JP2005086597A - Communication connection method, program for making computer execute that method, communication connecting device, and lan controller - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform connection of data communication, to keep data which are transmitted and received secret, and to prevent unauthorized accesses. <P>SOLUTION: A terminal device 103 sets a private key for a management server 102 in a TCP header, and sends a request packet for communication connection with respect to a terminal device 104. The management server 102 sets a private key for the terminal device 104 in the TCP header, and performs transfer to the terminal device 104. When this transfer is performed, a private key for the terminal device 103 is passed to a card 104a of the terminal device 104. The terminal device 104 sets a private key for the management server 102 in the TCP header, and sends a response packet to the management server102. The management server 102 sets a private key for the terminal device 103 in the TCP header and performs transfer, and a private key for the terminal device 104 is passed to a card 103a of the terminal device 103. Consequently, it becomes possible to start data communication between the terminal device 103 and the terminal device 104. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a communication connection method for transmitting and receiving data via a network, a program for causing a computer to execute the method, a communication connection device, and a LAN control device, and more particularly, to a partner for performing data communication from a plurality of terminals. TECHNICAL FIELD The present invention relates to a communication connection method capable of preventing unauthorized access by selecting and restricting data to be transmitted / received and maintaining confidentiality of data to be transmitted / received, and a program for causing a computer to execute the method, a communication connection device, and a LAN control device .

  When data is transmitted / received via a network such as the Internet or a LAN, data is encrypted in order to prevent unauthorized access such as wiretapping of communication or impersonation. Data encryption is used when data and mail are sent and received in a configuration such as between servers connected between networks, between servers / clients, and between clients. A method such as a public key method is adopted.

  However, when the encryption process is performed by the shared key method described above, it is necessary to use the same key at the transmission source and the reception destination. Therefore, a distribution method in which the key to be used is handed over to the other party in a safe manner in advance. Must be taken into account. In addition, the public key cryptosystem using a public key does not need to consider the key distribution method, but has a problem that it takes a long time to process data encryption and decryption.

  In addition, if data or packets to be transmitted / received are simply encrypted, there is a risk that the contents of the data will be leaked only by decrypting the data if it is illegally obtained by a third party by eavesdropping on communication. Therefore, high confidentiality is required for data transmission / reception performed by a server or a terminal device connected via a network.

  In addition, when data communication is performed between a server or a plurality of terminals arranged on a network, unauthorized access or leakage of data caused by unauthorized access is also a problem, and its prevention is desired. Note that it is desirable that a specific terminal device that is permitted to access be configured so that a special operation for access permission is not required and the access can be easily performed.

  In order to solve the above-described problems caused by the prior art, the present invention executes a communication connection method capable of connecting data communication, maintaining confidentiality of data at the time of transmission / reception, and preventing unauthorized access, and a computer executing the method. An object of the present invention is to provide a program, a communication connection device, and a LAN control device.

  In order to solve the above-described problems and achieve the object, a communication connection method according to the invention of claim 1 is a communication connection method for connecting data communication between terminals via a management device, and the management device includes: The encryption key defined for each of the first terminal that is the connection source of the data communication and the second terminal that is the connection destination is selected from the encryption keys previously determined for each of the terminals. The encryption key selection step to be selected, and the different encryption keys respectively determined for the first and second terminals selected by the encryption key selection step are used when performing the data communication. A connection establishing step for setting in a data packet and establishing a connection between the first and second terminals.

  According to the first aspect of the present invention, when a data communication connection is established, an encryption key predetermined for permitting reception by the data transmission destination can be acquired from the management apparatus that manages the data communication. Therefore, it is not necessary to hold the encryption key defined in the other terminal device for each terminal device, and it is not necessary to distribute the encryption key of each terminal device in advance.

  A communication connection method according to a second aspect of the present invention is the communication connection method according to the first aspect, wherein the connection establishment request data transmitted from the first terminal is received and the connection establishment request data is received. A connection request receiving step of transmitting the information of the first and second terminals included to the encryption key selection step is included.

  According to the second aspect of the present invention, when data communication is connected between terminals, each terminal device can be started by transmitting a connection request to the management device instead of the communication partner. Since only the encryption key for allowing the management device to receive data can be held, data communication can be connected, and confidentiality can be maintained during data communication.

  According to a third aspect of the present invention, there is provided the communication connection method according to the second aspect, wherein the connection establishing step includes the connection establishment request data received from the first terminal by the connection request receiving step. A connection request transmission step for transmitting the encryption key selected for the first terminal by the encryption key selection step to the second terminal, and the connection request transmission step by the connection request transmission step. In response to the connection establishment request data transmitted to the second terminal, the connection confirmation receiving step of receiving connection confirmation response data returned from the second terminal, and the connection confirmation receiving step 2 connection confirmation data received from the terminal 2 and the encryption key selection step A serial the encryption key that has been chosen for the second terminal, characterized in that it contains a connection confirmation transmission step of transmitting to the first terminal.

  According to the third aspect of the present invention, in the connection process of data communication, a connection establishment request for exchanging data between terminals and a connection confirmation response can be collectively performed via the management device. Information on a terminal to which communication is connected can be held only in the management device, so that unauthorized access can be prevented and confidentiality can be maintained. Further, since the management apparatus performs data communication connection processing, it is possible to reduce the burden of packet processing normally performed by individual terminals.

  According to a fourth aspect of the present invention, there is provided a communication connection method according to the second or third aspect, wherein the connection request receiving step receives data of the connection establishment request from the first terminal, and A reception refusal step of determining whether or not to permit reception based on the presence or absence of the encryption key in each packet when the connection confirmation response data is received from the second terminal in the connection confirmation reception step. It is characterized by including.

  According to the fourth aspect of the present invention, it becomes possible to set the reception permission of the transmitted data by judging whether or not the encryption key is set, and the reception from the general user is not permitted. The reception of data from a specific transmission side can be permitted, and the confidentiality of data contents to be transmitted and received can be maintained. Further, it is possible to prevent unauthorized connection and transmission of unauthorized packets, and to retain data confidentiality on the receiving side.

  The communication connection method according to a fifth aspect of the present invention is the communication connection method according to the fourth aspect, wherein the reception refusal step receives the connection establishment request data from the first terminal by the connection request reception step. And when the connection confirmation reception data is received from the second terminal in the connection confirmation reception step, the encryption key defined for the management device is included in each packet. If it is included, reception is permitted.

  According to the invention of claim 5, since transmission of data is permitted only when the transmission destination holds the encryption key permitted to be received, reception from a user who does not hold is prohibited, and unauthorized access is made. Can be prevented.

  The communication connection method according to a sixth aspect of the present invention is the communication connection method according to any one of the second to fifth aspects, wherein the connection establishing step includes the connection request transmitting step with respect to the second terminal. When transmitting connection establishment request data, the TCP header part in the data is encrypted using the encryption key determined for the second terminal based on the TCP / IP procedure, and When the connection confirmation response data is transmitted to the first terminal in the connection confirmation transmission step, a TCP header portion in the data is determined for the first terminal based on a TCP / IP procedure. The connection is received from the first terminal by the encryption step and the connection request receiving step. A TCP data portion based on the TCP / IP procedure of each packet when receiving the connection establishment request data and when receiving the connection confirmation data from the second terminal in the connection confirmation receiving step On the other hand, a decryption step of performing decryption using the encryption key determined for the management device is included.

  According to the sixth aspect of the present invention, confidentiality of data transmitted and received from the stage of data communication connection can be maintained by encrypting or decrypting data to be transmitted and received using an encryption key. In addition, since the data to be transmitted can be kept confidential for each packet, the confidentiality of the data can be improved.

  A communication connection method according to a seventh aspect of the present invention is the communication connection method according to any one of the first to sixth aspects, wherein the connection between the first and second terminals is established by the connection establishing step. And a packet transmitted from the first terminal is set with header information routed to the second terminal and an encryption key defined for the second terminal, while the second terminal In the packet transmitted from the terminal, header information routed to the first terminal and an encryption key defined in the first terminal are set, so that the first and second terminals It is characterized in that the management device is not interposed in data communication performed between them.

  According to the seventh aspect of the present invention, after the connection by data communication is established and the data communication between the terminals is connected, the encryption key permitted to be received by the other party between the connected terminals is acquired. Therefore, data can be directly transmitted / received to / from a partner terminal that cannot be directly accessed at the time of connection.

  According to an eighth aspect of the present invention, there is provided a communication connection method according to the seventh aspect of the present invention, wherein the connection is established between the first and second terminals by the connection establishing step, and packets are transmitted and received. The TCP segment part based on the TCP / IP procedure of packets transmitted and received between the first and second terminals encrypts with the encryption key determined for the destination terminal at the time of transmission In the reception, decryption is performed using the encryption key.

