JPH10215243A - Encryption communication method using agent, and mobile code storage medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To obtain the strength of encryption and the speed not practically being a problem in the case of encryption communication of real time data with respect to encryption communication method using an agent and to allow terminals of communication to attain encryption communication even when they have no program of the same encryption method in advance. SOLUTION: An encryption method is integrated in a software called an agent and described in mobile codes 11, a server sends the agent (trusted agent 17) to a client to which the server is going to start communication. Then an encryption communication channel 18 is reserved between a trusted agent 14 being a resident program in the server and the trusted agent 17 received by the client and encryption communication is conducted by the private encryption system.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION The present invention relates to a computer-to-computer communication in which eavesdropping, interception and alteration of information are impossible.
The present invention relates to an encrypted communication method using an agent.

[0002]

2. Description of the Related Art In recent years, the importance of information security has been increasing with the explosive spread of the Internet. Conventionally, in information communication security, terminals perform encryption using a common encryption key. For example, information is encrypted using DES (Data Encryption Standard) to perform communication, or public keys are exchanged for public communication. It has been secured by encrypting information using a key encryption method (for example, RSA) and performing communication.

In order to enhance the security of the encryption system,
For example, a method of changing an encryption key and an encryption method with time as described in Japanese Patent Application Laid-Open No. 1-212041 is known.

[0004]

In a conventional general cryptographic communication system, a method of encrypting the encryption method itself is disclosed, and in order to secure the encryption strength, a key required for encryption is used. The bit length had to be increased.
If the bit length of the key required for encryption is long, the processing time of encryption is inevitably long, and when encrypting a real-time application (audio / image, etc.),
Conventional DES and RSA have a problem in processing speed.

[0005] Further, in a system in which the combination of an encryption key and an encryption system is changed with time between a terminal and a host attempting to perform encrypted communication, an encryption system previously used for the terminal and the host is used. And key must be registered. Therefore, there is a problem that it is necessary to install a plurality of used encryption methods and encryption keys each time a new terminal is added.

SUMMARY OF THE INVENTION It is an object of the present invention to provide a speed and a cryptographic strength which have no practical problem even when a real-time application is encrypted when performing cryptographic communication of real-time data. Still another object of the present invention is to enable encrypted communication even if the communicating terminals do not have the same encryption program in advance.

[0007]

According to the present invention, an encryption method is incorporated in software called an agent, and the agent is realized by a mobile code (a language system movable on a network) to perform encrypted communication. Encrypted communication is performed by sending / receiving this agent to / from the terminal. When sending / receiving an agent, the agent itself is encrypted and sent.

When this method is adopted, encrypted communication is possible only by sending an agent having encryption means necessary for performing encrypted communication to the terminal of the other party or by bringing the agent to the terminal itself. You do not need to be aware of the encryption method used for In addition, the encryption method may be kept secret, and the encryption strength can be secured by changing the key required for encryption synchronously and irregularly or periodically between the agents, thereby ensuring the encryption method itself. , It is possible to adopt a lightly processed one.

More specifically, the present invention relates to an encrypted communication method for communicating encrypted information between information processing apparatuses, wherein a software called an agent in which an encryption method described in a mobile code is incorporated in advance is used to perform encrypted communication. The method includes a step of sending to the communication partner device to be performed, and a step of performing cryptographic communication using the encryption method between the agent sending to the communication partner device and the agent of the own device. Hereinafter, an agent that performs cryptographic communication according to the method of the present invention will be referred to as a trusted agent.

Further, in the present invention, parameters required for the encryption method are changed between the trusted agents irregularly or periodically in synchronization. Alternatively, a plurality of encryption methods may be provided to the trusted agent, and the encryption methods used irregularly or periodically may be synchronously switched between the trusted agents.

In addition, an encryption method selection server for instructing the encryption method to be used for a trusted agent having a plurality of encryption methods is provided on a network, and the encryption method selection server indicates the encryption method to be used for the trusted agent. Thus, the encryption method used between the trusted agents may be synchronously switched.

Further, a means for selecting an encryption method to be used for a trusted agent having a plurality of encryption methods is provided with a synchronization function, so that an encryption method used without performing communication between agents attempting to perform encrypted communication is synchronized. May be switched irregularly.

As a cryptographic method to be incorporated in the trusted agent, for example, a pseudo-random number whose processing is light is used for decryption. The seed of the pseudo-random number is generated, for example, by a trusted agent on the server side, and the seed is changed irregularly or periodically.

A seed server for generating the seed of the pseudorandom number is provided separately from the device on which the trusted agent operates, and the seed generated by the seed server irregularly or periodically is transmitted in synchronization with the trusted agent. It may be.

The seed generating means for generating the seed of the pseudorandom number may be provided with a synchronization function so that the seeds are synchronously and irregularly switched without performing communication between agents attempting to perform cryptographic communication. .

