JP2020058028A - Secret information transmission/reception system - Google Patents

Abstract

To provide a secret information communication system that securely transmits and receives files in substantially real time.SOLUTION: A secret information communication system includes: a server 11; a network connection terminal 13 connected with the server via a network 12; a data processing device 21; a first FIFO memory 16connected between the network connection terminal 13 and the data processing device 21; a data part compulsory encryption/decryption device 19 connected between the first FIFO memory 16and the data processing device 21; and a second FIFO memory 16connected between the data processing device 21 and the network connection terminal 13. The network connection terminal 13 and the data processing device 21 independently access the FIFO memories. The data processing device 21, the network connection terminal 13, and the data part compulsory encryption/decryption device 19 operate in a non-Neumann method. The first and second FIFO memories are of an asynchronous type.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a secret information transmission / reception system for transmitting / receiving files via a network while maintaining security.

  Hackers take over smartphones and personal computers connected to the Internet, falsify government offices and famous companies' websites, illegally transfer virtual currency from fund management servers, and steal large amounts of credit card information from databases For this reason, hacking has become a serious problem in the information society.

  Hacking is also an issue for IoT (Internet of Things) devices ("things" such as home appliances connected to the Internet and exchanging information) (hereinafter "IoT devices"). “Connected cars”, which can be said to be typical of IoT devices, have been attracting attention in connection with automatic driving. However, a car connected to the Internet has been hijacked by a hacker, and driving from a remote location against the driver's intention has made driving difficult. It was reported in an investigation by a US lawmaker that it was operated without permission.

  When the on-board controller and the external network are directly connected, hackers can exploit the vulnerabilities in the software for car control equipment to run the car out of control or to operate the car by operating the accelerator / brake handle without permission. Steal information or driving information, or infect with viruses. There is a need to eliminate vulnerabilities in the software of these in-vehicle control devices or their network connection terminals. However, it is known from experience with personal computers and the like that it is not easy to prevent intrusion from the Internet by applying a security patch to software.

  Hacking is performed by taking advantage of the fact that the current computer architecture relies on the Neumann method. The Neumann method means that a processing program code and data handled by the code are mixed and arranged in a main memory, and the CPU transfers all data between the main memory and a device connected thereto via a bus. Is a calculation processing method. Addresses are assigned to the processing program codes and data, and it is impossible to determine whether these are instruction codes, addresses, or variable values only by looking at the values. In the Neumann system, a processing program handled by a computer is handled in a main memory without being distinguished from data. Since the program and external data are stored in main memory, if there is a slight bug in the original program, the hacker sends malicious program code disguised as data over the network, and the bug is removed. It can be used to execute malicious program code. As described above, as long as the computer architecture adopts the Neumann method, malicious program code and data are arranged in the main memory, so that hacking due to execution of the malicious program code cannot be prevented (see Non-Patent Document 1). As an architecture in which hacking does not occur, a Harvard system is known (see Non-Patent Document 2).

  The inventor can completely eliminate hacking through the public network by using a two-port storage and processing the program by hardware or firmware even when connected to the public network. An application for a file transmission / reception system was made (see Patent Document 1).

Patent Document 1 discloses, as shown in FIG. 1, a server 3, a network 4, a network connection terminal 2, a data processing device 1, and a relay 2 between the network connection terminal 2 and the data processing device 1. A file transmission / reception system including a port storage 5 is disclosed. Storage 5 and the first I / O ports A6 ₁ which is connected between the network connection terminal 2 is function limited to "write added only", and to decrypt the encrypted file. 2 Port storage 5 and the data processing apparatus first I / O port B7 ₁ which is connected between the 1 "read only" and "file deletion" for deleting unnecessary files of the two-port storage 5 The operation is restricted to these two functions. These functional restrictions are realized by hardware or firmware built in or directly connected to the two-port storage 5.

  Since the I / O port A is written in hardware or firmware that is built in or directly connected to the two-port storage and has its functions restricted for exclusive use, even if a hacker infects the two-port storage with a virus file, the I / O port A is not affected. Since the O port A cannot perform any operation other than writing, it does not read the virus file.

  Since the two-port storage is not readable to the network connection terminal, a virus intruding from the network is completely prevented. Even if any malicious programs exist in the memory of the network connection terminal, the malicious programs can be removed by restarting the network connection terminal.

  In this way, the file transmission / reception system disclosed in Patent Literature 1 completely removes an unauthorized program (software) that a hacker invades through a network using hardware called two-port storage.

JP-A-2017-92722

[Online] Cyber Security 59-61, Cyber Security and Management Strategy, edited by NTT Publishing, ISBN code: 978-4-7571-0345-0, [Searched on September 18, 1980], Internet <http : //www.nttpub.co.jp/search/books/detail/100002295.html> [Online] Harvard Architecture: Basic Knowledge of Computer Terminology Computer Technology Terminology (TCYOGO) [Search on September 18, 1980] Internet <https://www.wdic.org/w/TECH/Harvard Architects Char> [Online] Digital circuit design: General knowledge of digital circuits: Asynchronous clock transfer: How to make an asynchronous FIFO, [Search on September 18, 1980], Internet <http://zakii.la.coocan.jp/digital /18_async_fifo.htm> [Online] Techno Create: IP core for FPGA, standard AES encryption / decryption engine for common key encryption, [Searched on September 18, 1980], Internet <http://www.techno-create.com/ product / crypt / aes.php> [Online] Verilog is a hardware description language standardized as IEEE 1364: Wikipedia, [Search on September 18, 1980], Internet <https://en.wikipedia.org/wiki/Verilog > [Online] What is TCP protocol: picfun, [searched on September 18, 1980], Internet <http://www.picfun.com/lan19a.html> [Online] Queue (searched on September 18, 1980), Internet <https://en.wikipedia.org/wiki/queue_ (computer)> [Online] Repeater on Ethernet <registered trademark>: [searched on September 24, 1980], Internet <https://en.wikipedia.org/wiki/repeater> [Online] TPM chip [Search on September 24, 1980], Internet <http://e-words.jp/w/TPM.html>

