JP2007089028A - Communication interface device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform data transmission after establishing error tolerance easily and strongly in a transmission method of a physical layer, when connection is to be made between a plurality of communication networks via a communication line that adopts the transmission method of the physical layer. <P>SOLUTION: An encryption device 201 is designed to convert an Ethernet (R) signal received from a LAN 101 into a transmission data signal (RXD) consisting of a front portion and a data portion, and a MII (Media-Independent Interface) signal having an effective signal (RX_DV) indicating an effective zone of the transmission data. An encryption processing unit 22 is designed to detect the frame synchronization timing of the transmission data, based on the effective signal of the converted MII signal, to produce random numbers in synchronization with the frame synchronization timing, and to perform encryption about encryption objected zone of the transmission data. The encrypted transmission data signal (TXD) is to be outputted from a wireless interface unit 25 and is to be transmitted toward a LAN 102 by a wireless device 301. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a communication interface device used in a system for transferring transmission data between a plurality of communication networks via a communication line adopting a physical layer transmission method, for example.

  2. Description of the Related Art Conventionally, a communication system in which a plurality of LANs (Local Area Networks) are connected via a wireless line is provided. This type of system is configured, for example, such that each wireless device is connected to each LAN, and a data signal transmitted on the LAN is converted into a wireless signal by the wireless device and transmitted / received. However, if the data signal is directly converted into a radio signal and transmitted wirelessly, there is a risk that the confidentiality of the data signal is impaired.

  Therefore, it has been proposed that an encryption device is provided between the wireless device and the LAN, and the data signal is encrypted / decrypted by the encryption device. As an encryption method used for such transmission, encryption techniques such as IPsec (Security Architecture for Internet Protocol) and SSL (Secure Socket Layer) are known (see, for example, Non-Patent Document 1). .

IPsec specifications; RFC (Request for Comments) 1825 to RFC1829

  However, as described above, in a wireless device used in a system for connecting LANs via a wireless line, only a simple protocol of only a physical layer may be implemented. In contrast, IPsec is a cryptographic technique in the network layer, and SSL is a cryptographic technique in the application layer. For this reason, these encryption methods cannot be applied to a wireless device using the above-described physical layer protocol, and an encryption technique applicable to the physical layer protocol has been desired.

  The present invention has been made paying attention to the above circumstances, and the object of the present invention is to transfer transmission data to a physical layer when connecting a plurality of communication networks via a communication line adopting a physical layer transmission method. It is an object of the present invention to provide a communication interface device that can easily transmit data with strong error tolerance corresponding to the above transmission method.

In order to achieve the above object, a communication interface device according to the present invention provides a first communication network between a first communication network and a second communication network that employs a transmission method defined in a higher layer than the network layer. In a communication interface device used in a system for transferring a data signal transmitted in a network via a communication line adopting a transmission method defined in a physical layer, the data signal transmitted in the first communication network is Conversion means for converting into a frame signal corresponding to the transmission method of the physical layer, synchronization detection means for detecting frame synchronization timing from the converted frame signal, and generating a random number in synchronization with the detected frame synchronization timing Encryption means for encrypting an encryption target section of the frame signal based on the random number, and the encryption The frame signal is to a transmitting means for transmitting to the communication line.

  The communication interface device according to the present invention also provides data transmitted through the first and second communication networks between the first and second communication networks adopting a transmission method defined in an upper layer above the network layer. An encrypted frame signal transmitted from a second communication network via a communication line in a communication interface device used in a system for transferring the signal via a communication line adopting a transmission method defined in the physical layer Receiving means, synchronization detecting means for detecting frame synchronization timing from the received encrypted frame signal, and generating a random number in synchronization with the detected frame synchronization timing, based on the random number Decryption means for decrypting an encrypted section of the encrypted frame signal, and the decrypted frame signal is defined by the upper layer. Into a data signal corresponding to the transmission scheme that is a converted data signal which and means for transmitting to the first communication network.

  With this configuration, it is possible to perform encryption in units of frames at the physical layer level without implementing a protocol in an upper layer such as a network layer or an application layer. Thereby, it is possible to transmit the transmission data easily corresponding to the transmission method of the physical layer and with strong error tolerance.