In particular, when encrypted information is to be communicated between three or more information processing apparatuses, for example, an agent distribution server having a mobile code of a trusted agent is provided. The mobile code of the trusted agent is transmitted to a plurality of information processing apparatuses that intend to perform cryptographic communication, and the trusted agent transmitted between the plurality of information processing apparatuses performs the cryptographic communication. The parameters required for the encryption method of the trusted agent may be changed synchronously, or the encryption method used by the trusted agent for the encryption communication may be switched in synchronization with a different encryption method. This method can be applied to an electronic conference system or the like.

As described above, the mobile code for realizing software called an agent in which a cryptographic method is incorporated in advance can be stored in an appropriate storage medium readable by a server of an information processing apparatus that requires cryptographic communication. it can.

[0018]

FIG. 1 is a schematic explanatory diagram of the present invention. In FIG. 1, reference numeral 10 denotes a server-side information processing device for performing cryptographic communication, 11 denotes a mobile code of a trusted agent described in a language system movable on a network, and 12 denotes a mobile device of a trusted agent to a client information processing device. A trusted agent sending means for sending a code, 13 is an application program for transmitting and receiving data and performing predetermined processing, 14 is a resident trusted agent, 15 is a client side information processing device, 16 is an application program, and 17 is a trusted agent The trusted agent 18 based on the mobile code sent from the sending means 12 represents an encrypted communication path for communication of encrypted information.

The information processing apparatus 10 on the server side includes an application program 13, a trusted agent 14 incorporating a resident encryption system, a storage means for a mobile agent 11 of a trusted agent incorporating a mobile encryption system, It comprises a trusted agent sending means 12 for sending the mobile code to the information processing device 15 of the communication partner.
And a trusted agent 17 based on a mobile code 11 incorporating the encryption system transferred from the information processing apparatus 10.

The operation of the system shown in FIG. 1 is as follows. First, prior to the communication, the trusted agent mobile unit 12 sends the mobile code 11 of the trusted agent from the information processing device 10 on the server side to the information processing device 15 on the client side. At this time, the mobile code 11 is encrypted and transferred using a conventional encryption method such as RSA or RSA + DES.
The conventional encryption such as RSA or DES for data that requires real-time properties, such as voice or image data, has a problem in processing speed. However, the mobile code 11 of the trusted agent can be converted to RSA or DES. Even if the encryption is performed, the encryption and decryption need only be performed once at the first time, and the data amount is not so large as the voice and image data, so that the processing speed does not matter.

Next, the resident trusted agent 14 of the information processing device 10 and the trusted agent 17 of the information processing device 15 establish an encryption communication path 18 by a unique encryption method. Thereafter, the trusted agent 14 and the trusted agent 17 intercept the eavesdropping in cooperation with the application programs 13 and 16, respectively.
Perform encrypted communication of data that you do not want to be tampered with. Also,
The key required for the secret encryption system is secured from the resident trusted agent 14 or the mobile trusted agent 17 synchronously and irregularly or periodically between agents to secure the encryption strength.

FIG. 2 is a configuration diagram of a trusted agent described in a mobile code. The mobile code 11 of the trusted agent 17 is shown in FIG.
As shown in FIG. 1A, the interface section 11-1 includes an application interface section 11-1 and an encryption section 11-2. Interface section 11-1 with application
Plays a role in mediating the exchange of signals between the normal application program 16 and the encryption unit 11-2, and the encryption unit 11-2 encrypts / decrypts the signal from the interface unit 11-1 with the application. A chemical treatment is performed.

As shown in FIG. 2B, an application program unit 11-3 is stored in the mobile code 11.
And the application program itself can be described in mobile code and included in the trusted agent.

FIG. 3 is a diagram showing another embodiment of the present invention. The cryptographic communication system shown in FIG. 3 includes a workstation A20, an application program 21, a trusted agent 22 incorporating a cryptosystem, another workstation B30, and a workstation B30.
Application program 31, a trusted agent 32 using a mobile code transmitted from the workstation A20, and the Internet (In).
ternet) 19.

The trusted agent 22 operating on the workstation A 20 comprises an interface 23 with an application, an encryption method selection means 24, an encryption method selection control means 25, and means for implementing a plurality of encryption methods 26 to 29. The trusted agent 32 operating on the workstation B30 includes an interface 33 with an application, an encryption method selection unit 34,
It is constituted by means for realizing a plurality of cryptosystems 35-38.

The operation of the cryptographic communication system shown in FIG. 3 is as follows. First, a mobile code describing the mobile trusted agent 32 is encrypted and transferred from the workstation A20 to the workstation B30.

Next, the encryption method selection control means 25 of the workstation A 20 determines the encryption method required for the encrypted communication, and the encryption method selection means 2 of the workstation A 20.
4 and the encryption system selection means 34 of the workstation B30, information on which encryption system to use is transferred. As a result, an encrypted communication path is secured.