  In the file transmission / reception system of Patent Document 1, a two-port storage is used as a storage mechanism. In this two-port storage, communication is accumulated in a file and then written and read out in file units. In other words, when reading a file, the written file cannot be read until the FAT (File Allocation Table) is updated. This is a restriction on exclusive control based on basic rules regarding files performed by the multitask OS. For example, when writing a live broadcast video for one hour, the write file cannot be read until one hour later. For this reason, the file transmission / reception system disclosed in Patent Literature 1 is used in a situation where video files must be transmitted and received in real time, such as remote surgery, drone operation, live broadcast, and TV telephone. Can not.

  Accordingly, an object of the present invention is to provide a secure system capable of transmitting and receiving a relay moving image file in substantially real time, which can be used in situations such as remote surgery, drone operation, live broadcast, and TV telephone. .

The secret information communication system (Embodiment 1) of the present invention is:
Server and
A network connection terminal,
A network connected between the server and the network connection terminal;
A data processing device;
A first FIFO memory connected to the network connection terminal;
A data part forced encryption / decryption device connected between the first FIFO memory and the data processing device;
A second FIFO memory connected between the data processing device and the network connection terminal,
A secret information communication system comprising:
The network connection terminal and the data processing device independently access the first and second FIFO memories,
The first FIFO memory, the second FIFO memory and the data part forced encryption / decryption device operate in a non-Neumann manner;
The first and second FIFO memories are each asynchronous.
This solves the above problem.

  In this secret information communication system, an asynchronous FIFO memory is connected between the network connection terminal and the data processing device. The FIFO (First-In First-out) memory is a memory that performs a queue / buffer operation for reading out a previously written packet first. Queues in electronic circuits are described, for example, in Non-Patent Document 7. The fact that the FIFO memory is asynchronous means that writing is operated by the clock on the write port side, reading is operated by the clock on the read port side, and those clocks are not synchronized. In an asynchronous FIFO (also called dual port fifo) memory, a computer (network connection terminal or data processing device) connected to a write port and another computer (network connection terminal or data processing device) that operates independently and connected to a read port ) Are in an offline relationship. Therefore, neither computer can transmit a signal to the opposite computer. In other words, even if a malicious program reaches a computer (network connection terminal) connected to the network, the malicious program can access the computer (data processing device) connected to the other port. Does not exist.

  Communication packets from the network are written to the first FIFO memory via the write port of the first FIFO memory. Packets written to the first FIFO memory can be immediately read from the read port of the first FIFO memory when the internal queue is empty. As described above, since the writing and reading of the packet can be performed almost at the same time by employing the FIFO memory, this secret information communication system can be used in real time such as telesurgery, drone operation, live broadcast, and TV telephone. It can be used in situations where relay video files must be sent and received.

  Further, since the first and second FIFO memories and the data part forced encryption / decryption device operate in a non-Neumann system (hardware), even if an unauthorized program intrudes from a network, the unauthorized program will not transmit the secret information communication system. Does not operate at all inside the first FIFO and the second FIFO. In this way, the secret information communication system can prevent hackers from illegally entering the secret information communication system.

  In the secret information communication system according to the present invention (Embodiment 1), the data part forced encryption / decryption device may include a flash memory and a unit for updating the content of the flash memory.

  In the flash memory of the secret information communication system, an operation algorithm and / or an encryption key of the data part forced encryption / decryption device is stored, and the encryption key can be updated by updating means.

The secret information communication system (Embodiment 3) of the present invention is:
Server and
A network connection terminal,
A network connected between the server and the network connection terminal;
A data processing device connection terminal;
A data processing device connected to the data processing device connection terminal;
A first FIFO memory connected to the network connection terminal;
A packet forced encryption / decryption device connected between the first FIFO memory and the data processing device connection terminal;
A second FIFO memory connected between the network connection terminal and the data processing device connection terminal,
A secret information communication system comprising:
The network connection terminal and the data processing device independently access the first and second FIFO memories,
The first FIFO memory, the second FIFO memory, the packet forced encryption and decryption device, and the data processing device operate in a non-Neumann manner,
The first and second FIFO memories are each asynchronous.
This solves the above problem.

