JP2017038413A - Communication device, key generating device, communication method, program, and communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To select an optimal encryption communication mode taking throughput and cost into consideration according to a request of an application.SOLUTION: A communication device to be connected to a key generating device generating an encryption key comprises an inquiry unit, an encryption processing unit, and a selection unit. The inquiry unit inquires the key generating device of capability information indicating capability by which the key generating device generates the encryption key. The encryption processing unit executes a plurality of encryption functions. The selection unit selects an encryption function according to the capability information from the plurality of encryption functions. The encryption processing unit executes the encryption function selected by the selection unit.SELECTED DRAWING: Figure 3

Description

  Embodiments described herein relate generally to a communication device, a key generation device, a communication method, a program, and a communication system.

  There is known a cryptographic communication network composed of a plurality of nodes connected to each other by a plurality of links. Each node uses a function for generating and sharing a random number (hereinafter also referred to as generation sharing) with an opposite node connected by a link, and using the random number as an encryption key (hereinafter referred to as a link key). And a function for performing encrypted communication. Some of the nodes have a function of generating a random number independently of the link and a function of transmitting the generated random number to another node. An application in the encryption communication network has a function of acquiring a random number from a node and using this as an encryption key (hereinafter referred to as an application key) to perform encryption communication with another application. The application may be realized integrally with the node, or may be realized as a terminal independent of the node.

  In the node, the function of generating and sharing a random number (link key) with an opposite node connected by a link is realized, for example, by a technique generally called quantum cryptography communication. In this case, a technique in which a node generates a random number (application key) independently of a link and transmits the generated random number to another node via the link is called quantum key distribution (QKD). There is.

Dianati, M., Alleaume, R., Gagnaire, M. and Shen, X. (2008), Architecture and protocols of the future European quantum key distribution network. Security and Communication Networks, 1: 57-74. DOI: 10.1002 / sec.13

  A random number (that is, an application key) generated independently of a link in a node on the cryptographic communication network is a finite resource in the cryptographic communication network. There is also a technical upper limit on the generation speed of application keys. Therefore, even if the method of acquiring the application key from the node and performing the encrypted communication for the application is the most secure communication, the encrypted communication is not always optimal in consideration of the cost and the like. For example, from the viewpoint of communication throughput restrictions and costs due to the use of finite resources, another encryption communication method (that is, a method other than the method in which an application key is acquired from a node on the encryption communication network and encrypted communication) is used. Even if the security is lower, the communication may satisfy the requirements of the application. As described above, the method of obtaining the application key from the node and performing cryptographic communication is not always optimal. In other words, in the conventional method, it is not possible to select an optimal encryption communication method in consideration of throughput and cost in light of application requirements.

  The communication apparatus according to the embodiment is a communication apparatus connected to a key generation apparatus that generates an encryption key, and includes an inquiry unit, an encryption processing unit, and a selection unit. The inquiry unit inquires the key generation device about capability information indicating the capability of the key generation device to generate the encryption key. The cryptographic processing unit executes a plurality of cryptographic functions. The selection unit selects an encryption function corresponding to the capability information from among the plurality of encryption functions. The encryption processing unit executes the encryption function selected by the selection unit.

The network block diagram of the communication system concerning embodiment. The block diagram of the node of 1st Embodiment. The block diagram of the application in 1st Embodiment. The sequence diagram of the communication processing by the communication system of 1st Embodiment. The block diagram of the node concerning 2nd Embodiment. The block diagram of the application concerning 2nd Embodiment. The sequence diagram of the communication processing by the communication system of 2nd Embodiment. The hardware block diagram of the apparatus concerning 1st and 2nd embodiment.

  Exemplary embodiments of a communication apparatus according to the present invention will be explained below in detail with reference to the accompanying drawings.

(First embodiment)
In the communication system according to the first embodiment, an application inquires capability information (hereinafter referred to as application key information) indicating the capability of generating an application key to a node. The application compares the encryption function and performance that are possible when the application key is acquired with the encryption function and performance that are possible without acquiring the application key. Then, an optimal encryption communication method is selected in light of the application request.

The application key information is, for example, the following information.
(A) The amount of application keys that the node can currently provide to the corresponding application. (B) Among the application key throughputs that the node is currently generating and sharing, the application key throughput that can be assigned to the corresponding application. Information (C) Information related to the cost required for allocating the application key amount or throughput to the corresponding application

  FIG. 1 is a diagram illustrating a network configuration example of a communication system according to the present embodiment. The communication system includes nodes 100a to 100c as key generation devices and applications 200a and 200c.

  When it is not necessary to distinguish the nodes 100a to 100c, the node 100 may be simply referred to as a node 100. When it is not necessary to distinguish between the applications 200a and 200c, the application 200a may be simply referred to as an application 200. The number of nodes 100 is not limited to three. Further, the number of applications 200 is not limited to two.

  As described above, the nodes 100a to 100c generate and share random numbers with the opposite node, and use the generated random numbers as link keys to perform cryptographic communication on links (links 300a and 300b). With. The node 100 may have a function of generating a random number independently of the link and a function of transmitting the generated random number to another node.

