JP2003195750A - Atm channel cipher device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an ATM channel cipher device capable of simplifying processing and securing data secrecy without lowering an information speed. <P>SOLUTION: A cipher key control part 34 performs control so as to generate ciphering information according to predetermined rules. A cipher/decipher execution part 35 ciphers ATM cells to be transmitted to an ATM channel by a frame unit according to the generated ciphering information and deciphers ciphered ATM cells received from the ATM channel by the frame unit. Also, the cipher key control part 34 stores the ciphering information such as a cipher key and a cipher encoding form into an undefined area of a time slot and reports it to an opposing ATM cipher device. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an ATM line encryption device, and more particularly to communication data encryption of an information network composed of ATM communication lines using ATM cells.

[0002]

2. Description of the Related Art An ATM network is a network of high speed data transfer method using ATM (Asynchronous Transfer Mode) technology. Asynchronous Transfer Mode (ATM) is a communication method that transfers data in a fixed length format called ATM cells, where a network node transfers this ATM cell to the network only when there is data to transfer.

The structure of this ATM cell will be described with reference to FIG. FIG. 5 shows a block diagram of an ATM cell.
In FIG. 5, an ATM cell 51, which is a transfer unit on the ATM network, is a 5-byte cell header 52 and 48.
This is a fixed-length data format of 53 bytes in total, which includes an information field (payload) 53 of bytes. 54 to 59 show the structure of the cell header 52 portion. VPI5
Reference numeral 5 is a virtual path identifier field, VCI 56 is a virtual channel identifier field, and these are identifiers indicating a destination. The network node refers to these values and transfers the ATM cell to a predetermined destination.

In the ATM network, as a method of concealing communication data transmitted between terminals, there has been a conventional method.
A method of encrypting an ATM cell is common.

As an example of this method, the information field 53 for storing the ATM cell communication data is encrypted. Upon encryption of the information field 53 of the ATM cell, encryption information such as a necessary encryption key and encryption coding format is encrypted with the terminal device using a part of the information field (payload) 53. In this case, the encrypted information generated by the transmitting terminal device is inserted into a part of the information field to encrypt the information field of the ATM cell,
It is transmitted to the opposite terminal device. The opposite terminal device decrypts the data stored in the information field using the encrypted information set in a part of the information field of the received ATM cell.

At this time, a portion in which the encryption information such as the encryption key and the encryption encoding format is stored, and the cell header portion 52.
Cannot be encrypted with. Further, in order to store the encryption information such as the encryption key and the encryption encoding format in a part of the information field 53, it is necessary to disassemble and assemble the information field and recalculate the ATM cell header.

[0007]

In the prior art, the AT
Since the encryption information such as the encryption key and the encryption encoding format is set in a part of the information field of the M cell, and the other information fields are encrypted and transmitted to the opposite side encryption device, the following four problems occur. Dots occur.

First, the information speed is lowered because the encryption key other than the data or the encryption information such as the encryption encoding format is set in the information field.

Secondly, by storing the encryption information such as the encryption key and the encryption encoding format in a part of the information field, the AT
This requires disassembling and assembling M cells, which complicates the process.

Thirdly, the content of the information field changes, so that it is necessary to recalculate the ATM cell header.

Fourth, since it is not possible to encrypt all ATM cells, if the information field is monitored, there is a high possibility that it will be decrypted by a third party other than the communication partner, and the confidentiality of communication data will increase. The problem is that it cannot be secured.

It is an object of the present invention to provide an ATM line encryption device which can secure the confidentiality of data without degrading the information speed.

[0013]

In order to solve the above-mentioned problems, the ATM line cipher device of the present invention has a structure in which ATM cells are transmitted and received according to a predetermined frame structure.
An encryption key control unit connected to the TM line and configured to control to generate encryption information to be used as an encryption key for encryption and / or decryption according to a predetermined rule, and the encryption key control unit. Encryption / decryption executing means for encrypting the ATM cell to be transmitted to the ATM line in the frame unit according to the encrypted information, and decrypting the encrypted ATM cell received from the ATM line in the frame unit.

