JPH10271106A - Cipher communication method and system equipment - Google Patents

Abstract

PROBLEM TO BE SOLVED: To perform the cipher communication of high safety by packaging and loading a secrecy protected ciphering/deciphering device to a computer card incorporated in a communication controller for connecting an information terminal equipment to a communication path and performing ciphering/ deciphering processings together for the transfer of the input/output of secret data between the information terminal equipment and the communication path. SOLUTION: Through the terminal and communication input/output parts 11 and 14 and communication control part 13 of a cipher communication equipment 9 packaged to the computer card 10 and by the control, the information terminal equipments are connected by the communication path 8. A random number generation part 12 generates a random number and generates a cipher key, a storage part 15 stores the secret key and program of a transmission side for ciphering/deciphering and the storage part 19 stores the public key of a reception opposite side. A ciphering/deciphering part 16 executes the processing of ciphering/deciphering by using the cipher key and the public key by the control of a control part 17 and the ciphering/deciphering device 18 physically protects the secrecy of the respective parts inside. Thus, without uselessly consuming hardware resources, safe communication is made possible.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a cryptographic communication method for mutually exchanging various types of cryptographic data through an information terminal device, and a system device directly used for implementing the method.

[0002]

2. Description of the Related Art In recent years, in remote access in an open network, an intranet, or the like, a method of coping with the threat of eavesdropping, falsification, and spoofing of information has been studied.

[0003] Conventionally, in a method of protecting information communicated over a network, as shown in FIG.
A system device α that holds the encryption / decryption device 3 and the encryption key 4 in the application system 2 therein, and a system device β that holds the encryption key 6 in an external storage device 5 such as a computer card as shown in FIG. Have been. In the figure, 7 is a communication control device, and 8 is a communication path.

[0004]

In the conventional encryption method described above, the method shown in FIG. 5 holds an encryption key 4 which is secret information in the information terminal device 1, and encrypts a message using the encryption key 4. This is a method using the system device α to be performed.
In this case, the encryption key 4 is normally stored by encrypting it with a secret key or the like. However, since the encryption key 4 used when actually performing the encryption processing is decrypted and expanded on the main memory, there is a danger of eavesdropping. There is a risk that the encryption key 4 is stolen or erased.

In the method shown in FIG. 6, the encryption key 6 is stored in the external storage device 5 and the information terminal device 1 reads and processes the encryption key 6 when performing encryption / decryption processing. is there. In this case, although the security against theft or erasure of the encryption key 6 is improved, the problem that the encryption key 6 is expanded on the main memory during the processing cannot be solved. In addition, since the external storage device 5 and the communication control device 7 are used at the same time, there is a problem of contention of hardware resources of the information terminal device 1.

Here, the main objects to be solved by the present invention are as follows. A first object of the present invention is to solve the above problem and provide a cryptographic communication method and a system device which are highly secure and can effectively use hardware resources of an information terminal device.

A second object of the present invention is to provide an encryption communication method and a system apparatus for performing an encryption / decryption process by incorporating an encryption / decryption device in a communication control device.

A third object of the present invention is to provide a cryptographic communication method and a system device that make full use of a triple key of an encryption key, a secret key, and a protection encryption key.

A fourth object of the present invention is to provide a cryptographic communication method and a system device in which an encryption / decryption device is mounted on a computer card provided in a communication control device with its secret protected and mounted.

[0010] Other objects of the present invention will become apparent from the description and drawings, particularly from the appended claims.

[0011]

In order to solve the above-mentioned problems, the present invention provides an encryption / decryption device whose secret is protected by a computer card built in a communication control device for connecting an information terminal device to a communication path. When the input / output of secret data between the information terminal device and the communication path is performed,
The decoding process is also performed.

At this time, data is encrypted with an encryption key created in the encryption / decryption device, and the protected encryption key obtained by encrypting the encryption key with the public key on the receiving side of the public key cryptosystem is converted to the encrypted data. And send it to the receiver. The receiving side extracts an encryption key from the protected encryption key with the receiving side private key associated with the public key and decrypts the encrypted data with the encryption key. It is as thorough. It is especially suitable for the transfer of electronic money.

[0013] More specifically, in solving the above-mentioned problems, the present invention achieves the above object by adopting each of the following novel characteristic construction techniques or means.