  This secret information communication system is different from the secret information communication system according to the first embodiment in that a packet forced encryption / decryption unit is provided instead of the data part forced encryption / decryption unit, and that the packet forced encryption / decryption unit, the network connection terminal, and the data processing device And a data processing device connection terminal connected between the data processing device and the data processing device. The packet forcible decryption unit separates a communication packet into a header part and a data part, temporarily stores the header part, and decrypts the data part. In the secret information communication system according to the first embodiment, the partner of the handshake communication of the server is the network receiving terminal, but in the third embodiment, the server is the data processing device. In the secret information communication system according to the first embodiment, only the data portion of the packet that has arrived at the network connection terminal passes to the first FIFO memory and thereafter. In the confidential information system according to the first embodiment, the network connection terminal generates a reply packet according to the Internet communication procedure, whereas in the third embodiment, the data processing device generates the reply packet. For this reason, in the secret information communication system according to the third embodiment, the data processing device can perform normal Internet communication processing. Therefore, the secret information communication system according to the third embodiment only needs to be inserted into the connector at the end of the network. , Can correspond to normal Internet communication.

  In the secret information communication system according to the present invention (Embodiment 3), the packet-portion forcible encryption / decryption unit may include a flash memory and means for updating the content of the flash memory.

  In the flash memory of the secret information communication system, an operation algorithm and / or an encryption key of the packet part forced encryption / decryption device is stored, and the encryption key can be updated by updating means.

FIG. 1 is a system configuration diagram of a secret information communication system according to a first embodiment. FIG. 3 is a diagram illustrating an operation principle of a FIFO memory. It is a block diagram of a data part forced encryption / decryption device. FIG. 10 is a system configuration diagram of a secret information communication system according to a second embodiment. FIG. 14 is a system configuration diagram of a secret information communication system according to a third embodiment. FIG. 13 is a system configuration diagram of a secret information communication system according to a third embodiment in which a microcomputer is mounted. It is a figure explaining the function of a packet forced encryption / decryption device. It is a block diagram of a packet forced encryption / decryption device. FIG. 4 is a diagram illustrating an operation of an output destination switching unit.

(Embodiment 1)
As shown in FIG. 1, the secret information communication system according to the first embodiment transmits a packet 11 encrypted with a common encryption key to a data part forced encryption / decryption device 19, a network 12, and an encrypted network. a network connection terminal 13 for receiving a packet over the network 12, the data to be processed ₁ and the first FIFO memory 16, a data unit forced encryption decoder 19 for decoding the data portion of the received packet, the decrypted packet It includes a processing unit 21, and a ₂ second FIFO memory 16. The network 12 is connected between the server 11 and the network connection terminal 13. The first FIFO memory 16 ₁ is connected between the network connection terminal 13 and a data part forced encryption decoder 19. Data unit forced encryption decoder 19 is connected between the first FIFO memory 16 ₁ and the data processing unit 21. Second FIFO memory 16 ₂ is connected to a direction opposite to the first FIFO memory 16 ₁ between the data processing apparatus 21 and the network connection terminal 13. The first and second FIFO memories 16 ₁ and 16 ₂ operate asynchronously. Network connection terminal 13, the data processing apparatus 21 and the data portion forced encryption decoder 19 accesses independently with respect to the FIFO memory ₁₆ 1, 16 _2, the data unit forced encryption decoder 19 and the first, second FIFO memories 16 ₁ and 16 ₂ operate in a non-Neumann manner.

The network connection terminal 13 divides the received communication packet into a data part and a header part. The header portion, the handshake procedure the network connection terminal 13 is defined at the internet packets communication protocol: using the (non-patent document 6 TCP session sequence), data portion ₁ and the first FIFO memory 16, The data packet of the received packet is sent to the data processing device 21 via the data portion forced encryption / decryption device 19 for decoding the data portion.

As shown in FIG. 2, the FIFO memory holds data in the order of input data until receiving a read request. The data initially written to the FIFO memory is later read out first from the FIFO memory and deleted at the same time. Data input / output (writing and reading) is always performed in the order of input. The first FIFO memory 16 _1, and a write port 17 ₁ and the read port 18 _1, the second FIFO memory 16 _2, and a _second read port 18 ₂ and the write port 17. The first FIFO memory 16 ₁ and the second FIFO memory 16 ₂ operates asynchronously. That is, these FIFO memories operate only when a read request or a write request is received from the network connection terminal 13, the data processing device 21, or the data part forced encryption / decryption device 19. This means that the network connection terminal 13 and the data processing device 21 access these FIFO memories independently. Since the FIFO memory is asynchronous, the computer (the network connection terminal 13 or the data processing device 21) connected to the write ports 17 ₁ and 17 ₂ and the computer (the network connection terminal 13) connected to the read ports 18 ₁ and 18 ₂ Alternatively, the data part forced encryption / decryption device 19 or the data processing device 21) is off-line. Therefore, neither computer can transmit a signal to the opposite computer. That is, even if the malicious program reaches the computer (the network connection terminal 13) connected to the network 12, the malicious program is not transferred to the computer (the data processing device 21) connected to the other port. The first FIFO memory 16 ₁ receives the checking Almost Full flag by the network connection terminal 13, if the result is Yes, data 9 of the communication packet is written into the first FIFO memory 16 _1, the data unit forced decryptor When read by 19 or data processor 21 is requested, the data 5 of a communication packet, is read from the first FIFO memory 16 _1.

  As the FIFO memory of the present invention, for example, asynchronous FIFO memories SN74ACT3632 and SN74ALS232B manufactured by Texas Instruments, and FIFO memories 7202LA25JHI and 7202LA12SOG manufactured by Integrated Device Technology Inc. can be used. Using these FIFO memories, a write cycle of 40 MHz and a read time of 20 ns can be realized.

