JP5414346B2 - Data processing device - Google Patents

Description

  The present invention relates to device authentication, data integrity authentication, and data concealment in communication with a data processing device, and in particular, inter-device communication while maintaining the security strength required for LCNA (Low Cost Network Application: LCNA) communication. Technology for lightweight device authentication, data integrity authentication, and data concealment.

In a facility network consisting of building equipment (facility) equipment and its management equipment, there are many equipment equipment in the building to realize each function such as air conditioning management and entrance / exit management, and these are controlled by the control device for each function. Managed.
The control device is managed by a management server or a management center.
The control device transmits various information in the building acquired from the equipment to the management server and the like, and controls the equipment according to various commands from the management server.

  For the control device, LCNA is generally used because of cost limitations.

In recent years, facility networks are required to open systems.
Opening can be expected to reduce equipment costs and facility work costs, but security is inevitable due to ease of connection.

In recent years, the IPv6 protocol, which is one of open protocols, is becoming widespread in communication between LCNAs in a facility network.
The reason for this is that IPv6 is superior in multi-building management and group management, and a vast address space meets the need to manage a large number of management points, and a service network with excellent access control can be constructed at a relatively low cost. It is mentioned that.

  In addition, since it is essential for the IPv6 protocol stack to implement IPsec, it also meets the requirements of the facility network in terms of security.

However, IPv6 has been created on the assumption that a personal computer (PC) accesses the Internet.
Accordingly, the encryption algorithm and authentication algorithm used in IPsec achieve high security strength, but require high calculation processing capacity and calculation capacity.

  Unlike IPsec, which uses abundant computing resources, if IPsec is used in LCNA, the performance is sacrificed due to an unnecessarily high security strength, and the communication performance is reduced to several tenths.

Security required for facility networks is different from security required for wide area networks such as the Internet.
This is due to the period during which data should be protected.

  One of the reasons for device authentication and confidential communication in the facility network is to prevent a third party from issuing an administrator command such as an emergency stop arbitrarily.

When a customer browses various information in the facility network, if the third party can intercept the information in real time, the third party may show information different from the fact to the customer using spoofing technology.
Preventing this is also one of the reasons for performing device authentication and confidential communication.

On the other hand, when device authentication and confidential communication are used in a wide area network such as the Internet, there are transmission / reception of non-public documents and transmission of a password of a cash card.
Such information needs to be protected for a long time even after the communication is completed. On the other hand, in the facility network, the period for which the security guarantee is required is short, and it is completed when transmission and reception are completed in both communicating parties.

  As an example, when the secret key is exchanged every three months, even if the secret communication contents are decrypted after four months in the facility network communication, the secret key has already been exchanged at that time, so an emergency stop command is issued. Even if it is planned to cause a malfunction by sending it, it cannot be implemented.

On the other hand, even if the secret key is exchanged every three months, the information that is required to be protected for a long time is significant information even if it is decrypted after the key exchange.
In order to conceal such information, cryptological secrecy is required, but it is not always necessary for facility network communication.

  In addition, since the facility network normally performs maintenance every several months, it can be expected that private keys can be exchanged during this period even as part of maintenance work even for LCNAs that do not have an automatic secret key exchange protocol. .

  Since the secret key can be expected to be exchanged every several months, even if the algorithm itself cannot be expected to have cryptographically confidential strength, it can be used for communication with the LCNA in the facility network as long as the secret strength of about several months can be guaranteed. It is possible to prevent third-party threats by exchanging.

Okabe et al. “Examination of IPv6 minimum requirement specification for application to non-PC digital devices”, Information Processing Society of Japan, Vol. 42, no. 9, pp. 920-925, 2001.

As described above, the cryptographically confidential strength is not necessarily required for LCNA communication.
Even if the algorithm requires only a few months instead of a small amount of computation, if the strength can be guaranteed for a few months, the facility network will permanently secure the security as long as the private key is managed. It is possible to keep.
As a reminder, this temporal premise depends on the exchange of the secret communication key at every maintenance period of the building equipment, so the above-mentioned strength must be guaranteed.

Here, the secret communication needs to have a source authentication function and a message tampering detection function.
Since adding new hardware to add such processing increases the cost, LCNA normally performs these processing by software (hereinafter referred to as S / W).

Essentially, message authentication cannot be performed unless the message packet has been concealed.
When the concealment process and the authentication process are performed by a single CPU (Central Processing Unit), if different algorithms are used for each process, both processes need to be performed separately.
That is, the message authentication process cannot be performed during the concealment process, and the next message concealment process cannot be performed during the message authentication process.

  No matter how lightweight the communication concealment process or authentication process is, if the concealment process and the authentication process operate separately, the processing time increases due to the exclusivity of these processes and the communication performance deteriorates.

The present invention has been made in view of the above problems, and realizes data integrity authentication processing that can be performed in parallel with data concealment processing for device-to-device communication, and provides data concealment processing and data integrity authentication. The main purpose is to realize a mechanism for reducing processing time by performing processing in parallel.
In the IPsec protocol, the encryption algorithm and the authentication algorithm can be implemented independently of the protocol itself. If a mechanism for solving the above problem can be used from the IPsec protocol, IPv6 IPsec communication can be used in LCNA.

The data processing apparatus according to the present invention
A one-way operation portion for a one-way operation of the tamper detection target data to be subjected to tampering detection de San rows have unidirectional operation value for each predetermined calculation target data length,
A calculation value accumulating unit for cumulatively adding one direction calculation value calculated by the one-way computation unit,
An authentication value specifying portion which the accumulated value which is cumulatively added by the arithmetic value accumulating unit and the authentication value of the tampering detection target data,
And a concealment processing unit configured to conceal the alteration detection target data based on the cumulative addition value cumulatively added by the calculation value cumulative addition unit .
In addition, a data reception unit that receives an authentication value used for falsification detection of the falsification detection target data, and falsification detection target data that is subject to falsification detection after being concealed;
A one-way calculation unit that calculates a one-way calculation value by performing one-way calculation of the falsification detection target data for each predetermined calculation target data length;
A calculation value cumulative addition unit that cumulatively adds the one-way calculation values calculated by the one-way calculation unit;
A collation unit that collates the cumulative addition value cumulatively added by the calculation value cumulative addition unit with the authentication value received by the data reception unit;
And a decoding processing unit that performs a decoding process on the alteration detection target data based on the cumulative addition value cumulatively added by the calculation value cumulative addition unit.