Furthermore, the communication interface device of the present invention is also characterized by having the following various configurations.
In the first configuration, when the first and second communication networks are configured by a LAN (Local Area Network) adopting a CSMA / CD (Carrier Sense Multiple Access / Collision Detect) method, The data signal is converted into an MII (Media Independent Interface) signal having transmission data composed of a front part and a data part and an effective signal indicating an effective section of the transmission data, and the synchronization detection means And detecting the frame synchronization timing of the transmission data based on the valid signal, and the encryption means generates a random number in synchronization with the detected frame synchronization timing, and based on the random number, Encrypt the data part.

Further, the first and second communication networks are configured by a LAN adopting a CSMA / CD system, and the receiving means transmits transmission data comprising a prefix part and an encrypted data part as the encrypted frame signal. And the synchronization detection means detects the frame synchronization timing of the transmission data based on the valid signal of the MII signal, and when receiving an MII signal having a valid signal indicating a valid section of the transmission data, The decryption means generates a random number in synchronization with the detected frame synchronization timing, and decrypts an encrypted section in the transmission data based on the random number.
With this configuration, the data portion to be encrypted / decrypted is detected by the MII signal, so that complicated logic for detecting the data portion is not necessary and can be realized with a simple configuration.

  In the second configuration, the encryption means uses a random number generator, a bit group extracted from the encrypted frame signal preceding the frame signal, and an encryption key prepared in advance for each frame signal as input parameters. A means for initializing the random number generator to generate a random number from the random number generator, and by performing a logical operation on the generated random number and a code of an encryption target section of the frame signal, Means for encrypting the encryption target section.

Further, the decryption means includes, as input parameters, a random number generator, a bit group extracted from the encrypted frame signal preceding the encrypted frame signal, and an encryption key prepared in advance for each encrypted frame signal. Means for initializing a random number generator, generating a random number from the random number generator, and performing a logical operation on the generated random number and a code of an encrypted section of the encrypted frame signal, Means for decrypting the encrypted section of the signal.
With this configuration, a random number generator is initialized for each frame signal, and encryption / decryption is performed using the random number generated from the random number generator. Therefore, even when a transmission error occurs, it can be easily overcome in units of frames. it can.

  Therefore, according to the present invention, when a plurality of communication networks are connected via a communication line adopting a physical layer transmission method, transmission data can be simply and strongly error resistant corresponding to the physical layer transmission method. It is possible to provide a communication interface device that can be provided and transmitted.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a schematic configuration diagram of a wireless communication system using a communication interface device (hereinafter referred to as an encryption device) according to the present invention. The wireless communication system includes local area networks (LANs) 101 and 102, encryption devices 201 and 202, and wireless devices 301 and 302. Transmission data from the LAN 101 to the LAN 102 is encrypted by the encryption device 201 and then transferred from the wireless device 301 to the wireless device 302. Further, the encrypted data received by the wireless device 302 is decrypted by the encryption device 202 and transmitted to the LAN 102. Data transfer from the LAN 102 to the LAN 101 is performed in the same procedure.

FIG. 2 is a block diagram showing an embodiment of the encryption device. In FIG. 1, since the encryption device 202 has the same configuration as the encryption device 201, the encryption device 201 will be described below.
The encryption device 201 includes an Ethernet (registered trademark) interface unit 21, an encryption processing unit 22, a common key memory 23, a decryption processing unit 24, and a wireless interface unit 25.

  The Ethernet interface unit 21 converts the received Ethernet signal from the LAN 101 into an MII signal having a received data signal (RXD) composed of a front part and a data part and a valid signal (RX_DV) indicating a valid section of the received data. . Then, the received data signal (RXD) and the received data valid signal (RX_DV) are supplied to the encryption processing unit 22. On the other hand, the transmission data signal (TXD of the decoded MII signal) supplied from the decoding processing unit 24 is converted into an Ethernet signal and transmitted to the LAN 101.

  Further, the wireless interface unit 25 converts the format of the encrypted reception signal supplied from the wireless device 301 into an MII signal and converts the received data signal (RXD of the encrypted MII signal) and the reception data valid signal (RX_DV). This is supplied to the decryption processing unit 24. Also, the transmission data signal (TXD of the encrypted MII signal) supplied from the encryption processing unit 22 is converted into a format suitable for wireless communication and supplied to the wireless device 301.

  The MII signal is a kind of Ethernet interface signal between a MAC (Media Access Control) layer and a physical layer, and the detailed specification is defined in the international standard specification IEEE 802.3. Since Ethernet interface devices having an MII interface are already on the market, the Ethernet interface unit 21 can configure the encryption device 201 at a low cost by using a commercially available device.