  The FIFO memory of the present invention can be configured by Verilog-HDL as described in Non-Patent Document 5, and can be configured by FPGA as described in Non-Patent Document 3. Furthermore, the FIFO memory of the present invention can be mounted in a non-Neumann microcomputer as shown in Non-Patent Document 3.

  The FIFO memory is provided with two different ports for input (write) and output (read), forms a queue of input data in an input order until a read request is received, and holds the queue in response to a write request. When the data is read, it is deleted. A FIFO memory to which a processing device (computer) operating independently (operating asynchronously with each other) can be connected to each of the two ports is called an asynchronous type.

The first FIFO memory 16 ₁ operates the network connection terminal 13 writing, or from the data unit forced decryptor 19 when requested read, it until retains the data to form a queue.

The first FIFO memory 16 _1, and a write port 17 ₁ and the read port 18 _1, the second FIFO memory 16 _2, and a _second read port 18 ₂ and the write port 17. A network connection terminal 13 connected to the write port 17 _1, a read port 18 data portion forcing the encryption and decryption unit 19 connected to _one operates independently (clocks not common), offline. A data processing unit 21 connected to the write port 17 _2, the network connection terminal 13 connected to the read port 18 ₂ may operate independently (without clocks common), offline.

  In the FIFO memory, data transfer is strictly one-way, and no processing device (computer) can transmit a signal to a processing device connected to an opposite port. That is, even if an unauthorized program arrives at the network connection terminal 13 connected to the network 12, the unauthorized program accesses the data part forced encryption / decryption device 19 and the data processing device 21 connected to the opposite port. I can't do that. Since the encryption key is held in the data part forced encryption / decryption device 19 and the data transfer of the first FIFO is one-way, even if the hacker takes over the network connection terminal 13, the hacker can use the data part force encryption / decryption device 19. Cannot read the encryption key stored in the.

  The data part forced encryption / decryption unit 19 decrypts the data part of the received packet using the encryption key. In the data part forced encryption / decryption device 19, the decryption processing is performed by using wired logic, FPGA-Verilog-HDL (see Non-Patent Document 5), LSI (eg, Non-patent Document 9) in the data part forced encryption / decryption device 19. TPM chip). Alternatively, the data part forced encryption / decryption device 19 can be formed by a Harvard microcomputer. The processing program of the data part forced encryption / decryption device 19 is usually stored in a flash memory incorporated in the data part forced encryption / decryption device 19. In the data part forced encryption / decryption device 19, since the data and the program do not exist in the same memory (non-Neumann method), the data portion forced encryption / decryption device 19 is not affected by the data to be decrypted. As the encryption / decryption mechanism used in the forced encryption / decryption device, for example, an FPGA and an IP core (AES) are used (see Non-Patent Document 4).

Outbound Path Operation The server 11 encrypts the packet with the encryption key and sends it out to the network 12, and the network connection terminal 13 receives the sent packet from the network 12. The packet identified as received from the network 12 is separated into a header part and data. The source of this operation, that is, the identification mechanism is a network repeater or the like at the time the network became widespread (a signal identified as coming from the forward direction is amplified and sent out in the forward direction, and a signal identified as coming from the reverse direction). Is amplified and sent out in the reverse direction). The separated header portion is used by the network receiving terminal 13 to perform a handshake procedure defined in the Internet packet communication protocol for packet communication with the server. The handshake procedure of the packet communication is performed by the network connection terminal 13.

Receiving a check Almost Full flag from the first FIFO memory 16 ₁ is a network connection terminal 13, if yes, one data packet from the network connection terminal 13, the first FIFO memory 16 via the write port 17 ₁ Written to ₁ .

When the data unit forced encryption decoder 19 or the data processing apparatus 21 is decryption of the data portion of the packet received immediately before is completed, the read request is sent to the first FIFO memory 16 _1, the first FIFO memory 16 ₁ but passed from read ports 18 ₁ a data portion of the packet data unit forced encryption decoder 19.

The first FIFO memory 16 ₁ has a queuing operation for adjusting the time for decryption of the data unit. In addition, since data movement is strictly one-way, information leakage from the data part forced encryption / decryption device 19 is reliably prevented. The data portion of the decrypted packet passes to the data processing device 21. Signal from the FIFO memory 16 _1, the path to be transferred to the data processor 21 without passing through the data unit forced encryption decoder 19 is not present, hacker can not penetrate into this secret communication system.

Return to the operating data processing apparatus 21 checks the Almost Full flag of the second FIFO memory 16 _2, If yes, return (reply) data via the write port 17 ₂ for the second FIFO memory 16 ₂ Write to. Second FIFO memory 16 _2, while maintaining the order of writing, the reply data is sequentially moved from the write port 17 ₂ to the read port 18 _{and second} directions.

Second FIFO memory 16 _2, upon receiving a read request from the network connection terminal 13, and sends the data to the network connection terminal 13 through the read port 18 _2. This data is subjected to necessary processing by the network connection terminal 13, formed as a packet, and transmitted to the network 12.

  In this secret information communication system, a flash memory can be built in the data part forced encryption / decryption device 19. The configuration and function of the data part forced encryption / decryption device 19 will be described with reference to FIG. The data part forced encryption / decryption device 19 includes a flash memory 37, a data part decryption circuit 32, and an output destination switching unit 33. The flash memory 37 includes a program storage unit 38 and an encryption key storage unit 39.

