JP2002208921A - Vpn data communication method and private network construction system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a VPN construction system which can construct a VPN without restriction by an IP address and access to a VPN server. SOLUTION: In a portable data transmission device 300, a coding key used for coding treatment by a VPN client 200, a decoding key specific information for specifying a decoding key for decoding data coded by the VPN client 200, if received by a VPN server 100, and VPN transmission base data including an IP address of a VPN server are stored. The VPN client 200 reads transmission foundation data and stores it in a memory when the data transmission device 300 is connected. Thereby, transmission base data is not transferred on internet and data transmission is possible while keeping privacy.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

TECHNICAL FIELD The present invention relates to a VPN,
In particular, a VPN that does not depend on the IP address of a computer
Regarding client computers.

[0002]

2. Description of the Related Art At present, a virtual private network (hereinafter abbreviated as VPN) is receiving attention. This is a technology for building a highly confidential network on an individual basis even via a network. This will be briefly described with reference to FIG.

A company's accounting server computer 500
Is connected to the VPN server computer 50 via the in-house LAN.
3 are connected. A VPN client program is installed on the terminal computer 603 of Company B. Both the VPN server computer 503 and the terminal computer 603 have V for forming a VPN.
PN data is stored. The operator of the terminal is a VPN
The client program is executed, and an instruction to construct a VPN is given to the terminal computer 603 with the VPN server computer 503. Terminal computer 603
Receives such an instruction and communicates with the VPN server computer 503 using the stored VPN data.
Build a network virtually. Specifically, the exchange of data between the terminal 503 and the accounting server computer 500 is executed after being encrypted using the encryption processing data included in the VPN data. Thus, the data transmission between the pre-registered computers is V
By performing the transmission via the PN server computer, highly confidential transmission at the individual level is possible even via a network.

[0004]

However, VPNs
Has the following problems. For example, when the operator of the terminal computer 603 causes highly confidential data transmission between another computer and the accounting processing server computer 500 for a business trip, the computer and the accounting processing server computer 50 must be configured in advance.
The VPN data must be stored at 0.

To solve such a problem, Japanese Patent Laid-Open Publication No.
As disclosed in Japanese Patent Application Laid-Open No. 0-59357, an IC card in which an ID and a password are recorded for each user is issued, a management server computer is accessed using the ID and the password, and a public key and a public key used in a VPN server computer are used. Get own secret key, VP
It is also conceivable to construct a VPN by acquiring N information.
However, in this case, when constructing a VPN, the user's own private key is transferred over the network, and thus there is a possibility that the user's own private key may be obtained by a third party. In particular, when an open network called the Internet is interposed as a network, leakage of information to a third party becomes a problem.

Further, it is necessary to access the management server computer every time a VPN is constructed, and if the management server computer is congested, it takes time to construct the VPN.

According to the present invention, it is possible to construct a virtual private network using a network in which the flexibility of a computer which is a target of the virtual private network is improved while maintaining the confidentiality of the construction information of the virtual private network. The purpose is to provide a private network construction system. It is another object of the present invention to provide a virtual private network construction system capable of easily constructing a virtual private network.

[0008]

Means for Solving the Problems and Effects of the Invention 1) In the VPN data communication method according to the present invention, A) V
A method of constructing a VPN via a network between a PN server computer and a VPN client computer for data communication, wherein B) data transmission between the VPN client computer and the portable computer is possible. The device includes VPN transmission basic data used by the VPN client computer for VPN transmission with the VPN server computer, and at least 1) V
VPN encryption key used for encryption processing at the PN client computer or V identifying the VPN encryption key
PN encryption key specifying information, 2) VP for specifying a VPN decryption key used for decryption processing by the VPN server computer
N) decryption key specifying information and 3) VPN transmission basic data including an IP address of a VPN server computer are stored, and C) the data transmission device is connected to a VPN client computer which desires to construct a VPN, and D) the data. The VPN transmission basic data is read from a transmission device, and a VP is communicated with the VPN server computer.
N, when there is a data transmission request to the VPN server computer, the data to be transmitted is encrypted using the VPN encryption key, and the data is transmitted to the IP address of the VPN server computer together with the VPN decryption key specifying information. E) the VPN server computer identifies a key for decrypting the encrypted data based on the VPN decryption key identification information, and performs a decryption process.

As described above, the VPN transmission basic data is stored in the portable data transmission device, and the VPN transmission basic data is connected to the VPN client computer which desires to construct the VPN.
By constructing a PN, a VPN can be constructed even by a VPN client computer that does not previously store VPN transmission basic data. Further, since the encryption key is stored in the data transmission device, there is no problem of security deterioration due to the encryption key used in the VPN client computer being transferred on the network. Also, VPN decryption key specifying information and VP
Since the IP address of the N server computer is stored, a VPN can be constructed without accessing the VPN server computer.

2) The virtual private network system according to the present invention comprises: A) a virtual private network server computer; B) a virtual private network client computer connected to the virtual private network server computer via a network; The virtual private network server computer and the virtual private network client computer store a decryption key for receiving and decrypting the encrypted data with each other, and transmit the data to the virtual private network construction system. And D) virtual private network transmission basic data used when the virtual private network client computer establishes a virtual private network with the virtual private network server computer, wherein the portable data transmission device includes at least d1)
A virtual private network encryption key or virtual private network encryption key specifying information for specifying a virtual private network encryption key used for encryption processing by a virtual private network client computer, d2) a virtual private network server used for decryption processing Virtual private network decryption key identification information identifying the private network decryption key, and d
3) The virtual private network transmission basic data including the computer specific data of the virtual private network server computer is stored, and E) the virtual private network client computer comprises:
When the data transmission device is connected, the virtual private network transmission basic data is read and a virtual private network is constructed with the virtual private network server computer.

As described above, by storing virtual private network transmission basic data in a portable data transmission device and connecting to a virtual private network client computer that desires to construct a virtual private network, a virtual private network is constructed. In addition, a virtual private network client computer that does not previously store virtual private network transmission basic data can construct a virtual private network. Further, since the encryption key is stored in the data transmission device, there is no problem of security deterioration due to the transfer of the encryption key over the network.
Further, since the virtual private network decryption key specifying information and the computer specifying data of the virtual private network server computer are stored, the virtual private network can be constructed without accessing the virtual private network server.

3) The virtual private network system according to the present invention comprises: A) a virtual private network server computer; B) a virtual private network client computer connected to the virtual private network server computer via a network; The virtual private network server computer and the virtual private network client computer store a decryption key for receiving and decrypting the encrypted data with each other, and transmit the data to the virtual private network construction system. And D) virtual private network transmission basic data used when the virtual private network client computer establishes a virtual private network with the virtual private network server computer, wherein the portable data transmission device includes at least d1)
Virtual private network encryption / decryption key specifying information for specifying a virtual private network encryption key and a virtual private network decryption key used for encrypted data transmission between the virtual private network client computer and the virtual private network server computer, and d2) virtual The virtual private network transmission basic data including the computer specific data of the private network server computer is stored. E) The virtual private network client computer transmits the virtual private network transmission basic data when the data transmission device is connected. A virtual private network is constructed by reading and specifying a virtual private network encryption key and a virtual private network decryption key used for encrypted data transmission with the virtual private network server computer.