  According to the eighth aspect of the invention, since the entire TCP segment of the data to be transmitted can be encrypted using the encryption key, the confidentiality of the data can be maintained. Further, since it is not possible to determine whether or not the TCP segment is encrypted from the contents of the IP header at this time, the data can be made more difficult to decipher.

  A program according to the invention of claim 9 can cause a computer to execute the method described in any one of claims 1 to 8.

  The communication connection apparatus according to the invention of claim 10 is a communication connection apparatus that manages connection of data communication between terminals, and establishes a connection transmitted from a first terminal that is a connection source of the data communication. Request response receiving means for receiving request data and connection confirmation response data transmitted from the second terminal to which the first terminal is connected, and the request response receiving means for receiving the first response data. Address information uniquely identifying the first terminal included in the connection establishment request data received from the second terminal, and the second confirmation information included in the connection confirmation data received from the second terminal. Encryption keys of the first and second terminals from among encryption keys predetermined for each of the terminals based on address information for uniquely identifying the terminal of An encryption key selecting means for selecting each of the connections, and the encryption key of the first terminal selected by the encryption key selecting means for the connection establishment request data received from the first terminal. The establishment request data is transmitted to the second terminal, and the connection confirmation response data received from the second terminal is selected by the encryption key selection means in the second terminal. Request response transmission means for transmitting the encryption key to the first terminal by including it in the data of the connection confirmation response received from the second terminal.

  According to the tenth aspect of the present invention, each terminal device can start a data communication connection by holding only the encryption key defined in the management device, and is a data communication connection process. Since connection establishment requests and connection confirmation responses can be performed in a lump in the management device, it is possible to retain information between terminals that connect data communications only to the management device, and unauthorized access Can be prevented and confidentiality can be maintained. In addition, since the management apparatus collectively performs the data communication connection processing, it is possible to reduce the burden of packet processing that needs to be performed when each terminal connects.

  According to an eleventh aspect of the present invention, in the communication connection device according to the tenth aspect, when the request response receiving means receives data of the connection establishment request from the first terminal, and When the data of the acknowledgment of the connection is received from the second terminal, the reception is permitted only when there is the encryption key in each packet of the data, and the reception is performed when there is no encryption key. A reception refusal means for refusing is provided.

  According to the eleventh aspect of the present invention, it is possible to set the reception permission of the transmitted data by determining whether or not the encryption key is set, and the reception from the general user is not permitted. The reception of data from a specific transmission side can be permitted, and the confidentiality of data contents to be transmitted and received can be maintained. In addition, it is possible to prevent illegal connection and transmission of illegal packets, and to maintain data confidentiality on the receiving side.

  A communication connection device according to a twelfth aspect of the present invention is the communication connection device according to the tenth or eleventh aspect, wherein the request response receiving means receives the connection establishment request data from the first terminal. And when the connection confirmation response data is received from the second terminal, the encryption key defined for the communication connection device is included in each of the data packets. And an encryption key authenticating means for permitting reception only.

  According to the invention of claim 12, since transmission of data is permitted only when the transmission destination holds the encryption key permitted to be received, reception from other users is prohibited and unauthorized access is prevented. Can be prevented.

  A communication connection device according to a thirteenth aspect of the present invention is the communication connection device according to any one of the tenth to twelfth aspects, wherein the request response transmission means sends a request for establishing the connection to the second terminal. When transmitting data, the TCP header part in the data is encrypted using the encryption key determined for the second terminal based on the TCP / IP procedure, and the first terminal When transmitting the connection confirmation response data, a cipher that encrypts a TCP header portion in the data using the encryption key determined for the first terminal based on a TCP / IP procedure. It is characterized by having a conversion means.

  According to the invention of claim 13, the data content itself to be transmitted is encrypted by using the encryption key determined for each, thereby maintaining the confidentiality of the data transmitted and received from the connection stage of the data communication. Can do. Further, since the data to be transmitted can be kept confidential for each packet, the confidentiality of the data can be improved.

  The communication connection device according to a fourteenth aspect of the present invention is the communication connection device according to the thirteenth aspect, wherein the request response receiving means receives the connection establishment request data received from the first terminal, and the first Decrypting the TCP data part based on the TCP / IP procedure of each packet of the connection acknowledgment data received from the terminal 2 using the encryption key determined for the communication connection device It is characterized by comprising a decoding means for performing the conversion.

  According to the fourteenth aspect of the present invention, confidentiality of data transmitted and received from the stage of connection of data communication is achieved by decrypting the received data content itself using an encryption key determined for each. Can do. Further, since the data to be transmitted can be kept confidential for each packet, the confidentiality of the data can be improved.

  In the LAN control device according to the fifteenth aspect of the present invention, the transmission source device and the reception destination device have the same configuration, and the LAN control device that transmits and receives data between them allows reception of data to be transmitted. For this purpose, the encryption key for preliminarily communicating to the receiving device is used as the advance encryption key, and the advance encryption key is selected at random from a plurality of encryption keys prepared in advance. Key selection means, advance notice encryption key storage means for storing the advance notice encryption key selected by the advance notice encryption key selection means for setting in data of data to be transmitted thereafter, and When storing the notice encryption key by the notice encryption key storage means, if the notice encryption key already stored by the notice encryption key storage means exists, the notice encryption key already stored is stored. Conversion A temporary storage means for temporarily storing the advance notice encryption key as an authentication encryption key when the advance notice encryption key is stored in the temporary storage means, and the advance notice encryption key in the temporary storage means. Is stored as an authentication encryption key, the authentication encryption key setting means set in the packet of data to be transmitted, and the notice encryption key selection means selected by the advance encryption key selection means An encryption key transmission unit configured to set a notice encryption key in a packet of the data to be transmitted and transmit the packet to the reception destination device is provided.

  According to the fifteenth aspect of the present invention, when performing data transmission, the encryption key used for permitting reception when performing the next data transmission is transmitted in advance to the transmission destination, and the encryption key used for permitting reception is replaced each time. As a result, the confidentiality of the data to be transmitted can be improved.

  A LAN control device according to a sixteenth aspect of the present invention is the LAN control device according to the fifteenth aspect, wherein the encryption key transmitting unit receives data transmitted from the transmission source device; Data reception refusal means for judging permission / non-permission of reception based on the presence / absence of the authentication encryption key included in the data received by the data receiving means, and reception of the data received by the data reception refusal means. When the notice encryption key is set in the reception notice encryption key storage means for storing the notice encryption key, and when the notice encryption key is stored by the reception notice encryption key storage means When the notice encryption key already stored by the reception notice encryption key storage means exists, the already stored notice encryption key is temporarily stored. Reception temporary storage means, reception authorization by the data reception refusal means, the authentication encryption key included in the received data, and a notice encryption key stored in the reception temporary storage means or a predetermined encryption key And a data reception authentication means for comparing the encryption key and permitting the reception of data only when they match.

  According to the sixteenth aspect of the present invention, an encryption key for permitting reception of data to be received is obtained from the previously received data, held, and used to permit reception, thereby permitting reception. The encryption key to be used can be made different every time, and the confidentiality at the time of reception can be improved.

  A LAN control device according to a seventeenth aspect of the present invention is the LAN control device according to the sixteenth aspect, wherein the encryption key transmitting means transmits a packet of the data based on a TCP / IP procedure of the packet. The segment part is encrypted with the authentication encryption key set by the authentication encryption key setting means, and the data receiving means receives the packet of data transmitted by the encryption key transmitting means, The TCP segment part based on the TCP / IP procedure of the packet is decrypted with the notice encryption key stored in the reception temporary storage means.

  According to the invention of claim 17, since the entire TCP segment of the data to be transmitted can be encrypted using the encryption key, the confidentiality of the data can be maintained. Further, since it is not possible to determine whether or not the TCP segment is encrypted from the contents of the IP header at this time, the data can be made more difficult to decipher.

  According to an eighteenth aspect of the present invention, in the LAN control device according to any one of the fifteenth to seventeenth aspects, the card having the means is inserted into an expansion slot of the information terminal device. And

  According to the invention of claim 18, the LAN control device of the present invention is inserted into an expansion slot such as PCI or ISA prepared in an information terminal such as a personal computer, thereby performing data communication with convenience. You can do it.

  According to a nineteenth aspect of the present invention, in the LAN control device according to the eighteenth aspect of the invention, the means is configured such that the CPU of the information terminal device executes the program stored in the erasable storage means. It is characterized by being configured.

  According to the nineteenth aspect of the present invention, setting data and programs can be rewritten and executed by using an erasable ROM.

  A LAN control device according to a twentieth aspect of the present invention is the LAN control device according to the nineteenth aspect, further comprising an insertion / removal detection means for detecting an insertion / removal state of the card mounted in the expansion slot of the information terminal device, The insertion / removal detection means erases the contents of the storage means when the removal of the card is detected while the information terminal device is powered off.