Data sent from the first FIFO16 ₁ is applied to the decoding circuit 32. The decryption circuit 32 decrypts this data using the decryption key corresponding to the encryption key in the server 11 and read from the encryption key storage unit 39 of the flash memory 37. Next, the decrypted data is inspected by the output destination switching unit 33, and according to the type code of the original data, the encryption key, the program update data, and the like given by the server 11, the data processing device connection terminal 21, the flash It is sent to either the encryption key storage unit 39 of the memory or the program storage unit 38 of the flash memory 37. This type code may be described in a certain format in the data part so that it can be determined after decoding.

The operation of the output destination switching unit 33 will be described with reference to the flowchart of FIG. Packet data transmitted from the first FIFO memory 16 ₁ in the data portion signal circuit 32, in block 34, the type code is equal to or originally data are examined, in the case of Yes, the data processing device 21. In the case of No, it is sent to the block 35. At block 35, it is checked whether the type code is an encryption key. If yes, the type code is sent to the encryption key storage unit 39 in the flash memory 37, and if no, it is sent to block 36. At block 36, it is checked whether the type code is program update data, and if yes, it is sent to the program storage unit 38 in the flash memory. In the case of No, the data may be discarded or replaced with empty data and transmitted to the data processing device 21. As described above, according to the flowchart of FIG. 9, when the server 11 transmits the encrypted data to which the type code is added, such as the original data, the encryption key, and the program update data, the output switching unit 33 The output destination can be changed to a flash memory accordingly.

As described above, in the secret information communication system according to the first embodiment, the asynchronous FIFO memory is provided between the network connection terminal 13 and the data processing device 21. Packet data such as a file from a network 12 via a write port 17 ₁ of the asynchronous first FIFO memory 16 ₁ is written asynchronously first FIFO memory 16 _1. Data written asynchronously first FIFO memory 16 ₁ can be sequentially read from the read port 18 ₁ of the asynchronous first FIFO memory 16 ₁ only by the delay caused by queuing eliminated and decryption.

In order to realize sequential transmission and reception of a file such as a relay moving image, the packet transfer speed of the first FIFO memory and the decoding speed of the encryption / decryption decoder 19 must be higher than the packet transmission speed of the server 11. In the reverse direction, the packet transfer speed of the second FIFO memory must be equal to or greater than the packet transmission speed of the network connection terminal 13. The network connection terminal 13, the asynchronous FIFO memories 16 ₁ and 16 ₂ , the data part forced encryption / decryption device 19, and the data processing device 21 are connected by a bus connection, RS232C, or the like.

  As described above, the secret information communication system according to the first embodiment employs the asynchronous FIFO memory, so that the reception of each packet and the reading by the data processing device 21 can be sequentially and almost simultaneously performed. The data processing device 21 can perform, for example, time-shift reproduction and chase reproduction with respect to the data of the relay moving image. Reverse playback is also possible. For this reason, the secret information communication system according to the first embodiment can cope with a situation in which photographing itself takes time and data transmission / reception is not completed in a short time, such as remote surgery, drone operation, live broadcast, and TV telephone. I can do it.

Further, in the secret information communication system according to the first embodiment, since the data part forced encryption / decryption device 19 operates in the non-Neumann system, it is impossible to intrude an unauthorized program from the network connection terminal 13. In the first FIFO memory 16 _1, since the data transfer is one-way, information leakage from the data unit forced encryption decoder 19 to the network connection terminal 13 is completely blocked. Data transfer one way of the second FIFO memory 16 ₂ prevents intrusion from the network connection terminal 13 to the data processing unit 21. In this manner, the secret information communication system according to the first embodiment can prevent an unauthorized entry by a hacker via the secret information communication system.

(Embodiment 2)
Secret communication system of embodiment 2 shown in FIG. 4, the secret communication system of embodiment 1, 'and _1, the second additional FIFO memory 16' first additional FIFO memory 16 and _2, the first additional force decryption This is a system suitable for transmitting and receiving confidential information in a vehicle, in which a device 23, a second additional forced encryption / decryption device 25, and a vehicle-mounted computer are added. 'And _1, the second additional FIFO memory 16' first additional FIFO memory 16 of the _2, a first additional force decryptor 23, the onboard computer 29, respectively, the first FIFO memory 16 _1, the second the FIFO memory 16 _2, and the first data unit forced decryptor 19, in response to the data processing unit 21 functions similarly to those.

  The on-board computer 29 processes information collected from sensors in the car through the CAN and controls the car. The CAN (Controlled Area Network) is an international communication standard serial communication protocol connected to the vehicle-mounted computer 29. The data processing device 21 includes a remote monitor, a drive recorder, a car navigation system, and the like.

  The first additional forced encryption / decryption device 23 and the second additional forced encryption / decryption device 25 also have a filtering function for protecting confidential information. The first additional forced encryption / decryption device 23 and the second additional forced encryption / decryption device 25 are connected to an on-board computer 29 via an OBD2 connector 27. The OBD2 connector is a connector for using a self-diagnosis function (On-board Diagnostics) from outside the vehicle.

