JPH11331151A - System and method for cryptographic communication - Google Patents

System and method for cryptographic communication

Info

Publication number
JPH11331151A
Authority
JP
Japan
Prior art keywords
encryption
communication
encryption device
terminal
device
Prior art date
Legal status
Granted
Application number
JP12849698A
Other languages
Japanese (ja)
Inventor
Shinobu Atozawa
Toru Inada
Norimitsu Nagashima
Akira Watanabe
忍 後沢
規充 永島
晃 渡邊
徹 稲田
Original Assignee
Mitsubishi Electric Corp
三菱電機株式会社
Priority date
Filing date
Publication date

Abstract

PROBLEM TO BE SOLVED: To provide a cryptographic key specifying method capable of simplifying the processing of a key search packet and reducing overhead at the time of cryptographic communication, by having only the enciphering devices on the transmitting and receiving sides process the key search packet when specifying the cryptographic key with which an enciphering device enciphers communication data. SOLUTION: This cryptographic communication system consists of enciphering devices 1, 2 and 5 and terminals A and C for transmitting/receiving data. The enciphering device 1 and the terminal A belong to virtual private networks (VPN) 1 (9) and 2 (10), the enciphering device 5 and the terminal C belong to VPN 2, and the enciphering device 2 belongs to VPN 1. Each enciphering device holds the key of the VPN to which it belongs. The key search packet is exchanged between the enciphering devices 1 and 5, and the enciphering device 2 relays the key search packet without processing it.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a cryptographic communication system and a cryptographic communication method for maintaining the secrecy of data in a computer network, and more particularly to a cryptographic communication system and a cryptographic communication method in which an encryption device determines the processing method of communication data for performing cryptographic communication.

[0002]

2. Description of the Related Art With the spread of computer networks in recent years, interest in communication data encryption technology for maintaining the confidentiality of data on a network has increased. As a method of performing cryptographic communication between terminals, Japanese Patent Application No. Hei 9-357491 describes a method in which encryption key information identifying the encryption key of each encryption device on the communication path between the terminals is collected using an encryption key search packet (FIG. 17), encryption key information is automatically registered in an encryption key table as shown in FIG. 16 based on the collected information, and each encryption device encrypts, decrypts, or relays in plaintext the communication data between the terminals. FIG. is an example of a network to which the encryption devices are connected. In the figure, encryption devices 1 to 5 are encryption devices that perform encryption processing of communication data, and terminals A to C are terminals that perform data communication. In this network configuration, an encryption key 1 (KEY1) is delivered in advance to the encryption devices 2 and 4, and an encryption key 2 (KEY2) is delivered in advance to the encryption devices 1, 3, and 5, so that VPN 1 and VPN 2 are built. Here, in a VPN (Virtual Private Network), the communication terminals can communicate as a virtual private network by using the same encryption key. The operation by which each encryption device determines the processing method of communication data when terminal A transmits communication data to terminal C is described below. The encryption device 1, having received the communication data from terminal A, holds the communication data, sets the encryption key information (key ID2) identifying its own encryption key (KEY2) in the key search packet as local port encryption key information, and transmits the packet to terminal C. The encryption device 2 receives the key search packet transmitted from the encryption device 1, adds its own encryption key information (key ID1) to the local port encryption key information of the key search packet, and relays it. The encryption device 5 receives the key search packet relayed by the encryption device 2, adds its own encryption key information (key ID2) to the public port encryption key information of the key search packet, and relays it. The terminal C receives the key search packet relayed by the encryption device 5. In the key search packet received by terminal C, key ID2 (encryption device 1) and key ID1 (encryption device 2) are set as local port encryption key information, and key ID2 (encryption device 5) is set as public port encryption key information. Next, terminal C transmits a response packet having the same contents as the received key search packet to the encryption device 1. The encryption device 5 receives the response packet transmitted from terminal C and confirms that the local port encryption key information contains the same encryption key information (key ID2 of the encryption device 1) as its own encryption key information (key ID2). Based on this confirmation, it determines that the communication data between terminals A and C is to be encrypted/decrypted with KEY2, and relays the response packet as it is. The encryption device 2 receives the response packet relayed by the encryption device 5 and confirms that its own encryption key information (key ID1) does not exist in the public port encryption key information of the response packet. It recognizes that the communication data between terminals A and C is encrypted with the encryption key KEY2 by the encryption devices 1 and 5, decides to relay the data between them in plaintext, and relays the response packet as it is. The encryption device 1 receives the response packet relayed by the encryption device 2 and confirms that the public port encryption key information of the response packet contains the same encryption key information (key ID2 of the encryption device 5) as its own encryption key information (key ID2). Based on this confirmation, it decides to encrypt/decrypt the communication data between terminals A and C with KEY2.