  FIG. 2 is a block diagram illustrating an example of the configuration of the node 100. As illustrated in FIG. 2, the node 100 includes a first communication unit 101, a generation unit 102, a key management unit 103, a second communication unit 104, and a platform unit 105.

  The first communication unit 101 communicates with another node (hereinafter also referred to as an opposite node) connected by a link 51 that is a communication link (inter-node communication link) with another node 100 (external device). Using random encryption communication technology, random numbers are generated and shared, and the generated random numbers are managed as link keys. Note that the link key may be generated and shared by a method other than the quantum cryptography communication technique. The first communication unit 101 is used when data is transmitted / received to / from other nodes connected by the link 51 (inter-node data communication). Here, the other node that is the partner of the data communication may be an opposite node directly connected by the link 51, or another node that is further connected via another link of the opposite node. In some cases. In this case, the first communication unit 101 may provide a routing function for performing communication via the plurality of nodes 100 in the encryption communication network. The inter-node data communication may be communication encrypted using a link key managed by the first communication unit 101.

  The generation unit 102 has a function of generating a random number independently of the first communication unit 101 and sharing the generated random number with other nodes 100. The function of the first communication unit 101 may be used when sharing random numbers with other nodes 100. The random number generated and shared by the generation unit 102 is called an application key.

  Further, the generation unit 102 can assign to the application 200 among the application keys that can be currently provided and the application keys that are currently generated and shared in response to an inquiry from the application 200 via the second communication unit 104. A function for notifying information on the throughput of a simple application key and information on a cost necessary to realize the throughput and the amount of keys. Any method may be used for the node 100 to grasp the information. The node 100 only needs to grasp the information by some method.

  The key management unit 103 manages the application key generated and shared by the generation unit 102. The key management unit 103 selects and passes an appropriate application key in response to a request from the second communication unit 104.

  The second communication unit 104 communicates by connecting to the application 200 via a link 52 (application communication link) that is a communication link with the application 200. The second communication unit 104 receives a request from the application 200 and provides an application key to the application 200.

  Here, since the application communication link is not particularly defined, the application 200 may exist on another computer connected to the node 100 via some network. In this case, existing network security functions such as a firewall, data encryption, and data authentication may be implemented on the network connecting the node 100 and the application 200. The application 200 may exist on the node 100 and may be connected to the second communication unit 104 via a software API (Application Program Interface).

  The platform unit 105 provides management of other components on the node 100, computer operating system functions necessary for operation, and the like.

  The configuration of the node 100 in the first embodiment has been described above. Next, a configuration example of the application 200 in the first embodiment will be described. FIG. 3 is a block diagram illustrating a configuration example of the application 200 according to the first embodiment. As illustrated in FIG. 3, the application 200 includes a communication unit 201, an encryption processing unit 202, an execution unit 203, a communication unit 204, an inquiry unit 205, a selection unit 206, and a platform unit 207. Yes.

  The communication unit 201 is connected to the node 100 (specifically, the second communication unit 104 of the node 100) via the application communication link (link 52) and transmits / receives various data. For example, the communication unit 201 acquires from the node 100 an application key necessary for performing cryptographic communication.

  The encryption processing unit 202 provides functions of data encryption processing and decryption processing. The cryptographic processing unit 202 according to the first embodiment executes a selected cryptographic function among a plurality of cryptographic functions. Cryptographic functions and performance that can be provided differ depending on hardware resources such as a security chip and CPU (Central Processing Unit) included in the application 200 and software resources such as a cryptographic library. As one of the encryption functions that can be provided, the application key acquired by the communication unit 201 may be held, and the application key may be used to perform encryption processing and decryption processing of data necessary for performing encrypted communication. .

  The encryption algorithm (encryption method) used by the encryption function is not particularly limited. An application key may or may not be used. For example, a block cipher such as AES (Advanced Encryption Standard) or a Burnham cipher such as OTP (One-time Pad) Also good.

  The cryptographic processing unit 202 may be capable of grasping information on performance in addition to information on cryptographic functions that can be provided and notifying the selection unit 206 and the like. The information related to the cryptographic function is generally information about supported cryptographic algorithms and authentication algorithms and their key lengths. For example, a character string indicating an algorithm, a key length, and a mode such as “AES-128-CBC”, “AES-256-CBC”, and “DES-EDE3” may be used. The information related to performance is information related to the amount of data per fixed time that can be processed when the cryptographic function is used, the CPU load when the cryptographic function is used, and the like. For example, throughput formats such as 10 Gbps and 100 Mbps, and CPU load (% display). Alternatively, it may be expressed by the number of CPU instructions necessary for processing data of a certain size.

  In the first embodiment, any method may be used for the encryption processing unit 202 to grasp the information. The cryptographic processing unit 202 only needs to grasp the information by some method.

  Which encryption function the encryption processing unit 202 uses is determined and set by the selection unit 206 and the like which will be described later. Further, what encryption function the encryption processing unit 202 uses may be hidden by the execution unit 203 and the communication unit 204.

  The execution unit 203 executes an application function for performing cryptographic communication. The type of application function is not particularly limited as long as it performs communication. For example, the execution unit 203 executes functions such as video transmission. The execution unit 203 passes transmission data to the communication unit 204 and receives reception data from the communication unit 204.