  According to the twentieth aspect of the present invention, the data or program written in the internal ROM is erased by removing the network interface card from the information terminal device with the power of the information terminal device such as a personal computer turned off. Therefore, when the network interface card is stolen, it can be prevented from being reused by another information terminal device. Moreover, it is possible to prevent internal data and programs from being analyzed after being extracted.

  As described above, the invention according to claim 1 is a communication connection method for connecting data communication between terminals via a management device, and the management device is predetermined for each of the terminals. An encryption key selection step of selecting an encryption key determined for each of the first terminal as a connection source of the data communication and the second terminal as a connection destination from among the encryption keys; Different encryption keys respectively determined for the first and second terminals selected by the encryption key selection step are set in the respective data packets when the data communication is performed, and the first And a connection establishment step for establishing a connection between the first terminal and the second terminal. Therefore, when data communication is connected, a data transmission destination is predetermined for permitting reception. Since the encryption key can be obtained from the management device that manages data communication, it is not necessary to hold the encryption key defined for the other terminal device for each terminal device, and the encryption key of each terminal device can be stored. There is an effect that it is not necessary to distribute in advance.

  According to a second aspect of the present invention, in the first aspect of the present invention, the connection establishment request data transmitted from the first terminal is received, and the connection establishment request data is included in the connection establishment request data. Since the connection request receiving step for transmitting the information of the first and second terminals to the encryption key selection step is included, when data communication is connected between the terminals, the communication destination is not the communication partner. Since it can be started by sending a connection request to the device, each terminal device can connect data communication by holding only the encryption key for allowing the management device to receive, There is an effect that confidentiality can be achieved during data communication.

  The invention according to claim 3 is the invention according to claim 2, wherein the connection establishment step includes the connection establishment request data received from the first terminal in the connection request reception step, and A connection request transmission step for transmitting the encryption key selected for the first terminal to the second terminal by an encryption key selection step, and the second request by the connection request transmission step. In response to the connection establishment request data transmitted to the terminal, a connection confirmation receiving step of receiving connection confirmation response data returned from the second terminal, and the second terminal through the connection confirmation receiving step. And the connection confirmation response data received from the second terminal by the encryption key selection step. And a connection confirmation transmission step for transmitting the selected encryption key to the first terminal. Therefore, in the connection process of data communication, the connection between the terminals is exchanged. Since establishment requests and connection confirmation responses can be sent collectively via the management device, information on the terminal to which data communication is connected can be held only in the management device, preventing unauthorized access. And maintain confidentiality. In addition, since the management apparatus performs data communication connection processing, it is possible to reduce the burden of packet processing normally performed by individual terminals.

  The invention according to claim 4 is the invention according to claim 2 or 3, wherein the connection request receiving step receives data of the connection establishment request from the first terminal, and the connection. A configuration including a reception refusal step of determining whether or not to permit reception based on the presence or absence of the encryption key in each packet when data of the connection confirmation response is received from the second terminal in the confirmation reception step Therefore, by determining whether or not an encryption key has been set, it is possible to set permission to receive data to be transmitted, disallowing reception from general users, and from a specific sending side. Data can be permitted to be received, and the confidentiality of the data contents to be transmitted and received can be maintained. Further, it is possible to prevent illegal connection and transmission of illegal packets, and to maintain data confidentiality on the receiving side.

  The invention according to claim 5 is the invention according to claim 4, wherein the reception rejection step receives the connection establishment request data from the first terminal by the connection request reception step. And when the connection confirmation response data is received from the second terminal in the connection confirmation receiving step, the encryption key defined for the management device is included in each packet. In such a case, it is allowed to receive data only when holding the encryption key that is permitted to be received by the transmission destination. There is an effect that unauthorized access can be prevented.

  The invention according to claim 6 is the invention according to any one of claims 2 to 5, wherein the connection establishment step establishes the connection to the second terminal by the connection request transmission step. When transmitting the requested data, the TCP header portion in the data is encrypted using the encryption key determined for the second terminal based on the TCP / IP procedure, and the connection When transmitting the confirmation response data of the connection to the first terminal by the confirmation transmission step, the TCP header portion in the data is determined for the first terminal based on the TCP / IP procedure. Encryption is performed using an encryption key, and the connection is established from the first terminal by the encryption step and the connection request reception step. When the request data is received, and when the connection confirmation response data is received from the second terminal by the connection confirmation reception step, the TCP data portion based on the TCP / IP procedure of each packet And a decryption step of performing decryption using the encryption key determined for the management device, so that data to be transmitted / received is encrypted or decrypted using the encryption key By doing so, it is possible to maintain confidentiality of data transmitted and received from the connection stage of data communication. Further, since the data to be transmitted can be kept secret for each packet, there is an effect that the confidentiality of the data can be improved.

  Further, in the invention according to claim 7, in the invention according to any one of claims 1 to 6, when the connection between the first and second terminals is established by the connection establishing step, the The packet transmitted from the first terminal is set with header information routed to the second terminal and the encryption key defined for the second terminal, while being transmitted from the second terminal. The packet to be transmitted is set between the first and second terminals by setting header information routed to the first terminal and an encryption key defined for the first terminal. Since the management device is not used for data communication to be performed, a connection by data communication is established, and after data communication between terminals is connected, reception is permitted to the other party between the connected terminals. Obtain the encryption key It is possible to, achieve a partner terminal which can not be directly accessed when the connection, the effect of making it possible to transmit and receive data directly.

  The invention according to claim 8 is the invention according to claim 7, wherein when the connection between the first and second terminals is established by the connection establishing step and packets are transmitted and received, The TCP segment part based on the TCP / IP procedure of packets transmitted and received between the first and second terminals encrypts with the encryption key determined for the destination terminal at the time of transmission, and at the time of reception Since the decryption is performed using the encryption key, the entire TCP segment of the data to be transmitted can be encrypted using the encryption key, so that the confidentiality of the data can be maintained. Moreover, since it is not possible to determine whether or not the TCP segment is encrypted from the contents of the IP header at this time, there is an effect that the data can be made more difficult to decipher.

  Further, according to the invention described in claim 9, there is an effect that a program capable of causing a computer to execute the method described in any one of claims 1 to 8 is obtained.

  According to a tenth aspect of the present invention, there is provided a communication connection device that manages connection of data communication between terminals, and connection establishment request data transmitted from a first terminal that is a connection source of the data communication. , And connection confirmation response data transmitted from the second terminal to which the first terminal is connected, request response receiving means for receiving the data, and the request response receiving means from the first terminal. Address information for uniquely identifying the first terminal included in the received connection establishment request data, and the second terminal included in the connection confirmation response data received from the second terminal. Based on the uniquely identified address information, the encryption keys of the first and second terminals are respectively selected from the encryption keys predetermined for each of the terminals. An encryption key selection means, and the connection establishment request using the encryption key of the first terminal selected by the encryption key selection means in the connection establishment request data received from the first terminal. The encryption of the second terminal selected by the encryption key selection means in the connection confirmation response data received from the second terminal and transmitted to the second terminal. Request response transmission means for transmitting the key to the first terminal by including the key in the connection acknowledgment data received from the second terminal, so that each terminal device is defined as a management device. Data communication connection can be started by holding only the encryption key, and connection establishment request and connection confirmation that is the data communication connection process can be started. Answers can be sent in a lump in the management device, so information between terminals that connect data communications only to the management device can be held, preventing unauthorized access and maintaining confidentiality be able to. In addition, since the management apparatus performs the data communication connection process in a lump, it is possible to reduce the burden on the packet processing that each terminal needs to perform at the time of connection.

  The invention according to claim 11 is the invention according to claim 10, wherein the request response receiving means receives the connection establishment request data from the first terminal, and the second When the connection acknowledgment data is received from the terminal, the reception is permitted only when there is the encryption key in each packet of the data, and the reception is refused when there is no encryption key Since it has a refusal means, it becomes possible to set the reception permission of the data to be transmitted by judging the presence or absence of the encryption key setting. It is possible to permit reception of data from the transmission side, and it is possible to maintain confidentiality of data contents to be transmitted and received. In addition, it is possible to prevent unauthorized connection and transmission of unauthorized packets, and to maintain data confidentiality on the receiving side.

  The invention according to claim 12 is the invention according to claim 10 or 11, wherein the request response receiving means receives data of the connection establishment request from the first terminal, and Received only when the connection confirmation response data is received from the second terminal and each of the data packets includes the encryption key determined for the communication connection device. Since the encryption key authentication means that permits the transmission is permitted, it is permitted to transmit data only when the transmission destination holds the encryption key that is permitted to receive, so the reception from other users is not permitted, There is an effect that unauthorized access can be prevented.

