CN100502316C - System and method for encrypted communication - Google Patents

Info

Publication number: CN100502316C
Authority: CN (China)
Prior art keywords: terminal, mentioned, management server, communication, server
Legal status: Expired - Fee Related (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CNB200610085029XA
Other languages: Chinese (zh)
Other versions: CN1866876A
Inventors: 桥本洋子, 藤城孝宏, 锻忠司, 高田治, 星野和义, 中村信次
Current assignee: Hitachi Ltd (as listed by Google Patents; not verified)
Original assignee: Hitachi Ltd
Events: application filed by Hitachi Ltd; publication of CN1866876A; application granted; publication of CN100502316C; legal status Expired - Fee Related; anticipated expiration

Abstract

In encrypted communication using VPN technology, the load on the VPN system becomes large as the number of communication terminals increases. When an external terminal accesses an application server via an internal terminal, the processing becomes complicated because authentication must be performed both at the VPN and at the application server. A management server is provided for managing external terminals, internal terminals and application servers. The management server authenticates each communication terminal and operates to establish an encrypted communication path between communication terminals. Authentication of each terminal by the management server relies upon a validation server. When the external terminal performs encrypted communication with the application server via the internal terminal, two encrypted communication paths are established and used: one between the external terminal and the internal terminal, and one between the internal terminal and the application server.

Description

Encryption communication method and system
Technical field
The present invention relates to technology for carrying out encrypted communication via a communication network such as the Internet.
Background art
VPN (Virtual Private Network) technology is used so that the LANs at each of an enterprise's sites can connect securely with one another, and so that a communication terminal at a residence can securely access the enterprise's information assets.
For example, consider the case where an external communication terminal (hereinafter sometimes called the external terminal) on an external network such as the Internet carries out secure communication with an internal communication terminal (hereinafter sometimes called the internal terminal) connected to the network inside an organization such as a company.
First, the external communication terminal sends a connection request for the internal communication terminal from the Internet to a VPN device located at the entrance of the organization's network. Here the VPN device authenticates the external communication terminal using a public key certificate (hereinafter called a certificate) or the like, and confirms that it is a terminal permitted to access the internal communication terminal. The external communication terminal likewise authenticates the VPN device using a certificate or the like.
If the external communication terminal and the VPN device can authenticate each other, an encryption key (cipher key) is shared between them, and the data exchanged between the two is encrypted with that key. The VPN device also mediates the data that the external communication terminal needs in order to connect to the internal communication terminal.
In this way the external communication terminal can communicate with the internal communication terminal via the VPN device, and because the data exchanged between the external communication terminal and the VPN device is encrypted, the communication is secure.
A description of the functions of a device that provides VPN technology is disclosed, for example, in Non-patent Document 1.
[Non-patent Document 1] NORTEL NETWORKS, "Alteon SSL VPN", (online), NORTEL NETWORKS, pp. 2-3, (retrieved May 11, 2005), Internet <http://www.nortel.com/products/01/alteon/sslvpn/collateral/nn10 2960-073103.pdf>
In the conventional secure communication method using VPN technology, all exchanged data is transmitted and received via the VPN device, so there is the problem that the load on the VPN device becomes large.
For example, when there are many external and internal communication terminals and a plurality of secure communications are carried out between them, the VPN device performs the authentication processing of many external communication terminals and the encryption of all data exchanged between the terminals. Consequently the load on the VPN device becomes large.
A further problem arises when an application server (hereinafter sometimes called the AP server) that provides service applications, databases and the like is connected to the network inside the organization: when the external communication terminal accesses the application server via the internal communication terminal, a plurality of authentication processes are required.
For example, when an external communication terminal connected to the Internet remotely accesses and operates an internal communication terminal connected to the company network, and the internal communication terminal uses a service of the application server, authentication processing at the application server (for example, input of a user ID and password) is needed in addition to the authentication processing at the VPN device, so the management of passwords becomes cumbersome.
In addition, conventional VPN technology does not consider encryption of the communication between the VPN device and the internal communication terminal, nor between the internal communication terminal and the AP server; if the whole communication path between the external communication terminal and the AP server is to be encrypted in order to ensure security, the processing required for this becomes very cumbersome.
Summary of the invention
The present invention was made in view of the above circumstances. Its object is to provide a technique that distributes the load of secure communication and encrypts the whole communication path, and/or a technique that simplifies authentication while maintaining high security when an external communication terminal accesses an application server in an organization via an internal communication terminal.
To achieve this object, the present invention provides a communication system equipped with a management server that manages the external communication terminals, the internal communication terminals and the application servers.
In the communication system of the present invention, secure communication between an external communication terminal and an internal communication terminal is carried out by the following steps. The steps by which an external communication terminal carries out secure communication with an application server via an internal communication terminal are also described.
First, the case where an external communication terminal and an internal communication terminal begin secure communication is described.
The external communication terminal connects to the management server, which is connected to the entrance of the organization's network, and the external communication terminal and the management server authenticate each other. Where strict authentication is needed, authentication based on public key certificates may be used.
If mutual authentication succeeds, an encryption key for encrypting the data exchanged between the external communication terminal and the management server is shared, and an encrypted communication path is established between the external communication terminal and the management server.
The same processing is carried out in advance between the internal communication terminal and the management server, establishing an encrypted communication path between the internal communication terminal and the management server.
After establishing the encrypted communication path with the management server, the external communication terminal sends the management server a connection request for the internal communication terminal. The management server confirms that it has authenticated both the external communication terminal and the internal communication terminal, and generates the encryption key and setting information to be used in the encrypted communication between the external communication terminal and the internal communication terminal. It then sends the connection request from the external communication terminal, together with the encryption key and setting information, to the internal communication terminal over the encrypted communication path established with the internal communication terminal.
The internal communication terminal judges whether the external communication terminal may connect to it, and sends the result to the management server.
If the external communication terminal may connect to the internal communication terminal, the management server sends the external communication terminal a message that connection is possible, together with the encryption key and setting information to be used in the encrypted communication between the external communication terminal and the internal communication terminal.
Here, the setting information is any combination of one or more items of information needed for encrypted communication, for example the kind of algorithm and the key length of the encryption key, IP addresses and ports.
Using this encryption key and setting information, an encrypted communication path is established between the external communication terminal and the internal communication terminal, and secure communication is carried out. In the present invention, two communicating devices are regarded as having established an encrypted communication path once both hold the key for that encrypted communication.
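The exchange just described, simulated end to end as an added example (this is illustrative code written for this page, not code from the patent or from Hitachi). The management server holds a key shared with every terminal it has authenticated, mediates the connection request over those two paths, and distributes a fresh terminal-terminal key plus setting information; afterwards the terminals talk directly with that key and the management server is no longer involved. Mutual certificate authentication is abstracted to a key-sharing step, the "encrypted path" is a toy SHA-256 keystream with an HMAC tag standing in for a real AEAD, and all identifiers, addresses and ports are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets

# Toy encrypted path: SHA-256 keystream with an encrypt-then-MAC HMAC tag.
# Stand-in for a real AEAD (assumption for this example, not the patent's cipher).
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt a JSON-serialisable message under the path key and tag it."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Check the tag first, then decrypt; a wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class Terminal:
    def __init__(self, tid, allowed_sources=()):
        self.tid = tid
        self.allowed_sources = set(allowed_sources)  # local policy: who may connect here
        self.ms_key = None    # key of the terminal-management server path
        self.peer_keys = {}   # keys of terminal-terminal paths (the encryption key holding unit)

    def request_path(self, ms, dest_id):
        """External terminal side: ask the management server for a path to dest_id."""
        blob = seal(self.ms_key, {"source": self.tid, "destination": dest_id})
        reply = open_sealed(self.ms_key, ms.handle_connection_request(self.tid, blob))
        if reply["result"] != "connectable":
            return None
        self.peer_keys[dest_id] = bytes.fromhex(reply["key"])
        return reply["settings"]

    def receive_forwarded(self, blob):
        """Internal terminal side: judge the forwarded request, keep the key if accepted."""
        msg = open_sealed(self.ms_key, blob)
        accepted = msg["request"]["source"] in self.allowed_sources
        if accepted:
            self.peer_keys[msg["request"]["source"]] = bytes.fromhex(msg["key"])
        return accepted

class ManagementServer:
    def __init__(self):
        self.paths = {}      # terminal id -> key shared with that authenticated terminal
        self.directory = {}  # address DB: terminal id -> Terminal object

    def establish_path(self, terminal):
        # Mutual certificate authentication is abstracted away (assumption); on success
        # a fresh key for the terminal-management server path is shared.
        key = secrets.token_bytes(32)
        self.paths[terminal.tid] = key
        terminal.ms_key = key
        self.directory[terminal.tid] = terminal

    def handle_connection_request(self, ext_id, blob):
        """Mediate one connection request; returns the sealed reply for the requester."""
        ext_key = self.paths[ext_id]          # KeyError if the requester was never authenticated
        req = open_sealed(ext_key, blob)
        dest = self.directory.get(req["destination"])
        if dest is None or dest.tid not in self.paths:
            return seal(ext_key, {"result": "rejected", "reason": "destination not authenticated"})
        # Key and setting information for the terminal-terminal path; sample values constructed here.
        session_key = secrets.token_bytes(32)
        settings = {"algorithm": "toy-sha256-stream", "key_bits": 256,
                    "address": "192.0.2.15", "port": 5000}
        forwarded = seal(self.paths[dest.tid],
                         {"request": req, "key": session_key.hex(), "settings": settings})
        if not dest.receive_forwarded(forwarded):
            return seal(ext_key, {"result": "rejected", "reason": "refused by destination"})
        return seal(ext_key, {"result": "connectable", "key": session_key.hex(), "settings": settings})

def run_demo():
    """Walk through the whole exchange and return what each side ended up with."""
    ms = ManagementServer()
    ext, internal, stranger = Terminal("ext-1"), Terminal("int-1", {"ext-1"}), Terminal("ext-2")
    for t in (ext, internal, stranger):   # every terminal first authenticates with the management server
        ms.establish_path(t)
    settings = ext.request_path(ms, "int-1")
    # Terminal-terminal traffic now uses the distributed key and bypasses the management server.
    received = open_sealed(internal.peer_keys["ext-1"],
                           seal(ext.peer_keys["int-1"], {"data": "hello over the terminal path"}))
    return {"settings": settings, "received": received["data"],
            "keys_match": ext.peer_keys["int-1"] == internal.peer_keys["ext-1"],
            "stranger_refused": stranger.request_path(ms, "int-1") is None}
```

The point to notice is where the policy decisions sit: the management server only checks that both endpoints are terminals it has authenticated, while the internal terminal itself decides whether a given external terminal may connect, so an authenticated but unlisted terminal (ext-2 above) is refused before it ever receives a key.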
Next, two methods by which an external communication terminal accesses an application server via an internal communication terminal are described. For example, when an external communication terminal remotely accesses an internal communication terminal and the internal communication terminal uses an application server, secure communication is carried out by one of the following two methods.
The first method is described. First, an encrypted communication path that does not pass through the management server is established between the external communication terminal and the internal communication terminal by the method described above. Using that path, the external communication terminal sends the internal communication terminal key input information whose content instructs a connection request to the application server.
Operated by the external communication terminal, the internal communication terminal carries out the same steps as above in order to establish an encrypted communication path with the application server. That is, the internal communication terminal and the application server each establish an encrypted communication path with the management server. Here it is assumed that the application server has established its encrypted communication path with the management server in advance. If the internal communication terminal has already established an encrypted communication path with the management server, it need not be established again.
After each encrypted communication path has been established, the internal communication terminal sends the management server a connection request for the application server. The management server checks whether it has authenticated the application server and established an encrypted communication path with it; if not, it does so by the same processing as for the internal communication terminal. It then generates the encryption key and setting information to be used in the encrypted communication between the internal communication terminal and the application server, and sends the connection request from the internal communication terminal, together with the encryption key and setting information, to the application server over the encrypted communication path established with the application server.
The application server judges whether the internal communication terminal may connect to it, and sends the result to the management server.
If the result is that connection is possible, the management server sends the internal communication terminal a message that connection is possible, together with the encryption key and setting information to be used in the encrypted communication that the internal communication terminal and the application server carry out without passing through the management server.
Using this encryption key and setting information, the application server and the internal communication terminal establish an encrypted communication path that does not pass through the management server.
When the external communication terminal accesses the application server via the internal communication terminal, secure communication is carried out using these two established encrypted communication paths (between the external communication terminal and the internal communication terminal, and between the internal communication terminal and the application server).
The second method is now described. In the second method, the external terminal, which in the first method was not an object of authentication when accessing the application server, is newly made an object of authentication.
First, by the same method as in the first method, an encrypted communication path that does not pass through the management server is established between the external communication terminal and the internal communication terminal. Using that path, the external communication terminal sends the internal communication terminal key input information whose content instructs a connection request to the application server via the internal communication terminal.
On receiving this information, the internal communication terminal carries out the following steps to establish an encrypted communication path between itself and the application server.
The internal communication terminal and the application server each establish an encrypted communication path with the management server. Here it is assumed that the application server has established its encrypted communication path with the management server in advance. If the internal communication terminal has already established an encrypted communication path with the management server, it need not be established again.
After each encrypted communication path has been established, the internal communication terminal sends the management server a connection request for the application server, based on the operation from the external communication terminal. The connection request sent at this time records that the source of the connection request to the application server is the external communication terminal. The management server receiving this connection request confirms that it has authenticated the external communication terminal, the internal communication terminal and the application server, and that the external communication terminal and the internal communication terminal are in encrypted communication. Once these are confirmed, the management server generates the encryption key and setting information to be used in the communication between the internal communication terminal and the application server, and sends the connection request received from the internal communication terminal (the request from the external communication terminal to the application server via the internal communication terminal), together with the encryption key and setting information, to the application server over the encrypted communication path established with the application server.
The application server judges whether the external communication terminal may connect to it via the internal communication terminal, and sends the result to the management server.
If the result is that connection is possible, that is, if the application server can authenticate both the external communication terminal and the internal communication terminal, the management server sends the internal communication terminal a message that connection is possible, together with the encryption key and setting information to be used in the encrypted communication that the internal communication terminal and the application server carry out without passing through the management server.
The application server and the internal communication terminal use this encryption key to establish an encrypted communication path that does not pass through the management server.
When the external communication terminal accesses the application server via the internal communication terminal, secure communication is carried out using these two established encrypted communication paths (between the external communication terminal and the internal communication terminal, and between the internal communication terminal and the application server).
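The difference between the two methods lies in what the management server checks before it issues the internal terminal-AP server key, and in what the application server gets to judge. The following added example (illustrative code for this page, not the patent's own implementation) models the management server's authentication state and communication state as two small tables and applies the first-method and second-method checks side by side; the table layout, the AP server policy and all terminal identifiers, algorithm names and addresses are constructed assumptions.

```python
import secrets

class ManagementServerTables:
    """Authentication state and communication state kept by the management server
    (in the spirit of the tables of Figs. 16 and 17; the layout here is assumed)."""
    def __init__(self):
        self.authenticated = set()    # ids of terminals this server has authenticated
        self.encrypted_paths = set()  # unordered pairs currently in encrypted communication

    def mark_authenticated(self, tid):
        self.authenticated.add(tid)

    def mark_path(self, a, b):
        self.encrypted_paths.add(frozenset((a, b)))

    def in_encrypted_communication(self, a, b):
        return frozenset((a, b)) in self.encrypted_paths

def new_key_and_settings():
    # Key and setting information for the internal terminal-AP server path; sample values constructed.
    settings = {"algorithm": "aes-256-cbc", "key_bits": 256, "address": "192.0.2.14", "port": 8443}
    return secrets.token_bytes(32).hex(), settings

def first_method(tables, request, ap_accepts):
    """First method: the request names the internal terminal as its source. Only the
    internal terminal and the AP server must be authenticated, and the AP server
    judges the internal terminal alone."""
    internal, ap = request["source"], request["destination"]
    for tid in (internal, ap):
        if tid not in tables.authenticated:
            return {"result": "rejected", "reason": f"{tid} not authenticated"}
    key, settings = new_key_and_settings()
    if not ap_accepts(internal=internal, external=None):
        return {"result": "rejected", "reason": "refused by application server"}
    tables.mark_path(internal, ap)
    return {"result": "connectable", "key": key, "settings": settings}

def second_method(tables, request, ap_accepts):
    """Second method: the request records the external terminal as the source and the
    internal terminal as the relay. All three must be authenticated and the external
    terminal-internal terminal path must already be in encrypted communication."""
    ext, internal, ap = request["source"], request["via"], request["destination"]
    for tid in (ext, internal, ap):
        if tid not in tables.authenticated:
            return {"result": "rejected", "reason": f"{tid} not authenticated"}
    if not tables.in_encrypted_communication(ext, internal):
        return {"result": "rejected", "reason": f"{ext} and {internal} not in encrypted communication"}
    key, settings = new_key_and_settings()
    if not ap_accepts(internal=internal, external=ext):
        return {"result": "rejected", "reason": "refused by application server"}
    tables.mark_path(internal, ap)
    return {"result": "connectable", "key": key, "settings": settings}

def ap_policy(internal, external):
    """Constructed AP server policy: a listed internal terminal may connect; when an
    external terminal is named as the source it must be on the AP server's list too."""
    allowed_internal, allowed_external = {"int-1"}, {"ext-1"}
    return internal in allowed_internal and (external is None or external in allowed_external)

def run_scenarios():
    t = ManagementServerTables()
    for tid in ("ext-1", "ext-2", "int-1", "ap-1"):
        t.mark_authenticated(tid)
    t.mark_path("ext-1", "int-1")   # ext-1 and int-1 already share a terminal-terminal path
    via = {"via": "int-1", "destination": "ap-1"}
    return {
        "first_ok": first_method(t, {"source": "int-1", "destination": "ap-1"}, ap_policy)["result"],
        "second_ok": second_method(t, {"source": "ext-1", **via}, ap_policy)["result"],
        # ext-2 is authenticated but has no encrypted path with int-1: refused before any key is issued
        "second_no_path": second_method(t, {"source": "ext-2", **via}, ap_policy)["reason"],
        # ext-3 never authenticated with the management server at all
        "second_unauth": second_method(t, {"source": "ext-3", **via}, ap_policy)["reason"],
        "path_recorded": t.in_encrypted_communication("int-1", "ap-1"),
    }
```

Note that in the second method a rejection happens at the management server before a key is generated whenever the external terminal is unknown or has no live path to the relaying internal terminal; only requests that pass those table checks are forwarded for the application server's own decision.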
Here, the internal communication terminal and the application server need not carry out authentication with the management server and establishment of the encrypted communication path in advance; they may do so in response to the connection request from the external communication terminal. For example, an application server that frequently receives connection requests from many communication terminals may establish its encrypted communication path with the management server in advance, so that a connection request from an internal communication terminal to the application server can be handled by the management server immediately. An application server that rarely receives connection requests may instead authenticate with the management server and establish the encrypted communication path at the moment a connection request arrives from a particular external terminal.
The communication path between the internal communication terminal and the application server need not be encrypted when encryption is unnecessary.
Furthermore, when the management server authenticates the external communication terminal, the internal communication terminal and the application server, it may entrust verification of the certificates to a certificate validation server device (hereinafter called the authentication server) that verifies certificates. Having the authentication server verify the certificate allows more reliable authentication.
The management server may also be operated by a third-party organization; that is, it may be connected to the network of an organization different from that of the internal communication terminal.
According to the above, once the encrypted communication paths between the external communication terminal and the internal communication terminal and between the internal communication terminal and the application server have been established, encrypted communication can be carried out without passing through the management server. Therefore, the load on the management server is reduced compared with the conventional technique. Furthermore, because the whole communication path can be encrypted, communication is safer than with the conventional technique.
In addition, according to the present invention, when the external communication terminal accesses the application server via the internal communication terminal, once the management server has authenticated the external communication terminal, the internal communication terminal and the application server, the application server can be accessed by the operation of the external communication terminal on the basis of that authentication result, without separately carrying out the application server's own authentication such as ID/password. That is, the management server centrally authenticates each communication terminal (external communication terminal, internal communication terminal, application server), so each terminal no longer needs to carry out multiple authentication processes, and authentication is simplified.
The authentication carried out by the management server can be strict authentication based on PKI.
According to the present invention, the load on the management server can be reduced in the encrypted communication between the external communication terminal and the internal communication terminal and between the internal communication terminal and the application server. Furthermore, communication can be made safer over the whole communication path from the external communication terminal to the application server.
In addition, according to the present invention, when the external communication terminal accesses the application server via the internal communication terminal, the application server need not authenticate the external communication terminal itself; that is, the authentication processing is simplified.
Description of drawings
Fig. 1 illustrates the structure of the communication system of the two embodiments of the present invention.
Fig. 2 illustrates the schematic configuration of external terminal 11, internal terminal 15 and AP server 14.
Fig. 3 illustrates the schematic configuration of management server 12.
Fig. 4 illustrates the schematic configuration of authentication server 13.
Fig. 5 illustrates a hardware configuration example for each of external terminal 11, internal terminal 15, AP server 14, management server 12 and authentication server 13.
Fig. 6 is a flow chart illustrating the processing sequence by which external terminal 11 and management server 12 authenticate each other in order to establish the external terminal-management server encrypted communication path.
Fig. 7 is a flow chart illustrating the processing sequence by which external terminal 11 and management server 12 establish the external terminal-management server encrypted communication path, up to its completion.
Fig. 8 is a flow chart illustrating the processing sequence by which internal terminal 15 registers its address with management server 12.
Fig. 9 is a flow chart illustrating the processing sequence, when external terminal 11 performs connection processing with internal terminal 15, up to management server 12 sending the connection request to internal terminal 15.
Fig. 10 is a flow chart illustrating the processing sequence, when external terminal 11 and internal terminal 15 perform connection processing, of establishing the terminal-terminal encrypted communication path between external terminal 11 and internal terminal 15, up to its completion.
Fig. 11 is a flow chart illustrating the processing sequence in Embodiment 1, when external terminal 11 connects to AP server 14 via internal terminal 15, up to establishing the encrypted communication paths between external terminal 11 and internal terminal 15 and between internal terminal 15 and AP server 14.
Fig. 12 is a flow chart illustrating the processing sequence in Embodiment 1, when external terminal 11 connects to AP server 14 via internal terminal 15, up to transmitting information over the encrypted communication paths.
Fig. 13 is a flow chart illustrating the processing sequence in Embodiment 2, when external terminal 11 connects to AP server 14 via internal terminal 15, up to establishing the terminal-terminal encrypted communication path.
Fig. 14 is a flow chart illustrating the processing sequence in Embodiment 2, when external terminal 11 connects to AP server 14 via internal terminal 15, up to establishing the internal terminal-AP server encrypted communication path.
Fig. 15 is a flow chart illustrating the processing sequence in Embodiment 2, when external terminal 11 connects to AP server 14 via internal terminal 15, up to transmitting information over the encrypted communication paths.
Fig. 16 shows the content of the authentication state table held by the management server in Embodiment 2.
Fig. 17 shows the content of the communication state table held by the management server in Embodiment 2.
Fig. 18 shows, in Embodiment 2, the content of the connection request from external terminal 11 to AP server 14 via internal terminal 15, when external terminal 11 connects to AP server 14 via internal terminal 15.
Embodiment
Two embodiments of the present invention are described below.
The IDs, addresses, domain names and the like used in the following embodiments are fictitious names used for explanation; any resemblance to existing ones is unintended.
<Embodiment 1>
Fig. 1 illustrates the structure of a communication system according to one embodiment of the present invention.
The communication system of this embodiment has an external network 17 such as the Internet (called the Internet), external communication terminals 11_1 to 11_N connected to the Internet 17 (collectively called "external terminal 11"), and a network 16 inside an organization connected to the Internet 17. Though not illustrated, the Internet 17 and the organization's network 16 may be connected via a device called a firewall that prevents improper communication between them. In that case the firewall is set in advance so that the communication between external terminal 11 and management server 12 is not cut off. Each network may be either wired or wireless.
Connected to the organization's network 16 are AP server 14, which provides service applications, databases and the like to users in the organization; internal communication terminals 15_1 to 15_M (collectively called "internal terminal 15"), which hold the data that users in the organization use; management server 12, which manages the communication between the communication terminals; and authentication server 13, which verifies certificates in the authentication of the communication terminals. Management server 12 and/or authentication server 13 may also be operated by an organization different from that of internal terminal 15 and AP server 14, and connected to that other organization's internal network.
Each device making up the communication system of Fig. 1 is described next.
First, external terminal 11, internal terminal 15 and AP server 14 are described using Fig. 2. In the following description, when these devices are not distinguished, all of them, including AP server 14, are simply called "communication terminal" or "terminal".
A communication terminal has a processing unit 20a, a storage unit 20b, an input/output unit 20c that displays communication results and accepts instructions from the user, and a communication unit 20d for communicating with other devices via the Internet 17 and the organization's network 16.
Processing unit 20a has an address registration application unit 21 that registers the address identifying this communication terminal's position on the network, a management server communication processing unit 22 that carries out communication processing with management server 12, a terminal communication processing unit 23 that carries out communication processing with the counterpart communication terminal, and a control unit 24 that controls each part of the communication terminal as a whole.
Storage unit 20b has a key and certificate holding unit 25 that holds the key and public key certificate of this communication terminal, used when management server 12 authenticates the terminal, and an encryption key holding unit 26 that holds the encryption keys used for communication encryption.
Next, management server 12 is described using Fig. 3.
Management server 12 has a processing unit 30a, a storage unit 30b, an input/output unit 30c that displays communication results and accepts instructions from the user, and a communication unit 30d for communicating with other devices via the organization's network 16 or with other devices connected to the Internet 17.
Processing unit 30a has: an address registration/search unit 31, which accepts address registration applications from communication terminals, registers the addresses in address DB 37, and retrieves the addresses of communication terminals; a key generation and distribution unit 32, which generates the encryption keys used to encrypt communication between communication terminals and distributes them to the terminals; a terminal communication processing unit 33, which carries out communication processing with the communication terminals; an authentication server communication processing unit 34, which carries out communication processing with authentication server 13; and a control unit 34, which controls each part of management server 12 as a whole.
Storage unit 30b has a key and certificate holding unit 36 that holds the key and public key certificate of management server 12, used when a communication terminal authenticates the management server, and an address DB 37 that holds the addresses of the communication terminals.
Next, authentication server 13 is described using Fig. 4.
Authentication server 13 has a processing unit 40a, a storage unit 40b, an input/output unit 40c that displays verification results and accepts instructions from the user, and a communication unit 40d for communicating with other devices via the organization's network 16 or with other devices connected to the Internet 17.
Processing unit 40a has: a certification path search unit 41, which, for a verification request accepted from management server 12, retrieves a certification path representing the chain of trust from the certificate of the certification authority trusted by the management server to the certificate of the communication terminal being verified; a certification path verification unit 42, which verifies the certification path retrieved by certification path search unit 41; a management server communication processing unit 43, which carries out communication processing with management server 12; and a control unit 44, which controls each part of authentication server 13 as a whole.
Storage unit 40b has a certificate holding unit 45 that holds the certificates obtained from certification authorities and the invalidation (revocation) information used when certification path search unit 41 retrieves certification paths.
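To make the division of labour between certification path search unit 41, certification path verification unit 42 and certificate holding unit 45 concrete, here is an added example (illustrative code for this page, not the patent's or Hitachi's implementation) that walks issuer links from a terminal certificate up to a trust anchor and then checks every certificate on the path against expiry and revocation information. The certificate store, trust anchor, revocation entries and dates are constructed; signature verification of each link is abstracted away (an assumption), so the example shows the path logic rather than the cryptography.

```python
from datetime import date

# Constructed toy certificate store: subject -> certificate record. Signature checks are
# abstracted away (assumption); the example shows path search, anchor, expiry and revocation.
CERT_STORE = {
    "Root CA":    {"issuer": "Root CA",    "serial": 1,  "not_after": date(2030, 1, 1)},
    "Org CA":     {"issuer": "Root CA",    "serial": 2,  "not_after": date(2028, 1, 1)},
    "Partner CA": {"issuer": "Org CA",     "serial": 3,  "not_after": date(2027, 1, 1)},
    "ext-1":      {"issuer": "Org CA",     "serial": 10, "not_after": date(2026, 6, 1)},
    "ext-2":      {"issuer": "Partner CA", "serial": 11, "not_after": date(2026, 6, 1)},
    "ext-3":      {"issuer": "Org CA",     "serial": 12, "not_after": date(2024, 1, 1)},  # expired
    "rogue":      {"issuer": "Unknown CA", "serial": 13, "not_after": date(2026, 6, 1)},
    "A CA":       {"issuer": "B CA",       "serial": 20, "not_after": date(2030, 1, 1)},  # cross-issued loop
    "B CA":       {"issuer": "A CA",       "serial": 21, "not_after": date(2030, 1, 1)},
}
TRUST_ANCHORS = {"Root CA"}            # certificates the management server trusts
REVOKED = {("Partner CA", 11)}         # (issuer, serial) pairs from the invalidation information

def search_certification_path(store, subject, anchors, max_len=8):
    """Follow issuer links from the terminal certificate up to a trusted anchor
    (the job of certification path search unit 41). Returns None if no chain reaches an anchor."""
    path, seen = [], set()
    while subject in store and subject not in seen and len(path) < max_len:
        seen.add(subject)
        path.append((subject, store[subject]))
        if subject in anchors:
            return path
        subject = store[subject]["issuer"]
    return None   # unknown issuer, a loop between CAs, or a chain that is too long

def verify_certification_path(path, revoked, today):
    """Check every certificate on the path for expiry and revocation
    (the job of certification path verification unit 42)."""
    if path is None:
        return False, "no certification path to a trust anchor"
    for subject, cert in path:
        if cert["not_after"] < today:
            return False, f"{subject} expired"
        if (cert["issuer"], cert["serial"]) in revoked:
            return False, f"{subject} revoked"
    return True, "valid"

def validate(subject, today=date(2025, 1, 1)):
    """What the authentication server would answer to a verification request for `subject`."""
    path = search_certification_path(CERT_STORE, subject, TRUST_ANCHORS)
    return verify_certification_path(path, REVOKED, today)
```

A practical point the example makes explicit: revocation is keyed on the issuing CA together with the serial number, not on the subject name alone, and a revoked or expired intermediate CA invalidates every terminal certificate beneath it, since verification runs over the whole path rather than just the leaf.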
The processing units of the communication terminals shown in Fig. 2 to Fig. 4, of management server 12 and of authentication server 13 can be implemented, for example, on a general-purpose electronic computer such as the one shown in Fig. 5, by having CPU 51 execute a prescribed program loaded into memory 52. This computer has CPU 51, memory 52, an external storage device 53 such as a hard disk, a communication device 54 for communicating with other devices via the Internet 17 and the intra-organization network 16, an input device 55 such as a keyboard and mouse, an output device 56 such as a display and printer, a reading device 57 that reads information from a removable storage medium 58, and an internal communication line 50 connecting these devices.
These programs may be stored in advance in memory 52 or external storage device 53 of the electronic computer, or, when needed, loaded from a removable storage medium 58 usable by the computer, or from another device via a communication medium (the Internet 17, the intra-organization network 16, or a carrier wave or digital signal transmitted over them).
In the present embodiment the communication terminal can be realized by the structure shown in Fig. 5, but the invention is not limited to this. The communication terminal shown in Fig. 2 may be any device that has a function equivalent to communication device 54, i.e. that can connect to the Internet 17 and the intra-organization network 16. For example, not only routers, PCs and PDAs but also household appliances such as televisions, refrigerators, air conditioners and electric stoves can become communication terminals by being given a structure similar to Fig. 5.
Each of the above processing units may also be implemented as hardware.
Next, the operation of the communication system of the present embodiment is described.
The operation of the communication system of the present embodiment comprises the operation of setting up an encrypted communication path between a communication terminal and the management server, and the operation of setting up an encrypted communication path between two communication terminals.
Fig. 6 and Fig. 7 are flow charts illustrating the operation of setting up an encrypted communication path between a communication terminal and the management server in the present embodiment, taking as an example the case of setting up an encrypted communication path (called the terminal-management server encrypted communication path) between internal terminal 15 and management server 12.
Internal terminal 15, at its management server communication processing unit 22, sends management server 12 a request for the certificate of management server 12 in order to authenticate management server 12 (step 1001 of Fig. 6). Management server 12 receives this request at its terminal communication processing unit 33 (step 1002), takes the management server's certificate out of key/certificate holding unit 26 and replies with it, and sends internal terminal 15 a request for the certificate of the other party, internal terminal 15 (step 1003). Internal terminal 15 receives this certificate request at management server communication processing unit 22 (step 1004), takes the certificate of internal terminal 15 out of key/certificate holding unit 36 and sends it to management server 12 (step 1005).
Internal terminal 15, at management server communication processing unit 22, verifies the certificate of management server 12 received in step 1004 (step 1007) and checks that management server 12 is not being impersonated. If verification of the management server's certificate fails (No in step 1008), the management server cannot be authenticated and communication is terminated (step 1107). If verification of the management server's certificate succeeds (Yes in step 1008), processing proceeds to the next step.
Management server 12 receives the certificate from internal terminal 15 at terminal communication processing unit 33 (step 1006) and, in order to verify this certificate, sends a verification request for the certificate of internal terminal 15 to authentication server 13 via authentication server communication processing unit 34 (step 1009).
Authentication server 13 receives the verification request (step 1010), performs the certification path search at certification path search unit 41, and verifies the retrieved certification path at certification path verification unit 42 (step 1011). If verification of the certificate of internal terminal 15 succeeds (Yes in step 1012), authentication server 13 sends a notice that certificate verification succeeded to management server 12 via management server communication processing unit 43 (step 1013). If verification of the certificate of internal terminal 15 fails (No in step 1012), it sends a notice that certificate verification failed to management server 12 via management server communication processing unit 43 (step 1014).
Management server 12 receives the verification result from authentication server 13 at terminal communication processing unit 33 via authentication server communication processing unit 34 (step 1015). If the result is failure (No in step 1016), internal terminal 15 cannot be authenticated and communication is terminated (step 1107 in Fig. 7). If verification of the certificate of internal terminal 15 succeeded (Yes in step 1016), processing proceeds to the next step.
If internal terminal 15 and management server 12 have authenticated each other (Yes in step 1008 and Yes in step 1016), management server communication processing unit 22 of internal terminal 15 and terminal communication processing unit 33 of management server 12 share a key for encrypting the communication path (steps 1101 and 1102 in Fig. 7). As the key sharing method, for example TLS (Transport Layer Security), standardized by the IETF as RFC 2246, can be used. Once the key is shared, authentication between internal terminal 15 and management server 12 and establishment of the encrypted communication path are complete, so address registration/search unit 31 of management server 12 associates the IP address of internal terminal 15 with the authentication result (here, content indicating authentication success) and registers them in authentication state table 60 shown in Fig. 16 (step 1103). Specifically, the IP address of internal terminal 15 is registered in terminal IP address field 62, and a message indicating authentication success together with the time are registered in authentication result field 63 and authentication time field 64. Authentication state table 60 is a table used to manage the state of the communication terminals communicating with management server 12, and is held in address DB 37 of management server 12.
With the processing so far, set-up of the encrypted communication path between internal terminal 15 and management server 12 is complete (step 1104), and management server communication processing unit 22 of internal terminal 15 and terminal communication processing unit 33 of management server 12 use this key to perform encrypted communication (steps 1105, 1106).
After the encrypted communication ends, management server communication processing unit 22 of internal terminal 15 and terminal communication processing unit 33 of management server 12 release the encrypted communication path (step 1107). Releasing the encrypted communication path can be realized, for example, by invalidating the encryption key used for the encrypted communication.
Then, address registration/search unit 31 of management server 12 deletes the IP address and authentication result of internal terminal 15 registered in step 1103 from authentication state table 60 held in address DB 37. However, when the IP address of a communication terminal is registered statically in authentication state table 60, the IP address of the communication terminal need not be deleted.
By these steps, internal terminal 15 and management server 12 can set up an encrypted communication path after mutually confirming the other party.
Next, the operation of setting up an encrypted communication path between two communication terminals is described.
To set up an encrypted communication path between communication terminals, the address information of the communication terminals must be registered in management server 12 in advance. Address information here means information that associates an identifier determining the communication terminal (hereafter called the terminal ID) with the address representing its location on the network (for example, its IP address). As the terminal ID, an ID that is fixed within the domain can be used; fixed here means that the ID determines the terminal and does not change within the domain. For example, in the case of a mobile terminal the IP address may change depending on where it connects to the network, but other unchanging information, such as the communication terminal name or the MAC address of the communication terminal, can be used as the terminal ID. In a closed domain such as a company, information such as the mail address of the user of the communication terminal, the SIP-URI of the communication terminal, or the FQDN (Fully Qualified Domain Name) of the communication terminal can also be used as the terminal ID. The address registration operation is explained with Fig. 8.
Fig. 8 is a flow chart illustrating the operation by which a communication terminal registers its own address with management server 12, taking as an example the case where internal terminal 15 registers its address with management server 12.
First, internal terminal 15 and management server 12 set up the internal terminal-management server encrypted communication path by performing steps 1001 to 1016 of Fig. 6 and steps 1101 to 1104 of Fig. 7 (step 2001). After the internal terminal-management server encrypted communication path is set up, address registration application unit 21 of internal terminal 15 sends a registration application for the address of internal terminal 15 to management server 12 (step 2002). When address registration/search unit 31 of management server 12 receives the application (step 2003), it associates the terminal ID of internal terminal 15 with its IP address and registers them in authentication state table 60 held in address DB 37 (step 2004). Specifically, it searches terminal IP address field 62 of authentication state table 60 for the IP address of internal terminal 15 and registers the terminal ID of internal terminal 15 in terminal address field 61, associated with the IP address found. If the IP address of internal terminal 15 is not found in authentication state table 60, the terminal ID and IP address of internal terminal 15 are newly registered in terminal address field 61 and terminal IP address field 62. After registration is complete, a registration completion notice is sent to internal terminal 15 (step 2005). When internal terminal 15 receives the registration completion notice (step 2006), internal terminal 15 and management server 12 perform the termination processing of the internal terminal-management server encrypted communication path. By performing the above steps, the address of internal terminal 15 can be registered in management server 12.
Other communication terminals, for example external terminal 11, can likewise register their own address in management server 12 by performing the same steps as in Fig. 8.
A communication terminal can also delete an address registered in management server 12. For deletion, the processing shown in Fig. 8 is performed with "registration" read as "deletion".
When the address assigned to a communication terminal changes, the address registration processing of Fig. 8 must be performed again. For example, when a communication terminal receives its address by dynamic assignment, the address may change if the terminal is powered off and on or restarted. The address may also change when the terminal disconnects from the network and connects to another network at its new location. In such cases the communication terminal performs the address registration processing of Fig. 8 again and registers its latest address in management server 12.
When the IP address and terminal ID of a communication terminal are set statically, it is sufficient to register the address of the terminal once in advance, and the address information need not be deleted in that case.
Fig. 9 and Fig. 10 are flow charts illustrating the operation by which two communication terminals, with the help of the management server, set up an encrypted communication path that does not pass through the management server, taking as an example the case of setting up an encrypted communication path (called the terminal-terminal encrypted communication path) between external terminal 11 and internal terminal 15.
First, management server 12 and internal terminal 15 set up the internal terminal-management server encrypted communication path in advance by performing steps 1001 to 1016 of Fig. 6 and steps 1101 to 1104 of Fig. 7 (step 3001). If internal terminal 15 has not yet registered its own address, it registers its address in management server 12 by performing steps 2002 to 2006 of Fig. 8 (step 3002).
When external terminal 11 wants to begin communicating with internal terminal 15, external terminal 11 and management server 12 set up the external terminal-management server encrypted communication path by performing steps 1001 to 1016 of Fig. 6 and steps 1101 to 1104 of Fig. 7 (step 3003). If external terminal 11 has not yet registered its own address, or its registered address needs to be updated, it registers its address in management server 12 by performing steps 2002 to 2006 of Fig. 8 (step 3004).
After the external terminal-management server encrypted communication path is set up, external terminal 11, at management server communication processing unit 22, sends a connection request for internal terminal 15 to management server 12 (step 3005). The connection request includes the terminal ID as the information identifying the connection target (internal terminal 15).
Management server 12 receives the connection request at terminal communication processing unit 33 (step 3006), and address registration/search unit 31 searches authentication state table 60 for the address of internal terminal 15 using the terminal ID as the key (step 3007). If no message indicating authentication success is registered in authentication result field 63 corresponding to internal terminal 15 in authentication state table 60, i.e. no encrypted communication path has been established (No in step 3008), terminal communication processing unit 33 of management server 12 performs the encrypted communication path set-up processing with internal terminal 15 (step 3009) and proceeds to step 3011. If a message indicating authentication success is registered in authentication result field 63 corresponding to internal terminal 15 (Yes in step 3008), key generation/distribution unit 32 of management server 12 generates the encryption key and setting information to be used for encrypting the communication path between the two terminals (step 3010). Then terminal communication processing unit 33 of management server 12 sends internal terminal 15 the connection request from external terminal 11 for internal terminal 15 together with the encryption key and setting information generated in step 3010 (step 3011). The connection request, encryption key and so on are sent over the internal terminal-management server encrypted communication path.
Internal terminal 15, at management server communication processing unit 22, saves the encryption key and setting information received from management server 12 in encryption key holding unit 26 (step 3012). It then determines whether external terminal 11 may connect to internal terminal 15 (step 3013) and sends the determination result to management server 12 (step 3014). Management server 12 receives the determination result from internal terminal 15 at terminal communication processing unit 33 (step 3015).
If the determination result indicates that external terminal 11 may not connect to internal terminal 15 (No in step 3101), terminal communication processing unit 33 of management server 12 sends a determination result indicating that connection is not permitted to external terminal 11 (step 3102) and ends the terminal-terminal encrypted communication path set-up processing.
If external terminal 11 may connect to internal terminal 15 (Yes in step 3101), terminal communication processing unit 33 of management server 12 sends external terminal 11 a determination result indicating that connection is permitted, together with the encryption key and setting information generated in step 3010 (step 3103). At least the encryption key is sent over the external terminal-management server encrypted communication path.
External terminal 11 receives, at management server communication processing unit 22, the determination result on whether it may communicate with internal terminal 15 from management server 12 and, if it has received an encryption key, saves the key in encryption key holding unit 26 (step 3104).
If the determination result is that connection is not permitted (No in steps 3105, 3106), external terminal 11 and internal terminal 15 end the terminal-terminal encrypted communication path set-up processing. If the determination result is that communication is permitted (Yes in steps 3105, 3106), the terminal-terminal encrypted communication path is established between external terminal 11 and internal terminal 15 (step 3107). Using this terminal-terminal encrypted communication path, terminal communication processing unit 23 of external terminal 11 and terminal communication processing unit 23 of internal terminal 15 can exchange information (step 3108).
When the communication path between external terminal 11 and internal terminal 15 is no longer needed, the terminal-terminal encrypted communication path can be ended. To end the terminal-terminal encrypted communication path, the following steps are performed.
External terminal 11, at management server communication processing unit 22, sends management server 12 a disconnection request for the encrypted communication with internal terminal 15 (step 3109). Management server 12 receives this request at terminal communication processing unit 33 (step 3110) and forwards it to internal terminal 15 (step 3111). When internal terminal 15 receives the disconnection request at management server communication processing unit 22 (step 3112), it sends the corresponding disconnection reply to management server 12 (step 3113) and, at terminal communication processing unit 23, ends the terminal-terminal encrypted communication path with external terminal 11 (step 3117). When management server 12 receives the disconnection reply from internal terminal 15 at terminal communication processing unit 33 (step 3114), it forwards the disconnection reply to external terminal 11 (step 3115). When external terminal 11 receives the disconnection reply from management server 12 at management server communication processing unit 22 (step 3116), it ends the terminal-terminal encrypted communication path with internal terminal 15 at terminal communication processing unit 23 (step 3117).
The disconnection request may also be sent from internal terminal 15 rather than from external terminal 11. In that case, external terminal 11 and internal terminal 15 simply swap roles in the processing from step 3109 to step 3117.
External terminal 11 and internal terminal 15 need not necessarily perform steps 3109 to 3117 in order to end communication; communication can also be ended without performing these steps.
As illustrated in the flow charts of Fig. 9 and Fig. 10, management server 12 authenticates external terminal 11 and internal terminal 15 respectively, and sets up the encrypted communication path between external terminal 11 and internal terminal 15 only when the legitimacy of each communication terminal can be confirmed. Furthermore, once the terminal-terminal encrypted communication path is established, the communication terminals perform encrypted communication with each other without going through management server 12, so secure communication can be performed without placing load on management server 12. And since the whole terminal-terminal encrypted communication path is encrypted, communication is more secure than before.
In the present embodiment, when a terminal-terminal encrypted communication path is set up, the communication terminal that is the communication partner (internal terminal 15 in the embodiment above) and management server 12 set up the terminal-management server encrypted communication path and perform the address registration processing in advance (steps 3001, 3002), but the invention is not limited to this. Internal terminal 15 as the communication partner may have performed address registration in advance, or have its address registered statically, and the encrypted communication path between the destination communication terminal and management server 12 may be set up after the source communication terminal (external terminal 11 in the embodiment above) has sent management server 12 a connection request for the destination communication terminal (at the moment of "Yes" in step 3008).
For example, an application server that provides services to other terminals and frequently receives connection requests from many communication terminals can, like the internal terminal in the embodiment above, set up an encrypted communication path with management server 12 in advance, so that when a connection request arrives from internal terminal 15 the communication path is set up in the same way as in the terminal-terminal case and the service can be provided immediately.
Conversely, when internal terminal 15 receives connection requests from external terminal 11 only infrequently, the encrypted communication path set-up processing between internal terminal 15 and management server 12 can be performed at the moment external terminal 11 sends a connection request for internal terminal 15.
Next, the operation in which external terminal 11 accesses AP server 14 via internal terminal 15 in the communication system of the present embodiment is described. For example, when external terminal 11 connected to the Internet remotely accesses and operates internal terminal 15 connected to the company network, there are cases where the services of AP server 14 are used from internal terminal 15. In that case, keyboard and mouse input information is sent from external terminal 11 to internal terminal 15, and based on this information internal terminal 15 exchanges information with AP server 14. Internal terminal 15 then sends the result of the information exchange with AP server 14, such as screen image information, from internal terminal 15 to external terminal 11 and presents it to the user.
Fig. 11 and Fig. 12 are flow charts illustrating the operation when external terminal 11 accesses AP server 14 via internal terminal 15 in the present embodiment.
In the processing of Fig. 11 and Fig. 12, AP server 14 may be regarded as one of the internal terminals 15. Accordingly, AP server 14 and management server 12 first set up in advance an encrypted communication path between management server and AP server (called the management server-AP server encrypted communication path) by performing steps 1001 to 1016 and steps 1101 to 1104 of Fig. 6 and Fig. 7, which management server 12 and internal terminal 15 perform (step 4001). If AP server 14 has not yet registered its own address, it registers its address in management server 12 by performing steps 2002 to 2006 of Fig. 8 (step 4002).
Likewise, internal terminal 15 and management server 12 set up the internal terminal-management server encrypted communication path in advance by performing steps 1001 to 1016 of Fig. 6 and steps 1101 to 1104 of Fig. 7 (step 4003). If internal terminal 15 has not yet registered its own address, it registers its address in management server 12 by performing steps 2002 to 2006 of Fig. 8 (step 4004).
Likewise, external terminal 11 performs the following steps to set up the terminal-terminal encrypted communication path with internal terminal 15.
External terminal 11 and management server 12 set up the external terminal-management server encrypted communication path by performing the processing of internal terminal 15 and management server 12 shown in steps 1001 to 1016 of Fig. 6 and steps 1101 to 1104 of Fig. 7 (step 4005). If external terminal 11 has not yet registered its own address, it registers its address in management server 12 by performing steps 2002 to 2006 of Fig. 8 (step 4006).
After the external terminal-management server encrypted communication path is set up, external terminal 11, at management server communication processing unit 22, sends a connection request for internal terminal 15 to management server 12 (step 4007). Management server 12, external terminal 11 and internal terminal 15 set up the terminal-terminal encrypted communication path between external terminal 11 and internal terminal 15 by performing steps 3007 to 3107 shown in Fig. 9 and Fig. 10 (step 4008).
Then external terminal 11, at terminal communication processing unit 23, in order to communicate with AP server 14 via internal terminal 15, sends internal terminal 15 key input information whose content is an instruction to request connection to AP server 14 (step 4009). This connection request is sent over the terminal-terminal encrypted communication path set up in step 4008.
When internal terminal 15 receives, at terminal communication processing unit 23, key input information from external terminal 11 whose content is an instruction to request connection to AP server 14, it sets up an encrypted communication path between internal terminal 15 and AP server 14 (called the internal terminal-AP server encrypted communication path) by performing the processing of steps 4007 to 4008, with internal terminal 15 and AP server 14 taking the roles of external terminal 11 and internal terminal 15 respectively. This encrypted communication path can be regarded as a terminal-terminal encrypted communication path set up between internal terminal 15 and AP server 14.
That is, internal terminal 15, at management server communication processing unit 22, sends management server 12 a connection request for AP server 14 (step 4010). When management server 12 receives the connection request for AP server 14 from internal terminal 15, management server 12, internal terminal 15 and AP server 14 set up the internal terminal-AP server encrypted communication path by performing steps 3007 to 3107 shown in Fig. 9 and Fig. 10 (step 4011). Since the internal terminal-management server and AP server-management server encrypted communication paths were already set up in steps 4001 and 4003, they need not be set up again here.
Using the two encrypted communication paths set up by the above steps, namely the external terminal-internal terminal encrypted communication path and the internal terminal-AP server encrypted communication path, external terminal 11 can perform encrypted communication with AP server 14 via internal terminal 15.
That is, external terminal 11, at terminal communication processing unit 23, uses the terminal-terminal encrypted communication path set up with internal terminal 15 to send internal terminal 15 key input information whose content is an instruction to request processing by AP server 14 (step 4101). When internal terminal 15 receives, at terminal communication processing unit 23, key input information from external terminal 11 whose content is an instruction to request processing by AP server 14, it uses the internal terminal-AP server encrypted communication path set up with AP server 14 to send AP server 14 a processing request based on the received key input (step 4102). When AP server 14 receives the processing request from internal terminal 15 at terminal communication processing unit 23, it executes the requested processing. AP server 14 then, at terminal communication processing unit 23, uses the internal terminal-AP server encrypted communication path to send the execution result of the requested processing to internal terminal 15 (step 4103). Internal terminal 15 receives the result at terminal communication processing unit 23 and uses the terminal-terminal encrypted communication path to send external terminal 11 the result, or output information such as a screen image generated from it (step 4104). External terminal 11 receives the output information at terminal communication processing unit 23 and outputs it from input/output unit 20c to the screen or the like.
By performing the above steps, external terminal 11 can communicate securely with AP server 14 via internal terminal 15.
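The two-hop relay of steps 4101 to 4104, as an added Python example that is not code from the patent: each hop is protected only by the key distributed for it, and internal terminal 15 is the one party that decrypts the key input and re-encrypts the request for AP server 14, so it must be trusted with the plaintext. The HMAC-SHA256 keystream and tag are a stand-in for whatever cipher the setting information of step 3010 selects; the class names, the `SCREEN:` prefix and the AP server's processing are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one path key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode); the real cipher is chosen by the
    # setting information of step 3010, which the page does not specify.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one message on the path keyed with `key`."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError for a forged or wrong-key message."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication tag mismatch")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class APServer:
    """AP server 14: holds only the internal terminal-AP server key."""

    def __init__(self, key_int_ap: bytes) -> None:
        self.key = key_int_ap

    def handle(self, blob: bytes) -> bytes:
        request = unseal(self.key, blob)            # processing request received (step 4102)
        result = b"OK " + request.upper()           # constructed stand-in for the requested processing
        return seal(self.key, result)               # execution result back to internal terminal (4103)


class InternalTerminal:
    """Internal terminal 15: holds both keys, so it sees the plaintext while relaying."""

    def __init__(self, key_ext_int: bytes, key_int_ap: bytes, ap: APServer) -> None:
        self.key_ext, self.key_ap, self.ap = key_ext_int, key_int_ap, ap
        self.seen: list = []   # plaintext key inputs observed by this hop

    def relay(self, blob_from_ext: bytes) -> bytes:
        key_input = unseal(self.key_ext, blob_from_ext)                  # step 4101 received
        self.seen.append(key_input)
        request = key_input                                               # request based on the key input
        result = unseal(self.key_ap, self.ap.handle(seal(self.key_ap, request)))   # steps 4102, 4103
        output = b"SCREEN:" + result                                      # output information generated from result
        return seal(self.key_ext, output)                                 # step 4104


class ExternalTerminal:
    """External terminal 11: holds only the external terminal-internal terminal key."""

    def __init__(self, key_ext_int: bytes, internal: InternalTerminal) -> None:
        self.key, self.internal = key_ext_int, internal

    def send(self, key_input: bytes) -> bytes:
        return unseal(self.key, self.internal.relay(seal(self.key, key_input)))   # steps 4101, 4104


def build_chain(key_ext_int: bytes, key_int_ap: bytes) -> ExternalTerminal:
    """Wire up the three parties with the two keys that management server 12 distributed."""
    ap = APServer(key_int_ap)
    return ExternalTerminal(key_ext_int, InternalTerminal(key_ext_int, key_int_ap, ap))


if __name__ == "__main__":
    ext = build_chain(secrets.token_bytes(32), secrets.token_bytes(32))
    print(ext.send(b"open report.txt"))
```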
<Embodiment 2>
The second embodiment is described below.
In the present embodiment, when external terminal 11 accesses AP server 14 via internal terminal 15, the operations shown in Fig. 13, Fig. 14 and Fig. 15 are performed.
As shown in Fig. 13, the AP server 14 and the management server 12 establish in advance an encrypted communication path between terminal and server (step 5001) by carrying out, respectively, steps 1001 to 1016 and steps 1101 to 1104 of Figs. 6 and 7 (shown there for the internal terminal 15 and the management server 12). If the AP server 14 has not yet registered its own address, steps 2002 to 2006 of Fig. 8 are carried out to register the address of the AP server 14 in the management server 12 (step 5002).
When steps 5001 and 5002 complete normally, the address information and authentication result of the AP server 14 are registered in the authentication state table 60. Specifically, the address information of the AP server 14 is registered as the terminal address 61 and the terminal IP address 62, and as the corresponding authentication result, a message indicating successful authentication and the time of that authentication are registered in the authentication result 63 and the authentication time 64.
The authentication state table 60 is the table in which the management server 12 registers, for each terminal, the address information it has authenticated and accepted together with that terminal's state; it is held in the storage unit 30b of the management server 12.
Likewise, the internal terminal 15 and the management server 12 establish in advance an encrypted communication path between the internal terminal and the management server (step 5003) by carrying out, respectively, steps 1001 to 1016 and steps 1101 to 1104 of Figs. 6 and 7. If the internal terminal 15 has not yet registered its own address, steps 2002 to 2006 of Fig. 8 are carried out to register the address of the internal terminal 15 in the management server 12 (step 5004).
When steps 5003 and 5004 complete normally, the address information and authentication result of the internal terminal 15 are registered in the authentication state table 60.
The external terminal 11 carries out the following steps in order to establish a terminal-to-terminal encrypted communication path with the internal terminal 15.
The external terminal 11 and the management server 12 establish in advance an encrypted communication path between the external terminal and the management server (step 5005) by carrying out, respectively, steps 1001 to 1016 and steps 1101 to 1104 of Figs. 6 and 7 (shown there for the internal terminal 15 and the management server 12). If the external terminal 11 has not yet registered its own address, steps 2002 to 2006 of Fig. 8 are carried out to register the address of the external terminal 11 in the management server 12 (step 5006).
When steps 5005 and 5006 complete normally, the address information and authentication result of the external terminal 11 are registered in the authentication state table 60.
The external terminal 11 then sends, from its management server communication processing unit 22, a connection request for the internal terminal 15 to the management server 12 (step 5007). The management server 12 receives the connection request from the external terminal 11 at its terminal communication processing unit 33 and confirms the authentication state of the external terminal 11 and the internal terminal 15 (step 5008). Specifically, the management server 12 refers to the authentication state table 60 at its terminal communication processing unit 33 and confirms that address information for both the external terminal 11 and the internal terminal 15 is registered and that their authentication result fields record successful authentication. If no address information is registered, the management server 12 replies to the external terminal 11 that the connection request is refused. If address information is registered but the authentication result field does not record successful authentication, the management server 12 carries out the encrypted communication path setup process with the internal terminal 15 at its terminal communication processing unit 33 and confirms the authentication state again. If the authentication state still cannot be confirmed, the management server 12 replies to the external terminal 11 that the connection request is refused.
If the authentication state has been confirmed, the key generation and distribution unit 32 of the management server 12 generates the encryption key to be used on the terminal-to-terminal encrypted communication path (step 5009). The management server 12 then sends, from its terminal communication processing unit 33, the connection request from the external terminal 11 for the internal terminal 15 together with the encryption key generated in step 5009 and the setting information to the internal terminal 15 (step 5010).
On receiving these at its management server communication processing unit 22, the internal terminal 15 judges whether this external terminal 11 may connect to the internal terminal 15 and sends the result of this connectability judgement to the management server 12 (step 5011). The management server 12 sends this judgement result from its terminal communication processing unit 33 to the external terminal 11 and, if the judgement result indicates that connection is permitted, also sends the encryption key and setting information generated in step 5009 (step 5012). When the external terminal 11 receives these at its management server communication processing unit 22, the terminal-to-terminal encrypted communication path is established, and the internal terminal 15 and the external terminal 11 can carry out encrypted communication at their terminal communication processing units 23 using the encryption keys received in step 5010 and step 5012 respectively (step 5013).
The management server 12 registers, at its terminal communication processing unit 33, the fact that a terminal-to-terminal encrypted communication path has been established between the external terminal 11 and the internal terminal 15 in the communication state table 70 shown in Fig. 17 (step 5014). Specifically, the address of the connection request source (here the external terminal 11) is registered in the communication source address 71 of the communication state table 70, the address of the connection request destination (here the internal terminal 15) is registered in the communication destination address 72, and the time at which this terminal-to-terminal encrypted path was established (for example, the time at which both terminals received the encryption key and setting information) is registered in the communication start time 73.
The communication state table 70 registers the state of each terminal-to-terminal encrypted communication path for which the management server 12 has carried out authentication, generated an encryption key and completed establishment; it is held in the storage unit 30b.
Next, in order to communicate with the AP server 14 via the internal terminal 15, the external terminal 11 sends the internal terminal 15, from its terminal communication processing unit 23, key input information whose content is an instruction to issue a connection request to the AP server 14 (step 5101). This connection request is sent to the internal terminal 15 over the terminal-to-terminal encrypted communication path established in step 5013.
When the internal terminal 15 receives, at its terminal communication processing unit 23, key input information from the external terminal 11 instructing it to issue a connection request to the AP server 14, it carries out the following operations in order to establish an internal terminal-to-AP server encrypted communication path between the internal terminal 15 and the AP server 14.
The internal terminal 15 sends, from its management server communication processing unit, a connection request from the external terminal 11 to the AP server 14 via the internal terminal 15 to the management server 12 (step 5102). That is, this connection request asks for the establishment of an internal terminal-to-AP server encrypted communication path between the internal terminal 15 and the AP server 14 so that the external terminal 11 can connect to the AP server 14, and therefore it also includes the external terminal 11 as the authenticated object. Accordingly, the connection request sent is the connection request with authenticated-object information 80 shown in Fig. 18, which contains authenticated-object information 83 in addition to communication source information 81 and communication destination information 82. It also contains other information needed for the communication, such as application information 84.
The management server 12 accepts this connection request with authenticated-object information 80 at its terminal communication processing unit 33 and confirms the authentication state of each of the external terminal 11, the internal terminal 15 and the AP server 14 recorded as the communication source information 81, the communication destination information 82 and the authenticated-object information 83 (step 5103). Specifically, the management server 12 refers to the authentication state table 60 and confirms that address information for the external terminal 11, the internal terminal 15 and the AP server 14 is registered and that the authentication result 63 fields record successful authentication. If no address information is registered, the management server 12 replies to the internal terminal 15 that the connection request is refused. If address information is registered but the authentication result field does not record successful authentication, the management server 12 carries out the encrypted communication path setup process with the AP server 14 at its terminal communication processing unit 33 and confirms the authentication state again. If the authentication state still cannot be confirmed, the management server 12 replies to the internal terminal 15 that the connection request is refused.
Because the present embodiment also treats the external terminal 11 as an authenticated object, once the authentication state has been confirmed the management server 12 refers, at its terminal communication processing unit 33, to the communication state table 70 and confirms that an encrypted communication path has been established and communication is in progress between the communication source recorded in the connection request with authenticated-object information 80 (the internal terminal 15) and the authenticated object (the external terminal 11) (step 5104). Specifically, the management server 12 refers to the communication state table 70 and confirms that the internal terminal 15 and the external terminal 11 are recorded as the communication source address and communication destination address of one entry and are in the communicating state. Once both the authentication state and the communication state have been confirmed, the key generation and distribution unit 32 of the management server 12 generates the encryption key to be used on the internal terminal-to-AP server encrypted communication path between the internal terminal 15 and the AP server 14 (step 5105). The management server 12 then sends, from its terminal communication processing unit 33, the connection request from the external terminal 11 to the AP server 14 via the internal terminal 15, together with the encryption key and setting information generated in step 5105, to the AP server 14 (step 5106). On receiving these at its management server communication processing unit 22, the AP server 14 judges whether the external terminal 11 may connect to the AP server 14 via this internal terminal 15 and sends the result of this connectability judgement to the management server 12 (step 5107). The management server 12 sends this judgement result from its terminal communication processing unit 33 to the internal terminal 15 and, if the judgement result indicates that communication is permitted, also sends the encryption key and setting information generated in step 5105 (step 5108). When the internal terminal 15 receives these at its management server communication processing unit 22, the internal terminal-to-AP server encrypted communication path is established, and the AP server 14 and the internal terminal 15 can carry out encrypted communication at their terminal communication processing units 23 using the encryption keys received in step 5106 and step 5108 respectively (step 5109).
The management server 12 registers, at its terminal communication processing unit 33, the fact that an internal terminal-to-AP server encrypted communication path has been established between the internal terminal 15 and the AP server 14 in the communication state table 70 shown in Fig. 17 (step 5110). Consequently, even when the AP server 14 distributes processing requests to other communication terminals and obtains results from them, an encrypted communication path can be established by repeating the same processing as above with the external communication terminal as the authenticated object.
Moreover, by referring to the communication state table 70, the management server 12 can associate the two established encrypted communication paths (external terminal 11 to internal terminal 15, and internal terminal 15 to AP server 14) with each other, and can therefore determine which three devices are carrying out related processing.
Once the internal terminal-to-AP server encrypted communication path has been established, the internal terminal 15 replies with the connection result to the external terminal 11, at its terminal communication processing unit 23, over the terminal-to-terminal encrypted communication path established with the external terminal 11 (step 5111).
Using the two encrypted communication paths established by the above steps (external terminal 11 to internal terminal 15, and internal terminal 15 to AP server 14), the external terminal 11 can carry out encrypted communication with the AP server 14 via the internal terminal 15. That is, the external terminal 11, at its terminal communication processing unit 23, uses the terminal-to-terminal encrypted communication path established with the internal terminal 15 to send the internal terminal 15 key input information whose content is an instruction to issue a processing request to the AP server 14 (step 5201).
When the internal terminal 15 receives, at its terminal communication processing unit 23, key input information from the external terminal instructing it to issue a processing request to the AP server 14, it uses the internal terminal-to-AP server encrypted communication path established with the AP server 14 to send a processing request based on the received key input to the AP server 14 (step 5202). When the AP server 14 receives the processing request from the internal terminal 15 at its terminal communication processing unit 23, it executes the requested processing. The AP server 14 then uses the internal terminal-to-AP server encrypted communication path, at its terminal communication processing unit 23, to send the execution result of the requested processing to the internal terminal 15 (step 5203). The internal terminal 15 receives this result at its terminal communication processing unit 23 and sends the result, or screen output information generated from it, to the external terminal 11 over the terminal-to-terminal encrypted communication path (step 5204). The external terminal 11 receives this output information at its terminal communication processing unit 23 and outputs it to a screen or the like through its input/output unit 20c.
By carrying out the above steps, the external terminal 11 can communicate securely with the AP server 14 via the internal terminal 15.
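The sequence described above (steps 5007 to 5014 for the first path, steps 5102 to 5110 for the second path requested with authenticated-object information, and steps 5201 to 5204 for communication over the two paths) is modelled below as an added worked example in Python. It is not code from the patent or from Hitachi; the addresses, the consent callbacks that stand in for the step 5011 and step 5107 judgements, and the HMAC-SHA256 stream cipher that stands in for the algorithm named in the setting information are all assumptions. The example goes slightly beyond the text in one respect: it also shows what the step 5104 check is for, by having a second internal terminal that is itself authenticated name the external terminal as its authenticated object without holding a terminal-to-terminal path to it, and being refused before the AP server is even asked.

```python
import hashlib
import hmac
import os


class Refused(Exception):
    """The management server replied that the connection request is refused."""


def _stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher, HMAC-SHA256(key, nonce || counter) as keystream; stands in
    # for the algorithm named in the setting information and is not authenticated.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


class Terminal:     # external terminal 11, internal terminal 15 or AP server 14
    def __init__(self, address: str, allow):
        self.address = address
        self.allow = allow    # callable(src, obj) -> bool: the step 5011 / 5107 judgement
        self.keys = {}        # peer address -> key received from the management server

    def send(self, peer: str, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)    # fresh per message so the keystream is never reused
        return nonce + _stream(self.keys[peer], nonce, plaintext)

    def recv(self, peer: str, message: bytes) -> bytes:
        return _stream(self.keys[peer], message[:16], message[16:])


class ManagementServer:     # management server 12
    def __init__(self):
        self.auth_table = {}    # authentication state table 60: address -> result 63
        self.comm_table = []    # communication state table 70: (source 71, destination 72)
        self.terminals = {}     # address -> Terminal, reached over its management-server path

    def register(self, terminal: Terminal, authenticated: bool = True):
        # Steps 5001-5006: path to the management server set up and address registered.
        self.terminals[terminal.address] = terminal
        self.auth_table[terminal.address] = "success" if authenticated else "failure"

    def _require_authenticated(self, *addresses: str):
        for a in addresses:   # steps 5008 / 5103
            if self.auth_table.get(a) != "success":
                raise Refused(f"{a}: not registered with successful authentication")

    def _require_path(self, a: str, b: str):
        # Step 5104: the claimed authenticated object must already share a path with the source.
        if not any({s, d} == {a, b} for s, d in self.comm_table):
            raise Refused(f"no established path between {a} and {b}")

    def _broker(self, src: str, dst: str, obj=None) -> bytes:
        # Steps 5009-5014 / 5105-5110: generate key, ask dst, distribute, record.
        key = os.urandom(32)                       # key generation/distribution unit 32
        if not self.terminals[dst].allow(src, obj):
            raise Refused(f"{dst} declined {src}")
        self.terminals[dst].keys[src] = key        # step 5010 / 5106
        self.terminals[src].keys[dst] = key        # step 5012 / 5108
        self.comm_table.append((src, dst))
        return key

    def connect(self, src: str, dst: str) -> bytes:
        # Step 5007: plain connection request, external terminal -> internal terminal.
        self._require_authenticated(src, dst)
        return self._broker(src, dst)

    def connect_with_object(self, src: str, dst: str, obj: str) -> bytes:
        # Step 5102: connection request 80 naming obj as authenticated object 83.
        self._require_authenticated(src, dst, obj)
        self._require_path(src, obj)
        return self._broker(src, dst, obj)


def scenario() -> dict:
    # Runs the embodiment-2 sequence on constructed addresses and reports the outcome.
    ms = ManagementServer()
    ext = Terminal("ext-11", lambda s, o: True)
    internal = Terminal("int-15", lambda s, o: s == "ext-11")
    ap = Terminal("ap-14", lambda s, o: s == "int-15" and o == "ext-11")
    rogue = Terminal("int-99", lambda s, o: True)   # authenticated, but no path to ext-11
    for t in (ext, internal, ap, rogue):
        ms.register(t)
    ms.connect("ext-11", "int-15")                       # first path
    ms.connect_with_object("int-15", "ap-14", "ext-11")  # second path
    hop1 = ext.send("int-15", b"processing request from key input")   # step 5201
    hop2 = internal.send("ap-14", internal.recv("ext-11", hop1))      # step 5202
    at_ap = ap.recv("int-15", hop2)
    try:    # int-99 names ext-11 as authenticated object without holding a path to it
        ms.connect_with_object("int-99", "ap-14", "ext-11")
        rogue_refused = False
    except Refused:
        rogue_refused = True
    return {"at_ap": at_ap, "paths": len(ms.comm_table), "rogue_refused": rogue_refused}
```

Running scenario() returns the plaintext that reached the AP server after the internal terminal decrypted it with the first key and re-encrypted it with the second, the number of rows in the communication state table, and the refusal of the second internal terminal. Two caveats the text leaves implicit: the management server holds every key it distributes, so its storage unit is as sensitive as the paths themselves, and the toy cipher gives no integrity, whereas a deployment would use an authenticated cipher and derive per-direction keys so that traffic on the two paths cannot be confused.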
In the communication systems of the two embodiments above, each of the communication terminals (the external terminal 11, the internal terminal 15 and the AP server 14) need only authenticate once with the management server 12; on the basis of that result they can communicate with one another, and no separate application server-specific authentication such as an ID and password is needed. That is, because the management server 12 authenticates the external terminal 11, the internal terminal 15 and the AP server 14 centrally, the multiple authentications that were conventionally required when the external terminal 11 connected to the AP server 14 via the internal terminal 15 are no longer needed, and the management of authentication information is simplified.
The configuration of embodiment 1 does not include the communication state table 70, but in embodiment 1 too, by providing and referring to the communication state table 70, the management server 12 can associate the two established encrypted communication paths (external terminal 11 to internal terminal 15, and internal terminal 15 to AP server 14) with each other and so determine which three devices are carrying out related processing.
Further, in either embodiment, even when there are several external terminals 11, internal terminals 15 or AP servers 14 communicating with one another under encryption, the management server 12 can manage and keep track of these communication states by holding the authentication state table 60 and the communication state table 70.
A further feature is as follows. When the AP server 14 requires, for its authentication processing, strict PKI-based authentication using an IC card or the like held by the user, the configuration of embodiment 1 requires the IC card to be operated at the internal terminal 15, whereas in the present embodiment 2 this is unnecessary and the card can be operated at the external terminal that the user actually uses. That is, when the external terminal 11 connects to the AP server 14 via the internal terminal 15, the connection to the AP server 14 is made on the basis of the authentication result of the IC card held by the user operating the external terminal 11, so the connection to the AP server 14 is in effect made under that user's authority, which is more secure, and the user can connect to the AP server 14 from any of the external terminals located at the various sites, which improves convenience.
Embodiments 1 and 2 have illustrated communication in which a communication terminal is specified, but the user using a communication terminal may instead be specified as the communication counterpart. When the user of a communication terminal is to be specified as the counterpart, it suffices to configure the system as follows: the public key certificate and user ID held by the user are stored in advance on a removable storage medium 58, and the communication terminal detects that the storage medium 58 has been inserted into its reading device 57 and reads and stores the user's attributes. With this configuration, the communication terminal can determine which user is using it and can accept being specified as the communication counterpart. The system may further be configured so that when the user removes the removable storage medium 58 from the reading device 57, the communication terminal deletes the user's attributes.
When the user's attributes are stored in the communication terminal, the address registration process of Fig. 8 is carried out; when the user's attributes are deleted from the communication terminal, the process of Fig. 8 is carried out with "registration" replaced by "deletion". The management server 12 thereby manages the user ID together with the address of the communication terminal, so that when a connection request arrives from another communication terminal, the management server 12 can judge whether the user named as the destination is currently using a communication terminal and, if so, which one; connection processing for the user of the other communication terminal making the request is therefore simplified.
In either embodiment, the external terminal 11 can also use a plurality of AP servers 14 via the internal terminal 15. For example, several application programs that each access a different AP server may run on the internal terminal and be operated from the external terminal by sending input information such as keyboard input and receiving multi-window screen information.
In that case a single encrypted communication path between the external terminal and the internal terminal suffices, while there are several encrypted communication paths between the internal terminal and the AP servers. That is, it suffices to carry out steps 4001 to 4004 of Fig. 11 for each AP server, to carry out the processing from step 4009 onward in each application program running on the internal terminal, and to send the screen information output by the several application programs in step 4104 as a single screen.
Both embodiments have described a configuration in which the external terminal 11 remotely operates the internal terminal 15, that is, exchanges input information such as keyboard and mouse input and output information such as screen images, in order to receive the service provided by the AP server 14. The configuration is not limited to this: the external terminal 11 may instead issue processing request commands to the internal terminal 15 and receive processing result information (for example, the return value of a command representing the result) from the exchange between the internal terminal 15 and the AP server 14.
The internal terminal 15 has been described as a terminal that carries out encrypted communication path setup and address registration in advance. As an applied example, however, the management server 12 may carry out the encrypted communication path setup process with the internal terminal 15 only after the external terminal 11 has sent the management server 12 a connection request for an internal terminal 15 whose address has been registered.
In embodiments 1 and 2 the management server 12 sends setting information together with the encryption key, but it need only send the information required for the newly started encrypted communication; for example, where the algorithm and key length are predetermined, the setting information need not be sent.
Further, in embodiments 1 and 2 the communication between communication terminals is always encrypted, but where encryption is unnecessary it may be omitted. For example, since the communication between the internal terminal 15 and the AP server 14 is exchanged within the intra-organization network 16, it may be left unencrypted where there is no need for encryption. In that case the management server 12 sets, in the setting information it sends to each communication terminal, a message indicating "no encryption" as the information indicating the encryption algorithm.
The above embodiments 1 and 2 may also be combined as appropriate.

Claims (12)

1. A communication system comprising an internal communication terminal connected to an intra-organization network, an external communication terminal that accesses the internal communication terminal from outside the intra-organization network, and a management server that manages the internal communication terminal and the external communication terminal, characterized in that:
the communication terminal-to-management server encrypted communication paths comprise an internal communication terminal-to-management server encrypted communication path and an external communication terminal-to-management server encrypted communication path;
the internal communication terminal and the management server authenticate each other in advance and establish an encrypted communication path, namely the internal communication terminal-to-management server encrypted communication path;
the external communication terminal-to-management server encrypted communication path is established between the external communication terminal and the management server;
the external communication terminal sends the management server a connection request for the internal communication terminal;
the management server generates an encrypted communication key for encrypting the communication between the external communication terminal and the internal communication terminal, and uses the previously established internal communication terminal-to-management server encrypted communication path to send the connection request from the external communication terminal for the internal communication terminal, together with the generated encrypted communication key, to the internal communication terminal;
the internal communication terminal replies to the management server with its judgement of whether the connection request from the external communication terminal is permitted;
when the judgement result received from the internal communication terminal indicates that connection is permitted, the management server uses the previously established external communication terminal-to-management server encrypted communication path to send the generated encrypted communication key to the external communication terminal;
the external communication terminal and the internal communication terminal each use the encrypted communication key received from the management server to establish an encrypted communication path between the external communication terminal and the internal communication terminal, namely a first terminal-to-terminal encrypted communication path;
the external communication terminal, by way of the management server, carries out encrypted communication with the internal communication terminal;
the communication system is further configured such that an application server providing a service application is newly connected to the intra-organization network,
the external communication terminal uses the established first terminal-to-terminal encrypted communication path to send the internal communication terminal a connection request for the application server;
a second terminal-to-terminal encrypted communication path is established between the internal communication terminal and the application server;
the external communication terminal communicates with the application server via the internal communication terminal, using the encrypted communication path between the external communication terminal and the internal communication terminal and the encrypted communication path between the internal communication terminal and the application server.
2. The communication system according to claim 1, characterized in that:
a validation server that verifies certificates is further provided;
when the management server authenticates each communication terminal in establishing the communication terminal-to-management server encrypted communication path, it entrusts the verification of that communication terminal's certificate to the validation server;
the validation server replies to the management server with the result of the verification processing it has carried out on the certificate;
the management server judges the authentication of the communication terminal to be successful only when the verification result replied by the validation server is success.
3. The communication system according to claim 1, characterized in that:
in order to establish the second terminal-to-terminal encrypted communication path with the application server, the internal communication terminal sends the management server a connection request with authenticated-object information, which records information on the internal communication terminal as communication source terminal information, information on the application server as communication destination terminal information, and information on the external communication terminal as authenticated-object information;
on receiving the connection request with authenticated-object information, the management server confirms that it has authenticated the internal communication terminal as the communication source, the application server as the communication destination and the external communication terminal as the authenticated object, and that the first terminal-to-terminal encrypted communication path has been established between the internal communication terminal as the communication source and the external communication terminal as the authenticated object;
if the management server has made this confirmation, it generates an encrypted communication key for encrypting the communication between the internal communication terminal and the application server, and uses the previously established application server-to-management server encrypted communication path to send the generated encrypted communication key for encrypting the communication between the internal communication terminal and the application server, together with the connection request with authenticated-object information, to the application server;
the application server judges whether the connection request sent from the internal communication terminal on behalf of the external communication terminal is permitted, and replies to the management server with the judgement result;
when the judgement result received from the application server indicates that connection is permitted, the management server uses the previously established internal communication terminal-to-management server encrypted communication path to send the generated encrypted communication key for encrypting the communication between the internal communication terminal and the application server to the internal communication terminal, thereby establishing the second terminal-to-terminal encrypted communication path;
the external communication terminal communicates with the application server via the internal communication terminal, using the first terminal-to-terminal encrypted communication path and the second terminal-to-terminal encrypted communication path.
4. The communication system according to claim 3, characterized in that:
the management server manages an authentication state table in which the address information, authentication state and authentication time of the external communication terminal, the internal communication terminal and the application server are registered;
the management server registers in advance in the authentication state table the authentication results obtained when establishing the communication terminal-to-management server encrypted communication paths with the external communication terminal, the internal communication terminal and the application server;
when the management server receives the connection request with authenticated-object information from the internal communication terminal, it confirms whether successful authentication of the communication source terminal, the communication destination terminal and the authenticated-object terminal is registered in the authentication state table.
5. The communication system according to claim 3, characterized in that:
in the step in which the management server confirms that a communication terminal-to-communication terminal encrypted communication path has been established between the communication source terminal and the authenticated-object terminal recorded in the connection request with authenticated-object information received from the internal communication terminal,
the management server has a communication state table in which it registers and manages the communication source address information, the communication destination address information and the communication start time of the established first terminal-to-terminal encrypted communication path and of the second terminal-to-terminal encrypted communication path;
when the management server receives the connection request with authenticated-object information from the internal communication terminal, it confirms, by referring to the communication state table, whether the first terminal-to-terminal encrypted communication path has been established between the internal communication terminal and the external communication terminal as the authenticated object.
6. A communication system comprising an internal communication terminal connected to a network within an organization, an external communication terminal outside the organization network, a management server that manages the internal communication terminal and the external communication terminal, and an application server that provides a service accessed by the internal communication terminal, characterized in that
the management server establishes a first terminal-to-terminal encrypted communication path by generating an encryption key and sending it to the external communication terminal and the internal communication terminal, the encryption key being used by the external communication terminal and the internal communication terminal to perform encrypted communication without going through the management server;
the external communication terminal uses the first terminal-to-terminal encrypted communication path to send to the internal communication terminal control information requesting the start of processing by the application server;
the internal communication terminal, in accordance with the start control information received from the external communication terminal, sends a connection request for the application server to the management server;
the management server:
establishes a second terminal-to-terminal encrypted communication path by generating an encryption key and sending it to the internal communication terminal and the application server, the encryption key being used by the internal communication terminal and the application server to perform encrypted communication without going through the management server;
in reply to the start control information received from the external communication terminal, notifies the external communication terminal that the second terminal-to-terminal encrypted communication path has been established;
the external communication terminal, in reply to that notification, sends to the internal communication terminal control information for requesting processing by the application server;
the internal communication terminal, in accordance with the processing control information received from the external communication terminal, requests the processing from the application server using the second terminal-to-terminal encrypted communication path,
receives the result of the requested processing from the application server, and
uses the first terminal-to-terminal encrypted communication path to send to the external communication terminal processing result information based on that result.
7. The communication system according to claim 6, characterized in that
the processing control information is operation information input from the external communication terminal for operating the internal communication terminal;
the processing result information is screen display information generated by the internal communication terminal for displaying the result from the application server on the display screen of the external communication terminal.
8. The communication system according to claim 6, characterized in that
the processing control information is a processing request command issued by the external communication terminal to the internal communication terminal;
the processing result information is the return value of that command, representing the result of the processing request command at the application server.
9. The communication system according to claim 6, characterized in that
the internal communication terminal, when sending the connection request for the application server, sends a connection request with authenticated-object information, which indicates that the external communication terminal has been authenticated and that the first terminal-to-terminal encrypted communication path has been established between it and the internal communication terminal.
10. The communication system according to claim 7, characterized in that
the management server, when generating the encryption keys used to establish the first terminal-to-terminal encrypted communication path and the second terminal-to-terminal encrypted communication path respectively,
authenticates the external communication terminal, the internal communication terminal and the application server respectively,
and manages the authentication results.
11. The communication system according to claim 6, characterized in that
the management server authenticates the user of the external communication terminal when authenticating the external communication terminal.
12. The communication system according to claim 6, characterized in that
the management server associates the communication status of the first terminal-to-terminal encrypted communication path with the communication status of the second terminal-to-terminal encrypted communication path and manages them together.
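As an added illustration of the mediation logic in claims 4, 5, 6 and 12 (example code written for this page, not code from the patent or from Hitachi), the following Python models the management server's authentication state table, its communication status table, and the check it performs on the internal terminal's request before opening the second path. The class, method and terminal names are assumptions, and key delivery to the terminals and the encryption itself are left out.

```python
import secrets
import time


class ManagementServer:
    """Mediator of claims 4-6: authenticates terminals, hands out per-path
    keys, and checks an internal terminal's request on behalf of an
    external one before opening the second path (assumed model)."""

    def __init__(self):
        self.auth_state = {}    # terminal id -> authenticated? (claim 4 table)
        self.comm_status = {}   # (src, dst) -> path record (claim 5 table)

    def authenticate(self, terminal, credential_ok):
        # Stand-in for the validation-server check done over the
        # terminal-management server path; the result is stored ahead of
        # any terminal-to-terminal request.
        self.auth_state[terminal] = bool(credential_ok)
        return self.auth_state[terminal]

    def establish_path(self, src, dst, linked_to=None):
        # Claim 6: a fresh key is generated and (in the patent) delivered to
        # both ends over their existing server paths; they then talk directly.
        if not (self.auth_state.get(src) and self.auth_state.get(dst)):
            raise PermissionError(f"{src} or {dst} is not authenticated")
        key = secrets.token_bytes(32)
        self.comm_status[(src, dst)] = {"key": key, "start": time.time(),
                                        "linked_to": linked_to}  # claim 12
        return key

    def path_between(self, a, b):
        return self.comm_status.get((a, b)) or self.comm_status.get((b, a))

    def connection_request(self, src, dst, authenticated_object):
        """Claims 4-5: 'src' (internal terminal) asks for 'dst' (application
        server) on behalf of 'authenticated_object' (external terminal).
        Returns the second-path key, or None if the request is refused."""
        for t in (src, dst, authenticated_object):
            if not self.auth_state.get(t):
                return None          # claim 4: all three must be authenticated
        if self.path_between(src, authenticated_object) is None:
            return None              # claim 5: first path must already exist
        return self.establish_path(src, dst, linked_to=(src, authenticated_object))


if __name__ == "__main__":
    ms = ManagementServer()
    for t in ("ext", "int", "app"):       # constructed terminal ids
        ms.authenticate(t, True)
    print(ms.connection_request("int", "app", "ext"))  # None: no first path yet
    ms.establish_path("ext", "int")
    print(ms.connection_request("int", "app", "ext") is not None)  # True
```

The refusal cases are the point: a relay request is rejected when the external terminal was never authenticated or when no first path is on record for it, which is what keeps the internal terminal from being used as an open proxy to the application server.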
CNB200610085029XA 2005-05-20 2006-05-22 System and method for encrypted communication Expired - Fee Related CN100502316C (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP147488/2005 2005-05-20
JP2005147488 2005-05-20
JP096410/2006 2006-03-31

Publications (2)

Publication Number Publication Date
CN1866876A CN1866876A (en) 2006-11-22
CN100502316C true CN100502316C (en) 2009-06-17

Family

ID=37425766

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB200610085029XA Expired - Fee Related CN100502316C (en) 2005-05-20 2006-05-22 System and method for encrypted communication

Country Status (1)

Country Link
CN (1) CN100502316C (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8296450B2 (en) * 2006-03-21 2012-10-23 Fortinet, Inc. Delegated network management system and method of using the same
CN103220257B (en) * 2012-01-19 2016-01-06 中国石油天然气集团公司 A kind of method of compunication, network host and system
CN110995564B (en) * 2019-12-31 2021-11-12 北京天融信网络安全技术有限公司 Message transmission method, device and secure network system

Also Published As

Publication number Publication date
CN1866876A (en) 2006-11-22


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090617

Termination date: 20150522

EXPY Termination of patent right or utility model