Java Keystore 出现性能问题? [英] Java Keystore is giving performance issue?

问题描述

我们开发了一个应用程序来加密/解密来自/发送到服务器的请求/响应.我们正在做性能测试加密/解密应用程序，我们观察到加密/解密过程需要时间，而许多线程正在同时做.为了识别问题，我们记录了加密/解密过程中的每个方法.从记录器中，我们发现密钥提取过程占用了整个过程时间的 70-80%.

We have developed an application to encrypt/decrypt a request/response from/to server. We were doing performance testing of encryption/decryption application where we have observed that encryption/decryption process is taking time, while many threads are doing it at the same time. To identify an issue, we have logged every methods that are part of encryption/decryption process. From logger we have found that Key Fetching process is taking 70-80% of time from overall time of process.

1. 我们使用 AES 算法进行加密/解密
2. AES 密钥存储在具有唯一 ID 的密钥库中.
3. 在加密/解密过程之前，我们从密钥库中获取针对唯一 ID 存储的 AES 密钥.执行加密/解密.
4. 随着密钥存储区大小的增加，性能越来越差.

进一步分析，我们发现Key store内部使用的是HashTable.这是性能问题吗?

On further analysis, we have found that Key store is internally using HashTable. Is this giving performance issue?

当密钥存储大小为 2002 时 --- TPS 为 85密钥存储大小为 14007 -- TPS 为 38

When Key store size is 2002 --- TPS is 85 Key store size is 14007 -- TPS is 38

请帮忙.

推荐答案

注意:此答案基于假设，因为您没有提供有关所用密钥库格式(JKS、BKS、JCEKS 等)的任何详细信息.

Note: This answer bases on assumptions as you do not provide any details on the used keystore format (JKS, BKS, JCEKS, ...).

我假设每次需要密钥时，都从文件(JKS 格式)加载 Java 密钥库.

I assume that every time you need the key, you load the Java keystore from file (JKS format).

密钥库受密码保护，即使您不使用它(空密码)，密码字符串也用于生成保护 Java 密钥库的加密密钥.

The key store is protected by a password and even if you don't use it (empty password) the password string is used to generate the encryption key that protects the Java keystore.

您的主要问题是密码的密钥派生过程结合了反暴力算法，该算法对密码执行 1000 次或更多次 SHA1 迭代.这会消耗大量时间，这是预期的结果，因为它存在用于减缓蛮力攻击.

Your main problem is that the key derivation process from the password incorporates an anti-brute-force algorithm which performs 1000 or more iterations of SHA1 on the password. This consumes a lot of time which is the intended result as it exists for slowing down brute-force attacks.

似乎 JKS 格式不仅在加载时执行此操作，而且在加载密钥时也执行此操作.

It seems like the JKS format not only performs this operation when loading but also when loading a key.

结论:不要每次都加载 Java Keystore 或密钥.它的设计目的是在一分钟内加载一次以上.

Conclusion: Don't load the Java Keystore or the key every time. It is not designed to be loaded more than once in a minute.

这篇关于Java Keystore 出现性能问题?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！