For example, between an ATM terminal and an ATM switch,
Alternatively, by installing the ATM line encryption device of the present invention between the ATM exchanges, it is possible to reduce communication speed without lowering the information speed and eliminating the processing such as ATM cell disassembly, assembly, and cell header recalculation. The ATM cell to be transmitted can be completely concealed.

[0015]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of an ATM line encryption device according to the present invention will be described below.

First, an outline of the ATM network will be described below. An ATM network is a network that uses ATM (Asynchronous Transfer Mode) technology. In this ATM network, all information is ATM
It is divided into fixed length information units called cells and transferred. ATMs in effect when the need to transfer information arises
Because of the method of transferring only cells, the information transfer speed from low speed to high speed is realized.

The ATM cell will be described with reference to FIG. As described above, in the ATM network, all information is divided into fixed-length information units and transferred, and the divided units are called ATM cells. As shown in FIG.
The ATM cell 51 has a fixed length of 53 bytes, of which 5 bytes is an area called a cell header 52. The cell header 52 is a general flow control field GF.
C54, VPI which is a virtual path identifier field
55, VC which is a virtual channel identifier field
I56, payload type field PT57, cell loss priority field CLP58, and header error control field HEC59. The virtual path identifier field VPI55 and the virtual channel identifier field VCI56 are the identifiers indicating the destinations in the user / network interface. Each ATM cell is transferred to the destination using this identifier.
Further, data can be stored and transmitted in an area called a 48-byte information field 48.

In the present embodiment, the information rate is not lowered, the disassembling / assembling of the information field of the ATM cell and the recalculation of the cell header are unnecessary, and all the fields of the ATM cell can be kept secret. In order to realize the above, a frame structure configured on the ATM communication line is used. The frame structure used in this embodiment is TTC.
6.312 standardized in standard JT-G703-a
It is a frame structure of the secondary group velocity of Mbit / s.

Referring to FIG. 4, 6.312 Mbit / s
The frame structure of the secondary group velocity will be described.

In FIG. 4, the secondary group velocity frame of 6.312 Mbit / s has 98 time slots (4
1) and 5 bits of Fbit. The time slot (41) is 8 bits. Also, one frame is composed of four frames. 6.312 Mbit
In the case of / s, the cycle of one frame is 125 μs. The ATM cells described above are ITU-T G.264. This secondary group velocity frame structure is mapped by the method defined in 804.

An ATM cell mapping method will be described with reference to FIG. In FIG. 6, the ATM cell 51 can be mapped in the 768-bit ATM cell mapping area 61 from the time slots TS1 to TS96. One frame is composed of 98 time slots and 5 bits of F bits, which is 789 bits in total. In the case of this mapping method, the time slot TS9
16 bits of 7 and 98 are undefined areas 43.

In the present embodiment, the frame structure constructed on the ATM communication line is used to perform the encryption on a frame-by-frame basis. As the encryption / decryption method, for example, a block encryption method or a stream encryption method can be used. In the stream encryption method, encryption / decryption can be performed by operating the encryption key and EX-OR for each bit of one frame, and processing can be performed at higher speed. Further, the encryption information such as the encryption key and the encryption encoding format is not stored in a part of the information field of the ATM cell as in the prior art, but the undefined area 43 is preliminarily set at the stage of initialization.
By storing and transmitting the encryption information indicating the encryption key, the encryption encoding format, etc., the encryption information is notified to the opposite ATM line encryption device. On the opposite ATM line encryption device side, the data flowing in the secondary group velocity frame structure is decrypted based on this encryption information. Further, after that, the encryption information used for encryption of the next frame is stored in the undefined area 43 and transmitted, so that the encryption information can be sequentially changed. This undefined time slot TS97, TS98 (43) and Fbit (4
By inserting a predetermined synchronization confirmation bit as encryption information in 4), it is possible to encrypt and decrypt data using the same encryption information on the transmitting side and the receiving side. By using the undefined area, it is not necessary to store the encryption information such as the encryption key and the encryption encoding format in the information field, and it is possible to realize the encryption method that does not reduce the information speed. Further, since encryption is performed in frame units instead of ATM cell units, complicated processing such as information field disassembly and reassembly and recalculation of the cell header due to rewriting of the information field are unnecessary, and ATM cell processing is unnecessary. . Therefore, it is possible to realize an encryption method that does not require disassembly of the information field, assembly processing, and recalculation of the cell header.