That is, the first feature of the method of the present invention is that, on the transmitting side, data received from the information terminal means is encrypted with an encryption key generated in a means protected by confidentiality, and then the public key encryption method is used. Transmitting a protected encryption key obtained by encrypting the encryption key with a receiving side public key and the data encrypted earlier to a communication path,
On the receiving side, after decrypting the encrypted protected encryption key received from the communication channel with the receiving side private key associated with the public key and extracting the transmitting side encryption key, The present invention resides in adopting a configuration of an encryption communication method for decrypting the received encrypted data.

According to a second aspect of the method of the present invention, there is provided a cryptographic communication method in which the security means in the first aspect of the present invention is provided in communication control means for connecting the information terminal means to a communication path. In the configuration adoption.

A third feature of the method of the present invention resides in the adoption of a configuration of an encryption communication method in which the security protection means in the first or second feature of the method of the present invention is mounted on a computer card.

A fourth feature of the method of the present invention is that the communication path in the first, second or third feature of the method of the present invention is any one of a telephone line, ISDN, LAN, wireless, optical communication, satellite communication and the like. Or the configuration of an encryption communication method which is a combination of these.

A fifth feature of the method of the present invention resides in that both the transmitting and receiving sides in the first or fourth feature of the method of the present invention are associated with their own public key in the computer card of the communication control means on both sides. Step 1 of storing the secret key, Step 2 of connecting the transmitting and receiving sides, Step 3 of transmitting the public key information of the sender to the receiving side and storing the public key information of the sender at the receiving side, Step 4 of transmitting the public key information to the transmitting side and storing the public key information of the receiver at the transmitting side, and the configuration of an encryption communication method which sequentially steps through the pre-processing steps.

A sixth feature of the method of the present invention is that the transmission to the communication path in the first, second, third, fourth or fifth feature of the method of the present invention is a packet communication. In the configuration adoption.

A seventh feature of the method of the present invention is that the protection encryption key in the first, second, third, fourth, fifth or sixth feature of the method of the present invention is attached to a packet header. The present invention resides in the configuration adoption of the encrypted communication method for transmission.

An eighth feature of the method of the present invention is that the transmitting side in the first, second, third, fourth, fifth, sixth or seventh feature of the method of the present invention is characterized in that the encrypted data and the protected After packet communication of the encryption key, transmission and reception are temporarily waited until the output of the decryption processing on the receiving side is completed, and after confirming that there is no mutual communication with the receiving side, the transmission is terminated. The configuration of the communication method is adopted.

A ninth feature of the method of the present invention resides in that the receiving side in the first, second, third, fourth, fifth, sixth, seventh or eighth feature of the method of the present invention decodes the decoded data. Is output to the terminal, transmission and reception are temporarily suspended until a margin for additional reception from the transmission side, communication is terminated after confirming that there is no mutual communication with the transmission side, and a post-processing step is sequentially performed. This is in the adoption of the configuration of the encryption communication method.

A tenth feature of the method of the present invention is that the communication path in the first, second, third, fourth, fifth, sixth, seventh, eighth or ninth feature of the method of the present invention is different from that of the first or second aspect. ,the Internet,
Intranet, extranet, OCN, ODN,
The present invention resides in adoption of a configuration of an encryption communication method in which an encryption data transmission path connected or used to a virtual private network, various exchange networks, VAN, or the like is formed.

A first feature of the apparatus of the present invention resides in the adoption of a configuration of a cryptographic communication system device which is built in a communication control device for connecting an information terminal device to a communication path and has an encryption / decryption device.

A second feature of the device of the present invention resides in the adoption of the configuration of a cryptographic communication system device in which the encryption / decryption device in the first feature of the above-described device of the present invention is a device whose security is protected.

A third feature of the present invention is that the encryption / decryption device according to the first or second feature of the present invention comprises a terminal input / output unit for controlling input / output with an information terminal, A storage unit for storing public key information on the side, a communication control unit for controlling input / output to / from a communication path, and a communication input / output unit for actually performing input / output to / from the communication path, The present invention resides in adopting a configuration of a cryptographic communication system device integrally mounted on a computer card built in a communication control device connected to a communication path.

A fourth feature of the device of the present invention is that the encryption / decryption device according to the first, second or third feature of the device of the present invention generates a random number for generating an encryption key, A storage unit that stores its own secret key and program for decryption, an encryption / decryption unit that encrypts / decrypts data using the encryption key, and a control unit that controls encryption / decryption processing. The present invention resides in the adoption of the configuration of the cryptographic communication system device provided.

A fifth feature of the device of the present invention is that the communication path in the first, second, third or fourth feature of the device of the present invention is such that a telephone line, ISDN, LAN, wireless, optical communication, satellite communication And the like or a combination thereof.

