JP2007019633A - Relay connector device and semiconductor circuit device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent "leakage", "alteration" of data, "spoofing", "invasion" and "attack" on the Internet in communication with the outside without imposing burden such as installation of software or hardware on a personal computer. <P>SOLUTION: A relay connector device 100 is provided with a first PCI interface controller 1 for connecting to a PCMICA bus 20 from a PCMICA slot 200 and a second PCI interface controller 2 for connecting to a PCMICA bus 30 from a mobile data card 300, and these are connected to an internal bus 3. A configuration 4 including memory means such as a CPU 41, a flash ROM 42, an SDRAM 43 and an EEPROM 44 which are used for realizing functions of "TCP2" is connected to the internal bus 3. Thus, the configuration 4 realizes the functions of "TCP2". <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a relay connector device and a semiconductor circuit device suitable for use when, for example, electronic information is communicated by adding an encryption function to a TCP or UDP protocol located in a transport layer. More specifically, it is intended to prevent a security system in communication, in particular, “leakage” and “tampering” of data on the Internet, as well as “spoofing”, “entry” or “attack”.

  The inventor of the present application does not change the program of the upper application first, and in order to strengthen the function of preventing data leakage, falsification, impersonation, entry and attack, the encryption / decryption logic of the transmission side and the reception side A new encryption system TCP2 that provides an agreement and applies it to the payload of a protocol corresponding to TCP or UDP existing in the transport layer is provided (see, for example, Patent Document 1).

  In recent years, communication using the Internet has spread rapidly in society because anyone can access a computer on a network by connecting it to a network as long as it has a Windows PC. On the other hand, with the spread of Internet communication, social problems such as hackers and crackers intruding into other people's computer systems, seeing software and data, tampering with and destroying them. It is getting bigger.

  As a specific case of illegal interference, first of all, there is a system interference in which a large number of messages are sent from the network and the operation of the computer system is interrupted so that the central system cannot be used. If the host is overloaded due to this interference, the system may go down.

  In addition, there is an illegal interception of “illegal access and impersonation” that illegally obtains a host password, steals confidential information, or alters or destroys information. Some of these obstructions mean that the information held by the computer can be rewritten and the person can fall. In addition, fraudulent acts called spyware that sneak into specific computers and exploit personal sensitive data such as email addresses and passwords have also occurred. In this way, it is impossible to deny the possibility that so-called eavesdropping is frequently performed in which the contents of a database held by a computer connected to a network are illegally stolen.

  In addition, there is no risk of cyber terrorism caused by intentional stealing of personal information or cyber terrorism lurking inside the company at the site or server operator.

  In addition, fraudulent disturbances such as sending "viruses" that are programs that cause computer problems to other people's computers have recently been increasing. This sent virus infects a computer that used e-mail at home, and when it is connected to the company, the entire company computer is infected, or the virus destroys files in the computer. There are also problems such as bringing down the entire network.

  For this reason, as a function for preventing data “leakage”, “tampering”, etc. in communication on the Internet using conventional Transmission Control Protocol / Internet Protocol (TCP / IP) or User Datagram Protocol (UDP), IPsec ( IPSEC: Encrypted communication called Security Architecture for Internet Protocol (SSL) or Secure Socket Layer (SSL) is used.

  In general, encrypted communication includes a common key (also referred to as a secret key) encryption method and a public key encryption method, and IPsec often uses a common key encryption method. The common key cryptosystem has a feature that the encryption / decryption speed is faster than the public key cryptosystem. The common key encryption method used for IPsec is a method in which encryption and decryption are performed with the same key, and the key may be generated on either the transmission side or the reception side. In order to use a common key, it is necessary to pay close attention not to leak the contents to the outside when exchanging keys.

  A typical algorithm used in the common key cryptosystem is DES (Data Encryption Standard: a common key (secret key) encryption algorithm developed by IBM Corporation, USA). IPsec also uses this DES as one of the encryption algorithms. IPsec is standardized by the Internet Engineer Task Force (IETF), and this feature encrypts all communications sent from the host at the IP level, not just a specific application. In the point.

  As a result, the user can perform secure communication without being aware of the application. In addition, IPsec can change the encryption algorithm to be used without changing its own mechanism so that it can be used in the future. A 32-bit code called SPI (Security Pointer Index) is used as a common encryption key used in IPsec, and IKE (Internet Key Exchange) is used as a key exchange protocol. Furthermore, in IPsec, a protocol AH (Authentication Header) for integrity authentication is prepared.

  SSL is an HTTP protocol with security function developed by Netscape Corporation (currently merged with AOL). By using this protocol, the client and server can authenticate each other on the network, and credit card information It is possible to exchange highly confidential information such as. This prevents data eavesdropping, replay attacks (attack of eavesdropping on data flowing over the network and repeatedly sending data), spoofing (communication by pretending to be the person), data tampering, etc. be able to.

  6A shows an example of a protocol stack when performing encrypted communication using conventional IPsec, and FIG. 6B shows an example of a protocol stack when performing encrypted communication using conventional SSL. Yes.

  In the OSI reference model, the lowest layer (first layer) is the physical layer, the second layer is the data link layer, the third layer is the network layer, the fourth layer is the transport layer, the fifth layer is the session layer, and the sixth layer is The presentation layer and the top layer (seventh layer) are application layers. Seven layers in the OSI reference model are obtained by dividing the communication function into seven stages, and standard function modules are defined for each layer. In FIG. 6A, up to the fifth session layer is shown. The protocol stack is a software group in which protocols for realizing functions in each layer of the network are selected and stacked in a hierarchical manner.

  First, an outline of the OSI reference model will be described. The physical layer of the first layer is a layer that defines physical electrical characteristics of a signal line, a code modulation method, and the like. However, this layer alone is rarely defined and implemented alone, and is usually defined as, for example, the Ethernet standard together with the data link layer of the second layer.

  The data link layer of the second layer is a layer that defines data packetization, physical node address, packet transmission / reception method, and the like. This layer defines a protocol for exchanging packets between two nodes through a physical communication medium. Each node is assigned some address, and the packet destination is based on that address. And the packet is transmitted on the communication medium.

  There are various communication media such as copper wiring, radio, and optical fiber. Also, there are many types of connections (topologies) such as a bus type, a star type, and a ring type as well as a one-to-one facing connection. When the packet transmitted on the communication medium arrives at the receiving node, the packet is taken into that node and passed to a higher protocol layer.