[0003]

In the above-mentioned method, all the encryption devices on the relay path add their own encryption key information (key ID) to the encryption key search packet and relay it. An encryption device receiving the response packet searches the encryption key information added by the other encryption devices on the relay path for information paired with the information it added itself, and the processing method of the encryption device (encryption, decryption, plaintext relay, and so on) is determined accordingly. In this method, since the key search packet is processed by every encryption device on the relay path, the same processing is repeated as many times as there are encryption devices, which is redundant and causes overhead. The present invention has been made to solve this problem; its purpose is to reduce the processing load of the encryption key search in the encryption devices in the middle of the relay route, speed up the processing, and thereby reduce the overhead of the encryption key search.

[0004]

A cryptographic communication system according to a first aspect of the present invention is a cryptographic communication system in which a plurality of communication groups perform cryptographic communication using a different encryption method for each communication group, comprising a first terminal, a second terminal, and a first encryption device and a second encryption device on a communication path between the first terminal and the second terminal, wherein the first encryption device transmits communication group specifying data specifying all the communication groups to which it belongs, and the second encryption device determines a processing method for the communication data between the first terminal and the second terminal based on the communication group specifying data transmitted from the first encryption device and the communication group to which the second encryption device belongs.

A cryptographic communication system according to a second invention is a cryptographic communication system in which first and second communication groups perform cryptographic communication using mutually different encryption methods, comprising a first terminal and a first encryption device belonging to the first and second communication groups, and a second terminal and a second encryption device belonging to the second communication group, wherein the first encryption device transmits communication group identification data identifying the first and second communication groups to which it belongs, the second encryption device determines an encryption processing method for communication data transmitted from the first terminal based on the communication group identification data transmitted from the first encryption device and the communication group to which the second encryption device belongs, and the first encryption device and the second encryption device apply encryption processing to the communication data transmitted from the first terminal to the second terminal based on the encryption processing method determined by the second encryption device.

A cryptographic communication system according to a third aspect of the present invention is a cryptographic communication system in which first and second communication groups perform cryptographic communication using mutually different encryption methods, comprising a first terminal and a first encryption device belonging to the first and second communication groups, and a second terminal and a second encryption device belonging to the second communication group, wherein the first encryption device transmits first communication group specifying data specifying the first and second communication groups to which it belongs, the second encryption device transmits second communication group specifying data specifying the second communication group to which it belongs, the second encryption device determines an encryption processing method for communication data transmitted from the first terminal based on the first communication group specifying data transmitted from the first encryption device and the communication group to which the second encryption device belongs, the first encryption device determines an encryption processing method for communication data transmitted from the first terminal based on the second communication group specifying data transmitted from the second encryption device and the communication group to which the first encryption device belongs, the first encryption device applies encryption processing to the communication data transmitted from the first terminal based on the encryption processing method it determined and transmits the data to the second encryption device, and the second encryption device applies encryption processing to the communication data transmitted from the first encryption device based on the encryption processing method it determined and transmits the data to the second terminal.