According to the present invention, the one-way calculated value of the falsification detection target data is sequentially calculated, and the authentication value for data falsification detection is generated by cumulatively adding the calculated one-way calculated value, and based on the cumulative added value. Since the data concealment process is performed, the amount of calculation processing can be reduced. In addition, the one-way calculation value of the tampering detection target data that has been subjected to the concealment process is sequentially calculated, and the cumulative addition value of the calculated one-way calculation value is compared with the received authentication value. Therefore, the amount of calculation processing can be reduced.

The figure which shows the structural example of the facility network which concerns on Embodiment 1-6. FIG. 3 is a diagram illustrating a configuration example of a control device according to the first embodiment. FIG. 6 is a diagram for explaining a stream HASH according to the first embodiment. FIG. 4 is a diagram illustrating a processing example when data is transmitted by the control device according to the first embodiment. FIG. 3 is a diagram illustrating a processing example when data is received by the control device according to the first embodiment. FIG. 4 is a diagram showing a flow of calculation of an authentication value of the control device according to the first embodiment. FIG. 10 shows an example of transmission data according to the second embodiment. FIG. 5 is a diagram illustrating a configuration example of a control device according to a second embodiment. The flowchart figure which shows the process example at the time of the data transmission of the control apparatus which concerns on Embodiment 2. FIG. The flowchart figure which shows the initial position concealment process which concerns on Embodiment 2. FIG. The flowchart figure which shows the initial concealment process which concerns on Embodiment 2. FIG. The flowchart figure which shows the confidential authentication process which concerns on Embodiment 2. FIG. The figure which shows the flow of the calculation of the authentication value of the control apparatus which concerns on Embodiment 2, and a concealment process. The figure which shows the flow of the calculation of the authentication value of the control apparatus which concerns on Embodiment 2, and a concealment process. FIG. 10 is a diagram illustrating an example of received data according to the second embodiment. The flowchart figure which shows the process example at the time of the data reception of the control apparatus which concerns on Embodiment 2. FIG. FIG. 9 is a flowchart showing initial position decoding processing according to the second embodiment. FIG. 9 is a flowchart showing decoding processing according to the second embodiment. FIG. 9 is a flowchart showing a sliding process according to the second embodiment. The figure which shows the flow of the calculation of the authentication value of the control apparatus which concerns on Embodiment 2, and a decoding process. The figure which shows the flow of the calculation of the authentication value of the control apparatus which concerns on Embodiment 2, and a decoding process. The figure which shows the flow of the calculation of the authentication value of the control apparatus which concerns on Embodiment 2, and a decoding process. FIG. 10 is a diagram illustrating an operation for determining an authentication value according to the second embodiment. The figure which shows the operation | movement after the authentication value determination which concerns on Embodiment 2. FIG.

Embodiment 1 FIG.
FIG. 1 shows a configuration example of a facility network described in the present embodiment and the following embodiments.
In the building-side network, a large number of equipments for realizing each function such as air-conditioning management and entrance / exit management exist in the building, and these are managed by the control device 1 for each function.
The control device 1 is managed by a management server or a management center.
The control device 1 transmits various information in the building acquired from the equipment to a management server and the like, and controls the equipment according to various commands from the management server.

The control device 1 generally uses LCNA due to cost limitations.
The control device 1 is an example of a data processing device.

In the present embodiment, a configuration and a method for maintaining data integrity in the control device 1 will be described.
That is, in the present embodiment, a process for maintaining data integrity (hereinafter also referred to as data integrity authentication process) that can be performed in parallel with the data concealment process will be described.
An example of performing the data concealment process in parallel with the data integrity authentication process described in the present embodiment will be described in the second and subsequent embodiments.
In other words, if the data integrity authentication process is extracted by discarding the data concealment process from the operation of the control device 1 shown in the second and subsequent embodiments, the extracted data integrity authentication process is the data described in the present embodiment. The content is the same as the integrity authentication process.
As described in the second and subsequent embodiments, the processing time can be shortened by executing the data concealment processing and the data integrity authentication processing in parallel.
In the data integrity authentication process, when the control device 1 is the data transmission side, the control device 1 generates an authentication value used for detection of falsification of the transmission data, and adds the authentication value to the transmission data. When the control device 1 is the data receiving side, the authentication value is calculated by performing an operation on the received data, and the authentication value added to the received data is collated with the calculated authentication value. The detection of falsification of received data.

FIG. 2 shows a configuration example of the control device 1 according to the present embodiment.
In the control device 1, a data integrity ensuring unit 4 is provided between the equipment control unit 2 and the communication control unit 3.
The communication control unit 3 is an example of a data transmission unit and a data reception unit.

  The data integrity ensuring unit 4 includes a transmission side concealment processing control unit 41, a reception side concealment processing control unit 42, and a HASH calculation unit 43 therein.

The transmission-side confidential processing control unit 41 includes a HASH calculation management unit 411 and a transmission-side confidential communication processing unit 412.
In the present embodiment, the transmission side secret communication processing unit 412 performs control of the HASH calculation management unit 411, the stream HASH calculation unit 431, and the calculation value accumulation addition unit 430 during data transmission without performing data concealment processing. Do. Further, the transmission side secret communication processing unit 412 determines an authentication value and adds the authentication value to the transmission data. The transmission side secret communication processing unit 412 is an example of an authentication value designating unit.

The reception side confidential processing control unit 42 includes a HASH calculation management unit 421 and a reception side confidential communication processing unit 422.
The HASH calculation management unit 421 has the same mechanism as the HASH calculation management unit 411 included in the transmission-side confidential processing control unit 41.
In the present embodiment, the reception side secret communication processing unit 422 controls the HASH calculation management unit 421, the stream HASH calculation unit 431, and the calculation value accumulation addition unit 430 at the time of data reception without performing the data decoding process. . In addition, the reception side secret communication processing unit 422 verifies whether the data has been tampered with by collating the authentication value added to the received data with the authentication value derived by the HASH calculation. The reception side secret communication processing unit 422 is an example of a collation unit.