A sixth feature of the device of the present invention is that the communication path in the first, second, third, fourth or fifth feature of the device of the present invention is such that the Internet, intranet, extranet, OCN, ODN, Virtual private networks, various exchange networks,
The present invention resides in adopting a configuration of a cryptographic communication system device that forms a cryptographic data transmission path connected or used to a VAN or the like.

A seventh feature of the device of the present invention is that the information terminal device according to the first, second, third, fourth, fifth or sixth feature of the device of the present invention is a personal computer, a workstation,
The present invention resides in the adoption of a configuration of a cryptographic communication system device including an intelligent terminal, a telephone, a facsimile, an exchange, an e-mail terminal, a radio, a mobile communication terminal, and the like.

An eighth feature of the apparatus of the present invention resides in that the storage unit for storing the public key information of the receiving party in the third, fourth, fifth, sixth or seventh feature of the above-mentioned apparatus of the present invention is an encryption device. The present invention resides in adoption of a configuration of a cryptographic communication system device also serving as a storage unit for storing its own secret key and program for decryption in the decryption device.

A ninth feature of the device of the present invention resides in that the storage unit for storing the public key information of the receiving party in the third, fourth, fifth, sixth or seventh feature of the device of the present invention is an encryption device. The present invention resides in adoption of a configuration of a cryptographic communication system device which is juxtaposed separately from a storage unit for storing its own secret key and program for decryption in the decryption device.

[0033]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of the present invention will be described with reference to the drawings with respect to an example of an apparatus and an example of a method thereof. In this embodiment, the information terminal device as the information terminal means includes a personal computer, a workstation, an intelligent terminal, a telephone, a facsimile, an exchange, an e-mail terminal, a radio, a mobile communication terminal, and the like. Line, ISDN, LA
N, wireless, optical communication, satellite communication, etc., or a combination thereof, the Internet, intranet,
It forms an encrypted data transmission path connected or used to an extranet, OCN, ODN, virtual private network, various exchange networks, VAN, and the like.

(Example of Apparatus) FIG. 1 is a block diagram showing the configuration of a cryptographic communication system incorporating the present apparatus, and FIG. 2 is a block diagram showing the configuration of the present apparatus. The same devices and parts as those of the conventional cryptographic communication systems α and β shown in FIGS. 5 and 6 are denoted by the same reference numerals, and the description will not be repeated.

In the figure, γ is a cryptographic communication system equipped with the present device example, 9 is a cryptographic communication device of the present device example, 10 is a main body of a computer card on which the cryptographic communication device 9 is mounted, and 11 is an information terminal device 1 A terminal input / output unit for controlling the input / output of the computer card 10 with the encryption communication device 9;
Or, a random number generation unit that generates a random number for generating Ke2, 13 is a communication control unit that controls input and output to and from the communication path 8,
Reference numeral 14 denotes a communication input / output unit that actually performs input / output with the communication path 8.

Reference numeral 15 denotes a storage unit for storing a secret key and a program on the transmission side for encryption / decryption, and 16 denotes a storage unit using the encryption key Ke1 or Ke2, the public key Kp1 or Kp2, or a secret key (not shown). An encryption / decryption unit that actually performs encryption / decryption, 17 a control unit that controls encryption / decryption processing,
Reference numeral 18 denotes a random number generation unit 12, a storage unit 15, and an encryption / decryption unit 16.
And an encryption / decryption device for physically protecting the confidentiality of the control unit 17, and a storage unit 19 for storing the public key Kp2 information of the receiving party. Note that the storage unit 19 may be used also as the storage unit 15, or the storage unit 19 may coexist with the storage unit 15 in the encryption / decryption device 18.

(Example of Method) An execution procedure of the example of the method applied to the example of the present apparatus will be described with reference to the drawings. FIG. 3 is a flowchart showing an encryption communication processing procedure of this example of the method, and FIG.
It is a sequence chart.

(1) Communication Preprocessing Step X First, when the computer card 10 used in the method example is issued, the computer card 10 is associated with its own public key Kp1 (Kp2) of the public key cryptosystem, which is secret information of the card 10. The secret key not to be stored is stored in the storage unit 15, and the public key Kp1 (Kp2) is stored in the storage unit 19.
(ST1), and the public key Kp2 of the other party is stored.
(Kp1) is stored in the storage unit 19.

