JP2012244415A - Cryptographic processing device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a cryptographic processing device which increases the number of cryptographic communication connections and maintains a decoding rate of a cryptographic communication connection of high importance.SOLUTION: A display device 107, which receives image data transmitted from an imaging device 102 via packet communications based on IPsec protocols, determines a degree of importance of image data received by an importance degree determination module 115, and preferentially stores security association (SA) corresponding to transmission of the image of high importance to a first SA storage module (SRAM) 116.

Description

  The present invention relates to a cryptographic processing technique for establishing a plurality of cryptographic communication connections in parallel and performing cryptographic processing.

An IPsec (IP Security Protocol) protocol or the like has been put into practical use as a communication technology that can ensure the same security as that of connecting communication terminals with a secure dedicated line.
In connection of encryption communication using the IPsec protocol, information such as an encryption algorithm and an encryption key must be shared between the transmission side and the reception side. These pieces of information are called security associations (hereinafter referred to as SA), and are managed by the transmitting end and receiving end devices as a data context including information such as initial vectors in addition to the encryption algorithm and the encryption key. . The SA context is standardized as an IPsec RFC, and the cryptographic processing apparatus performs encryption and decryption while referring to the SA shared by the transmission end and the reception end for each packet.
On the other hand, as a technique for processing a large number of cryptographic communication connections at high speed, for example, there is a method of processing a plurality of cryptographic communication connections simultaneously by configuring a plurality of cryptographic processing circuits in parallel. However, increasing the number of cryptographic processing circuits according to the number of cryptographic communication connections is not a realistic solution from the viewpoint of circuit area and power consumption. For this reason, it is often the case that packets for a plurality of encryption communication connections are processed by time division multiplexing with a single encryption processing circuit.
Here, when cryptographic communication processing using IPsec is executed by time division multiplexing, it is necessary to read out different SAs for each packet from any storage area as needed. When the SA reading speed is low, it becomes a bottleneck of the entire cryptographic communication processing. In particular, when an SA is arranged in a shared memory shared by the entire system, there is a problem that a delay time for reading the SA increases, and the processing performance of the cryptographic communication processing is lowered.
As a means for solving this problem, it is conceivable to arrange the SA in a dedicated memory area where high-speed reading is possible. For example, when the cryptographic processing device is composed of a CPU and a dedicated hardware device, the SA is placed in a cache memory (hereinafter referred to as a cache) that can be read at high speed (Patent Document 1).

JP 2004-096178 A

In a normal embedded system, the cache is implemented as an SRAM, but the cache capacity needs to be kept as small as possible from the viewpoint of chip cost reduction. For this reason, when the number of encrypted communication connections increases, all SAs cannot be stored in the cache and may need to be arranged in the shared memory. Here, even if there is a highly important encrypted communication connection requiring high-speed decryption, if the SA corresponding to the encrypted communication connection is arranged in the shared memory, the decryption is performed within a desired time. There is a problem that the possibility of not being able to finish is increased.
Accordingly, an object of the present invention is to achieve both an increase in the number of encrypted communication connections and maintenance of a decryption speed of highly important encrypted communication connections.

  The cryptographic processing apparatus of the present invention includes a receiving unit that receives encrypted information, a first storage unit and a second storage unit that store a group of information necessary for establishing encrypted communication on a transmission path, The first storage unit includes an importance level determination unit that determines the level of importance of the encrypted information, and a selection unit that selects a storage destination of the information group based on a determination result of the importance level determination unit. Can be read at a higher speed than the second storage means, and the selection means selects the first storage means as the storage destination of the information group corresponding to reception of highly important information. It is characterized by.

  According to the present invention, it is possible to achieve both an increase in the number of encrypted communication connections and maintenance of the decryption speed of highly important encrypted communication connections.

The block diagram which shows the function structure of a network camera system. The block diagram which shows the hardware constitutions of a network camera system. The flowchart which shows the operation | movement at the time of memorize | storing newly received SA. The flowchart which shows the operation | movement at the time of updating the importance of the image matched with SA. 10 is another flowchart showing an operation when updating the importance of an image associated with SA. The flowchart of a decoding process.

  First, as an embodiment of the present invention, a network camera system that performs image transmission using IPsec will be described with reference to FIG.

  FIG. 1 shows the configuration of a network camera system 101 in the present embodiment. In the network camera system 101, image transmission is performed from the imaging device 102, the imaging device 103, the imaging device 104, and the imaging device 105 to the display device 107 using IPsec. Note that the number of imaging devices is not limited to four and may be increased or decreased.