The HASH calculation unit 43 includes a stream HASH calculation unit 431 and a calculation value accumulation addition unit 430 therein.
The stream HASH calculation unit 431 performs HASH calculation that is one-way calculation. The stream HASH calculation unit 431 is an example of a one-way calculation unit.
Note that the stream HASH calculation unit 431 is not necessarily required to calculate the stream HASH, and may be any unit that provides a means for calculating the HASH value. However, it is preferable to adopt the stream HASH from the viewpoint of calculation amount.
In the present embodiment, Rabin Fingerprinting based on the Rabin-Karp method is adopted as the HASH function.
This HASH function is described in Non-Patent Document 2, and the output length is 64 bits. The amount of calculation of Rabin Fingerprinting is XOR 2 times, 2 shifts, and OR 1 time per data 1 byte.
In addition, every time the stream HASH calculation unit 431 calculates the HASH value, the calculation value accumulation addition unit 430 sequentially accumulates the calculated HASH value.
The calculation value cumulative addition unit 430 is configured using, for example, a cumulative addition register.

  Non-Patent Document 2: M.M. Rabin, “Fingerprinting by random polynomials,” Technical Report TR-15-81, Harvard University, Department of Computer Science, 1981.

FIG. 3 is a diagram illustrating the description of the stream HASH.
Data of a certain input length called window size is cut out from the calculation target data 5 for calculating the HASH value and input to the HASH function 6. The window size is a data length that is a target of hash calculation, and is an example of a calculation target data length.
The cutting method is to slide out by one byte at a time, like 51, 52, 53.
HASH values such as 61, 62, and 63 are generated for the data extracted as 51, 52, and 53, respectively.
In this specification, the sliding amount of the window is described as 1 byte. However, if the sliding amount is smaller than the window size (sliding amount <window size), the sliding amount may not be 1 byte.

Since the HASH function 6 is initialized with a 64-bit key, HASH functions initialized with different keys output different HASH values even with the same input value.
Conversely, even if the HASH functions are initialized using the same key, different values are output if the HASH functions have different window sizes.
That is, the same HASH function can be configured for the stream HASH only when the key and the window size match.

The control device 1 calculates an authentication value according to a data authentication target range (falsification detection target data) via the data integrity ensuring unit 4 when transmitting data from the facility device to another device.
This operation is shown in FIG.
Here, the authentication range does not necessarily have to be the entire transmission data from the MSB (Most Significant Bit), and may be a part thereof.
The maximum range that can be specified is the entire transmission data, and the minimum range is 1 bit.
However, since the practical minimum unit is 1 byte, the minimum range will be described in 1 byte in the following description of this specification.
The method for designating the authentication start position and the authentication range is not limited in the present embodiment, but is usually stored in the header of the transmission data or is determined in advance.

When the control device 1 receives data from another device, the data integrity ensuring means 4 verifies the integrity of the received data.
This operation is shown in FIG.
After calculating the authentication value of the received data according to the authentication range, it is compared with the authentication value held by the received data.
If the authentication values match, the received data is data that has been transmitted from the transmission source, and therefore is treated as correct received data.
If the authentication values do not match, the received data has been altered in the middle of the route or the data has been corrupted.
In either case, it cannot be used as received data, and therefore the data is discarded.
Even on the receiving side, the method for specifying the authentication start position and the authentication range is not particularly limited in the present embodiment.

Conventionally, as a means for confirming that an error is not included in a message, a checksum for the entire confirmation target area has been widely used.
However, since the checksum can be easily recalculated, it is possible that the checksum has been tampered with when there is a third party on the communication path aiming at tampering with the data.
Therefore, in this embodiment, instead of using the data checksum, the HASH value is calculated for the entire area of the data to be detected for falsification, and the sum is used as an authentication value for guaranteeing the integrity of the data.
Authentication values cannot be easily recalculated without knowing the shared information.
In this embodiment, since the HASH value is calculated based on Non-Patent Document 2, it is necessary to share two types of information, that is, the radix of the polynomial and the window size, at both communication end points.
In this embodiment, the radix of a polynomial is used as a key.

  The selection of the radix is preferably determined so that the HASH function that is a polynomial is irreducible.

  Next, the flow of processing until the data integrity ensuring unit 4 calculates the authentication value will be described.

First, the processing of the control device 1 when the control device 1 is the transmission side will be described.
The HASH calculation management unit 411 in the transmission side concealment processing control unit 41 manages information to be shared by both communication end points, and includes at least a key used for calculating an authentication value.
When Rabin Fingerprinting is adopted as the HASH function as in this example, the coefficient table is calculated from a 64-bit key, a window size, and the key. The reason why these are necessary depends on Non-Patent Document 2.
The coefficient table is calculated every time the key is changed.

  When transmission data whose authentication value is to be calculated is generated, the transmission side secret communication processing unit 412 calculates the authentication value using the stream HASH calculation unit 431 and the HASH calculation management unit 411 of the HASH calculation unit 43.

It is assumed that the authentication start position and the authentication range are preset or information is stored in the transmission data header.
Prior to the calculation of the authentication value, the transmission side secret communication processing unit 412 initializes the stream HASH calculation unit 431.
This processing is realized by setting the coefficient table of the HASH calculation management unit 411 in the stream HASH calculation unit 431 and providing the stream HASH calculation unit 431 with a value 0 corresponding to the window size.

After the initialization is completed, the transmission side secret communication processing unit 412 calculates an authentication value.
This flow is shown in FIG.
The initial value of the cumulative addition register 4121 is 0. The cumulative addition register 4121 is a register constituting the calculation value cumulative addition unit 430.
When the window size from the beginning of the authentication range is input to the stream HASH calculation unit 431, a HASH value is output, and this value is added to the cumulative addition register 4121.
In this embodiment, it is assumed that the bit width of the authentication value is 64 bits, and accordingly, the cumulative addition register 4121 is also 64 bits.
However, an appropriate width may be selected for use as the bit width.

  When the authentication range 701 is less than the window size, the area other than the authentication range is regarded as 0 and is input to the stream HASH calculation unit 431.

By inputting the next 1 Byte of the window size to the stream HASH calculator 431, the stream HASH is slid by 1 Byte.
Thereafter, the stream HASH calculation unit 431 outputs a HASH value every time it is slid, so that the cumulative addition register 4121 sequentially performs cumulative addition according to the order of HASH calculation.

When the end of the window reaches the end point of the authentication range and the HASH value output at that time has been added in the cumulative addition register 4121, the transmission side secret communication processing unit 412 causes the final value of the cumulative addition register (final cumulative Addition value) is adopted as the authentication value.
When transmitting the transmission data 700 to the communication path, the transmission side secret communication processing unit 412 transmits the authentication value 712 following the transmission data 700.
This completes the calculation of the authentication value on the transmission side.

  The processing on the receiving side is started when the communication control unit 3 receives the data and then passes it to the data integrity ensuring unit 4.