  The invention according to claim 13 is the invention according to any one of claims 10 to 12, wherein the request response transmission means transmits data of the connection establishment request to the second terminal. When encrypting, a TCP header part in the data is encrypted using the encryption key determined for the second terminal based on a TCP / IP procedure, and the connection is made to the first terminal. When transmitting the confirmation response data, encryption means for encrypting the TCP header portion in the data using the encryption key determined for the first terminal based on the TCP / IP procedure Since the data content itself to be transmitted is encrypted using the encryption key determined for each, the confidentiality of the data transmitted and received from the connection stage of data communication can be maintained.Moreover, since the data to be transmitted can be kept secret for each packet, there is an effect that the confidentiality of the data can be improved.

  The invention according to claim 14 is the invention according to claim 13, wherein the request response receiving means receives the connection establishment request data received from the first terminal, and the second terminal. The TCP data part based on the TCP / IP procedure of each packet of the connection acknowledgment data received from the server is decrypted using the encryption key determined for the communication connection device. Since the decryption means is provided, it is possible to maintain confidentiality of data transmitted and received from the connection stage of data communication by decrypting the received data content itself using the encryption key defined for each. . Moreover, since the data to be transmitted can be kept secret for each packet, there is an effect that the confidentiality of the data can be improved.

  Further, in the invention according to claim 15, the LAN control device that transmits and receives data between the transmission source device and the reception destination device has the same configuration, and receives the data to permit reception. A pre-encryption encryption key selection means for selecting a pre-encryption encryption key to be communicated in advance to the previous device as a pre-encryption encryption key and randomly selecting one of the pre-encryption encryption keys from a plurality of encryption keys prepared And a notice encryption key storage means for storing the notice encryption key selected by the notice encryption key selection means for setting in data of data to be transmitted next time, and the notice encryption. When storing the notice encryption key by the key storage means, if the notice encryption key already stored by the notice encryption key storage means exists, the notice encryption key already stored is stored. Temporarily remember And the temporary encryption unit is used as an authentication encryption key, and the preliminary encryption key is not stored in the temporary storage unit. In this case, a predetermined encryption key is used as an authentication encryption key, the authentication encryption key setting means set in a packet of data to be transmitted, and the notice encryption key selected by the notice encryption key selection means And an encryption key transmitting means that is set in the packet of the data to be transmitted and is transmitted to the receiving device, and is used for receiving permission when performing the next data transmission when performing the data transmission. By transmitting the encryption key to the transmission destination in advance and replacing the encryption key used for reception permission every time, the confidentiality of the data to be transmitted can be improved.

  The invention according to claim 16 is the data receiving means according to claim 15, wherein the encryption key transmitting means receives data transmitted from the transmission source device, and the data receiving means. The data reception refusal means for judging whether or not to permit the reception depending on the presence or absence of the authentication encryption key included in the data received by the data, and the data reception refusal means permits the reception, and the received data includes the data When the notice encryption key is set, the reception notice encryption key storage means for storing the notice encryption key, and when the notice encryption key is stored by the reception notice encryption key storage means, the reception notice key is stored. Receiving temporary storage means for temporarily storing the notice encryption key already stored when the notice encryption key already stored by the notice encryption key storage means exists , The authentication encryption key that is permitted to be received by the data reception refusal means and included in the received data, the advance encryption key stored in the reception temporary storage means or a predetermined encryption key, And a data reception authentication unit that permits data reception only when there is a match, so that an encryption key for permitting reception of the received data is obtained from the previous received data and held. In addition, by using this to permit reception, the encryption key used for reception permission can be made different each time, and it is possible to improve the confidentiality at the time of reception.

  The invention according to claim 17 is the invention according to claim 16, wherein when the encryption key transmitting means transmits the packet of data, the TCP segment part based on the TCP / IP procedure of the packet is set. Encryption is performed with the authentication encryption key set by the authentication encryption key setting means, and when the data receiving means receives the packet of the data transmitted by the encryption key transmitting means, Since the TCP segment part based on the TCP / IP procedure is configured to be decrypted with the notice encryption key stored in the temporary reception storage means, the entire TCP segment of the data to be transmitted is encrypted using the encryption key. Data confidentiality can be maintained. Moreover, since it is not possible to determine whether or not the TCP segment is encrypted from the contents of the IP header at this time, there is an effect that the data can be made more difficult to decipher.

  The invention according to claim 18 is the invention according to any one of claims 15 to 17, wherein the card having the means is inserted into an expansion slot of the information terminal device. The LAN control device of the invention is advantageous in that it can perform data communication with convenience by being inserted into an expansion slot such as PCI or ISA prepared in an information terminal such as a PC.

  Further, in the invention described in claim 19 according to the invention described in claim 18, since each of the means is configured such that the CPU of the information terminal device executes a program stored in the erasable storage means. By using an erasable ROM, the setting data and program can be rewritten and executed.

  The invention according to claim 20 is the invention according to claim 19, further comprising insertion / removal detection means for detecting the insertion / removal state of the card mounted in the expansion slot of the information terminal device. Is configured to erase the contents of the storage means when the removal of the card is detected in a state where the power of the information terminal device is off, so that the information terminal device such as a personal computer is turned off, By removing the network interface card from the information terminal device, the data and programs written in the internal ROM are erased, preventing the network interface card from being reused by another information terminal device when it is stolen. be able to. In addition, it is possible to prevent analysis of internal data and programs after being extracted.

  Exemplary embodiments of a communication connection method according to the present invention and a program for causing a computer to execute the method, a communication connection device, and a LAN control device will be described below in detail with reference to the accompanying drawings.

  FIG. 1 is a diagram showing an arrangement configuration using a LAN control device according to this embodiment of the present invention. As illustrated, a LAN 101 including a management server 102 and terminal devices 103, 104,... Connected to the management server 102 is connected to a network 100. Further, LANs 101a, 101b,... Having the same configuration as in the LAN 101 are connected.

  The LAN 101 is configured as a departmental LAN for work and management, such as a company department. The management server 102 installed in the LAN 101 and the terminal devices 103, 104,... Are connected using a connection method such as Ethernet (R), and data according to the TCP / IP communication procedure. Can be sent and received.

  The management server 102 is a server that manages communication connections between the respective terminal devices in the LAN 101, and performs communication connections with the respective terminal devices installed inside the other external LANs 101a, 101b,. Also manage the occasion. The management server 102 is loaded with a card 102a that is a LAN control device of the present invention. The card 102a is a so-called network interface card (NIC), and the same applies to the cards 103a, 104a,... Attached to the terminal devices 103, 104,.

  And it is the structure which can transmit / receive data only between the terminal devices provided with the network interface card which is the LAN control device of the present invention. What is a terminal device equipped with other general network interface cards? Data transmission / reception and access are prohibited.

  The management server 102 and the terminal devices 103, 104,... Are composed of, for example, various personal computers and workstations, and the cards 103a, 104a,. Assume that data is transmitted / received in an expansion slot such as a slot.

  FIG. 2 is a block diagram showing the internal configuration of the LAN control device according to this embodiment of the present invention. As shown in the figure, the cards 102a, 103a, and 104a are attached to the management server 102, the terminal device 103, and the terminal device 104, respectively.

  The card 102a includes an encryption key selection unit 202 that selects an encryption key defined for each terminal device, and a transmission unit 201 that transmits data including the encryption key selected by the encryption key selection unit 202. A receiving unit 203 that receives data from each terminal device is provided. Further, the cards 103a and 104a notify the advance encryption key selection unit 204 for selecting an encryption key for notifying the other party of the encryption key used for permitting reception of data received at the next reception. The notice encryption key storage unit 205 that stores the encryption key, the transmission unit 206 that transmits data including the encryption key to be notified in advance, the reception unit 208 that receives data, and other terminal devices are notified in advance. A reception notice encryption key storage unit 207 for storing the encryption key.

  Data transmitted / received among the management server 102, the terminal device 103, and the terminal device 104 is encrypted when transmitted from the transmission unit 201 and the transmission unit 206, respectively, and the reception unit It is assumed that decryption processing is performed when the data is received at 203 and the reception unit 208, respectively. The encryption and decryption functions described above are realized by hardware using a chip such as an FPGA.

  Further, when performing these encryption and decryption processes, ROM data (not shown) is read. The ROM stores in advance a key for performing encryption, which will be described later, and a table of key collections. The encryption key selection unit 202 of the management server 102 selects a key necessary for data communication with the terminal device 103 and the terminal device 104 from the table of the key collection, and transmits the transmission unit. It transmits through 201.

  FIG. 3 is an explanatory diagram showing a data structure for each layer in TCP / IP. The communication protocol includes an OSI reference model as an international standard model, but TCP / IP is used as a standard protocol for the Internet. A part of the TCP / IP layer has a content that combines a plurality of layers of the OSI reference model, and is implemented as a protocol stack based on a hierarchical structure as shown in the figure.