A cryptographic communication system according to a fourth invention is the cryptographic communication system according to the second invention, wherein the communication group specifying data is first encryption key specifying data specifying the encryption key used in the first communication group to which the first encryption device belongs and the encryption key used in the second communication group, the second encryption device holds second encryption key specifying data specifying the encryption key used in the second communication group to which it belongs, and the second encryption device compares the first encryption key specifying data transmitted from the first encryption device with its own second encryption key specifying data and determines to encrypt the communication data transmitted from the first terminal using the matching encryption key.

An encryption communication system according to a fifth invention is the encryption communication system according to the third invention, wherein the first communication group specifying data is first encryption key specifying data specifying the encryption key used in the first communication group to which the first encryption device belongs and the encryption key used in the second communication group, the second communication group specifying data is second encryption key specifying data specifying the encryption key used in the second communication group to which the second encryption device belongs, the first encryption device compares the second encryption key specifying data transmitted from the second encryption device with its own first encryption key specifying data and determines to encrypt the communication data transmitted from the first terminal using the matching encryption key, and the second encryption device compares the first encryption key specifying data transmitted from the first encryption device with its own second encryption key specifying data and determines to encrypt the communication data transmitted from the first terminal using the matching encryption key.

An encryption communication system according to a sixth invention is the encryption communication system according to the first, second, or fourth invention, wherein the first encryption device has first storage means for storing the processing method of the communication data, the second encryption device has second storage means for storing the processing method of the communication data, and the first encryption device transmits the communication group specifying data when the processing method of the communication data is not stored in one of the first storage means and the second storage means.

An encryption communication system according to a seventh invention is the encryption communication system according to the first, second, third, fourth, fifth or sixth invention, wherein the first encryption device has a first public port and a first local port, the second encryption device has a second public port and a second local port, and the first encryption device and the second encryption device process the communication data based on whether the port that received the data is the public port or the local port.

An encryption communication method according to an eighth invention is an encryption communication method in which first and second communication groups perform encryption communication using different encryption methods, comprising: a step in which a first encryption device transmits communication group specifying data specifying the first and second communication groups to which it belongs; a step in which a second encryption device determines an encryption processing method for communication data transmitted from a first terminal belonging to the first and second communication groups, based on the communication group specifying data transmitted from the first encryption device and the second communication group to which the second encryption device belongs; and a step in which the first encryption device and the second encryption device apply encryption processing to the communication data transmitted from the first terminal based on the encryption processing method determined by the second encryption device and transmit it to a second terminal belonging to the second communication group.

[0005]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiment 1. FIG. 1 is a network configuration diagram according to the first embodiment. Reference numerals 1 to 5 denote encryption devices 1 to 5, and 6 to 8 denote terminals A, B and C, respectively. In the figure, the encryption key (KEY1) used in VPN1 (virtual private network) (9) has been delivered in advance to all the encryption devices belonging to VPN1 (9). Similarly, the encryption key (KEY2) used in VPN2 (10) has been delivered in advance to all the encryption devices belonging to VPN2 (10). That is, the encryption devices 1 and 3 hold KEY1 and KEY2, the encryption devices 2 and 4 hold KEY1, and the encryption device 5 holds KEY2.
FIG. 2 is a configuration diagram of an encryption device and of a key search packet that constitute a cryptographic communication system according to the present invention. In FIG. 2, reference numeral 13 denotes an encryption/decryption unit that encrypts and decrypts communication data, 14 denotes a transparent relay unit that relays communication data transparently, 15 denotes a discard unit that discards communication data, and 16 denotes an encryption key table holding the processing method of communication data. The communication data processing methods are encryption/decryption, transparent relay and discard. Reference numeral 17 denotes an automatic learning processing unit that searches for a key when the encryption key between the communicating parties is unknown, 11 denotes a public port, and 19 denotes a local port. The encryption device determines whether to encrypt or decrypt communication data depending on the type of port that received it: communication data received from the public port 11 is decrypted and transmitted to the local port 19, and communication data received from the local port 19 is encrypted and transmitted to the public port 11. Reference numerals 12 and 18 denote transmission/reception processing units that perform reception and transmission of communication data, 20 denotes a memory, and 25 is a configuration diagram of a key search packet.