  A NIC (Network Interface Card) driver arranged across the physical layer and the data link layer is an expansion board for connecting a personal computer, a printer, and the like to a local area network (LAN). If it is simply a network card, it is often connected to Ethernet.

  With this NIC driver, a node (device) that wants to transmit data monitors the availability of the cable and starts transmission when the cable is available. At this time, if a plurality of nodes start transmission at the same time, data collides in the cable and is destroyed, so both stop transmission and wait for a random time to resume transmission. Thus, a plurality of nodes can share a single cable and communicate with each other.

  The network layer of the third layer is a layer that defines a communication method between any two nodes. TCP / IP corresponds to the IP layer. In the data link layer, communication between nodes on the same network medium can be performed, but communication is performed while performing routing between any two nodes existing on the network by using the function. This is the role of this network layer.

  Here, routing refers to selecting and transmitting an optimum route when transmitting a packet to a target host in a TCP / IP network. For example, in Ethernet, only nodes on the same segment can communicate with each other. However, in the network layer, communication is performed by routing packets between two Ethernet segments.

  In addition, routing to a dial-up PPP (Point to Point Protocol) line that connects a computer to a network (Ethernet) through a telephone line, and routing to a dedicated line using optical fiber, regardless of the physical network medium. Packets can be routed to For this purpose, an address independent of a physical medium (IP address in the case of TCP / IP) is normally assigned to each node, and routing is performed based on this.

  Since IPsec encrypts all communications transmitted from the host at this network layer, that is, at the IP level, the user can enable secure communications without being aware of the application.

  The transport layer of the fourth layer is a layer that provides a function of performing communication between two processes executed on each node, and is a protocol layer. TCP corresponds to TCP / IP. Also, the network layer provides a function to perform communication between two nodes. By using this function, a virtual communication path without error can be provided between two processes (applications). It is the role of TCP.

  In other words, data can be sent at the network layer, but there is no guarantee that the data will reach the other party. There is no guarantee that the data will arrive correctly in the order of transmission. Therefore, in order to make it easy for applications to use, TCP provides an error-free communication path. If necessary, resend / restore data.

  In addition to TCP, UDP is also placed in this transport layer. The difference between UDP and TCP is that TCP is slower than UDP because it is a protocol that compensates for data. Is faster because there is no data compensation. TCP is used when mainly sending data as in communication between computers, and UDP is often used when sending voice and images like IP telephones. This communication system was first proposed in Patent Document 1 by the present inventor.

  The session layer of the fifth layer is a layer that defines the procedure of a session (from the start to the end of communication), and is a layer that establishes a connection between applications and enables communication. A socket arranged in this layer means a network address that combines an IP address corresponding to an address in the network of the computer and a port number that is a sub-address of the IP address.

  When connecting computers, be sure to specify a socket (a pair of IP address and port number). As shown in FIG. 6B, SSL, which is a conventional typical encrypted communication technology, realizes encrypted communication in this session layer.

  The sixth presentation layer is a layer that prescribes a representation method, encoding, encryption, and the like of data exchanged in a session (from the start to the end of communication). In the TCP / IP protocol, there is no portion corresponding to this layer, and normally, the application itself handles stream data processing.

  The application layer of the seventh layer is a layer for defining data exchange between applications, and there is no portion corresponding to this layer in the TCP / IP protocol. For example, it is a layer that defines a common data structure and the like necessary for exchanging data between applications such as an e-mail format and an internal structure of a document.

  6A is a standard protocol stack equipped with IPsec. First, NIC (Network Interface Card) drivers are provided in the physical layer (first layer) and the data link layer (second layer). This driver is a driver for an interface card for connecting hardware such as a computer to a network, and its contents are data transmission / reception control software. For example, a LAN board or a LAN card for connecting to Ethernet corresponds to this.

  The network layer of the third layer has an IP emulator partially extending to the transport layer (fourth layer). A function as a transport is not mounted on the portion extending to the transport layer. It only provides network layer functionality to the session layer. This IP emulator functions to switch between a protocol that performs encrypted communication by IPsec and an IP that is a protocol that does not perform encrypted communication, depending on the application.

  An ARP (Address Resolution Protocol) is arranged in the third network layer. This ARP is a protocol used to obtain a MAC (Media Access Control) address, which is an Ethernet physical address, from an IP address. The MAC is a transmission control technique used in a LAN or the like called medium access control, and is used as a technique for specifying a frame transmission / reception method, a frame format, error correction, and the like as a data transmission / reception unit.

  In addition, to this network layer, in order to efficiently deliver the same data to a plurality of hosts or to receive the delivery, there is ICMP (Internet Control Message Protocol) which is a protocol for transferring IP error messages and control messages. IGMP (Internet Group Management Protocol), which is a protocol for controlling a group of configured hosts, is provided. TCP and UDP are arranged in the transport layer above the network layer, and a socket interface is arranged in the session layer which is the upper layer.

  B of FIG. 6 is an example of a standard protocol having SSL as an encryption processing protocol. SSL is mounted on a socket (session layer) instead of mounting IPsec on the network layer. Other protocols are the same as those shown in FIG.

  Among typical encryption communication technologies in the past, IPsec is a method for encrypting and transmitting and receiving IP packets. Therefore, IPsec is used as application software that uses higher-level protocols such as TCP and UDP. There is no need to be aware that

  On the other hand, in SSL, digital certificates using RSA (Rivest Shamir Adleman: an acronym for three developers of public key cryptography) public key cryptography are used at the mutual authentication level, and DES is used for data encryption. Common key encryption technology is used. Since this SSL is in the session layer of the fifth layer, it depends on a specific application.

  IPsec is realized as a function for preventing data “leakage” and “tampering” in the third layer (network layer) lower than the fourth layer (transport layer) in OSI (see Non-Patent Document 1). ). On the other hand, SSL is an encryption technology in the session layer of the fifth layer, and encrypts data such as WWW (World Wide Web) and FTP (File Transfer Protocol) that are widely used in the Internet at present, It is for safely transmitting and receiving information related to privacy and confidential business information.

  Table 1 shown in FIG. 7 shows a comparison between IPsec and SSL functions. As can be seen from this table, IPsec and SSL have advantages and disadvantages that conflict with each other.