  The application layer 301 generates the transmission data 302 by performing processing depending on the business. The transport layer 303 generates information such as identification of destination and source application, error control, sequence control (arrival order guarantee) as a TCP header 304 and adds it to the head of the transmission data 302 to generate a packet.

  The Internet layer 305 generates a transmission source, a transmission destination IP address, and the like as an IP header 306 and adds the IP header 306 to the head of the TCP header 304 generated by the transport layer 303. The data link layer 307 generates an Ethernet header 308 as an interface to a physical medium or device, and adds it to the head of the IP header 306 generated by the Internet layer 305. The physical layer 309 actually transmits packet (frame) data generated up to the data link layer 307 based on the physical specification of the transmission path.

  As described above, when data is passed from each upper layer to the lower layer, a header peculiar to the layer is generated and added to the head of the data. On the contrary, when packet data is received, when the data is transferred from the lower layer to the upper layer, the header added by the same source layer is referred to and deleted. Hereinafter, in the present embodiment, data necessary for data communication is set in the above-described TCP or IP header, and the data is transferred between terminal devices. Although not shown in the figure, a TCP header and TCP data concatenated is called a TCP segment and is used in this embodiment.

  FIG. 4 is a flowchart showing an example of processing at the start of communication connection of the terminal device according to the embodiment of the present invention. In general, when data is transmitted / received using a TCP / IP processing procedure, first, a process for establishing a communication connection called negotiation is performed between the terminals that perform transmission / reception, and the data transmission / reception process is performed after the connection is established. To start. In FIG. 4, a transition of negotiation performed between the terminal device 103 illustrated in FIG. 1 and the terminal device 104 is illustrated as a flowchart.

  First, the terminal apparatus 103 transmits a connection establishment request for communication connection with the terminal apparatus 104 from the transmission unit 206 to the management server 102 (step S401). The management server 102 determines from the contents of the packet received from the terminal device 103, and transmits a connection establishment request from the transmission unit 201 to the terminal device 104 which is the counterpart (step S402).

  The terminal device 104 that has received the connection establishment request transmitted from the terminal device 103 from the management server 102 does not connect to the requesting terminal device 103 but to the management server 102 that is the packet transmission source. The confirmation response is transmitted from the transmission unit 206 (step S403), and the process ends. The management server 102 that has received the connection confirmation response from the terminal device 104 transmits a connection confirmation response to the terminal device 103 from the transmission unit 201 (step S404), and ends the process.

  Then, when the terminal device 103 receives the connection confirmation response from the terminal device 104 by the receiving unit 208, the connection between the terminal device 103 and the terminal device 104 is established, and the negotiation is completed. Thereby, the data communication between the terminal device 103 and the terminal device 104 can be started (step S405). After the negotiation is completed, data transmission / reception performed between the terminal device 103 and the terminal device 104 is performed directly without using the management server 102 as described above. This data transmission / reception flow is shown in the flowchart of FIG.

  The above-described negotiation of the present invention is different from general TCP / IP communication connection negotiation in that the terminal device 103 and the terminal device 104 do not negotiate directly, but are performed via the management server 102. The point through the management server 102 will be further described with reference to FIG.

  FIG. 5 is an explanatory diagram showing various data set in a packet transmitted / received at the time of negotiation according to the embodiment of the present invention. FIG. 5 describes each transmission timing at which the connection request or response of FIG. 4 is transmitted and the contents of the packet transmitted at that time.

  An item 501 in the table indicates symbols of transmission timings of various packets transmitted and received by the terminal device 103, the terminal device 104, and the management server 102 illustrated in FIG. An item 502 indicates an encryption key set in the TCP header by the transmission source at the transmission timing indicated in the item 501. An item 503 indicates the content of processing performed by the transmission source on the data area of the TCP segment at the transmission timing similarly indicated in the item 501.

  Here, the above-mentioned key generally refers to a key used for encryption when data communication is performed via a network. In the present invention, encryption algorithms such as Triple-DES and AES are used for encryption processing. Consider.

  A plurality of such keys are held in the network interface card which is the LAN control device of the present invention. A group of keys held in plural is used as a table. The table can hold a number of keys that can uniquely identify a terminal device installed in the LAN 101, and a different table is used for each LAN.

  First, transmission timing (a) indicates the timing when a connection establishment request packet is transmitted from the terminal device 103 of FIG. 4 to the management server 102. A key S determined in advance as a dedicated key of the management server 102 is set in the TCP header of the packet transmitted at the transmission timing (a).

  Here, the dedicated key refers to a unique key determined for each of the management server 102 and each terminal device. In an initial state where data communication is not started, each terminal device such as the terminal device 103 and the terminal device 104 holds only a dedicated key determined by itself and a dedicated key of the management server 102, When negotiating, the dedicated key of the management server 102 is set in a packet and transmitted.

  This indicates that each terminal device managed by the management server 102 can access only the management server 102 before the negotiation is completed. In other words, until the negotiation is completed, the clients cannot directly transmit packets to other terminal devices, which means that they cannot recognize each other.

  Then, the data in the data area of the packet transmitted at the transmission timing (a) is encrypted with the key S that is the dedicated key of the management server 102 described above. The management server 102 that has received the packet at the transmission timing (a) identifies that the packet is transmitted to itself because the key S is set in the TCP header, and the data area is stored in the key S. Therefore, the decryption process is performed with the key S, which is its own dedicated key. Then, since the content of the decrypted data is a request for establishing a connection to the terminal device 104 by the terminal device 103, the fact that the packet has been transmitted to the management server 102 is identified.

  Next, the transmission timing (b) indicates the timing when the management server 102 transfers the packet received at the transmission timing (a) to the terminal device 104. A key B, which is a dedicated key of the terminal device 104, is set in the TCP header of the packet transmitted at the transmission timing (b). The data in the data area of the packet transmitted at the transmission timing (b) is encrypted with the key B.

  The terminal device 104 that has received the packet at the transmission timing (b) identifies the packet transmitted to itself because the key B is set in the TCP header. Further, since the data content is encrypted with the key B, the decryption process is performed with the key B which is its own dedicated key. Then, the fact that the connection establishment request has been received from the terminal device 103 is identified by the decrypted data content. At this time, the dedicated key A of the terminal device 103 is also received from the management server 102.

  Next, the transmission timing (c) indicates the timing when the terminal device 104 returns the packet received at the transmission timing (b) to the management server 102. A key S that is a dedicated key of the management server 102 is set in the TCP header of the packet transmitted at the transmission timing (c). Further, data encrypted with the key S is set in the data area of the packet transmitted at the transmission timing (c).

  The management server 102 that has received the packet at the transmission timing (c) identifies the packet transmitted to itself because the key S is set in the TCP header. Further, since the data content is encrypted with the key S, the decryption process is performed with the key S which is its own dedicated key. The terminal device 104 identifies that the terminal device 104 has transmitted a connection confirmation response to the terminal device 103 based on the decrypted data content.

  The transmission timing (d) indicates the timing when the management server 102 transfers the packet received at the transmission timing (c) to the terminal device 103. A key A which is a dedicated key of the terminal device 103 is set in the TCP header of the packet transmitted at the transmission timing (d). The data in the data area of the packet transmitted at the transmission timing (d) is encrypted with the key A.

  The terminal device 103 that has received the packet at the transmission timing (d) identifies the packet transmitted to itself because the key A is set in the TCP header. Further, since the data content is encrypted with the key A, the decryption process is performed with the key A which is its own dedicated key. Then, the fact that the connection confirmation response has been received from the terminal device 104 is identified by the decrypted data content. At this time, the dedicated key B of the terminal device 104 is also received from the management server 102.

  In addition, in order for the management server 102 to identify where the packet received at the transmission timings (a) and (c) described above is transmitted from, the dedicated terminal devices 103 and 104 serving as transmission sources are dedicated. In addition to using a key, it may be possible to use information such as a MAC address and an OS serial number. The management server 102 only needs to be able to uniquely identify that the transmission source of the packet is one of the terminal devices that it manages.

  Further, information such as the MAC address and OS serial number described above as information for identifying each terminal device is stored in the management server 102 in advance, or can be registered in the management server 102 when communication is performed. To. In this way, for example, when the card 103a is removed from the terminal device 103 and used in another terminal device, the management server 102 checks the MAC address of the terminal device that has been used again and the serial number of the OS. By doing so, illegal use such as theft can be prevented.

  By performing the processing shown in FIGS. 4 and 5, the negotiation for data communication according to the present invention is completed. As a result, the key A that is a dedicated key of the terminal device 103 is passed to the terminal device 104, and the key B that is a dedicated key of the terminal device 104 is passed to the terminal device 103. After the completion of the negotiation, the terminal device 103 and the terminal device 104 directly transmit and receive data using the other party's dedicated key received from each other.

