JP2002247032A - Cipher communication device and its method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve the packet throughput of a cipher communication device provided with a plurality of ciphering/deciphering processing parts allowed to be driven in parallel. SOLUTION: A main control part 43 copies fixed information not to be updated in each packet processing out of definition information concerned with a packet ciphering/deciphering processing method to respective security processing parts 44 for executing ciphering/deciphering processing. Respective securing processing parts 4 are allowed to execute the generation of additional information and the adding processing of the additional information to each packet. On the other hand, the main control part 43 calculates variable information to be updated in each packet processing executed by each security processing part 44 and updates a definition information mater table 4351.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an encryption communication device for encrypting and / or decrypting communication packets,
In particular, the present invention relates to an encryption communication device including a plurality of encryption and / or decryption processing units that can operate in parallel.

[0002]

2. Description of the Related Art An encryption / decryption apparatus for encrypting / decrypting a packet storing communication data has its encryption / decryption processing performance greatly affecting communication performance. For this reason, conventionally, a method of improving the encryption / decryption processing performance by preparing a plurality of dedicated hardware capable of executing the packet encryption / decryption processing at high speed and operating them in parallel has been used.

As such an apparatus, for example, Japanese Patent Application Laid-Open
There is one described in JP-A-315997. The cryptographic communication device described in the above publication includes a plurality of security processors that perform encryption / decryption processing of packets, a security database, and a central processing unit (CPU).

Here, the security database includes:
For each type of packet to be subjected to encryption / decryption processing, an encryption algorithm and an encryption key applied to the packet are stored. Also, which type of packet each security processor processes is statically associated in advance.

[0005] In the cipher communication device described in the above publication, when a main control unit receives a packet, it determines the type of the packet. Then, by checking whether or not an encryption algorithm, an encryption key, and the like corresponding to the type of the packet are stored in the security database, it is determined whether encryption / decryption processing is required for the packet. As a result, if encryption / decryption processing is necessary, the packet is
It notifies the security processor statically associated with the type of the packet in advance and causes the security processor to perform encryption / decryption processing on the packet. Next, the main control unit receives the processed packet from the security processor and transmits this to the destination of the packet. Here, the plurality of security processors are configured to be able to operate in parallel. The main control unit operates these security processors in parallel, thereby improving the encryption / decryption processing performance and, consequently, the packet processing performance of the entire cryptographic communication device.

[0006]

By the way, in the encryption communication device, it is necessary to perform additional processing other than the encryption / decryption processing of the packet. Specifically, in the encrypted packet, identification information for enabling the encryption communication device of the communication partner to determine the type of the encrypted packet, that is, in the decryption processing of the encrypted packet. Identification information for identifying the encryption algorithm and encryption key to be applied, replay attacks (an unauthorized third party picking up a packet and sending the same packet to the destination of the packet many times), etc. It is necessary to generate a sequence management number or the like for preventing the above, and to add additional information including such information to the encrypted packet.

In the cipher communication device described in the above publication, such additional processing is performed by the main control unit. Therefore, even if a plurality of security processors are operated in parallel to improve the encryption / decryption processing performance, the packet processing performance of the entire cryptographic communication device may not be improved due to the processing capability of the main control unit. This tendency becomes more remarkable as the number of security processors operated in parallel increases.

[0008] By increasing the function of each of a plurality of security processors to be operated in parallel and allowing each security processor to perform the above additional processing, the processing in the main control unit can be reduced, and the encryption communication apparatus can be reduced. A method for improving the overall packet processing performance can be considered.

However, the security database of the cryptographic communication device described in the above-mentioned publication includes, in addition to information (such as an encryption algorithm and an encryption key) that does not need to be updated for each packet encryption / decryption process (referred to as fixed information), It contains information (called variable information) that needs to be updated for each packet encryption / decryption process, such as a sequence management number and a total processing data amount for estimating the life of the encryption algorithm and encryption key.

For this reason, when the above method is applied to the cryptographic communication device described in the above publication, a plurality of security processors access the security database, and the management of access rights becomes complicated. Exclusive control of access must be performed efficiently so that access to the security database from a plurality of security processors does not conflict. further,
2. Description of the Related Art In recent years, information used in encryption / decryption processing has increased due to complexity of encryption algorithms, increase in bit length of encryption keys, and the like.
Therefore, access to the security database from the security processor must be accelerated.

Further, in the cipher communication device described in the above publication,
Which type of packet each security processor processes is statically associated in advance. Therefore, each security processor cannot be operated flexibly.

For example, when the type of the packet to be encrypted / decrypted is biased, the plurality of security processors do not operate equally, and the plurality of security processors cannot be used effectively.

Further, for example, when a security processor is added, the user must associate which type of packet is to be processed by the security processor, and it is necessary to reconstruct a security database and the like.

Further, for example, when a certain security processor fails, it becomes impossible to perform encryption / decryption processing for a packet of a type associated with the security processor.

Further, for example, if the user does not know the encryption algorithm and the encryption key bit length that can be processed by each security processor, there is a mistake in associating a certain security processor with a type of packet that cannot be processed by the security processor. May occur. That is, unless the user knows the encryption algorithm, the encryption key bit length, and the like that can be processed by each security processor, each security processor cannot operate properly.

The present invention has been made based on the above circumstances, and an object of the present invention is to improve the packet processing performance in a cryptographic communication device having a plurality of encryption and / or decryption processing units capable of operating in parallel. It is to be able to aim at. Another object is to flexibly operate each of the plurality of encryption and / or decryption processing units.

[0017]

In order to achieve the above object, a first aspect of the present invention provides a method for encrypting and / or decrypting a packet in accordance with definition information defining an encryption and / or decryption processing method. A security processing unit;
A cryptographic communication device comprising: a main control unit that notifies a packet to the security processing unit, receives a processed packet from the security processing unit, and transmits the processed packet.

In the case where the encryption communication device is to perform a process of encrypting a packet received from the first information transmission medium and transmitting the encrypted packet to the second information transmission medium, each of the main control and the security processing unit Includes at least the following configuration.

In other words, the main control unit stores, for each type of packet, variable information of the definition information that needs to be updated for each packet encryption process (sequence management for managing a packet to be transmitted to a communication partner). A variable information holding unit for holding a packet, and a packet notifying unit for notifying the security processing unit of a packet together with the variable information corresponding to the type of the packet held in the variable information holding unit. Variable information updating means for updating the variable information corresponding to the type of the packet notified by the packet notifying means, which is held in the variable information holding means.

Further, the security processing unit includes a fixed information which does not need to update the packet notified by the main control unit in the definition information corresponding to the type of the packet every time the packet is encrypted. Main processing means for performing encryption processing according to an encryption algorithm or an encryption key used for encryption processing), and additional information generated using the variable information notified together with the packet from the main control unit. Additional processing means for adding to the processed packet and notifying the main control unit.

Further, when the cryptographic communication device is to perform processing for decrypting an encrypted packet received from a second information transmission medium and transmitting the decrypted packet to the first information transmission medium, the main control and the security processing section Include at least the following configurations.

That is, the main control unit performs, for each type of packet, variable information that needs to be updated for each packet decoding process in the definition information (for example, the total processing data amount of the packet processed by this definition information, etc.). ), Packet notifying means for notifying a packet to the security processing unit, and predetermined information (such as the processing data length of the packet) notified together with the packet from the security processing unit. Variable information updating means for updating the variable information corresponding to the type of the packet held in the variable information holding means.

[0023] The security processing unit includes a fixed information (this information, which does not need to be updated for each packet decoding process) in the definition information corresponding to the type of the packet, notified by the main control unit. A main processing unit that performs a decoding process according to an encryption algorithm or a decoding key used for the decoding process), and the predetermined information is generated in accordance with the packet that has been subjected to the decoding process by the main processing unit. Additional processing means for notifying the section;
Is provided.