  For example, in the communication between the client and the client, in the case of SSL, since the command system and the communication content become a master-slave relationship, that is, a client / server, communication between the client and the client cannot be performed without going through the server. It was. That is, when secret data is sent from terminal A to terminal B after being encrypted by SSL, a server must be interposed between them. On the other hand, since there is no such restriction in IPsec, direct communication is possible.

  In addition, in a PPP (Point to Point Protocol) mobile environment or an ADSL (Asymmetric Digital Subscriber Line) environment, IPsec performs encryption determination, key exchange, and mutual authentication before starting encrypted data communication. In communication using the IKE (Internet Key Exchange) protocol, which is a protocol to be used, the other party is authenticated.

  Therefore, in the PPP mobile environment (remote client) or ADSL environment, the IP address cannot be fixed, so the IKE main mode that is most used between the IPsec gateways, that is, the IP address information of the communication partner at the time of authentication. Cannot use the mode to use.

  As a solution, by using the Aggressive mode, it is not necessary to use an IP address for ID information. For example, user information is used for ID information, and a user password is used for a known shared key. The partner can be specified. However, in the Aggressive mode, since the ID of the connection partner is transmitted in the same message as the key exchange information, the ID is transmitted as plain text without being encrypted.

  In addition, by using XAUTH (Extended Authentication within IKE), the problem of authentication can be solved. However, since the IP address is unknown for access from a remote client in the firewall setting, IKE and IPsec are not used. All must be allowed, leaving a security problem. SSL can communicate even in this environment.

  Further, IPsec has a problem that it cannot cope with NAT (Network Address Translation) or IP masquerade. In order to deal with these, it must be used in combination with other functions such as loading on the UDP payload.

  NAT is a technology that allows companies connected to the Internet to share a single global IP address among multiple computers. An IP address (local address) that can be used only within an organization and an Internet address (global address) are used. It is a technology for mutual conversion. NAT cannot be supported because the IP header is within the authentication range of AH (Authentication Header), so it is not possible to convert global addresses from each other, and communication between local addresses in different subnets becomes impossible. is there.

  IP masquerade is a mechanism that allows a plurality of clients having private addresses in the LAN to access the Internet. When this is used, IP masquerade operates from the outside (Internet). It can be said that it is desirable from the viewpoint of security because only the terminal that is present can be seen. The reason why IPsec cannot cope with IP masquerading is that the IPsec ESP (Encapsulating Security Payload) header is immediately after the IP header.

  A normal router equipped with IP masquerading determines that there is a TCP / UDP port number immediately after the IP header. Therefore, since this port number is changed when passing through a router equipped with IP masquerade, IPsec determines that it has been tampered with, and there arises a problem that the host cannot be authenticated. This problem can be avoided by using a product that supports NAT-T (NAT-Traversal) for mounting on the UDP payload.

  However, if the draft version of NAT-T is different, even NAT-T compatible products cannot be connected. SSL can communicate even in this environment.

  On the other hand, SSL is ineffective against various attacks on TCP / IP by unauthorized intruders of networks called hackers and crackers, so-called DoS attacks (Denial of Service). When a DoS attack to the TCP / IP protocol stack, for example, a TCP disconnection attack is performed, the TCP session is cut and the SSL service is stopped.

  Since IPsec is implemented in the third layer (IP layer), since the IP layer has a security function, it is possible to prevent a DoS attack on TCP / IP (fourth layer, third layer). However, since SSL is an encryption protocol implemented in a layer (fifth layer) above TCP / IP (fourth layer, third layer), it cannot prevent a DoS attack on TCP / IP. .

  Furthermore, SSL is more effective than IPsec for communication in a poor communication environment where there are many physical noises and many communication errors occur. In other words, when IPsec detects an error, it leaves the retransmission operation to the upper TCP. TCP sends retransmission data to IPsec, but IPsec cannot recognize that it is this retransmission data and re-encrypts it. Since SSL performs error recovery processing with TCP, the same data is not re-encrypted.

  Also, communication between different LANs is not possible with IPsec. That is, since distribution management of subnet addresses in the LAN is managed by a DHCP (Dynamic Host Configuration Protocol) server in the LAN, the same subnet address is not allocated in the LAN, but different LANs. In the case of communication between the two, the DHCP server in each other's LAN individually assigns a subnet address, so there is a possibility that the same address is assigned.

  When the same address is assigned in this way, communication cannot be performed by IPsec. However, if an IPsec-DHCP server is set up separately and managed so as not to have the same address, communication is possible. Since SLL is located in the fifth layer (session layer) of the OSI reference model as described above, it can perform error recovery processing with lower layer TCP and communicate even in the above-mentioned poor environment. Is possible.

  Also, for communication under different network environments, IPsec has to manage all the nodes through which it has to change settings so that IPsec can pass through. Even under the environment, it is possible to communicate without being aware of the environment of the node through which it passes.

  In addition, since SSL does not support UDP communication, it is not possible to perform encrypted communication of UDP. Since TCP also supports only a specific port, it is impossible to perform cryptographic communication on all TCP ports. On the other hand, IPsec can perform encrypted communication using either UDP or TCP.

  Furthermore, SSL is problematic in that it is not compatible with applications. An application uses a socket (5th layer) as a program interface when performing Internet communication. For this reason, when an application uses SSL (5th layer), this socket interface must be changed to an SSL interface. Therefore, SSL does not have application compatibility.

  On the other hand, since IPsec is located below the socket (5th layer), the application can use the socket (5th layer) as a program interface as it is, so that the application is compatible. In addition, IPsec can be controlled in units of IP addresses, whereas SSL is controlled in units of sources (URL units, folder units).

  Further, IPsec has a problem that the maximum segment size becomes small. In other words, since the ESP header and ESP trailer are used in IPsec, the payload becomes small, so that fragments (packet division) occur and throughput decreases. In addition, since fragmentation is prohibited in a TCP packet, it is necessary to grasp the environment through which IPsec passes at the end end and set the maximum segment size at which no fragment occurs. On the other hand, since SSL does not need to grasp the environment through which it passes, it is not necessary to set the maximum segment size.

  The function comparison between IPsec and SSL has been described with reference to Table 1 (FIG. 7). However, as described above, IPsec and SSL have both strengths and weaknesses that conflict with each other. In contrast, the inventor of the present application has previously proposed TCP2, which is an epoch-making encryption communication protocol that includes all the advantages of IPsec and SSL and has many other merits (see Patent Document 1). .)

