JP2008199391A - Encryption communication system and encryption communication device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reinforce the security of communication data about multicast communication in a multiaccess network. <P>SOLUTION: In this encryption communication system 1 for encrypting communication data between encryption communication devices during multicast distribution on a multiaccess network 2 in which a plurality of encryption communication devices 3 can simultaneously connect and communicate with each other, the encryption communication device has: a multicast key table 15 storing a multicast key; an encryption processing part 19 for encrypting communication data on the basis of the multicast key and transmitting the encrypted communication data to the opposite side encryption communication device when detecting the communication data to the opposite side encryption communication device; and a decryption processing part 20 for decrypting communication data on the basis of the multicast key when the opposite side encryption communication device detects the encrypted communication data. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an encryption communication system and an encryption communication device for encrypting communication data between the encryption communication devices on a multi-access network in which a plurality of encryption communication devices can be simultaneously connected to each other.

  In recent years, communication using multi-access networks such as the Internet using IP technology, IP-VPN (Internet Protocol-Virtual Private Network), and wide area Ethernet using Ethernet (registered trademark) technology (hereinafter simply referred to as wide area network). In the system, there is a service that connects a plurality of communication devices such as personal computers on the multi-access network, establishes communication between the plurality of communication devices via the multi-access network, and distributes content such as video and music. Widely used.

  However, according to the video distribution service using the Internet, which is widely used nowadays, the video is transmitted by a one-to-one communication device in spite of the broadcast station type transmission form for distributing video to a plurality of service users. In reality, video is being distributed to service users using unicast communication, but in the future, with the spread of services, the amount of data distribution will increase, and as a result, the amount of communication traffic will increase. Is expected to increase.

  Therefore, in order to cope with such a situation, although it is not used in the currently popular Internet, one communication device among a plurality of communication devices is simultaneously distributed with a plurality of communication devices in a specific group. Actually, it is desired to use multicast communication on the Internet (see, for example, Non-Patent Document 1).

In recent years, security has been strengthened not only for communication data via the Internet but also for communication data via networks classified as dedicated lines such as IP-VPN in accordance with the enforcement of the Personal Information Protection Law and the promotion of corporate compliance. As a result, security technology for encrypting communication data has become widespread, and IPsec (Internet Protocol security) is widely known as a technology for encrypting communication data for unicast communication (for example, non-security). (See Patent Document 2).
“Product Catalog of Ethernet Interface Compatible Cryptographic Device DATAX COMMCIPHER FeL2B”, [online], NEC Magnus Communications, [December 21, 2006 search], Internet <URL: http: // www. nec. co. jp / access / prod / fel2b / index. html> Shuwa System Publishing Co., Ltd. “Illustration / Standard Latest VPN Handbook” (issued on May 26, 2003) Chapter 4 VPN and Peripheral Technologies 4-5 IPsec (P.134-P.173)

  However, in the case of a public service network where the expected use of multicast communication is possible, a technology to encrypt communication data for multicast communication is desired to enhance information security, but it is expected in the future. In fact, there is no technology for encrypting communication data for multicast communication, not only for public service networks, but also for multi-access networks such as IP-VPN that can use multicast communication at present.

  Therefore, the present invention has been made in view of the above points, and the object of the present invention is not only a public service network capable of multicast communication expected in the future, but also an IP-VPN or the like capable of multicast communication at present. An object of the present invention is to provide an encryption communication system and an encryption communication device capable of enhancing the security of communication data between communication devices involved in multicast communication even in a multi-access network.

  In order to achieve the above object, the cryptographic communication system of the present invention includes a single cryptographic communication device of the plurality of cryptographic communication devices on a multi-access network in which a plurality of cryptographic communication devices can be simultaneously connected to each other. Is a cryptographic communication system that encrypts communication data between the cryptographic communication devices when performing multicast communication that simultaneously communicates with a plurality of cryptographic communication devices in a specific group, wherein the cryptographic communication device includes the multicast communication device Multicast key storage means for storing a multicast key used for encryption of communication data related to communication, and when the communication data to the opposite side encryption communication device among the plurality of encryption communication devices is detected, the multicast key storage Reading the multicast key from the means, and based on the read multicast key, the communication data An encryption communication unit that encrypts the encrypted communication data and transmits the encrypted communication data to the opposite side encryption communication device; and when the encrypted communication data is detected by the encryption communication unit of the opposite side encryption communication device, the multicast The multicast key is read from the key storage means, and based on the read multicast key, decryption communication means for decrypting the encrypted communication data on the opposite encryption communication apparatus side is provided.

  Therefore, according to the encryption communication system of the present invention, the encryption communication device stores a multicast key used for encryption of communication data related to the multicast communication, and transmits communication data to the opposite encryption communication device. When detected, the communication data is encrypted based on the multicast key, and the encrypted communication data is transmitted to the opposite side encryption communication device and encrypted by the encryption communication unit of the opposite side encryption communication device. When communication data is detected, the encrypted communication data is decrypted on the opposite encryption communication device side based on the multicast key, so that the public service network capable of multicast communication expected in the future is of course, Even if it is a multi-access network such as IP-VPN capable of multicast communication even at present, It is possible to enhance security of the communication data relating to the multicast communication using the No. communications device.

  The encryption communication system according to the present invention further includes a data distribution unit that distributes the communication data decrypted by the decryption communication unit to the communication device. A data transmission unit that transmits the communication data to a communication device; and a data reception unit that receives the communication data distributed by the data distribution unit, wherein the data transmission unit and the data reception unit include the encryption unit The communication data is transmitted / received to / from the opposite communication device that is housed and connected to the opposite encryption communication device via the communication device and the opposite encryption communication device.

  Therefore, according to the cryptographic communication system of the present invention, the communication device accommodated and connected to the cryptographic communication device is connected to the opposing cryptographic communication device via the multi-access network through the cryptographic communication device and the opposing cryptographic communication device. Since communication data is transmitted to and received from the communication device, even a communication device that does not have an encryption communication function can establish encrypted communication between the communication devices using the encryption communication device.

  Further, the cryptographic communication system of the present invention includes group information storage means for storing address information of cryptographic communication apparatuses belonging to the group for each group identification information for identifying the group classified by the predetermined condition by the cryptographic communication apparatus. , For each group identification information, the multicast key storage means for storing the multicast key used for encryption of communication data related to the group, and of the plurality of encryption communication devices to the opposite encryption communication device When detecting communication data, address information included in the communication data is identified, and when detecting communication data from the opposite encryption communication device, address information identifying means for identifying address information included in the communication data; Based on the identification result of this address information identification means, the group identification information for identifying the group identification information of this communication data And the encrypted communication means identifies the address information of the communication data by the address information identification means when detecting the communication data to the opposite encryption communication device, and the identification result The group identification means identifies the group identification information of the communication data, reads the multicast key corresponding to the group identification information from the multicast key storage means, and based on the read multicast key, the communication data is When the encrypted communication data is detected by the encrypted communication means on the opposite side encryption communication device side, the address information identification means obtains the address information of the communication data. Based on the identification result, the group identification means identifies the group identification information of the communication data, and Reads the multicast key corresponding to the group identification information from the multicast key storage means, based on the multicast key thus read out, and so as to decrypt the communication data.

  Therefore, according to the cryptographic communication system of the present invention, for each group identification information, the address information of the cryptographic communication device belonging to the same group and the multicast key related to the same group are stored, and When the communication data is detected, the address information of the communication data is identified, the group identification information of the communication data is identified based on the identification result, the multicast key corresponding to the group identification information is read, and the read multicast key And encrypting the communication data and detecting the encrypted communication data by the encrypted communication means on the opposite side encryption communication device side, identifying address information of the communication data, Based on the communication data, the multi-key corresponding to the group identification information is identified. Reads the strike key, based on the multicast key thus read out. Thus decrypting the communication data, it is possible to establish the encrypted communication between the communication device in groups of multicast communication.

  Also, the cryptographic communication system of the present invention has a management terminal device that communicates and connects for each of the cryptographic communication devices, and the management terminal device is communicatively connected to the cryptographic communication device and the multicast within the cryptographic communication device. The multicast key stored in the key storage means can be changed.

  Therefore, according to the cryptographic communication system of the present invention, the management terminal device can communicate with the cryptographic communication device and change the setting of the multicast key stored in the multicast key storage means inside the cryptographic communication device. Therefore, it is possible to change the setting of the multicast key used for encryption of multicast communication for each encrypted communication device.

  The cryptographic communication system of the present invention has a key management server that can be connected to all cryptographic communication devices via the multi-access network, and the key management server communicates with each cryptographic communication device via the multi-access network. The multicast key stored in the multicast key storage means inside each encryption communication device can be set and changed.

  Therefore, according to the cryptographic communication system of the present invention, the key management server is connected to each cryptographic communication device via the multi-access network and is stored in the multicast key storage means inside each cryptographic communication device. Since the key can be set and changed, the key management server can collectively change the setting of the multicast key used for encryption of the multicast communication in all the encryption communication apparatuses.

  Further, in the encryption communication system of the present invention, the encrypted communication means includes a range specifying means for specifying a predetermined data range of a payload portion included in the communication data, and a payload in a predetermined data range specified by the range specifying means. And the decryption communication means decrypts the payload part of the predetermined data range designated by the range designation means based on the multicast key.

  Therefore, according to the encryption communication system of the present invention, the payload portion of the predetermined data range included in the communication data is encrypted with the multicast key, and the encrypted payload portion of the predetermined data range is decrypted with the multicast key. Therefore, since only a part of the payload portion is encrypted, the processing load on the encrypted communication means and the decryption communication means can be reduced.

  Further, the cryptographic communication system of the present invention comprises a range specifying means for configuring the multicast key with a predetermined number of cast keys and dividing and specifying a payload portion included in the communication data into a predetermined number of data ranges; and the range specifying means Cast key storage means for storing a cast key for each data range specified in (1), and when the encrypted communication means detects communication data to the opposite encryption communication device, a payload included in the communication data For each data range, a cast key corresponding to the data range is sequentially read from the cast key storage means, the data range is sequentially encrypted based on the sequentially read cast key, and the decryption communication means includes: When communication data from the opposite encryption communication device is detected, the same data is detected for each data range of the payload portion included in the communication data. Sequentially reading out the cast key corresponding to over data ranges from the cast key storage means, and adapted to successively decode the same data range on the basis of the sequentially read cast key.

  Therefore, according to the cryptographic communication system of the present invention, the multicast key is composed of a predetermined number of cast keys, the payload portion of the communication data is divided and specified into a predetermined number of data ranges, and communication to the opposite side encryption communication device is performed. When data is detected, encryption is performed based on the cast key for each data range of the communication data, and when communication data from the opposite encryption communication device is detected, a cast key is determined for each data range of the encrypted communication data. Since the payload portion is encrypted and decrypted with a plurality of cast keys, it is possible to further enhance the security of communication data.

  In order to achieve the above object, the cryptographic communication system of the present invention is a cryptographic communication for encrypting communication data between the cryptographic communication devices on a multi-access network in which a plurality of cryptographic communication devices can be simultaneously connected to each other. The encryption communication apparatus is an encryption system for communication data related to multicast communication in which one of the plurality of encryption communication apparatuses communicates simultaneously with a plurality of encryption communication apparatuses in a specific group. When the communication data to the opposite side encryption communication device among the plurality of encryption communication devices is detected, the address information included in the communication data is identified. At the same time, when communication data from the opposite encryption communication apparatus is detected, an address for identifying address information included in the communication data is detected. Based on the identification result of the address information identifying means, the communication type determining means for determining the communication type of the communication data, and the communication type determining means for the communication data to the opposite encryption communication device. If it is determined that the communication type is the multicast communication, the multicast key is read from the multicast key storage means, the communication data is encrypted based on the read multicast key, and the encrypted communication data is An encrypted communication means for transmitting to the encryption communication device on the side, and the multicast key storage means when the communication type of the communication data from the opposite encryption communication device is determined to be the multicast communication by the communication type determination means The multicast key is read out from the multicast key based on the read multicast key Countercurrently side encrypted communication device side so as to have a decoding communication means for decoding communication data the encryption.

  Therefore, according to the encryption communication system of the present invention, the encryption communication device stores a multicast key used for encryption of communication data related to the multicast communication, and transmits communication data to the opposite encryption communication device. If detected, the address information included in the communication data is identified, and based on the identification result, when it is determined that the communication type of the communication data is multicast communication, the communication data is encrypted based on the multicast key. The encrypted communication data is transmitted to the opposite encryption communication device, and when the communication data from the opposite encryption communication device is detected, the address information included in the communication data is identified, and based on the identification result If the communication type of this communication data is determined to be multicast communication, the multicast key Therefore, since the communication data is decrypted, not only a public service network capable of multicast communication expected in the future, but also a multi-access network such as an IP-VPN capable of multicast communication even in the present situation can be encrypted. Security of communication data related to multicast communication can be enhanced by using the communication device.

  Further, the cryptographic communication system of the present invention includes, for each group identification information for identifying the group classified by the predetermined condition by the cryptographic communication apparatus, group information storage means for storing address information of the cryptographic communication apparatus belonging to the group, Based on the identification result of the communication data of the multicast key storage means storing the multicast key used for encryption of communication data related to the group for each group identification information, and the address information identification means, the communication data Group identification means for identifying group identification information, wherein the encrypted communication means determines that the communication type of the communication data to the opposite encryption communication device is the multicast communication by the communication type determination means. Then, the address information identification means identifies the address information of the communication data, and based on the identification result. The group identification means identifies the group identification information of the communication data, reads the multicast key corresponding to the group identification information from the multicast key storage means, and based on the read multicast key, the communication data is In addition to encryption, when the communication type determination unit determines that the communication type of the communication data from the opposite side encryption communication device is the multicast communication, the decryption communication unit causes the address information identification unit to And identifying the address identification information of the communication data based on the identification result, identifying the group identification information of the communication data by the group identification means, and storing the multicast key corresponding to the group identification information in the multicast key Read from the means, based on this read multicast key It was set to decrypt the communication data.