The communication data required by the application program 21 is encrypted using the encryption system selected by the encryption system selection means 24 via the interface 23 with the application. FIG. 3 shows a state where the first encryption method 26 is selected.

The encrypted information is transmitted to the Internet 19
To the work station B30. The information received by the workstation B30 is decrypted by the encryption method (in this example, the first encryption method 35) selected by the encryption method selection means 34, and is transmitted to the application of the workstation B30 via the interface 33 with the application. Delivered to the program 31.

The transmission of information from the application program 31 of the workstation B30 to the application program 21 of the workstation A20 is also performed in exactly the same manner as encrypted.

The encryption system selection control means 25 of the workstation A 20 selects a new encryption system at irregular intervals in order to make it difficult to break the encryption, and the workstation A 20
Encryption system selection means 24 and workstation B3
The encryption strength is increased by transferring the information of the selected encryption method to the 0 encryption method selection means 34.

In this embodiment, the encryption system selection control means 25 is provided in the workstation A20.
A server such as an encryption system selection server may be provided on the network, and another device in the network may control the selection of the encryption system. In addition, the encryption method itself is not installed in the agent in advance, but a server such as an encryption method delivery server is provided on the network.
The means for implementing the mobile code-based encryption method may be delivered to the agent.

FIG. 4 is a diagram showing a configuration example of another embodiment of the present invention. In this cryptographic communication system, those having the same reference numerals as those in FIG. 3 described above are the same as those shown in FIG. In this example, the mobile trusted agent 3
Instead of setting the selection of encryption method 2 from the transfer information from the encryption method selection control means 25 in the resident trusted agent, the encryption method selection control means 39 is provided in the mobile trusted agent 32. , Differs from the example of FIG.

The operation of this system is as follows. First, a mobile code describing the mobile trusted agent 32 is encrypted and transferred from the workstation A20 to the workstation B30.

Next, the encryption method selection control means 25 of the workstation A 20 and the encryption method selection control means 39 of the workstation B 30 determine the encryption method required for the encryption communication, and the encryption method selection means 24 of the workstation A 20 Information on which encryption method is to be used is transferred to the encryption method selection means 34 of the workstation B30. At this time, the encryption system selection control means 25 of the workstation A20 and the workstation B30
Since the encryption system selection control means 39 has a synchronization function in the encryption system selection, the workstation A 20
In the workstation B30, the same encryption method is always selected without exchanging information between the workstations. As a result, an encrypted communication path is secured.

The communication data required by the application program 21 is encrypted by using the encryption method selected by the encryption method selection means 24 via the interface 23 with the application. FIG. 4 shows a state where the first encryption method 26 is selected.

The encrypted information is transmitted to the Internet 19
To the work station B30. The information received by the workstation B30 is decrypted by the encryption method (in this example, the first encryption method 35) selected by the encryption method selection means 34, and is transmitted to the application of the workstation B30 via the interface 33 with the application. Delivered to the program 31.

The transmission of information from the application program 31 of the workstation B 30 to the application program 21 of the workstation A 20 is also performed in exactly the same manner as encrypted.

The encryption method selection control means 25 of the workstation A 20 and the encryption method selection control means 39 of the workstation B 30 select a new encryption method at random to make decryption difficult, and select the encryption method of the workstation A 20. The encryption strength is increased by synchronously transferring the information of the selected encryption method to the means 24 and the encryption method selection means 34 of the workstation B30.

FIG. 5 is a diagram showing an example of the configuration of the encryption system. The encryption system portion is logically composed of an exclusive OR generator 40 and a pseudorandom number generator 41 having a variable period, as shown in FIG. 5A, for example. The encryption information is generated by inputting a random number from the pseudo-random number generator 41 and a signal input as non-encryption information to the exclusive OR generator 40.

FIG. 5B shows another example of the encryption system. In this example, in addition to the exclusive-OR generator 40 and the pseudo-random number generator 41 having a variable period, the encryption system part includes a seed (SEED) unit 42 for generating pseudo-random numbers and a seed (SEED) irregularly. To change to SEE (SEE
D) It comprises a change unit 43.

The generation of the encryption information is performed by the pseudo random number generator 41.
5 by inputting a random number from the input and a signal input as non-encrypted information to the exclusive OR generator 40, as shown in FIG.
Same as the method (A), except that the seed of the pseudo-random number generated by the seed changing unit 43 is irregularly sent to the seed unit 42 to change the period of the pseudo-random number and further increase the encryption strength. I can do it.

FIG. 6 is a diagram showing an example of a hardware-based pseudo-random number generator, FIG. 7 is a diagram showing the configuration of a three-stage pseudo-random number generator for generating an M-sequence, and FIG. It is a figure showing an example of a generation method.