As described above, the virtual private network transmission basic data is stored in the portable data transmission equipment, and connected to the virtual private network client computer that desires to construct the virtual private network, thereby constructing the virtual private network. In addition, a virtual private network client computer that does not previously store virtual private network transmission basic data can construct a virtual private network. Further, since the data transmission device stores the specific information for specifying the encryption key, there is no problem of security deterioration due to the transfer of the encryption key over the network.

4) In the virtual private network system according to the present invention, when there is a data transmission request to the virtual private network server computer, the virtual private network client computer transmits the transmission target data to the virtual private network encryption key. The data is transferred to the virtual private network server together with the virtual private network decryption key specifying information,
The virtual private network server computer identifies a key for decrypting the encrypted data based on the virtual private network decryption key identification information, and performs a decryption process. As a result, data communication using VPN becomes possible.

5) The virtual private network client computer according to the present invention includes: A) a virtual private network client computer connected to the virtual private network server computer via a network, wherein the virtual private network client computer is connected to the virtual private network server computer. A virtual private network client computer that stores a decryption key capable of decrypting the received encrypted data and transmits data, and B) the virtual private network client computer is provided in a portable data transmission device. Virtual private network transmission basic data used when constructing a virtual private network with the virtual private network server computer, at least b1) a virtual private network encryption key or a virtual private network specifying a virtual private network encryption key. Encryption key identification information, b2) virtual private network decryption key identification information, and b3) virtual private network The virtual private network transmission basic data including the computer specific data of the network server computer is stored. C) The virtual private network client computer reads the virtual private network transmission basic data when the data transmission device is connected. To construct a virtual private network with the virtual private network server computer.

As described above, the virtual private network transmission basic data is stored in the portable data transmission device, and connected to the virtual private network client computer for which the virtual private network is desired to be constructed, thereby constructing the virtual private network. In addition, a virtual private network client computer that does not previously store virtual private network transmission basic data can construct a virtual private network. Further, since the encryption key is stored in the data transmission device, there is no problem of security deterioration due to the transfer of the encryption key over the network.
Further, since the virtual private network decryption key specifying information and the computer specifying data of the virtual private network server computer are stored, the virtual private network can be constructed without accessing the virtual private network server.

7) In the VPN communication system according to the present invention, a VPN client function is provided inside the client computer or between the client computer and the network in communication between the client computer and a specific server computer or a specific LAN. A VPN communication system that deploys a VPN server function inside the specific server or between a specific server or a specific LAN and a network, and encrypts and transfers data transferred between the VPN client and the VPN server function. Wherein A) the network is a public network such as the Internet or a LAN, and B) a VPN client function comprises a portable data transmission device and a driver program for operating the data transmission device.
C) The driver program for the VPN client function is
When the data transmission device is connected to a client computer for VPN communication, the data transmission device
The PN transmission basic data is read out to the client computer so as to be operable, and D) the portable data transmission equipment is provided with VPN transmission basic data as d1) VPN.
Client identification information, d2) encryption key information necessary for encryption / decryption processing, d3) an IP address indicating a VPN server function, d4) an IP address indicating the specific server or an IP subnet address indicating a specific LAN. ) V
The PN server function incorporates VPN server identification information, all VPN client identification information for encrypted communication, and encryption key information necessary for encryption / decryption processing.
When the client computer transmits data to a specific server computer or a specific LAN, the client computer communicates with each other between the VPN server functions.
A VPN is established by exchanging PN transmission basic data, data to be transmitted is encrypted using the VPN transmission basic data, and data is transferred to an IP address indicating the VPN server function. G) The VPN server function ,
Based on VPN transmission basic data for communicating with the VPN client function, decrypt the encrypted data using an encryption key for decrypting the data, and then transfer the data to the specific server computer or a specific LAN. .

As described above, the VPN transmission basic data is stored in the portable data transmission device, and the VPN is constructed by connecting to the client computer desiring the VPN construction.
There is no problem of security degradation due to the transfer of the encryption key required for communication over the network. In addition, since VPN transmission basic data is carried, V
There is no need to access the VPN server function from the PN client function, and the processing load of the VPN server function can be reduced.

8) In the virtual private network system according to the present invention, the data transmission device stores a program for a virtual private network client computer,
The virtual private network client computer reads the program and executes construction of the virtual private network. Therefore, even a computer in which a program for the virtual private network client computer is not recorded can function as a virtual private network client computer only by connecting the data transmission device.

9) In the recording medium according to the present invention,
A virtual private network client that stores a decryption key for receiving and decrypting encrypted data between a computer and a virtual private network server computer connected via a network, and transmits the data. A recording medium recording a program for causing the computer to function as a computer, wherein the computer is configured such that, when a recording medium recording the program is connected, the virtual private network client computer communicates with the virtual private network server computer. Virtual private network transmission basic data used when constructing a virtual private network, at least 1) a virtual private network encryption key or virtual private network encryption key specifying information used for encryption processing at a virtual private network client computer, 2) Specify the virtual private network decryption key to be used for decryption processing by the virtual private network server. Virtual private network decryption key identification information, and 3) virtual private network transmission basic data including the computer identification data of the virtual private network server computer, are read out from the recording medium, and read from the virtual private network server computer. Build a private net. Therefore,
Even if the computer does not have the virtual private network transmission basic data, a virtual private network can be constructed by connecting the data transmission device.

10) In the recording medium according to the present invention, a program for a virtual private network client computer is recorded, and the virtual private network client computer reads the program and executes construction of the virtual private network. I do. Therefore, even a computer in which a program for the virtual private network client computer is not recorded can function as a virtual private network client computer only by connecting the data transmission device.

11) In the recording medium according to the present invention, the recording medium includes a virtual private network-related data storage section in which a program for a virtual private network client computer and virtual private network transmission basic data are recorded; A read program recording unit in which a read program for reading network-related data is recorded,
The virtual private network related data storage unit is recorded with a data structure different from the file system of the client computer. When the user identification information is given, the readout program checks the collation state with collation information stored in advance, and in the case of collation, a program for a virtual private network client computer and virtual private network transmission basic data And executes the construction of the virtual private network. In this way, the virtual private network transmission basic data is recorded in a data structure different from the file system of the computer, and the virtual private network transmission basic data and the program for the virtual private network client computer are stored via the readout program. By reading the information, it is possible to prevent the virtual private network transmission basic data and its program from being stolen. In particular,
When a program for a virtual private network client computer is recorded on the recording medium, confidentiality can be further enhanced by making such a program not directly readable.

11) In the method for constructing a virtual private network according to the present invention, a recording medium on which data is recorded is connected to a computer, so that an operating system program of the computer is stored on the virtual medium recorded on the recording medium. A method for starting a private network construction program, reading virtual private network construction data recorded on the recording medium by the virtual private network construction program, and constructing a virtual private network with the virtual private network server computer. The virtual private network construction data is stored in a hidden data area from which data cannot be read only by the operating system program, and when the virtual private network construction program is given user identification information, Check the collation status with the stored collation information If the match, the reads a virtual private network configuration data from the hidden data area, a program for constructing the virtual private network. In this way, the virtual private network construction data is stored in a hidden data area from which data cannot be read only by the operating system program, and the virtual private network construction program reads the virtual private network construction data. In addition, it is possible to prevent the virtual private network construction data from being stolen. In particular, when a program for a virtual private network client computer is recorded on the recording medium, the confidentiality can be further improved by making such a direct reading impossible.