  The execution unit 203 holds information (request information) related to an application request by some method (for example, a method such as setting by a user, an administrator, and an application developer, statistical information processing, and automatic control). And Request information includes, for example, security (request for security of encryption processing and decryption processing), throughput (request for communication speed), cost (consumption of a finite resource called an application key) (for example, money) (Required for cost) and their priorities and the like.

  The communication unit 204 provides a communication function necessary for the operation of the execution unit 203. In data communication, the encryption processing unit 202 can be used to encrypt and decrypt data. When receiving the transmission data from the application 200, the communication unit 204 encrypts the data using the encryption processing unit 202, and transmits the data via the data communication link (link 53). The data communication link is a link for transmitting and receiving data to and from the communication partner application 200. In addition, when receiving data from the data communication link, the communication unit 204 decrypts the received data using the encryption processing unit 202 and delivers the decrypted data to the application 200.

  The inquiry unit 205 inquires of the node 100 about application key information such as the above (A) to (C) via the communication unit 201. The result obtained by the inquiry is passed to the selection unit 206.

The selection unit 206 refers to the obtained application key information and the like, and selects an optimal encryption function when executing the application 200. The selection unit 206 may select the encryption function using the following information about the application 200 (hereinafter referred to as application information) in addition to the application key information obtained by inquiring the node 100. The information referred to by the selection unit 206 at the time of selection is not limited to these, and only some of them may be referred to.
(1) Request information acquired from the execution unit 203 (2) Information regarding the cryptographic function and performance that can be realized by the application 200 by itself, acquired from the cryptographic processing unit 202 (hereinafter referred to as cryptographic function information)
(3) Information obtained from the platform unit 207 or the like regarding the resource usage status in the current application 200 (hereinafter referred to as resource information)

  The platform unit 207 provides management of other components on the application 200, computer operating system functions necessary for operation, and the like.

  The configuration of the application 200 in the first embodiment has been described above. However, the above description is an example.

  Note that each unit of the node 100 and the application 200 may be realized by causing a processing device such as a CPU (Central Processing Unit) to execute a program, that is, by software or hardware such as an IC (Integrated Circuit). It may be realized by a combination of software and hardware.

  Next, a sequence for realizing the first embodiment will be described. FIG. 4 is a sequence diagram illustrating an example of communication processing by the communication system according to the first embodiment. FIG. 4 is a sequence in a case where when the application 200 starts encryption communication, the node 100 is inquired about the generation state of the application key, and the application 200 selects an optimal encryption function.

  The execution unit 203 of the application 200 notifies request information held by the execution unit 203 to the selection unit 206 before initiating the execution of the application, and inquires about an optimal encryption function associated with the execution of the application. Upon receiving this inquiry, the selection unit 206 instructs the inquiry unit 205 to inquire about the application key (key inquiry). In response to this inquiry, the inquiry unit 205 transmits a key inquiry message to the node 100 via the communication unit 201 (step S101).

  The second communication unit 104 of the node 100 receives the key inquiry message. The second communication unit 104 notifies the key management unit 103 of the key inquiry. In response to the key inquiry, the key management unit 103 returns at least one of the above-described application key information (A) to (C) to the application 200 via the second communication unit 104 (step S102). . The communication unit 201 of the application 200 notifies the inquiry unit 205 of the received application key information. Inquiry unit 205 notifies application key information to selection unit 206.

  The selection unit 206 acquires application key information from the inquiry unit 205. The selection unit 206 may further inquire the encryption processing unit 202 regarding the encryption functions that can be provided. Upon receiving this inquiry, the cryptographic processing unit 202 provides the cryptographic function information to the selection unit 206. More specifically, the cryptographic function information includes information on the function and performance of an available security chip (hardware) and information on the function and performance of an available cryptographic library (software).

  The selection unit 206 may further inquire the platform unit 207 regarding the resource usage status in the application. Upon receiving this inquiry, the platform unit 207 provides the resource information to the selection unit 206. More specifically, the resource information includes CPU load, memory usage, execution status of other jobs, usage status of security chip, and the like.

  Note that the timing of acquisition of application key information from the inquiry unit 205 by the selection unit 206 and the inquiry and information acquisition to the encryption processing unit 202 and the platform unit 207 are not particularly limited. Whichever is done first. Alternatively, it may be performed in advance before the execution of this sequence.

  As described above, the selection unit 206 can receive the request information from the execution unit 203, the application key information from the inquiry unit 205, the cryptographic function information from the cryptographic processing unit 202, and the resource information from the platform unit 207. . However, this is an example, and only some of the above information may be used, or other information may be acquired.

Based on the above information, the selection unit 206 selects an optimal encryption function in light of the application request (request information) (step S103). There are various selection methods, and there is no particular limitation here. For example, if there is an application request “I want to perform communication with the highest security while ensuring the throughput X”, the following selection method can be applied. In this example, for simplification, it is assumed that the application 200 supports only AES by the security chip. Depending on the encryption function,
(C1) OTP encryption using application key (hereinafter referred to as QKD OTP)
(C2) AES block cipher using application key (hereinafter QKD AES)
(C3) It is assumed that normal AES encryption is possible. Also, it is assumed that there is no difference in cost among these three types of cryptographic functions, and security is higher in the order of (C1), (C2), and (C3).