When the manager of the vehicle 30 wants to know the maintenance data such as the mileage, the battery voltage, the engine temperature or the like of the vehicle 30 or the data of the drive recorder via the Internet, the manager obtains the data. Is transmitted to the network connection terminal 13 via the network 12. The request is sent to the data processing device 21, the first FIFO memory 161 _{, and} the first additional forced encryption / decryption device 23. The rule of what kind of request is allowed is set in the ROM in the first additional forced encryption / decryption device 23. The manufacturer of the automobile 30 is set so that an inquiry request for information that the user does not want to be known to outside is not permitted. If the inquiry request from the user is permitted, the request is sent to the in-vehicle computer 29 via the OBD2 connector 27. The in-vehicle computer 29 generates data (distance, engine temperature, etc.) responding to the contents of the request, and stores the data in the OBD2 connector 27, the first FIFO memory 16 ′ ₂ , the data processing device 21, the second FIFO memory 16 _2. Send to the administrator via the network connection terminal 13 and the network 12.

Hacker, the unauthorized program such as to runaway car 30, when that has put feed network connection terminal 13 via the network 12, the first FIFO memory 16 ₁ and the data unit forced encryption decoder 19 is programmed in hardware Therefore, the unauthorized program does not reach the data processing device 21. Therefore, this unauthorized program is not sent to the on-board computer 29, and the car 30 does not run away.

  The data that the maker of the automobile 30 wants to keep confidential is filtered out by the second additional forced encryption / decryption unit 25 according to the rules set in the ROM. Therefore, among the data of the vehicle 30 collected through the CAN by the on-board computer 29, the data to be kept secret is not disclosed to the data processing device 21.

(Embodiment 3)
As shown in FIG. 5, the secret information communication system differs from the secret information communication system of the first embodiment in that a packet forced encryption / decryption unit 31 is The difference is that a decoder 31 and a data processing device connection terminal 22 connected between the network connection terminal 13 and the data processing device 21 are provided. The encryption / decryption process is performed by the data part forced encryption / decryption device 19 in the secret information communication system of the first embodiment, but is performed by the packet forced encryption / decryption device 31 in the secret information communication system of the third embodiment. As shown in FIG. 7, the packet forcing encryption / decryption unit 31 includes a data part decoding circuit 32 for decoding the data part of the packet, a header separation unit 40 for separating the header of the packet, and a header integration unit for integrating the header into the packet. And a unit 41. The data processing device connection terminal 22 switches between the input destination and the output destination, and sends the packet decrypted by the packet forcible encryption / decryption unit 31 to the data processing device 21.

  The packet forced encryption / decryption unit 31 receives a packet received by the network connection terminal 13. As shown in FIG. 7, in the packet forced encryption / decryption unit 31, first, the data header separation unit 40 divides a communication packet into a header part and a data part, temporarily stores the header part, and the data part decryption circuit 32 , Decrypts the data portion. The packet data header integration unit 41 reconstructs the encrypted and decrypted data portion as a communication packet by connecting it to the temporarily stored header portion, and sends it to the data processing device 21 via the data processing device connection terminal 22. When the encrypted and decrypted data portion is connected to the temporarily stored header portion and reconstructed as a communication packet, as shown in Non-Patent Document 6: TCP frame format, the header portion includes data length and the like. Some corrections are needed.

In the secret information communication system 1, in which communication according to the Internet procedure, so completed in the network terminal 13, the packets arriving to the network connection terminal 13 does not pass only the data portion in the first FIFO memory 16 _or later . That is, in the secret information communication system according to the first embodiment, the partner of the handshake communication with the server 11 according to the Internet communication protocol is the network receiving terminal 13. In the secret information communication system according to the first embodiment, the reply packet according to the Internet communication procedure is generated by the network connection terminal 13.

  On the other hand, in the secret information communication system according to the third embodiment, the partner of the handshake communication is the data processing device 21. A reply packet according to the Internet communication procedure is generated by the data processing device 21. The handshake communication according to the Internet protocol is performed between the server 11 and the data processing device 21, and an Internet packet passes between the network connection terminal 13 and the data processing device connection terminal 22, and the type of packet communication is performed. Is brought into the data processing device 21, so that the data processing device 21 can perform normal Internet communication processing. Between the network connection terminal 13 and the data processing device connection terminal 22, a network repeater (see, Non-Patent Document 8: Ethernet repeater) is a network connection. That is, the signal received by the network connection terminal 13 is an Internet packet, and the signal output by the data processing device connection terminal 22 is an Internet packet. The provision of the network repeater enables the data processing device 21 of the secret information communication system according to the third embodiment to perform normal Internet communication processing. For this reason, the connector to the data processing device at the end of the network is unplugged, and the secret information communication system according to the third embodiment is only interposed between the connectors. Communication support can be used as it is, and security can be strengthened. Also, for so-called streaming, the technology that has been used on the Internet can be used as it is.

  On the other hand, in the secret information communication system according to the first embodiment, since the partner of the handshake communication with the server 11 according to the Internet communication protocol is the network receiving terminal 13, the data processing device 21 performs the normal Internet communication processing. You can't do it. In the case of the data processing device 21, since existing streaming software cannot be used, chase reproduction and time shift reproduction software must be separately prepared.

Outbound Path Operation The server 11 encrypts the communication packet with the encryption key and sends it out to the network 12, and the network connection terminal 13 receives the packet sent out to the network 12.