  That is, in the invention described in Patent Document 1, it is not necessary to implement an “encryption function” for preventing unauthorized entry into a computer terminal in each application program, and therefore it is necessary to recreate the application program itself. In addition, communication with a communication partner that does not support the above-mentioned encryption function can be performed in the conventional plaintext, and further, the benefits of encryption and authentication can be obtained even in an environment where IPsec cannot be used (or a situation where it is not desired to use). .

  FIG. 8 shows a protocol stack used in an embodiment of the encrypted communication system previously proposed by the present inventor in Patent Document 1. In FIG.

  As shown in FIG. 8, the protocol stack used in the invention described in Patent Document 1 includes a NIC (Network) in a layer corresponding to the physical layer (first layer) and the data link layer (second layer) of the OSI 7 layer. Interface Card) driver 11 is arranged. As described above, this driver is a driver for an interface card for connecting hardware such as a computer to a network, and its contents are data transmission / reception control software. For example, a LAN board or a LAN card for connecting to Ethernet corresponds to this.

  In the third network layer, there is an IP emulator 3 partially extending to the transport layer (fourth layer). A function as a transport is not mounted on the extended portion. It only provides the network layer functions for the session layer. The IP emulator 3 functions to switch between “IPsec on CP” 13b and “IP on CP” 13a, which are protocols for performing encrypted communication, depending on the application. Here, “on CP” means that it is subject to monitoring, destruction, disconnection or passage restriction of “entry” and “attack” by a cracking protector (CP), or that can be set. Show.

  In the network layer, “ARP on CP (Address Resolution Protocol on Cracking Protector)” is arranged. This “ARP on CP” is a protocol used to obtain a MAC (Media Access Control) address, which is an Ethernet physical address, from an IP address provided with a protection measure against a cracker. The MAC is a transmission control technique used in a LAN or the like called medium access control, and is used as a technique for specifying a frame transmission / reception method, a frame format, error correction, and the like as a data transmission / reception unit.

  Here, the IP emulator 13 is software or firmware for matching various security functions according to the present invention with a conventional IP peripheral stack. That is, ICMP (Internet Control Message Protocol) 14a, which is a protocol for transferring IP error messages and control messages, and a group of hosts configured to efficiently deliver or receive the same data to a plurality of hosts Software (IGMP) 14b, TCP15, UDP16, and software for matching with the socket interface 17 or firmware or hardware (electronic circuit, electronic component) is there. This IP emulator 13 can perform adaptation processing before and after IPsec encryption / decryption and addition / authentication of necessary authentication information.

  In the upper transport layer (fourth layer) of the IP emulator 13, a TCP emulator 15 and a UDP emulator 16 are arranged. The TCP emulator 15 functions to switch between “TCPsec on CP” 15b, which is a protocol for performing encrypted communication, and “TCP on CP” 15a, which is a normal communication protocol. Similarly, the UDP emulator 16 functions to switch between “UDPsec on CP” 16b, which is a protocol for performing encrypted communication, and “UDP on CP” 16a, which is a normal communication protocol.

  The most characteristic feature of Patent Document 1 is that the transport layer (fourth layer) is equipped with encrypted communication protocols of TCPsec 15b and UDPsec 16b. TCPsec15b and UDPsec16b will be described later.

  In the session layer (fifth layer), which is an upper layer of the transport layer (fourth layer), a socket interface 17 for exchanging data with protocols such as TCP and UDP is provided. The meaning of this socket is a network address that combines an IP address corresponding to an address in the network of a computer and a port number that is a sub-address of the IP address as described above. It consists of a single software program module (execution program, etc.) or a single hardware module (electronic circuit, electronic component, etc.) that is added or deleted collectively.

  The socket interface 17 provides a unified access method from a higher-level application, and maintains the same interface as in the past, such as the types and types of arguments.

  The TCP emulator 15 has a function of preventing data leakage / falsification in the transport layer, that is, a TCPsec 15b having functions such as encryption, integrity authentication and partner authentication, and such encryption, integrity authentication, and partner It has a function of distributing packets to any one of the normal protocols TCP15a having no function such as authentication. Further, since both the TCPsec 15b and the TCP 15a are provided with a cracking protector (CP), it is possible to realize a function of protecting against “entrance” and “attack” by a cracker, regardless of which one is selected. The TCP emulator 15 also serves as an interface with a socket, which is an upper layer.

  Further, as described above, TCP has an error compensation function, whereas UDP does not have an error compensation function, but has a feature that the transfer speed is correspondingly faster and a broadcast function is provided. As with the TCP emulator 15, the UDP emulator 16 has a function of preventing data leakage / falsification, that is, a UDPsec 16b having functions such as encryption, integrity authentication and counterpart authentication, and such encryption, integrity authentication, And has a function of distributing the packet to any one of the normal protocols UDP 16a having no function such as counterpart authentication.

  As shown in FIG. 8, socket 17, TCP emulator 15, UDP emulator 16, "TCPsec on CP" 15b, "UDPsec on CP" 16b, "TCP on CP" 15a, "UDP on CP" 16a, "ICMP on CP" ”14 a,“ IGMP on CP ”14 b, IP emulator 13,“ IP on CP ”13 a, and“ ARP on CP ”12 are protocol stacks for performing the encryption processing of the present invention. This protocol stack is generically called TCP2.

  Note that “IPsec on CP” 13b is not included as essential in TCP2, but TCP2 including “IPsec on CP” 13b may be used.

  TCP2 disclosed in Patent Document 1 includes standard protocol stacks of TCP, UDP, IP, IPsec, ICMP, IGMP, and ARP, in addition to the protocol stack for performing the above-described encryption processing. And, CP (cracking protection) is implemented in these standard protocols, attacks from communication against each protocol stack, and attacks from application programs (Trojan horse, program tampering, unauthorized use by authorized users, etc.) To be able to defend.

  Also, in TCP2, a TCP emulator 15 is mounted, and this TCP emulator 15 is outwardly mounted in order to maintain compatibility when viewed from the socket 17 in the session layer and the IP emulator 13 in the network layer. It can look the same as standard TCP. Actually, the TCP2 function is executed by switching between TCP and TCPsec. TCPsec is an encryption and authentication function in the transport layer according to the present invention.