12) In a computer-readable recording medium on which a program according to the present invention is recorded, a virtual private network client which has constructed a virtual private network between a computer and a virtual private network server computer connected via a network. A recording medium recording a program for functioning as a computer, wherein the recording medium has 1) the virtual private network construction data recorded in a hidden data area from which data cannot be read only by the operating system program. 2) When the user identification information is given, the collation state with the collation information stored in advance is checked, and in the case of collation, the virtual private network construction data is read from the hidden data area, The program for constructing a virtual private network is the operating system The program is recorded in an area where the data format of the recorded data can be separated. In this way, the virtual private network construction data is stored in a hidden data area from which data cannot be read only by the operating system program, and the virtual private network construction program reads the virtual private network construction data. In addition, it is possible to prevent the virtual private network construction data from being stolen. In particular, when a virtual private network construction program is recorded on the recording medium and a virtual private network can be constructed as long as the recording medium is available, the direct readability is reduced to further enhance confidentiality. be able to.

The communication from the VPN server function to the VPN client function may be performed in the reverse procedure.

In this embodiment, as the virtual private network decryption key specifying information, the VPN server identifier and the VPN
The client identifier was used. Thereby, one VP
A plurality of VPN server identifiers can be set for N servers. However, as the virtual private network decryption key specifying information, any information may be used as long as it can specify which of the decryption keys stored in the VPN server should be used for decryption. , A decryption key number or the like. In this case, the VPN server identifier becomes unnecessary.

If the VPN encryption system is determined to be one system, there is no need to store it in the VPN transmission basic data.

The "reading program" corresponds to the starting program 411a in the embodiment. The “user identification information” corresponds to an ID and a password in the embodiment. The “virtual private network related data storage unit” and the “read program recording unit” correspond to the area 412 and the area 411, respectively. The “hidden data area” corresponds to the area 412 in the embodiment.

[0029]

BEST MODE FOR CARRYING OUT THE INVENTION Outline and description of functional block An embodiment of the present invention will be described with reference to the drawings. The virtual private network data transmission system shown in FIG. 1 includes a VPN server computer (hereinafter abbreviated as a VPN server) 100,
It comprises a client computer (hereinafter abbreviated as VPN client) 200 and a data transmission device 300.

The VPN server 100 is connected to a web server computer 110 via a LAN. The VPN client 200 is connected to the VPN server 100 via a network such as the Internet. A data transmission device 300 is connected to the VPN client 200.

Detailed functional blocks of the main part of the present system will be described with reference to FIG.

The data transmission device 300 includes a transmission / reception unit 1
1. determination means 12, VPN transmission basic data storage means 10
It has.

The VPN transmission basic data storage means 10 stores the V
PN transmission basic data is stored. The VPN transmission basic data includes at least 1) a VPN encryption key used for encryption processing in the VPN client 200, and 2) data encrypted by the VPN client 200 as the VPN server 1
When 00 is received, V used to decode it
VPN decryption key specifying information for specifying a PN decryption key,
And 3) contains the IP address of the VPN server.

The VPN client 200 includes a connection state control unit 6, a read data storage unit 4, a notification unit 7, and an input unit 8. When the data transmission device 300 is connected, the VPN client 200 operates as follows. The VPN transmission basic data stored in the transmission basic data storage means 10 is read and stored in the read data storage means 4.

The connection state control means 6 includes the data transmission equipment 3
When 00 is connected, this is detected, and the notification means 7 notifies the operator that the operator ID and password can be input. The operator inputs an operator ID and a password from the input unit 8. The connection state control unit 6 transmits the input operator ID and password to the transmission / reception unit 11 of the data transmission device 300. The transmission / reception unit 11 gives the operator ID and the password to the determination unit 12. The determining means determines whether or not the given operator ID and password match, and when they match, sends a matching determination signal to the transmitting / receiving means 11. Note that the determining means may determine that the operator is a valid user of the data transmission device instead of the ID and the password. Fingerprint,
Discrimination using a voiceprint or the like can be adopted.

The transmission / reception means 11 receives the coincidence determination signal and transmits a read permission signal for VPN transmission basic data to the connection state control means 6. When receiving the read permission signal, the connection state control means 6 outputs a VPN transmission basic data acquisition request to the transmission / reception means 11. The transmission / reception means 11 reads out the VPN transmission basic data from the VPN transmission basic data storage means 10 and outputs it to the connection state control means 6. The connection state control means 6 reads out the given VPN transmission basic data and stores it in the data storage means 4.

By writing to the read data storage means 4, data transmission can be performed between the VPN server 100 and the VPN server 100 via a network while maintaining confidentiality of data to be transmitted. In this specification, such a state is referred to as a VPN established.

The data transmission will be described. Upon receiving the data to be subjected to the encryption processing from the processing means 2, the encryption means 3 uses the VPN encryption key used for the encryption processing in the VPN client 200 among the VPN transmission basic data stored in the read data storage means 4. And encrypt the VP
The data encrypted by the N client 200 is
When it is received by the PN server 100, it is transferred to the IP address of the VPN server 100 together with VPN decryption key specifying information for specifying a VPN decryption key to be used for decrypting it.

The VPN server 100 includes a decryption unit 15,
It comprises a VPN transmission basic data storage means 14 and an encryption means 13. The decryption means 15 is a VPN transmission basic data storage means 14 based on the VPN decryption key specifying information.
A key to be used for decryption processing is specified from the plurality of decryption keys stored in the VPN client 200, and data encrypted by the VPN client 200 is decrypted and output to another computer.

The VPN transmission basic data storage means 14 stores the V
When the VPN client 200 receives the VPN encryption key used for the encryption processing in the PN server 100 and the data encrypted by the VPN server 100,
It stores VPN transmission basic data including VPN decryption key specifying information for specifying a VPN decryption key to be used when decrypting it. The encryption unit 13 encrypts data given from another computer using the encryption key stored in the VPN transmission basic data storage unit 14,
The transmission data is transferred to the IP address of the computer that has received the transmission data (in this case, the IP address of the VPN client 200), together with the VPN decryption key specifying information stored in the N transmission basic data storage unit 14.

Decryption means 5 of VPN client 200
Specifies the key to be used for the decryption processing among the decryption keys stored in the read data storage unit 4 based on the VPN decryption key identification information received from the VPN server 100, and transmits the data encrypted by the VPN server 100. The data is decrypted and output to the processing means 2.

In the above example, the VPN client 2
The case of data transmission from 00 has been described.
Data transmission from the N server 100 is also possible.
Since the processing in this case is the same, the description is omitted.

Note that the IP address of the VPN client is, for example,
It can be acquired when data is transmitted to the PN server 100.

Also, by storing the IP address of the VPN client in advance in the VPN transmission basic data storage means of the VPN server,
N transmission is also possible.

When the range of computers selected by the user as the VPN client is determined, a plurality of VPN client IP address candidates may be stored in the VPN server. In this case, VP
It is also possible to construct a VPN from N servers.