  First, the selection unit 206 determines whether or not the throughput A when the (C1) encryption function with the highest security is applied is X or more. Throughput A can be calculated using information on the throughput of application keys that can be assigned to the application 200 among the obtained application key information. If X <A, the selection unit 206 determines that it is optimal to use the encryption function (C1). Otherwise (C1) is not optimal.

  Next, the selection unit 206 determines whether or not the second highest security (C2) throughput B is X or more. The throughput B can be calculated from the information on the throughput of the application key that can be allocated to the application 200 among the application key information, the AES key length used in (C2), and the performance of the available security chip or cryptographic library. . If X <B, the selection unit 206 determines that it is optimal to use the encryption function (C2). Otherwise (C2) is not optimal.

  Finally, the selection unit 206 determines whether or not the third highest security (C3) throughput C is X or more. Throughput C can be calculated from the key length of AES used in (C3) and the performance of available security chips or cryptographic libraries. If X <C, the selection unit 206 determines that it is optimal to use the encryption function (C3).

  In the above example, only the throughput request is considered as the application request. For example, an application request (cost request) related to a cost such as “I want to perform communication with the highest security after securing the cost Y or less” may be compared and determined in the same manner. Although not used in this example, for example, when it is clear to the application 200 that the communication data amount is Z, the amount of application keys that can be provided to the application 200 is also compared. May be.

  Note that several operations are possible when no encryption function satisfying the application request is found. For example, a method of selecting an encryption function closest to the application request, determining that the selected encryption function is optimal, and a method of notifying the application 200 or the user as an error because the optimal encryption function is not found can be used. .

  The selection unit 206 sets the encryption processing unit 202 to use the encryption function determined (selected) as optimal (step S104). In addition, the selection unit 206 may notify the execution unit 203 that the selection of the encryption function has been completed or the encryption function selected as a result.

  The execution unit 203 starts executing the application 200 (step S105). The application 200 uses the communication unit 204 during data communication. At this time, the encryption processing unit 202 optimally set by the selection unit 206 performs encryption processing and decryption processing of communication data. When the application key provided from the node 100 is unnecessary, the application 200 may perform encrypted communication using an encryption function using another encryption method and another encryption key without using the application key.

  As described above, in the communication system according to the first embodiment, an application can select an optimal encryption function using application key information obtained by inquiring a node and an application request.

(Modification)
In the first embodiment, the encryption function is selected before the execution of the application function (encrypted communication). In the modification, the encryption function to be used can be dynamically changed even during the encryption communication (deformation function 1). In the first embodiment, an optimal one encryption communication method (encryption function) is selected. However, the number of encryption functions to be selected is not limited to one. The communication system according to the modified example selects an optimal combination of cryptographic communication methods (a plurality of cryptographic functions) (modified function 2). Only one of the deformation function 1 and the deformation function 2 may be executed.

  The modification differs from the first embodiment in the following points among the components of the application 200.

  The cryptographic processor 202 can dynamically change the cryptographic function to be used even during cryptographic communication. Also, the encryption processing unit 202 can set a plurality of encryption functions (encryption algorithms) at the same time and perform encrypted communication. Further, the encryption processing unit 202 receives the transmission data (transmission data) and the metadata such as the importance level and the confidential level of the transmission data from the communication unit 204, and uses them for encryption of the transmission data based on the metadata. The encryption function (encryption algorithm) to be selected can be selected. Note that the encryption algorithm may be selected based on the data received by the encryption processing unit 202 without receiving the metadata from the communication unit 204.

  Further, the communication unit 204 can pass metadata such as importance of data to the encryption processing unit 202.

  The inquiry unit 205 can send an inquiry and a result to the encryption processing unit 202 even during encryption communication.

  The selection unit 206 can make a determination even during encryption communication. Further, the selection unit 206 may select the most appropriate combination of cryptographic functions in light of the application request.

  Heretofore, the configuration of the node and application according to the modification has been described. However, the above description is an example.

  Next, a sequence for realizing this modification will be described. The process flow is the same as that of FIG. 4 representing the sequence of the first embodiment. The sequence of this modification is, for example, a sequence when the application 200 makes an inquiry about the generation status of the application key to the node 100 while the application 200 is performing encrypted communication, and the application 200 selects an optimal encryption function. It is. Hereinafter, description will be made by paying attention to the difference from the first embodiment.

  The selection unit 206 instructs the inquiry unit 205 to make a key inquiry periodically even during execution of the application. In response to this instruction, the inquiry unit 205 makes a key inquiry to the node 100 via the communication unit 201 (step S101).

  The node 100 answers the key inquiry (step S102). At this time, the response of the node returns the current application key information that is being encrypted. The key inquiry (step S101) may not be executed, and the application key information may be directly notified from the node 100 to the application 200 (step S102).

  The communication unit 201 of the application 200 notifies the inquiry unit 205 of application key information. Inquiry unit 205 notifies application key information to selection unit 206.