  Similarly, in TCP2, the UDP emulator 16 is mounted, and the UDP emulator 16 is compatible with the socket 17 that is a session layer and the IP emulator 13 that is a network layer in order to maintain compatibility. From the outside, it can be shown as standard UDP. Actually, as a function of TCP2, UDP and UDPsec are switched and executed. UDPsec is an encryption and authentication function in the transport layer, which is the invention described in Patent Document 1.

  Next, TCPsec15b and UDPsec16b, which are functions that prevent “data leakage”, which is a particularly important function in TCP2, will be described.

  As an encryption / decryption method (algorithm, logic (logic)) for TCPsec15b and UDPsec16b, a known secret key (common key) encryption algorithm is used. For example, DES (Data Encryption Standard), which is a secret key encryption algorithm developed by IBM in the 1960s, and 3DES as an improved version thereof are used.

  As another encryption algorithm, IDEA (International Data Encryption Algorithm) announced by James L. Massey and Xuejia Lai of Swiss Institute of Technology in 1992 is also used. In this encryption algorithm, data is divided into 64-bit blocks and encrypted, and the length of the encryption key is 128 bits. It is designed to have sufficient strength for linear cryptanalysis and differential cryptanalysis that efficiently decrypt private key cryptography.

  In addition, as encryption methods of TCPsec15b and UDPsec16b used in the invention described in Patent Document 1, encryption methods such as FEAL (Fast Data Encipherment Algorithm), MISTY, and AES (Advanced Encryption Standard) are also used, and they are created independently. A secret encryption / decryption algorithm can be used. Here, FEAL is an encryption method developed by Nippon Telegraph and Telephone Corporation (at that time), and is a secret key type encryption method that uses the same key for encryption and decryption. This FEAL has an advantage that encryption and decryption can be performed at a higher speed than DES.

  Next, MISTY, which is also an encryption method used in the invention described in Patent Document 1, is a secret key type encryption method developed by Mitsubishi Electric Corporation, and divides data into 64-bit blocks as in IDEA. To encrypt. The key length is 128 bits. The same program is used for encryption and decryption as in DES. This method is also designed to have sufficient strength against linear cryptanalysis and differential cryptanalysis that efficiently decrypt private key cryptography.

  AES is the next-generation standard encryption method of the US government, which is being selected by the US Department of Commerce's Standard Technology Bureau, as the next-generation encryption standard to replace DES, which is the current standard encryption method. Development has been advanced. Among a number of ciphers that were collected by public recruitment around the world, in October 2000, the Rijndael method developed by Belgian crypto developers Joan Daemen and Vincent Rijmen was adopted.

  As described above, as the TCPsec15b and UDPsec16b encryption methods applied to the invention described in Patent Document 1, various known secret key encryption algorithms can be adopted, and the user has independently developed the encryption methods. A secret key (common key) encryption method can also be used.

  Furthermore, as a method of “other party authentication” and “integrity authentication” for preventing so-called “spoofing” and “data falsification”, an algorithm using a public key or pre-shared, for example, MD5 Authentication algorithms such as (Message Digest 5) and SHA1 (Secure Hash Algorithm 1) are used. An algorithm using a unique one-way function may be employed instead of such a known authentication algorithm.

  This MD5 is one of hash functions (one-way summarization functions) used for authentication and digital signatures, generates a fixed-length hash value based on the original text, and compares it at both ends of the communication path. It is possible to detect whether the original text has been tampered with during communication. This hash value takes a value like a pseudo random number, and based on this value, the original text cannot be reproduced. It is also difficult to create another message that generates the same hash value.

  SHA1 is also one of hash functions used for authentication, digital signatures, etc., and generates a 160-bit hash value from the original text of 2 <64> bits or less and compares it at both ends of the communication path. It detects the alteration of the original text. This authentication algorithm is also employed in IPsec, which is a typical example of conventional encrypted communication on the Internet.

These authentication algorithms are designed to enable secure key exchange using the DH (Diffie-Hellman) public key distribution method or the IKE (Internet Key Exchange) protocol (UDP 500) similar to IPsec. Moreover, it is scheduled by a protocol driver program (TCPsec15b, UDPsec16b, etc.) so that the encryption / integrity authentication algorithm (logic) itself and the key set / domain for that purpose are changed periodically.
International Publication WO 2005/015825 A1 R. Atkinson, August 1995 `` Security Architecture for the Internet Protocol '' RFC1825

  As described above, in the invention described in Patent Document 1, by using TCP2 proposed by the present inventor, data leakage, falsification, spoofing, intrusion, and attack prevention functions without changing the upper application program The encryption and decryption logic is negotiated between the transmission side and the reception side, and a new encryption system that applies this to the payload of the protocol corresponding to TCP or UDP existing in the transport layer is realized. can do.

  However, in the invention described in Patent Document 1 described above, TCP2 proposed by the present inventor is mounted on a personal computer in the form of software or hardware. However, in order to implement such software or hardware on a personal computer, it is necessary to carry out the work for the implementation, and the implementation of such software or hardware causes the personal computer itself to be implemented. The burden will also increase.

  That is, in order to mount software or hardware on a personal computer, as described above, work for the mounting is necessary, and the burden on the personal computer itself increases. On the other hand, the above-described encryption system using TCP2 is intended to prevent “leakage” and “tampering” of data on the Internet, as well as “spoofing”, “entry” or “attack”, and is exclusively for personal use. It is used in communication between a computer and the outside.

  The present invention has been made in view of such problems, and an object of the present invention is to provide a personal computer without burdening the personal computer with software or hardware. In the communication with the outside, the TCP2 function previously proposed by the present inventor can be realized by simple means.

  In order to solve the above-mentioned problems and achieve the object of the present invention, the invention described in claim 1 adds an encryption function to the TCP or UDP protocol located in the transport layer to communicate electronic information. A relay connector device for use in performing, wherein a first connection means connected to a media connection means of a computer main body and a second connection means connected to an external medium are provided, and opposite counterparts A protocol encryption unit that negotiates a corresponding encryption and decryption logic with the device, and a protocol encryption that is encrypted and transmitted according to the encryption logic determined by the protocol determination unit at least among the packets as information units to be transmitted and received And the received encrypted TCP or UDP protocol payload by the determining means. A relay connector device characterized in that it comprises a protocol decrypting means for decrypting according to the decryption logic and performs communication based on the encryption and decryption logic using the TCP or UDP protocol of the transport layer .