The user A and the user B have a telephone line, an ISD
N, LAN, wireless communication, optical communication, satellite communication, and the like, a mutual connection is established by a communication procedure between the connection request information S1 and the connection permission information S2 (ST2), and the computer card 10 used by the user A is connected. Public key information Kp1 and public key information Kp2 of computer card 10 used by user B
Are exchanged and stored (ST3, ST4).

(2) Encryption / Decryption Communication Processing Stage Y On the transmission side of user A, the transmission processing receives transmission data M1 from information terminal device 1 at terminal input / output unit 11 (ST).
5) Send the transmission data M1 and the public key Kp2 of the receiving side to the encryption / decryption device 18 which is physically protected. Encryption /
In the decryption device 18, first, the control unit 17 generates the encryption key Ke1 using the random number generated by the random number generation unit 12 (ST
6).

Next, the encryption program stored in the storage unit 15 is called, and the transmission data M1 is encrypted by the encryption / decryption unit 16 using the encryption key Ke1 (ST7). Further, the control unit 17 calls the public key encryption program stored in the storage unit 15, and encrypts the encryption key Ke1 in the encryption / decryption unit 16 using the public key Kp2 of the receiving side (S
T8). In addition, the communication control unit 13 transmits the data Ke1 [M1] obtained by adding the protection encryption key Kp2 [Ke1] encrypted as header information to the encrypted transmission data Ke1 [M1].
1] and sends it out of the communication input / output unit 14 to the communication path 8 (ST10).

On the other hand, on the receiving side of the user B, the communication control unit 13 on the computer terminal 10 on the receiving side operates the communication input / output unit 14
And the data Kp2 [Ke1] · Ke1 [M from the communication path 8
1] (ST6 ′) and sends it to the encryption / decryption device 18. In the encryption / decryption device 18, the control unit 17 converts the received data Kp2 [Ke1] · Ke1 [M1] from the protection encryption key Kp.
2 [Ke1] is extracted (ST7 ′), and the public key encryption program stored in the storage unit 15 and its own public key Kp are extracted.
A secret key (not shown) associated with No. 2 is called, and the protection encryption key Kp2 [Ke1] is decrypted to the encryption key Ke1 with its own secret key (ST8 ').

Further, the control unit 17 calls a decryption program from the storage unit 15, decrypts the transmission data Ke1 [M1] encrypted with the encryption key Ke1, and extracts the reception data M1 (ST9 '). Finally, the received data M1 extracted is output from the terminal input / output unit 11 to the information terminal device 1 (ST1).
0 ').

(3) Post-processing Step Z The transmitting side of the user A temporarily suspends transmission and reception until the output of the received data M1 subjected to the final decoding processing by the communication control device 7 on the receiving side to the information terminal device 1 is completed. (ST11) Then, after confirming that there is no mutual communication with the receiving side, the communication is terminated (ST12). Further, the receiving side of the user B temporarily waits for transmission and reception until a margin for additional reception from the transmitting side (ST11 '), ends communication after confirming that there is no mutual communication with the transmitting side (ST12). ').

[0045]

As described above, according to the present invention, a computer card has a communication device such as a telephone line, ISDN, LAN, wireless, optical communication, etc. and an encryption / decryption device. By performing the decryption processing only in a device whose confidentiality is protected, secure communication can be realized without affecting the application system such as a communication program and without wasting hardware resources.

[Brief description of the drawings]

FIG. 1 is a configuration block diagram of a cryptographic communication system device incorporating an example of a device showing an embodiment of the present invention.

FIG. 2 is a configuration block diagram of an example of the same device.

FIG. 3 is a flowchart showing a cryptographic communication processing procedure of an example method showing an embodiment of the present invention.

FIG. 4 is a sequence chart of the example of the method.

FIG. 5 is a configuration block diagram of a conventional cryptographic communication system device.

FIG. 6 is a configuration block diagram of another conventional cryptographic communication system device.

[Explanation of symbols]

 α, β, γ: Cryptographic communication system device 1: Information terminal device 2: Application system 3, 18: Encryption / decryption device 4, 6: Cryptographic key 5: External storage device 7: Communication control device 8: Communication path 9: Cryptography Communication device 10 Computer card 11 Terminal input / output unit 12 Random number generation unit 13 Communication control unit 14 Communication input / output unit 15, 19 Storage unit 16 Encryption / decryption unit 17 Control unit 18 Encryption / decryption device Kp1, Kp2: public key Ke1, Ke2: encryption key M1, M2: transmission / reception data Ke1 [M1], Ke2 [M2]: encryption data Kp1 [Ke2], Kp2 [Ke1]: protection encryption key

Claims (19)