A method of changing the period of the pseudo random number will be described. The period of the pseudo-random number generator can be realized in hardware, for example, by changing the number of stages and connections of a linear feedback shift register system that generates pseudo-random numbers.

FIG. 6 shows an example. In FIG.
Is a shift register, 45 is a path control unit, s0 to s12 and sa to sl are switches for path connection, x1 to
x12 represents an exclusive OR circuit, and r1 to r13 represent bit elements of the shift register 44. By controlling the path connection / disconnection by the switches s0 to s12 and sa to sl by the path control unit 45, the feedback of r1 to r13 in the shift register 44 can be controlled, and the period of the pseudorandom number can be changed.

Now, consider realizing a pseudo-random number generator that generates three stages of M-sequences. A primitive polynomial that generates a three-stage M sequence is represented by x ³ + x + 1, and the hardware configuration is as shown in FIG. In FIG. 7, reference numeral 44 denotes a shift register, and 46 denotes an exclusive OR circuit. Therefore, in order to realize the configuration shown in FIG. 7 in the pseudo random number generator shown in FIG.
And switch sb are turned on, and the remaining switches are turned off
Can be realized.

The number of stages n and primitive polynomials and periods for generating M sequences are shown below. For example, to realize a pseudo-random number generator with six stages,
Since it is sufficient to add r6 and r1 shown in FIG. 6 and feed back to r6, the switches s5 and se are turned on.
What should I do?

FIG. 8 shows a variation of the pseudo-random number generation method combining the above-described pseudo-random number generators.
FIG. 8A is an example in which the output of the pseudo random number generator 41 realized by the method shown in FIG. In FIG. 8B, two outputs of a pseudo random number generator 41a and a pseudo random number generator 41b are input to an exclusive OR circuit 47, and the output is used as a pseudo random number. FIG. 8C shows three pseudo random number generators 41c, 41d, 4
1e and a switch 48, two pseudo random number generators 4
The outputs from 1c and 41d are input to the switch 48, and the output from another pseudorandom number generator 41e is used to perform switching by the switch 48.
It is configured to select the output of 41d.

In the trusted agent according to the present embodiment, in order to generate a pseudo random number, a mobile code for realizing the above operation may be described in software.

FIG. 9 shows the encryption system selection control means 25 and 39.
5 is a flowchart showing the operation of the synchronization function of FIG. This function uses a feature that if the given initial seed is the same, such as a pseudo-random number, the pseudo-random numbers generated thereafter will be the same.

First, an initial seed is created from the time, date, day of the week, etc. of the workstation, and the encryption system selection control means 2 for the resident and mobile trusted agents is provided.
It is set to 5, 39 (step S1). In each of the encryption method selection control means 25 and 39, a pseudo random number is generated from the initial seed by a pseudo random number generator (step S2). Next, an encryption method to be selected from the generated pseudo random numbers is determined (step S3). Next, information on the selected encryption method is transferred to the encryption method selection means 24, 34 (step S4). Further, a timing for changing the method is determined (step S5). This timing is, for example, the number of packets to be transmitted or the time. When the timing for changing the encryption method comes (step S6), a new pseudo-random number is generated using the previously generated pseudo-random number as a seed (step S7), and the above processing is repeated thereafter.

FIG. 10 shows a configuration example of a cryptographic communication system for changing a seed (SEED) for generating a pseudo-random number. This cryptographic communication system uses a workstation A5
0, an application program 51, a trusted agent 52 incorporating a cryptosystem, another workstation B54, an application program 55 of the workstation B54, a trusted agent 56 incorporating a cryptosystem, and the Internet 58.

The trusted agent 52 comprises an interface 53 with an application, an exclusive OR generator 40, a pseudorandom number generator 41, a seed unit 42, and a seed generator 43. The trusted agent 56 is realized by a mobile code transmitted from the workstation A 50, and includes an interface 57 with an application, an exclusive OR generator 40 ', a pseudorandom number generator 41', and a seed unit 42 '. .

The operation of the system shown in FIG. 10 is as follows. First, the trusted agent 56 described in the mobile code is transmitted to the workstation A5.
0 to the workstation B54.

Next, the seed generated by the seed generation unit 43 of the workstation A 50 is transferred to the seed unit 4 of the workstation A 50 and the workstation B 54.
2 and 42 ', and an encrypted communication path is secured. The necessary communication data of the application program 51 is sent to the exclusive-OR generator 40 via the interface 53 with the application, and the exclusive-OR is calculated with the pseudo-random number generated by the pseudo-random number generator 41. Encrypted. The encrypted information is sent to the Internet 58
Is sent to the workstation B54.

The information received by the workstation B54 is decrypted by the exclusive OR generator 40 'and transferred to the application program 55 of the workstation B54 via the interface 57 with the application.