  FIG. 3 shows the configuration of the MII signal related to data transfer. There are four signals related to data transmission: transmission data TXD, transmission enable TX_EN, transmission error TX_ER, and transmission clock TX_CLK. There are four signals related to data reception: reception data RXD, reception data valid RX_DV, reception error RX_ER, and reception clock RX_CLK. In the present invention, the frame synchronization timing of the received data RXD is detected based on the received data valid RX_DV of the MII signal.

The encryption processing unit 22 performs encryption processing of the reception data signal using the reception data RXD of the MII signal supplied from the Ethernet interface unit 21, the reception data valid RX_DV, and the like. Here, the data structure in the encryption processing will be described with reference to FIG.
FIG. 4A shows received data RXD and shows a transmission frame configuration in the MII interface. FIG. 4B shows reception data valid RX_DV, which changes from “0” to “1” prior to reception of SFD (Start Frame Delimiter) after reception of the preamble. When detecting that RX_DV is changed from “0” to “1”, the encryption processing unit 22 detects SFD and performs encryption processing of the data portion after SFD. Then, the end of the MII frame is detected by a change in RX_DV from “1” to “0”, and the encryption process is ended. As described above, the encryption processing unit 22 detects the data part to be encrypted of the Ethernet signal based on the RX_DV signal. FIG. 4C shows a transmission frame configuration in the MII interface subjected to the encryption process. The encryption processing unit 22 outputs the encrypted MII transmission frame to the wireless interface unit 25 as transmission data TXD of the MII signal.

  On the other hand, the decryption processing unit 24 decrypts the encrypted received data signal using the received data RXD of the MII signal supplied from the wireless interface unit 25, the received data valid RX_DV, and the like. Here, the data configuration in the decoding process will be described with reference to FIG.

  FIG. 5A shows received data RXD with the data part encrypted, and shows a transmission frame configuration in the MII interface. FIG. 5B shows reception data valid RX_DV, which changes from “0” to “1” prior to reception of the SFD after reception of the preamble. After RX_DV changes from “0” to “1”, the decryption processing unit 24 detects the SFD and performs decryption processing of the encrypted data unit. Then, the end of the MII frame is detected by a change in RX_DV from “1” to “0”, and the decoding process ends. As described above, the decoding processing unit 24 detects a data part to be decoded based on the RX_DV signal, and performs a decoding process. FIG. 5C shows a transmission frame configuration in the MII interface on which decoding processing has been performed. The decoding processing unit 24 outputs the decoded MII transmission frame to the Ethernet interface unit 21 as transmission data TXD of the MII signal.

  By the way, in the communication system using this encryption device, it is necessary to share the encryption key between the encryption devices 201 and 202 facing each other. The common key memory 23 stores an encryption key common to the encryption devices 201 and 202, and is read according to requests from the encryption processing unit 22 and the decryption processing unit 24, respectively. This encryption key is set in advance at the time of system shipment, or set by a system administrator at the time of operation, for example.

  Next, encryption and decryption processing of the encryption apparatus 201 configured as described above will be described. In general, encryption schemes used for data encryption include block ciphers and stream ciphers that are common key ciphers. Of these, the block cipher encrypts the data to be encrypted in units of blocks, so it is necessary to add dummy bits if the data to be encrypted is less than the block length. On the other hand, the stream cipher is characterized in that additional bits are unnecessary because encryption is performed in bit units.

  Hereinafter, in the present embodiment, a case will be described in which MUGI, which is a stream cipher included in an e-government recommended cipher list, is applied as an encryption algorithm. MUGI outputs a random number sequence using a 128-bit encryption key (k) and a 128-bit initial vector (IV) as input parameters. The output random number sequence is uniquely determined by the combination of the encryption key k and the initial vector IV. Encryption is performed by calculating an exclusive OR of a random number sequence obtained from MUGI and plaintext.

First, encryption processing of the encryption processing unit 22 will be described. FIG. 6 is a diagram illustrating an encryption procedure in the encryption processing unit 22.
The cryptographic processing unit 22 initializes a random number generator using a preset value a0 as an initial vector IV, and the initial vector IV and the cryptographic key k read from the common key memory 23 as input values. Generate a random number sequence at In this state, the encryption processing unit 22 detects the data part to be encrypted from the MII frame supplied from the Ethernet interface part 21, and calculates the exclusive OR of the data part and the random number sequence to obtain the data part. Encrypt. Then, the encryption processing unit 22 extracts m bits from a predetermined bit position of the encrypted data part, and acquires data a1. Further, the encryption processing unit 22 outputs an encrypted MII frame in which the data part is encrypted to the wireless interface unit 25.