In the present aspect, the processing of generating additional information, adding the additional information to the packet, and calculating predetermined information such as the processing data length is performed by the security processing unit. On the other hand, the main control unit updates the variable information such as the sequence management number and the total processing data amount held in the variable information holding unit.

Therefore, according to this aspect, most of the additional processing other than the encryption and / or decryption processing of the packet can be performed by the security processing unit.
Further, a situation in which access from each of the security processing units to the variable information holding unit collides does not occur. Therefore, the packet processing performance of the entire cryptographic communication device can be improved as compared with the conventional cryptographic communication device.

According to a second aspect of the present invention, there is provided at least one security processing unit for encrypting and / or decrypting a packet in accordance with definition information defining an encryption and / or decryption processing method. When,
A cryptographic communication device comprising: a main control unit that notifies the security processing unit of the packet, receives a processed packet from the security processing unit, and transmits the processed packet.

The main control unit is provided with packet notifying means for notifying the security processing unit of a packet together with identification information of the definition information defining an encryption or decryption processing method to be applied to the packet.

Further, the security control unit, for each of the identification information, a first definition information holding unit for holding the definition information corresponding to the identification information, and a packet notified from the main control unit. Main processing means for performing encryption or decryption processing according to the definition information held in the first definition information holding means in association with the identification information notified together with a packet, and notifying the main control unit of the encryption or decryption processing; Is provided.

In this aspect, each of the security control units is provided with the first definition information holding means. Then, the packet notified from the main control unit is encrypted or decrypted according to the fixed information held in the first definition information holding unit in association with the identification information notified together with the packet. I have to.

Therefore, according to this aspect, the security processing unit determines the encryption or decryption processing to be applied to the packet notified together with the identification information according to the identification information notified from the main control unit. Therefore, a plurality of security processing units can be operated more flexibly than a conventional cryptographic communication device.

In this embodiment, the main control unit includes:
An unprocessed packet monitoring means for monitoring the unprocessed packets, which have been notified to the security processing unit, for each security processing unit may be provided. And
The packet notifying unit may cause the security processing unit, in which the result of monitoring by the unprocessed packet monitoring unit indicates that the number of unprocessed packets is the least, to determine a notification destination of the packet. If you do this,
Since the plurality of security processing units can be operated more evenly, the plurality of security processing units can be effectively used.

In this aspect, the security processing section is configured to be insertable into and removable from the cryptographic communication device, and the cryptographic communication device is further provided with a mounting detection means for detecting the mounted security processing section. Is also good. Then, the packet notifying unit may determine a packet notification destination from among the security processing units detected by the attachment detecting unit. With this configuration, when the number of the security processing units is increased or decreased, the cryptographic communication device can be operated without redesigning or reconstructing the cryptographic communication device.

[0033] In this aspect, the cryptographic communication device may further include failure detection means for detecting a failure of the security processing unit. Then, the packet notifying unit may be configured to determine a packet notification destination from among the security processing units in which a failure has not been detected by the failure detecting unit. In this way, when a certain security processing unit breaks down, a situation in which encryption or decryption processing defined by certain definition information cannot be performed does not occur.

Further, in this aspect, the security processing section has function information capable of specifying a processing method which can be processed by the security processing section, and the main control section has the identification information for each of the identification information. A second definition information holding means for holding the corresponding definition information may be further provided. Then, the packet notifying means may notify the destination of the packet that the method of processing the definition information held in the second definition information holding means in association with the identification information of the packet can be processed. It may be determined from among the security processing units that hold the indicated function information. This allows each security processing unit to process a packet even if the user does not know the encryption algorithm, encryption key bit length, and the like that can be processed by each security processing unit.

In order to achieve the above object, a third aspect of the present invention provides a cryptographic communication device having both the features of the first and second aspects.

[0036]

Embodiments of the present invention will be described below.

First, a first embodiment of the present invention will be described.

FIG. 1 shows a configuration example of a communication system using an encryption communication device to which the first embodiment of the present invention is applied.

[0039] In the figures, reference numeral 1 designates a communication wide area network (WAN), a reference numeral 2 ₁ to 2 _n may be a local area network (LAN), a reference numeral 3 ₁ to 3 _n is connected to the LAN2 ₁ to 2 _n Terminals and symbols 4 ₁ to 4 _n are cryptographic communication devices to which the present embodiment is applied.

The cryptographic communication devices 4 ₁ to 4 _n
2 ₁ to 2 _n (hereinafter, housing LAN2 and called) is connected via the communication terminal 3 ₁ to 3 _n (hereinafter, referred to as a receiving terminal 3) encrypts the packet received from, and transmits on WAN1.
Also, receiving a packet addressed to the accommodation terminal 3 from the WAN 1,
This is decrypted and transmitted to the accommodation LAN 2.

For example, in FIG. 1, when the communication terminal 3 ₁ and the communication terminal 3 ₂ perform data communication, the communication terminal 3 ₁
A packet addressed to the communication terminal 3 ₂ transmitted from the LAN _{2 1}
Through the received encrypted communication apparatus 4 _1. Encrypted communication device 4 _1, the received packet is transmitted to the upper WAN1 encrypted. Encrypted communication device 4 _2, communication from WAN1 terminal 3 ₂
Receiving a packet addressed decrypts it transmits on LAN2 _2. As a result, the communication terminal 3 ₂ communicates with the communication terminal 3 ₁
Receives the packet sent from. Similarly, packets addressed to ₂ communication terminal 3 transmitted from the communication terminal 3 ₁ also encrypted with encryption communication device 4 ₂ is decoded by the encryption communication apparatus 4 _1.

As described above, the encryption communication device 4 of the present embodiment
_In a communication system using ₁ to 4 _n , packets transmitted and received between the communication terminals 3 ₁ to 3 _n flow on the WAN 1 in an encrypted state. Thereby, the encryption communication device 4 ₁
To 4 _n are realized.

[0043] FIG. 2 shows an example of the configuration of the present embodiment is applied cryptographic communication device 4 ₁ to 4 _n.

In the figure, reference numeral 41 denotes a WAN interface (I / F) for transmitting and receiving packets to and from the WAN 1;
Reference numeral 2 denotes a LAN interface (I / F) unit for transmitting and receiving packets to and from the accommodation LAN 2, and reference numeral 43 denotes a WAN I / F unit 4.
1 or a packet received by the LAN I / F unit 42, if necessary.
1 or a main control unit that outputs to the LAN I / F unit 42, and reference numeral 44 denotes an encryption / decryption process and an additional process required for encryption communication other than the encryption / decryption process on the packet received from the main control unit 43. And a security processing unit that performs the following.

Each security processing unit 44 is connected to the main control unit 43 via a system bus (SBUS) 45, and exchanges packets with the main control unit 43 via the SBUS 45. Also, each security processing unit 44 can operate independently and in parallel. Although the number of security processing units is two in the example shown in FIG. 2, any number of security processing units may be used.

The main control unit 43 includes a processing unit selection unit 431,
It includes an I / F unit selection unit 432, a definition information update unit 433, a processing unit state monitoring unit 434, and a data storage unit 435.

The data storage section 435 has a definition information master table 4351, a path information table 4352, and a processing section status information table 4353.

In the definition information master table 4351, for each encryption and decryption processing method, definition information defining the processing method is registered. FIG. 3 shows an example of registered contents of the definition information master table 4351. As illustrated, the definition information 4351a is registered in the definition information master table 4351 for each encryption and decryption processing method. Each definition information 4
351a includes entries 4351b to 4351i.

The entry 4351b contains the definition information 4
351a, processing target definition information that defines the type of packet to which the encryption or decryption processing method is to be applied (for example, the communication destination 3
_{1 to} 3 _n ) are registered. Also, entry 43
51c, the other party's cryptographic communication device 4 that performs cryptographic communication.
An encrypted communication partner address defining ₁ to 4 _n is registered.
The entry 4351d includes the definition information 4351
A definition information identification number for identifying “a” is registered. The entry 4351e contains the definition information 4351a.
Is registered as a usage type that defines whether or not is for encryption or decryption.