Next, the operation for determining the encryption key used for communication between terminals A and C, in order to transmit data from terminal A to terminal C, will be described with reference to FIGS. 3 to 9. FIG. 3 is a communication sequence, and FIGS. 4 to 9 are operation flowcharts of each encryption device. First, communication data 31 addressed to terminal C is transmitted from terminal A. The encryption device 1, which receives it at the local port, checks whether the processing method for this terminal pair, that is, for communication data between terminals A and C, is registered in the encryption key table 16 (step 4-1). If it is registered, the communication data is processed according to the registered contents (step 4-3). Since it is not registered in this embodiment, the communication data is stored in the memory 20, the encryption key information (key ID1, key ID2) specifying the device's own encryption keys (KEY1, KEY2) is set in the local port encryption key information of a key search packet 32, and the key search packet 32 is transmitted to terminal C, the destination of the communication data (step 4-2). The encryption key information (key IDs 1 and 2) is registered in the memory 20 of the encryption device. The encryption device 2 receives the key search packet 32 transmitted from the encryption device 1 at the local port. The encryption device 2 is set in advance so that a key search packet received at the local port is transparently relayed as it is, and it transparently relays the received key search packet according to that setting (step 5-1). That is, the encryption device processes the key search packet based on the type of port that received it. The encryption device 5 receives the key search packet 33 transparently relayed by the encryption device 2 at the public port. The encryption device 5 is set in advance so that a key search packet received at the public port is transparently relayed as it is, and it transparently relays the received key search packet according to that setting (step 6-1). The terminal C receives the key search packet 34 transparently relayed by the encryption device 5, swaps the source and destination of the received key search packet 34, and generates a key search response packet 35. This key search response packet 35, which has the same contents as the key search packet 34, is transmitted to the encryption device 1, the transmission source.

The encryption device 5 receives the key search response packet 35 transmitted from terminal C at the local port. It checks whether encryption key information is set in the public port encryption key information of the key search response packet 35, that is, whether it is the first encryption device to receive the key search response packet transmitted from terminal C (step 7-1). In the present embodiment there is no public port encryption key information, so it is determined that this encryption device has received the key search response packet first. The encryption device that receives the key search response packet first sets its own encryption key information (key ID) as the public port encryption key information (step 7-2) and checks whether the local port encryption key information contains an entry that matches its own encryption key information (step 7-4). In the present embodiment, since key ID2 matches, the communication of this terminal pair is determined to be encrypted with the matching encryption key KEY2, and the matching encryption key information (key ID2) and the addresses of the terminal pair A, C are set in the encryption key table (step 7-5). If nothing matches, the processing of the communication data is determined as discard and registered in the encryption key table (step 7-6). After the communication data processing method is determined, the determined processing content is set in the key search response packet (step 7-7), and the key search response packet is relayed (step 7-8). Next, the encryption device 2 receives the key search response packet 36 relayed by the encryption device 5 at the public port. It checks whether this packet is addressed to itself (step 8-1). Since it is not, the processing of communication data between the terminal pair A and C contained in the packet is determined as transparent relay and registered in the encryption key table (step 8-2). The key search response packet is then transparently relayed as it is (step 8-8). The encryption device 1 receives the key search response packet 37 relayed by the encryption device 2 at the public port and confirms that this packet is addressed to itself (step 8-1). Since matching encryption key information (key ID2) is set in both the public port encryption key information and the local port encryption key information of the packet, it determines that the communication data between the terminal pair A and C is to be encrypted with the matching encryption key (KEY2), and sets the addresses of the terminal pair A and C and the encryption key information (key ID2) in the encryption key table 16 (step 8-4). Subsequently, it encrypts the held communication data with the encryption key (KEY2) indicated by the set encryption key information (key ID2) and transmits it (step 8-6). If no matching encryption key information is set in the public port encryption key information and the local port encryption key information of the key search response packet, the processing of the communication data is determined as discard, and the addresses of the terminal pair and this processing method are set in the encryption key table (step 8-5); the held communication data is then discarded according to the determined processing method (step 8-7). The encryption device 2 receives the encrypted communication data 39 transmitted from the encryption device 1 at the local port. Since communication data between terminals A and C is registered as transparent relay, it relays the communication data transparently as it is. The encryption device 5 receives the encrypted communication data 39 transparently relayed by the encryption device 2 at the public port. It checks whether the terminal pair A, C of this communication data is registered in the encryption key table 16 (step 9-1); since it is registered, the communication data is decrypted according to the encryption key table (step 9-2). If the terminal pair A, C is not registered, the communication data is discarded (step 9-3).