Next, the encryption processing unit 22 sets the previously obtained value a1 as the initial vector IV, inputs the initial vector IV and the encryption key k, initializes the random number generator, and generates a random number sequence in the random number generator. If m ≠ 128, a1 is expanded or cut out as necessary to generate a 128-bit initial vector IV.
Similarly, when the MII frame is supplied from the interface unit 21, the encryption processing unit 22 detects and encrypts the data portion. Further, a predetermined bit is extracted from the encrypted MII frame, and the extracted value is used as an initial vector IV for encryption of the next frame to perform an encryption process.

Next, the decoding process of the decoding processing unit 24 will be described. FIG. 7 is a diagram illustrating a procedure of the decoding process in the decoding processing unit 24.
The decryption processing unit 24 uses a preset value a0 as an initial vector IV, initializes a random number generator using the initial vector IV and the encryption key k read from the common key memory 23 as input values, and generates a random number generator. Generate a random number sequence at In this state, the decryption processing unit 24 detects the encrypted data part from the MII frame supplied from the wireless interface unit 25, extracts m bits from a predetermined bit position of the encrypted data part in advance, and acquires data a1. Keep it. Then, the decryption processing unit 24 generates a decrypted MII frame from the exclusive OR of the encrypted data unit and the random number sequence, and outputs the decrypted MII frame to the interface unit 21.

Next, the decryption processing unit 24 sets the previously obtained value a1 as the initial vector IV, inputs the initial vector IV and the encryption key k, initializes the random number generator, and generates a random number sequence in the random number generator. If m ≠ 128, a1 is expanded or cut out as necessary to generate a 128-bit initial vector IV.
Similarly, when the encrypted MII frame is supplied from the wireless interface unit 25, the decryption processing unit 24 detects the encrypted data portion, extracts a predetermined bit in advance, and then decrypts the encrypted data portion. To do. Then, the next frame is decoded using the extracted value as the initial vector IV.

  As described above, in the above-described embodiment, the encryption device 201 uses the Ethernet interface unit 21 to convert the Ethernet signal arriving from the LAN 101 into the transmission data signal (RXD) including the front part and the data part, and the effective section of the transmission data. It is converted into a Media Independent Interface (MII) signal having a valid signal (RX_DV). The encryption processing unit 22 detects the frame synchronization timing of the transmission data based on the converted effective signal of the MII signal, generates a random number in synchronization with the detected frame synchronization timing, and encrypts the transmission data Encrypt the interval. The transmission data signal (TXD) encrypted in this way is output from the wireless interface unit 25 and transmitted to the LAN 102 by the wireless device 301.

  Therefore, in this embodiment, since the data part to be encrypted and decrypted is detected by the MII signal, complicated logic for detecting the data part becomes unnecessary, and the encryption apparatus can be realized with a simple configuration. Further, since the initial vector is derived from the encrypted data part, additional bits for the initial vector are not necessary, and encryption can be performed without changing the frame length. Since the initial vector is updated and the random number is generated in units of frames, even if a transmission error occurs, it is possible to return in units of frames. In addition, since the random number sequence used for the cryptographic process can be generated prior to the cryptographic process, parallel processing or the like is possible, and an efficient cryptographic process can be realized.

  The present invention is not limited to the above embodiment. For example, in FIG. 1, the function of the encryption device 201 can be provided in the wireless device 301 to configure as a wireless communication device having an encryption function. It is of course possible to configure a communication interface device including either the encryption processing unit 22 or the decryption processing unit 24.

  In addition, various processes performed in the cryptographic apparatus, the communication system, etc. according to the present invention are executed by a processor executing a control program stored in a ROM (Read Only Memory) in a hardware resource including a processor, a memory, and the like. May be used, and for example, each functional unit for executing the processing may be configured as an independent hardware circuit.

  The present invention can also be understood as a computer-readable recording medium or program such as a floppy (registered trademark) disk or a CD (Compact Disc) -ROM storing the control program. Then, the processing according to the present invention can be performed by inputting to the computer and causing the processor to execute it.