FIG. 7 shows a secondary group velocity frame structure during encrypted communication when the encryption method according to this embodiment is used. Referring to FIG. 7, in the present embodiment, an ATM cell mapping area 61 in which ATM cells are mapped and undefined time slots TS97 and TS98.
The data in (43) can be encrypted. Therefore, the time slots TS1 to TS98 are the hidden area 71. Therefore, since the ATM cell is completely encrypted, it is impossible for a third party to identify the ATM cell. According to the present invention, it is possible to realize an encryption method that can sufficiently secure the confidentiality of communication data.

Next, the structure of this embodiment will be described. FIG. 1 is an explanatory diagram showing the connection relationship of the ATM line encryption system according to the present embodiment. AT shown in FIG.
The example of the M line encryption system shows a system applied when communication is performed between terminals. This ATM line encryption system comprises ATM line encryption devices 13A and B. In FIG. 1, terminals 11A and 11B are terminals or servers that send and receive ATM cells. ATM switch 12
A and B exchange ATM cells according to the destination. ATM
The line encryption devices 13A and 13B are provided facing each other on the ATM line and perform encryption / decryption for each frame. ATM
The exchanges 12A and B are connected to the ATM terminals 11A and B and establish a secondary group rate frame structure between the opposite side ATM exchanges 12A and B. The ATM exchanges 12A and B may be connected to a plurality of terminals, and the ATM Forum
UNI 3.1 (4.0) and TTC standard JT-G703
It performs protocol conversion with -a and band limitation. A
The TM line encryption device 13 is the opposite side ATM line encryption device 1
3 is connected to the encrypted communication. The ATM line encryption device 13A encrypts, for each frame, the ATM cells transmitted from the terminal 11A and framed by the ATM switch 12A, and at the same time, encrypts the encrypted frame transmitted from the opposite ATM line encryption device 13B. Cryptographic communication is realized by decrypting. Similarly, in the ATM line cipher device 13B, the ATM cells transmitted from the terminal 11B and framed by the ATM switch 12B are encrypted frame by frame, and at the same time, the ATM cell cipher device 13A oppositely encrypted. Decode the frame.

Next, the structure of the ATM line encryption device will be described. FIG. 3 shows a block diagram of the ATM line encryption device according to the present embodiment. In FIG. 3, the ATM line encryption device 13 includes an ATM conversion unit 31 for converting into a format standardized by the TTC standard JT-G703-a.
An encryption / decryption processing unit 32 that performs a predetermined encryption process. A
The TM conversion unit 31 limits the bandwidth and ATM Foru.
m UNI3.1 (4.0) and TTC standard JT-G7
The ATM switch 12A shown in FIG.
It has the same function as B. When the ATM exchange 12 is connected to the outside, the ATM conversion unit 31 may not be provided in the ATM line encryption device 130. The encryption / decryption processing unit 32
An encryption key control unit 34 that manages and controls an encryption key, an encryption / decryption execution unit 35 that executes encryption and decryption of data,
An interface switching unit 36 that converts a line interface with an ATM line is provided. The encryption key control unit 34 controls to generate encrypted information according to a predetermined rule. The encryption / decryption execution unit 35 encrypts the ATM cells to be transmitted to the ATM line by the encryption key control unit 34 in the frame unit, and decrypts the encrypted ATM cell received from the ATM line in the frame unit. Further, as shown in FIG. 7, the encryption key control unit 34 sets the encryption information in predetermined time slots 97 and 98 of the frame structure and notifies the opposite ATM line encryption device of the encryption information. In addition, the encryption key control unit 34
The encryption / decryption executing unit 3 extracts the encryption information from the time slots 97 and 98 in the frame received from the ATM line.
5 executes decryption according to the extracted encryption information.