  The imaging apparatus 102 includes an imaging unit 108, an IPsec encryption unit 109, and a packet transmission unit 110. The imaging unit 108 digitizes incident light from the outside using an image sensor and an image processing circuit, and creates image data. The image data is divided into packets conforming to TCP / IP or UDP. The IPsec encryption unit 109 encrypts the packet created by the imaging unit 108 using an encryption method determined in advance by the IPsec protocol. The packet transmission unit 110 transmits the packet encrypted by the IPsec encryption unit 109 to the transmission path 106.

  Since the imaging device 103, the imaging device 104, and the imaging device 105 have the same configuration as the imaging device 102 (the imaging unit 108, the IPsec encryption unit 109, and the packet transmission unit 110), description thereof is omitted here.

  The transmission path 106 is a transmission path that connects a plurality of imaging devices including the imaging device 102 and the display device 107.

  The display device 107 includes a packet receiving unit 111, an IPsec decoding unit 112, a display unit 113, an SA arrangement control unit 114, an importance level determination unit 115, a first SA storage unit 116, and a second SA storage unit 117. The packet receiver 111 receives a packet transmitted from the packet transmitter 110 via the transmission path 106. The IPsec decryption unit 112 processes the packet received by the packet receiving unit 111 based on the SA (information used when decrypting) stored in advance in the first SA storage unit 116 or the second SA storage unit 117. Decrypt. The IPsec decoding unit 112 collects the decoded packets and reconstructs them as image data. The display unit 113 displays the image data reconstructed by the IPsec decoding unit 112. In the present embodiment, an image transmitted from the image capturing apparatus 102 and the image capturing apparatus 103, the image capturing apparatus 104, and the image capturing apparatus 105 having the same configuration is displayed in four divisions on one display.

  The SA placement control unit 114 receives the SA from the packet reception unit 111 and places the SA in the first SA storage unit 116 or the second SA storage unit 117. Further, based on the importance of the image determined by the importance determination unit 115, the SA corresponding to the connection for transmitting the important image is preferentially arranged in the first SA storage unit 116 from the second SA storage unit 117. The arrangement of SA will be described later.

  The importance determination unit 115 collects the packets decoded by the IPsec decoding unit 112, reconstructs them as image data, and determines the importance of the image. For example, when an image recognition algorithm such as face recognition, human body detection, or moving object detection is used and it can be determined that the human body or moving object is included in the image, the image is determined to be more important than the other images. . Further, an input device for manually setting the importance level of the image may be added to the display device 107, and the importance level of the image may be determined according to an input from the input device (not shown). Alternatively, when a network camera system that transmits audio simultaneously with an image is constructed, the importance of the image may be determined according to the presence or absence of audio, characteristics, and the like (not shown). Then, the determined importance is notified to the SA placement control unit 114. The importance is represented by an integer value, and the range is determined in advance based on the configuration of the network camera system 101.

  The first SA storage unit 116 stores the SA received from the SA arrangement control unit 114. The SA stored in the first SA storage unit 116 can be read out faster than the SA stored in the second SA storage unit 117. However, the number of SAs that can be stored in the first SA storage unit 116 is smaller than the number of SAs that can be stored in the second SA storage unit 117. The second SA storage unit 117 stores the SA received from the SA arrangement control unit 114. The SA stored in the second SA storage unit 117 cannot be read at a higher speed than the SA stored in the first SA storage unit 116. However, the number of SAs that can be stored in the second SA storage unit 117 is greater than the number of SAs that can be stored in the first SA storage unit 116.

  In the present embodiment, an example in which the display device 107 includes the display unit 113 will be described. However, the display device 107 functions as a cryptographic processing device without the display unit, and is a separate device having a display unit. , Display may be performed.

  FIG. 2 is a block diagram illustrating a hardware configuration (circuit block) of the network camera system 101.

  The imaging apparatus 102 includes an image sensor 201, a CPU 202, a RAM 203, a ROM 204, a communication unit 205, and a bus 206 that connects them.

  The image sensor 201 detects visible light incident on the image sensor 201 from a subject to be photographed, and generates digital image data. The CPU 202 is a central processing unit, executes an application program, an operating system (OS), a control program, and the like, and performs control for temporarily storing information, files, and the like necessary for executing the program in the RAM 203. A RAM 203 is a writable memory for temporarily storing various data, and functions as a main memory and a work area of the CPU 202. The RAM 203 is also used for storing SA. A ROM 204 is a read-only memory, and stores therein programs such as a basic input / output program and various data used in basic processing. The communication unit 205 is a communication interface that communicates with the display device 107 via the transmission path 106. The communication unit 205 implements encryption and decryption processing in IPsec communication in cooperation with the CPU 202. A bus 206 controls the flow of data in the imaging apparatus 102.

  Since the imaging device 103, the imaging device 104, and the imaging device 105 have the same hardware configuration as that of the imaging device 102, description thereof is omitted here.

  The display device 107 includes a CPU 207, a communication unit 208, an SRAM 209, a DRAM 210, a ROM 211, an image processing unit 212, a display control unit 213, a DMAC 214, and a bus 215 that connects them.