[Claims] 1. A transmitting side encrypts data received from an information terminal means with an encryption key generated in a confidentially protected means, and then encrypts the data with a receiving side public key of a public key cryptosystem. Transmitting the encrypted protection encryption key and the previously encrypted data to a communication path, and receiving the encrypted protection encryption key received from the communication path with the public key on the reception side; And decrypting the encrypted data received with the encryption key after extracting with the secret key and extracting the encryption key on the transmission side. 2. The encryption communication method according to claim 1, wherein the security protection means is provided in communication control means for connecting the information terminal means to a communication path. 3. The encryption communication method according to claim 1, wherein the security protection means is mounted on a computer card. 4. The communication path according to claim 1, wherein the communication path is any one of a telephone line, ISDN, LAN, wireless, optical communication, satellite communication, or a combination thereof. Encryption communication method. 5. The transmitting / receiving side includes: a step 1 for storing a public key and a secret key associated therewith in a computer card of the communication control means on both sides; a step 2 for connecting the transmitting / receiving side; Transmitting the public key information of the receiver to the receiving side and storing the public key information of the sender on the receiving side; and transmitting the public key information of the receiver to the transmitting side and transmitting the public key information of the receiver on the transmitting side. The encryption communication method according to claim 1, wherein the storage step and the preprocessing step are sequentially performed. 6. The encrypted communication method according to claim 1, wherein the transmission to the communication path is packet communication. 7. The encryption communication method according to claim 1, wherein the protection encryption key is attached to a packet header and transmitted. 8. The transmitting side, after packet communication of the encrypted data and the protection encryption key, temporarily waits for transmission and reception until output of decryption processing on the receiving side is completed, and confirms that there is no mutual communication with the receiving side. The transmission is terminated above, and a post-processing step is sequentially performed.
The cryptographic communication method described in 1. 9. The receiving side, after outputting the decoded data to the terminal, temporarily waits for transmission and reception until a margin for additional reception from the transmitting side, and confirms that there is no mutual communication with the transmitting side. The cryptographic communication method according to claim 1, wherein the communication is terminated, and a post-processing step is sequentially performed. 10. The communication path includes the Internet, an intranet, an extranet,
The cryptographic data transmission path connected or used to OCN, ODN, virtual private network, various exchange networks, VAN, etc. is formed, The cryptographic data transmission path of Claim 1, 2, 3, 4, 5, 6, 7,
10. The encryption communication method according to 8 or 9. 11. A cryptographic communication system device, which is built in a communication control device that connects an information terminal device to a communication path, and includes an encryption / decryption device. 12. The encryption communication system device according to claim 11, wherein the encryption / decryption device is a device whose security is protected. 13. An encryption / decryption device, comprising: a terminal input / output unit for controlling input / output with an information terminal device; a storage unit for storing public key information of a receiving party; and an input / output with a communication path. A communication control unit, and a communication input / output unit that actually performs input / output with a communication path, are both integrally mounted on a computer card built in a communication control device that connects the information terminal device to the communication path, The cryptographic communication system according to claim 11 or 12, wherein: 14. An encryption / decryption device comprising: a random number generation unit for generating a random number for generating an encryption key; a storage unit for storing its own secret key and a program for decryption; Encryption / decryption of data
14. The cryptographic communication system device according to claim 11, further comprising: a decryption unit; and a control unit that controls encryption / decryption processing. 15. The communication path according to claim 11, 12, 13 or 14, wherein the communication path is any one of a telephone line, ISDN, LAN, wireless, optical communication, satellite communication, or a combination thereof. The cryptographic communication system device according to claim 1. 16. The communication path may be the Internet, an intranet, an extranet,
The encrypted data transmission path connected or used to an OCN, an ODN, a virtual private network, various exchange networks, a VAN, or the like is formed.
6. The cryptographic communication system device according to 5. 17. The information terminal device includes a personal computer, a workstation, an intelligent terminal, a telephone, a facsimile, a switch, an e-mail terminal, a radio, a mobile communication terminal, and the like. 13, 14, 15
Or the cryptographic communication system device according to 16. 18. The storage unit for storing the public key information of the receiving party is also used as a storage unit for storing its own private key and program for decryption in the encryption / decryption device. Item 13, 14, 15, 16 or 1
8. The cryptographic communication system device according to 7. 19. A storage unit for storing public key information of a receiving party is provided separately from a storage unit for storing its own private key and program for decryption in an encryption / decryption device. Claim 13, 14, 15, 16 or 1
8. The cryptographic communication system device according to 7.