The calculation method of the authentication value is the same as the calculation method on the transmission side.
That is, the stream HASH calculation unit 431 generates a HASH value corresponding to the window size while sliding the window 1 byte at a time from the beginning of the authentication range (falsification detection target data) of the received data, and the operation value accumulation addition unit 430 calculates the stream HASH calculation. Each time the HASH value is calculated by the unit 431, cumulative addition is performed according to the order of HASH calculation.
However, since the authentication value calculated on the transmission side is given to the reception data, the reception side secret communication processing unit 422 and the authentication value calculated by itself (the final cumulative addition value of the calculation value cumulative addition unit 430) and The authentication value given by the transmission side is collated, and the integrity of the received data is determined based on the result.

In order to have the same value on the transmission side and the reception side, it is necessary to configure the same HASH function, and for this purpose, both communication end points need to share the same key and window size.
If the authentication value calculated on the reception side matches the authentication value added from the transmission side, it can be said that the data in the authentication range has not been altered on the communication path.
When data is tampered on the communication path, the authentication value calculated on the receiving side does not match the authentication value assigned on the transmitting side, and tampering can be detected.

  Since the authentication values do not match unless the secret information is shared, the process also functions as partner authentication. As described above, the data integrity function and the partner authentication function can be realized.

In some countries and regions, data concealment may be prohibited, and this embodiment can cope with such a case.
By the method described above, it is possible to provide a data integrity function and a partner authentication function for plain text without performing concealment processing.

In the above description, the example in which the final value of the cumulative addition value of the HASH value is used as the authentication value has been described, but the intermediate cumulative addition value may be used as the authentication value.
For example, if the transmitting side and the receiving side decide in advance that the cumulative addition value calculated for the Nth (N ≧ 2) th time is used as the authentication value, the Nth cumulative addition value can be used as the authentication value.

Embodiment 2. FIG.
In this embodiment, an example will be described in which the data concealment process is performed simultaneously with the data integrity authentication process described in the first embodiment.
Here, it should be noted that the data integrity function in the confidential communication must be provided for the data after the confidential processing.
That is, in the present embodiment, at the time of data transmission, the HASH value is calculated for the data after the concealment process, and the calculated HASH value is cumulatively added. The concealment process is performed using the cumulative addition value of the HASH value.
Further, at the time of data reception, a HASH value is calculated for data that has not been decrypted (in a state of being concealed), and a cumulative addition of the calculated HASH value is performed. The decoding process is performed using the cumulative addition value of the HASH value.

Thereafter, the concealment process and the authentication calculation of the transmission data 700 shown in FIG. 7 are performed as an example of the process.
In the concealment calculation described in the present embodiment, the concealment process and the authentication calculation can be performed simultaneously even with software (S / W) implementation.
This makes it possible to finish the processing at a higher speed than when using different algorithms for the confidential processing and the authentication calculation.

FIG. 8 shows the configuration of the control device 1 that provides the secret communication function.
Compared with the configuration of FIG. 2, an initial HASH calculation unit 432 is attached to the HASH calculation unit 43.
The initial HASH calculation unit 432 is arbitrary as long as it is a HASH calculation unit different from the stream HASH calculation unit 431. However, in this embodiment, a 32-bit checksum calculation unit such as Adler-32 or CRC-32 is mounted as the unit. Is assumed.
This is because, even in the case of S / W implementation, the processing is fast, and the calculation unit does not require pre-known conditions such as keys.
The initial HASH calculation unit 432 is an example of a one-way calculation unit together with the stream HASH calculation unit 431.

The transmission side needs to conceal communication data, and the reception side needs to decrypt the concealed data.
For this reason, the processing contents of the transmission-side secret communication processing unit 412 and the reception-side secret communication processing unit 422 are also different from the processing shown in the first embodiment.
Unlike the first embodiment, the transmission-side secret communication processing unit 412 performs data concealment processing, and the reception-side secret communication processing unit 422 performs data decryption processing.
The transmission side secret communication processing unit 412 according to the present embodiment is an example of a concealment processing unit and an authentication value designating unit, and the reception side secret communication processing unit 422 according to the present embodiment is an example of a decoding processing unit and a verification unit. It is.
Hereinafter, details of the processing of the transmission-side secret communication processing unit 412 and the reception-side secret communication processing unit 422 will be described.

The flowchart of the transmission side secret communication processing unit 412 is shown in FIGS. 9, 10, 11, and 12.
The contents of the processing described in the flowchart are shown in FIGS.
The following description is based on these drawings.

First, initialization is performed by setting the coefficient table held in the HASH calculation management unit 411 in the stream HASH calculation unit 431.
The stream HASH calculation unit 431 is used for concealing the confidential authentication range 702 of the transmission data 700 and calculating the authentication value, but the window size from the beginning of the range 702 is concealed using the stream HASH calculation unit 431 due to the nature of the stream HASH. It cannot be made.
Therefore, the concealment process for the portion is performed using the initial position concealment process.

In the initial position concealment process in FIG. 9, the concealment process is performed on the data corresponding to the window size from the top of the concealment authentication range 702.
The flowchart of this initial position concealment process is shown in FIGS.
Here, FIG. 13 is a diagram for explaining the operation of FIG.
In order to perform concealment processing for the window size from the beginning of the range 702, the transmission side concealment communication processing unit 412 inputs the key value 4111 that is shared information to the initial HASH calculation unit 432, and calculates the 32-bit value calculated from the key value. 4321 is obtained.
This value 4321 is used as an input to the initial HASH calculation unit 432 to obtain a new 32-bit value 4322. The transmission side secret communication processing unit 412 XORs this value 4322 and 32 bits from the top of the transmission data, and sets the result value as the secret data.
In addition, in FIGS. 13-15, the colored part of the secret authentication range has shown the data part which has been concealed.

Since the window size of the present embodiment is 6 bytes, the remaining 2 bytes are still in plain text.
In order to conceal this area, the transmission side concealment communication processing unit 412 inputs the 32-bit value 4322 to the initial HASH calculation unit 432 and obtains the next 32-bit value 4323.
The value 4323 and 2 bytes of secret authentication processing target data are XORed by the transmitting side secret communication processing unit 412 and the result value is set as secret data.
This completes the concealment process for the window size.

In the secret authentication process in FIG. 9, after the secret process for the window size is completed, the entire secret authentication range 702 is concealed and the authentication value is calculated.
The flowchart is shown in FIG. 12, and the description thereof is shown in FIG.

