calculation processing on the data to be processed using its own security service function, response data of the calculation processing result may be returned to the encryption machine proxy system through the target second TCP connection.

Step 620, when the encryption machine proxy system receives the response data returned by the target encryption machine, the encryption machine proxy system returns the target second TCP connection to the second connection pool and returns the response data to the service system through the target first TCP connection.

That is, when receiving the response data returned by the target encryption machine, the encryption machine proxy system can return the target second TCP connection to the second connection pool for use in subsequent service processing, so as to achieve connection multiplexing; at the same time, the response data can also be returned to the service system through the target first TCP connection.

Step 630, when the service system receives the response data returned by the encryption machine proxy system, the service system returns the target first TCP connection to the first connection pool for use in subsequent service processing, so as to achieve connection multiplexing.

To facilitate a better understanding of the present application by those skilled in the art, reference will now be made to FIG. 7.

As shown in fig. 7, the call link of the secure service call system according to the embodiment of the present application may be: business system -> encryption machine proxy system -> encryption machine, wherein the encryption machine directly provides service for the encryption machine proxy system, the encryption machine proxy system directly provides service for the business system, and the encryption machine proxy system is both a client of the encryption machine and a service provider for the business system.

In the embodiment of the application, in order to implement connection multiplexing of TCP, a connection pool is added to the service system and the agent system of the encryption machine, respectively. The connection pool in the service system is responsible for the TCP connection management from the service system to the encryption machine proxy system, and the connection pool in the encryption machine proxy system is responsible for the TCP connection management from the encryption machine proxy system to the encryption machine. In the initial stage of starting the security service calling system (before the first calling if a lazy loading mode is adopted), TCP connections from a plurality of clients to a server are established, and the established connections are put into a connection pool for management. In the subsequent service processing stage, the communication between the client and the server firstly obtains the connection from the connection pool, sends data through the connection, and returns the connection to the connection pool for the subsequent service processing to use after the response of the server is obtained, so that the multiplexing of the connection is realized.
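The borrow, send, return cycle of the second connection pool described above can be sketched as follows. This is an added example, not code from the application: the 4-byte length-prefixed framing, the stub encryption machine, and the names `KeyedPool`, `proxy_call` and `hsm-a` are assumptions for illustration. It also covers the failure case the description leaves open: a connection whose request failed part-way is closed and replaced rather than returned, so a late response cannot be read by the next borrower.

```python
import queue
import socket
import socketserver
import struct
import threading


def recv_exact(sock, n):
    """Read exactly n bytes; raise ConnectionError if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection")
        buf += chunk
    return buf


class StubEncryptor(socketserver.ThreadingTCPServer):
    """Constructed stand-in for an encryption machine. Replies to each
    length-prefixed frame with the reversed payload, counts accepted TCP
    connections, and drops the connection on the payload b"DROP"."""
    daemon_threads = True

    class Handler(socketserver.BaseRequestHandler):
        def handle(self):
            try:
                while True:
                    (n,) = struct.unpack("!I", recv_exact(self.request, 4))
                    body = recv_exact(self.request, n)
                    if body == b"DROP":      # simulated mid-request failure
                        return
                    self.request.sendall(struct.pack("!I", n) + body[::-1])
            except OSError:
                pass

    def __init__(self):
        super().__init__(("127.0.0.1", 0), self.Handler)
        self.accepted = 0
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def get_request(self):
        conn = super().get_request()
        self.accepted += 1                   # one increment per TCP handshake
        return conn


class KeyedPool:
    """Second connection pool: idle TCP connections keyed by the
    identification information of each encryption machine."""

    def __init__(self, endpoints, size):
        self._endpoints = endpoints          # id -> (host, port)
        self._idle = {key: queue.Queue() for key in endpoints}
        for key in endpoints:                # pre-establish at startup
            for _ in range(size):
                self._idle[key].put(self._connect(key))

    def _connect(self, key):
        return socket.create_connection(self._endpoints[key], timeout=2)

    def borrow(self, key, timeout=2):
        if key not in self._idle:
            raise KeyError(f"unknown encryption machine id: {key!r}")
        return self._idle[key].get(timeout=timeout)  # waits for an idle one

    def give_back(self, key, conn):
        self._idle[key].put(conn)

    def invalidate(self, key, conn):
        """Close a connection in an unknown state and pool a fresh one."""
        conn.close()
        self._idle[key].put(self._connect(key))

    def idle(self, key):
        return self._idle[key].qsize()


def proxy_call(pool, encryptor_id, data):
    """Forward one request over a pooled connection and return the reply."""
    conn = pool.borrow(encryptor_id)
    try:
        conn.sendall(struct.pack("!I", len(data)) + data)
        (n,) = struct.unpack("!I", recv_exact(conn, 4))
        reply = recv_exact(conn, n)
    except OSError:                          # timeout, reset, early close
        pool.invalidate(encryptor_id, conn)  # never reuse a half-used socket
        raise
    pool.give_back(encryptor_id, conn)       # returned only after a full reply
    return reply


if __name__ == "__main__":
    hsm = StubEncryptor()
    pool = KeyedPool({"hsm-a": hsm.server_address}, size=2)
    for i in range(6):
        proxy_call(pool, "hsm-a", b"req%d" % i)
    print("requests: 6, TCP handshakes:", hsm.accepted)
```
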

According to the security service calling method of the embodiment of the application, when a business system wants to send a data processing request to an encryption machine proxy system, the business system obtains a pre-established target first TCP connection from a first connection pool and sends the data processing request, which comprises the data to be processed, to the encryption machine proxy system over that connection; the encryption machine proxy system obtains a pre-established target second TCP connection from a second connection pool and sends the data to be processed over it to the corresponding target encryption machine, so that the target encryption machine performs calculation processing on the data to be processed. That is, connection pool technology is used to place the pre-established TCP connections from the business system to the encryption machine proxy system, and from the encryption machine proxy system to the encryption machine, into their respective connection pools for management, and the corresponding connection is obtained from the corresponding pool before each send. Establishing a TCP connection, as in the prior art, takes on the order of milliseconds, whereas obtaining a connection from the connection pool is a local method call that takes on the order of nanoseconds. By avoiding establishing a TCP connection for every call, the overall communication time is greatly reduced and the TCP connections between the encryption machine proxy and the encryption machine are reused, which improves the performance of the encryption machine proxy.

Corresponding to the security service calling methods provided in the above embodiments, an embodiment of the present application further provides a security service calling system. Since the security service calling system provided in this embodiment corresponds to the security service calling methods provided in the above embodiments, the implementations of the security service calling method are also applicable to the security service calling system provided in this embodiment and are not described in detail here. Fig. 8 is a schematic structural diagram of a security service calling system according to an embodiment of the present application. As shown in fig. 8, the security service calling system 800 may include: service system 810, encryptor proxy system 820 and encryptor 830.

Specifically, the service system 810 may be configured to, when a data processing request is to be sent to the encryptor proxy system 820, obtain a pre-established target first TCP connection from the first connection pool, and send the data processing request to the encryptor proxy system 820 based on the first TCP connection; the first connection pool is arranged in the service system; the data processing request includes data to be processed.

The encryptor proxy system 820 is configured to obtain a pre-established target second TCP connection from the second connection pool, and send the to-be-processed data to the corresponding target encryptor 830 based on the target second TCP connection, so that the target encryptor 830 performs calculation processing on the to-be-processed data; wherein the second connection pool is disposed in the encryptor proxy system 820.

As an example, the service system 810 is further configured to pre-establish a first TCP connection between the service system 810 and the encryptor proxy system 820 before sending the data processing request to the encryptor proxy system 820, and place the pre-established first TCP connection into a first connection pool on the service system 810 for management. The encryptor proxy system 820 is further configured to pre-establish a plurality of second TCP connections between the encryptor proxy system 820 and the plurality of encryptors 830, and to place the pre-established plurality of second TCP connections into the second connection pool on the encryptor proxy system 820 for management.

In an embodiment of the present application, a specific implementation process of the service system 810 obtaining the pre-established target first TCP connection from the first connection pool may be as follows: the first TCP connections in an idle state in the first connection pool are determined through the first connection pool, and one of the first TCP connections in the idle state is randomly selected as the target first TCP connection.

In one embodiment of the present application, the data processing request may further include identification information of the target encryptor. In this embodiment of the present application, a specific implementation process of the encryptor proxy system 820 acquiring the pre-established target second TCP connection from the second connection pool may be as follows: a target second TCP connection between the encryptor proxy system and the target encryptor is acquired from the second connection pool according to the identification information in the data processing request.

In an embodiment of the present application, the target encryptor 830 is configured to return response data of a result of the calculation processing to the encryptor proxy system 820 through the target second TCP connection after performing the calculation processing on the data to be processed. The encryptor proxy system 820 is further configured to, upon receiving the response data returned by the target encryptor 830, return the target second TCP connection to the second connection pool, and return the response data to the service system 810 via the target first TCP connection. The service system 810 is further configured to return the target first TCP connection to the first connection pool upon receiving the response data returned by the encryptor proxy system 820.
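The proxy-side flow described above (pre-establish connections, select one by the identification information in the request, send, and return the connection to the pool only after the response arrives), as an added Python example that is not code from the application. The length-prefixed framing, the `fake_encryptor` stand-in, the `socketpair` used in place of real TCP connections, the `hsm-*` identifiers and the choice to close a connection after a failed exchange instead of returning it are all assumptions of this sketch.

```python
import queue, socket, struct, threading

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def send_frame(sock, payload):
    # Assumed framing: 4-byte big-endian length, then the payload.
    sock.sendall(struct.pack(">I", len(payload)) + payload)

def recv_frame(sock):
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length)

def fake_encryptor(sock, tag):
    # Constructed stand-in for an encryptor: replies "<tag>:<reversed data>".
    try:
        while True:
            send_frame(sock, tag + b":" + recv_frame(sock)[::-1])
    except (ConnectionError, OSError):
        sock.close()

class SecondPool:
    """Proxy-side pool: idle connections keyed by encryptor identification."""
    def __init__(self, encryptor_ids, per_encryptor=2):
        self.idle = {eid: queue.Queue() for eid in encryptor_ids}
        for eid, idle in self.idle.items():
            for _ in range(per_encryptor):  # pre-establish before any request
                near, far = socket.socketpair()  # stands in for a TCP connection
                threading.Thread(target=fake_encryptor,
                                 args=(far, eid.encode()), daemon=True).start()
                idle.put(near)

    def call(self, encryptor_id, data, timeout=2.0):
        if encryptor_id not in self.idle:  # only pre-registered encryptors
            raise KeyError(f"unknown encryptor: {encryptor_id!r}")
        conn = self.idle[encryptor_id].get(timeout=timeout)  # take an idle one
        try:
            send_frame(conn, data)
            response = recv_frame(conn)
        except Exception:
            conn.close()  # state unknown: drop it rather than reuse it
            raise
        self.idle[encryptor_id].put(conn)  # return only after the response
        return response
```

Closing the connection on a failed exchange keeps a late response from one request from being read by the next caller that borrows the same connection; a production pool would also dial a replacement so the pool does not shrink.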

According to the security service calling system of the embodiment of the application, when the service system wants to send a data processing request to the encryptor proxy system, the service system obtains a pre-established target first TCP connection from the first connection pool and sends the data processing request to the encryptor proxy system based on the target first TCP connection, wherein the data processing request includes data to be processed. The encryptor proxy system obtains a pre-established target second TCP connection from the second connection pool and sends the data to be processed to a corresponding target encryptor based on the target second TCP connection, so that the target encryptor performs calculation processing on the data to be processed. That is, connection pool technology is used to place the pre-established TCP connections from the service system to the encryptor proxy system, and the pre-established TCP connections from the encryptor proxy system to the encryptor, into corresponding connection pools for management, so that a connection is obtained from the corresponding connection pool before data is sent each time. Compared with the prior art, in which establishing a TCP connection takes on the order of milliseconds, obtaining a TCP connection from the connection pool is a local method call and takes on the order of nanoseconds. By no longer establishing a TCP connection each time, the overall communication time consumption is greatly reduced, and multiplexing of the TCP connection between the encryptor proxy and the encryptor is realized, so that the encryptor proxy performance is improved.

In the description of the present application, it is to be understood that the terms "first", "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implying any number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present application, "plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.

In this application, unless expressly stated or limited otherwise, the terms "mounted," "connected," "secured," and the like are to be construed broadly and can include, for example, fixed connections, removable connections, or integral parts; can be mechanically or electrically connected; they may be directly connected or indirectly connected through intervening media, or they may be connected internally or in any other suitable relationship, unless expressly stated otherwise. The specific meaning of the above terms in the present application can be understood by those of ordinary skill in the art as appropriate.

In the description herein, reference to the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, the schematic representations of the terms used above are not necessarily intended to refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, various embodiments or examples, and features of different embodiments or examples, described in this specification can be combined by one skilled in the art without contradiction.

Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present application includes other implementations in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.

The logic and/or steps represented in the flowcharts or otherwise described herein, e.g., an ordered listing of executable instructions that can be considered to implement logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via for instance optical scanning of the paper or other medium, then compiled, interpreted or otherwise processed in a suitable manner if necessary, and then stored in a computer memory.

It should be understood that portions of the present application may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.

It will be understood by those skilled in the art that all or part of the steps of the methods of the above embodiments may be implemented by a program instructing the related hardware. The program may be stored in a computer readable storage medium, and when the program is executed, it performs one or a combination of the steps of the method embodiments.

In addition, functional units in the embodiments of the present application may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.

The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc. Although embodiments of the present application have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present application, and that variations, modifications, substitutions and alterations may be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.