  The CPU 207, the communication unit 208, the DRAM 210, the ROM 211, and the bus 215 operate in the same manner as the CPU 202, the RAM 203, the ROM 204, the communication unit 205, and the bus 206 of the imaging device 102, respectively. The SRAM 209 is a writable memory that functions as a cache memory of the DRAM 210, and can read various data at a higher speed than the DRAM 210. The SRAM 209 is particularly used for storing an SA corresponding to an encryption communication connection that requires high-speed decryption. The image processing unit 212 performs image processing on the image received from the imaging device 102 and generates a display image. In addition, the image processing unit 212 performs image recognition and moving object detection processing on the generated image by cooperating with the CPU 207, and determines the importance of the image. The display control unit 213 outputs and displays the display image generated by the image processing unit 212 on a monitor or a projector (not shown). Under the control of the CPU 207, the DMAC 214 transfers various data such as image data and SA among the communication unit 208, SRAM 209, DRAM 210, ROM 211, image processing unit 212, and display control unit 213.

  The functions of the network camera system 101 are realized by the cooperative operation of these various types of hardware and software operating on the hardware.

  FIG. 3 is a flowchart showing an operation in arranging a newly received SA in the display device 107.

  First, in step S301, the packet reception unit 111 performs reception processing for receiving a new SA for establishing a new image transmission connection. In step S <b> 302, the SA placement control unit 114 performs storage processing for placing the new SA in the second SA storage unit 117. In step S303, the importance level determination unit 115 determines whether the display device 107 has received enough data to determine the importance level of the image through the image transmission connection corresponding to the new SA. As the determination method, for example, the determination is performed based on whether the received data has reached a predetermined data amount. If the data has been received (YES in step S303), the process proceeds to step S304. On the other hand, if the data has not been received yet (NO in step S303), after waiting for a predetermined time, step S302 is repeated.

  In step S304, the importance level determination unit 115 obtains the importance level of the image transmitted through the image transmission connection corresponding to the new SA. In step S305, it is determined whether or not the number of SAs already arranged in the first SA storage unit 116 exceeds a predetermined number. If it exceeds the predetermined number (YES in step S305), the process proceeds to step S307. On the other hand, if the predetermined number has not been reached (NO in step S305), the process proceeds to step S306. The predetermined number is a number that the first SA storage unit 116 can store SA. In step S306, a storage process for arranging the new SA in the first SA storage unit 116 in association with the importance of the image is performed.

  In step S307, the SA placement control unit 114 determines whether the importance level of the new SA is the lowest compared to the SA level of importance already stored in the first SA storage unit 116. If the importance of the new SA is the lowest (YES in step S307), the process proceeds to step S308. If the importance of the new SA is not the lowest (NO in step S307), the process proceeds to step S309.

  In step S309, the SA arrangement control unit 114 stores the SA that has the lowest importance of the associated image among the SAs already stored in the first SA storage unit 116, to the second SA storage unit 117. Process. In step S310, the SA placement control unit 114 performs a storage process of placing the new SA in the first SA storage unit 116 in association with the importance of the image.

  In addition, although arrange | positioned in the 2nd SA memory | storage part 117 in step S302, you may arrange | position to another memory | storage part not only in this.

  When processing the processing in FIG. 3 using the hardware configuration in FIG. 2, step S301 in FIG. 3 is executed by the communication unit 208, and processing other than step S301 is executed based on the control of the CPU 207. . At this time, the CPU 207 may use the DMAC 214. The first SA storage unit 116 is realized by the SRAM 209, and the second SA storage unit 117 is realized by the DRAM 210.

  FIG. 4 is a flowchart showing an operation in the display device 107 when the importance level of the image associated with the SA is updated.

  First, in step S401, the importance level determination unit 115 obtains the importance level of an image newly received by the display device 107. Next, in step S402, it is determined whether or not the importance value obtained in step S401 is higher than the importance value already associated with the SA corresponding to the encrypted communication connection that transmitted the image. If it is higher (YES in step S402), the process proceeds to step S403. On the other hand, if it is low (NO in step S402), the process proceeds to step S404. In step S <b> 403, it is determined whether the SA corresponding to the encrypted communication connection that transmitted the image is stored in the first SA storage unit 116. If stored (YES in step S403), the process proceeds to step S404. On the other hand, if not stored (NO in step S403), the process proceeds to step S405. In step S404, storage processing is performed to update the importance value already associated with the SA corresponding to the encrypted communication connection that transmitted the image to the importance value obtained in step S401.