  Further, in the relay connector device according to claim 2, encryption and decryption logic that can be an agreement candidate by the encryption and decryption logic decision means is stored in a memory or a circuit, and this arrangement is stored or implemented. It further comprises logic changing means for periodically changing encryption and decryption logic which can be candidates.

  In the relay connector device according to the third aspect, the means for determining the encryption and decryption logic can determine that the plaintext is handled without encryption in relation to the encryption and decryption logic. It is a thing.

  Furthermore, in order to achieve the object of the present invention, the invention described in claim 4 is used when communicating electronic information by adding an encryption function to the TCP or UDP protocol located in the transport layer. A semiconductor circuit device, an agreement means for negotiating corresponding encryption and decryption logic with a counterpart device, and an encryption decided at least by a protocol payload among packets as information units to be transmitted and received A transport layer comprising: protocol encryption means for encrypting and transmitting in accordance with the encryption logic; and protocol decryption means for decrypting the received encrypted TCP or UDP protocol payload according to the decryption logic negotiated by the decision means Encryption and decryption logic using TCP or UDP protocol A semiconductor circuit device characterized by performing communication based on click.

  Further, in the semiconductor circuit device according to claim 5, encryption and decryption logic that can be an agreement candidate by the means for determining encryption and decryption logic is stored in a memory or a circuit, and this arrangement is stored or implemented. It further comprises logic changing means for periodically changing encryption and decryption logic which can be candidates.

  In the semiconductor circuit device according to the sixth aspect of the invention, the means for determining the encryption and decryption logic can determine that the plaintext is handled without encryption in relation to the encryption and decryption logic. It is a thing.

  As described above, according to the present invention, the TCP2 function previously proposed by the present inventor is installed in a relay connector device or formed as a semiconductor circuit device, so that software for personal computers can be provided. "Leakage" and "tampering" of data on the Internet, as well as "spoofing", "entrance" or "intrusion" in communication between a personal computer and the outside, without incurring the burden of installing hardware or hardware. "Attack" can be prevented.

  Embodiments of the present invention will be described below with reference to the drawings. FIG. 1A shows a configuration of an embodiment of a relay connector device to which the present invention is applied. That is, in FIG. 1A, the relay connector device 100 of this example is provided between, for example, a PCMICA (Personal Computer Memory Card International Association) slot 200 of a computer and an existing mobile data card 300 connected thereto. However, as shown in FIG. 1B, it is provided between the PCMICA slot 200 of the computer and the mobile data card 300 which are conventionally directly connected.

  Therefore, in this relay connector device 100, a first PCI (Peripheral Component Interconnect) interface controller 1 for connecting to the PCMICA bus 20 from the PCMICA slot 200 and a PCMICA bus 30 from the mobile data card 300 are connected. A second PCI interface controller 2 is provided. The first and second PCI interface controllers 1 and 2 are connected to the internal bus 3.

  Further, a configuration 4 (enclosed by a broken line) for realizing the function of “TCP2” is provided for the internal bus 3. That is, the configuration 4 includes a CPU 41 and memory means such as a flash ROM 42, eg, SDRAM (Synchronous DRAM) 43, eg, EEPROM (Electrically Erasable Programmable ROM) 44, and these configurations 4 are connected to the internal bus 3. Is done. With these configurations 4, the above-described “TCP2” function is realized.

  Here, in the relay connector device 100, the configuration 4 for realizing the function of “TCP2” emulates the mobile data card 300. For this reason, when the communication program of the computer main body establishes an interface with the mobile data card 300, it simply determines that communication is being performed from the mobile data card 300 via, for example, Ethernet, and communication is started. .

  At this time, the configuration 4 for realizing the function of “TCP2” emulating the mobile data card 300 encrypts transmission data received from the communication program of the computer main body via the PCMICA slot 200 and the PCMICA bus 20. The encrypted data is transmitted from the mobile data card 300 via, for example, Ethernet.

  In addition, when the mobile data card 300 receives encrypted communication data from, for example, Ethernet, the mobile data card 300 decrypts the data with the configuration 4 for realizing the function of “TCP2”, and the computer data via the PCMICA slot 200 and the PCMICA bus 20 Output as received data to the communication program. When communication is started, there is a function of authenticating each other with the opposite TCP 2. If authentication cannot be performed here, it is possible to select in advance whether to forcibly terminate communication or connect.

  That is, the relay connector device 100 itself has a function equivalent to that of a personal computer that realizes the function of “TCP2”. Therefore, this relay connector device 100 is provided with controllers 1 and 2 connected to PCMICA buses 20 and 30 that form a network, respectively, and PCMICA is connected to the relay application layer including these controllers 1 and 2. A network layer and a transport layer including “TCP / IP” for defining a communication method for performing communication while performing routing between any two nodes existing on the extension of the buses 20 and 30 are provided. .

  A function of “TCP2” previously proposed by the present inventor can be provided between the relay application layer and the network layer. That is, in this case, the function of “TCP2” can be provided as software or hardware of the CPU 41 incorporated in the configuration 4, and further, the function of “TCP2” can be controlled, and encryption and decryption can be performed. Means for periodically changing the logic or making an arrangement for handling plaintext without encryption as necessary can be provided as the memories 42-44.

  Therefore, in this embodiment, by mounting the function “TCP2” previously proposed by the present inventor on the relay connector device 100, the burden of installing software or hardware on the personal computer main body is provided. In the communication between the personal computer and the outside, it is possible to prevent “leakage” and “tampering” of data on the Internet, and “spoofing”, “entry” or “attack”.

  That is, the relay connector device 100 of the present invention is realized as a relay connector device 100 that connects TCP2 on a communication line for performing encryption communication and authentication as shown in a conceptual diagram of FIG. In FIG. 2, the relay connector device 100 including the TCP 2 does not depend on the interface below the data link layer, and can be connected to various interfaces.

  Accordingly, the interface A which is the internal bus 20 from the communication software 201 of the computer main body and the interface B which is the internal bus 30 from the communication module 301 such as the mobile data card 300 are PCI (Peripheral Component Interconnect), ISA (Industry). Various communication interfaces including Standard Architecture (EISA), Extended Industry Standard Architecture (EISA), PCMCIA, and Universal Serial Bus (USB) are used. The interface C, which is the external network 300 connected to the opposite communication device 400, includes various communication interfaces including Ethernet, FDDI (Fiber Distributed Data Interface), PPP (Point-to-Point Protocol), wireless LAN, and IEEE1394. Is used.