This will be described with reference to FIG.
The transmission side secret communication processing unit 412 inputs the concealed data for the window size to the stream HASH calculation unit 431, and adds the result to the accumulation addition register 4121.
The initial value of the cumulative addition register 4121 is 0.
Thereafter, the transmission side secret communication processing unit 412 performs XOR calculation with the transmission data for 8 bytes from the next position of the window and the cumulative addition value of the cumulative addition register 4121, and the obtained result is set as the confidential data.

Subsequently, the transmission side secret communication processing unit 412 slides by 1 byte, inputs the concealed data for the window size to the stream HASH calculation unit 431 as described above, and adds the result to the cumulative addition register 4121.
Thereafter, the transmission side secret communication processing unit 412 performs XOR calculation with the transmission data for 8 bytes from the next data of the window and the cumulative addition value of the cumulative addition register 4121, and the obtained result is set as the confidential data.
As a note, 7 bytes of 8 bytes of transmission data that are XOR calculation objects are areas in which XOR calculation has been performed before sliding. By performing XOR in duplicate, it can be expected that the stirrability of the bit series is improved.

Thereafter, the transmission-side secret communication processing unit 412 performs the same processing from the end of the secret authentication range 702 to 1 byte before, thereby concealing the entire range 702.
After that, HASH calculation and cumulative addition of HASH values are performed for the last 1 byte.
The transmission side secret communication processing unit 412 adds the last value of the cumulative addition register 4121 to the transmission data as the authentication value 712.
Since the data concealment process (XOR) precedes the HASH operation, when approaching the end of the cipher authentication range 702, XOR calculation is performed in a range of 7 bytes, and further, XOR calculation is performed in a range of 6 bytes by sliding 1 byte. Moreover, every time 1 byte is slid, the amount of data subject to XOR decreases by 1 byte.

Above, the process of the transmission side secret communication process part 412 is complete | finished.
It can be seen that the confidential processing and the authentication processing are performed simultaneously in the processing of the transmission side confidential communication processing unit 412.
That is, in the present embodiment, the stream HASH calculation unit 431 calculates the HASH value by performing HASH calculation of data for the window size (calculation target data length) in order from the front of the secret authentication range (falsification detection target data). In addition, each time the concealment process is performed by the transmission side confidential communication processing unit 412, the window target range is slid backward by a predetermined slide amount (slide amount <window size), and the data of the window size after the slide is A HASH operation is performed to calculate a HASH value. In addition, every time the HASH value is newly calculated by the stream HASH calculation unit 431, the calculation value accumulation addition unit 430 accumulates the newly calculated HASH and the cumulative addition value of HASH calculated so far. The transmission side secret communication processing unit 412 uses the newly calculated cumulative addition value every time the calculation value cumulative addition unit 430 calculates a new cumulative addition value. To conceal the secret authentication range.
In this way, in the present embodiment, the data integrity authentication process (HASH value cumulative addition) and the data concealment process are performed in parallel.

Next, processing of the reception side secret communication processing unit 422 will be described.
FIG. 15 shows an example of the received data, and the processing on the decoding side will be described by taking the received data 800 in this figure as an example.
It should be noted that the receiving side secret communication processing unit 422 has a FIFO (First In First Out) (FIFO storage unit) capable of storing data having the same size as the authentication value only in an entry calculated by {window size + authentication value size}. ).
In this example, since the window size is 6 bytes and the authentication value size is 8 bytes, it is assumed to have a FIFO capable of storing 8 bytes × 14 entries.

The flowcharts of the reception side secret communication processing unit 422 are shown in FIGS. 16, 17, 18, and 19.
In addition, according to these flowcharts, FIG. 20, FIG. 21, FIG. 22, FIG. 23, and FIG. 24 show operations in which the reception side secret communication processing unit 422 also performs authentication value determination while decrypting the received data 800.

The operation immediately after the start of the decoding process is shown in FIG.
In FIG. 16, which is a flowchart showing the entire process, the initial position decoding process and the decoding process are immediately terminated.
The reason is that the flag condition is not satisfied unless the sliding process is completed up to the byte length calculated by {window size + authentication value size}.
The sliding process is a process of updating the cumulative addition register by sequentially calculating HASH on the data that is still concealed while sliding the window.

In the sliding process, prior to the start of the decryption process by the reception-side secret communication processing unit 422, as shown in FIG. 20, the stream HASH calculation unit 431 performs the window in order from the top of the secret authentication range in which the concealment process is performed. HASH calculation is performed on the data for the size, and the HASH value is calculated. At the same time, the target range of the window is slid backward by the slide amount (1 byte), and the HASH calculation is performed on the data for the window size after the slide. Then, the operation value accumulation / addition unit 430 cumulatively adds the HASH values calculated by the stream HASH calculation unit 431 according to the order of HASH operations.
The stream HASH calculation unit 431 sequentially calculates 14 64-bit HASH values, and the operation value accumulation addition unit 430 sequentially accumulates and adds 14 HASH values to calculate 14 accumulation addition values. Are output to a 64-bit × 14-stage FIFO 4222, and the 64-bit × 14-stage FIFO 4222 stores 14 64-bit cumulative addition values.
20 to 24, the colored portion of the secret authentication range indicates the data portion that has been concealed (undecrypted).

  When the sliding process exceeds {window size + authentication value size}, the initial position decoding process and the decoding process are started.

FIG. 21 is a diagram showing the operation of the initial position decoding process. The flowchart is shown in FIG.
This process is a process corresponding to the initial position concealment process on the transmission side, and is decrypted by performing the same operation as the transmission side on the concealed received data.
This process is executed only once when the left end of the sliding window of the stream HASH in the sliding process advances {window size + authentication value size} bytes from the start position of the secret authentication range.

  A flowchart of the decoding process is shown in FIG. This process is performed after the initial position concealment process is completed. At this stage, the FIFO entry is full.

FIG. 22 illustrates the processing operation when the decoding process and the sliding process are performed in the loop of FIG. 16 after the initial position concealment process is completed.
This operation is performed until the right end of the sliding window of the stream HASH in the sliding process reaches the right end of the secret authentication range.