  The selection unit 206 acquires the above-described application key information from the inquiry unit 205. The selection unit 206 can receive dynamic information during communication. Specifically, the selection unit 206 receives request information from the execution unit 203, receives application key information from the inquiry unit 205, receives cryptographic function information from the cryptographic processing unit 202, and receives resource information from the platform unit 207. However, this is an example, and only some of the above information may be used, or other information may be acquired.

  Based on the above information, the selection unit 206 selects an optimal encryption function in light of the application request (step S103).

  For example, as a selection result at this time, the selection unit 206 can also determine that “the combination of the encryption function A and the encryption function B” is optimal. For example, as a criterion for determination, logic such as which encryption function should be used in combination to maintain the required throughput may be used.

  The selection unit 206 sets the encryption processing unit 202 to use the encryption function determined (selected) as optimal. This setting is reflected even during encrypted communication. This may be done if cryptographic negotiation is required with the communication partner application.

  In addition, when a plurality of encryption functions are selected, a criterion for using each encryption function (encryption function selection criterion) is also determined. The selection criterion is a criterion for determining the encryption function based on, for example, the type of transmission data and additionally transmitted metadata of transmission data.

  The execution unit 203 continues to execute the application 200. Although it is transparent to the application 200, the encryption function used by the encryption processing unit 202 during data communication may be changed from when the application is started. With this change, the communication throughput that can be used by the application 200 can be maintained even if the throughput of the application key that can be used by the function of the node 100 actually fluctuates.

  In the case where a plurality of encryption functions (encryption function A and encryption function B) are used in combination, several methods are conceivable.

  For example, in one data packet, the first half includes data encrypted by the encryption function A, and the second half can also be used by defining a new encryption function including data encrypted by the encryption function B. It is. This method is not limited to data packets. For example, even in communication using a data stream, it is possible to use a stream that alternately includes data encrypted by the encryption function A and data encrypted by the encryption function B, depending on a certain data size or the like.

  Different data communication may be performed for each encryption function. That is, in the communication unit 204, for example, both a TCP (Transmission Control Protocol) connection that performs communication using the encryption function A and a TCP connection that performs communication using the encryption function B are established, and data communication is performed using these in parallel. It is also possible. However, in this case, the communication unit 204 of the receiving-side application 200 that receives data is subjected to order control processing or the like from data such as a sequence number included in the data or the header, on the data received by a plurality of TCP connections. Therefore, it is necessary to pass it to the execution unit 203.

  In addition, even when these are used together (though it is natural that they are not used together), any encryption function, combination of encryption functions, and combination with the application 200 as the communication partner Negotiations need to be made and agreed on how to implement the method. As a negotiation method for this purpose, encryption algorithm negotiation in the handshake function provided in the communication unit 204 can be used. These encryption algorithm negotiation methods are known methods generally known by TLS (Transport Layer Security) / SSL (Secure Socket Layer) or the like. When negotiating a combination of cryptographic functions and a combination method, it is necessary to define an expression method for expressing the combined cryptographic function and the combined method and to have an agreement in advance between the applications.

(Second Embodiment)
In the communication system according to the second embodiment, not the application but the node selects the optimal encryption function. In other words, the node receives request information, cryptographic function information, and resource information from the application, and selects the optimal cryptographic function using these information and the application key information that can be grasped by the node. Notify

  FIG. 5 is a block diagram illustrating an example of a configuration of the node 100-2 according to the second embodiment. As illustrated in FIG. 5, the node 100-2 includes a first communication unit 101, a generation unit 102, a key management unit 103, a second communication unit 104-2, a platform unit 105, and a selection unit 106-2. And.

  In the second embodiment, the selection unit 106-2 is added and the function of the second communication unit 104-2 is different from that of the first embodiment. Other configurations and functions are the same as those in FIG. 2 which is a block diagram of the node 100 according to the first embodiment, and thus the same reference numerals are given and description thereof is omitted here.

  In addition to the function of the second communication unit 104 of the first embodiment, the second communication unit 104-2 has a function of receiving request information and the like from an application 200-2 (described later) of the second embodiment. That is, the second communication unit 104-2 includes a receiving unit 501. The receiving unit 501 receives cryptographic function information indicating a plurality of cryptographic functions executable by the application 200-2 from the application 200-2.

  Similar to the selection unit 206 of the first embodiment, the selection unit 106-2 refers to the cryptographic function information received from the application 200-2, the application key information obtained from the key management unit 103, etc. Select the encryption function. In addition, the selection unit 106-2 sets the encryption processing unit 202 of the application 200-2 via the second communication unit 104-2 so as to execute the selected encryption function.

  FIG. 6 is a block diagram illustrating an example of the configuration of the application 200-2 according to the second embodiment. As shown in FIG. 6, the application 200-2 includes a communication unit 201-2, an encryption processing unit 202, an execution unit 203, a communication unit 204, a platform unit 207, and an information providing unit 208-2. I have.

  The second embodiment is different from the first embodiment in that the information providing unit 208-2 is added, the function of the communication unit 201-2, and the inquiry unit 205 and the selection unit 206 are deleted. Since other configurations and functions are the same as those in FIG. 3 which is a block diagram of the application 200 according to the first embodiment, the same reference numerals are given and description thereof is omitted here.