  Then, the relay connector device 100 receives the existing communication data from the interface A, encrypts it with TCP2, and outputs it as encrypted data to the interface B. Also, the encrypted communication data from the interface B is input, decrypted by TCP2, and output to the interface A as existing communication data. The relay connector device 100 has a function of authenticating each other's TCP2 with the opposite communication device 400 when communication is started. If authentication is not possible here, whether the communication is forcibly terminated or connected. It can be selected in advance.

  Therefore, in such a communication system, existing communication data is exchanged between the existing communication software 201 and the relay connector device 100, but encrypted communication data is exchanged between the relay connector device 100 and the counter communication device 400. Therefore, it is possible to prevent “leakage” and “tampering” of data in this part, and further “spoofing”, “entry” or “attack”.

  In such a communication network, the range of the internal bus 20 is exchanged by existing communication data, and the exchange of encrypted communication data is performed in the internal bus 30 and the external network 40. For this reason, it is possible to prevent “leakage” and “tampering” of data in the portion of the external network 40, and further “spoofing”, “entry” or “attack”. The communication network 40 can employ various forms such as a power line, a wireless LAN, a wired LAN, and a dedicated line.

  Thus, according to the relay connector device of the present invention, it is used when communication of digitized information is performed by adding an encryption function to the TCP or UDP protocol located in the transport layer. A first connection means connected to the means and a second connection means connected to the external medium, and an agreement means for negotiating corresponding encryption and decryption logic with a counterpart device Protocol encryption means for encrypting and transmitting at least the protocol payload among the packets as information units to be transmitted and received according to the encryption logic decided by the decision means, and the received encrypted TCP or UDP protocol payload Protocol that decrypts according to the decryption logic negotiated by the negotiating means Such as implementing software or hardware on a personal computer by performing communication based on encryption and decryption logic using the transport layer TCP or UDP protocol. It can prevent "leakage" and "tampering" of data on the Internet, as well as "spoofing", "entry" or "attack" in communication between a personal computer and the outside without imposing a burden. .

  By the way, in the relay connector device of the present invention described above, each circuit block constituting the device can be formed as a whole in one semiconductor circuit device. Therefore, the present invention also includes a semiconductor circuit device formed as a whole in this way. In other words, the above-described relay connector device is a semiconductor circuit device used when electronic information is communicated by adding an encryption function to the TCP or UDP protocol located in the transport layer, and is connected to a counterpart device. An agreement means for negotiating corresponding encryption and decryption logic, and a protocol encryption means for encrypting and transmitting at least the payload of the protocol according to the encryption logic decided by the agreement means among packets as information units to be transmitted and received Protocol decrypting means for decrypting the received encrypted TCP or UDP protocol payload according to the decryption logic negotiated by the negotiating means, and encrypting and decrypting using the transport layer TCP or UDP protocol To communicate based on logic. Those which can be a semiconductor circuit device according to symptoms.

  Such a semiconductor circuit device 101 of the present invention is realized, for example, as a semiconductor circuit device 101 that connects TCP2 on a communication line for performing encryption communication and authentication as shown in a conceptual diagram in FIG. That is, in the conceptual diagram of FIG. 3, the interface A, which is the internal bus 20 from the communication software 201 of the computer main body, is connected to the semiconductor circuit device 101 including TCP2, and the interface B, which is the internal bus 31 from this semiconductor circuit device 101, is connected. Connected to the communication physical layer chip 302. In FIG. 3, the semiconductor circuit device 101 including the TCP 2 does not depend on the interface below the data link layer, and can be connected to various interfaces.

  Therefore, in the conceptual diagram of FIG. 3, various communication interfaces including PCI, ISA, EISA, PCMCIA, and USB are used as the interface A described above. For the interface B, various communication interfaces including MII (Media Independent Interface) are used. Furthermore, various communication interfaces including Ethernet, FDDI, PPP, wireless LAN, and IEEE1394 are used for the interface C that is the external network 300 connected to the opposite communication device 400.

  Here, the semiconductor circuit device 101 inputs the existing communication data from the interface A, encrypts it with TCP2, and outputs it to the interface B as encrypted data. Also, the encrypted communication data from the interface B is input, decrypted by TCP2, and output to the interface A as existing communication data. The encrypted data sent to the interface B is sent to the opposite communication device 400 via the communication physical layer chip 302 and the interface C. The semiconductor circuit device 101 has a function of authenticating each other's TCP2 when starting communication with the opposing communication device 400. If authentication is not possible here, whether the communication is forcibly terminated or connected. It can be selected in advance.

  Therefore, in such a communication system, existing communication data is exchanged between the existing communication software 201 and the semiconductor circuit device 101, but encrypted communication data is exchanged between the semiconductor circuit device 101 and the counter communication device 400. Therefore, it is possible to prevent “leakage” and “tampering” of data in this part, and further “spoofing”, “entry” or “attack”.

  In such a communication network, the range of the internal bus 20 is exchanged by existing communication data, and the exchange of encrypted communication data is performed in the internal bus 31 and the external network 40. In addition, it is possible to prevent “leakage” and “tampering” of data in the portion of the external network 40, and further “spoofing”, “entry” or “attack”. The communication network 40 can employ various forms such as a power line, a wireless LAN, a wired LAN, and a dedicated line.

  Thus, according to the semiconductor circuit device of the present invention, it is a semiconductor circuit device that is used when electronic information is communicated by adding an encryption function to the TCP or UDP protocol located in the transport layer. A protocol encryption unit that negotiates a corresponding encryption and decryption logic with the device, and a protocol encryption that is encrypted and transmitted according to the encryption logic determined by the protocol determination unit at least among the packets as information units to be transmitted and received Encryption means and protocol decryption means for decrypting the received encrypted TCP or UDP protocol payload according to the decryption logic negotiated by the agreement means, and encrypting using the transport layer TCP or UDP protocol And communication based on decryption logic In this way, data is leaked and falsified on the Internet in communication between the personal computer and the outside without burdening the personal computer with software or hardware. Can prevent "spoofing", "entry" or "attack".