In FIG. 22, the decoding process is first performed, and then the sliding process is performed.
When the decryption process is performed for the first time, it is immediately after the end of the initial position concealment process, and the decryption start position is a position advanced by the sliding window size from the start position of the concealment authentication range.
The reception side secret communication processing unit 422 extracts one entry from the FIFO 4222, and performs XOR operation with the received data having the same Byte length as the authentication value from the position.
In this example, an 8-byte XOR operation is performed.
At this time, what is decoded is one byte on the left side, and the remaining 7 bytes and the entire other secret authentication range are sequentially decoded by 1 byte by subsequent processing.
On the other hand, when the decoding process is finished, the sliding process is performed, the HASH value is calculated by the stream HASH calculation unit 431, and the cumulative addition register 4221 performs the cumulative addition of the HASH value, and the cumulative addition value becomes a FIFO 4222 as a new entry. Stored in

FIG. 23 is a diagram when the right end of the sliding window of the stream HASH in the sliding process has reached the right end of the secret authentication range.
If the received data 800 has not been tampered with on the communication path as it was sent by the sender sharing the secret information, the HASH value obtained at this time is added to the cumulative addition register 4221 so that the cumulative addition register 4221 The value should match the authentication value 812.
The receiving side secret communication processing unit 422 compares the value of the cumulative addition register 4221 with the authentication value 812 to determine whether the secret authentication range has been tampered with.
If they do not match, the received data has been lost or some operation has been performed on the communication path, and is discarded and the processing of the receiving side secret communication processing unit 422 is terminated.

The value of the cumulative addition register 4221 when reaching the right end is used only for determination of the authentication value, and is not stored in the FIFO 4222.
In FIG. 18, Sflg is turned on and the sliding process is stopped.

FIG. 24 is a diagram when the area that is still concealed after FIG. 23 is decrypted.
According to FIG. 18, the receiving side secret communication processing unit 422 extracts data from the FIFO 4222 and performs XOR processing with the data that has been concealed.
This process is performed while shifting 1 byte at a time, and all areas are decoded.
If the data to be processed is less than 8 bytes, XOR processing is performed using the right end side of the FIFO entry in order to correspond to processing on the transmission side.

This completes the authentication value determination and decryption processing on the receiving side.
It can be seen that the decryption process and the authentication process are performed at the reception side as well as the transmission side.

In other words, in the present embodiment, the reception-side secret communication processing unit 422 sequentially acquires the cumulative addition value from the FIFO 4222 and uses the acquired cumulative addition value from the front of the secret authentication range where the concealment process is performed. The data corresponding to 8 bytes (data length to be decoded) is sequentially decoded, and the stream HASH calculation unit 431 moves forward of the secret authentication range every time the reception-side secret communication processing unit 422 performs the data decoding for 8 bytes. In order, the HASH value of the undecoded data corresponding to the window size (calculation target data length) is calculated by sliding the object range of the window backward by a predetermined slide amount (slide amount <window size) to obtain the HASH value. The calculation value cumulative addition unit 430 calculates a new HASH value by the stream HASH calculation unit 431. Each time, the newly calculated HASH value and the cumulative addition value of the HASH value calculated so far are cumulatively added to calculate a new cumulative addition value, and the calculated new cumulative addition value is input to the FIFO 4222. Output.
In this way, in the present embodiment, the data integrity authentication process (HASH value cumulative addition) and the data decryption process are performed in parallel.

Next, consider the strength of secrecy.
Note that the HASH function is composed of the window size and the key.
Assume that the window size is a known fixed length and that the HASH function changes only with the key. Further, it is assumed that the computing capacity of the computer used for decoding is about 56200 MIPS. This computing capability is equivalent to that of a computer with high computing capability among computers that are practically available at present. By assuming realistic computing ability instead of unrealistic computing ability, it is possible to verify the strength assuming an actual attack.

  The calculation amount of the HASH function itself is {XOR 2 times, shift 2 times, OR 1 time} per 1 byte. Further, since the output value of the HASH function varies depending on the key, in order to perform an exhaustive search, it is necessary to search for the collision of the HASH function while changing the key.

First, when the key is determined and the HASH function is determined, in order to calculate the collision, if 2 ^ (64/2) are calculated by the so-called birthday attack, the data causing the collision can be established by 50%. Can be identified.
That is, when the key is fixed, it is approximately 0.382 (seconds) until a candidate for the beginning of the plaintext is found.
However, if the keys do not match, the whole value cannot be deciphered because the value is different when sliding calculation is performed.
If the key is different, the output value of the HASH function also changes, so it is necessary to recalculate the candidate value for causing the collision.

  Therefore, 0.382 (seconds) is required for one key, and 2 ^ 64 times are required for the key attempt. However, from the case of DES Challenge III described in Non-Patent Document 3 and Non-Patent Document 4, it is assumed that it can be specified in about 20% of the search area.

  As described above, the time required for exhaustive search is 0.386 × ((2 ^ (64)) × 0.20) (seconds) = 1.117 × 10 ^ (10) (year). It is difficult to understand.

Here, the probability of specifying the key by exhaustive search is uniform for the search area.
The assumption of 20% search is a value set from Non-Patent Document 4, which is an example of high-speed decoding among past official decoding examples.

Non-Patent Document 3: Information-technology Promotion Agency, “An Investigation Report on Compromised Cryptography”
Non-Patent Document 4: RSA (registered trademark) Laboratories, DES Challenge III: http: // www. rsa. com / rsalabs / node. asp? id = 2108

  As described above, according to the present embodiment, it is possible to provide scrambled communication that can guarantee the level of confidentiality and authentication strength required for LCNA communication in LCNA that does not have high calculation processing capacity and calculation capacity. .

Furthermore, even in software implementation, data concealment and authentication calculation proceed simultaneously, so that high-speed secret communication can be realized.
That is, since the data concealment process and the data integrity authentication process can be executed in parallel, the processing time can be reduced, thereby preventing the communication performance from deteriorating.

  Since the algorithm shown in the present embodiment performs data concealment and integrity authentication value calculation, it can be used as an IPsec encryption algorithm and data integrity authentication algorithm.

In IPsec itself, neither the concealment algorithm nor the data integrity authentication algorithm is defined in particular, but only implementation-required algorithms (DES, MD5, SHA-1) are defined.
However, since IPsec itself is designed assuming communication between PCs, the computational load of the implementation-required algorithm is high.
IPsec has not only data concealment and integrity authentication, but also excellent security properties such as prevention of replay attacks.
However, when IPsec is used in LCNA, secure communication can be realized, but concealment and integrity authentication processing are heavy and communication performance is lowered.

  If the algorithm according to the present embodiment is used for IPsec processing, not only the amount of calculation is small, but also concealment and integrity authentication calculation can be performed at one time. Can be processed at high speed.