In the entry 4351f, a sequence management number for managing the same packet so as not to be received repeatedly is registered. The replay attack as described above can be prevented by using the sequence management number to manage the same packet so that it is not received repeatedly. When the definition information 4351a defines an encryption processing method, one entry of the sequence management number of the latest packet encrypted by the encryption processing method is registered in the entry 4351f. In contrast, the definition information 4351
If a defines the decryption processing method, entry 4351f
In the sequence management number of the packet decrypted by the decryption processing method, from the latest to the past,
Up to a predetermined maximum number of registrations are registered.

In the entry 4351g, the total processing data length of a packet processed according to the encryption or decryption processing method defined by the definition information 4351a is registered. In the entry 4351h, an encryption algorithm adopted by the encryption or decryption processing method defined by the definition information 4351a is registered. In the entry 4351i, an encryption or decryption key used for the encryption or decryption processing method defined by the definition information 4351a is registered.

The definition information master table 4351
Can be accessed from a terminal of a user having a predetermined authority (for example, a password) via the LAN I / F unit 42 or an input / output unit (not shown), and the user can execute the total processing registered in the entry 4351g. Using the data length, it is possible to estimate the encryption algorithm registered in the entry 4351h, the lifetime (update time) of the key registered in the entry 4351i, and the like. Updates (changes) the encryption algorithm and key information as necessary
can do.

Here, the processing target definition information, the encrypted communication partner address, the definition information identification number, the application type, the encryption algorithm, and the key are fixed information that is not updated every time a packet is encrypted or decrypted. is there. on the other hand,
The sequence management number and the total processing data length are variable information updated each time a packet is subjected to encryption or decryption processing.

[0054] In order to establish the encryption communication between the encrypted communication device 4 ₁ to 4 _n, in the definition information master table 4351 for each encryption communication device 4 ₁ to 4 _n, defined for encryption to be used for certain cryptographic communication Entry 4351 of information 4351a
d and the entry 43 of the definition information 4351a for decryption used for the encrypted communication.
The definition information identification number registered in 51d is set to have the same value.

In the path information table 4352, path information necessary for determining which one of the WAN I / F unit 41 and the LAN I / F unit 42 to send a packet is registered. FIG. 4 shows an example of registered contents of the route information table 4352. As shown, the route information master table 43
52, the route information 4352a is registered for each specific address range in which communication is possible via the WAN 1 or the accommodation LAN 2. Each route information 4352a has an entry 4352
b, 4352c.

In the entry 4352b, a destination address range indicating a specific address range in which communication is possible via the WAN 1 or the accommodation LAN 2 is registered. In addition, the entry 4352b includes an entry 4352b from the main control unit 43.
When a packet is transmitted to an address included in the destination address range registered in, the output destination I / F unit information that specifies one of the WAN I / F unit 41 and the LAN I / F unit to which the packet should be passed is be registered.

The processing section status information table 4353 includes, for each security processing section 44,
Is registered as processing unit status information indicating the processing status in the process. FIG.
Shows an example of registration contents of the processing unit status information table 4353. As shown, the processing unit status information table 4353
Contains the processing unit status information 43 for each security processing unit 44.
53a is registered. Each processing unit status information 4353a includes:
It includes entries 4353b and 4353c.

In the entry 4353b, a security processing unit identification number for identifying the security processing unit 44 is registered. The entry 4353c includes a packet that the main control unit 43 has passed to the security processing unit 44 having the security processing unit identification number registered in the entry 4353b,
The unprocessed data amount, which is the total data amount of unprocessed packets possessed by the security processing unit 44, is registered.

The processing section selection section 431 is provided for the WAN I / F section 4
1 or a packet received from the LAN I / F unit 42, the type of the packet and the definition information master table 4
The security processing unit 44 to process the packet using the definition information 4351a registered in the security information processing unit 351
Select Then, the selected security processing unit 44
Hand over the packet.

The I / F section selecting section 432 is a destination I / F of a packet transmitted from the security processing section 44 or a packet determined to have no security processing section 44 to be processed by the processing section selection 431. (WANI / F
Unit 41 or the LAN I / F unit 42), the destination address of the packet and the route information table 4352.
Is determined using the route information 4352a registered in the. Then, the packet is transferred to the determined I / F unit.

The definition information updating section 433 is a section for updating each definition information 4351 registered in the definition information master table 4351.
The variable information a (the sequence management number registered in the entry 4351f and the total processing data length registered in the entry 4351g) is updated.

The processing unit status monitoring unit 434 includes, for each security processing unit 44, the number of packets transmitted from the main control unit 43 to the security processing unit 44 and the number of packets transmitted from the security processing unit 44 to the main control unit 43. Monitor the difference from the number of packets. Then, the unprocessed data amount is obtained from the difference, and the processing unit state information table 4353 is updated.

The main control unit 43 having the above-described configuration includes, for example, a CPU, a memory, and an SBU.
And an interface for connecting to S45. In this case, the processing unit selection unit 431, the I / F unit selection unit 432, the definition information update unit 433, and the processing unit state monitoring unit 434
U is embodied as a process by executing a program in memory. Further, a memory is used for the data storage unit 435.

The security processing section 44 has an encryption / decryption processing section 441, an additional processing section 442, and a data storage section 443.

The data storage section 443 has a definition information slave table 4431. FIG. 6 shows an example of registered contents of the definition information slave table 4431. As illustrated, definition information 4431a is registered in the definition information master table 4431 for each encryption and decryption processing method. Each definition information 4431a is the definition information 4351a shown in FIG.
Entries 4351b to 3351e, 4351h, 43
51i. That is, fixed information of various types of information registered in the definition information 4351a illustrated in FIG. 3 is registered in each definition information 4431a.

The definition information slave table 4431
For example, when the cryptographic communication devices 4 ₁ to 4 _n are initialized, the main control unit 43 reads the fixed information registered in each definition information 4351a from the definition information master table 4351,
These are stored in the data storage unit 443 of the security processing unit 44.
It is formed by copying to

The encryption / decryption processing unit 441 encrypts or decrypts the packet passed from the main control unit 43 by using the definition information 4431a whose definition information identification number passed with the packet is registered in the entry 4351d. Become

The additional processing section 442 performs additional processing necessary for encrypted communication other than encryption / decryption processing. Specifically, when the process on the packet in the encryption / decryption processing unit 441 is encryption, additional information including the definition information identification number and the sequence management number passed from the main control unit 43 together with the packet is generated. Is added to the encrypted packet. Then, the encrypted packet to which the additional information is added is transferred to the main control unit 43 together with the definition information identification number and the data length of the packet. On the other hand, when the processing for the packet in the encryption / decryption processing unit 441 is decoding,
The decrypted packet is passed to the main control unit 43 together with the definition information identification number and the data length of the packet.

The security processing unit 44 having the above configuration
Similarly to the main control unit 43, for example, it can be realized using a system including a CPU, a memory, and an interface for connecting the CPU and the memory to the SBUS 45. In this case, the encryption / decryption processing unit 441 and the additional processing unit 442 are embodied as processes by the CPU executing a program in the memory. Further, a memory is used for the data storage unit 443.

Next, the operation of the cryptographic communication devices 4 ₁ to 4 _{n having} the above configuration will be described.

First, the cryptographic communication devices 4 ₁ to 4 _n
The packet received from the accommodation terminal 3 via N2 is WAN
1 will be described.

FIG. 7 is a diagram for explaining an operation procedure when the cryptographic communication devices 4 ₁ to 4 _n transmit a packet received from the accommodation terminal 3 via the accommodation LAN 2 to the WAN ₁ in the present embodiment. It is.