Next, with reference to FIGS. 8, 9 and 10, an example of a procedure for notifying encrypted information in the present embodiment will be described. FIG. 8 is an explanatory diagram showing a flow until encrypted communication is performed using the ATM line encryption device. Figure 9
Shows an explanatory diagram of the contents stored in the encryption key control unit 34 when a plurality of encryption keys are stored, and FIG. 10 shows the relationship between the encryption information and the processing method.

In the present embodiment, a state in which encryption synchronization is established is a state in which communication data is encrypted and decrypted using the same encryption information on the transmitting side and the receiving side. In order to confirm that the encryption is synchronized with the opposite encryption device, the encryption key control unit 34 causes the ATM encryption device to set time slots TS97 and TS98 in which arbitrary values can be set.
A predetermined encryption synchronization confirmation bit is inserted into Fbit44 as encryption information. Further, as shown in FIG. 8, in order to exchange the time information and the initial setting information indicating the encryption key between the apparatuses, the time slot TS97, TS98, and Fbit are used as the initial setting to encrypt the encryption with the opposite side encryption apparatus. The inter-apparatus initial setting information bit 81 is transmitted by the non-encrypted communication 88 which does not take time. The initial setting information is exchanged without encryption when the device is installed. As the inter-apparatus initial setting information bit 81, predetermined information of the current time and the encryption key is transmitted.

For example, when the encryption key control unit 34 stores a plurality of encryption keys, as shown in FIG.
The encryption key and the contract number are stored in the encryption key control unit 34 of the line encryption device 13 in association with each other. As the inter-apparatus initial setting information bit 81, the corresponding encryption key can be read and used by transmitting the contract number shown in FIG. Since the agreement number is not transmitted and the encryption key is not directly transmitted, the encryption key can be kept secret.

In the case of the opposite side encryption device using the non-paired encryption key, encrypted communication is performed by using the encryption key paired with the opposite side encryption device by the inter-device initial setting information bit 81. The confidentiality of the communication data can be maintained by stopping the encrypted communication with the opposite side encryption device and stopping the transmission and reception of the communication data. On the other side encryption device,
After receiving the initial setting information bit 82, the initial setting of the local station is performed according to the initial setting information, and the sending of the initial setting information bit 81 to the transmitting side is started. The cryptographic device that first transmits the inter-device initial setting information bit 81 receives the inter-device initial setting information bit 81 from the opposite side cryptographic device, and then the ATM cryptographic device uses the time slots 97, 98 and Fbit 44 as the encrypted information. A cryptographic synchronization confirmation bit 83 determined in advance between opposing devices is inserted. The transmission side encrypts the synchronization confirmation bit 83 according to the encryption key transmitted in the initial setting. The receiving side also receives the synchronization confirmation bit 83, decrypts it according to the encryption key, and if the decrypted encryption synchronization confirmation bit can be correctly decrypted into the predetermined synchronization confirmation bit 83, the encryption synchronization is determined. Can be regarded as the established state.

While the encryption synchronization is being established, the information from the terminal is stored in the information field. As a result,
The ATM line cipher device shown in FIG. 6 can establish cipher synchronization between the cipher devices by inserting a predetermined synchronization confirmation bit 83 in the time slots TS97, 98 (43) and Fbit (44) described above. . When it is confirmed that the encryption synchronization with the opposite side encryption device is established, after transmitting a predetermined number of multiframes in which empty cells are stored, the communication data in the information field is encrypted, and both sides set the encrypted communication start bit 85. Then, the encrypted communication 89 is started.

Even after the encryption synchronization is established, it is possible to detect the encryption synchronization loss by monitoring the predetermined synchronization confirmation bit 83. When the loss of encryption synchronization is detected, the encryption synchronization can be established again by the method described in this embodiment. In addition, various information bits such as setting information and time information can be stored during encrypted communication, and various information can be exchanged with the opposite encryption device.