  In step S405, it is determined whether or not the importance value obtained in step S401 is higher than the lowest importance value associated with the SA stored in the first SA storage unit 116. If so (YES in step S405), the process proceeds to step S404. On the other hand, if it is low (NO in step S405), the process proceeds to step S406. In step 406, a storage process is performed in which the least important SA associated with the SA among the SAs stored in the first SA storage unit 116 is moved to the second SA storage unit 117. In step 407, the SA corresponding to the encrypted communication connection that transmitted the image is associated with the importance value obtained in step S401, and then stored in the first SA storage unit 116.

  In the present embodiment, the image importance update processing shown in FIG. 4 is executed each time the display device 107 receives one image. However, the frequency of image importance update processing may be set in consideration of the time required for the importance determination unit 115 to determine the importance of the image and the frequency with which the display device 107 receives the image. It doesn't matter.

  4 is processed using the hardware configuration in FIG. 2, each process in FIG. 4 is executed under the control of the CPU 207. At this time, the CPU 207 may use the DMAC 214. The first SA storage unit 116 is realized by the SRAM 209, and the second SA storage unit 117 is realized by the DRAM 210.

  FIG. 6 is a flowchart of the decoding process in the display device 107.

  In step S601, the packet receiving unit 11 receives IPSed encrypted image data. In step S <b> 602, the IPSec decryption unit 112 decrypts the image data subjected to the IPSec encryption using the SA stored in the first SA storage unit 116 or the second SA storage unit 117. In step S603, the display unit 113 displays the decoded image data.

  As described above, the display device 107 receives and decrypts the encrypted packet for transmitting the image data, and determines the SA based on the importance of the image data, the first SA storage unit 116, the second SA storage unit 117, and the like. To place. Here, by preferentially storing the SA corresponding to image transmission with high importance in the first SA storage unit 116, even when the number of encryption communication connections increases, the communication speed of image transmission with high importance is maintained. it can.

  Furthermore, by regularly updating the importance of the image associated with the SA, it is possible to always maintain the communication speed of image transmission with a high importance.

<Modification>
FIG. 5 is another flowchart showing an operation in the display device 107 when the importance level of the image associated with the SA is updated and the SA is arranged as necessary. 4 differs from the flowchart shown in FIG. 4 in that FIG. 5 includes step S501, and the other processes are the same as those in FIG.

  In step S601, it is determined whether or not the delay time when reading the SA corresponding to the encrypted communication connection that transmitted the image from the first SA storage unit 116 or the second SA storage unit 117 exceeds a predetermined time. If it exceeds the predetermined time (YES in step S601), the process proceeds to step S403. On the other hand, if the predetermined time has not been exceeded (NO in step S601), the process proceeds to step S404.

  5 is processed using the hardware configuration in FIG. 2, each process in FIG. 5 is executed based on the control of the CPU 207. At this time, the CPU 207 may use the DMAC 214. The first SA storage unit 116 is realized by the SRAM 209, and the second SA storage unit 117 is realized by the DRAM 210.

  As described above, the delay time at the time of reading from the first SA storage unit 116 or the second SA storage unit 117 is measured, and if the delay time is within a range that does not affect the image display on the display device 107, the SA. Is left in place. In this way, the frequency with which the SA moves between the first SA storage unit 116 and the second SA storage unit 117 can be kept low.

(Other embodiments)
The component of the present invention can be applied to a system including a plurality of devices (for example, a host computer, an interface device, a reader, a printer, etc.), or a device (for example, a camera, a copier, The present invention may be applied to a facsimile machine or the like. An object of the present invention is to supply a storage medium storing software program codes for realizing the functions of the above-described embodiments to a system or apparatus, and the system reads and executes the program codes stored in the storage medium. Is also achieved. In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiments, and the storage medium storing the program code constitutes the present invention. As a storage medium for supplying the program code, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, magnetic tape, nonvolatile data storage unit, ROM, or the like can be used. . Further, by executing the program code read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on the instruction of the program code. Perform some of the actual processing. Furthermore, the case where the functions of the above-described embodiments are realized by the processing is also included. Further, the program code read from the storage medium is written to a data storage unit provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer. After that, based on the instruction of the program code, the CPU of the function expansion board or function expansion unit performs part or all of the actual processing, and the processing of the above-described embodiment is realized by the processing. It is.

Claims (3)

Receiving means for receiving encrypted information;
First storage means and second storage means for storing information used when decrypting the encrypted information;
Importance determining means for determining the importance of the encrypted information;
Based on the determination of the importance level determination means, the control means for controlling whether the information used for the decoding is stored in the first storage means or the second storage means,
The first storage means can be read faster than the second storage means,
The encryption processing apparatus characterized in that the control means controls the first storage means to store information used for the decryption corresponding to highly important information.   The cryptographic processing apparatus according to claim 1, wherein the information used for the decryption is a security association.   The cryptographic processing apparatus according to claim 1, further comprising a decrypting unit configured to decrypt the received information using information used for the decryption.

Images