First, the main control unit 43 sets the LAN I / F unit 42
When a packet is received from the accommodation LAN 2 via the
001), the processing unit selection unit 431 determines the type of the packet (for example, the destination and transmission source communication terminal 3 _{1 of the} packet).
３3 _n addresses). Then, the type of the packet is defined in the definition information 4 registered in the entry 4351b.
It is further checked whether or not 351a is stored in the definition information master table 4351. Thereby, it is determined whether or not the packet requires encryption processing (S7002).

In S7002, the type of the packet is the definition information 435 registered in the entry 4351b.
If 1 a is not stored in the definition information master table 4351, the processing unit selection unit 431 determines that the packet is not a packet requiring encryption processing, and passes this to the I / F selection unit 432.

In response to this, the I / F selection unit 432 searches the route information table 435 for the entry 4 in which the destination address range including the destination address of the packet is registered.
The route information 4352a having 352b is searched (S70).
03). Then, the packet is transmitted to the output destination I / F registered in the entry 4352c of the detected route information 4352a (S7004). Here, the output destination I / F
The WAN I / F unit 41 is selected as the unit, and the packet is transmitted on WAN1.

On the other hand, in step S7002, when the definition information 4351a in which the type of the packet is registered in the entry 4351b is stored in the definition information master table 4351, the processing unit selection unit 431 performs encryption processing on the packet. Judge as a required packet,
Referring to the processing unit status information table 4353, the processing unit status information 4353a having the smallest unprocessed data amount registered in the entry 4353c is searched (S700).
5).

Then, the processing unit selection unit 431 sends the packet to the security processing unit 44 having the security processing unit identification number registered in the entry 4352b of the detected processing unit state information 4353a.
The definition information identification number registered in the entry 4351d of the entry 51a and the sequence management number registered in the entry 4351f are passed along with a new sequence management number incremented by one (S7006).

Further, the processing section selecting section 431 passes the definition information identification number and the new sequence management number to the definition information updating section 433. In response to this, the definition information updating unit 433 determines from the definition information master table 4351 that the definition information identification number notified from the processing unit selection unit 431 is registered in the entry 4351d.
Search for. Then, when it is confirmed that the use type registered in the entry 4351e of the detected definition information 4351a is for encryption, the sequence management number registered in the entry 4351f of the definition information 4351a is replaced with the new sequence management number. (S70)
07).

Now, the security processing unit 44 determines that the SBUS
When a packet is received from the main control unit 43 through 45,
The encryption / decryption processing unit 441 includes the definition information slave table 44
In step S7008, a search is made for the definition information 4431a in which the definition information identification number received from the main control unit 43 together with the packet is registered in the entry 4351d.
Then, the packet is encrypted using various information (encryption algorithm and key) of the detected definition information 4431a (S7009). Here, examples of the encryption method include a method of encrypting only the payload of the packet, and a method of replacing the payload of the packet with a result of encryption of the entire packet. It is assumed that such a difference in the encryption method can be specified from the encryption algorithm registered in the entry 4351h.

On the other hand, when confirming that the use type registered in the entry 4351e of the definition information 4431a detected in S7008 is for encryption, the addition processing unit 442 receives the definition information received together with the packet from the main control unit 43. The additional information including the identification number and the sequence management number is generated. When the encryption / decryption processing unit 441 completes the encryption processing on the packet, the generated additional information is added to the packet on which the encryption processing has been completed (S7010). For example, the additional information is added to the head of the encrypted data stored in the payload of the packet. Then, the additional processing unit 442 calculates the data length of the encrypted data. Then, the encrypted packet to which the additional information is added is transferred to the main control unit 43 together with the definition information identification number and the data length (S70).
11).

When the main control unit 43 receives a packet from the security processing unit 44 via the SBUS 45,
The definition information updating unit 433 searches for the definition information 4351a in which the definition information identification number received from the security processing unit 44 together with the packet is registered in the entry 4351e. Then, the data length received from the security processing unit 44 together with the packet is added to the total processing data length registered in the entry 4351g of the detected definition information 4351a to update the registered content of the entry 4351g (S7012).

On the other hand, the I / F section selecting section 432 determines from the path information table 435 the path information 4 having the entry 4352b in which the destination address range including the destination address of the packet received from the security processing section 44 is registered.
352a is searched (S7013). Then, the packet is transmitted to the output destination I / F registered in the entry 4352c of the detected route information 4352a (S701).
4). Here, the WAN I / F unit 4 is used as the output destination I / F unit.
1 is selected and the packet is transmitted on WAN1.

Next, the encryption communication devices 4 ₁ to 4 _n
The operation when the received packet is transmitted to the accommodation LAN 2 will be described.

FIG. 8 is a block diagram showing an embodiment in which the cryptographic communication devices 4 ₁ to 4 _n store packets received from the WAN _{1 in the} LA.
It is a figure for explaining the operation procedure at the time of transmitting on N2.

First, the main control unit 43 sets the WAN I / F unit 41
When a packet is received from WAN 1 via
1) The processing unit selection unit 431 checks whether or not additional information is added to the packet. For example, it is determined whether or not the additional information has been added to the head of the data stored in the payload of the packet. This allows
It is determined whether the packet requires a decoding process (S8002).

If it is determined in S8002 that the additional information has not been added to the packet, the processing unit selection unit 431 determines that the packet is not a packet requiring a decoding process, F selection unit 43
Hand over to 2.

In response to this, the I / F selection unit 432 searches the route information table 435 for the entry 4 in which the destination address range including the destination address of the packet is registered.
The route information 4352a having 352b is searched (S80).
03). Then, it sends it to the output destination I / F registered in the entry 4352c of the detected route information 4352a (S8004). Here, L is used as the output destination I / F unit.
The ANI / F unit 42 is selected, and the packet is
Sent on N2.

On the other hand, if it is determined in S8002 that the additional information has been added to the packet, the processing unit selector 431 determines that the packet is a packet requiring decoding processing, and The information master table 4351 searches the definition information 4351a in which the definition information identification number included in the additional information is registered in the entry 4351d. Then, the detected definition information 43
The registration content of the entry 4351f of the entry 51a is compared with the sequence management number included in the additional information, and it is determined whether or not the packet has been sent repeatedly (S8005). As described above, the entry 4351f of the definition information 4351a that defines the decoding processing method includes
The sequence management numbers of the packets decoded by the decoding processing method are registered up to a predetermined maximum registration number toward the latest past. Therefore, the processing unit selection unit 431
If the sequence management number included in the additional information is already registered in the entry 4351f, it is determined that the packet is a packet that an unauthorized third party has repeatedly sent by a replay attack or the like, Discard the packet.

Next, the processing unit selection unit 431 proceeds to S8005
If it is confirmed that the packet is not the one sent in duplicate by the processing in step 4, the processing unit state information table 4353 is referred to and the processing with the least amount of unprocessed data registered in the entry 4353c is performed. Department status information 4
353a is searched (S8006). Then, the packet is passed to the additional information together with the definition information identification number to the security processing unit 44 having the security processing unit identification number registered in the entry 4352b of the detected processing unit state information 4353a (S8007). In addition, the definition information identification number and the sequence management number included in the additional information are passed to the definition information updating unit 433.

Now, the security processing unit 44 determines that the SBUS
When a packet is received from the main control unit 43 through 45,
The encryption / decryption processing unit 441 includes the definition information slave table 44
31 is searched for the definition information 4431a in which the definition information identification number received from the main control unit 43 together with the packet is registered in the entry 4351d (S8008).
Then, the packet is decrypted using various information (encryption algorithm and key) of the detected definition information 4431a (S8009). Here, as a decryption method, for example, the encrypted data stored in the payload of the packet is decrypted, the data of the payload of the original packet is restored, and the data of the payload is replaced with the restored data. And a method of restoring the original packet by decrypting the encrypted data of the entire original packet stored in the payload of the packet. Such a difference in the decoding method is also reflected in the entry 435.
It can be specified from the encryption algorithm registered in 1h.