  According to the semiconductor circuit device of the present invention, by providing this semiconductor circuit device in front of any communication physical layer chip, data “leakage” on the Internet in communication performed through this communication physical layer chip and “Tampering”, “spoofing”, “entry” or “attack” can be prevented. Therefore, such a semiconductor circuit device is extremely effective when used for, for example, cellular phones, IP phones, image distribution, and communication of control information in FA (Factory Automation).

  That is, by applying the semiconductor circuit device of the present invention to such mobile phones and IP phones, further image distribution, communication of control information in FA, etc., "leakage" and "tampering" of data in these communications, Furthermore, “spoofing”, “entry” or “attack” can be prevented. Therefore, the safety of these communications can be improved, and the reliability of communications can be greatly improved even for communications via the Internet, for example. Alternatively, such reliable communication can be performed via a simple Internet.

  Finally, how the TCP 2 of the present invention is superior to the conventional IPsec or SSL will be described with reference to Table 2 and FIG. 5 shown in FIG. Table 2 in FIG. 4 shows the TCP2 function added to the IPsec and SSL function comparison table in Table 1 in FIG. 7 described above.

  As is apparent from Table 2, it can be seen that various problems (which are shown in the background art) of IPsec and SSL are solved by adopting TCP2. For example, client-client communication, TCP / IP protocol DoS attack, secure communication of all UDP ports or TCP ports, and applications that had to change socket programs, which were difficult to handle with SSL TCP2 is fully compatible with the restrictions in the above.

  Also, it is difficult to cope with IPsec, communication in a poor environment with frequent errors, communication between different LANs, connection via multiple carriers, communication in PPP mobile environment, ADSL environment TCP2 is fully supported. Furthermore, for the Internet using VoIP (Voice over Internet Protocol) in a mobile environment or an ADSL environment, both IPsec and SSL have problems as shown in Tables 1 and 2, but according to TCP2 of the present invention. Can be used in either environment.

  Also, Internet telephones using VoIP between different LANs cannot be handled by IPsec and SSL, but can be completely handled by TCP2 of the present invention.

  FIG. 5 is a diagram for explaining the superiority of TCP2, but a case (b) in which conventional SSL is applied to a protocol stack (a) without security, a case (c) in which IPsec is applied, A case (d) in which TCP2 (TCPsec / UDPsec) of the present invention is applied is shown in comparison.

  As described above, the SSL of FIG. 5B is provided in the socket of the session layer (fifth layer), so that it is not compatible with the upper application. For this reason, SSL itself has the above-mentioned problems. 5C is in the network layer (third layer) and is not compatible with the IP layer, it is subject to various restrictions as described above in configuring the network.

  On the other hand, TCP2 (TCPsec / UDPsec) in FIG. 5 (d) is an encryption technique introduced into the transport layer (fourth layer), and therefore, the socket can be used as it is from the viewpoint of the application. Also, when viewed from the network, the IP can be used as it is, so there are no restrictions on configuring the network.

  As described above, the communication board device and the communication method of the present invention use TCP2 previously proposed by the inventor of the present invention, in particular, data leakage, falsification, and spoofing compared to the existing encryption processing system. It has extremely high security functions against entry and attack.

  The present invention is not limited to the embodiment described above, and it goes without saying that the present invention includes more embodiments without departing from the gist of the present invention described in the claims.

It is a block diagram which shows the structure of one Embodiment of the communication board apparatus to which this invention is applied. It is a conceptual diagram which implement | achieves TCP2 as a relay connector apparatus connected on the communication line which performs encryption communication and authentication. It is a conceptual diagram which implement | achieves TCP2 as a semiconductor circuit apparatus connected on the communication line which performs encryption communication and authentication. It is a table | surface for demonstrating the comparison with a prior art. It is explanatory drawing for demonstrating the comparison with a prior art. It is a figure which shows the protocol stack of the standard communication using the conventional IPsec and SSL. It is a table | surface figure for demonstrating the prior art. It is a figure which shows the protocol stack of TCP2 which this inventor proposed previously.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 100 ... Relay connector apparatus, 200 ... PCMICA slot, 300 ... Mobile data card, 1, 2 ... PCI interface controller, 3 ... Internal bus, 4 ... Configuration for implement | achieving "TCP2" function, 41 ... CPU, 42 ... Flash ROM, 43 ... SDRAM, 44 ... EEPROM

Claims (6)

A relay connector device used for communication of digitized information by adding an encryption function to the TCP or UDP protocol located in the transport layer,
First connection means connected to the media connection means of the computer body;
A second connection means connected to the external medium, and
Arrangement means for negotiating corresponding encryption and decryption logic with the opposite device,
Protocol encryption means for encrypting and transmitting at least the payload of the protocol according to the encryption logic negotiated by the agreement means, among packets as information units to be transmitted and received,
Protocol decrypting means for decrypting the received encrypted TCP or UDP protocol payload according to the decryption logic negotiated by the negotiating means,
A relay connector device that performs communication based on the encryption and decryption logic using a TCP or UDP protocol of the transport layer. The encryption and decryption logic that can be an agreement candidate by the encryption and decryption logic agreement means is stored in a memory or a circuit,
The relay connector device according to claim 1, further comprising logic changing means for periodically changing encryption and decryption logic that can be stored or implemented arrangement candidates. The relay according to claim 1 or 2, wherein the encryption / decryption logic decision means can decide to handle plaintext without encryption in relation to the encryption / decryption logic. Connector device. A semiconductor circuit device used when communicating electronic information by adding an encryption function to a TCP or UDP protocol located in a transport layer,
Arrangement means for negotiating corresponding encryption and decryption logic with the opposite device,
Protocol encryption means for encrypting and transmitting at least the payload of the protocol according to the encryption logic negotiated by the agreement means, among packets as information units to be transmitted and received,
Protocol decrypting means for decrypting the received encrypted TCP or UDP protocol payload according to the decryption logic negotiated by the negotiating means,
A semiconductor circuit device that performs communication based on the encryption and decryption logic using a TCP or UDP protocol of the transport layer. The encryption and decryption logic that can be an agreement candidate by the encryption and decryption logic agreement means is stored in a memory or a circuit,
5. The semiconductor circuit device according to claim 4, further comprising logic changing means for periodically changing encryption and decryption logic that can be stored or implemented arrangement candidates. 6. The semiconductor according to claim 4 or 5, wherein said encryption and decryption logic decision means can decide to handle plain text without encryption in relation to said encryption and decryption logic. Circuit device.

Images