Furthermore, in the above-described embodiment, the case where the stream cipher MUGI is applied has been described. However, the cipher algorithm is not limited to this, and other stream ciphers, block ciphers and other cipher algorithms and random number generation algorithms may be used.
In addition, although the present embodiment has been described with respect to the MII signal, it is of course applicable to a GMII (Gigabit Media Independent Interface) signal that is a gigabit interface. In addition, the configuration of the encryption device 201, the processing procedures of the encryption processing unit 22 and the decryption processing unit 24, and the processing contents thereof can be variously modified and implemented without departing from the gist of the present invention.

  In short, the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, you may combine suitably the component covering different embodiment.

The schematic block diagram of the radio | wireless communications system using the encryption apparatus concerning this invention. The block block diagram which shows one Embodiment of the encryption apparatus shown in FIG. The figure which shows the structure of the data transfer signal of an MII interface. The figure which shows the frame structure in an encryption process. The figure which shows the frame structure in a decoding process. The figure which shows the procedure of the encryption process in the encryption apparatus shown in FIG. The figure which shows the procedure of the decoding process in the encryption apparatus shown in FIG.

Explanation of symbols

  101, 102 ... LAN, 201, 202 ... encryption device, 301, 302 ... wireless device, 21 ... Ethernet interface unit, 22 ... encryption processing unit, 23 ... common key memory, 24 ... decryption processing unit, 25 ... wireless interface unit.

Claims (6)

Data signals transmitted on the first and second communication networks between the first and second communication networks adopting a transmission method defined on the upper layer above the network layer are transmitted on the physical layer. In a communication interface device used in a system for transferring via a communication line adopting a method,
Conversion means for converting a data signal transmitted in the first communication network into a frame signal corresponding to the transmission method of the physical layer;
Synchronization detection means for detecting frame synchronization timing from the converted frame signal;
An encryption unit that generates a random number in synchronization with the detected frame synchronization timing, and encrypts an encryption target section of the frame signal based on the random number;
A communication interface apparatus comprising: a transmission unit configured to transmit the encrypted frame signal to the communication line. When the first and second communication networks are configured by a LAN (Local Area Network) adopting a CSMA / CD (Carrier Sense Multiple Access / Collision Detect) method,
The converting means converts the data signal into an MII (Media Independent Interface) signal having transmission data composed of a front part and a data part and an effective signal indicating an effective section of the transmission data,
The synchronization detection means detects a frame synchronization timing of the transmission data based on a valid signal of the MII signal,
The communication interface according to claim 1, wherein the encryption unit generates a random number in synchronization with the detected frame synchronization timing, and encrypts a data portion of the transmission data based on the random number. apparatus. The encryption means includes
A random number generator;
For each frame signal, the random number generator is initialized using the bit group extracted from the encrypted frame signal preceding the frame signal and the encryption key prepared in advance as input parameters, and a random number is generated from the random number generator. Means to
2. The means for encrypting the encryption target section of the frame signal by performing a logical operation on the generated random number and the code of the encryption target section of the frame signal. Communication interface device. Data signals transmitted on the first and second communication networks between the first and second communication networks adopting a transmission method defined on the upper layer above the network layer are transmitted on the physical layer. In a communication interface device used in a system for transferring via a communication line adopting a method,
Receiving means for receiving an encrypted frame signal transmitted from the second communication network via the communication line;
Synchronization detection means for detecting frame synchronization timing from the received encrypted frame signal;
Decryption means for generating a random number in synchronization with the detected frame synchronization timing, and decrypting an encrypted section of the encrypted frame signal based on the random number;
Means for converting the decoded frame signal into a data signal corresponding to a transmission method defined in the higher layer, and transmitting the converted data signal to the first communication network. Communication interface device. The first and second communication networks are configured by a LAN adopting a CSMA / CD method, and the receiving means includes, as the encrypted frame signal, transmission data including a prefix portion and an encrypted data portion; When receiving an MII signal having an effective signal indicating an effective interval of the transmission data,
The synchronization detection means detects a frame synchronization timing of the transmission data based on a valid signal of the MII signal,
5. The communication interface apparatus according to claim 4, wherein the decrypting means generates a random number in synchronization with the detected frame synchronization timing, and decrypts an encrypted section in the transmission data based on the random number. . The decoding means includes
A random number generator;
For each of the encrypted frame signals, the random number generator is initialized by using, as input parameters, a group of bits extracted from the encrypted frame signal preceding the encrypted frame signal and an encryption key prepared in advance. Means for generating random numbers from
5. The apparatus according to claim 4, further comprising: means for performing a logical operation on the generated random number and a code of an encrypted section of the encrypted frame signal to decrypt the encrypted section of the encrypted frame signal. The communication interface device described.

Images