On the other hand, upon confirming that the use type registered in the entry 4351e of the definition information 4431a detected in S8008 is for decoding, the additional processing unit 442 calculates the data length of the decoded data. Then, the main control unit 4 stores the packet decoded by the encryption / decryption processing unit 441 together with the definition information identification number and the data length.
3 (S8010).

When the main control unit 43 receives a packet from the security processing unit 44 via the SBUS 45,
The definition information updating unit 433 searches for the definition information 4351a in which the definition information identification number received from the security processing unit 44 together with the packet is registered in the entry 4351e. Then, by adding the data length received from the security processing unit 44 together with the packet to the total processing data length registered in the entry 4351g of the detected definition information 4351a, the registered content of the entry 4351g is updated (S8011).

When the definition information updating unit 433 confirms that the use type registered in the entry 4351e of the detected definition information 4351a is for decryption, the processing unit selection unit 431 sends the definition information identification number together with the definition information identification number in advance. The received sequence management number is stored in the definition information 4351a.
Is added to the entry 4351f (S8012). As a result, if the number of registered sequence management numbers in the entry 4351f exceeds the predetermined maximum registration number, the sequence management numbers are sequentially arranged from the oldest (lowest value) sequence management number so that the registration number falls within the predetermined maximum registration number. To delete.

On the other hand, the I / F section selecting section 432 determines from the path information table 435 the path information 4 having the entry 4352b in which the destination address range including the destination address of the packet received from the security processing section 44 is registered.
352a is searched (S8013). Then, the packet is transmitted to the output destination I / F registered in the entry 4352c of the detected route information 4352a (S801).
4). Here, the LAN I / F unit 4 is used as the output destination I / F unit.
2 is selected, and the packet is transmitted on the accommodation LAN 2.

The first embodiment of the present invention has been described.

In the present embodiment, the processing of generating additional information, adding the additional information to the packet, and calculating the processing data length is performed by the security processing unit 44. On the other hand, updating of variable information such as the sequence management number and the total processing data length registered in the definition information 4351a of the definition information master table 4351 is performed by the main control unit 43. Therefore, according to the present embodiment, each of the security processing units 44 can perform most of the additional processing other than the encryption / decryption processing of the packet. Further, a situation in which access from each security processing unit 44 to the definition information master table 4351 does not collide does not occur. Therefore, the packet processing performance of the entire cryptographic communication device can be improved as compared with the conventional cryptographic communication device.

In this embodiment, the main control unit 43
Determines that the security processing unit 44 that should perform encryption / decryption processing on a received packet is the security processing unit 44 with the smallest number of unprocessed packets. And
The received packet is sent to the determined security processing unit 44.
This is notified together with the definition information identification number for identifying the definition information of the encryption / decryption processing method to be applied to the received packet. Then, the security processing unit 44 reads definition information specified by the definition information identification number received together with the packet from the main control unit 43 from the definition information slave table 443, and performs encryption / decryption processing on the packet according to the definition information.

Therefore, according to the present embodiment, a plurality of security processing sections can be operated more evenly, so that a plurality of security processing sections can be effectively used, and compared with a conventional cryptographic communication apparatus. A plurality of security processing units can be operated flexibly.

Next, a second embodiment of the present invention will be described.

[0100] The present embodiment, in the first embodiment described above, and to allow hot swapping the security processing unit 44 to the encryption communication device 4 ₁ to 4 _n.

FIG. 9 shows a configuration example of cryptographic communication devices 4 ₁ to 4 _n to which the second embodiment of the present invention is applied. In the figure, components having the same functions as the cryptographic communication device of the first embodiment shown in FIG. 2 are denoted by the same reference numerals.

As shown in FIG. 9, the cryptographic communication devices 4 ₁ to 4 _n according to the present embodiment are mounted on the cryptographic communication device according to the first embodiment shown in FIG. It has a configuration in which a hot-swap controller 47 for controlling hot-swap of the security processing unit 44 to the mounting unit 46 is added. Here, the hot-swap controller 47 may be provided in the main controller 43. Also, as shown in FIG. 10, each processing unit status information 4353a stored in the processing unit status information table 4353
Entry 435 for registering usability information indicating whether the security processing unit 44 is in the usable state.
3d is added.

[0103] In the cryptographic communication device 4 ₁ to 4 _n having the above structure, when the security processing unit 44 is mounted to the mounting portion 46, the hot-swap controller 47 detects this. Then, the processing unit state monitoring unit 434 adds the processing unit state information 4353a for the attached security processing unit 44 to the processing unit state information table 4353.

FIG. 11 is a diagram for explaining an operation procedure when the security processing unit 44 is mounted on the mounting unit 46 in the present embodiment.

When the security processing section 44 is mounted on the mounting section 46, the security processing section 44 transmits a mounting signal including the security processing section identification number stored in the data storage section 443 in advance to S.
The data is transmitted to the hot-swap unit 47 via the BUS 45 (S1).
101).

When receiving the mounting signal, the hot-swap unit 47 detects that the security processing unit 44 has been newly mounted (S1102). Then, a request for creating processing unit state information including the security processing unit identification number included in the mounting signal is transmitted to the main control unit 43 via the SBUS 45 (S1103).

When the main control unit 43 receives the processing unit status information creation request, the processing unit status monitoring unit 434 sets the security processing unit identification number included in the request to entry 4.
The processing unit status information 4353a registered in the processing unit status information table 433b is created (S1104).
53 (S1105). At this time, entry 4
The availability information of 353d is set to “unavailability”.

Then, the processing unit status monitoring unit 434
Issue an initialization instruction to the security processing unit 44 having the security processing unit identification number via the BUS 45;
It waits until the initialization of the security processing unit 44 is completed (S1106). Here, the initialization process includes, for example,
The main control unit 43 reads the fixed information registered in each definition information 4351a from the definition information master table 4351, and stores them in the data storage unit 4 of the security processing unit 44.
43 is also included.

Next, when the initialization of the security processing section 44 is completed, the processing section state monitoring section 434 sets the use permission information registered in the entry 4353d of the processing section state information 4353a of the security processing section 44 to “use”. The status is changed from "impossible" to "usable" (S1107).

Further, in the cryptographic communication devices 4 ₁ to 4 _{n having} the above configuration, the hot-swap controller 47
When the removal request is received, the processing unit status monitoring unit 434 is notified of the request. The processing unit state monitoring unit 434 stores the processing unit state information 4353a for the security processing unit 44 whose removal has been requested into the processing unit state information table 4353.
Remove from.

FIG. 12 is a diagram for explaining an operation procedure when the security processing unit 44 is detached from the mounting unit 46 in the present embodiment.

Upon receiving the removal request of the security processing unit 44 (S1201), the hot-swap control unit 47 analyzes the contents of the removal request and identifies the security processing unit of the security processing unit 44 that has been requested to remove. The number is specified (S1202). Here, as a specific instruction method of the removal request, for example, a removal instruction command input from a terminal of a user having a predetermined authority (for example, a password) via the LAN I / F unit 42 or an input / output unit (not shown). Is received, and the hot-swap controller 4
7 and a method of causing the hot-swap controller 47 to detect a press-down signal of the removal request button provided in the security processing unit 44.

Next, the hot-swap controller 47 controls the SBUS4
Then, a request to delete the processing unit status information including the security processing unit identification number is transmitted to the main control unit 43 via the server 5 (S1203).

When the main control unit 43 receives the processing unit state information deletion request, the processing unit state monitoring unit 434 reads the security processing unit identification number included in the request from the processing unit state information table 4353 into the entry 4353b. The registered processing unit state information 4353a is searched (S120).
4), entry 4 of detected processing unit state information 4353a
"Usable" for the usability information registered in 353d
Is changed to "unusable" (S1205).