Further, in the above-described embodiment, the case has been described in which the VPN transmission basic data includes the VPN encryption key, the VPN decryption key specifying information, and the IP address of the VPN server. It may be VPN encryption key specifying information for specifying a VPN encryption key. In this case, a program for specifying the VPN encryption key is stored, and the VPN encryption key is stored.
VP alone or in conjunction with a VPN server
N encryption keys may be determined (generated).

Further, at least VPN key specifying information and the IP address of the opposite VPN server are stored as VPN transmission basic data of the VPN client,
VPN encryption key and VPN in cooperation with VPN server
The decryption key may be determined. Note that VPN
At least VP as the VPN transmission basic data of the server
N key identification information and I of the opposite VPN client
The P address may be stored, and the VPN encryption key and the VPN decryption key may be determined in cooperation with the VPN client.

For generating the VPN encryption key and the VPN decryption key, for example, IKE (internet key exchange) of the standard key exchange system of IPSEC may be used.

As described above, the VP which enables highly confidential data transmission even through a non-closed network
N is in the construction state.

2. Hardware Configuration The hardware configuration of the VPN server 100 shown in FIG. 2 will be described with reference to FIG. FIG. 3 shows the VPN server 10
0 is an example of a hardware configuration using a CPU. In the following, IPsec is used as the VPN standard protocol.
A case where a manual key method, which is one of the key exchange methods of c (Security Architect for Internet Protocol), will be described.

The VPN server 100 includes a CPU 23, a memory 27, a hard disk 26, a CRT 30, and a CDD (C
DROM drive) 25, keyboard 28, mouse 3
1, a network management unit 32 and a bus line 29. The CPU 23 controls each unit via the bus line 29 according to a program stored in the hard disk 26. As the operating system, for example, Windows NT (trademark) or the like may be adopted.

The hard disk 26 has an operating program (OS) 26o, a VPN server program 26p, and a VPN data storage section 26d.

These programs are read from the CD ROM 25a in which the programs are stored via the CDD 25 and installed on the hard disk 26. In addition to the CDROM, a program such as a flexible disk (FD) or an IC card may be installed on a hard disk from a computer-readable recording medium. Furthermore, you may make it download using a communication line.

In this embodiment, the program is stored on a CD.
By installing the program from the ROM to the hard disk 26, the program stored in the CD ROM is indirectly executed by the computer. But,
Without being limited to this, the program stored in the CDROM may be directly executed from the CDD 25. Note that, as a program executable by a computer, not only a program that can be directly executed by simply installing it as it is, but also a program that needs to be temporarily converted into another form (for example, decompresses a data-compressed program) Etc.), and also includes those which can be executed in combination with other module parts.

The data structure of the VPN data storage unit 26d will be described with reference to FIG. VPN data storage unit 2
6d includes a VPN client identifier, a VPN server identifier, a VPN encryption method, a VPN decryption key, and V
A PN encryption key is stored.

The VPN client identifier and the VPN server identifier are used to determine which data should be used for decrypting data transmitted after being encrypted between the VPN server and the VPN client.
N decryption key identification information. Details will be described later. VP
The N decryption key is a key for decrypting data encrypted by the VPN client by the VPN server. The VPN encryption method is data indicating an encryption method to be encrypted in a VPN client and a VPN server. The VPN encryption key is an encryption key for transmitting to the VPN client.

For example, the VPN client identifier "A
C101 ", VPN server identifier" AS105 ", VP
N encryption method “xxx1”, VPN decryption key “595”
xxx5 "and the VPN encryption key" 325yyy7 ", the VPN client identifier" AC101 "
The data transmitted to the PN server identifier “AS105” is converted to the VP using the VPN decryption key “595xxx5”.
It is decrypted by the N encryption method “xxx1”. Also, VP
The data transmitted from the VPN server identifier “AS105” to the N client identifier “AC101”
It is encrypted by the VPN encryption method “xxx1” using the encryption key “325yyy7”.

As described above, the VPN server 100 stores the V
A plurality of pieces of data for specifying a VPN transmission method with the PN client are stored.

The network management section 32 can transmit and receive data on the trust side (internal LAN side) and data on the untrust side (internet side) separately.

The VPN program 26p will be described later.

The hardware configuration of the VPN client 200 shown in FIG. 2 will be described with reference to FIG. VPN
The client 200 has almost the same hardware configuration as the VPN server 100, but further has a USBIF 133.
have. The USBIF 133 is a USB (universal)
serial bus) interface. Also, the data stored in the hard disk 126 is different,
It has a PN client program 126s and an application program 126a.

Each program will be described later.

The hardware configuration of the data transmission device 300 shown in FIG. 2 will be described with reference to FIG. The data transmission device 300 includes a CPU 223, a ROM 225, a flash memory 227, a password determination unit 233, a USBIF
232 and a bus line 229. In the present embodiment, by inserting a USB plug into a USB terminal (not shown) provided in the VPN client 200 as the data transmission device 300, data internally contained can be transmitted to and from the VPN client 200. USB equipment (USB key) was adopted. ROM 225
Records a control program for controlling communication with the outside and each unit. In the flash memory 227, VP
An N data storage area 228 is provided. The VPN data storage area 228 will be described with reference to FIG. VPN
The data storage area 228 stores a user ID, a password,
The expiration date, the IP address of the VPN server, the IP address of the destination server, the VPN encryption method, the VPN encryption key, the VPN decryption key, the VPN client identifier, and the VPN server identifier are stored. The destination server indicates, for example, a web server.

The user ID and the password are data for determining that the user is permitted to use the data transmission device 300. The expiration date is
This represents a period in which the data transmission device 300 can be used. V
The IP address of the PN server is a transfer destination of the data encrypted by the VPN encryption method and the VPN encryption key, and the IP address of the destination server indicates a transfer destination of the data decrypted by the VPN server. The VPN decryption key is a key for decrypting the encrypted data provided from the VPN server. The VPN client identifier and the VPN server identifier are identifiers of two computers relatively determined with the VPN server. This is the same as the VPN server.

The password judgment unit 233 determines whether the given ID
The hardware logic determines whether or not the password and the password match the ID and the password stored in advance, and outputs a match determination signal if they match, and outputs a mismatch determination signal if they do not match.

3. Flowchart Hereinafter, as described above, a case will be described in which a manual key method, which is one of the key exchange methods of IPSec, is adopted as a standard protocol of VPN.

The VPN server 10 will be described with reference to FIGS.
The data transmission process using VPN in the VPN client 200 will be described. In the following, data output based on the application program 26a shown in FIG. 5 is transmitted to the VPN server 100 while being encrypted, and is decrypted by the web server 110 connected to the VPN server 100 shown in FIG. A case in which the data is transferred as described above will be described as an example.

First, the construction process of the VPN will be described with reference to FIG. Between the data transmission device 300 and the VPN client 200, VPN basic data is read out and written into the memory 127 as follows.

First, the user sets the data transmission device 300 to V
It is inserted into the USB terminal of the PN client 200. VP
The N client 200 detects whether or not the data transmission device 300 is inserted into its own USB terminal (not shown) based on the OS 126o.
It judges whether it is within the expiration date, and if it is within the expiration date, displays a user ID and password input screen in order to judge whether the user is a user who is permitted to use the data transmission device 300. (Step S1 in FIG. 8). The user inputs a user ID and a password from the keyboard 128.