  The information providing unit 208-2 provides the application information acquired from the cryptographic processing unit 202 or the like to the node 100-2 via the transmission unit 601. For example, the information providing unit 208-2 acquires request information from the execution unit 203, acquires cryptographic function information from the cryptographic processing unit 202, and acquires resource information from the platform unit 207. Then, the information providing unit 208-2 notifies the acquired application information to the node 100-2 via the transmission unit 601.

  The communication unit 201-2 includes a transmission unit 601 in addition to the function of the communication unit 201 of the first embodiment. The transmission unit 601 transmits the cryptographic function information provided from the information providing unit 208-2 to the node 100-2.

  The encryption processing unit 202 is the same as in the first embodiment, but which encryption function is executed is set by the communication unit 201-2 that has received the selection result, for example. That is, for example, the encryption setting information indicating the encryption function selected by the node 100-2 is transmitted to the application 200-2. Then, the configuration unit (for example, the communication unit 201-2) in the application 200-2 sets the encryption processing unit 202 so as to execute the encryption function corresponding to the received encryption setting information. Note that the selection unit 106-2 of the node 100-2 may be configured to set the encryption processing unit 202 so as to execute the selected encryption function via the communication unit 201-2.

  Next, a sequence for realizing the second embodiment will be described. FIG. 7 is a sequence diagram illustrating an example of communication processing by the communication system according to the second embodiment. FIG. 7 shows that application information is provided to the node 100-2 when the application 200-2 starts encrypted communication, and the application 200 in the node 100-2 is also considered in consideration of the application key generation status. -2 is a sequence for selecting an optimal encryption function for -2 and replying to the application 200-2.

  The execution unit 203 of the application 200-2 notifies the information providing unit 208-2 of the request information held by the execution unit 203 before starting the application execution. Further, the information providing unit 208-2 may make an inquiry to the cryptographic processing unit 202 regarding the cryptographic functions that can be provided. Upon receiving this inquiry, the cryptographic processing unit 202 provides the cryptographic function information to the information providing unit 208-2.

  The information providing unit 208-2 may further make an inquiry to the platform unit 207 regarding the resource usage status in the application. Upon receiving this inquiry, the platform unit 207 provides the resource information to the information providing unit 208-2.

  As described above, the information providing unit 208-2 can collect request information from the execution unit 203, collect cryptographic function information from the cryptographic processing unit 202, and collect resource information from the platform unit 207. However, this is an example, and only some of the above information may be used, or other information may be acquired.

  The information providing unit 208-2 notifies the collected application information (request information, cryptographic function information, and resource information) to the node 100-2 via the communication unit 201-2 (step S201).

  The second communication unit 104-2 of the node 100-2 receives the application information. When receiving the application information, the second communication unit 104-2 notifies the selection unit 106-2 of the application information.

  The selection unit 106-2 inquires of the key management unit 103 about the held application key information. Note that the timing of inquiry to the key management unit 103 by the selection unit 106-2 and the timing of acquisition of application information from the application 200-2 via the second communication unit 104-2 are not particularly limited. In other words, either may be performed first or may be performed in parallel.

  As described above, the selection unit 106-2 can acquire request information, encryption function information, and resource information from the second communication unit 104-2, and can acquire application key information from the key management unit 103. However, this is an example, and only some of the above information may be used, or other information may be acquired.

  Based on the above information, the selection unit 106-2 selects an optimal encryption function in light of the application request (step S202). As the selection method, various methods can be applied as in the first embodiment. Also, various methods can be applied to the operation when no cryptographic function that satisfies the application request is found, as in the first embodiment.

  The selection unit 106-2 notifies the application 200-2 of the encryption function (selection result) determined to be optimal (selected) via the second communication unit 104-2 (step S203).

  The communication unit 201-2 of the application 200-2 receives the encryption function selection result. The communication unit 201-2 sets the encryption processing unit 202 to use the encryption function determined to be optimum based on the selection result (step S204). In addition, the communication unit 201-2 may notify the information providing unit 208-2 or the execution unit 203 that the selection of the encryption function has been completed and the selected encryption function.

  The execution unit 203 starts executing the application 200-2 (step S205). The application 200-2 uses the communication unit 204 during data communication. At this time, the encryption processing unit 202 optimally set by the selection unit 106-2 performs communication data encryption processing and decryption processing.

  As described above, in the communication system according to the second embodiment, the node can select the optimum encryption function using the application key information and the application information obtained from the application.

  Also in the second embodiment, as in the modification of the first embodiment, a function for dynamically changing the encryption function during the encryption communication (deformation function 1) and an optimal encryption communication system It may be configured to further include at least one of functions (deformation function 2) for selecting a combination (a plurality of encryption functions).

  As described above, according to the first and second embodiments, it is possible to select an optimal encryption communication method in consideration of throughput and cost in light of application requirements.

  Next, the hardware configuration of the devices (communication device, key generation device) according to the first and second embodiments will be described with reference to FIG. FIG. 8 is an explanatory diagram showing the hardware configuration of the devices according to the first and second embodiments.