  Therefore, according to the cryptographic communication system of the present invention, the address information of the cryptographic communication device belonging to the same group and the multicast key related to the same group are stored for each group identification information, When the communication data is detected, the address information of the communication data is identified, the group identification information of the communication data is identified based on the identification result, the multicast key corresponding to the group identification information is read, and the read Based on the multicast key, the communication data is encrypted, and when the encrypted communication data is detected by the encrypted communication means on the opposite side encryption communication device side, the address information of the communication data is identified, and the identification Based on the result, the group identification information of the communication data is identified, and this group identification information is supported. Reads the multicast key, based on the multicast key thus read out. Thus decrypting the communication data, it is possible to establish the encrypted communication of the communication data relating to the multicast communication in groups.

  Further, the cryptographic communication system of the present invention uses the session key used for encrypting communication data related to unicast communication in which the cryptographic communication device communicates with a single cryptographic communication device as address information of the cryptographic communication device. Each having a session key storage means stored therein, wherein the encrypted communication means determines that the communication type of the communication data to the opposite encryption communication device is the unicast communication by the communication type determination means. The address information identifying means identifies the address information of the communication data, reads a session key corresponding to the address information from the session key storage means, and encrypts the communication data based on the read session key. The encrypted communication data is transmitted to the opposite encryption communication device, and the decryption communication means is configured to determine the communication type. When the means determines that the communication type of the communication data from the opposite encryption communication device is the unicast communication, the address information identification means identifies the address information of the communication data, and the address information A corresponding session key is read from the session key storage means, and the communication data is decrypted based on the read session key.

  Therefore, according to the encryption communication system of the present invention, the encryption communication device stores a session key used for encryption of communication data related to unicast communication for each address information of the encryption communication device, and If it is determined that the communication type of the communication data to the opposite side encryption communication device is unicast communication, the address information of this communication data is identified, the session key corresponding to this address information is read, and the read session key And encrypting the communication data, and if the communication type of the communication data from the opposite encryption communication device is determined to be the unicast communication, the address information of the communication data is identified and the address A session key corresponding to the information is read, and the communication data is decrypted based on the read session key. Since the multicast communication, of course, it is possible to establish an encrypted communication also communication data unicast communication.

  Further, in the cryptographic communication system of the present invention, the cryptographic communication device manages subordinate address management information including address information of the communication device to be accommodated and connected, and the subordinate address information according to a predetermined timing. Subordinate address management information notification means for notifying the opposite side encrypted communication apparatus of the subordinate address management information being managed by the management means, and receiving the subordinate address management information from the subordinate address management information notification means on the opposite side encrypted communication apparatus side Then, in association with the address information of the opposing communication device included in the subordinate address management information, the session key storage means is configured to store the session key of the opposing encryption communication device accommodating and connecting the opposing communication device. And updating means for updating.

  Therefore, according to the encryption communication system of the present invention, the encryption communication device notifies the opposite side encryption communication device of the subordinate address management information including the address information of the communication device to be accommodated and connected according to a predetermined timing. When receiving the subordinate address management information on the encryption communication device side, the session key of the opposite side encryption communication device accommodating and connecting the opposite side communication device in association with the address information of the opposite side communication device included in the subordinate address management information Since the session key storage means is updated to store the session key, each encryption communication apparatus can hold a session key for each communication apparatus accommodated and connected to the opposite encryption communication apparatus.

  In the cryptographic communication system according to the present invention, the cryptographic communication apparatus is configured to use a key form storage unit that stores a key form for each key number and a key based on a current time and a predetermined program according to a common timing for all the cryptographic communication apparatuses. A key form selecting means for calculating a number and selecting a key form corresponding to the calculated key number from the key form storage means, and the key form selected by the key form selecting means as the multicast key as the multicast key. Multicast key update means for updating the storage means.

  Therefore, according to the encryption communication system of the present invention, the encryption communication device stores a key form for each key number, and the key number is based on the current time and a predetermined program according to the timing common to all encryption communication devices. The key form corresponding to the calculated key number is selected, and the selected key form is updated as the multicast key in the multicast key storage unit. The same key form is stored for each number, and all the encryption communication devices can update the multicast key to a new multicast key at the same timing.

  Also, the cryptographic communication system of the present invention has a key management server that can be communicably connected to all cryptographic communication devices via the multi-access network, and the key management server stores a key form storage means that stores a plurality of key forms. And a key form selection means for selecting an arbitrary key form from a plurality of key forms in the key form storage means at every predetermined timing, and the key form selected by the key form selection means as the multicast key, Key form distribution means for distributing to each encryption communication device at every predetermined timing.

  Therefore, according to the cryptographic communication system of the present invention, the key management server is connected to all cryptographic communication apparatuses via the multi-access network, and selects an arbitrary key form from a plurality of key forms at a predetermined timing. The selected key form is distributed as a multicast key to each cryptographic communication device at a predetermined timing.As a result, each cryptographic communication device has a distribution timing of the key management server or a communication access timing of each cryptographic communication device. A new key form is received from each key management server, and the received key form is updated as a new multicast key, so the key management server is used to encrypt multicast communications inside all cryptographic communication devices in a batch. The multicast key to be set can be changed.

  Further, in the encryption communication system of the present invention, the encryption communication device has range specifying means for specifying a predetermined data range of a payload portion included in the communication data, and the encrypted communication means includes the communication type determination means. When it is determined that the communication type of the communication data to the opposite encryption communication device is the multicast communication, the payload portion of the predetermined data range specified by the range specifying means is encrypted based on the multicast key At the same time, when the communication type determination unit determines that the communication type of the communication data from the opposite encryption communication device is the multicast communication, the decryption communication unit determines the predetermined value specified by the range specification unit. The payload part of the data range is decrypted based on the multicast key.

  Therefore, according to the encryption communication system of the present invention, the payload portion of the predetermined data range included in the communication data is encrypted with the multicast key, and the encrypted payload portion of the predetermined data range is decrypted with the multicast key. Therefore, since only a part of the payload portion is encrypted, the processing load on the encrypted communication means and the decryption communication means can be reduced.

  Further, in the encryption communication system of the present invention, the encryption communication device has range specifying means for specifying a predetermined data range of a payload portion included in the communication data, and the encrypted communication means includes the communication type determination means. When the communication type of the communication data transmitted to the opposite communication device is determined to be the unicast communication, the payload portion of the predetermined data range specified by the range specifying means is encrypted based on the session key In addition, when the communication type determining unit determines that the communication type of the communication data from the opposite communication device is the unicast communication, the decoding communication unit specifies the range specifying unit. The payload portion of the predetermined data range is decrypted based on the session key.

  Therefore, according to the cryptographic communication system of the present invention, the multicast key is composed of a predetermined number of cast keys, the payload portion of the communication data is divided and specified into a predetermined number of data ranges, and communication to the opposite side encryption communication device is performed. When data is detected, encryption is performed based on the cast key for each data range of the communication data, and when communication data from the opposite encryption communication device is detected, a cast key is determined for each data range of the encrypted communication data. Since the payload portion is encrypted and decrypted with a plurality of cast keys, it is possible to further enhance the security of communication data.

  Also, in the cryptographic communication system of the present invention, the subordinate address management information notifying means encrypts the subordinate address management information and a session key related to unicast communication of its own cryptographic communication device using the IKE protocol. The managed subordinate address management information and session key are transmitted to the opposite side encryption communication device.

  Therefore, according to the cryptographic communication system of the present invention, the subordinate address management information and the session key are transmitted to the opposite side cipher communication device using the IKE protocol. It can be strengthened.

  In order to achieve the above object, the encryption communication device of the present invention is configured such that one of the plurality of encryption communication devices is encrypted on a multi-access network in which a plurality of encryption communication devices can be simultaneously connected to each other. An encryption communication device in an encryption communication system for encrypting communication data between the encryption communication devices when the communication device performs multicast communication for simultaneous communication with a plurality of encryption communication devices in a specific group, wherein the multicast communication device Multicast key storage means for storing a multicast key used for encryption of communication data related to communication, and when the communication data to the opposite side encryption communication device among the plurality of encryption communication devices is detected, the multicast key storage The multicast key is read from the means, and the communication data is read based on the read multicast key. And the encrypted communication means for transmitting the encrypted communication data to the opposite-side encrypted communication device, and the encrypted communication data detected by the encrypted communication means of the opposite-side encrypted communication device, The multicast key is read from the multicast key storage means, and based on the read multicast key, decryption communication means for decrypting the encrypted communication data on the opposite encryption communication apparatus side is provided.

  Therefore, according to the encryption communication device of the present invention, a multicast key used for encryption of communication data related to the multicast communication is stored, and when the communication data to the opposite encryption communication device is detected, the multicast key is used. And encrypting the communication data, transmitting the encrypted communication data to the opposite encryption communication device, and detecting the encrypted communication data in the encryption communication means of the opposite encryption communication device, Since the encrypted communication data is decrypted on the opposite encryption communication device side based on the multicast key, not only a public service network capable of multicast communication expected in the future, but also multicast communication is possible at present. Even in a multi-access network such as IP-VPN, the encryption communication device is used to It is possible to achieve the enhanced security of communication data relating to Chikyasuto communication.

  According to the encryption communication system of the present invention configured as described above, the encryption communication device stores a multicast key used for encryption of communication data related to multicast communication, and communicates with the opposite-side encryption communication device. When data is detected, the communication data is encrypted based on the multicast key, the encrypted communication data is transmitted to the opposite side encryption communication device, and the encryption communication unit of the opposite side encryption communication device transmits the encryption data. When the encrypted communication data is detected, the encrypted communication data is decrypted on the opposite encryption communication device side based on the multicast key, so that the public service network capable of multicast communication expected in the future is of course Even in multi-access networks such as IP-VPN that can be used for multicast communication even in the present situation It is possible to enhance security of the communication data relating to the multicast communication using the encryption communication device.

  According to the encryption communication system of the present invention, the encryption communication device stores a multicast key used for encryption of communication data related to multicast communication, and detects communication data to the opposite side encryption communication device. Address information included in the communication data is identified, and based on the identification result, when it is determined that the communication type of the communication data is multicast communication, the communication data is encrypted based on the multicast key, When the communication data from the opposite encryption communication device is detected, the address information included in the communication data is identified, and based on the identification result, the communication data is transmitted to the opposite encryption communication device. If it is determined that the data communication type is multicast communication, the communication type is determined based on the multicast key. Since the data is decrypted, the encryption communication device is used not only for public service networks that can be used for multicast communication in the future, but also for multi-access networks such as IP-VPN that can be used for multicast communication at present. Thus, the security of communication data related to multicast communication can be enhanced.

  Moreover, according to the encryption communication device of the present invention configured as described above, a multicast key used for encryption of communication data related to multicast communication is stored, and communication data to the opposite encryption communication device is detected. Then, based on the multicast key, the communication data is encrypted, and the encrypted communication data is transmitted to the opposite-side encrypted communication device, and the encrypted communication is performed by the encrypted communication unit of the opposite-side encrypted communication device. When data is detected, the encrypted communication data is decrypted on the opposite encryption communication device side based on the multicast key, so that the public service network capable of multicast communication expected in the future is of course However, even in a multi-access network such as IP-VPN capable of multicast communication, an encryption communication device It is possible to enhance security of the communication data relating to the multicast communication using.

  Hereinafter, an encryption communication system showing an embodiment of the present invention will be described with reference to the drawings.

(Embodiment 1)
FIG. 1 is a block diagram showing a schematic configuration inside the cryptographic communication system according to the first embodiment.

  A cryptographic communication system 1 shown in FIG. 1 includes a multi-access network 2, a plurality of cryptographic communication devices 3 that are in communication connection with the multi-access network 2, a key management server 4 that is in communication connection with the multi-access network 2, an encryption A communication device 5 such as a personal computer accommodated and connected to the communication device 3, and one of the plurality of encryption communication devices 3 communicates simultaneously with a plurality of encryption communication devices 3 in a specific group. When multicast communication is performed, communication data between the encryption communication devices 3 is encrypted.

  The encryption communication device 3 of “A” accommodates and connects the communication devices 5 of “A1” and “A2”, and the encryption communication device 3 of “B” connects the communication devices 5 of “B1” and “B2” to “ The “C” encryption communication device 3 accommodates and connects the “C1” and “C2” communication devices 5, and the “D” encryption communication device 3 accommodates and connects the “D1” and “D2” communication devices 5, respectively. To do.

  Multicast communication corresponds to a method in which one cryptographic communication device 3 communicates simultaneously with a plurality of cryptographic communication devices 3 in a specific group. The communication partner is different for each group. For example, when the group is “1”, “A” The communication device 5 of the encryption communication device 3 of "" is simultaneously communicating with the communication devices 5 of the three encryption communication devices 3 of "B", "C" and "D", and in the case of the group "2", the encryption of "A" When the communication device 5 of the communication device 3 is the simultaneous communication to the communication device 5 of the encryption communication device 3 of “B”, and the group “3”, the communication device 5 of the encryption communication device 3 of “C” is the encryption communication of “D”. It communicates simultaneously with the communication device 5 of the device 3.

  FIG. 2 is a block diagram showing a schematic configuration inside the cryptographic communication device 3.

  Each encryption communication device 3 includes a network interface 11 that controls a communication interface with the multi-access network 2, a communication device interface 12 that controls a communication interface with a communication device 5 that is accommodated and connected, and a communication device 5 that is accommodated and connected. For each group number that identifies address information management unit 13 that manages address information, for each group number that identifies a group involved in multicast communication, for each group number, A multicast key table 15 storing a multicast key used for encryption of communication data related to the group, and communication data from the communication device 5 through the communication device interface 12 or the opposite side encryption communication device 3 through the network interface 11. When the communication data is detected, the address information identification unit 16 that identifies the address information included in the communication data, and the communication type determination unit that determines the communication type of the communication data based on the identification result of the address information identification unit 16 17 and the communication type determination unit 17 determines that the communication type of the communication data is multicast communication, the group identification for identifying the group number of the communication data based on the identification result of the address information identification unit 16 Unit 18 and an encryption processing unit 19 that reads a multicast key corresponding to the group number corresponding to the identification result of group identification unit 18 from multicast key table 15 and encrypts communication data based on the read multicast key. , Corresponding to the group number corresponding to the identification result of the group identification unit 18 Reads the cast key from a multicast key table based on the multicast key thus read out, and a decoding unit 20 which decodes the communication data, and a control unit 21 which controls the entire encryption communication device 3.