Next, the processing unit status monitoring unit 434 waits until the amount of unprocessed data registered in the entry 4353c of the processing unit status information 4353a is exhausted (S1206).
Then, when there is no unprocessed data, SBUS4
5, a stop instruction is issued to the security processing unit 44 having the security processing unit identification number, and the operation of the security processing unit 44 is stopped (S120).
7). Then, the processing unit status monitoring unit 434 stores the processing unit status information 4353a in the processing unit status information table 435.
3 (S1208), and transmits a removal preparation completion notification including the security processing unit identification number to the hot-swap controller 47 via the SBUS 45 (S1).
209).

Upon receiving the notice of completion of removal preparation, the hot-swap controller 47 sends a removal command to, for example, the mounting section 46 to which the security processing section 44 having the security processing section identification number is mounted. Then, the mounting section 46 is operated so that the mounted security processing section 44 can be physically separated. Then, the hot-swap controller 47 displays that the security processor 44 is removable (S1210). Here, as a method of indicating that the device can be removed, for example, LANI /
And how to display to that effect to the user's terminal with the F portion 42 or shown to have no predetermined connected via the input-output unit rights (eg password) provided to the encryption processing unit 4 ₁ to 4 _n There is a method of lighting a removable lamp.

It should be noted that the cryptographic communication devices 4 ₁ to 4 _{n according to the} present embodiment.
In S7006 and S8006, the operation procedure for transmitting a packet received from the accommodation terminal 3 via the accommodation LAN 2 to the WAN 1 and the operation procedure for transmitting a packet received from the WAN 1 to the accommodation LAN 2 are described in S7006 and S8006.
, The processing unit selection unit 431 selects the security processing unit 44 from the processing unit state information 4353a in which the availability information registered in the entry 4353d is available.
Is the same as the operation procedure of the first embodiment shown in FIGS. 7 and 8 except that is selected.

The second embodiment of the present invention has been described.

In this embodiment, the security processing unit 44
Together configured to removably inserted in the cryptographic communication unit 4 ₁ to 4 _n, and
Encrypted communication apparatus 4 ₁ to 4 _n, are provided hot-swap controller 47 to detect the security processing unit 44 that is mounted. Therefore, according to the present embodiment, when increasing or decreasing the security processing unit 44, even without a redesign and restructuring of the encryption communication apparatus 4 ₁ to 4 _n, the encryption communication apparatus 4 ₁ to 4 _n
Can be operated.

In the present embodiment, the cryptographic communication device 4 ₁
The processor status information 4353a for security processing unit 44 has been removed from to 4 _n, it is to be deleted from the processing unit status information table 4353. However, the processing unit status information 4353a is stored in the processing unit status information table 43
Instead of deleting the processing unit status information 435,
The availability information of the entry 4353d of the entry 3a may be changed from “available” or “unavailable” to “not mounted”. Further, when the encryption processor 44 is newly attached to the encrypted communication device 4 ₁ to 4 _n, processor status information 4353a for the security processing unit 44
Is retrieved from the processing unit state information table 4353, and if it can be detected, the availability information of the entry 4353d of the processing unit state information 4353a is changed from "not mounted" to "available" or "unavailable". The processing unit status information 4353a for the security processing unit 44 is stored only when the detection is not detected.
53 may be newly added.

Next, a third embodiment of the present invention will be described.

This embodiment is different from the above-described second embodiment in that the processing unit status monitoring unit 434 is provided with the security processing unit 44.
Is provided with an abnormality detection function.

FIG. 13 is a diagram for explaining an operation procedure when an abnormality of the security processing unit 44 is detected in the present embodiment.

The processing unit status monitoring unit 434 checks the entry 43
For each of the security processing units 44 corresponding to the processing unit state information 4353a in which “available” or “unavailable” is registered in 53d, the main control unit 43 transmits a packet to the security processing unit 44 last. , The response time until the main control unit 43 receives a new packet from the security processing unit 44 is monitored. If the security processing unit 44 that has not responded within a predetermined time is detected (S1301), the security processing unit 4
Entry 435 of the processing unit status information 4353a for No. 4
3d from "usable" or "unusable" to "abnormal"
(S1302) and entry 4353c
Clears the unprocessed data amount registered in (S13)
03).

Then, the processing unit status monitoring unit 434
A re-initialization command is issued to the security processing unit 44 via the BUS 45 (S1304), and a response to the re-initialization command from the security processing unit 44 is waited (S1).
305).

If the response indicates that the reinitialization has been completed normally, the entry 4353d of the processing unit status information 4353a for the security processing unit 44 is changed from "abnormal" to the original status ("usable"). Alternatively, it is changed to “unusable” (S1306). On the other hand, if the response indicates an abnormal end of re-initialization, or if the response is not received within a predetermined time, it is determined that the security processing unit 44 has failed, and the processing unit state monitoring unit 434 is determined.
Deletes the processing unit status information 4353a for the security processing unit 44 from the processing unit status information table 4353, or changes the entry 4353d of the processing unit status information 4353a from “abnormal” to “not mounted”. . Then, a failure detection notification including the security processing unit identification number of the security processing unit 44 is transmitted to the hot-swap controller 47 via the SBUS 45 (S130).
7).

When the hot-swap controller 47 receives the failure detection notification, the hot-swap controller 47, for example, mounts the security processing unit 44 having the security processing unit identification number.
6 is sent a removal command. Then, the mounting portion 46
Then, the operation is performed so that the attached security processing unit 44 can be physically separated. Then, the hot-swap controller 47 displays that the security processor 44 has failed (S1308). Here, as a display method of the failure, for example, a terminal of a user having a predetermined authority (for example, a password) connected via the LAN I / F unit 42 or an input / output unit (not shown) is used. to a method of displaying to that effect, and a method for lighting the failure detection lamp provided in the cryptographic processing unit 4 ₁ to 4 _n.

The other operation procedures of the present embodiment are as follows.
This is the same as in the first and second embodiments.

The third embodiment of the present invention has been described above.

In this embodiment, the security processing unit 44
Is detected, and the security processing unit 44 to be subjected to the encryption / decryption processing is selected from the security processing units 44 in which no abnormality is detected. Therefore, according to the present embodiment, when a certain security processing unit 44 breaks down, a situation in which encryption or decryption processing defined by certain definition information cannot be performed does not occur.

Next, a fourth embodiment of the present invention will be described.

In this embodiment, in the second embodiment, the main control unit 43 selects the security processing unit 44 to process a packet in consideration of the encryption / decryption method that can be processed by each security processing unit 44. I can do it.

[0133] FIG. 14 shows a configuration example of the fourth embodiment is applied cryptographic communication device 4 ₁ to 4 _n of the present invention. In the figure, FIG.
Those having the same functions as the cryptographic communication device of the second embodiment shown in FIG.

As shown in FIG. 14, a function definition table 4432 is added to the data storage unit 443 of the security processing unit 44 in the cryptographic communication devices 4 ₁ to 4 _n of the present embodiment. The function definition table 4432 stores a list of encryption algorithms (algorithm list) that can be processed by the security processing unit 44. As shown in FIG. 15, an entry 4353e for registering the algorithm list of the security processing unit 44 is added to each processing unit status information 4353a stored in the processing unit status information table 4353.

In the cryptographic communication devices 4 ₁ to 4 _{n having the} above configuration, the operation is performed at the time of initial operation of the mounted security processing unit 44 when power is turned on or when the security processing unit 44 is newly mounted. At the time of the initial operation of the security processing unit 44 (S1106 in FIG. 11),
The processing unit state monitoring unit 434 reads the algorithm list stored in the function definition table 4432 from the data storage unit 443 of the security processing unit 44 to be initially operated. Then, the read algorithm list is stored in the entry 4353e of the processing unit status information 4353a for the security processing unit 44 stored in the processing unit status information table 4353. Further, the processing unit status monitoring unit 434 reads out only the fixed information of the definition information 4351a in which the encryption algorithm included in the algorithm list is registered in the entry 4351h from the definition information master table 4351, and reads them. 44 to the data storage unit 443.