  The devices according to the first and second embodiments are connected to a control device such as a CPU (Central Processing Unit) 51, a storage device such as a ROM (Read Only Memory) 52 and a RAM (Random Access Memory) 53, and a network. A communication I / F 54 that performs communication and a bus 61 that connects each unit are provided.

  The program executed by the devices according to the first and second embodiments is provided by being incorporated in advance in the ROM 52 or the like.

  A program executed by the apparatus according to the first and second embodiments is a file in an installable format or an executable format, and is a CD-ROM (Compact Disk Read Only Memory), a flexible disk (FD), a CD-R. (Compact Disk Recordable), DVD (Digital Versatile Disk) or the like may be recorded on a computer-readable recording medium and provided as a computer program product.

  Furthermore, the program executed by the devices according to the first and second embodiments may be provided by being stored on a computer connected to a network such as the Internet and downloaded via the network. . The program executed by the devices according to the first and second embodiments may be provided or distributed via a network such as the Internet.

  The program executed by the devices according to the first and second embodiments can cause a computer to function as each unit of the above-described device. In this computer, the CPU 51 can read a program from a computer-readable storage medium onto a main storage device and execute the program.

  Although several embodiments of the present invention have been described, these embodiments are presented by way of example and are not intended to limit the scope of the invention. These novel embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made without departing from the scope of the invention. These embodiments and modifications thereof are included in the scope and gist of the invention, and are included in the invention described in the claims and the equivalents thereof.

100 node 101 first communication unit 102 generation unit 103 key management unit 104 second communication unit 105 platform unit 200 application 201 communication unit 202 cryptographic processing unit 203 execution unit 204 communication unit 205 inquiry unit 206 selection unit 207 platform unit 208 information provision unit

Claims (15)