  As shown in FIG. 3, the group management table 14 stores, for each group number 14a for identifying a group for multicast communication, the address information 14b of the cryptographic communication device 3 belonging to the same group. It is assumed that “1” stores address information of the encryption communication device 3 of “A”, “B”, “C”, and “D”.

  As shown in FIG. 4, the multicast key table 15 stores, for each group number 15a, a multicast key 15b used for encryption and decryption of communication data of the same group. Stores a multicast key M1.

  When the communication data from the communication device 5 is detected through the communication device interface 12, the address information identification unit 16 identifies the transmission destination address based on the address information in the header portion of the communication data and When communication data from the opposite communication device 5 of the side encryption communication device 3 is detected, the transmission destination address is identified based on the address information in the header portion of the communication data.

  The communication type determination unit 17 determines whether the communication type of the communication data is multicast communication based on the transmission destination address corresponding to the identification result of the address information identification unit 16.

  In the case of communication data from the communication device 5 through the communication device interface 12, the group identification unit 18 determines that the communication type of the communication data is multicast communication in the group management table 14 when the communication type determination unit 17 determines that the communication type is multicast communication. Based on the contents of the table, the group number of the multicast communication group corresponding to the destination address of this communication data is identified, and in the case of communication data from the opposite side encryption communication device 3 through the network interface 11, the communication type determination unit 17 If the communication type of the communication data is determined to be multicast communication, the group number of the multicast communication group corresponding to the destination address of the communication data is identified based on the table contents of the group management table 14.

  When the communication type determination unit 17 determines that the communication type of the communication data is multicast communication in the case of communication data from the communication device 5 through the communication device interface 12, the encryption processing unit 19 performs group identification unit 18. The multicast key corresponding to the group number corresponding to the identification result is read from the multicast key table 15, the communication data is encrypted based on the read multicast key, and the encrypted communication data is sent to the opposite side through the network interface 11. The data is transmitted to the side encryption communication device 3.

  The decryption processing unit 20 reads the multicast key corresponding to the group number corresponding to the identification result of the group identification unit 18 from the multicast key table 15 in the case of communication data from the opposite side encryption communication device 3 through the network interface 11, Based on the read multicast key, the communication data is decrypted, and the decrypted communication data is transmitted to the communication device 5 through the communication device interface 12.

  FIG. 5 is a block diagram showing a schematic configuration inside the communication device 5 accommodated and connected to the encryption communication device 3.

  The communication device 5 shown in FIG. 5 is configured by, for example, a personal computer, and a data transmission unit 31 that transmits communication data to the communication device interface 12 of the encryption communication device 3 and communication from the communication device interface 12 of the encryption communication device 3. A data receiving unit 32 for receiving data, a data output unit 33 for outputting communication data received by the data receiving unit 32, and a communication device side control unit 34 for controlling the entire communication device 5; The transmission unit 31 and the data reception unit 32 transmit and receive communication data to and from the opposite communication device 5 that is accommodated and connected to the opposite encryption communication device 3 through the encryption communication device 3 and the opposite encryption communication device 3. .

  FIG. 6 is a block diagram showing a schematic configuration inside the key management server 4.

  The key management server 4 shown in FIG. 6 includes a server interface 41 that controls a communication interface with the multi-access network 2, a key form storage unit 42 that stores a plurality of, for example, thousands of key forms, and a predetermined timing. The key form selection unit 43 that selects a key form for each group number from a plurality of key forms stored in the key form storage unit 41, and the key form selected by the key form selection unit 43 is managed in units of group numbers. A key form management unit 44; and a key form distribution unit 45 that distributes the key form currently managed by the key form management unit 44 to all the cryptographic communication devices 3 through the server interface 41 in units of group numbers as a multicast key. ing. The predetermined timing corresponds to a predetermined cycle timing, for example, one timing per minute.

  When receiving the key form for each group number from the key form distribution unit 45 of the key management server 4, the control unit 21 in the cryptographic communication device 3 newly creates a key form for each group number stored in the multicast key table 15. It is stored and updated as a multicast key.

  In addition, the control unit 21 includes a data range specifying unit (not shown) that specifies the data range of the payload portion of the communication data that is to be encrypted by the encryption processing unit 19. The data range specified by the data range specifying unit is common to all the encryption communication devices 3.

  When the encryption processing unit 19 detects communication data to the opposite encryption communication device 3, the encryption processing unit 19 encrypts a predetermined data range portion in the payload portion of the communication data using a multicast key. In addition, when the decryption processing unit 20 detects the encrypted communication data from the opposite encryption communication device 3, the decryption processing unit 20 decrypts the encrypted predetermined data range portion of the communication data using the multicast key. Is.

  The encryption communication system according to the claims is the encryption communication system 1, the multi-access network is the multi-access network 2, the encryption communication device is the encryption communication device 3, the multicast key storage means is the multicast key table 15, and the encryption communication means is encryption. A processing unit 19, a decoding communication unit is a decoding processing unit 20, an address information management unit is an address information management unit 13, a data distribution unit is a communication device interface 12, a communication device is a communication device 5, and a data transmission unit is a data transmission unit. 31, data receiving means is the data receiving section 32, group information storing means is the group management table 14, address information identifying means is the address information identifying section 16, group identifying means is the group identifying section 18, key management server is the key management server 4, Range designation means is data range designation section, multicast key update means It corresponds to the control unit 21.

  Next, the operation of the cryptographic communication system 1 showing the first embodiment will be described.

  For example, the operation when the communication device 5 of “A1” accommodated and connected to the encryption communication device 3 of “A” executes multicast communication of the group number “1” will be described. FIG. 7 is a flowchart showing the processing operation of the cryptographic communication device 3 related to the multicast encryption processing.

  The address information identification unit 16 of the encryption communication device 3 determines whether or not communication data from the communication device 5 has been detected through the communication device interface 12 (step S11).

  When the address information identifying unit 16 detects communication data from the communication device 5 through the communication device interface 12, the address information identifying unit 16 identifies a transmission destination address based on the address information in the header portion of the communication data (step S12).

  The communication type determination unit 17 of the encryption communication device 3 determines whether or not the communication type of this communication data is multicast communication based on the transmission destination address of this communication data (step S13).

  When the communication type determination unit 17 determines that the communication type of the communication data is multicast communication, the group identification unit 18 of the encryption communication device 3 transmits the transmission destination of this communication data based on the table contents of the group management table 14. The group number of the multicast communication group corresponding to the address is identified (step S14).

  The encryption processing unit 19 of the encryption communication device 3 reads the multicast key corresponding to the group number of the communication data identified by the group identifying unit 18 from the multicast key table 15 (step S15), and based on the read multicast key. The predetermined data range portion in the payload portion of the communication data is encrypted (step S16).

  The encryption processing unit 19 transmits the encrypted communication data to the opposite side encryption communication device 3 of the multicast communication partner via the multi-access network 2 through the network interface 11 (step S17), and performs this processing operation. finish. The opposite side encryption communication device 3 of the multicast communication partner corresponds to the encryption communication device 3 of “B”, “C”, and “D” in the case of multicast communication with the group number “1”.

  Next, the operation of the opposite encryption communication apparatus 3 that has received the encrypted communication data will be described. FIG. 8 is a flowchart showing the processing operation inside the opposite side encryption communication apparatus 3 related to the multicast decryption process.

  In FIG. 8, the address information identification unit 16 of the opposite side encryption communication device 3 determines whether or not encrypted communication data from the encryption communication device 3 is detected through the network interface 11 (step S21).

  When the address information identification unit 16 detects the encrypted communication data from the encryption communication device 3 through the network interface 11, the address information identification unit 16 identifies the transmission destination address based on the address information in the header portion of the communication data (step S22). .

  The communication type determination unit 17 of the opposite encryption communication device 3 determines whether or not the communication type of this communication data is multicast communication based on the transmission destination address of this communication data (step S23).

  When the communication type determination unit 17 determines that the communication type of the communication data is multicast communication, the group identification unit 18 of the opposite encryption communication device 3 determines the communication data based on the table contents of the group management table 14. The group number of the multicast communication group corresponding to the transmission destination address is identified (step S24).

  The decryption processing unit 20 of the opposite side encryption communication device 3 reads the multicast key corresponding to the group number of the communication data identified by the group identification unit 18 from the multicast key table 15 (step S25), and this read multicast key Based on the above, the encrypted predetermined data range portion in the payload portion of the communication data is decrypted (step S26).

  The decryption processing unit 20 transmits the decrypted communication data to the opposite communication device 5 through the communication device interface 12 (step S27), and ends this processing operation.

  In other words, as shown in FIG. 9, when the encryption communication device 3 of “A” detects communication data of the group number “1” from the communication device 5 of “A1”, the multicast corresponding to this group number “1”. Based on the key M1, the payload portion of the communication data is encrypted, and the encrypted communication data is distributed to the opposite encryption communication device 3 with the group number “1”. The encryption communication device 3 with “B” encrypts the encrypted data. When communication data is detected, the payload portion of the communication data is decrypted based on the multicast key corresponding to the group number “1”, and the decrypted communication data is distributed to the communication device 5 of “B1” of the group number “1”. Will do.

  As a result, between the communication device 5 of “A1” on the encryption communication device 3 side of “A” and the opposite communication device 5 on the opposite encryption communication device 3 side of “B”, “C”, “D”. Multicast communication encryption communication can be realized.

  According to the first embodiment, each encryption communication device 3 stores a multicast key for each group number for identifying a multicast communication group, detects communication data to the opposite encryption communication device 3, When it is determined that the communication type of this communication data is multicast communication, the group number of the multicast communication group of this communication data is identified, and the communication data is encrypted based on the multicast key corresponding to this group number, When communication data from the opposite encryption communication device 3 is detected and it is determined that the communication type of this communication data is multicast communication, the group number of the multicast communication group of this communication data is identified, and this group number is Decrypt encrypted communication data based on the corresponding multicast key In addition to the public service network capable of multicast communication expected in the future, even in a multi-access network such as IP-VPN capable of multicast communication at present, communication related to multicast communication using the encryption communication device 3 The security of communication data between the devices 5 can be enhanced.

  According to the first embodiment, the communication device 5 accommodated and connected to the encryption communication device 3 is accommodated and connected to the opposite encryption communication device 3 via the multi-access network 2 through the encryption communication device 3 and the opposite encryption communication device 3. Since the communication data is transmitted / received to / from the opposite communication device 5, even if the communication device 5 does not have the encryption communication function, the encryption communication between the communication devices 5 is performed using the encryption communication device 3. Can be established.

  According to the first embodiment, the key management server 4 is communicatively connected to all the cryptographic communication devices 3 via the multi-access network 2, and an arbitrary key form is grouped from a plurality of key forms at a predetermined timing. And the selected key form is distributed to all the cryptographic communication devices 3 as a multicast key. As a result, each cryptographic communication device 3 receives a new key form from the key management server 4 at a predetermined timing. Since the received key form is updated as a new multicast key, the key management server 4 may collectively change the setting of the multicast key used for encryption and decryption of the multicast communication in all the encryption communication devices 3. it can.

  According to the first embodiment, at the time of multicast communication, the payload portion of the predetermined data range portion included in the communication data is encrypted with the multicast key, and the encrypted payload portion of the predetermined data range portion is decrypted with the multicast key. Since only a part of the payload portion is encrypted, the processing load on the encryption processing unit 19 and the decryption processing unit 20 can be reduced.

  In the first embodiment, in order to update the multicast key common to all the cryptographic communication devices 3 stored in each cryptographic communication device 3 with a new multicast key, the key management server 4 Communication access is made to all cryptographic communication devices 3 and a key form as a new multicast key is provided and distributed to all cryptographic communication devices 3 from the key management server 4. For example, the cryptographic communication device 3 is added to the multi-access network 2. When connecting, it is necessary to register the address information of the additionally connected encryption communication device 3 in the key management server 4.

  Therefore, in order to improve such registration work, each cryptographic communication device 3 communicates with the key management server 4 at a common timing, and the key management server 4 sends a multicast key to each cryptographic communication device 3 in response to this communication access. If a system configuration that provides and distributes a key form is obtained, even if a new encryption communication device 3 is additionally connected, it is not necessary to register the address information of the new encryption communication device 3 in the key management server 4, and all encryption It is also possible to update the multicast key in the communication device 3.

  In the first embodiment, the key management server 4 is used to update the multicast key in the entire cryptographic communication device 3 to a new multicast key. For example, for each cryptographic communication device 3, It goes without saying that the same effect can be obtained even if a management terminal device capable of setting and changing the multicast key stored in the multicast key table 15 is arranged and the multicast key is changed by this management terminal device.

  Similarly, as shown in FIGS. 10 and 11, each cryptographic communication device 3 is common to all the cryptographic communication devices 3 of the key form storage unit 22 for storing the key form 22b for each key number 22a and the control unit 21. A key number is calculated based on the current time and a predetermined program according to the timing of the key form, and a key form selection unit 23 that selects a key form corresponding to the calculated key number from the key form storage unit 22, and the key form selection unit The key form selected in 23 may be provided with a multicast key update unit 24 that updates the multicast key table 15 as a multicast key. In this case, each encryption communication device 3 has the same key number for the same key number. If it is assumed that the key form is stored, and the same program is used with the clock set, all the encryption communication devices 3 are managed at the same timing. It is also possible to update the Chikyasuto key to the new multicast key.