The CPU 123 determines whether or not a user ID and a password have been input (step S).
3) When the user ID and password are input, the user ID and password input to the data transmission device 300 are transmitted via the USBIF 132 (step S5).

The CPU 223 of the data transmission device 300
It is determined whether or not to receive a user ID and a password via the USBIF 232 (step S21). When such data is received, the received user ID and password are given to the password determination unit 233 (see FIG. 6) (step S23). ). As described above, the password determination unit 233 outputs a match signal when the input user ID and password match the previously recorded user ID and password, and outputs a match signal when the user ID and password do not match. Outputs a mismatch signal. The CPU 223
It is determined whether or not a match signal is provided from the password determination unit 233 (step S25). When the match signal is provided, the match signal is transmitted to the VPN client 200 via the USB IF 232 (step S27).

The CPU 123 of the VPN client 200
Determines whether or not to receive a match signal via the USBIF 132 (step S7), and upon receiving the match signal, issues a request command to acquire the VPN transmission basic data stored in the data transmission device 300 to the USBIF 132 (Step S)
9).

The CPU 223 of the data transmission device 300
It is determined whether or not the request command is given via the USBIF 232 (step S31). When the request command is given, the data stored in the VPN data storage area is sent to the VPN client 200 via the USBIF 232. It transmits (step S33).

The CPU 123 of the VPN client 200
Determines whether there is a response (step S1).
1) When there is a response, the received VPN transmission basic data is written into the memory 127 (step S13).

The memory 12 for such VPN transmission basic data
By writing to 7, a state in which transmission using a VPN is possible as described later becomes possible. In the present specification, this is referred to as VP
Call N built.

When receiving the mismatch signal in step S25, the CPU 223 transmits the mismatch signal to the VPN client 200 via the USBIF 232 (step S35). CPU 12 of client 200
3 receives the mismatch signal in step S7, for example,
An alarm message "User ID or password is incorrect. Enter correct user ID and password." Is displayed (step S15). Then, the processing from step S1 is repeated.

The transmission processing between the VPN client 200 and the VPN server 100 is basically the same as the transmission using the conventional VPN. Hereinafter, with reference to FIG.
A transmission process using is described.

The CPU 123 of the VPN client 200
Refers to the IP address of the transmission destination computer described in the header of the packet to be transmitted and determines whether there is a transmission request from inside to outside (step S4 in FIG. 9).
1). In this case, since the data output based on the application program 26a is transmitted to the web server 110 shown in FIG. 1, refer to the IP address of the web server 110 described in the header of the packet to be transmitted. Perform such a determination.

Next, the CPU 123 determines that the transmission destination is a VPN.
It is determined whether or not the transmission destination performs transmission using (step S43). That is, it is determined whether or not the IP address of the transmission destination computer matches the IP address of the destination server of the VPN transmission basic data read out to the memory 127 with reference to the header information of the transmission target packet. I just need.

If they match, the CPU 123 sets the VPN
The data is encrypted and transmitted using the transmission basic data (step S45). Specifically, a packet to be transmitted is encrypted by a VPN encryption method using a VPN encryption key, and packetized. The IP address, VPN client identifier, and VPN server identifier of the VPN server to which the packet is to be transmitted are embedded in the header of the packet and transmitted. Note that, similarly to the normal transmission, the IP address of the VPN client 200 that is the transmission source is also embedded in the header. On the other hand, if they do not match in step S43, the transmission using the VPN is not performed, and the transmission target packet is discarded (step S47). Note that the data may be transmitted to the computer at the designated IP address without encryption. In this case, step S4
5 and may be transmitted without being encrypted.

The CPU 23 of the VPN server 100 determines whether or not a request (request) from outside to inside has been received (step S61). Whether or not the request is from outside may be determined by determining whether or not the request is given to the untrust side of the network management unit. Whether the request is an internal request may be determined by determining whether or not its own IP address is specified as a transfer destination in the header of the transmission packet.

When a request from the outside to the inside is received, the CP
U23 determines whether the designated destination exists in the data list of the VPN data storage unit shown in FIG. 4 (step S23).
63). Specifically, it is determined whether or not it is present in the list, using the VPN client identifier and VPN server identifier present in the header as search keys. In this case, since it is present in the list, the source VPN
The IP address of the client 200 is read, and the immediately preceding VPN client IP address is rewritten to the IP address (step S64). In this case, the VPN client identifier “AC101” and the VPN server identifier “AS105” are read out as the header information and are present in the list shown in FIG. 4, so that the IP address of the source VPN client 200 is changed to the immediately preceding VPN client IP address. Rewrite to As described above, by storing the VPN client IP address in association with the VPN decryption key specifying information, the VPN client I
Even when the P address dynamically changes, data communication using the VPN can be performed.

The CPU 23 specifies the VPN decryption key, decrypts it according to the encryption method, extracts the IP address of the transfer destination server from the decrypted data, and
The address is transferred to the server (step S65). In this case, the decryption is performed by the VPN encryption method using the corresponding VPN decryption key “595xxx5”. Referring to the header information of the decrypted data, the IP address of the destination server of this packet is "202.xxx.xxx".
Therefore, the decrypted packet is transmitted to the computer.

As described above, V embedded in the header information
The PN client identifier and the VPN server identifier are
It functions as data for specifying a decryption key when decrypting a packet transmitted by the VPN server 100.

When data processing is executed in the transmission destination web server 110 and a response is transmitted to the VPN client 200, the following is executed.

The CPU 23 of the VPN server 100 determines whether a request from inside to outside has been received (step S71). In addition, whether it is a request from inside or not
What is necessary is just to judge whether it was given to the trust side of the network management unit. Therefore, upon receiving the transmission data from the web server 110 to the VPN client 200, it is determined whether or not the transmission destination exists in the VPN list (step S73). In this case, as the transmission destination of the transmission data, the web server 110 may determine whether or not the IP address specified as the request source received by itself is stored as the immediately preceding VPN client IP address.

In this case, since the transmission destination exists in the VPN list, the transmission destination is encrypted using the corresponding VPN encryption key and the VPN encryption method, and transmitted to the immediately preceding VPN client IP address (step S75). At this time, the VPN client identifier and the VPN server identifier are embedded in the header information. To embed such data, V
This is for specifying a decryption key when decrypting a packet transmitted by the PN client 200. In addition, you may make it transmit, without encrypting in step S75.

The CPU 123 of the VPN client 200
Determines whether a request from outside to inside has been received (step S51). This may be determined from the IP address of the source VPN server and the IP address of the destination VPN client stored in the header information of the packet to be transmitted.

The CPU 123 determines whether or not to decode with the VPN transmission basic data read into the memory 127 (step S53). Specifically, it is determined whether or not the VPN client identifier and the VPN server identifier existing in the header information of the transmission target packet match the VPN client identifier and the VPN server identifier of the VPN transmission basic data read into the memory 127. I just need.

In this case, since they match, decryption is performed using the VPN decryption key of the VPN transmission basic data read out to the memory 127, and the decryption is passed to the application program (step S55). Hereinafter, such processing is repeated.