Further, the encryption key may be changed during the encrypted communication. In this case, as shown in FIG.
The encryption information and the processing method are stored in advance in the encryption key control unit 34 of the M-line encryption device. For example, the processing method “contract No. +10” is the contract No. +10 as shown in FIG. When the encryption key of No. 1 is set, the contract No. is set to (1 + 10). 11 indicates that the encryption key of 11 is used. In this case, by transmitting "1111" as the encryption information to the time slots TS97, 98 (43) and Fbit (44), the encryption key is set to the rule NO. 11
Can be changed to the encryption key. After the notification of the change of the encryption key, the changed encryption key can be used for both transmission and reception from the next frame.

As shown in FIG. 7, as shown in the secondary group frame structure during the cryptographic communication after the cryptographic synchronization is established, the AT
Since the ATM cell mapping area 71 in which the M cells are mapped and the undefined area of the time slots TS 97, 98 (43) are kept secret, the encryption key, which is a parameter for encrypting the communication data, can be safely and securely stored. It can be changed arbitrarily.

FIG. 2 shows an ATM according to the second embodiment.
The block diagram of a line encryption communication system is shown. It is possible to construct a network type ATM line system by providing a plurality of ATM exchanges 12 and an ATM line encryption device 13 as shown in FIG. 2 based on the opposite line ATM line encryption system shown in FIG. it can. In FIG. 2, ATM
The exchanges 12A, B, C, D have the same functions as the ATM exchanges 12A, B shown in FIG.
31A ・ B ・ C ・ D, 132A ・ B ・ C ・ D, 133A
B, C, and D are ATM line encryption devices 13A shown in FIG.
-It has the same function as B. By providing the ATM line encryption devices facing each other, it is possible to conceal communication data.

As described above, the encryption method according to the first and second embodiments makes it possible to carry out encrypted communication in which communication data is kept secret without modifying the communication system using the ATM line. Further, the information speed is not lowered, the disassembling and reassembling of the information field of the ATM cell and the recalculation of the cell header are unnecessary, and the encryption of all the fields of the ATM cell can be executed.

[0036]

According to the present invention, it is possible to realize an ATM line encryption device which can secure the confidentiality of data without deteriorating the information speed.

[Brief description of drawings]

FIG. 1 is a block diagram showing a system configuration in a case where opposite cryptographic communication is performed between terminals using an ATM line encryption method according to the present invention.

FIG. 2 is a block diagram showing a system configuration when network type ATM line encryption communication is performed using the ATM line encryption method according to the present invention.

FIG. 3 is a block diagram showing a configuration of an ATM line encryption device according to an embodiment of the present invention.

FIG. 4 is a T applied to the ATM line encryption method of the present invention.
It is explanatory drawing which shows the frame structure of the secondary group velocity standardized by TC standard JT-G703-a.

FIG. 5 is a configuration diagram showing an ATM cell format.

FIG. 6 ITU-T G. It is explanatory drawing which shows the method of ATM cell mapping prescribed | regulated in 804.

FIG. 7 is an explanatory diagram showing a frame structure of a secondary group velocity during cipher communication after establishment of cipher synchronization.

FIG. 8 is an explanatory diagram showing a flow until encrypted communication is performed using the ATM line encryption device according to the present invention.

FIG. 9 is an encryption key control unit 34 when storing a plurality of encryption keys.
3 is an explanatory diagram of contents stored in FIG.

FIG. 10 is an explanatory diagram showing a relationship between encrypted information and a processing method.