  In the first embodiment, the encryption processing unit 19 and the decryption processing unit 20 encrypt or decrypt the predetermined data range portion of the payload portion of the communication data using the multicast key. However, as shown in FIGS. 12 and 13, for example, a multicast key is composed of a predetermined number of cast keys, and each encryption communication device 3 designates a payload portion included in communication data to be divided into a predetermined number of data ranges. And a cast key table 25 for storing a cast key for each data range designated by the range designation unit. The encryption processing unit 19 detects communication data to the opposite side encryption communication device 3. Then, for each data range of the payload portion included in the communication data, a cast key corresponding to the data range is sequentially read from the cast key table 25, and this order is determined. The data range is sequentially encrypted based on the read cast keys C5, C4, and C6, and when the decryption processing unit 20 detects the communication data from the opposite encryption communication device 3, the payload unit included in the communication data For each data range, cast keys C5, C4, and C6 corresponding to the data range are sequentially read from the cast key table 25, and the data range is sequentially decrypted based on the sequentially read cast keys C5, C4, and C6. Alternatively, since the payload portion is encrypted and decrypted with a plurality of cast keys, the security of communication data can be further enhanced.

  In the first embodiment, the encryption communication related to the communication data of the multicast communication on the multi-access network 2 has been described as an example. However, in addition to the multicast communication, a single encryption communication device 3 is used. Since this is also applicable to encryption communication related to communication data, that is, communication data of unicast communication, this embodiment will be described as a second embodiment.

(Embodiment 2)
FIG. 14 is a block diagram showing a schematic configuration inside the cryptographic communication apparatus 3 according to the second embodiment. In addition, about the structure same as the encryption communication system 1 which shows 1st Embodiment, the same code | symbol is attached | subjected, and the description of the overlapping structure and operation | movement is abbreviate | omitted.

  The encryption communication device 3A shown in FIG. 14 differs from the encryption communication device 3 shown in FIG. 2 in that the encryption communication device 3A can cope with not only multicast communication encryption communication but also unicast communication encryption communication. A session key table 51 that stores therein session keys used for encrypted communication of unicast communication for each address information of the encrypted communication device 3A is provided.

  Further, the encryption communication device 3A has an address information notification unit 52 that notifies the opposite side encryption communication device 3A of the address information of the communication device 5 being managed by the address information management unit 13 according to a predetermined timing, and the opposite side encryption communication. A table that updates the session key table 51 to store the session key in association with the address information of the opposite communication device 5 when the address information of the opposite communication device 5 is received from the address information notification unit 52 on the device 3A side. And an update unit 53.

  That is, as shown in FIG. 15, the session key table 51 stores the session key 15b for each address information 15a of the opposite side encryption communication device 3A, and accommodates and connects to the opposite side encryption communication device 3A. The session key 15b is stored for each address information 15a. The session key of the opposite side communication device 5 is the same key as the session key of the opposite side encryption communication device 3A that accommodates and connects the opposite side communication device 5, for example, the session of the opposite side encryption communication device 3A of “B”. When the key is “S1”, the session keys of the communication devices 5 of “B1” and “B2” that are accommodated and connected to the opposite encryption communication device 3A are also “S1”.

  Accordingly, each encryption communication device 3A exchanges address information of the communication device 5 accommodated and connected to itself according to a predetermined timing, and as a result, each encryption communication device 3A includes all the encryption communication devices 3A accommodated and connected. The session key table 51 updates the address information of the communication device 5 and the session key used for the unicast communication of the communication device 5 for each address information of the communication device 5.

  For example, when unicast communication is performed between the communication device 5 of “A2” and the communication device 5 of “C1”, the encryption communication device 3A of “A” that accommodates and connects the communication device 5 of “A2” is shown in FIG. The encrypted communication device 3A of “C” that reads the session key S2 corresponding to the communication device 5 of “C1” shown in FIG. 15A and accommodates and connects the communication device 5 of “C1” is shown in FIG. The session key S2 corresponding to the communication device 5 “A2” is read out.

  The communication type determination unit 17 of the encryption communication device 3A performs unicast communication when it is determined that the communication type of this communication data is not multicast communication based on the transmission destination address corresponding to the identification result of the address information identification unit 16. Whether or not.

  When the communication type determination unit 17 determines that the communication type of the communication data is unicast communication, the encryption processing unit 19 of the encryption communication device 3A determines the communication data corresponding to the identification result of the address information identification unit 16. A session key corresponding to the destination address is read from the session key table 51, the communication data is encrypted based on the read session key, and the encrypted communication data is sent to the opposite side encryption communication device 3A via the network interface 11. Is to be transmitted.

  When the communication type determination unit 17 determines that the communication type of the communication data is unicast communication, the decryption processing unit 20 of the encryption communication device 3A determines the communication data corresponding to the identification result of the address information identification unit 16. A session key corresponding to the transmission source address is read from the session key table 51, the encrypted communication data is decrypted based on the read session key, and the decrypted communication data is communicated through the communication device interface 12. The data is transmitted to the device 5.

  The encrypted communication device described in the claims is the encryption communication device 3A, the session key storage means is the session key table 51, the subordinate address information management means is the address information management section 13, the subordinate address management information notification means is the address information notification section 52, The update means corresponds to the table update unit 53.

  Next, the operation of the cryptographic communication system showing the second embodiment will be described.

  For example, an operation when the communication device 5 “A2” accommodated and connected to the encryption communication device 3A “A” performs unicast communication with the communication device 5 “C2” accommodated and connected to the encryption communication device 3A “C”. Will be described. FIG. 16 is a flowchart showing the processing operation of the cryptographic communication device 3A related to the multicast / unicast encryption processing.

  In FIG. 16, when the address information identification unit 16 of the encryption communication device 3A detects communication data from the communication device 5 through the communication device interface 12 in step S11, the transmission destination address is determined based on the address information of the communication data in step S12. Identify

  In step S13, the communication type determination unit 17 of the encryption communication device 3A determines whether or not the communication type of the communication data is multicast communication based on the transmission destination address of the communication data. If it is determined that the communication is multicast communication, the processing operations in steps S14 to S17 are executed. If it is determined in step S13 that the communication data communication type is not multicast communication, the communication data communication type is determined. Is determined to be unicast communication (step S31).

  When the communication type determination unit 17 determines that the communication type of the communication data is unicast communication, the encryption processing unit 19 of the encryption communication device 3A determines the communication data corresponding to the identification result of the address information identification unit 16. A session key for unicast communication corresponding to the destination address is read from the session key table 51 (step S32), and a predetermined data range portion in the payload portion of the communication data is encrypted based on the read session key (step S33). ).

  The encryption processing unit 19 transmits the encrypted communication data to the opposite encryption communication device 3A that accommodates and connects the opposite communication device 5 of the unicast communication partner via the network interface 11 (step S34). This processing operation ends.

  Next, the operation of the opposite encryption communication apparatus 3A that receives encrypted communication data will be described. FIG. 17 is a flowchart showing the processing operation of the opposite encryption communication apparatus 3A related to the multicast / unicast decryption process.

  In FIG. 17, when the address information identification unit 16 of the opposite side encryption communication device 3A detects the encrypted communication data from the encryption communication device 3A through the network interface 11 in step S21, the address of the communication data in step S22. The destination address is identified based on the information.

  In step S23, the communication type determination unit 17 of the opposite side encryption communication device 3A determines whether or not the communication type of the communication data is multicast communication based on the transmission destination address of the communication data. If it is determined that the type is multicast communication, the processing operations of step S24 to step S27 are executed. If it is determined in step S23 that the communication type of communication data is not multicast communication, the communication data It is determined whether the communication type is unicast communication (step S41).

  When the communication type determination unit 17 determines that the communication type of the communication data is unicast communication, the decryption processing unit 20 of the opposite side encryption communication device 3A performs communication corresponding to the identification result of the address information identification unit 16. A session key for unicast communication corresponding to the data source address is read from the session key table 51 (step S42), and based on the read session key, the encrypted predetermined data range portion in the payload portion of the communication data is read. Decryption is performed (step S43).

  The decryption processing unit 20 transmits the decrypted communication data to the opposite communication device 5 through the communication device interface 12 (step S44), and ends this processing operation.

  In other words, as shown in FIG. 18, the encryption communication device 3A of “A” detects communication data from the communication device 5 of “A2” to the communication device 5 of “C1”. The payload portion of the communication data is encrypted based on the session key S2 corresponding to the unicast communication, and the encrypted communication data is distributed to the opposite encryption communication device 3A of “C”. The encryption communication device 3A of “C” When the communication data from the encrypted “A2” communication device 5 is detected, the payload portion of the communication data is decrypted based on the session key S2 corresponding to the unicast communication of the “A2” communication device 5. The decrypted communication data is distributed to the communication device 5 of “C1”.

  As a result, encrypted communication of unicast communication between the communication device 5 of “A2” of the encryption communication device 3A of “A” and the opposite communication device 5 of “C1” of the opposite encryption communication device 3A of “C”. Can be realized.

  According to the second embodiment, the encryption communication device 3A stores the session key used for encryption of unicast communication for each address information of the encryption communication device 3A and the communication device 5, and the opposite side encryption When it is determined that the communication type of communication data to the communication device 3A is unicast communication, the transmission destination address of this communication data is identified, the session key corresponding to this transmission destination address is read, and the read session key The communication data is encrypted, and if the communication type of the communication data from the opposite side encryption communication device 3A is determined to be unicast communication, the transmission source address information of this communication data is identified, and this transmission The session key corresponding to the original address is read out, and the communication data is decrypted based on the read session key. Yasuto communication, of course, can also establish the encrypted communication between the communication device 5 for communicating data unicast communication.

  Further, according to the second embodiment, the encryption communication device 3A notifies address information of the communication device 5 to be accommodated and connected to the opposite encryption communication device 3A according to a predetermined timing, and the opposite encryption communication device 3A. When the address information of the opposite side communication device 5 is received, the session key of the opposite side encryption communication device 3A accommodating and connecting the opposite side communication device 5 is stored in association with the address information of the opposite side communication device 5 Therefore, since the session key table 51 is updated, each encryption communication device 3A side can hold a session key for each communication device 5 accommodated and connected to the opposite encryption communication device 3A.

  Further, according to the second embodiment, the payload portion of the predetermined data range portion included in the communication data is encrypted with the session key during unicast communication, and the encrypted payload portion of the predetermined data range portion is encrypted with the session key. Since the decryption is performed, only a part of the payload portion is encrypted, so that the processing load on the encryption processing unit 19 and the decryption processing unit 20 can be reduced.

  In the second embodiment, as described in the first embodiment, the multicast key in the multicast key table 15 in each encryption communication device 3A is updated to a new multicast key. However, even if the session key stored for each address information of each encryption communication device 3A and communication device 5 in the session key table 51 inside each encryption communication device 3A is updated to a new session key, the same effect is obtained. Needless to say, is obtained.

  In the second embodiment, the address information of the communication device 5 accommodated and connected is notified to the opposite side encryption communication device 3A through the address information notification unit 52, but the same address is used using the IKE protocol. The information may be encrypted, and the encrypted address information may be notified to the opposite encryption communication apparatus 3A, and security can be enhanced when address information is provided to the opposite encryption communication apparatus 3A.

  Next, an embodiment of a video distribution system to which the cryptographic communication system 1 showing the first embodiment is applied will be described as a third embodiment.

(Embodiment 3)
FIG. 19 is a block diagram showing a schematic configuration inside the video distribution system according to the third embodiment.

  A video distribution system 1A shown in FIG. 19 provides a video distribution center 101 that distributes a plurality of service videos, a plurality of bases 102 that receive provision of desired service video from the video distribution center 101, and services to the video distribution center 101 and the bases 102. A key management server 4A that distributes a multicast key used for video encryption and decryption, and the video distribution center 101 provides service to the bases 102 in a specific group via multicast communication via the IP network 2A. The video is distributed.

  The video distribution center 101 includes a center-side router 103A that controls a communication interface with the IP network 2A, a database 104 that stores a plurality of service videos, and a video distribution that selects an arbitrary service video from a plurality of service videos in the database 104. A server-side encryption communication device 3B that encrypts the service video selected by the video distribution server function, and the center-side cryptographic communication device 3B detects the service video selected by the video distribution server function. Then, this service video is encrypted and distributed to the base 102 of the specific group by multicast communication.

  Each site 102 includes a site-side router 103B that controls a communication interface with the IP network 2A, a site-side encrypted communication device 3C that decrypts service video of multicast communication received through the site-side router 103B, and this site-side encrypted communication. When the base side encrypted communication device 3C receives the encrypted service video via the IP network 2A by multicast communication, the base side encrypted communication device 3C has a plurality of communication devices 5A accommodated and connected to the device 3C. And the decoded service video is distributed to the communication device 5A.

  For example, the “B” site-side cryptographic communication device 3C at the “B” site 102 replaces the “B1” and “B2” site-side communication devices 5A with the “C” site 102 at the “C” site 102. The base-side cryptographic communication device 3C is “C1” and “C2” base-side communication device 5A, and the “D” base-side cryptographic communication device 3C at the “D” base 102 is “D1” and “D2”. The base side communication device 5A is accommodated and connected.

  FIG. 20 is a block diagram showing a schematic configuration inside the center side encryption communication device 3B.

  The center side cryptographic communication device 3B shown in FIG. 20 manages the router interface 11B that controls the communication interface with the center side router 103A, the database interface 12B that controls the communication interface with the database 104, and the address information of the database 104. Address information management unit 13B, multicast key table 15B storing a multicast key used for encrypting service video of the same group for each group number for identifying service video, and IGMP of center side router 103A through router interface 11B A group management table 14B for managing the address information of the communication device 5A for each group number according to the execution of the snooping process, and a multi-function corresponding to the group number at the time of multicast distribution of service video And a control unit 21B that controls the entire center side encryption communication device 3B. The encryption processing unit 19B encrypts the service video based on the read multicast key. Yes.

  For example, the service video “1” is a group number “1”, the service video “2” is a group number “2”, the service video “3” is a group number “3”, and the like. A group number for identification is given.