  The secrecy strength is weaker than the algorithm used in normal IPsec, but it is sufficient as the strength required for communication between LCNAs.

As described above, in the present embodiment, in a non-PC inexpensive device that performs device authentication, data integrity authentication, and data concealment,
A stream HASH calculation unit that can be configured by specifying a key value and a window size, an Adder32 arithmetic logic, and an adder that accumulates and adds the output values of the stream HASH, and the adder is initialized with a value of 0 , A communication system having a falsification detection function for detecting falsification by performing HASH calculation for the entire area where it is desired to detect falsification on the communication path, accumulating HASH values, and using the result as data integrity authentication And a communication device has been described.

  Further, in the present embodiment, by sharing the key value and the window size of the stream HASH, it is possible to perform the same calculation on the transmission side and the reception side, and the communication method and communication apparatus for performing device authentication have been described. .

  Also, in this embodiment, by using the value of the adder, it is possible to perform concealment processing on the transmission side and decryption processing on the reception side simultaneously while performing the falsification detection function and device authentication. Thus, the communication method and the communication apparatus that can perform high-speed processing have been described.

  In addition, it has been described that the confidentiality of the communication method and the communication device according to the present embodiment can be calculated on a desktop for the exhaustive search, and it is possible to examine whether the confidentiality is sufficient by the calculation.

  Further, it has been described that the communication method according to the present embodiment can be used as an IPsec encryption algorithm and a data integrity authentication algorithm.

  In the above description, the window size (6 bytes) and the XOR operation target range (8 bytes) are different from each other. However, the window size and the XOR operation target range may be the same number of bytes.

Embodiment 3 FIG.
In the second embodiment, the concealment is performed up to the size of the authentication value, that is, up to 8 bytes in this example, at the stage when the first process of FIG. 14 is completed.
Therefore, as shown in FIG. 12, the secret calculation is stopped every 1 byte, and after the concealment is performed, the 7-byte sliding is performed only by adding the output HASH value, and the concealment is performed at the 8-byte sliding period. Is possible.
That is, the concealment slides the window every 8 bytes, the calculation of the HASH value slides the window every 1 byte, and the cumulative addition of the HASH values sequentially adds all the calculated HASH values.
This can reduce the amount of calculation.
That is, it corresponds to stopping the expectation of the bit sequence agitation improvement by performing the XOR operation repeatedly.

In the case of this implementation, the FIFO on the decoding side only needs to have entries for CEIL {(window size + authentication value size) / authentication value size}.
Here, CEIL {numerical value} is the closest integer that is greater than or equal to the numerical value. Since the number of entries held in the FIFO is reduced on the decoding side, not only the calculation amount but also the storage capacity is reduced.

  Also in this case, if the XOR with the message is not taken, the data integrity function and the partner authentication function for plaintext are provided without performing the concealment process as in the first embodiment.

Embodiment 4 FIG.
In the second embodiment, the concealment is performed up to the size of the authentication value, that is, up to 8 bytes in this example, at the stage when the first process of FIG. 14 is completed.
Therefore, as shown in FIG. 12, the secret calculation is stopped every 1 byte, only the sliding is performed, and after the concealment is performed, the 7-byte sliding does not add the output HASH value, and the concealment and the cumulative addition are performed by 8 bytes. It is also possible to do with a sliding period.
That is, concealment is performed by sliding the window every 8 bytes, calculation of the HASH value is performed by sliding the window every 1 byte, and cumulative addition of the HASH value is performed every 8 bytes.

Also in this case, the FIFO on the decryption side only needs to have entries corresponding to CEIL {(window size + authentication value size) / authentication value size}.
Here, CEIL {numerical value} is the closest integer that is greater than or equal to the numerical value. Since the number of entries held in the FIFO is reduced on the decoding side, not only the calculation amount but also the storage capacity is reduced.

  Also in this case, if the XOR with the message is not taken, the data integrity function and the partner authentication function for plaintext are provided without performing the concealment process as in the first embodiment.

Embodiment 5 FIG.
Furthermore, from the fourth embodiment, after the concealment is performed, the sliding amount is not performed for 7 bytes, and the calculation amount is conspicuously reduced by calculating, concealing, and accumulatively adding the HASH value in 8 bytes steps to the sliding window. It is also possible to do.
That is, concealment, calculation of HASH value, and cumulative addition of HASH value are all performed every 8 bytes.

In reducing the amount of calculation by the above, it is necessary to pay attention to whether the HASH window size is 8 bytes or more.
When the window size is 8 bytes or more, message integrity can be guaranteed for the entire message even in the above processing.

  However, in the case of 8 bytes or less, since 8 bytes are skipped without performing the HASH sliding, a message close check (8-window size) occurs every 8 bytes.

  In this case, if the XOR with the message is not taken, there is room for tampering with plain text.

  Furthermore, even if concealment processing is performed by XOR with the message, the integrity of the concealed data can no longer be guaranteed, and there is room for it to not be detected when some data is destroyed by a third party Leave. In this case, even if data decryption processing is performed on the receiving side, the data is destroyed, and this can be detected only by semantic interpretation of the data.

  Therefore, in order to reduce the calculation amount, the window size needs to be 8 bytes or more.

  Also in this case, if the XOR with the message is not taken, the data integrity function and the partner authentication function for plain text are provided without performing the concealment process.

  Thus, according to the present embodiment, XOR required for Rabin Fingerprinting, two shifts, one OR, and one addition for accumulating HASH values, or when performing concealment processing, XOR required for this One calculation (all 64-bit calculations) may be performed every 8 bytes, and the scramble process can be performed very lightly.

Embodiment 6 FIG.
In FIG. 16, data is adopted or discarded according to the value of Aflg.
Aflg stores the determination result of whether the authentication value of the received data matches the authentication value recalculated on the receiving side, and if the authentication value of the received data matches the authentication value recalculated on the receiving side Received data is adopted, otherwise it is discarded.

It is also possible to store an operation policy for received data in the case of matching or not matching in advance in a memory or the like, and determine the operation in each case based on the policy. A policy is setting data describing how to handle the received data in each case.
For example, when the authentication value of the received data and the authentication value recalculated on the receiving side do not match, it may be possible to set an operation policy such as registering the received data in the database for analyzing the falsification status.
It is also possible to define an operation policy for each transmission source.
For example, the reception data from the transmission source A is discarded when the authentication values do not match, and the reception data from the transmission source B is registered in the database for analyzing the tampering status when the authentication values do not match. It is possible to set an operation policy.