[Explanation of symbols] 11A / B ... ATM terminal 12A / B ... ATM switch 13A / B ... ATM line encryption device 31 ... ATM conversion unit 32 ... Encryption / decryption processing unit 33 ... Protocol converter 34 ... Encryption key control unit 35 ... Encryption / Decryption Execution Unit 36 ... Interface part 41 ... Time slot 42 ... Time slot configuration 1 bit 43 ... undefined area 44 ... Fbit 45 ... 1 frame (789 bits) 46 ... Multi-frame 51 ... ATM cell 52 ... Cell header 53 ... Information field 54 ... GFC (general flow control field) 55 ... VPI (virtual path identifier field) 56 ... VCI (virtual channel identifier field) 57 ... PT (payload type field) 58 ... CLP (Cell Loss Priority Field) 59 ... HEC (header error control field) 61 ... ATM cell mapping area (TS1 to TS96) 71 ... Hidden area 81 ... Start sending of initial setting information bit between devices 82 ... Reception of initial setting information bit between devices 83 ... Sending encryption synchronization confirmation bit 84 ... Receiving encryption synchronization confirmation bit 85 ... Sending encrypted communication start bit 86 ... Receiving encrypted communication start bit 87 ... Start encrypted communication 88 ... Non-encrypted communication 89 ... Encrypted communication.

   ─────────────────────────────────────────────────── ─── Continued front page    (72) Minoru Sato, Inventor             216 Totsuka Town, Totsuka Ward, Yokohama City, Kanagawa Prefecture             Ceremony Hitachi Defense Systems             Within the department (72) Inventor Yoichi Hayakawa             216 Totsuka Town, Totsuka Ward, Yokohama City, Kanagawa Prefecture             Ceremony company Hitachi Advanced Systems (72) Inventor Yasuo Moroishi             216 Totsuka Town, Totsuka Ward, Yokohama City, Kanagawa Prefecture             Ceremony company Hitachi Advanced Systems (72) Inventor Tatsuya Minamijima             216 Totsuka Town, Totsuka Ward, Yokohama City, Kanagawa Prefecture             Ceremony company Hitachi Advanced Systems F-term (reference) 5J104 AA01 AA16 EA18 JA03 JA12                       NA01                 5K030 GA15 HA10 KA19 LD19

Claims (5)

[Claims] 1. An A connected to an ATM line through which ATM cells are transmitted and received according to a predetermined frame structure.
A TM line encryption device, which encrypts and / or encrypts in accordance with a predetermined rule.
Alternatively, an encryption key control means for controlling to generate encryption information to be used as an encryption key for decryption, and the ATM according to the encryption information generated by the encryption key control means.
An ATM line encryption device, comprising: encryption / decryption executing means for encrypting an ATM cell to be transmitted to a line in the frame unit and decrypting an encrypted ATM cell received from the ATM line in the frame unit. 2. The ATM line encryption device according to claim 1, wherein the encryption key control means sets the encryption information in a predetermined time slot of the frame structure, and the time in the received frame. An ATM line encryption device characterized in that encryption information is extracted from a slot, and the encryption / decryption executing means executes decryption according to the extracted encryption information. 3. The ATM line encryption device according to claim 1, further comprising a storage unit for storing a plurality of the encrypted information in association with predetermined identification information, wherein the encryption key control unit is the encryption / decryption device. The ATM line encryption device that generates the encryption information by reading the encryption information stored in the storage means according to the convention used by the execution means according to the protocol and opposes the identification information corresponding to the encryption information. ATM line encryption device characterized by instructing to. 4. An A connected to an ATM line through which ATM cells are transmitted and received according to a predetermined frame structure.
A TM line encryption device, comprising: an encryption key control means for controlling to generate encryption information to be used as an encryption key for encryption according to a predetermined rule; and an encryption generated by the encryption key control means. And an encryption execution means for encrypting an ATM cell to be transmitted to the ATM line in units of the frame according to the encryption information. 5. An A connected to an ATM line through which an ATM cell is transmitted and received according to a predetermined frame structure.
A TM line encryption device, comprising encryption key control means for controlling to generate encryption information to be used as an encryption key for decryption according to a predetermined rule, and an encryption key generated by the encryption key control means. An ATM line encryption device, comprising: decryption executing means for decrypting, in frame units, an encrypted ATM cell received from the ATM line in accordance with encryption information.