If the values do not match in step S53, the transmission is not performed using the VPN, and is discarded (step S57). If the data is transmitted without being encrypted in step S75, it may be passed to the application program without decryption in step S55.

In this embodiment, the IP address of the VPN client is not fixed. Therefore, FIG.
In step S64, if it exists in the list shown in FIG. 4, it is stored as the immediately preceding VPN client IP address. Thus, the VPN can be freely constructed without being restricted by the IP address of the VPN client. When the data transmission device 300 is removed from the VPN client 200,
V read from the memory of the PN client 200
It only erases the PN transmission basic data and does not transmit to the VPN server that the data transmission device 300 has been removed. Even in this case, next, when the same or different computer is used as a VPN client for VPN transmission, the IP address of the VPN client is dynamically stored. can do.

In step S73 in FIG. 9, if the data does not exist in the list, it is discarded (ignored) because it is not a transmission using VPN (step S77).

The VPN disconnection process will be described with reference to FIG. The CPU 123 of the VPN client 200
Based on the OS 126o, it is determined whether the connection state of the USB terminal changes. The CPU 123 of the VPN client 200 is executing the program shown in FIG. 10 and “the data transmission device has been removed from the USB terminal”.
(Step S81), and when the data transmission device 300 is removed from the USB terminal, the VPN transmission basic data in the memory 127 is deleted (step S83). As a result, VPN transmission becomes impossible. This is called a VPN disconnected state.

As described above, the VPN transmission basic data is recorded in the portable connection device and inserted into a necessary terminal, whereby a VPN not restricted by the IP address of the computer can be constructed. Also, by removing the connected device, the VPN transmission basic data is automatically deleted.
It is possible to reliably prevent transmission using N.

4. Other Embodiments In the present embodiment, a USB key is used as a transmission device. However, any device that can exchange data stored inside with a client computer can be used. Alternatively, a recording medium such as a compact flash (registered trademark) or a PC card may be employed. In addition, not only when connecting to a terminal provided on the computer by wire, but also for infrared data communication (for example, Ir
DA (Infrared Data Association) standards) and Bluetoo
It is also possible to connect with th or the like.

For issuing data transmission equipment and changing recording data, a separate issuing processing management computer may be provided. Further, by inputting an ID and a password, the VPN client may be made editable.

When performing encryption and decryption in a public key format such as RSA, the public key of the VPN server 100 must be stored in the VPN transmission basic data storage means 10 of the data transmission device 300. Instead, when encrypting, the VPN server 100 may be accessed and acquired. The same applies to the public key of the VPN client 200.

In the present embodiment, all basic data for VPN transmission is stored in the data transmission device and is carried around. This eliminates the need to transfer the VPN transmission basic data from the VPN server, thereby improving confidentiality. However, instead of storing all the VPN transmission basic data in the data transmission device, a part thereof may be stored and the remaining data may be downloaded from the VPN server. In this case, as a method of dividing the data, the data may be divided so as to be meaningful only after being combined. For example, when the VPN encryption key is composed of 12 bytes, the first 6 bytes are transferred to the data transmission device and the second 6 bytes are transferred from the VPN server, and the VPN encryption key can be known only after combining the two. do it. The same applies to other item data. In this case, the division ratio is not limited.

In the above embodiment, the case where the VPN program 126c is installed on the hard disk of the VPN client 11 as shown in FIG. 5 has been described. However, the flash memory chip and the controller chip are used for the VPN program. The program may be stored in a recording medium such as a mounted compact flash (CF), and the program may be read from the recording medium. As a result, even if the computer does not have the VPN program installed in advance, VPN communication can be performed. Hereinafter, an embodiment in which a VPN program described in the VPN client shown in FIG. 5 is incorporated in a data transmission device will be described.

FIG. 11 shows a PD as a VPN client.
The hardware configuration when A (Personal Digital Assistants) is adopted is shown. Thus, the PDA 40
0 has a CF slot 433 and CF slot 4
A compact flash 433a to be described later is inserted into 33. The ROM 425 stores an operating system program (OS).

The data structure of the compact flash 433a will be described with reference to FIG. Compact Flash 4
33a is divided into an area that can be recognized by the OS by the CPU 423 of the PDA 400 and an area that cannot be recognized by the OS. As a result, it is possible to protect VPN basic data such as VPN personal information from unauthorized duplication.

As shown in FIG. 12, the compact flash 400 has an area 41 in which the OS of the PDA 400 can be recognized.
1 and an area 412 where the OS of the PDA 400 cannot be recognized. Specifically, the area 41
No. 1 has a FAT, but the partition of the area 412 may be divided as a hidden FAT. FIG.
VPN data 412d shown in FIG.
VPN program 41 for performing VPN communication with a server
2v is recorded in a predetermined data format. In the area 412, the OS of the PDA 400 is stored in a data format different from the data format of a normal file system.
12, a start program 412a for starting the program recorded in the program 12 is recorded.

The start program 411a and the VP
Data processing by the N program 412v will be described with reference to FIG.

First, the operator operates the compact flash 43.
3a is inserted into the CF slot 433. CPU 423
Determines whether the compact flash is inserted into the CF slot 433 based on the OS stored in the ROM 425 (step S101 in FIG. 13), and when it is inserted, the definition file for automatic execution is stored in the compact flash 433a. Is read (step S105). In this case, as shown in FIG. 12, the definition file 411b is read from the compact flash. Definition file 411b
Contains the startup program 411a stored in the area 411.
Are executed (not shown), and the CPU
423 loads the startup program 411a into the RAM 427 (step S107). As a result, the processing by the startup program 411a is executed.

The CPU 423 displays a password input screen on the liquid crystal display 430 based on the startup program 411a (step S109). When such a display is made,
The operator inputs a password from the input unit 428. CP
U423 determines whether or not a password has been input (step S111), and when a password has been input, reads out the VPN program 412v stored in the area 412 (step S115). As described above, data is recorded in the area 412 in a format different from that of the file management system of the OS of the CPU 423 of the PDA 400. Therefore, data cannot be read only by the OS. However, the start program 411a has previously stored in the area 412.
Stores information for reading the data stored in the VPN program 412v.
Can be read. The CPU 423 decrypts the VPN program 412v read using the password (Step S117). The CPU 423 refers to the decryption result to determine whether or not decryption is possible (step S119). If it is determined that decryption is possible, the CPU 423 loads the decrypted VPN program 412v into the RAM 427 (step S120). It should be noted that whether or not the decoding has been successfully performed may be determined, for example, by determining whether or not the judgment code embedded in a predetermined position can be read by decoding. Thereby, the processing by the VPN program 412v is executed.

The CPU 423 executes the VPN program 412
Based on v, the VPN data 412d is read (step S121). Reading of the VPN data 412d is the same as that of the VPN program 412v. C
PU423 uses the password to read the read VP.
The N data 412d is decrypted (step S123).
The CPU 423 refers to the decryption result and determines whether or not decryption is possible (step S125). If it determines that decryption is successful, the CPU 423 converts the decrypted VPN data 412d into RA data.
A VPN is constructed with the VPN server using M427 (step S127). After that, the transmission processing shown in FIG. 9 is executed as in the above embodiment.