The seed generation unit 43 of the workstation A 50 generates a new seed at irregular intervals in order to make the decryption of the encryption difficult, and transfers the seed to the seed units 42 and 42 ′ of the workstation A 50 and the workstation B 54. Strength has been increased.

FIG. 11 is a diagram showing a configuration example of another embodiment of the present invention. In this cryptographic communication system, those having the same reference numerals as those in FIG. 10 described above are the same as those shown in FIG. In this example, the workstation A50 does not have the seed generation unit 43, but a seed server 59 for generating a seed for pseudorandom number generation is provided separately from the workstations A50 and B54 that actually perform the cryptographic communication. Is different from the example of FIG.

The operation of this system is as follows. First, the trusted agent 56 described in the mobile code is transferred from the workstation A50 to the workstation B54.

Next, a seed necessary for encrypted communication is supplied from the seed unit 42 of the workstation A 50 to the seed server 59.
Request to. The seed server 59 generates a seed, and transfers the generated seed to the seed units 42 and 42 ′ of the workstation A50 and the workstation B54. As a result, an encrypted communication path is secured.

The necessary communication data of the application program 51 is sent to the exclusive OR generator 40 via the interface 53 with the application, and the exclusive OR of the pseudorandom number generated by the pseudorandom number generator 41 is calculated. Taken and encrypted. The encrypted information is sent to the workstation B54 via the Internet 58.

The information received by the workstation B 54 is decoded by the exclusive OR generator 40 ′ and transferred to the application program 55 of the workstation B 54 via the interface 57 with the application.

In the seed server 59, a new seed is generated at irregular intervals in order to make decryption difficult, and is transferred to the seed units 42 and 42 'of the workstations A50 and B54, thereby increasing the encryption strength. .

FIG. 12 is a diagram showing a configuration example of still another embodiment of the present invention. In this cryptographic communication system, the same reference numerals as those in FIGS.
This is the same as that shown in FIGS. 10 and 11. This example differs from the examples of FIGS. 10 and 11 in that the seed generation units 43 and 43 ′ having a synchronization function are provided in the workstation A50 and the workstation B54, respectively.

The operation of the system shown in FIG. 12 is as follows. First, the trusted agent 56 described in the mobile code is transmitted to the workstation A5.
0 to the workstation B54.

Next, the seeds generated by the seed generator 43 of the workstation A50 and the seed generator 43 'of the workstation B54 are transferred to the seed generator 4 of the workstation A50 and the workstation B54.
2 and 42 ', and an encrypted communication path is secured. At this time, since the seed generator 43 of the workstation A50 and the seed generator 43 'of the workstation B54 have a synchronization function, the seed generator 4 of the workstation A50 and the workstation B54 has a synchronous function.
The seeds transferred to 2, 42 'are the same.

The communication data required by the application program 51 is sent to the exclusive OR generator 40 via the interface 53 with the application, and the exclusive OR of the pseudorandom number generated by the pseudorandom number generator 41 is calculated. Taken and encrypted. The encrypted information is sent to the workstation B54 via the Internet 58.

The information received by the workstation B 54 is decoded by the exclusive OR generator 40 ′ and transferred to the application program 55 of the workstation B 54 via the interface 57 with the application.

The seed generators 43 and 43 'of the workstations A50 and B54 generate new seeds synchronously and irregularly in order to make decryption difficult, and the seeds 42 and 43' of the workstations A50 and B54. , 42 ′ to increase the signal strength.

FIG. 13 is a flowchart showing the operation of the synchronization function of the seed generators 43 and 43 '. This function uses a feature that if the given initial seed is the same, such as a pseudo-random number, the pseudo-random numbers generated thereafter will be the same.

First, an initial seed is created from the time, date, day of the week, etc. of the workstation, and seed generators 43 and 4 of the resident and mobile trusted agents are created.
It is set to 3 '(step S11). In each of the seed generators 43 and 43 ', a pseudo random number is generated from the initial seed by a pseudo random number generator (step S1).
2). Next, the generated pseudo-random numbers are used as adaptive seeds (step S13), and information is transferred to the respective seed units 42 and 42 '(step S14). Further, the timing for changing the seed is determined (step S15). This timing is, for example, the number of packets to be transmitted or the time. When it is time to change the seed of the pseudo-random number (step S16), a new pseudo-random number is generated using the previously generated pseudo-random number as a seed (step S17), and the above process is repeated thereafter.

FIG. 14 is a configuration diagram in the case where a trusted agent incorporating a cryptosystem is applied to the application of the WWW (World Wide Web). The server side is composed of a WWW server 60, a trusted agent 61 resident on the server side and incorporating an encryption system, and an applet (Applet) 62 incorporating an encryption system in advance. On the client side, a WWW browser 63 is configured. The applet 62 corresponds to the mobile trusted agent described in the above example.

The operation of this system is as follows. First, on the WWW browser 63 on the client side,
When the WWW server 60 is accessed, the applet 62 in which the encryption method is installed from the server side is installed in the WWW browser 63 on the client side.