Receiving a check Almost Full flag from the first FIFO memory 16 ₁ is a network connection terminal 13, if yes, one communication packet from the network connection terminal 13, the first FIFO memory 16 via the write port 17 _{1 1} Is written to.

Packet forced encryption decoder 31 or the data processing device connected terminal 22 has completed processing the communication packet received immediately before (decryption, etc.), to request a read on the first FIFO memory 16 _1. In response to the read request, the first FIFO memory 16 _1, the communication packet from the read port 18 _1, and passes the packet forced encryption decoder 31.

  As shown in FIG. 7, the communication packet is separated into a header part and a data part by a packet data header separation unit 40, the data part is decrypted by the data part decryption circuit 32, and the header part integration unit 41 re-headers the header part. And passed to the data processing device connection terminal 22. By being packetized again, the data processing device 21 (not the network receiving terminal 13) performs a handshake procedure for packet communication with the server 11. There is no path for the signal from the network connection terminal 13 to go to the data processing device connection terminal 22 without passing through the packet forced encryption / decryption unit 31.

Generation of Reply Packet When the data processing device 21 receives the decrypted communication packet from the network 12 via the network connection terminal 13, the packet forced encryption / decryption device 31, and the data processing device connection terminal 22, the data processing device 21 generates a reply packet. The data part of the reply packet should be encrypted if necessary. The reply packet is sent from the data processing device 21 to the data processing device connection terminal 22.

Return to the operating data processing apparatus connected terminal 22 checks the Almost Full flag of the second FIFO memory 16 _2, written in the second FIFO memory 16 ₂ the reply packet through the write port 17 _2. Second FIFO memory 16 _2, while maintaining the order of writing, a reply packet, sequentially moved from the write port 17 ₂ to the read port 18 _{and second} directions.

Second FIFO memory 16 ₂ is the read request from the network connection terminal 13, and sends the second FIFO memory 16 ₂ the reply packet, via the read port 18 ₂ to the network connection terminal 13. This reply packet is transmitted to the network 12 by the network connection terminal 13.

  In this secret information communication system, a flash memory can be built in the packet forced encryption / decryption unit 31. The configuration and function of the packet part forced encryption / decryption unit 31 will be described with reference to FIG. The packet forced encryption / decryption unit 31 includes a flash memory 37, a data part decryption circuit 32, an output destination switching part 33, a header part separation part 40, and a header part integration part 41. The flash memory 37 stores a processing program of the packet forcible encryption / decryption unit 31 and an encryption key.

The packets read out from the first FIFO16 _1, header is divided into the data part and the header in the header portion separating unit 40 is temporarily stored, the data unit is added to the data unit decoding circuit 32. The data part corresponds to the encryption key in the server 11, and is decrypted with the decryption key read from the encryption key storage part of the flash memory. The output data switching unit 33 inspects the decrypted data, and branches according to the type code such as the original data, the encryption key, and the program update data added by the server 11 according to the flow sheet of FIG. Are sent to the encryption key storage unit 39 of the flash memory and the program storage unit 38 of the flash memory. The original data that has arrived at the header integration unit 41 is integrated with the temporarily stored header, converted into an Internet packet again, and sent to the data processing apparatus connection terminal 22.

The data sent from the first FIFO16 _1, applied to the decoding circuit 32, wherein the response to the encryption key at the server 11, is decoded by the decoding key read from the encryption key storage portion of the flash memory. The output data switching unit 33 checks the decrypted data, and uses the type codes of the original data, the encryption key, the program update data, and the like assigned by the server 11 according to the flow sheet of FIG. It is branched and sent to the encryption key storage unit 39 of the flash memory and the program storage unit 38 of the flash memory. The description of the branch operation of the output destination switching unit 33 is the same as the description of the paragraph 0044 based on the flowchart of FIG.

As described above, in the secret information communication system according to the third embodiment, the asynchronous FIFO memory is provided between the network connection terminal 13 and the data processing device 21. Communication packet network 12 is received via the write port 17 ₁ of the asynchronous first FIFO memory 16 ₁ is written asynchronously first FIFO memory 16 _1. Packet written asynchronously first FIFO memory 16 ₁ can be read only by the delay of the queue eliminated from the read port 18 ₁ of the asynchronous first FIFO memory 16 _1.

In order to realize the sequential transmission and reception of the relay moving image file data in real time, the packet transfer speed of the first FIFO memory and the decoding speed of the encryption must be higher than the packet transmission speed from the server 11. In the reverse direction, the packet transfer speed of the second FIFO memory must be higher than the packet transmission speed of the network connection terminal 13. The network connection terminal 13, the asynchronous FIFO memories 16 ₁ and 16 ₂ packet forced encryption / decryption unit 31, and the data processing device 21 are connected by a bus connection, RS232C, or the like.

  As described above, in the secret information communication system according to the third embodiment, the reception of the communication packet and the reading by the data processing device 21 are sequentially and almost simultaneously performed by employing the packet forced encryption / decryption device 31 and the data processing device connection terminal 22. Therefore, the data processing device 21 enables streaming reproduction even with a large amount of data. Further, this secret information communication system can cope with a situation in which photographing itself takes time and data transmission / reception is not completed in a short time, such as remote surgery, drone operation, live broadcast, and TV telephone.