  FIG. 6 is a flowchart showing an example of the data communication process after the negotiation is completed according to the embodiment of the present invention. As shown in FIG. 4, when the negotiation between the terminal device 103 and the terminal device 104 is completed, data transmission / reception is started.

  When data is transmitted / received, packets are directly transmitted / received between the terminal device 103 and the terminal device 104 without going through the management server 102. FIG. 6 shows a flowchart of data transmission / reception processing performed between the terminal device 103 and the terminal device 104 following the completion of the negotiation shown in FIG.

In the following description, two types of encryption keys called a first key and a second key are used. The first key is a key used for encryption or decryption of the data area of the TCP segment in the packet to be transmitted / received. Further, the first key is also used as authentication information for determining whether or not the packet received by the receiving terminal device has been transmitted to itself. On the other hand, the second key is a key for use as the first key when the next transmission / reception is performed,
This is the encryption key selected by the notice encryption key selection unit 204 in FIG. The second key is a key used for encryption or decryption of the data area of the TCP segment in the packet.

  At the start of data communication processing, the first key used in the very first transmission / reception is the dedicated key of the other party that established the connection in FIG. Specifically, if a packet is transmitted from the terminal device 103, the key B that is a dedicated key of the terminal device 104 is used, and if a packet is transmitted from the terminal device 104, the key that is a dedicated key of the terminal device 103 is used. Each A is used as the first key.

  First, for the IP packet transmitted from the terminal device 103, the card 103a encrypts the data area of the TCP segment using the first key (key B) (step S601), and the first key ( Key B) is set (step S602).

  Next, the terminal device 103 randomly determines the encryption key used for encryption at the time of the next packet transmission process as the second key by the notice encryption key selection unit 204, and sets the second key in the IP header. (Step S603). The randomly determined second key is stored in the notice encryption key storage unit 205. When the generation of the packet is completed, the generated packet is transmitted from the transmission unit 206 to the terminal device 104 (step S604), and the data transmission processing from the terminal device 103 is terminated.

  On the other hand, when the card 104a of the terminal device 104 receives the packet transmitted from the terminal device 103 at the receiving unit 208 (step S605), it determines whether or not the second key is set in the IP header (step S606). ). If the second key is not set (step S606: No), the packet is discarded (step S607), and the process ends.

  When the second key is set in the IP header (step S606: Yes), the second key set in the IP header is acquired (step S608). Since the second key acquired here is used as the first key of the next packet transmitted from the terminal device 103, it is held in the reception notice encryption key storage unit 207 in the card 104a. Next, it is determined whether or not the first key is set in the TCP header (step S609). If the first key is not set (step S609: No), the packet is discarded (step S607), and the process is terminated.

  When the first key is set in the TCP header (step S609: Yes), the first key set in the TCP header is acquired (step S610), and the data area of the TCP segment is decrypted using the first key. (Step S611), and the process ends.

  After the series of transmission / reception processes described above, the flow of processing when a reply is made from the terminal device 104 to the terminal device 103 is the same. In this case, the first key is a dedicated key of the terminal device 103. Key A is used. Thereafter, when a packet is further transmitted from the terminal device 103 to the terminal device 104, the first key at that time is randomly determined in step S603 and stored in the notice encryption key storage unit 205. The second key is used.

  FIG. 7 is a schematic diagram illustrating data processing performed in the data communication processing according to the present embodiment of the present invention using a packet data format. FIG. 7 supplements the flow of data communication processing shown in FIG. 6 using a format diagram of packet data, and further shows an example of a method for improving the confidentiality of packet data.

  First, the packet data format 701 indicates a TCP segment in which the TCP header 304 is added to the transmission data 302. An encryption key 702 is set in an area 704 shown in the TCP header 304. The encryption key 702 at this time is the first key shown in FIG. An area 703 is a part of the data in the TCP header 304, and is used as data for determining the packet transmission source at the transmission destination. For example, a sequence number in the TCP header 304 or a reception notification number is used.

  The packet data format 705 is obtained by adding an IP header 306 to the TCP segment shown in the packet data format 701. In the area 710 shown in the IP header 306, the encryption key 706 encrypted by the encryption 707 process is set. The encryption key 706 at this time is the second key shown in FIG. 6, and the encryption 707 is encrypted with the encryption key 702 that is the first key.

  In the area 711 shown in the IP header 306, the area 703 encrypted by the encryption 708 process is set. The transmission data 302 is encrypted by the encryption 709 process. The encryption 708 and the encryption 709 performed at this time both use the encryption key 702 that is the first key.

  Next, when the packet data format 705 arrives at the transmission destination, the following processing is performed. First, the area 710 in the IP header 306 is decrypted by the process of decryption 712 and returned to the encryption key 706. Decryption 712 at this time is performed by the encryption key 702 that is the first key set in the area 704.

  Then, the area 711 is decoded by the process of decoding 713. Using the decrypted data in the area 711, the data in the area 703 is compared with the comparison 714. If they do not match in this comparison process, it is determined that the packet transmission source cannot be confirmed, and the packet is discarded. If it is determined in the comparison process that the data match, the transmission data 302 is decoded by the decoding 715 and received in the form of a packet data format 716.

  In the above description, along with the supplement of the flowchart shown in FIG. 6, the encryption key 706 as the second key is encrypted and set by the processing of the encryption 707, or the data in the area 703 and the data in the area 711 are set. A method for improving the confidentiality of packet data by comparison at the time of reception is also shown.

  When the packet data format 705 described above is transmitted, not only the data area of the TCP segment but also the entire TCP segment may be encrypted with the first key. By encrypting the entire TCP segment, all packet data other than the IP header 306 are encrypted, and confidentiality can be further improved. Even if the entire TCP segment is encrypted, there is no information indicating whether or not the TCP segment is encrypted in the IP header 306, so it is even determined whether or not the TCP segment portion is encrypted. I can't do it.

  FIG. 8 is an explanatory diagram showing various data set in a packet when performing data communication processing according to the embodiment of the present invention. In FIG. 8, a direction in which data communication processing is started and a packet is transmitted and received between the terminal device 103 and the terminal device 104 and the content of the packet transmitted at that time will be described.

  An item 801 in the table indicates a transmission direction of a packet exchanged between the terminal device 103 and the terminal device 104 illustrated in FIG. An item 802 indicates a key set in the IP header when a packet is transmitted in the transmission direction indicated in the item 801. An item 803 indicates a key set in the TCP header when a packet is sent in the transmission direction indicated in the item 801.

  An item 804 indicates processing performed on the data area of the TCP segment when a packet is transmitted in the transmission direction indicated by the item 801. Further, the flow of packet transmission is performed in chronological order from the top in the direction indicated by the item 801. The transmission of the packet indicated by the direction (1) is the first packet transmission that is performed immediately after the negotiation shown in FIGS. 4 and 5 is completed.

  First, in the direction (1), packet transmission is performed from the terminal device 103 to the terminal device 104. At this time, data encrypted with the key B, which is the first key of the terminal device 104 shown in FIG. Further, a key B, which is a dedicated key for the terminal device 104, is set in the TCP header, and a key C, which is a key used at the next packet transmission, is set in the IP header. The key C is a key determined at random as described with reference to FIG.

  The terminal device 104 that has received this packet identifies that the packet is addressed to itself because the key B, which is its own dedicated key, is set in the TCP header, and the data content is encrypted with the key B. Therefore, decryption is performed. Then, it is identified that the packet is transmitted from the terminal device 103 based on the decrypted data content.

  Next, in the direction (2), packet transmission is performed from the terminal device 104 to the terminal device 103. At this time, data encrypted with the key A, which is the first key of the terminal device 103 shown in FIG. Further, a key A that is a dedicated key of the terminal device 103 is set in the TCP header, and a key D that is a key to be used at the next packet transmission is set in the IP header. The key D is a randomly determined key as in (1).

  The terminal device 103 that has received this packet identifies that the packet is addressed to itself because the key A which is its own dedicated key is set in the TCP header, and the data content is encrypted with the key A. Therefore, decryption is performed. Then, it is identified that the packet is transmitted from the terminal device 104 based on the decrypted data content.

  Next, the direction (3) is the second packet transmission from the terminal device 103 to the terminal device 104. At this time, data encrypted with the key C determined in the direction (1) is set as data in the data area of the packet. Similarly, a key C is set in the TCP header, and a key E that is a key to be used at the next packet transmission is set in the IP header. The key E is a randomly determined key as in (1).

  Receiving this packet, the terminal device 104 identifies that the packet is addressed to itself because the key C specified in the previous packet is set in the TCP header, and the data content is encrypted with the key C. Therefore, the decryption process is performed. Then, it is identified that the packet is transmitted from the terminal device 103 based on the decrypted data content.