In the description of the first to sixth embodiments, an example in which a non-PC LCNA is targeted has been described, but the target is not limited to LCNA. For example, as long as the conditions such as the confidentiality strength and the authentication strength are met, the method described in the first to sixth embodiments may be applied to the PC.
When the methods described in the first to sixth embodiments are applied to a PC, the CPU uses the data stored in a RAM (Random Access Memory), a ROM (Read Only Memory), a magnetic disk device, etc. Control unit 2, communication control unit 3, transmission side confidential processing control unit 41, reception side confidential processing control unit 42, HASH calculation unit 43, HASH calculation management unit 411, transmission side confidential communication processing unit 412, HASH calculation management unit 421, The data concealment shown in the first to sixth embodiments is executed by executing a program that realizes the functions of the reception side secret communication processing unit 422, the operation value accumulation addition unit 430, the stream HASH calculation unit 431, and the initial HASH calculation unit 432 Processing and data integrity authentication processing will be performed.

  DESCRIPTION OF SYMBOLS 1 Control apparatus, 2 Equipment control part, 3 Communication control part, 4 Data integrity ensuring means, 41 Transmission side concealment process control part, 42 Reception side concealment process control part, 43 HASH calculation part, 411 HASH calculation management part, 412 Transmission side secret communication processing unit, 421 HASH calculation management unit, 422 Reception side secret communication processing unit, 430 calculation value accumulation addition unit, 431 stream HASH calculation unit, 432 initial HASH calculation unit.

Claims (19)

A one-way operation portion for a one-way operation of the tamper detection target data to be subjected to tampering detection de San rows have unidirectional operation value for each predetermined calculation target data length,
A calculation value accumulating unit for cumulatively adding one direction calculation value calculated by the one-way computation unit,
An authentication value specifying portion which the accumulated value which is cumulatively added by the arithmetic value accumulating unit and the authentication value of the tampering detection target data,
A data processing apparatus comprising: a concealment processing unit configured to conceal the alteration detection target data based on the cumulative addition value cumulatively added by the calculation value cumulative addition unit . The data processing apparatus according to claim 1 , wherein a slide amount in the one-way calculation unit is shorter than the calculation target data length. 3. The process according to claim 1, wherein the concealment processing unit performs the concealment process and the authentication value designation unit performs a process of calculating the authentication value of the alteration detection target data in parallel. The data processing apparatus described. The data processing according to any one of claims 1 to 3, wherein the one-way operation unit sequentially calculates the one-way operation value of the alteration detection target data every time the concealment process is performed. apparatus. The calculated value accumulating unit in turn the calculated one-way operation, the data according to all of the one-way operation value calculated in any one of claims 1-4, characterized that you added cumulatively Processing equipment. The calculation value cumulative addition unit selects and adds two or more from the calculated one-way calculation values in the order calculated by the one-way calculation unit, according to any one of claims 1 to 4. The data processing apparatus described in 1. The data processing apparatus according to claim 1, further comprising a data transmission unit that transmits the tampering detection target data to which the authentication value is added and concealed to a transmission destination apparatus. . Wherein the data processing device according to claim 7, wherein said arithmetic target data length, that the first and the key value used in one direction operation shared with the transmission destination device by the direction calculation unit Data processing equipment.   The data processing apparatus according to claim 1, wherein the one-way operation unit performs a stream hash operation as the one-way operation. A data reception unit that receives an authentication value used for falsification detection of the falsification detection target data, and falsification detection target data that is subject to falsification detection after being concealed ;
A one-way operation portion to leave calculate the one-way operation value had line a one-way operation on each prescribed operation target data length of the tamper detection target data,
A calculation value accumulating unit for cumulatively adding one direction calculation value calculated by the one-way computation unit,
A collation unit for collating the accumulated value which is cumulatively added by the arithmetic value accumulating unit, an authentication value received by the data receiving unit,
A data processing apparatus comprising: a decoding processing unit that performs a decoding process on the alteration detection target data based on the cumulative addition value cumulatively added by the calculation value cumulative addition unit . The data processing apparatus according to claim 10 , wherein a slide amount in the one-way calculation unit is shorter than the calculation target data length. The calculated value accumulating unit, the one-way operation sequentially calculated by the data processing apparatus according to any of the one-way operation value calculated in claim 10 or 11, characterized that you added cumulatively. Claim 10, wherein the matching unit is performed in parallel with processing to be matched with the authentication value the falsification detection target data, a process of the decoding unit performs decoding processing of the falsification detection target data, the The data processing apparatus in any one of -12 . Further comprising a FIFO storage section for storing the first-in first-out the accumulated value,
The decoding processing unit, by using the cumulative addition value retrieved from the FIFO storage unit, performs decrypt process,
The one direction calculation unit calculates a new way calculated value of the tampering detection target data which is not decrypt,
The calculated value accumulating unit is configured and a new one-way operation values, outputting the new accumulated value obtained by accumulating the said accumulated value that is calculated so far before Symbol FIFO storage unit The data processing device according to claim 10, wherein the data processing device is a data processing device. The one direction calculating unit, every time the decoding process is performed, a sequential data processing apparatus according to any one of claims 10 to 14, characterized in that to calculate the one-way operation value of the tampering detection target data . The FIFO storage unit has a plurality of storage stages.
Before SL unidirectional operation unit, before the start of the decoding process by the decoding unit, it calculates a plurality of said one-way operation value,
The calculated value accumulating unit outputs a plurality of cumulative addition value obtained by accumulating the time the previous SL unidirectional operation value is calculated for the FIFO storage unit,
15. The data processing apparatus according to claim 14 , wherein the decoding processing unit starts decoding processing when a cumulative addition value of the number of storage stages is stored in the FIFO storage unit. The one-way operation unit performs a one-way operation on an operation target data length of n bytes (n is an integer of 2 or more) for the tampering detection target data, and one m byte (m is an integer of 2 or more). Calculate the direction calculation value,
The data processing apparatus according to claim 16 , wherein the FIFO storage unit has n × m stages of storage stages. The data processing apparatus shares the calculation target data length and the key value used for the first one-way calculation by the one-way calculation unit with the transmission source apparatus of the alteration detection target data. The data processing apparatus according to claim 10 . The one-way operation unit is
As a one-way operation, claim and performs stream hash operation 10 to 18
A data processing apparatus according to any one of the above.