  When the center-side router 103A detects a multicast group participation expression (IGMPjoin) from the center-side cryptographic communication device 3B using a multicast management protocol such as IGMP / MLD, the address of the center-side cryptographic communication device 3B is transmitted through the IGMP snooping process. It recognizes the group number of the multicast group of information and participation expression.

  Further, when the center side router 103A detects the participation of the multicast group (IGMPjoin) from the communication device 5A on the base side router 103B side using the dynamic routing protocol, the center side router 103A executes the IGMP snooping process to execute the address of the communication device 5A. In addition to recognizing the group number of the multicast group of the information and the participation expression, the distribution route on the IP network 2A between the communication device 5A and the center side encryption communication device 3B is determined using a dynamic routing protocol.

  As shown in FIG. 21, the group management table 14B includes, for each service video 14c, a group number 14d for identifying a viewing group (multicast group) of the service video, and address information 14e of the opposite communication device 5A of the viewing group. The control unit 21B acquires and manages the address information of the communication device 5A for each group number 14d according to the execution of the IGMP snooping process of the center side router 103A.

  As shown in FIG. 22, the multicast key table 15B stores a multicast key 15d for each group number 15c, and the control unit 21B receives a multicast key for each group number from the key management server 4A on the IP network 2A. Is received and the table is updated.

  The encryption processing unit 19B reads the multicast key corresponding to the group number corresponding to the service video from the multicast key table 15B during multicast distribution of the service video, and encrypts the service video of the group based on the read multicast key. The encrypted service video is distributed by multicast communication to the communication device 5A belonging to the same group through the router side interface 11A.

  FIG. 23 is a block diagram showing a schematic configuration inside the base-side encrypted communication device 3C.

  The site-side cryptographic communication device 3C shown in FIG. 23 includes a site-side router interface 11C that controls a communication interface with the site-side router 103B and a communication device interface 12C that controls a communication interface between a plurality of communication devices 5A to be accommodated and connected. A base-side multicast key table 15C that manages address information of the communication device 5A and stores a multicast key used for decrypting the service video of the group corresponding to the group number subscribed for each address of the communication device 5A; When the multicast communication service video is received, the base-side address information identification unit 16C that identifies the transmission destination address of the service video, and when the multicast communication service video is received, the base that identifies the group number corresponding to the service video A side group identification unit 18C; The multicast key corresponding to the group number corresponding to the identification result of the site-side group identification unit 18C is read from the site-side multicast key table 15C, and decryption is performed to decrypt the encrypted service video based on the read multicast key. A processing unit 20C and a base-side control unit 21C that controls the entire base-side encrypted communication device 3C are provided.

  As shown in FIG. 24, the base-side multicast key table 15C includes, for each address information 15f of the communication device 5A, the group number 15g corresponding to the viewing group to which the communication device 5A has joined, and the decoding of the service video of the group. And a multicast key 15h to be used.

  When receiving the multicast communication of the service video through the base side router 103B, the decryption processing unit 20C reads the multicast key corresponding to the group number of the service video from the base side multicast key table 15C, and based on the read multicast key, The encrypted service video is decrypted.

  FIG. 25 is a block diagram showing a schematic configuration inside the key management server 4A.

  The key management server 4A shown in FIG. 25 includes a server interface 41A that manages a communication interface with the IP network 2A, a key form storage unit 42A that stores a plurality of, for example, thousands of key forms, and a predetermined timing. A key form selection unit 43A for selecting a key form for each group number from a plurality of key forms stored in the key form storage unit 41A, and a key for managing the key form selected by the key form selection unit 43A in units of group numbers Key form distributed to the center side encryption communication device 3B and the base side encryption communication device 3C via the server interface 41A using the form management unit 44A and the key form currently managed by the key form management unit 44A as a multicast key. And a delivery unit 45A.

  The key form distribution unit 45A distributes the key form to the center side encryption communication device 3B and the site side encryption communication device 3C for each group number managed by the key form management unit 45A through the server interface 41A.

  The control unit 21B of the center side encryption communication device 3B receives the multicast key corresponding to the group number from the key management server 4A and updates the multicast key table 15B.

  When the base-side control unit 21C of the base-side encrypted communication device 3C receives a multicast key having a group number corresponding to the viewing group to which the communication device 5A belongs from the key management server 4A, the base-side control unit 21C The table is updated in the multicast key table 15C.

  The encryption communication system described in the claims is the video distribution system 1A, the multi-access network is the IP network 2A, the encryption communication device is the center side encryption communication device 3B and the site side encryption communication device 3C, and the multicast key storage means is the multicast key table 15B. And the base-side multicast key table 15C, the encryption communication means is the encryption processing section 19B, the decryption communication means is the decryption processing section 20C, the address information management means is the address information management section 13B and the base-side address information management section 13C, data The distribution means corresponds to the communication device interface 12C, the communication device corresponds to the communication device 5A, the group information storage means corresponds to the group management table 14B, the group identification means corresponds to the site side group identification unit 18C, and the key management server corresponds to the key management server 4A. is there.

  Next, the operation of the video distribution system 1A showing the third embodiment will be described. FIG. 26 is an explanatory diagram showing the state of the video distribution system 1A under the initial state.

  In the video distribution system 1A in the initial state, the user of the communication device 5A on the site 102 side is not subscribed to the video distribution system 1A, that is, on the video distribution center 101 side, service video to the communication device 5A at each site 102 is displayed. It is in a state of not delivering.

  Note that the group management table 14B and the multicast key table 15B of the center-side cryptographic communication device 3B on the video distribution center 101 side are in a data unstored state, and the base-side multicast key table 15C of the base-side cryptographic communication device 3C of the base 102 is accommodated and connected. In this state, only the address of the communication device 5A is stored.

  Further, the center side router 103A of the video distribution center 101 and the base side router 103B of each base 102 are connected by communication, and the IGMP / MLD multicast management protocol is operating on the IP network 2A.

  FIG. 27 is an explanatory diagram showing the state of the video distribution system 1A under preparation for the video distribution service.

  The video distribution system 1A under preparation for the video distribution service is in a preparation state for starting the video distribution service.

  The control unit 21C of the center side encryption communication device 3B on the video distribution center 101 side updates the group number of the multicast distribution group for identifying the service video in the group management table 15B for each service video.

  Further, the control unit 21C of the center side encryption communication device 3B notifies the center side router 103A through the router interface 11B of IGMP join indicating the participation expression for each group in order to create a multicast key for each group number.

  When the center side router 103A detects IGMP join indicating the participation expression of the multicast distribution from the center side encryption communication device 3B, the center side router 103A executes the IGMP snooping process for each group number.

  The control unit 21B of the center side cryptographic communication device 3B identifies the group number of the participation announcement through the IGMP snooping process of the center side router 103A, and receives the key form from the key management server 4A for each group number. Is stored in the multicast key table 15B as a multicast key. The key management server 4A selects a key form for each group number and manages the selected key form in the key form management unit 44A in units of group numbers.

  As a result, the control unit 21B of the center side encryption communication device 3B stores, for each group number for identifying the service video, a multicast key used for encrypting the service video of the same group in the multicast key table 15B. It is assumed that “1” stores a multicast key M1, and group number “2” stores a multicast key M2.

  Next, after the video distribution service of the video distribution system 1A is prepared, the operation when the user of the communication device 5A on the site 102 side executes the viewing procedure of the desired service video from a plurality of service videos stored in the database 104 will be described. . FIG. 28 is an explanatory diagram briefly showing the state of the video distribution system 1B during the viewing procedure.

  When the user of the communication device 5A at each site 102 wants to view the desired service video, it is necessary to participate in a group for identifying the service video.

  For example, when the user of the communication device 5A of “B1” participates in the group number “1”, the base-side encryption communication device 3C of “B” performs a group operation according to a predetermined operation from the communication device 5A of “B1”. The IGMP join indicating the participation expression of the number “1” is notified to the base side router 103B and the center side router 103A.

  When the center side router 103A and the base side router 103B detect the IGMP join of the communication device 5A of “B1” through the base side encryption communication device 3C of “B”, the distribution route on the IP network 2A is determined by the multicast routing protocol.

  Further, the base router 103B of “B” executes IGMP snooping processing when detecting IGMP join indicating the participation of the group number “1” of multicast distribution from the base side encryption communication device 3C of “B”.

  The base-side control unit 21C of the base-side encryption communication device 3C of “B” responds to the IGMP snooping process of the base-side router 103B of “B” and the communication devices 5A of the group numbers “1” and “B1” of the participation statement Is identified, the group number “1” is stored in the base-side multicast key table 15C in association with the address information of the communication device 5A of “B1”.

  Further, the site-side control unit 21C receives the key form corresponding to the group number “1” from the key management server 4A, and associates the key form with the address of the communication device 5A and the multicast key with the group number “1”. Is stored in the base-side multicast key table 15C. The base-side multicast key table 15C of the base-side encryption communication device 3C of “B” stores the multicast key M1 of the group number “1” in association with the address of the communication device 5A of “B1”. .

  Further, similarly, when the center side router 103A detects IGMP join indicating the participation expression of the group number “1” of the multicast distribution from the base side encrypted communication device 3C of “B”, the center side router 103A executes the IGMP snooping process.

  When the control unit 21B of the center side encryption communication device 3B identifies the address information of the communication devices 5A having the group numbers “1” and “B1” in the participation statement according to the IGMP snooping process of the center side router 103A, the group management table The address information of the communication device 5A of “B1” is stored as the opposite address in association with the same group number “1” in 14B.

  As a result, the user of the communication device 5A of “B1” is in a state where the viewing procedure of the service video of the group number “1” is completed. The base-side multicast in the base-side cipher communication device 3C of “B” that accommodates and connects the group key “1” in the multicast key table 15B of the center-side cipher communication device 3B and the communication device 5A of “B1”. The multicast key having the group number “1” corresponding to the communication device “B1” in the key table 15C is the same key M1.

  The other communication device 5A also executes a desired service video viewing procedure in the same manner as described above. As shown in FIG. 29, for example, the user of the communication device 5A of “D2” has the service of the group number “3”. When the video viewing procedure is completed, the group management table 14B of the center side encryption communication device 3B stores the address information of the communication device 5A of “D2” in association with the group number “3”, and the communication of “D2”. The multicast key M3 with the group number “3” corresponding to the communication device 5A of “D2” in the base-side multicast key table 15C of the base-side encryption communication device 3C that accommodates and connects the device 5A is stored.

  Next, an operation of distributing service video from the video distribution center 101 to each communication device 5A in each site 102 after the service video viewing procedure is completed will be described. FIG. 29 is an explanatory diagram showing a state of the video distribution system 1B during service video distribution.

  When the center side encryption communication device 3B shown in FIG. 29 distributes the service video of the group number “1”, if the service video of the group number “1” is detected from the database 104 through the database interface 12B, The group number “1” and the transmission destination address (opposite address) corresponding to this group number are read from the group management table 14B.

  When identifying the group number “1” corresponding to the service video, the encryption processing unit 19B of the center side encryption communication device 3B reads the multicast key M1 corresponding to the group number “1” from the multicast key table 15B. The payload portion of the service video is encrypted based on the read multicast key M1, and the encrypted service video is distributed to each communication device 5A addressed to the transmission destination address (opposite side address) by multicast communication through the router interface 11B. The center side encryption communication device 3B refers to the group management table 14B shown in FIG. 29. For example, when the group number is “1”, the service video is multicast to the two communication devices 5A of “B1” and “C2”. Will be delivered.

  For example, the base router address information identification unit 16C of the base side encrypted communication device 3C of “B” that accommodates and connects the communication device 5A of “B1” that has completed the viewing procedure of the service video of the group number “1” has the interface for the base router When the service video is detected through 11C, the transmission destination address of the service video is identified. Note that the addresses of the communication devices 5A of “B1” and “C2” are identified as the transmission destination addresses.

  The site-side group identifying unit 18C of the site-side encrypted communication device 3C identifies the group number corresponding to this service video based on the transmission destination address of this service video. The group number identifies the group number “1”.

  The decryption processing unit 20C of the site side encrypted communication device 3C reads the multicast key corresponding to the group number from the site side multicast key table 15C, and decrypts the payload portion of the encrypted service video based on the read multicast key. Turn into. The base side encryption communication device 3C reads the multicast key M1 corresponding to the communication device 5A of “B1” and the group number “1” with reference to the base side multicast key table 15C of “B” shown in FIG. become.

  When the decryption processing unit 20C decrypts the payload portion of the service video based on the multicast key M1, the decrypted service video is distributed to the communication device 5A of “B1” through the communication device side interface 12C. Become.

  As a result, the user of the communication device 5A of “B1” can view the service video of the group number “1” encrypted by the center side encryption communication device 3B.

  Similarly, the user of the communication device 5A of “C2” uses the multicast key M1 corresponding to the group number “1” stored in the base-side multicast key table 15C of the base-side encryption communication device 3C of “C”. Then, the service video of the group number “1” encrypted by the center side encryption communication device 3B can be viewed.

  Next, operations related to the viewing end procedure of the communication device 5A will be described.

  When the user of the communication device 5A at each site 102 wants to end viewing of the service video being viewed, the user needs to leave the group that identifies the service video.

  For example, when the user of the communication device 5A of “B1” leaves the group number “1”, the base-side encryption communication device 3C of “B” performs a group operation according to a predetermined operation from the communication device 5A of “B1”. The IGMPLeave indicating the group leaving of the number “1” is notified to the base side router 103B and the center side router 103A.

  When the center side router 103A and the base side router 103B detect the IGMPLeave of the communication device 5A of “B1” through the base side encryption communication device 3C of “B”, the center side router 103A executes IGMP snooping processing and is viewing the communication device 5A. The service video group number and the address of the communication device 5A are identified.

  The base side control unit 21C of the base side encryption communication device 3C of “B” obtains the address information of the communication device 5A of group numbers “1” and “B1” in accordance with the IGMP snooping process of the base side router 103B of “B”. When identified, the group number “1” corresponding to the communication device 5A of “B1” in the base-side multicast key table 15C is deleted, and the multicast key M1 corresponding to the group number “1” is assigned to the key management server 4A. I will return it.