Next, the applet 62 makes a request for information to the WWW server 60, which is performed via the trusted agent 61 incorporating a resident encryption system. The request information sent from the WWW server 60 from the client side is encrypted by the trusted agent 61 incorporating the resident encryption method using, for example, the encryption method described above, and sent to the client side. It is.

On the other hand, since the applet 62 that has received the encrypted information knows in advance the method of decrypting the encrypted information on the server side, the applet 62 decrypts the encrypted information received from the WWW server 60 according to the procedure. And WWW
By passing the information to the browsing software of the browser 63, desired information can be received via the encryption communication path 64.

FIG. 15 is a diagram showing another embodiment of the present invention, and shows a configuration example in the case where the present invention is applied to an image transmission system or an audio transmission system. In this example, a trusted agent incorporating a cryptosystem is incorporated in an application for image transmission and audio transmission.

The workstation 70 on the image and audio transmitting side includes a camera 71, an analog / digital (A / D) converter 72, a frame buffer 73, a microphone 74, an analog / digital (A / D) converter 75, It comprises a buffer 76 and a trusted agent 77 incorporating a resident encryption method, and has a mobile trusted agent 78 mobile code incorporating an image reproduction / audio reproduction encryption method.

The workstation 80, which is the receiving side of the image / sound, includes the mobile trusted agent 78, the frame buffer 82, and the encryption system for the image / sound reproducing sent from the workstation 70 on the transmitting side. Digital / analog (D / A) converter 83,
The display 84 and the buffer 8 for receiving audio data
5, a digital / analog (D / A) converter 86 and a speaker 87.

The operation of this system when transmitting and receiving images is as follows. First, the workstation 80 on the image receiving side issues a transmission request to the workstation 70 on the image transmitting side from the mobile trusted agent 78 incorporating the encryption method for image reproduction. Then, the workstation 70 on the image transmitting side moves the trusted agent 78 necessary for receiving the image to the workstation 80 on the receiving side. Thus, the reception preparation is completed.

The transmitting workstation 70 converts the image data captured from the camera 71 into a digital signal by the analog / digital converter 72 and sends it to the frame buffer 73. The frame buffer 73 stores the image data from the analog / digital converter 72, and a trusted agent 77 incorporating encryption.
Absorbs the difference in processing speed for encryption processing.

Next, the output signal from the frame buffer 73 is encrypted by the trusted agent 77 incorporating the encryption method and transmitted to the network. At the receiving workstation 80, the trusted image 78 receives the encrypted image signal and decrypts it. The decoded image signal is returned to an analog signal by a digital / analog converter 83 via a frame buffer 82 on the receiving side, and is displayed on a display 84.

The operation for transmitting voice in the system shown in FIG. 15 is almost the same as the above description. Real-time data replaces the image information with audio information,
The input part of the real-time data is from the camera 71 to the microphone 7
The basic operation is the same as that of FIG. 4 except that the output unit is replaced with the speaker 87 from the display 84, and the detailed description is omitted.

FIG. 16 is a block diagram showing a case where an agent incorporating a cryptosystem is incorporated in an application of an electronic conference system. The electronic conference system according to the present embodiment
It comprises an agent distribution station 90, a plurality of hosts 91 to 94, a network 95, and a multicast communication path 96. Network 95 and multicast communication path 9
6 may be realized by one local area network (LAN) or the like. First, the host participating in the electronic conference communicates with the agent distribution station 9 to form an encrypted communication path.
For 0, an agent delivery request is made. The agent distribution station 90 distributes the mobile code of the mobile trusted agent 97 incorporating the encryption method to the host that has made the request.

Next, an encrypted communication path using the multicast communication path 96 is secured between the trusted agents 97, and an encrypted electronic conference is started. Agent Distribution Bureau 9
0 is an encryption method selection server, an encryption method distribution server, or the seed server 59 shown in FIG.
It is possible to have functions such as the above.

Next, the interface between the trusted agent and the application will be described. FIG.
FIG. 7 is an explanatory diagram of a change of a communication target of an application program for using the trusted agent according to the present invention.

For example, as shown in FIG. 17A, a general case is considered where the information processing apparatus 10 of the host A and the information processing apparatus 15 of the host B are communicating. As the setting of the application program 13 of the host A, the information processing device of the communication partner is specified as the host B, and the communication port is specified as the port that the application program 16 of the host B receives. In the setting of the application program 16 of the host B, the information processing apparatus of the communication partner is specified as the host A, and the communication port is specified as the port that the application program 13 of the host A receives.

