CN-122027631-A - Double-machine hot standby data synchronization method and system based on cryptographic algorithm
Abstract
The invention discloses a double-machine hot standby data synchronization method and system based on a cryptographic algorithm, and relates to the technical field of computer network security. The method adopts a double-master mode: both servers operate as independent master nodes, each establishing its own TCP service, so that together they form a peer-to-peer network. Unlike the unidirectional replication of the traditional master-slave mode, the method implements bidirectional synchronization, so that when either party fails the other takes over seamlessly. Synchronization is handled by a single thread, which greatly reduces system complexity. The certificate and key data to be synchronized are first persisted to a local synchronization file and then transmitted over an encrypted TCP channel. The method has no external dependencies (such as a database or middleware), is implemented purely in code, and is convenient to deploy.
Inventors
- TANG FEILONG
- WU DI
- Leng Hechen
- WU CHUNQING
Assignees
- 济南龙麦电子科技有限公司
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2025-12-02
Claims (10)
- 1. A double-machine hot standby data synchronization method based on a cryptographic algorithm, characterized by comprising the following steps: S1, obtaining connection request data of a client, and performing connection establishment processing through a TCP three-way handshake according to the connection request data to obtain a connected TCP socket object; S2, performing connection verification processing through port monitoring and handshake confirmation according to the TCP socket object to obtain a TCP communication channel; S3, according to the public key certificate of the server, performing negotiation request processing through key exchange initialization of the SM2 algorithm to obtain temporary (ephemeral) key pair data generated by the client; S4, performing shared key calculation on the elliptic curve according to the temporary key pair data to obtain preliminary shared secret data; S5, performing key material exchange through encrypted transmission according to the temporary key pair data to obtain a key negotiation packet received by the server; S6, performing integrity verification through the SM3 hash function according to the key negotiation packet, and obtaining key material data once verification passes; S7, processing the preliminary shared secret data through an SM4 key derivation function to obtain a symmetric session key; S8, performing key enhancement through random number injection according to the symmetric session key to obtain secure session key data; S9, performing negotiation confirmation through an encrypted challenge-response according to the secure session key data to obtain a consistency verification result between the server and the client; S10, performing exception reset processing according to the verification result to obtain a complete key negotiation completion state.
- 2. The method according to claim 1, wherein S2 comprises: S21, establishing a TCP service in double-master mode between the server and the client, and synchronizing the public key certificate and key data using a single synchronization thread; S22, performing CRUD synchronization according to the data format by setting the combined state of the synchronization file and the index file as an extension.
- 3. The method according to claim 2, wherein S3 comprises: S31, distinguishing the temporary key pair data into synchronized and unsynchronized data through a synchronization status bit according to the synchronization file and the index file; S32, performing binary search over the index entries in the index file to achieve O(log n) lookup time complexity.
- 4. The method according to claim 3, wherein S9 comprises querying the peer's offset, extracting the local delta data, and detecting by means of an intelligent recovery configured on the basis of the secure session key data.
- 5. A double-machine hot standby data synchronization system based on a cryptographic algorithm, characterized by comprising: a communication connection module, used for acquiring connection request data of the client and performing connection establishment processing through a TCP three-way handshake according to the connection request data to obtain a connected TCP socket object; a channel construction module, used for performing connection verification processing through port monitoring and handshake confirmation according to the TCP socket object to obtain a TCP communication channel; a request processing module, used for performing negotiation request processing through key exchange initialization of the SM2 algorithm according to the public key certificate of the server to obtain temporary key pair data generated by the client; a key processing module, used for performing shared key calculation on the elliptic curve according to the temporary key pair data to obtain preliminary shared secret data; a key conversion module, used for performing key material exchange through encrypted transmission according to the temporary key pair data to obtain a key negotiation packet received by the server; a key verification module, used for performing integrity verification through the SM3 hash function according to the key negotiation packet and obtaining key material data once verification passes; a key encryption module, used for processing the preliminary shared secret data through an SM4 key derivation function to obtain a symmetric session key; a key optimization module, used for performing key enhancement through random number injection according to the symmetric session key to obtain secure session key data; a verification processing module, used for performing negotiation confirmation through an encrypted challenge-response according to the secure session key data to obtain a consistency verification result between the server and the client; and a synchronization optimization module, used for performing exception reset processing according to the verification result to obtain a complete key negotiation completion state.
- 6. The system of claim 5, wherein the channel construction module comprises: a data processing unit, used for establishing a TCP service in double-master mode between the server and the client and synchronizing the public key certificate and key data using a single synchronization thread; and a data synchronization unit, used for performing CRUD synchronization according to the data format by setting the combined state of the synchronization file and the index file as an extension.
- 7. The system of claim 6, wherein the request processing module comprises: an index establishing unit, used for distinguishing the synchronized and unsynchronized temporary key data through the synchronization status bit according to the synchronization file and the index file; and an index optimization unit, used for performing binary search over the index entries in the index file to achieve O(log n) lookup time complexity.
- 8. The system of claim 7, wherein the verification processing module is further configured to query the peer's offset, extract the local delta data, and detect by means of an intelligent recovery configured on the basis of the secure session key data.
- 9. An electronic device comprising a memory and a processor, the memory configured to store one or more computer instructions, wherein the one or more computer instructions when executed by the processor implement the method of any of claims 1-4.
- 10. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program which, when executed by a processor, is adapted to carry out the method according to any of the preceding claims 1-4.
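Steps S3 to S10 of claim 1 (and the corresponding modules of claim 5) describe a key negotiation but no wire format, so the following is an added illustration, not code from the patent or its assignee. It runs an ephemeral Diffie-Hellman exchange on the SM2 curve in pure Python, appends an SM3 digest to each negotiation packet (S5, S6), derives the session key from the shared x-coordinate with both sides' nonces injected (S4, S7, S8), and confirms the key with keyed challenge-response tags over the transcript (S9), returning None to model the abnormal reset of S10. The server certificate check of S3, the SM4 channel and the full GB/T 32918.3 exchange are deliberately out of scope; the hash falls back to SHA-256 when the local OpenSSL lacks SM3; all function names and the KDF label are assumptions.

```python
"""Added example, not the patent's code: ephemeral ECDH on the SM2 curve with an
SM3-based KDF, nonce injection and keyed challenge-response confirmation
(steps S3-S10 of claim 1). Helper names and the KDF label are assumptions."""
import hashlib
import hmac
import os

# sm2p256v1 parameters (GB/T 32918.5); the checks on_curve(G) and N*G == INF guard against a transcription slip.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
INF = None  # point at infinity

# hashlib exposes SM3 only when OpenSSL provides it; SHA-256 stands in otherwise (assumption).
try:
    hashlib.new("sm3")
    HASH = "sm3"
except ValueError:
    HASH = "sha256"


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine add/double on y^2 = x^3 + Ax + B over GF(P)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add; readable, not constant-time."""
    acc = INF
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def random_scalar():
    """Ephemeral private key in [1, N-1] (S3)."""
    return int.from_bytes(os.urandom(32), "big") % (N - 1) + 1


def make_packet(pub, nonce):
    """S5: uncompressed ephemeral public key + 16-byte nonce + hash digest."""
    body = b"\x04" + pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big") + nonce
    return body + hashlib.new(HASH, body).digest()


def parse_packet(pkt):
    """S6: integrity and point validation. An unkeyed digest only catches corruption
    (an active attacker recomputes it); the keyed tags of S9 bind the transcript."""
    body, digest = pkt[:-32], pkt[-32:]
    if not hmac.compare_digest(hashlib.new(HASH, body).digest(), digest):
        raise ValueError("negotiation packet failed integrity check")
    pub = (int.from_bytes(body[1:33], "big"), int.from_bytes(body[33:65], "big"))
    if len(body) != 81 or body[0] != 4 or not on_curve(pub):
        raise ValueError("peer public key is not a valid curve point")
    return pub, body[65:]


def derive_session_key(priv, peer_pub, nonce_c, nonce_s):
    """S4 + S7 + S8: shared x-coordinate -> KDF with both nonces injected."""
    shared = scalar_mult(priv, peer_pub)
    if shared is INF:
        raise ValueError("degenerate shared point")
    ikm = shared[0].to_bytes(32, "big") + nonce_c + nonce_s + b"hot-standby-sync"
    return hashlib.new(HASH, ikm).digest()


def confirm_tag(key, role, transcript):
    """S9: challenge-response tag over the whole transcript under the agreed key."""
    return hmac.new(key, role + transcript, HASH).digest()


def negotiate(d_client, nonce_c, d_server, nonce_s, tamper=False):
    """Runs both sides in-process; returns the key, or None for an S10 reset."""
    q_c, q_s = scalar_mult(d_client, G), scalar_mult(d_server, G)
    pkt_c, pkt_s = make_packet(q_c, nonce_c), make_packet(q_s, nonce_s)
    # tamper=True swaps the server nonce in flight with a recomputed digest, so S6 passes and only S9 catches it.
    pkt_s_wire = make_packet(q_s, bytes(16)) if tamper else pkt_s
    q_s_seen, ns_seen = parse_packet(pkt_s_wire)            # client side
    k_client = derive_session_key(d_client, q_s_seen, nonce_c, ns_seen)
    q_c_seen, nc_seen = parse_packet(pkt_c)                 # server side
    k_server = derive_session_key(d_server, q_c_seen, nc_seen, nonce_s)
    tr_client, tr_server = pkt_c + pkt_s_wire, pkt_c + pkt_s
    if not hmac.compare_digest(confirm_tag(k_client, b"client", tr_client),
                               confirm_tag(k_server, b"client", tr_server)):
        return None
    if not hmac.compare_digest(confirm_tag(k_server, b"server", tr_server),
                               confirm_tag(k_client, b"server", tr_client)):
        return None
    return k_client
```

Generate both ephemeral scalars with random_scalar() and 16-byte nonces with os.urandom(16), then call negotiate(). The tamper flag shows why the unkeyed digest of S6 is not sufficient on its own: the modified packet passes the digest check, and it is the keyed confirmation of S9 that detects the mismatch and triggers the reset.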
Description
Double-machine hot standby data synchronization method and system based on cryptographic algorithm
Technical Field
The invention discloses a double-machine hot standby data synchronization method and system based on a cryptographic algorithm, and relates to the technical field of computer network security.
Background
In a distributed system, dual-machine hot standby (Dual-Machine Hot Standby) is a core mechanism for guaranteeing high availability and data consistency, and in the finance, government and security sectors in particular the management of certificates (such as digital certificates) and keys (such as encryption keys) must be extremely safe and reliable. Certificates typically contain a public key, a signature and expiry information and are used for authentication; keys are used for encryption and decryption. Loss or inconsistency of such data may lead to system paralysis, security holes or compliance violations.
Most existing dual-machine hot standby schemes adopt a master-slave (Master-Slave) mode, in which the master node performs the main data operations and the slave node only passively copies data. Although simple, this mode has a significant disadvantage: the slave must be switched to master, manually or automatically, when a failure occurs, which can cause a brief service interruption (typically seconds to minutes) and data inconsistency (for example, loss of write operations during the switch). Furthermore, existing schemes typically rely on multi-threaded synchronization mechanisms for data transfer, which increases thread management overhead, the risk of deadlock and system instability; for example, resource contention between threads may cause synchronization delays or crashes, which is especially prominent under high concurrency.
In terms of data format, conventional schemes often use simple database logs (such as the MySQL binlog) or JSON/XML files to store synchronized data and lack an efficient indexing mechanism, so that looking up synchronized or unsynchronized data requires a full scan. This is inefficient and cannot support fast recovery (for example, querying the synchronization state of a particular certificate may require traversing the entire file). Open-source message queues such as Kafka do provide log storage (the Kafka partition log), but these formats are not optimized for the structured nature of certificates and keys (such as the nested structure of a certificate or the binary representation of a key) and do not integrate cryptographic algorithms, so they fail to comply in environments with strict localization requirements.
In terms of transmission security, the prior art relies on international encryption standards (such as TLS based on RSA/AES), but where localized encryption is required (such as the Chinese national standards), the national cryptographic algorithms (SM2, SM3, SM4) must be used for compliance. In current solutions, however, key agreement is usually embedded in the TLS protocol and no custom lightweight SM-based agreement is provided, which causes compatibility problems and overhead (for example, the computational burden of certificate chain verification).
The reconnection recovery mechanism is another pain point: after a node is disconnected for a short time, existing systems usually require full synchronization or manual intervention and cannot automatically catch up, so data backlogs accumulate easily, especially under high-frequency delete and update operations. For example, in a certificate management system, if a new certificate is issued while a node is down, the entire data set may have to be transmitted for recovery, causing network load and delay.
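The indexing and reconnection-recovery points raised above (and claimed in claims 2 to 4) can be illustrated with a small store; this is an added example, not the patent's or assignee's code. It keeps an append-only synchronization file of length-prefixed CRUD records, a sorted index whose entries carry a synced/unsynced status bit and are found by binary search, and an offset-based catch-up in which the replica reports how far it has applied and the source ships only the delta. A digest on each record lets the reader stop at a torn tail after a crash or a cut transfer instead of poisoning the log. The record layout, class and function names are assumptions, and SHA-256 stands in for the SM3 digest so the example runs on any Python build.

```python
"""Added example, not the patent's code: append-only synchronization file plus a
sorted index with a synced/unsynced status bit, O(log n) lookup and offset-based
delta catch-up (claims 2-4). Layout and names are assumptions; SHA-256 stands in for SM3."""
import bisect
import hashlib
import struct

# Record layout in the synchronization file: op(1) | key_len(2) | val_len(4) | key | value | digest(32)
# The digest lets a reader spot a torn tail record after a crash or a cut transfer.
HDR = struct.Struct(">BHI")
OPS = (b"C", b"U", b"D")  # create, update, delete


def encode_record(op, key, value=b""):
    if op not in OPS:
        raise ValueError("op must be one of C, U, D")
    body = HDR.pack(op[0], len(key), len(value)) + key + value
    return body + hashlib.sha256(body).digest()


def decode_record(buf, offset):
    """Returns (op, key, value, next_offset), or None if the record is torn."""
    if offset + HDR.size > len(buf):
        return None
    op, klen, vlen = HDR.unpack_from(buf, offset)
    end = offset + HDR.size + klen + vlen + 32
    if end > len(buf):
        return None
    body = bytes(buf[offset:end - 32])
    if hashlib.sha256(body).digest() != bytes(buf[end - 32:end]):
        return None
    key = body[HDR.size:HDR.size + klen]
    return bytes([op]), key, body[HDR.size + klen:], end


class SyncStore:
    def __init__(self):
        self.log = bytearray()   # synchronization file (append-only)
        self.keys = []           # index file, kept sorted for bisect
        self.index = []          # parallel list of [offset, synced_bit]
        self.peer_offset = 0     # how far into the peer's log we have applied

    def append(self, op, key, value=b"", synced=False):
        offset = len(self.log)
        self.log += encode_record(op, key, value)
        i = bisect.bisect_left(self.keys, key)
        if i < len(self.keys) and self.keys[i] == key:
            self.index[i] = [offset, synced]
        else:
            self.keys.insert(i, key)
            self.index.insert(i, [offset, synced])
        return offset

    def lookup(self, key):
        """O(log n) probe of the index; returns (offset, synced) or None."""
        i = bisect.bisect_left(self.keys, key)
        if i < len(self.keys) and self.keys[i] == key:
            return tuple(self.index[i])
        return None

    def mark_synced(self, key):
        self.index[bisect.bisect_left(self.keys, key)][1] = True

    def unsynced(self):
        """Keys whose latest record the peer has not yet acknowledged."""
        return [k for k, (_, synced) in zip(self.keys, self.index) if not synced]

    def delta_since(self, peer_offset):
        """Bytes the peer still lacks. An offset past our log means histories diverged."""
        if peer_offset > len(self.log):
            raise ValueError("peer offset ahead of local log; full resync required")
        return bytes(self.log[peer_offset:])

    def apply_delta(self, data):
        """Replays whole records only; returns (keys_applied, bytes_consumed)."""
        pos, keys = 0, []
        while pos < len(data):
            rec = decode_record(data, pos)
            if rec is None:          # torn record: stop here, it is re-sent next round
                break
            op, key, value, pos = rec
            self.append(op, key, value, synced=True)
            keys.append(key)
        return keys, pos

    def current(self):
        """Materialized view: last record per key, deleted keys removed."""
        state, pos = {}, 0
        while pos < len(self.log):
            op, key, value, pos = decode_record(self.log, pos)
            if op == b"D":
                state.pop(key, None)
            else:
                state[key] = value
        return state


def catch_up(source, replica, wire=lambda d: d):
    """Recovery after a disconnect: replica reports its offset, source ships the delta,
    replica applies what arrived intact and advances. `wire` can truncate to model a cut."""
    delta = source.delta_since(replica.peer_offset)
    keys, consumed = replica.apply_delta(wire(delta))
    replica.peer_offset += consumed
    for key in keys:
        source.mark_synced(key)
    return len(keys)
```

Because the replica only advances its offset past records that decoded and verified, a transfer cut mid-record costs one retry rather than a full resynchronization; the delta_since check that rejects an offset beyond the local log is the point at which divergent histories (for example, after both masters accepted writes during a partition) must fall back to a full resync rather than silently continuing.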
In addition, existing schemes usually implement synchronization of create, read, update and delete (CRUD) operations through database replication (such as PostgreSQL streaming replication), but this is not optimized for unstructured data such as certificates and keys, is insufficiently stable, and cannot guarantee zero data loss in extreme scenarios (such as power failure or network jitter).
Disclosure of Invention
Aiming at the problems in the prior art, the invention provides a double-machine hot standby data synchronization method and system based on a cryptographic algorithm. The technical scheme adopted is as follows. In a first aspect, a double-machine hot standby data synchronization method based on a cryptographic algorithm includes: S1, obtaining connection request data of a client, and performing connection establishment processing through a TCP three-way handshake according to the connection request data to obtain a connected TCP socket object; S2, performing connection verification processing through port monitoring and handshake confirmation according to the TCP socket object to obtain a TCP communication channel; S3, according