  Next, the direction (4) is the second packet transmission from the terminal device 104 to the terminal device 103. At this time, data encrypted with the key D determined in the direction (2) is set in the data area of the packet. Similarly, a key D is set in the TCP header, and a key F, which is a key used at the next packet transmission, is set in the IP header. The key F is a randomly determined key as in (1).

  After the negotiation is completed between the terminal apparatus 103 and the terminal apparatus 104, packet data is transmitted and received between the terminal apparatus 103 and the terminal apparatus 104 in the order of directions (1) to (4) as described above. It is. Even after the packet data is transmitted in the direction (4), the packet transmission can be continued using the next key to be used.

  FIG. 9 is a schematic diagram showing the transmission / reception range of data according to this embodiment of the present invention using a TCP / IP hierarchy. In FIG. 9, a difference between data communication between terminals using the LAN control device of the present invention and data communication with a terminal using another general LAN control device will be described using a TCP / IP hierarchy. .

  The terminal device 103 shown in the figure and the terminal device 104 are mounted with the cards 103a and 104a, which are the LAN control devices of the present invention shown in FIG. The terminal devices 103 and 104 include an application layer 901 that performs business processing, a TCP layer 902 that generates TCP packets, an IP layer 903 that delivers packet data to a communication destination, and the LAN control device of the present invention. Each layer is composed of a card driver layer 904 that performs driver processing and an Ethernet layer 905 that performs physical connection.

  On the other hand, since the inside of the terminal device 900 to which a general network interface card is attached does not have the LAN control device of the present invention, the card driver located in the second layer from the bottom shown inside the terminal devices 103 and 104 The layer 904 is the same as that obtained by taking the layer 904, and includes an application layer 901, a TCP layer 902, an IP layer 903, and an Ethernet layer 905.

  A data path 906 indicates a data flow when, for example, a user using the terminal device 104 transmits a packet using a business application or the like. In this case, data is created in the application layer 901, a TCP packet is generated in the TCP layer 902, and an IP header is added in the IP layer 903. Then, the card driver layer 904 performs processing (encryption and the like) necessary for the data communication of the present invention described above with reference to FIGS. 6 to 8, and transmits the frame data from the Ethernet layer 905 to the terminal device 103.

  When the terminal device 103 receives the packet transmitted from the terminal device 104, the operation passes through the card driver layer 904 from the Ethernet layer 905 to the IP layer 903, the TCP layer, contrary to the operation performed at the time of transmission by the terminal device 104. In step 902, data is sequentially transferred to the application layer 901. The card driver layer 904 performs processing (decoding and the like) necessary for the data communication of the present invention described above with reference to FIGS. Therefore, the data path 906 indicates that data communication is normally performed between the terminal device 103 including the card 103a and the terminal device 104 including the card 104a, which are LAN control devices of the present invention.

  Next, a data path 907 indicates a data flow when a user using the terminal device 900 transmits a packet using a business application or the like. In this case, as shown in the figure, data is transferred from the application layer 901 to the TCP layer 902, the IP layer 903, and the Ethernet layer 905, and the frame data is transmitted to the terminal device 103.

  The frame data transmitted from the terminal device 900 first arrives at the Ethernet layer 905 and is subsequently passed to the card driver layer 904. However, since the processing (encryption etc.) necessary for data communication of the present invention is not performed by the card driver layer 904 when transmitted from the terminal device 900, the frame data is discarded. This is because the encryption key shown in FIG. 8 is not set and is not recognized by the card driver layer 904 of the terminal device 103. Therefore, the data path 907 indicates that data communication cannot be performed between the terminal device 103 including the card 103a which is the LAN control device of the present invention and a terminal using another general LAN control device.

  Note that when the functions of the LAN control device of the present invention described above are realized by executing a program stored in a rewritable ROM or the like, the setting data and the program such as encryption described above are switched. It is also possible to make a function of switching to a card having the same function as other general LAN control devices by rewriting or erasing the contents by applying a potential change by operation. In addition, by detecting a change in the state when the LAN control device is removed from the terminal device main body and adding a function such as erasing the setting data stored in the device or the program, it can be prevented from being reused if it is stolen. be able to.

  In the embodiment described above, in FIG. 5, the table is described as information obtained by simply collecting a plurality of encryption keys. However, by managing the keys in the table using an array, a matrix, or the like, it is possible to specify the key based on position information such as an array number or a matrix number set in the table. Since all the terminal devices installed in the same LAN use a common table, the key can be specified by passing the key position information in the table, and it is not necessary to transmit the key itself.

  The embodiment described above is realized by using a terminal device provided with a network interface card which is a LAN control device of the present invention. Further, it has been described that all processing performed in the data communication after the completion of the negotiation is processed in the network interface card. However, the above-described functions can be realized by using a network interface card, which is hardware, and software together.

  For example, a configuration in which the management server 102 includes a network interface card that is the LAN control device of the present invention, and the functions of other terminal devices connected to the management server 102 can be performed by software, or the like. Here, the reason why the management server 102 is provided with the network interface card is to make a connection with another similar LAN configured using the LAN control device of the present invention. In this case, the management server 102 has a role as a router, and when connecting to a terminal device installed in an external LAN, packets are exchanged with the management server installed in the LAN. It will be.

  In addition, the reason why the management server 102 is equipped with a network interface card is that it is generally possible to speed up the process by using hardware rather than using software to determine whether to allow data to be transmitted. This is because the influence on the CPU occupancy rate of the server body can also be reduced. However, all processing performed in the management server 102 can be realized by software.

  On the other hand, in a terminal device that performs processing using software, a TCP header, an encryption key set in an IP header, and the like, which are processing performed when data is transmitted and received, are included in the transport layer 303, the Internet layer 305, and the like. It is possible to do it in the application in the layer. In addition, data encryption / decryption processing or determination processing for determining whether the packet is transmitted to the own device can be realized by software.

  As described above, according to the communication connection method and the program for causing a computer to execute the method, the communication connection device, and the LAN control device, the terminal device 103 and the terminal device 104 perform data communication when the terminal device 103 performs data communication. Is requested from the transmission unit 201 to the terminal device 104 through the management server 102. In response to this, the terminal device 104 returns a connection confirmation response to the terminal device 103 through the management server 102. Thus, at the start of the session, it is only necessary to hold the encryption key for allowing data transmission to the management server 102, and it is not necessary to hold the encryption key of the other party that transmits and receives data.

  In addition, the management server 102 or the terminal device 104, which is the other party to which the packet is transmitted, encrypts the packet data in the authentication code used when determining whether or not to permit the packet reception. Use an encryption key. As a result, data can be encrypted from the start of the negotiation session. The confidentiality can be maintained by setting the encryption key for encrypting data in the header portion of the packet to be transmitted.

  In addition, the encryption key used to authenticate the packet to be sent next time and to encrypt the packet data is notified to the other party at the time of sending the previous packet, so that a different encryption key is used each time. Can be used, and security can be improved.

  The communication connection method described in this embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM, an MO, and a DVD, and is executed by being read from the recording medium by the computer. The program may be a transmission medium that can be distributed via a network such as the Internet.

  As described above, a communication connection method according to the present invention, a program for causing a computer to execute the method, a communication connection device, and a LAN control device are useful for preventing unauthorized access when performing data communication. It is suitable for the construction of a LAN with a large number of clients.

It is a figure which shows the arrangement configuration using the LAN control apparatus concerning this Embodiment of this invention. It is a block diagram which shows the internal structure of the LAN control apparatus concerning this Embodiment of this invention. It is explanatory drawing which showed the data structure for every hierarchy in TCP / IP. It is a flowchart which shows an example of the process at the time of the communication connection start of the terminal device concerning this Embodiment of this invention. It is explanatory drawing which shows the various data set to the packet transmitted / received in the case of the negotiation concerning this Embodiment of this invention. It is a flowchart which shows an example of the data communication process after the negotiation completion concerning this Embodiment of this invention. It is the schematic explaining the data processing performed in the case of the data communication process concerning this Embodiment of this invention using the packet data format. It is explanatory drawing which shows the various data set to the packet at the time of performing the data communication process concerning this Embodiment of this invention. It is the schematic which showed the transmission / reception range of the data concerning this Embodiment of this invention using the hierarchy of TCP / IP.