When the trusted agents 14 and 17 are used to implement the present invention as shown in FIG. 17B, the setting of the application program 13 of the host A is performed by setting the information processing device of the communication partner to its own device. The host A is designated, and the communication port is designated as the port that the trusted agent 14 of the host A receives. The settings of the application program 16 of the host B include:
Designate the information processing device of the communication partner as the host B of the own device,
Change the communication port to Trusted Agent 17 of Host B
Specify the port to receive. By making such a change, it is possible to communicate encrypted information between the application programs 13 and 16 without changing the application programs 13 and 16 at all, and by making the communication path via the trusted agents 14 and 17.

The setting of the proxy (port via communication) is also
This is essentially the same as the change of the communication partner described above. If the application program has a proxy setting function, set the trusted agent host and port there.

Application Interface (AP
Regarding I), the API prepared by the trusted agent is used instead of the API prepared for communication by the system. Usually, this method requires modifying and compiling the program source.

For example, when there is no trusted agent, the portion described as "open ();" is replaced by "op" when the trusted agent is used.
enTrusted (); "and recompile.

For example, the trusted agent may be realized as a kernel module of an operating system (OS) and incorporated as appropriate. This method uses the trusted agent 1 shown in FIG.
4 is implemented at the kernel level.

FIGS. 18 to 24 show examples of the program of the agent for transmitting the encrypted image described in the mobile code. This program is compatible with WWW (World Wide W
eb) is a trusted agent program that uses mobile code to read files from servers and display animations.
va (object-oriented language for the Internet developed by Sun Microsystems, USA).

In this program, bitmap image information (T0 to T9.ppm) is read from the server for each 2048 bytes (b []) and displayed as an applet. The function of this program is to display a total of ten image files one after another and repeat this. The outline of the display method is as follows. Creates a communication path with the server and requests a required image file. Next, the image file is received using the communication path, and the image is displayed. The following is a brief supplementary explanation according to the drawings.

(A) First, a class path is defined. (B) Specify the variables to be used. (C) The init function is a function for performing initial settings for starting communication with the server. Specify the name of the server to be connected, the port number of the server, and the required file name. In addition, the specification for generating pseudo-random numbers is specified.

(D) A connection request is issued to the server using the makesocket function to generate a communication path. (E) The width of the image (width),
Get height information from the server. This information is
This information is necessary for reproducing an image on the client side.

(F) As a process of the makesocket function, a process of issuing a connection request to the server and setting a communication path is described. (G) The sendimagefile function is a function that sends a required image file name to the server using a communication path.

(H) The getimage function is a function for receiving an image file from a server using a communication path and generating an image. (I) When the contents of the image file are exhausted, the processing ends.

(J) Decryption of image information for each byte. (K) One pixel is generated every four bytes.
One pixel has four components of luminance, red, green, and blue.

(L) Generate an image from pixels. (M) Specify encryption. (N) When starting a program, this program is executed as a thread. By using a thread, a plurality of processes can be operated in parallel in one program.

(O) This is a step for defining the function of the thread. After creating a communication path with the init function, the following contents are actually executed. (P) A process of displaying a total of ten image files one after another is performed, and this is repeated.

(Q) The required image file name is sent to the server using the communication path. Use the sendimagefile function for this process. (R) An image file is received from a server using a communication path, and an image is generated. Use getimage function.

(S) The generated image is displayed.

[0103]

As described above, the present invention enables encryption communication by sending or receiving an agent implementing the encryption method to a partner who intends to perform the encryption communication. Can be kept secret and the use of an agent makes it possible to easily take measures to increase the encryption strength, such as irregular or periodic changes in the encryption method and parameter changes. Therefore, there is an effect that an encryption method with a light processing suitable for real-time communication can be adopted.

[Brief description of the drawings]

FIG. 1 is a schematic explanatory diagram of the present invention.

FIG. 2 is a configuration diagram of a trusted agent described in a mobile code.

FIG. 3 is a diagram showing another embodiment of the present invention.

FIG. 4 is a diagram showing another embodiment of the present invention.

FIG. 5 is a diagram illustrating a configuration example of an encryption method part.

FIG. 6 is a diagram illustrating an example of a hardware-based pseudo-random number generator.

FIG. 7 is a diagram illustrating a configuration of a three-stage pseudo random number generator that generates an M sequence.

FIG. 8 is a diagram illustrating an example of a pseudo-random number generation method.

FIG. 9 is a flowchart illustrating a synchronization function of an encryption method selection control unit.

FIG. 10 is a diagram illustrating a configuration example of a cryptographic communication system that changes a seed for generating pseudorandom numbers.

FIG. 11 is a diagram showing a configuration example of another embodiment of the present invention.

FIG. 12 is a diagram showing a configuration example of another embodiment of the present invention.

FIG. 13 is a flowchart illustrating a synchronization function of a seed generation unit.

FIG. 14 is a configuration diagram in a case where a trusted agent incorporating a cryptosystem is adapted to WWW applications.

FIG. 15 is a configuration diagram when the present invention is applied to an image transmission / audio transmission system.