Further, in the cryptographic communication devices 4 ₁ to 4 _{n having} the above configuration, when transmitting a packet received from the accommodation terminal 3 via the accommodation LAN 2 to the WAN 1, or
When the security processing unit 44 performs the selection process (S7005 in FIG. 7 and S8006 in FIG. 8) performed when transmitting the packet received from the LAN 1 to the accommodation LAN 2, the processing unit selection unit 431 applies the packet to the processing target packet. Entry 43 of definition information 4351a that defines a power encryption or decryption method
The encryption algorithm registered in 51h searches the processing unit state information 4353a described in the algorithm list registered in the entry 4353e. Then, it selects from the security processing unit 44 having the detected processing unit state information 4353a.

As described above, the fourth embodiment of the present invention has been described.

In this embodiment, the security processing unit 44
Holds a list of encryption algorithms that can be processed by the security processing unit 44. Then, the security processing unit 44 that should cause the processing unit selection unit 431 to perform encryption / decryption processing on a new packet is determined from the security processing units 44 in which the encryption algorithm used for the encryption / decryption processing is registered in the list. Let me. Therefore, according to the present embodiment, it is possible to cause each security processing unit 44 to perform packet encryption / decryption processing even if the user does not know the encryption algorithm that can be processed by each security processing unit 44.

The present invention is not limited to the above embodiments, and various modifications are possible within the scope of the invention.

For example, in each of the above embodiments, when the cryptographic communication devices 4 ₁ to 4 _n do not perform an operation of receiving a packet from the WAN ₁ and transmitting it to the accommodation LAN 2, the security processing unit 44 The function necessary for performing the decoding process and the additional process accompanying the decoding process is unnecessary. On the other hand, the encryption communication devices 4 ₁ to 4 _n
When the operation of receiving a packet from the accommodation terminal 3 via the LAN and transmitting the packet to the WAN 1 is not performed, each of the security processing units 44 has a function required to perform a packet encryption process and an additional process accompanying the encryption process. Is unnecessary.

In each of the above embodiments, for example, the main control unit 43 copies the fixed information of each processing unit status information 4351a of the definition information master table 4351 to the definition information slave table 4431 of each security processing unit 44. Like that. However, each security processing unit 4
The fixed information of each processing unit status information 4351a may be stored in advance in the definition information slave table 4431 of No.4.

Alternatively, as in the case of the cryptographic communication device described in the related art, the security processing unit 44 that should process a packet may be associated in advance for each type of packet. Even in this case, the encryption and / or decryption processing and the additional processing accompanying the processing (generation of additional information,
The addition of the additional information to the packet and the calculation of the processing data length) can be performed by each security processing unit 44. In addition, the main control unit 43 can cause the variable information updated every time a packet is processed to be updated to the definition information master table 4353. Therefore, the packet processing performance of the entire cryptographic communication device can be improved as compared with the conventional cryptographic communication device.

In the above embodiment, as in the case of the cryptographic communication apparatus described in the background art, the encryption and / or decryption processing and all the additional processing (the generation of additional information, Each of the security processing units 44 may add the security information to the definition information master table 4353 (addition to the definition information master table 4353).
In this case as well, the processing unit selection unit 431 of the main control unit 43 dynamically selects the security processing unit 44 to process a packet, so that a plurality of security processing units can be operated flexibly and efficiently. it can.

The present invention is naturally applicable to an embodiment obtained by arbitrarily combining the above embodiments.

[0145]

As described above, according to the present invention,
In an encryption communication device including a plurality of encryption and / or decryption processing units that can operate in parallel, it is possible to improve packet processing performance. In addition, each of the plurality of encryption and / or decryption processing units can be operated flexibly and efficiently.

[Brief description of the drawings]

FIG. 1 is a diagram illustrating a configuration example of a communication system using an encryption communication device to which a first embodiment of the present invention has been applied.

FIG. 2 is a diagram illustrating a configuration example of an encryption communication device to which the first embodiment of the present invention has been applied;

FIG. 3 is a diagram showing an example of registered contents of a definition information master table used in the encryption communication device according to the first embodiment of the present invention.

FIG. 4 is a diagram showing an example of registration contents of a path information table used in the encryption communication device according to the first embodiment of the present invention.

FIG. 5 is a diagram illustrating an example of registered contents of a processing unit state information table used in the encryption communication device according to the first embodiment of the present invention.

FIG. 6 is a diagram showing an example of registered contents of a definition information slave table used in the cryptographic communication device according to the first embodiment of the present invention.

FIG. 7 is a diagram for explaining an operation procedure when the cryptographic communication device transmits a packet received from an accommodation terminal via an accommodation LAN to a WAN in the first embodiment of the present invention.

FIG. 8 is a diagram illustrating an operation procedure when the cryptographic communication device transmits a packet received from the WAN to the accommodation LAN in the first embodiment of the present invention.

FIG. 9 is a diagram illustrating a configuration example of an encryption communication device to which a second embodiment of the present invention has been applied.

FIG. 10 is a diagram showing an example of registered contents of a processing unit state information table used in the encryption communication device according to the second embodiment of the present invention.

FIG. 11 is a diagram illustrating an operation procedure when the security processing unit is mounted on the mounting unit in the encryption communication device according to the second embodiment of the present invention.

FIG. 12 is a diagram illustrating an operation procedure when the security processing unit is removed from the mounting unit in the encryption communication device according to the second embodiment of the present invention.

FIG. 13 is a diagram illustrating an operation procedure when an abnormality of a security processing unit is detected in the encryption communication device according to the third embodiment of the present invention.

FIG. 14 is a diagram illustrating a configuration example of an encryption communication device to which a fourth embodiment of the present invention has been applied.

FIG. 15 is a diagram illustrating an example of registered contents of a processing unit status information table used in the encryption communication device according to the fourth embodiment of the present invention.

[Explanation of symbols]

1 WAN, 2 ₁ to 2 _n ... LAN, 3 _{1 to} 3 _n ... communication terminals,
4 ₁ to 4 _n ... encryption communication device, 41 ... WAMI / F section 42
... LAN I / F part, 45 ... SBUS, 46 ... Mounting part, 4
7 hot-swap controller, 435, 443 data storage unit
431 ... Processing unit selecting unit, 432 ... I / F unit selecting unit, 43
3 ... definition information updating unit, 434 ... processing unit status monitoring unit, 44
DESCRIPTION OF SYMBOLS 1 ... Encryption / decryption unit, 442 ... Additional processing unit, 4351 ... Definition information master table, 4352 ... Route information table, 43
53: processing unit status information table, 4431: definition information slave table

 ──────────────────────────────────────────────────の Continuing from the front page (72) Inventor Mariko Kasai 1099 Ozenji Temple, Aso-ku, Kawasaki City, Kanagawa Prefecture Inside Hitachi, Ltd. Systems Development Laboratory (72) Inventor Hidemitsu Higuchi 1 Horiyamashita, Hadano-shi, Kanagawa Japan F-term (reference) in the Enterprise Server Division, Ritsusei Seisakusho 5J104 AA33 PA07 5K030 GA15 HA08 HC01 HC14 HD06 KA05 LB05 MB13

Claims (13)