A communication device connected to a key generation device that generates an encryption key,
An inquiry unit that inquires the key generation device for capability information indicating the capability of the key generation device to generate the encryption key;
An encryption processing unit that executes a plurality of encryption functions, including an encryption function that uses the encryption key, and an encryption function that does not use the encryption key;
Among a plurality of the cryptographic functions, the key generation amount that can be allocated to the communication device, transmitted by the key generation device in response to an inquiry from the inquiry unit, is stored in the key generation device. The capability information including at least one of the total amount of the encryption key and the cost generated when the communication device uses the encryption key, and each of the plurality of encryption functions Processing performance information representing processing performance, resource information representing computing resources that can be used by the communication device, and security, throughput, and cost information held for the cryptographic communication application executed in the communication device. A selection unit that selects the encryption function according to request information indicating at least two of the priority relationships, and
The encryption processing unit executes the selected encryption function;
Communication device. A communication unit that executes communication processing using the encryption function;
The inquiry unit inquires the key generation device for the capability information while communication processing is being executed by the communication unit.
The communication apparatus according to claim 1. The selection unit selects a plurality of the encryption functions according to the capability information, the processing performance information, and the resource information,
The encryption processing unit executes the selected plurality of the encryption functions.
The communication apparatus according to claim 1. Further comprising a communication unit that establishes a plurality of communications corresponding to each of the plurality of selected cryptographic functions, and executes a communication process using the plurality of established communications;
The communication apparatus according to claim 3. The selection unit includes the encryption function according to the capability information, the processing performance information, the resource information, and request information representing a request for processing using the encryption key among the plurality of encryption functions. The communication device according to claim 1. A key generation device connected to a communication device using an encryption key,
A generating unit for generating the encryption key;
When executing each of the plurality of encryption functions, and encryption function information indicating a plurality of encryption functions that can be executed by the communication device, including an encryption function that uses the encryption key and an encryption function that does not use the encryption key Processing performance information representing the processing performance of the communication device, resource information representing the computational resources available to the communication device, and security, throughput, and cost held for the cryptographic communication application executed in the communication device A receiving unit that receives request information indicating at least two priority relationships from the communication device;
Among the plurality of cryptographic functions indicated by the cryptographic function information, as the capability of the generation unit to generate the encryption key, a key generation amount per unit time that can be allocated to the communication device, the key generation device Capability information including at least one of the total amount of the stored encryption keys and the cost generated when the communication device uses the encryption key, the processing performance information, and the resource information And a selection unit that selects the encryption function according to the request information;
A key generation device comprising: A communication unit that transmits the generated encryption key to the communication device;
The key generation apparatus according to claim 6. The selection unit selects a plurality of the encryption functions according to the capability information, the processing performance information, and the resource information;
The key generation apparatus according to claim 6. The receiving unit further receives request information representing a request for processing using the encryption key from the communication device,
The key generation according to claim 6, wherein the selection unit selects the encryption function according to the capability information, the processing performance information, the resource information, and the request information among a plurality of the encryption functions. apparatus. A communication method executed by a communication device connected to a key generation device that generates an encryption key,
An inquiry step in which the communication device inquires the key generation device for capability information indicating the capability of the key generation device to generate the encryption key;
An encryption processing step in which the communication device executes a plurality of encryption functions including an encryption function using the encryption key and an encryption function not using the encryption key;
Of the plurality of cryptographic functions, the communication device transmits the key generation device in response to an inquiry in the inquiry step and can be assigned to the communication device, and the key generation amount per unit time, the key generation The capability information including at least one of the total amount of the encryption key stored in the device and the cost generated when the communication device uses the encryption key, and each of the plurality of encryption functions Processing performance information representing the processing performance when executing communication, resource information representing computing resources available to the communication device, and security and throughput held for the cryptographic communication application executed in the communication device And selecting the encryption function according to request information indicating a priority relationship of at least two of the costs. Includes a step, the,
The encryption processing step executes the selected encryption function;
Communication method. A communication method executed by a key generation device connected to a communication device using an encryption key,
A generation step in which the key generation device generates the encryption key;
The key generation device includes an encryption function that uses the encryption key and an encryption function that does not use the encryption key. Security information held for processing performance information representing processing performance when executing each function, resource information representing computing resources available to the communication device, and an encryption communication application executed in the communication device Receiving the request information indicating at least two priority relationships among the throughput and the cost from the communication device;
Key generation amount per unit time that can be assigned to the communication device as the capability of the generation step to generate the encryption key among the plurality of encryption functions indicated by the encryption function information. Capability information including at least one of the total amount of the encryption key stored in the key generation device and the cost generated when the communication device uses the encryption key, and the processing performance A selection step of selecting the encryption function according to information, the resource information, and the request information;
Including a communication method. A computer connected to a key generation device for generating an encryption key;
An inquiry unit that inquires the key generation device for capability information indicating the capability of the key generation device to generate the encryption key;
An encryption processing unit that executes a plurality of encryption functions, including an encryption function that uses the encryption key, and an encryption function that does not use the encryption key;
Of the plurality of cryptographic functions, the key generation amount that can be allocated to the computer and transmitted by the key generation device in response to an inquiry from the inquiry unit is stored in the key generation device. The capability information including at least one of the total amount of the encryption key and the cost generated when the computer uses the encryption key, and processing performance when executing each of the plurality of encryption functions At least two of security performance, throughput, and cost held for cryptographic communication applications executed on the computer, resource information representing computing resources available to the computer A selection unit that selects the encryption function according to request information indicating a priority relationship;
Is a program for functioning as
The encryption processing unit executes the selected encryption function;
program. A computer connected to a communication device using an encryption key
A generating unit for generating the encryption key;
When executing each of the plurality of encryption functions, and encryption function information indicating a plurality of encryption functions that can be executed by the communication device, including an encryption function that uses the encryption key and an encryption function that does not use the encryption key Processing performance information representing the processing performance of the communication device, resource information representing the computational resources available to the communication device, and security, throughput, and cost held for the cryptographic communication application executed in the communication device A receiving unit that receives request information indicating at least two priority relationships from the communication device;
Among the plurality of cryptographic functions indicated by the cryptographic function information, as the ability of the generating unit to generate the cryptographic key, the amount of key generation per unit time that can be allocated to the communication device is stored in the computer. Capacity information including at least one of the total amount of the encryption key and the cost generated when the communication device uses the encryption key, the processing performance information, the resource information, A selection unit that selects the encryption function according to the request information;
Program to function as. A communication system comprising a key generation device for generating an encryption key and a communication device,
The communication device
An inquiry unit that inquires the key generation device for capability information indicating the capability of the key generation device to generate the encryption key;
An encryption processing unit that executes a plurality of encryption functions, including an encryption function that uses the encryption key, and an encryption function that does not use the encryption key;
Among a plurality of the cryptographic functions, the key generation amount that can be allocated to the communication device, transmitted by the key generation device in response to an inquiry from the inquiry unit, is stored in the key generation device. The capability information including at least one of the total amount of the encryption key and the cost generated when the communication device uses the encryption key, and each of the plurality of encryption functions Processing performance information representing processing performance, resource information representing computing resources that can be used by the communication device, and security, throughput, and cost information held for the cryptographic communication application executed in the communication device. A selection unit that selects the encryption function according to request information indicating at least two of the priority relationships, and
The cryptographic processing unit executes the selected cryptographic function;
The key generation device includes:
A generating unit for generating the encryption key;
A communication unit that transmits the capability information to the communication device in response to an inquiry from the inquiry unit;
Communications system. A communication system comprising a key generation device for generating an encryption key and a communication device,
The key generation device includes:
A generating unit for generating the encryption key;
When executing each of the plurality of encryption functions, and encryption function information indicating a plurality of encryption functions that can be executed by the communication device, including an encryption function that uses the encryption key and an encryption function that does not use the encryption key Processing performance information representing the processing performance of the communication device, resource information representing the computational resources available to the communication device, and security, throughput, and cost held for the cryptographic communication application executed in the communication device A receiving unit that receives request information indicating at least two priority relationships from the communication device;
Among the plurality of cryptographic functions indicated by the cryptographic function information, as the capability of the generation unit to generate the encryption key, a key generation amount per unit time that can be allocated to the communication device, the key generation device Capability information including at least one of the total amount of the stored encryption keys and the cost generated when the communication device uses the encryption key, the processing performance information, and the resource information And a selection unit that selects the encryption function according to the request information,
The communication device
A transmission unit for transmitting the cryptographic function information to the key generation device;
A cryptographic processing unit for executing the selected cryptographic function;
A communication system comprising:

Images