If decryption is not possible in step S119, an error message such as "Please enter a correct password" is displayed and step S10 is performed.
9 and the following processing are repeated.

If decryption is not possible in step S125, an error message such as "Data may be corrupted. Please contact the administrator" is displayed (step S128), and processing is performed. To end.

Note that, similarly to the above embodiment, the PDA 40
0, based on the OS, the CF slot 4
It is determined whether or not the compact flash 433a inserted in the memory 33 has been removed (processing similar to the processing shown in FIG. 10). When it is removed, the program and VPN data loaded in the RAM 427 are erased. Thus, after removing the compact flash 433a, there is no possibility that a VPN can be constructed without permission from the PDA.

As described above, the compact flash is used.
This allows a PDA device without a USB terminal to be
A VPN can be built as a client. What
Oh, VPN client even on computers with different OS
The region 411 is further divided into a plurality of
And remember the same startup program for each
The startup program is read from some area
It would be better if the VPN program could be started
No. For example, compact flash area 411 ₁To
Is the OS for Palm (trademark), area 411₂Has a win
OS for dows (TM) CE, area 411₃...
What is necessary is just to memorize it.

In this example, the case where the PDA is a VPN client has been described. However, the present invention can be similarly applied to a portable terminal such as a notebook personal computer.

When the portable terminal temporarily stores the data once stored in a recording medium such as a hard disk, the read VPN program or the read VPN program may be used.
A program for erasing data not only from the memory but also from the recording medium may be stored in the CF or the like and automatically executed.

In FIG. 13, a case has been described in which the startup program 411a is automatically executed from the definition file when the compact flash is inserted into the CF slot. However, the operator may manually execute the startup program 411a. it can. In this case, in FIG. 13, instead of steps S101 and S105, the determination may be made based on whether or not a start program execution command is given.

In the VPN transmission basic data shown in FIG. 7, an IP subnet address may be specified instead of the IP address of the destination server. in this case,
In step S43 in FIG. 9, it may be determined whether or not the IP address of the transmission destination computer matches the IP subnet address of the destination server of the VPN transmission basic data read into the memory 127. That is, other server identification information such as a domain name that can uniquely identify the other server can be used.

In this embodiment, the VPN server and the V
Although the Internet has been adopted as a network between the PN client and the PN client, the present invention is not limited to this. Even if another network is used, it is possible to maintain the confidentiality of other users.

It should be noted that even if the recording medium does not record a VPN processing program for reading VPN basic data,
The VPN basic data may be stored in an area that the OS of the VPN client cannot recognize, such as the area 412. In this case, the read program may be stored in the VPN client in advance.

Further, in the present embodiment, TCP / IP is used as a communication protocol, but another communication protocol may be used.

In the present embodiment, the functions shown in FIG. 2 are realized by using a CPU and software. However, part or all of it,
It may be realized by hardware such as a logic circuit.

Note that some processing of the program is further
An operating system (OS) may be used.

[Brief description of the drawings]

FIG. 1 schematically shows a VPN transmission system according to the present invention.

FIG. 2 is a functional block diagram of a VPN transmission system according to the present invention.

FIG. 3 is a diagram illustrating an example of a hardware configuration in which the VPN server 100 illustrated in FIG. 2 is implemented using a CPU.

FIG. 4 shows a data structure of VPN transmission basic data.

FIG. 5 shows a VPN client 200 shown in FIG.
FIG. 3 is a diagram illustrating an example of a hardware configuration realized using the above.

FIG. 6 is a diagram illustrating an example of a hardware configuration in which the data transmission device 300 illustrated in FIG. 1 is implemented using a CPU.

FIG. 7 shows a data structure of VPN transmission basic data.

FIG. 8 is a flowchart showing a VPN construction process.

FIG. 9 is a flowchart showing a VPN transmission process.

FIG. 10 is a flowchart showing a VPN disconnection process.

FIG. 11 shows a case where a PDA is used as a VPN client.
FIG. 2 is a diagram illustrating an example of a hardware configuration of a PDA.

FIG. 12 is a diagram for explaining a data management method of the compact flash 433a.

FIG. 13 is a flowchart showing VPN data read processing.

FIG. 14 is a diagram showing an outline of a conventional VPN system.

[Explanation of symbols]

 23 CPU 27 Memory 100 VPN server 123 CPU 127 Memory 200 VPN client 223 CPU 227 Memory 300 Data connection device

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Yuko Shibayama 3-19-2 Nishi Shinjuku, Shinjuku-ku, Tokyo East Japan Nippon Telegraph and Telephone Corporation (72) Inventor Kenichi Okada 2 Uchihoncho, Chuo-ku, Osaka-shi, Osaka No. 4-16, Hitachi System & Services Co., Ltd. (72) Inventor Tatsuya Kosaka 3-19-2 Nishi-Shinjuku, Shinjuku-ku, Tokyo Inside Nippon Telegraph and Telephone Corporation (72) Inventor Koichi Genda Shinjuku-ku, Tokyo Nishi Shinjuku 3-chome 19-2 Tohoku Nippon Telegraph and Telephone Corporation (72) Inventor Keiji Ueno 2-4-1-16 Uchihonmachi, Chuo-ku, Osaka-shi, Osaka F-term in Hitachi System and Service Corporation (reference) 5B085 AA01 AE00 AE29 BE01 BG07 5J104 AA07 AA16 EA04 EA16 EA26 KA01 NA02 NA05 PA07

Claims (13)