  Further, when the control unit 21B of the center side encryption communication device 3B identifies the addresses of the communication devices 5A having the group numbers “1” and “B1” according to the IGMP snooping process of the center side router 103A, the group number in the group management table 14B The address of the communication device 5A of “B1” is deleted from the transmission destination address (opposite side address) corresponding to “1”.

  As a result, the center side encrypted communication device 3B stops multicast distribution of the service video of the group number “1” to the communication device 5A of “B1”, and the user of the communication device 5A of “B1” 1 "service video cannot be viewed.

  As described above, according to the third embodiment, the group number of the service video is associated with the group management table 14B of the center side encryption communication device 3B according to the viewing procedure of the desired service video of the user of the communication device 5A. The address of the communication device 5A is managed as a transmission destination address (opposite side address), and each address of the communication device 5A is stored in the base-side multicast key table 15C of the base-side encryption communication device 3C accommodating and connecting the communication device 5A. When the center side encryption communication device 3B distributes the service video to each communication device 5A by multicast communication, the center side encryption communication device 3B stores the group number and multicast key of the service video. The service video is encrypted based on the multicast key corresponding to the In the base-side encrypted communication device 3C that accommodates and connects the communication device 5A, the encrypted service video is decrypted based on the multicast key corresponding to the group number of the service video. The security of the service video distributed to the communication device 5A can be enhanced.

(Embodiment 4)
Next, an encryption communication system when applied to a wide area network as the multi-access network 2 will be described as a fourth embodiment. FIG. 30 is a block diagram illustrating a schematic configuration inside the wide area network cryptographic communication system according to the fourth embodiment.

  A wide area network cryptographic communication system 1B shown in FIG. 30 includes a wide area network 2C, a plurality of encryption communication apparatuses 3D that are connected to communicate with the wide area network 2C, a key management server 4B that is connected to the wide area network 2C, and an encryption system. And a communication device 5B such as a personal computer accommodated and connected to the communication device 3D. Among the plurality of encryption communication devices 3D, one encryption communication device 3D simultaneously communicates with a plurality of encryption communication devices 3D in a specific group. When the multicast communication is executed, the communication frame between the encrypted communication devices 3D is encrypted.

  The “A” encryption communication device 3D accommodates and connects the communication devices 5B “A1” and “A2”, and the “B” encryption communication device 3D connects the communication devices 5B “B1” and “B2” to “ The “C” encryption communication device 3D accommodates and connects the “C1” and “C2” communication devices 5B, and the “D” encryption communication device 3D accommodates the “D1” and “D2” communication devices 5B. To do.

  Multicast communication corresponds to a method in which one cryptographic communication device 3D communicates with a plurality of cryptographic communication devices 3D in a specific group at the same time. For example, in the case of group “1”, “A” The communication device 5B of the encryption communication device 3D of "" is simultaneously communicating with the communication devices 5B of the three encryption communication devices 3D of "B", "C" and "D", and in the case of the group "2" the encryption of "A" The communication device 5B of the communication device 3D performs simultaneous communication with the communication device 5B of the encryption communication device 3D of “B”. In the case of the group “3”, the communication device 5B of the encryption communication device 3D of “C” has the encryption communication of “D”. This means simultaneous communication with the communication device 5B of the device 3D.

  FIG. 31 is a block diagram showing a schematic configuration inside the cryptographic communication device 3D.

  The encryption communication device 3D includes a network interface 11D that controls a communication interface with the wide area network 2C, a communication device interface 12D that controls a communication interface with the communication device 5B that is accommodated and connected, and an IP address of the communication device 5B that is accommodated and connected. And an address information management unit 13D that manages address information such as a MAC address, a group management table 14D that stores the IP address and MAC address of the cryptographic communication device 3D belonging to the group for each group number that identifies the group, and a group For each number, a multicast key table 15D storing multicast keys used for encryption and decryption of communication frames related to the group, and a communication frame or network from the communication device 5B through the communication device interface 12D. When the communication frame from the opposite encryption communication device 3D is detected through the interface 11D, the address information identification unit 16D that identifies the IP address and the MAC address included in the communication frame, and the identification result of the address information identification unit 16D When the communication type determination unit 17D determines the communication type of the communication frame and the communication type determination unit 17D determines that the communication type of the communication frame is multicast communication, the identification result of the address information identification unit 16D The group identification unit 18D for identifying the group number of this communication frame and the multicast key corresponding to the group number corresponding to the identification result of the group identification unit 18D are read from the multicast key table 15D, and the read multicast key is used as the read multicast key. Communication A multicast key corresponding to the group number corresponding to the identification result of the encryption processing unit 19D and the group identification unit 18D is read from the multicast key table 15D, and the communication frame is read based on the read multicast key. It has a decryption processing unit 20D for decrypting and a control unit 21D for controlling the entire encryption communication device 3D.

  As shown in FIG. 32, the group management table 14D stores address information 14h of the cryptographic communication device 3D belonging to the group for each group number 14g for identifying the group of multicast communication. It is assumed that “1” stores the MAC address and IP address of the encryption communication device 3D of “A”, “B”, “C”, and “D”.

  As shown in FIG. 33, the multicast key table 15D stores, for each group number 15j, a multicast key 15k used for encryption and decryption of the communication frame of the same group. Stores a multicast key M1.

  When the address information identification unit 16D detects the communication frame from the communication device 5B through the communication device interface 12D, the address information identification unit 16D identifies the transmission destination MAC address based on the MAC address in the header portion of the communication frame, and also through the network interface 11D. When the communication frame from the opposite communication device 5B of the opposite encryption communication device 3D is detected, the transmission destination MAC address is identified based on the MAC address in the header portion of the communication frame.

  The communication type determination unit 17D determines whether the communication type of this communication frame is multicast communication based on the identification result of the address information identification unit 16D.

  In the case of a communication frame from the communication device 5B through the communication device interface 12D, the group identification unit 18D, when the communication type determination unit 17D determines that the communication type of the communication frame is multicast communication, the group management table 14D Based on the contents of the table, the group number of the multicast communication group corresponding to the destination MAC address of this communication frame is identified, and in the case of the communication frame from the opposite side encryption communication device 3D through the network interface 11D, the communication type determination unit 17D When it is determined that the communication type of the communication frame is multicast communication, the group number of the multicast communication group corresponding to the destination MAC address of this communication frame is identified based on the table contents of the group management table 14D. Is shall.

  In the case of a communication frame from the communication device 5B through the communication device interface 12D, the encryption processing unit 19D, when the communication type determination unit 17D determines that the communication type of the communication frame is multicast communication, the group identification unit 18D The multicast key corresponding to the group number corresponding to the identification result is read from the multicast key table 15D, the communication frame is encrypted based on the read multicast key, and the encrypted communication frame is opposed to the network key 11D. The data is transmitted to the side encryption communication device 3D.

  In the case of a communication frame from the opposite encryption communication device 3D through the network interface 11D, the decryption processing unit 20D reads the multicast key corresponding to the group number corresponding to the identification result of the group identification unit 18D from the multicast key table 15D, Based on the read multicast key, the communication frame is decrypted, and the decrypted communication frame is transmitted to the communication device 5B through the communication device interface 12D.

  Furthermore, the encryption communication device 3D includes a session key table 51D that stores a session key used for encryption communication of unicast communication for each MAC address of the encryption communication device 3D so as to be compatible with encryption communication of unicast communication. According to a predetermined timing, the address information notifying unit 52D for notifying the opposite side encryption communication device 3D of the address information of the communication device 5B being managed by the address information management unit 13D, and the address information notification on the opposite side encryption communication device 3D side A table updating unit 53D that updates the session key table 51D to store the session key in association with the address information of the opposite communication device 5B when receiving the address information of the opposite communication device 5B from the unit 52D. ing.

  That is, as shown in FIG. 34, the session key table 51D stores the session key 51d for each MAC address 51c of the opposite side encryption communication device 3D, and also accommodates and connects the opposite side communication device 5B to the opposite side encryption communication device 3D. Session key 51d is stored for each MAC address 51c. The session key of the opposite side communication device 5B is the same as the session key of the opposite side encryption communication device 3D that accommodates and connects the opposite side communication device 5B. For example, the session key of the opposite side encryption communication device 3D of “B” is used. When the key is “S1”, the session keys of the communication devices 5B of “B1” and “B2” that are accommodated and connected to the opposite encryption communication device 3D are also “S1”.

  Accordingly, each encryption communication device 3D exchanges address information of the communication device 5B accommodated and connected to itself according to a predetermined timing. As a result, each encryption communication device 3D has all the encryption communication devices 3D accommodated and connected. For each MAC address of the communication device 5B and the MAC address of each communication device 5B, the session key used for the unicast communication of the communication device 5B is stored in the session key table 51D.

  For example, when performing unicast communication between the communication device 5B of "A2" and the communication device 5B of "C1", the encryption communication device 3D of "A" that accommodates and connects the communication device 5B of "A2" The cipher communication device 3D of “C” that reads out the session key S2 corresponding to the communication device 5B of “C1” shown in FIG. 34 (a) and accommodates and connects the communication device 5B of “C1” is shown in FIG. The session key S2 corresponding to the communication device 5B of “A2” is read out.

  The communication type determination unit 17D of the encryption communication device 3D determines whether the communication type of the communication frame is not multicast communication based on the identification result of the address information identification unit 16D, whether or not the communication type is unicast communication. Is.

  When the communication type determination unit 17D determines that the communication type of the communication frame is unicast communication, the encryption processing unit 19D of the encryption communication device 3D determines the communication frame corresponding to the identification result of the address information identification unit 16D. A session key corresponding to the destination MAC address is read from the session key table 51D, the communication frame is encrypted based on the read session key, and the encrypted communication frame is transmitted to the opposite side encryption communication device through the network interface 11D. It is transmitted in 3D.

  When the communication type determination unit 17D determines that the communication type of the communication frame is unicast communication, the decryption processing unit 20D of the encryption communication device 3D determines the communication frame corresponding to the identification result of the address information identification unit 16D. A session key corresponding to the transmission source MAC address is read from the session key table 51D, the encrypted communication frame is decrypted based on the read session key, and the decrypted communication frame is transmitted through the communication device interface 12D. The data is transmitted to the communication device 5B.

  FIG. 35 is a block diagram showing a schematic configuration inside the communication device 5B accommodated and connected to the encryption communication device 3D.

  The communication device 5B shown in FIG. 35 is configured by, for example, a personal computer, and transmits from the frame transmission unit 31B that transmits a communication frame to the communication device interface 12D of the encryption communication device 3D, and the communication from the communication device interface 12D of the encryption communication device 3D. A frame receiving unit 32B that receives a frame; a data output unit 33B that outputs a communication frame received by the frame receiving unit 32B; and a communication device side control unit 34B that controls the entire communication device 5B. The transmission unit 31B and the frame reception unit 32B transmit and receive a communication frame to and from the opposite communication device 5B accommodated and connected to the opposite encryption communication device 3D through the encryption communication device 3D and the opposite encryption communication device 3D. .

  When receiving the key form for each group number from the key management server 4B, the control unit 21D in the encryption communication device 3D stores and updates the key form as a new multicast key for each group number stored in the multicast key table 51D. Is.

  Further, the control unit 21D includes a data range specifying unit that specifies the data range of the payload portion of the communication frame that is to be encrypted by the encryption processing unit 19D. The data range specified by the data range specification unit is common to all the encryption communication devices 3D.

  When the encryption processing unit 19D detects a communication frame to the opposite encryption communication device 3D, the encryption processing unit 19D encrypts a predetermined data range portion in the payload portion of the communication frame using a multicast key. In addition, when the decryption processing unit 20D detects the encrypted communication frame from the opposite encryption communication device 3D, the decryption processing unit 20D decrypts the encrypted predetermined data range portion of the communication frame using the multicast key. Is.

  The encryption communication system according to the claims is the wide area network encryption communication system 1B, the multi-access network is the wide area network 2C, the encryption communication apparatus is the encryption communication apparatus 3D, the multicast key storage means is the multicast key table 15D, and the encryption communication means is The encryption processing unit 19D, the decryption communication unit is the decryption processing unit 20D, the address information management unit is the address information management unit 13D, the data distribution unit is the communication device interface 12D, the communication device is the communication device 5B, and the data transmission unit is the frame. The transmission unit 31D, the data reception unit is the frame reception unit 32D, the group information storage unit is the group management table 14D, the address information identification unit is the address information identification unit 16D, the group identification unit is the group identification unit 18D, and the key management server is the key management server 4B, the range designation means Data range designation section, session key storage means is session key table 51D, subordinate address information management means is address information management section 13D, subordinate address management information notification means is address information notification section 52D, update means is table update section 53D, multicast The key update means corresponds to the control unit 21D.

  Next, the operation of the wide area network cryptographic communication system 1B according to the fourth embodiment will be described.

  For example, an operation when the communication device 5B of “A1” accommodated and connected to the encryption communication device 3D of “A” executes multicast communication of the group number “1” will be described. FIG. 36 is a flowchart showing the processing operation of the cryptographic communication device 3D related to the multicast / unicast encryption processing.

  The address information identification unit 16D of the encryption communication device 3D determines whether or not a communication frame from the communication device 5B is detected through the communication device interface 12D (step S51).

  When the address information identification unit 16D detects the communication frame from the communication device 5B through the communication device interface 12D, the address information identification unit 16D identifies the destination MAC address based on the address information in the header portion of the communication frame (step S52).

  The communication type determination unit 17D of the encryption communication device 3D determines whether or not the communication type of this communication frame is multicast communication based on the transmission destination MAC address of this communication frame (step S53).

  When the communication type determination unit 17D determines that the communication type of the communication frame is multicast communication, the group identification unit 18D of the encryption communication device 3D transmits the transmission destination of this communication frame based on the table contents of the group management table 14D. The group number of the multicast communication group corresponding to the MAC address is identified (step S54).