FIG. 16 shows a configuration diagram in a case where an agent incorporating a cryptosystem is incorporated in an application of an electronic conference system.

FIG. 17 is an explanatory diagram of a change of a communication target of an application program for using the trusted agent according to the present invention.

FIG. 18 is a diagram illustrating an example of a program of an agent for transmitting an encrypted image described in a mobile code.

FIG. 19 is a diagram illustrating an example of a program of an agent for transmitting an encrypted image described in a mobile code.

FIG. 20 is a diagram illustrating an example of a program of an agent for transmitting an encrypted image described in a mobile code.

FIG. 21 is a diagram illustrating an example of a program of an agent for transmitting an encrypted image described in a mobile code.

FIG. 22 is a diagram illustrating an example of a program of an agent for transmitting an encrypted image described in a mobile code.

FIG. 23 is a diagram illustrating an example of a program of an agent for transmitting an encrypted image described in a mobile code.

FIG. 24 is a diagram illustrating an example of a program of an agent for transmitting an encrypted image described in a mobile code.

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 10 Information processing apparatus (server) 11 Mobile code 12 Trusted agent sending means 13 Application program 14 Trusted agent 15 Information processing apparatus (client) 16 Application program 17 Trusted agent 18 Cryptographic communication path

 ──────────────────────────────────────────────────続 き Continuing from the front page (72) Inventor Ichiro Iida 4-1-1, Kamidadanaka, Nakahara-ku, Kawasaki City, Kanagawa Prefecture Inside Fujitsu Limited (72) Inventor Hiroshi Takada 4-1-1, Kamiodanaka, Nakahara-ku, Kawasaki City, Kanagawa Prefecture No. 1 Inside Fujitsu Limited

Claims (12)

[Claims] In an encrypted communication method for communicating encrypted information between information processing apparatuses, a communication partner attempting to perform encrypted communication of software called an agent in which a cryptographic method described in a mobile code is incorporated in advance. Sending to the device of the communication partner, and performing a cryptographic communication using the encryption method between the agent sending to the device of the communication partner and the agent of the device itself. . 2. An agent for performing said cryptographic communication,
2. The encrypted communication method using an agent according to claim 1, wherein parameters required for the encryption method are changed irregularly or periodically synchronously. 3. The method according to claim 1, wherein the agent performing the cryptographic communication has a plurality of cryptosystems, and switches the cryptosystem to be used between the agents performing the cryptographic communication irregularly or periodically. An encrypted communication method using the described agent. 4. An encryption method selection server for instructing an encryption method to be used for an agent having a plurality of encryption methods is provided on a network, and the encryption method selection server uses an encryption method to be used for an agent performing the encryption communication. 4. The encrypted communication method using an agent according to claim 3, wherein the encryption method used between the agents performing the encrypted communication is synchronously switched by the instruction. 5. An encryption method selecting means for designating an encryption method to be used for an agent having a plurality of encryption methods has a synchronization function for changing the encryption method, and is used without performing communication between the agents performing the encryption communication. 4. The encrypted communication method using an agent according to claim 3, wherein the encryption method to be used is switched synchronously. 6. The encrypted communication method using an agent according to claim 1, wherein a pseudo-random number is used for the incorporated encryption method. 7. The method according to claim 7, wherein the server that sends the agent incorporating the encryption method to a communication partner device generates a seed of the pseudo-random number and changes the seed irregularly or periodically. Item 7. An encrypted communication method using the agent according to Item 6. 8. A seed server for generating a seed of the pseudorandom number is provided separately from a device on which the agent performing the cryptographic communication operates, and the agent operates the seed irregularly or periodically by the seed server. 7. The encrypted communication method using an agent according to claim 6, wherein the encrypted communication is sent to the device. 9. The method according to claim 1, wherein the seed generator of the pseudo-random number has a seed synchronization function, and the seed of the pseudo-random number used without performing communication between the agents performing cryptographic communication is synchronously and irregularly switched. An encrypted communication method using the agent according to claim 7. 10. An encrypted communication method for communicating encrypted information between a plurality of information processing apparatuses, comprising an agent distribution server having software called an agent in which an encryption method described in a mobile code is incorporated in advance. Then, the agent distribution server sends an agent incorporating the encryption method to a plurality of information processing apparatuses that intend to perform encrypted communication, and causes the agent to perform encrypted communication between the plurality of information processing apparatuses. Wherein the parameters necessary for the encryption method possessed by the agent are changed synchronously or irregularly or the encryption method used by the agent for encryption communication is switched in synchronization with a different encryption method. An encrypted communication method using an agent. 11. A mobile code storage medium storing a mobile code for realizing software called an agent in which the encryption method according to claim 1 is incorporated in advance. 12. A mobile code storage medium storing a mobile code for realizing software called an agent in which the encryption method according to claim 10 is incorporated in advance.