[Claims] 1. A method for constructing a VPN between a VPN server computer and a VPN client computer via a network for data communication, and B) enabling data transmission between the VPN client computer and the VPN client computer. VPN for portable data transmission equipment
VPN transmission basic data used by the client computer for VPN transmission with the VPN server computer, and at least 1) a VPN encryption key or VPN used for encryption processing at the VPN client computer.
VPN encryption key specifying information for specifying an encryption key, 2) V
VPN decryption key specifying information for specifying a VPN decryption key to be used for decryption processing by the PN server computer; and
3) VP including IP address of VPN server computer
N) storing basic transmission data; C) connecting the data transmission device to a VPN client computer which desires to construct a VPN; and D) reading the VPN transmission basic data from the data transmission device and communicating with the VPN server computer. When a data transmission request is sent to the VPN server computer, data to be transmitted is transmitted to the VPN server computer.
The IP address of the VPN server computer is encrypted by using an encryption key, and together with the VPN decryption key specifying information.
E) the VPN server computer specifies a key for decrypting the encrypted data based on the VPN decryption key specifying information, and performs a decryption process. VPN data communication method. 2. A virtual private network server computer, comprising: a virtual private network client computer connected to the virtual private network server computer via a network, wherein the virtual private network server computer and the virtual private network client computer are connected to each other. A virtual private network construction system for mutually storing and storing decryption keys for receiving and decrypting encrypted data, wherein the virtual private network client is provided in a portable data transmission device. Virtual private network transmission basic data used when the computer constructs a virtual private network with the virtual private network server computer, and at least 1) virtual private network encryption used for encryption processing at the virtual private network client computer. Encryption key or virtual private network encryption key identification information, 2)
The virtual private network server stores virtual private network decryption key specifying information for specifying a virtual private network decryption key used for decryption processing, and 3) virtual private network transmission basic data including computer specific data of the virtual private network server computer. When the data transmission device is connected, the virtual private network client computer reads the virtual private network transmission basic data and constructs a virtual private network with the virtual private network server computer. A virtual private network construction system, characterized in that: 3. A virtual private network server computer, comprising: a virtual private network client computer connected to the virtual private network server computer via a network, wherein the virtual private network server computer and the virtual private network client computer are connected to each other. A virtual private network construction system for mutually storing and storing decryption keys for receiving and decrypting encrypted data, wherein the virtual private network client is provided in a portable data transmission device. Virtual private network transmission basic data used when the computer constructs a virtual private network with the virtual private network server computer, and at least 1) encrypted data between the virtual private network client computer and the virtual private network server computer. Virtual private network encryption key used for transmission and virtual private network The virtual private network encryption / decryption key specifying information for specifying the encryption key, and 2) the virtual private network transmission basic data including the computer specifying data of the virtual private network server computer are stored. When the data transmission device is connected, the virtual private network transmission basic data is read out, and a virtual private network encryption key and a virtual private network decryption key used for encrypted data transmission with the virtual private network server computer are read. A virtual private network is constructed by specifying the virtual private network. 4. The virtual private network system according to claim 2, wherein the virtual private network client computer performs encryption using the virtual private network encryption key, and the virtual private network decryption key specifying information. And data transfer to the virtual private network server computer, wherein the virtual private network server computer specifies a key for decrypting the encrypted data based on the virtual private network decryption key specifying information, and performs a decryption process. To do. 5. A decryption key for decrypting received encrypted data between a virtual private network client computer and a virtual private network server computer connected to the virtual private network server computer via a network. In a virtual private network client computer for transmitting data, a portable private data transmission device is used when the virtual private network client computer constructs a virtual private network with the virtual private network server computer. The virtual private network transmission basic data including at least the virtual private network encryption key, the virtual private network decryption key identification information, and the computer identification data of the virtual private network server computer is stored. The virtual private network client computer comprises: When over data transmission devices are connected, between said virtual private network transmission basic data reading the virtual private network server computer, a virtual private network client computer, wherein, to build a virtual private network. 6. A computer stores a decryption key capable of decrypting encrypted data received from a virtual private network server computer and transmits data to and from a virtual private network server computer connected via a network. A computer-readable program for functioning as a virtual private network client computer, the program executing the following processing, when the virtual private network client computer establishes a virtual private network with the virtual private network server computer: A mobile phone storing virtual private network transmission basic data including at least a virtual private network encryption key, virtual private network decryption key identification information, and computer identification data of a virtual private network server computer. When a possible data transmission device is connected, the temporary A computer-readable program for reading virtual private network transmission basic data and constructing a virtual private network with the virtual private network server computer. 7. Communication between a client computer and a specific server computer or a specific LAN,
A VPN client function is provided inside the client computer or between the client computer and the network, a VPN server function is provided inside the specific server or between the specific server or the specific LAN and the network, and the VPN client function and the VPN server function are provided. A) A VPN communication system for encrypting and transferring data transferred between A and B. A) The network is a public network such as the Internet or a LAN. B) The VPN client function is a portable data transmission device and a data transmission device. And C) a driver program for the VPN client function,
When the data transmission device is connected to a client computer for VPN communication, the data transmission device
PN transmission basic data is read out by a client computer to be in an operable state. D) The portable data transmission device is provided with VPN transmission basic data as d1) VPN client identification information, d2).
The encryption key information necessary for the encryption / decryption processing, d3) the IP address indicating the VPN server function, d4) the IP address indicating the specific server or the IP subnet address indicating the specific LAN, and E) the VPN server function includes , VPN server identification information, identification information of all VPN clients for encrypted communication, and encryption key information necessary for encryption / decryption processing. F) The VPN client function is such that the client computer has a specific server computer or a specific server computer. L
When transmitting data to the AN, a VPN is established by exchanging mutual VPN transmission basic data with a VPN server function, the transmission target data is encrypted using the VPN transmission basic data, and the VPN server is encrypted. G) the VPN server function uses an encryption key for decrypting the encrypted data based on VPN transmission basic data for communicating with the VPN client function. And transmitting the data to the specific server computer or the specific LAN after decrypting. 8. The virtual private network system according to claim 2, wherein a program for a virtual private network client computer is recorded on the data transmission device, and the virtual private network client computer is configured to execute the program. And executing the construction of the virtual private network. 9. A data transmission system in which a decryption key for receiving and decrypting encrypted data is stored between the computer and a virtual private network server computer connected via a network. A recording medium storing a program for causing the virtual private network client computer to function as a virtual private network client computer, wherein when the recording medium storing the program is connected, the virtual private network client computer is connected to the virtual private network server. Virtual private network transmission basic data used when constructing a virtual private network with a computer, at least 1) a virtual private network encryption key or virtual private network encryption used for encryption processing at a virtual private network client computer. Key specification information, 2) Virtual private network decryption used for decryption processing by virtual private network server Virtual private network decryption key specifying information for specifying a key, and 3) virtual private network transmission basic data including computer specific data of the virtual private network server computer, from the recording medium, and reading between the virtual private network server computer and the virtual private network server computer A virtual private network, wherein the computer readable program is recorded on a recording medium. 10. A recording medium on which the program according to claim 9 is recorded, wherein a program for a virtual private network client computer is recorded on the recording medium, and the virtual private network client computer reads the program and reads the program. Executing the construction of the virtual private network. 11. A recording medium on which the program according to claim 10 is recorded, wherein said recording medium is a virtual private network-related data storage unit in which a program for a virtual private network client computer and virtual private network transmission basic data are recorded; A read program recording unit in which a read program for reading the virtual private network-related data is recorded, wherein the virtual private network-related data storage unit records in a data structure different from a file system of the client computer. When the user identification information is given, the readout program checks the collation state with collation information stored in advance, and when collation is performed, a program for a virtual private network client computer and a virtual private network The network transmission basic data is read and the virtual private network is read. Performing a built, those characterized by. 12. When a recording medium storing data is connected to a computer, an operating system program of the computer activates a virtual private network construction program recorded on the recording medium, and the virtual private network construction program A method for reading virtual private network construction data recorded on the recording medium and constructing a virtual private network with a virtual private network server computer, wherein the virtual private network construction data comprises the operating system The virtual private network construction program is stored in a hidden data area where data cannot be read only by the program, and when the user identification information is given, the virtual private network construction program checks a collation state with collation information stored in advance, In case of collation, the virtual private network construction data is hidden. It is read from the data area, wherein it is a program for constructing a virtual private network, a method of constructing a virtual private network, characterized in that. 13. A recording medium recording a program for causing a computer to function as a virtual private network client computer that has constructed a virtual private network with a virtual private network server computer connected via a network, In the recording medium, 1) the virtual private network construction data is recorded in a hidden data area from which data cannot be read only by the operating system program, and 2) when the user identification information is given, it is stored in advance. In the case of inspecting the collation state with the collation information, and collating, the virtual private network construction data is read from the hidden data area, and the operating system program is recorded as a program for constructing the virtual private network. Data is recorded in an area where the data format can be separated The computer readable recording medium recording a program, characterized in that.