[Claims] 1. A plurality of security processing units for encrypting a packet according to definition information defining an encryption processing method,
A main control unit for notifying a packet to the security processing unit, receiving an encrypted packet from the security processing unit, and transmitting the encrypted packet, the main control unit comprising: A variable information holding unit that holds variable information that needs to be updated for each packet encryption process of the definition information; and a packet corresponding to the type of the packet held in the variable information holding unit. Packet notifying means for notifying the security processing unit together with the variable information; and variable information updating for updating the variable information corresponding to the type of the packet notified by the packet notifying means and held in the variable information holding means. Means, and the security processing unit, the packet notified from the main control unit, the type of the packet A main processing unit that performs encryption processing in accordance with fixed information that does not need to be updated every time a packet is encrypted in the corresponding definition information; and generates additional information using the variable information notified together with the packet from the main control unit. And an additional processing unit that adds the packet to the packet that has been encrypted by the main processing unit and notifies the main control unit of the packet. 2. A plurality of security processing units for decrypting an encrypted packet in accordance with definition information defining a decryption processing method; and notifying the security processing unit of the encrypted packet, receiving the packet from the security processing unit, A main control unit for transmitting the same, wherein the main control unit holds, for each type of packet, variable information that needs to be updated for each packet decryption process in the definition information. Variable information holding means, a packet notifying means for notifying a packet to the security processing unit, and the packet held in the variable information holding means using predetermined information notified together with the packet from the security processing unit. And a variable information updating unit that updates the variable information corresponding to the type of the security processing unit. A main processing unit that decodes the packet notified from the main control unit according to fixed information that does not need to be updated for each packet decoding process among the definition information corresponding to the type of the packet; and The predetermined information is generated in accordance with the decrypted packet, and the predetermined information is generated together with the packet.
And an additional processing means for notifying the main control unit. 3. The encryption communication device according to claim 1, wherein the variable information holding unit holds, for each type of packet, the variable information and identification information of the definition information including the variable information. The packet notifying unit notifies the security processing unit of the identification information held in the variable information holding unit in association with the type of the packet together with the packet. And a fixed information holding unit for holding the fixed information of the definition information corresponding to the identification information for each of the identification information, wherein the main processing unit transmits the packet notified from the main control unit to the A cryptographic communication process according to the fixed information held in the fixed information holding means in association with the identification information notified together with a packet. Location. 4. A plurality of security processing units for encrypting a packet according to definition information defining an encryption processing method,
And a main control unit for notifying the security processing unit of the packet and receiving the processed packet from the security processing unit and transmitting the processed packet. A cryptographic communication method for encrypting a packet and transmitting the packet to a second information transmission medium, wherein the main control unit defines a cryptographic processing method to be applied to the packet. A step of notifying the security processing unit together with the previously held variable information that needs to be updated every time, and a step of updating the previously stored variable information. The processing unit may include a packet notified from the main control unit in the definition information that defines an encryption processing method to be applied to the packet. A step of performing encryption processing according to fixed information held in advance, which does not need to be updated every time the packet is encrypted, generating additional information using the variable information notified together with a packet from the main control unit, And sending the packet to the main control unit by notifying the main control unit of the encrypted packet. 5. A plurality of security processing units for decrypting an encrypted packet in accordance with definition information defining a decryption processing method, notifying the security processing unit of the encrypted packet, receiving the packet from the security processing unit, And a main control unit for transmitting the encrypted communication packet. The encrypted communication method includes: decoding an encrypted packet received from the first information transmission medium and transmitting the decrypted packet to the second information transmission medium using Notifying the main control unit of an encrypted packet to the security processing unit; and using a predetermined information notified together with the packet from the security processing unit, a decryption processing method applied to the decryption processing of the packet. A process for updating previously held variable information that needs to be updated for each packet decoding process in the definition information to be defined. The security processing unit, for each packet decryption process in the definition information defining the decryption process method to be applied to the encrypted packet notified from the main control unit. No need to update,
Performing a decoding process according to fixed information held in advance, and generating the predetermined information in accordance with the decoded packet, and notifying the generated information together with the packet to the main control unit. A cryptographic communication method, characterized in that: 6. A plurality of security processing sections for encrypting a packet according to definition information defining an encryption processing method,
A main control unit that notifies the security processing unit of the packet, receives the encrypted packet from the security processing unit, and transmits the encrypted packet, and the main control unit transmits the packet to the security processing unit. A packet notifying unit that notifies the security processing unit together with identification information of the definition information that defines an encryption processing method to be applied to the packet, wherein the security control unit corresponds to the identification information for each of the identification information A first definition information holding unit for holding the definition information; and a packet notified from the main control unit, held in the first definition information holding unit in association with the identification information notified together with the packet. Main processing means for performing a cryptographic process in accordance with the defined definition information and notifying the main control unit of the cryptographic process. Communication apparatus. 7. A plurality of security processing units for decrypting an encrypted packet in accordance with definition information defining a decryption processing method, notifying the security processing unit of the encrypted packet, receiving the packet from the security processing unit, A main control unit for transmitting the encrypted packet, wherein the main control unit transmits the encrypted packet together with identification information of the definition information defining a decryption processing method to be applied to the encrypted packet. A packet notifying unit for notifying the security processing unit, wherein the security processing unit, for each of the identification information, a first definition information holding unit for holding the definition information corresponding to the identification information; The encrypted packet notified by the unit is associated with the identification information notified together with the encrypted packet and the first definition And decoding in accordance with the definition information stored in the broadcast holding means, the cryptographic communication device according to claim this to have a main processing means for notifying the main control unit. 8. The encryption communication device according to claim 6, wherein the main control unit monitors, for each security processing unit, an unprocessed packet that is a packet notified to the security processing unit. Further comprising an unprocessed packet monitoring unit, wherein the packet notification unit notifies the security processing unit that the result of monitoring by the unprocessed packet monitoring unit indicates that the number of unprocessed packets is the least. An encryption communication device for determining a destination. 9. The encryption communication device according to claim 8, wherein the security processing unit is configured to be insertable into and removable from the encryption communication device, and the security communication unit is attached to the security processing unit. An encryption communication device, further comprising: mounting detection means for detecting a packet, wherein the packet notification means determines a notification destination of a packet from among the security processing units detected by the mounting detection means. 10. The cryptographic communication device according to claim 8, further comprising: failure detection means for detecting a failure of said security processing unit, wherein said packet notification means detects a failure by said failure detection means. An encryption communication device, wherein a destination of a packet notification is determined from among the security processing units that are not performed. 11. The encryption communication device according to claim 9, 9 or 10, wherein the security processing unit holds function information capable of specifying a processing method that can be processed by the security processing unit. The control unit further includes, for each of the identification information, a second definition information holding unit that holds the definition information corresponding to the identification information, and the packet notification unit determines a notification destination of the packet by identifying the packet. It is determined from the security processing unit that holds function information indicating that the processing method of the definition information held in the second definition information holding unit in association with the information can be processed. Encryption communication device. 12. A plurality of security processing units for encrypting a packet in accordance with definition information defining an encryption processing method, notifying the packet to the security processing unit, receiving an encrypted packet from the security processing unit,
And a main control unit for transmitting the packet. The cryptographic communication method includes: encrypting a packet received from a first information transmission medium and transmitting the encrypted packet to a second information transmission medium using an encryption communication device having the main control unit. Causing the control unit to notify the security processing unit of a packet together with identification information of the definition information that defines a cryptographic processing method to be applied to the packet; Encrypting the received packet in accordance with the definition information held in advance in association with the identification information notified together with the packet, and informing the main control unit of the encryption processing. Communication method. 13. A plurality of security processing units for decrypting an encrypted packet in accordance with definition information defining a decryption processing method, notifying the security processing unit of the encrypted packet, receiving the packet from the security processing unit, And a main control unit for transmitting the encrypted communication packet. The encrypted communication method includes: decoding an encrypted packet received from the first information transmission medium and transmitting the decrypted packet to the second information transmission medium using Causing the main control unit to notify the security processing unit of an encrypted packet together with identification information of the definition information defining a decryption processing method to be applied to the encrypted packet; The encrypted packet notified from the main control unit is previously associated with the identification information notified together with the encrypted packet. Decoding processing according to the held definition information,
A step of notifying the main control unit of this fact.