Explanation of symbols

100 network 101, 101a, 101b LAN
DESCRIPTION OF SYMBOLS 102 Management server 103,104 Terminal device 103a, 104a Card 201 Transmission part 202 Encryption key selection part 203 Reception part 204 Notice encryption key selection part 205 Notice encryption key memory | storage part 206 Transmission part 207 Reception notice encryption key memory | storage part 208 Reception unit 301 Application layer 302 Data for transmission 303 Transport layer 304 TCP header 305 Internet layer 306 IP header 307 Data link layer 308 Ethernet header 309 Physical layer 900 Terminal device

Claims (20)

A communication connection method for connecting data communication between terminals via a management device,
The management device
From the encryption keys determined in advance for each of the terminals, the encryption keys determined for the first terminal that is the connection source of the data communication and the second terminal that is the connection destination are selected. Encryption key selection process to be performed,
The different encryption keys respectively determined for the first and second terminals selected in the encryption key selection step are set in the respective data packets when the data communication is performed, A connection establishment step for establishing a connection between the first and second terminals;
A communication connection method comprising:   A connection request for receiving connection establishment request data transmitted from the first terminal and transmitting information on the first and second terminals contained in the connection establishment request data to the encryption key selection step The communication connection method according to claim 1, further comprising a receiving step. The connection establishment step includes:
The connection establishment request data received from the first terminal in the connection request receiving step, and the encryption key selected for the first terminal in the encryption key selection step. A connection request transmission step for transmitting to the terminal of 2;
A connection confirmation receiving step of receiving connection confirmation response data returned from the second terminal in response to the connection establishment request data transmitted to the second terminal by the connection request transmitting step;
The connection confirmation data received from the second terminal in the connection confirmation reception step and the encryption key selected for the second terminal in the encryption key selection step A connection confirmation transmitting step for transmitting to one terminal;
The communication connection method according to claim 2, further comprising: The connection establishment step includes:
When receiving the connection establishment request data from the first terminal by the connection request receiving step, and when receiving the connection confirmation response data from the second terminal by the connection confirmation receiving step, 4. The communication connection method according to claim 2, further comprising a reception refusal step of determining whether or not to permit reception based on the presence or absence of the encryption key in each of the packets. The reception refusal step includes
When receiving the connection establishment request data from the first terminal by the connection request receiving step, and when receiving the connection confirmation response data from the second terminal by the connection confirmation receiving step, 5. The communication connection method according to claim 4, wherein reception is permitted when the encryption key defined for the management apparatus is included in each of the packets. The connection establishment step includes:
When transmitting the connection establishment request data to the second terminal by the connection request transmission step, a TCP header portion in the data is determined for the second terminal based on a TCP / IP procedure. When the encryption confirmation is performed using the encryption key and the connection confirmation response data is transmitted to the first terminal by the connection confirmation transmission step, the data in the data is based on a TCP / IP procedure. Encrypting the TCP header portion of the first header using the encryption key defined for the first terminal;
When receiving the connection establishment request data from the first terminal by the connection request receiving step, and when receiving the connection confirmation response data from the second terminal by the connection confirmation receiving step, A decryption step of decrypting the TCP data portion based on the TCP / IP procedure of each packet using the encryption key determined for the management device;
The communication connection method according to any one of claims 2 to 5, further comprising:   When a connection between the first and second terminals is established by the connection establishing step, a packet transmitted from the first terminal includes header information routed to the second terminal and the second On the other hand, a packet transmitted from the second terminal is set with header information routed to the first terminal and the first terminal. 7. The data communication between the first terminal and the second terminal is prevented from passing through the management device by setting an encryption key. The communication connection method described in 1.   When a connection between the first and second terminals is established by the connection establishing step and packets are transmitted / received, based on a TCP / IP procedure of packets transmitted / received between the first and second terminals. 8. The TCP segment unit performs encryption using the encryption key determined for a transmission destination terminal at the time of transmission, and performs decryption using the encryption key at the time of reception. The communication connection method described.   A program that causes a computer to execute the method according to any one of claims 1 to 8. A communication connection device for managing data communication connections between terminals,
Connection establishment request data transmitted from the first terminal as the connection source of the data communication, and connection confirmation response data transmitted from the second terminal as the connection destination of the first terminal, Request response receiving means for receiving each of them;
Address information for uniquely identifying the first terminal included in the connection establishment request data received from the first terminal by the request response receiving means, and confirmation of the connection received from the second terminal Based on the address information uniquely identifying the second terminal included in the response data, the encryption keys of the first and second terminals are selected from among encryption keys predetermined for each of the terminals. Encryption key selection means for selecting each,
The connection establishment request data received from the first terminal includes the encryption key of the first terminal selected by the encryption key selection means in the connection establishment request data. The encryption key of the second terminal selected by the encryption key selection means in the data of the connection confirmation response received from the second terminal is transmitted from the second terminal to the second terminal. Request response transmitting means for transmitting to the first terminal by including it in the received confirmation response data of the connection;
A communication connection device comprising: The request response receiving means includes:
The encryption in each packet of the data when the connection establishment request data is received from the first terminal and when the connection acknowledgment data is received from the second terminal 11. The communication connection apparatus according to claim 10, further comprising a reception refusal unit that permits reception only when a key is present and rejects reception when the encryption key is absent. The request response receiving means includes:
The communication is included in each of the data packets when the connection establishment request data is received from the first terminal and when the connection confirmation response data is received from the second terminal. 12. The communication connection device according to claim 10, further comprising an encryption key authenticating unit that permits reception only when the encryption key determined for the connection device is included. The request response transmission means includes:
When transmitting the connection establishment request data to the second terminal, the TCP header part in the data is set to the encryption key determined for the second terminal based on the TCP / IP procedure. When the connection confirmation response data is transmitted to the first terminal, a TCP header portion in the data is determined for the first terminal based on a TCP / IP procedure. The communication connection device according to claim 10, further comprising an encryption unit configured to encrypt using the encryption key. The request response receiving means includes:
For the TCP data part based on the TCP / IP procedure of each packet of the connection establishment request data received from the first terminal and the connection acknowledgment data received from the second terminal The communication connection device according to claim 13, further comprising decryption means for performing decryption using the encryption key determined for the communication connection device. In the LAN control device that has the same configuration as the transmission source device and the reception destination device, and transmits and receives data between them,
An encryption key for preliminarily transmitting to the receiving apparatus to allow transmission of data to be transmitted is a notice encryption key, and the notice encryption key is randomly selected from a plurality of encryption keys prepared in advance. A notice encryption key selection means for selecting one;
A notice encryption key storage means for storing the notice encryption key selected by the notice encryption key selection means in order to set in data of data to be transmitted thereafter;
When storing the notice encryption key by the notice encryption key storage means, if the notice encryption key already stored by the notice encryption key storage means exists, the notice notice already stored is stored. Temporary storage means for temporarily storing the encryption key;
When the notice encryption key is stored in the temporary storage means, the notice encryption key is used as an authentication encryption key, and when the notice encryption key is not stored in the temporary storage means, it is determined in advance. An authentication encryption key setting means for setting an encryption key as an authentication encryption key and setting it in a packet of data to be transmitted;
An encryption key transmitting means for setting the notice encryption key selected by the notice encryption key selecting means in a packet of the data to be transmitted and transmitting the packet to the receiving device;
A LAN control device comprising: Data receiving means for receiving data transmitted from the transmission source device by the encryption key transmitting means;
Data reception refusal means for judging whether or not to permit reception based on the presence or absence of the authentication encryption key included in the data received by the data receiving means;
When the data reception refusal means permits reception, and the notice encryption key is set in the received data, the reception notice encryption key storage means for storing the notice encryption key;
When storing the notice encryption key by the reception notice encryption key storage means, if the notice encryption key already stored by the reception notice encryption key storage means exists, it is already stored. Receiving temporary storage means for temporarily storing the notice encryption key;
The authentication encryption key that is permitted to be received by the data reception refusal means and included in the received data, and the advance encryption key or the predetermined encryption key that is stored by the reception temporary storage means, A data reception authentication means for comparing and permitting data reception only when they match,
The LAN control device according to claim 15, comprising: When transmitting the data packet, the encryption key transmitting means encrypts the TCP segment portion based on the TCP / IP procedure of the packet with the authentication encryption key set by the authentication encryption key setting means. Do it,
When the data receiving unit receives the packet of the data transmitted by the encryption key transmitting unit, the TCP segment portion based on the TCP / IP procedure of the packet is stored in the advance encryption stored in the reception temporary storage unit. The LAN control device according to claim 16, wherein decryption is performed using a key.   The LAN control device according to any one of claims 15 to 17, wherein a card having each means is inserted into an expansion slot of an information terminal device.   19. The LAN control apparatus according to claim 18, wherein each means is configured by a CPU of the information terminal apparatus executing a program stored in an erasable storage means. An insertion / extraction detecting means for detecting an insertion / extraction state of the card mounted in the expansion slot of the information terminal device;
20. The LAN control device according to claim 19, wherein the insertion / removal detection unit erases the contents of the storage unit when the removal of the card is detected in a state where the information terminal device is powered off.

Images