  The encryption processing unit 19D of the encryption communication device 3D reads the multicast key corresponding to the group number of the same communication frame identified by the group identification unit 18D from the multicast key table 15D (step S55), and based on the read multicast key The predetermined data range portion in the payload portion of this communication frame is encrypted (step S56).

  The encryption processing unit 19D transmits the encrypted communication frame to the opposite side encryption communication device 3D of the multicast communication partner via the wide area network 2C through the network interface 11D (step S57), and ends this processing operation. To do. The opposite side encryption communication device 3D of the multicast communication partner corresponds to the encryption communication device 3D of “B”, “C”, and “D” in the case of multicast communication with the group number “1”.

  Also, the address information identification unit 16D of the encryption communication device 3D ends this processing operation unless a communication frame from the communication device 5B is detected in step S51.

  If the communication type determination unit 17D of the encryption communication device 3D determines that the communication type of the communication frame is not multicast communication based on the transmission destination MAC address of the communication frame in step S53, the communication type of the communication frame is determined. It is determined whether or not the communication is unicast communication (step S58).

  When the communication type determination unit 17D determines that the communication type of the communication frame is unicast communication, the encryption processing unit 19D of the encryption communication device 3D determines the communication frame corresponding to the identification result of the address information identification unit 16D. A session key for unicast communication corresponding to the destination MAC address is read from the session key table 51D (step S59), and a predetermined data range portion in the payload portion of this communication frame is encrypted based on the read session key (step S59). S60).

  The encryption processing unit 19D transmits the encrypted communication frame to the opposite encryption communication device 3D that accommodates and connects the opposite communication device 5B of the unicast communication partner through the network interface 11D (step S61). This processing operation ends.

  If it is determined in step S53 that the communication type of the communication frame is not unicast communication, the communication type determination unit 17D of the encryption communication device 3D ends the processing operation.

  Next, the operation of the opposite side encryption communication device 3D that receives the encrypted communication frame will be described. FIG. 37 is a flowchart showing the processing operation in the opposite side encryption communication apparatus 3D related to the multicast / unicast decryption process.

  In FIG. 37, the address information identification unit 16D of the opposite side encryption communication device 3D determines whether an encrypted communication frame from the encryption communication device 3D is detected through the network interface 11D (step S71).

  When the address information identification unit 16D detects the encrypted communication frame from the encryption communication device 3D through the network interface 11D, the address information identification unit 16D identifies the destination MAC address based on the address information in the header portion of the communication frame (step S72). ).

  The communication type determination unit 17D of the opposite side encryption communication device 3D determines whether the communication type of this communication frame is multicast communication based on the transmission destination MAC address of this communication frame (step S73).

  When the communication type determination unit 17D determines that the communication type of the communication frame is multicast communication, the group identification unit 18D of the opposite side encryption communication device 3D determines the communication frame based on the table contents of the group management table 14D. The group number of the multicast communication group corresponding to the transmission destination MAC address is identified (step S74).

  The decryption processing unit 20D of the opposite side encryption communication device 3D reads the multicast key corresponding to the group number of the same communication frame identified by the group identification unit 18D from the multicast key table 15D (step S75), and this read multicast key Based on the above, the encrypted predetermined data range portion in the payload portion of the communication frame is decrypted (step S76).

  The decryption processing unit 20D transmits the decrypted communication frame to the opposite communication device 5B through the communication device interface 12D (step S77), and ends this processing operation.

  As a result, between the communication device 5B of “A1” on the encryption communication device 3D side of “A” and the opposite communication device 5B on the opposite encryption communication device 3D side of “B”, “C”, “D”. Multicast communication encryption communication can be realized.

  Further, the address information identification unit 16D of the opposite side encryption communication device 3D ends this processing operation unless it has detected an encrypted communication frame from the encryption communication device 3D in step S71.

  If the communication type determination unit 17D of the opposite side encryption communication device 3D determines that the communication type of the communication frame is not multicast communication based on the transmission destination MAC address of the communication frame in step S73, the communication type of the communication frame is determined. It is determined whether or not the communication is unicast communication (step S78).

  When the communication type determination unit 17D determines that the communication type of the communication frame is unicast communication, the decryption processing unit 20D of the opposite side encryption communication device 3D performs communication corresponding to the identification result of the address information identification unit 16D. A session key for unicast communication corresponding to the transmission source MAC address of the frame is read from the session key table 51D (step S79). Based on the read session key, an encrypted predetermined data range portion in the payload portion of the communication frame Is decrypted (step S80).

  The decryption processing unit 20D transmits the decrypted communication frame to the opposite communication device 5B through the communication device interface 12D (step S81), and ends this processing operation.

  As a result, the encryption communication of the unicast communication between the communication device 5B of “A2” of the encryption communication device 3D of “A” and the opposite communication device 5B of “C1” of the opposite encryption communication device 3D of “C”. Can be realized.

  On the other hand, if it is determined in step S78 that the communication type of the communication frame is not unicast communication, the opposite side encryption communication device 3D ends this processing operation.

  According to the fourth embodiment, each encryption communication device 3D stores a multicast key for each group number for identifying a multicast communication group, detects a communication frame to the opposite encryption communication device 3D, When it is determined that the communication type of this communication frame is multicast communication, the group number of the multicast communication group of this communication frame is identified, the communication frame is encrypted based on the multicast key corresponding to this group number, When the communication frame from the opposite side encryption communication device 3D is detected and it is determined that the communication type of this communication frame is multicast communication, the group number of the multicast communication group of this communication frame is identified, and this group number is Encrypted communication frame based on the corresponding multicast key Since so as to decode, it can also over a wide area network 2C, to enforce the additional security of the communication frame between the communication apparatus 5B according to the multicast communication using a cryptographic communication device 3D.

  According to the fourth embodiment, the communication device 5B accommodated and connected to the encryption communication device 3D is accommodated and connected to the opposite encryption communication device 3D via the wide area network 2C through the encryption communication device 3D and the opposite encryption communication device 3D. Since the communication frame is transmitted / received to / from the opposite-side communication device 5B, even the communication device 5B that does not have the encryption communication function uses the encryption communication device 3D to perform encryption communication between the communication devices 5B. Can be established.

  According to the fourth embodiment, the encryption communication device 3D stores the session key used for encryption of unicast communication for each address information of the encryption communication device 3D and the communication device 5B, and the opposite side encryption When it is determined that the communication type of the communication frame to the communication device 3D is unicast communication, the transmission destination MAC address of the communication frame is identified, the session key corresponding to the transmission destination MAC address is read, and the read Based on the session key, the communication frame is encrypted, and when it is determined that the communication type of the communication frame from the opposite side encryption communication device 3D is unicast communication, the source MAC address of this communication frame is identified, A session key corresponding to the source MAC address is read, and a communication frame is read based on the read session key. Since so as to decode the multicast communication, of course, it can also establish the encrypted communication between the communication apparatus 5B for communication frame unicast communication.

  In addition, according to the fourth embodiment, the encryption communication device 3D notifies the address information of the communication device 5B to be accommodated and connected to the opposite encryption communication device 3D according to a predetermined timing, and the opposite encryption communication device 3D. When the address information of the opposite communication device 5B is received, the session key of the opposite encryption communication device 3D accommodating and connecting the opposite communication device 5B is stored in association with the address information of the opposite communication device 5B. Therefore, since the session key table 51D is updated, each encryption communication device 3D can hold a session key for each communication device 5B accommodated and connected to the opposite encryption communication device 3D.

  In the fourth embodiment, when the communication device 5B on the encryption communication device 3D side performs encryption communication on the wide area network 2C to the opposite communication device 5B in the specific group by multicast communication, the specific group When the communication device 5B on the encryption communication device 3D side performs encryption communication of the communication frame to the opposite communication device 5B by unicast communication using the multicast key corresponding to The encryption communication of the payload portion of the communication frame is executed using the session key corresponding to the MAC address of the opposite side communication device 5B. For example, according to the start of communication between the communication device 5B and the opposite side communication device 5B. In response to a MAC address inquiry request from the communication device 5B to the opposite communication device 5B by broadcast communication. When an ARP request is executed, a multicast key corresponding to broadcast communication is used, and when an ARP response corresponding to the ARP request is executed from the opposite communication device 5B to the communication device 5B by unicast communication, the unicast communication Even if the encrypted communication is executed using the session key of the communication device 5B, it is possible to further enhance the security by encrypting the communication in the initial operation of communication start.

  In the fourth embodiment, as shown in FIG. 38, the payload portion of the communication frame is encrypted and decrypted based on the multicast key or the session key. However, the VLAN tag in the communication frame is If detected, the VLAN tag may be skipped without being encrypted or decrypted, and the payload part that follows the Type / Length field may be encrypted or decrypted as an encrypted field. It is also possible to appropriately change the encryption field according to the service. In addition, it may be possible to select whether or not a part of the Type / Length field is to be encrypted.

  Also, as shown in FIG. 39, when the interval (number of bytes) from the beginning of the communication frame to the beginning of the payload portion is clear, a predetermined number of bytes is set as an offset value, It goes without saying that the same effect can be obtained even if decoding is performed.

  According to the encryption communication system of the present invention, when the encryption communication device stores a multicast key used for encryption of communication data related to multicast communication and detects communication data to the opposite encryption communication device, the multicast key And encrypting the communication data, transmitting the encrypted communication data to the opposite encryption communication device, and detecting the encrypted communication data by the encryption communication means of the opposite encryption communication device. Since the encrypted communication data is decrypted on the opposite encryption communication device side based on the multicast key, not only the public service network capable of multicast communication expected in the future but also the multicast communication is possible in the present situation Even for multi-access networks such as IP-VPN, use cryptographic communication devices. Since it is possible to enhance security of communication data between the communication device according to the multicast communication, it is useful for video distribution system that requires encryption of example service video.

  Further, according to the encryption communication device of the present invention, a multicast key used for encryption of communication data related to multicast communication is stored, and when communication data to the opposite encryption communication device is detected, based on the multicast key, When the communication data is encrypted, the encrypted communication data is transmitted to the opposite side encryption communication device, and the encrypted communication data of the opposite side encryption communication device is detected, the multicast key is detected. The encrypted communication data is decrypted on the opposite side encryption communication device side based on the IP- Even in a multi-access network such as VPN, a multicast communication device can be used for multicasting. Since it is possible to enhance security of the communication data relating to communications, for example useful in cryptographic communication device for use in video distribution system that requires cryptographic service video.

It is a block diagram which shows schematic structure inside the encryption communication system which shows 1st Embodiment in connection with this invention. It is a block diagram which shows schematic structure inside the encryption communication apparatus in connection with 1st Embodiment. It is explanatory drawing which shows the table content of the group management table inside the encryption communication apparatus in connection with 1st Embodiment briefly. It is explanatory drawing which shows the table content of the multicast key table inside the encryption communication apparatus in connection with 1st Embodiment briefly. It is a block diagram which shows schematic structure inside the communication apparatus in connection with 1st Embodiment. It is a block diagram which shows schematic structure inside the key management server in connection with 1st Embodiment. It is a flowchart which shows the processing operation inside the encryption communication apparatus in connection with the multicast encryption process of 1st Embodiment. It is a flowchart which shows the processing operation inside the encryption communication apparatus in connection with the multicast decryption process of 1st Embodiment. It is explanatory drawing which shows briefly operation | movement of the encryption communication system which shows 1st Embodiment. It is a block diagram which shows schematic structure inside the encryption communication apparatus incorporating the multicast key update function in connection with other embodiment. It is explanatory drawing which shows briefly the table content of the key form storage part inside the multicast key update function shown in FIG. It is explanatory drawing which shows briefly the table content of the cast key table in connection with other embodiment. It is explanatory drawing which shows briefly the encryption and the decoding process of the communication data using the cast key table concerning other embodiment. It is a block diagram which shows schematic structure inside the encryption communication apparatus of the encryption communication system which shows 2nd Embodiment. It is explanatory drawing which shows briefly the table content of the session key table inside the encryption communication apparatus concerning 2nd Embodiment. It is a flowchart which shows the processing operation inside the encryption communication apparatus in connection with the multicast unicast encryption process of 2nd Embodiment. It is a flowchart which shows the processing operation inside the encryption communication apparatus regarding the multicast unicast decoding process of 2nd Embodiment. It is explanatory drawing which shows briefly operation | movement of the encryption communication apparatus of the encryption communication system which shows 2nd Embodiment. It is a block diagram which shows schematic structure inside the video delivery system which shows 3rd Embodiment. It is a block diagram which shows schematic structure inside the center side encryption communication apparatus in connection with 3rd Embodiment. It is explanatory drawing which shows the table content of the group management table inside the center side encryption communication apparatus in connection with 3rd Embodiment briefly. It is explanatory drawing which shows briefly the table content of the multicast key table in the center side encryption communication apparatus in connection with 3rd Embodiment. It is a block diagram which shows schematic structure inside the base side encryption communication apparatus in connection with 3rd Embodiment. It is explanatory drawing which shows briefly the table content of the base side multicast key table in the base side encryption communication apparatus in connection with 3rd Embodiment. It is a block diagram which shows schematic structure inside the key management server in connection with 3rd Embodiment. It is explanatory drawing which shows simply the initial state of the video delivery system which shows 3rd Embodiment. It is explanatory drawing which shows simply the video delivery preparation state of the video delivery system which shows 3rd Embodiment. It is explanatory drawing which shows briefly the service video viewing-and-listening procedure state of the video delivery system which shows 3rd Embodiment. It is explanatory drawing which shows briefly the service video delivery state of the video delivery system which shows 3rd Embodiment. It is explanatory drawing which shows schematic structure inside the encryption communication system for wide area networks which shows 4th Embodiment. It is a block diagram which shows schematic structure inside the encryption communication apparatus in connection with 4th Embodiment. It is explanatory drawing which shows briefly the table content of the group management table of the encryption communication apparatus concerning 4th Embodiment. It is explanatory drawing which shows briefly the table content of the multicast key table of the encryption communication apparatus concerning 4th Embodiment. It is explanatory drawing which shows briefly the table content of the session key table of the encryption communication apparatus concerning 4th Embodiment. It is a block diagram which shows schematic structure inside the key management server in connection with 4th Embodiment. It is a block diagram which shows schematic structure inside the encryption communication apparatus in connection with the multicast unicast encryption process of 4th Embodiment. It is a block diagram which shows schematic structure inside the encryption communication apparatus in connection with the multicast unicast decoding process of 4th Embodiment. It is explanatory drawing which shows briefly the operation | movement in connection with encryption and decoding of the communication frame in connection with other embodiment. It is explanatory drawing which shows briefly the operation | movement in connection with encryption and decoding of the communication frame in connection with other embodiment.