Further, in the secret information communication system according to the third embodiment, since the packet forcible encryption / decryption unit 31 operates in the non-Neumann system, even if an unauthorized program attempts to enter from the network connection terminal 13, the entry operation cannot be performed. Furthermore the first FIFO memory 16 ₁ On the other hand prevents so way that even leakage of information from the packet forced encryption decoder 31 to the network connection terminal 13. One way of the second FIFO memory 16 ₂ prevents intrusion from the network connection terminal 13 to the data processing unit 21. In this manner, the secret information communication system according to the third embodiment can prevent an unauthorized entry by a hacker through the secret information communication system.

  The operation algorithm (FPGA configuration, Harvard microcomputer program) and encryption key of the data part forced encryption / decryption device 19 and the packet forced encryption / decryption device 31 are stored in the flash memory incorporated in the two forced encryption / decryption devices 19 and 31. Is stored in When the compulsory encryption / decryption devices 19 and 31 also incorporate this flash memory updating means, the server sends the encrypted update data to the compulsory encryption / decryption devices 19 and 31 within the validity period of the encryption key. Thus, after decryption, the flash memory can be updated only inside the forced decryption device.

  The encryption / decryption key or the forced encryption / decryption program may be updated via the data processing device 21 once, using a USB cable or the like (not shown). However, it is more secure to add an updating mechanism to the forced encryption / decryption itself. This is because the data processing device may be maliciously modified depending on the usage mode. Even if the data processing device is abused by a hacker like a car, it can be expected to be resistant.

  The secret information communication system of the invention of the present application can also have a function of inspecting a targeted attack mail or the like. If the server 11 adds a copy of the header part of the original packet or a digest function of the data part to the data part, the data processing device can use the data part for authentication.

  When the function of the first FIFO memory is expanded as follows, a honey trap is obtained. If the read data is read from the read port of the first FIFO, and the read data is separately stored without being deleted, malicious packets can be stored in a raw state without hindering secure operation.

By using two commercially available Ethernet controllers (choose one with a built-in FIFO) and a microcomputer, the functions such as packet separation / integration, queuing, and encryption / decryption can be realized in an integrated form. As shown in Fig. 6, _two commercially available Ethernet controllers 42 ₁ and 42 ₂ (DingDong W5500: with built-in FIFO) are used, and packet forced encryption / decryption is performed by a commercially available microcomputer (ARM MCU: with built-in flash memory). To implement the secret information communication system of the third embodiment. The microcomputer 43 has a flash memory, an arithmetic circuit, a dynamic memory, and an input / output circuit, and realizes functions such as packet forced decoding, data section separation, and data section integration.

  A method of writing hardware in the FPGA by writing an operation algorithm in Verilog-HDL and converting it into configuration data and burning it to a flash memory can also be adopted. In this case, the present invention is suitable for making the whole of the present invention into an IC.

11 Server 12 Network 13 Network Connection Terminal 16 ₁ First FIFO Memory 16 ₂ Second FIFO Memory 17 ₁ Write Port 17 of First FIFO Memory ₂ Write Port 18 of Second FIFO Memory ₁ Read Port 18 of First FIFO Memory 18 _2nd Second FIFO memory read port 19 Data section forced encryption / decryption device 21 Data processing device 16 ' ₁ First additional FIFO memory 16' ₂ Second additional FIFO memory 22 Data processing device connection terminal 23 First additional forced encryption / decryption device 25 Second additional forced encryption / decryption device 27 OBD2 connector 29 In-vehicle computer 30 Automobile 31 Packet forced encryption / decryption device 32 Data unit decryption circuit 33 Output destination switching unit 34 Data processing device connection terminal switching unit 35 Encryption key update switching unit 36 Program update switching unit 37 Flash memory 38 Grams housing section 39 encryption key storing unit 40 packet data header separating unit 41 packet data header integrating unit 42 ₁ Ethernet controller 42 ₂ Ethernet controller 43 microcomputer

Claims (4)

Server and
A network connection terminal,
A network connected between the server and the network connection terminal;
A data processing device;
A first FIFO memory connected to the network connection terminal;
A data part forced encryption / decryption device connected between the first FIFO memory and the data processing device;
A second FIFO memory connected between the data processing device and the network connection terminal,
A secret information communication system comprising:
The network connection terminal and the data processing device independently access the first and second FIFO memories,
The first FIFO memory, the second FIFO memory and the data part forced encryption / decryption device operate in a non-Neumann manner;
The first and second FIFO memories are each asynchronous.
Secret information communication system.   2. The secret information communication system according to claim 1, wherein the data part forced encryption / decryption unit includes a flash memory and means for updating contents of the flash memory. Server and
A network connection terminal,
A network connected between the server and the network connection terminal;
A data processing device connection terminal;
A data processing device connected to the data processing device connection terminal;
A first FIFO memory connected to the network connection terminal;
A packet forced encryption / decryption device connected between the first FIFO memory and the data processing device connection terminal;
A second FIFO memory connected between the network connection terminal and the data processing device connection terminal,
A secret information communication system comprising:
The network connection terminal and the data processing device independently access the first and second FIFO memories,
The first FIFO memory, the second FIFO memory, and the packet forcible decryptor operate in a non-Neumann manner;
The first and second FIFO memories are each asynchronous.
Secret information communication system. 4. The secret information communication system according to claim 3, wherein the packet forcible decryption unit includes a flash memory, and means for updating contents of the flash memory.

Images