Explanation of symbols

1 Cryptographic Communication System 1A Video Distribution System (Cryptographic Communication System)
1B Cryptographic communication system for wide area network (cryptographic communication system)
2 Multi-access network 2A IP network (multi-access network)
2C Wide area network (multi-access network)
3 Cryptographic Communication Device 3A Cryptographic Communication Device 3B Center-side Cryptographic Communication Device (Cryptographic Communication Device)
3C Site side encryption communication device (encryption communication device)
3D encryption communication device 4 Key management server 4A Key management server 4B Key management server 5 Communication device 5A Communication device 5B Communication device 12 Communication device interface (data distribution means)
12C Communication device interface (data distribution means)
12D communication device interface (data distribution means)
13 Address information management section (subordinate address information management means)
13B Address information management section (subordinate address information management means)
13C Site side address information management section (subordinate address information management means)
13D address information management unit (subordinate address information management means)
14 Group management table (group information storage means)
14B Group management table (group information storage means)
14D group management table (group information storage means)
15 Multicast key table (Multicast key storage means)
15B Multicast key table (multicast key storage means)
15C Base side multicast key table (multicast key storage means)
15D multicast key table (multicast key storage means)
16 Address information identification part (address information identification means)
16D address information identification unit (address information identification means)
18 Group identification part (group identification means)
18C Site side group identification section (group identification means)
18D group identification part (group identification means)
19 Encryption processing section (encrypted communication means)
19B Encryption processing unit (encrypted communication means)
19D Encryption processing unit (encrypted communication means)
20 Decryption processing unit (decryption communication means)
20C Decoding processing unit (decoding communication means)
20D decoding processing unit (decoding communication means)
21 Control unit (multicast key update means)
21B control unit (multicast key update means)
21C Site side controller (multicast key update means)
21D control unit (multicast key update means)
24 Multicast update unit (multicast key update means)
31 Data transmission part (data transmission means)
31D frame transmission unit (data transmission means)
32 Data receiver (data receiver)
32D frame receiver (data receiver)
51 Session key table (session key storage means)
51D session key table (session key storage means)
52 Address information notification section (subordinate address management information notification means)
52D address information notification unit (subordinate address management information notification means)
53 Table update section (update means)
53D table update unit (update means)

Claims (17)

On a multi-access network in which a plurality of cryptographic communication devices can be connected simultaneously, one of the plurality of cryptographic communication devices communicates simultaneously with a plurality of cryptographic communication devices in a specific group. An encryption communication system that encrypts communication data between the encryption communication devices when performing multicast communication,
The encryption communication device is:
A multicast key storage means for storing a multicast key used for encryption of communication data related to the multicast communication;
When communication data to the opposite encryption communication device is detected among the plurality of encryption communication devices, the multicast key is read from the multicast key storage means, and the communication data is encrypted based on the read multicast key, Encrypted communication means for transmitting the encrypted communication data to the opposite-side encrypted communication device;
When the encrypted communication data of the opposite side encryption communication device is detected by the encrypted communication means, the multicast key is read from the multicast key storage means, and on the opposite side encryption communication device side based on the read multicast key And a decryption communication means for decrypting the encrypted communication data. The encryption communication device is:
Data distribution means for distributing the communication data decrypted by the decryption communication means to the communication device;
The communication device
Data transmission means for transmitting the communication data to the encryption communication device;
Data receiving means for receiving the communication data distributed by the data distribution means,
The data transmitting means and the data receiving means are:
2. The cryptographic communication system according to claim 1, wherein the communication data is transmitted / received to / from an opposing communication device that is accommodated and connected to the opposing cryptographic communication device through the cryptographic communication device and the opposing cryptographic communication device. . The encryption communication device is:
Group information storage means for storing address information of cryptographic communication devices belonging to the same group for each group identification information for identifying groups classified according to predetermined conditions;
The multicast key storage means for storing the multicast key used for encrypting communication data related to the group for each group identification information;
When communication data to the opposite encryption communication device is detected among the plurality of encryption communication devices, address information included in the communication data is identified, and communication data from the opposite encryption communication device is detected. Address information identifying means for identifying address information included in the communication data;
Based on the identification result of the address information identification means, the group identification means for identifying the group identification information of the communication data,
The encrypted communication means includes
When communication data to the opposite encryption communication device is detected, the address information identification means identifies the address information of the communication data, and based on the identification result, the group identification means identifies the communication data group identification information. And a multicast key corresponding to the group identification information is read from the multicast key storage means, the communication data is encrypted based on the read multicast key, and
The decryption communication means includes
When the encrypted communication data on the opposite side encryption communication device side is detected by the encrypted communication means, the address information identification means identifies the address information of the communication data, and based on the identification result, the group identification Means for identifying group identification information of the communication data, reading a multicast key corresponding to the group identification information from the multicast key storage means, and decoding the communication data based on the read multicast key. The cryptographic communication system according to claim 1 or 2. A management terminal device for communication connection for each encryption communication device;
The management terminal device
4. The cryptographic communication according to claim 1, wherein the multicast key stored in the multicast key storage means inside the cryptographic communication device can be set and changed by communication connection with the cryptographic communication device. system. Having a key management server capable of communication connection to all cryptographic communication devices via the multi-access network;
The key management server
A communication connection is established with each cryptographic communication device via the multi-access network, and the setting of the multicast key stored in the multicast key storage means inside each cryptographic communication device can be changed. 3. The cryptographic communication system according to 3. The encrypted communication means includes
A range designating unit for designating a predetermined data range of a payload portion included in the communication data;
Encrypt the payload portion of the predetermined data range specified by the range specifying means based on the multicast key,
The decryption communication means includes
6. The encryption communication system according to claim 1, wherein the payload portion of the predetermined data range designated by the range designation means is decrypted based on the multicast key. A range specifying means for configuring the multicast key with a predetermined number of cast keys and dividing and specifying a payload part included in the communication data into a predetermined number of data ranges;
Cast key storage means for storing a cast key for each data range designated by the range designation means;
The encrypted communication means includes
When communication data to the opposite encryption communication device is detected, a cast key corresponding to the data range is sequentially read from the cast key storage unit for each data range of the payload portion included in the communication data, and this sequential read Encrypt the same data range sequentially based on the cast key,
The decryption communication means includes
When communication data from the opposite encryption communication device is detected, a cast key corresponding to the data range is sequentially read from the cast key storage unit for each data range of the payload portion included in the communication data, and this sequential read 6. The encryption communication system according to claim 1, wherein the same data range is sequentially decrypted based on a cast key. A cryptographic communication system that encrypts communication data between the cryptographic communication devices on a multi-access network in which a plurality of cryptographic communication devices can be simultaneously connected to each other,
The encryption communication device is:
Multicast storing a multicast key used for encryption of communication data related to multicast communication in which one of the plurality of cryptographic communication devices communicates simultaneously with a plurality of cryptographic communication devices in a specific group Key storage means;
When communication data to the opposite encryption communication device is detected among the plurality of encryption communication devices, address information included in the communication data is identified, and communication data from the opposite encryption communication device is detected. Address information identifying means for identifying address information included in the communication data;
A communication type determination unit that determines a communication type of the communication data based on the identification result of the address information identification unit;
When the communication type determining means determines that the communication type of communication data to the opposite encryption communication device is the multicast communication, the multicast key is read from the multicast key storage means, and the read multicast key is used as the read multicast key. On the basis of the encrypted communication data, the encrypted communication means for transmitting the encrypted communication data to the opposite encryption communication device,
When the communication type determining unit determines that the communication type of the communication data from the opposite encryption communication device is the multicast communication, the multicast key is read from the multicast key storage unit, and the read multicast key is used as the read multicast key. And a decryption communication means for decrypting the encrypted communication data on the opposite encryption communication apparatus side. The encryption communication device is:
Group information storage means for storing address information of cryptographic communication devices belonging to the group for each group identification information for identifying the group classified under the predetermined condition;
The multicast key storage means for storing the multicast key used for encrypting communication data related to the group for each group identification information;
Group identification means for identifying group identification information of the communication data based on the identification result of the communication data of the address information identification means,
The encrypted communication means includes
When the communication type determining unit determines that the communication type of the communication data to the opposite encryption communication device is the multicast communication, the address information identifying unit identifies the address information of the communication data, Based on the identification result, the group identification means identifies the group identification information of the communication data, reads the multicast key corresponding to the group identification information from the multicast key storage means, based on the read multicast key, While encrypting communication data,
The decryption communication means includes
When the communication type determination unit determines that the communication type of the communication data from the opposite encryption communication device is the multicast communication, the address information identification unit identifies the address identification information of the communication data, Based on the identification result, the group identification means identifies group identification information of the communication data, reads the multicast key corresponding to the group identification information from the multicast key storage means, and based on the read multicast key, 9. The encryption communication system according to claim 8, wherein the communication data is decrypted. The encryption communication device is:
A session key storage means for storing, for each address information of the encryption communication device, a session key used for encryption of communication data related to unicast communication communicating between a single encryption communication device;
The encrypted communication means includes
When the communication type determining unit determines that the communication type of the communication data to the opposite encryption communication device is the unicast communication, the address information identifying unit identifies the address information of the communication data, A session key corresponding to the address information is read from the session key storage unit, the communication data is encrypted based on the read session key, and the encrypted communication data is transmitted to the opposite encryption communication device,
The decryption communication means includes
When the communication type determination unit determines that the communication type of the communication data from the opposite encryption communication device is the unicast communication, the address information identification unit identifies the address information of the communication data, 10. The encryption communication system according to claim 8, wherein a session key corresponding to the address information is read from the session key storage unit, and the communication data is decrypted based on the read session key. The encryption communication device is:
Subordinate address information management means for managing subordinate address management information including address information of communication devices to be accommodated and connected;
Subordinate address management information notifying means for notifying the opposite side cryptographic communication apparatus of subordinate address management information being managed by the subordinate address information management means according to a predetermined timing;
When receiving the subordinate address management information from the subordinate address management information notification means on the counter side cipher communication device side, the counter side communication device is associated with the address information of the counter side communication device included in the subordinate address management information. 11. The encryption communication system according to claim 10, further comprising an update unit that updates the session key storage unit so as to store a session key of the opposite side encryption communication device to be accommodated and connected. The encryption communication device is:
Key form storage means for storing a key form for each key number;
A key form selection unit that calculates a key number based on the current time and a predetermined program according to the timing common to all the cryptographic communication devices, and selects a key form corresponding to the calculated key number from the key form storage unit;
12. The cryptographic communication according to claim 8, 9, 10 or 11, further comprising: a multicast key update unit that updates the key form selected by the key form selection unit to the multicast key storage unit as the multicast key. system. Having a key management server capable of communication connection to all cryptographic communication devices via the multi-access network;
The key management server
A key form storage means for storing a plurality of key forms;
Key form selection means for selecting an arbitrary key form from a plurality of key forms in the key form storage means at a predetermined timing;
12. A key form distribution unit that distributes the key form selected by the key form selection unit to each encryption communication device at a predetermined timing using the multicast form as the multicast key. The cryptographic communication system described. The encryption communication device is:
A range designating unit for designating a predetermined data range of a payload portion included in the communication data;
The encrypted communication means includes
When the communication type determining unit determines that the communication type of the communication data to the opposite encryption communication device is the multicast communication, the payload part of the predetermined data range specified by the range specifying unit is set to the multicast key. Encryption based on
The decryption communication means includes
When the communication type determining unit determines that the communication type of the communication data from the opposite encryption communication device is the multicast communication, the payload part of the predetermined data range specified by the range specifying unit is used as the multicast key. 14. The encryption communication system according to claim 8, 9, 10, 11, 12, or 13, wherein decryption is performed based on the above. The encryption communication device is:
A range designating unit for designating a predetermined data range of a payload portion included in the communication data;
The encrypted communication means includes
When it is determined by the communication type determining means that the communication type of the communication data transmitted to the opposite communication device is the unicast communication, the payload portion of the predetermined data range specified by the range specifying means is Encrypt based on the key,
The decryption communication means includes
When the communication type determining unit determines that the communication type of the communication data from the opposite communication device is the unicast communication, the payload part of the predetermined data range specified by the range specifying unit is used as the session key. 15. The encryption communication system according to claim 10, 11, 12, 13 or 14, wherein the decryption is performed based on the above. The subordinate address management information notification means includes:
Encrypting the subordinate address management information and the session key related to the unicast communication of its own encryption communication device using the IKE protocol, and transmitting the encrypted subordinate address management information and session key to the opposite side encryption communication device. The cryptographic communication system according to claim 11. On a multi-access network in which a plurality of cryptographic communication devices can be connected simultaneously, one of the plurality of cryptographic communication devices communicates simultaneously with a plurality of cryptographic communication devices in a specific group. An encryption communication device in an encryption communication system that encrypts communication data between the encryption communication devices when performing multicast communication,
A multicast key storage means for storing a multicast key used for encryption of communication data related to the multicast communication;
When communication data to the opposite encryption communication device is detected among the plurality of encryption communication devices, the multicast key is read from the multicast key storage means, and the communication data is encrypted based on the read multicast key, Encrypted communication means for transmitting the encrypted communication data to the opposite-side encrypted communication device;
When the encrypted communication data of the opposite side encryption communication device is detected by the encrypted communication means, the multicast key is read from the multicast key storage means, and on the opposite side encryption communication device side based on the read multicast key And a decryption communication means for decrypting the encrypted communication data.

Images