The encryption key information constitutes communication group identification information for identifying the communication group, and the encryption key table constitutes storage means for storing the processing method of communication data. As described above, when the encryption processing between communication terminals is determined using a key search packet, the encryption key used in a VPN is delivered in advance to all the encryption devices belonging to the VPN, and only the encryption device that first receives the communication data from the communication terminal (encryption device 1) and the encryption device that first receives the response (encryption device 5) add encryption key information to the key search packet in order to obtain the encryption key of the communication partner; the other encryption devices relay the packet without adding encryption key information. Therefore, the processing load up to the determination of the encryption key can be reduced when many encryption devices exist on the relay route, and the overhead at the start of cryptographic communication can be reduced. Note that the encryption key information (key ID) conveys not the encryption key itself but data associated with the encryption key, such as a corresponding index value in a table. Further, not only different encryption keys but also different encryption algorithms may be used as the encryption method of each VPN. The encryption method may be public key or symmetric key encryption. Also, the encryption device that transmits the packet need not be the one closest to the communication terminal. This is the same in the following embodiments. In the present embodiment, the encryption device 1 determines the processing method of the communication data according to the encryption key information of the key search response packet.
However, the encryption device 1 may instead determine the processing method from the processing method of the communication data that the encryption device 5 set in the key search response packet. In that case, the encryption key information of the encryption device 5 need not be set in the key search response packet, and the processing method of the communication data can be determined faster. This is the same in the second embodiment. The processing method of communication data may also not be registered in the table, with the encryption key determined using a packet for each communication. This makes it easy to change the processing method of communication data between terminals, increasing the flexibility of system construction. Also, this does not prohibit processing other than the addition of key information during the transparent relay of packets performed by the encryption devices 2 and 5. These points are the same in the second embodiment.

Embodiment 2. In the present embodiment, a case where communication data is transmitted from terminal A to terminal B will be described. The communication system is the same as that in FIG. 1, so its description is omitted. Since the configuration of the encryption device is as described with reference to FIG. 2, its description is also omitted. Each of the encryption devices 1 and 3 holds, for the communication groups to which it belongs, the encryption keys KEY1 and KEY2 of VPN1 and VPN2 and the encryption key information key ID1 and key ID2 identifying those keys; it can encrypt/decrypt with either KEY1 or KEY2, but when both encryption keys match it encrypts/decrypts with KEY2. Each of the encryption devices 2 and 4 holds KEY1, the encryption key of VPN1, which is the communication group to which it belongs, and key ID1 as its encryption key information, and encrypts/decrypts communication data only with KEY1. As described above, each encryption device performs encryption/decryption using only one encryption processing method. The operation will be described with reference to FIGS. 4 to 6, 1. These figures show the operation flow of the encryption device. First, communication data addressed to terminal B is transmitted from terminal A. The encryption device 1, which receives it at the local port, checks whether the processing method for communication data between terminals A and B is registered in the encryption key table 16 (step 4-1). If it is registered, the communication data is processed according to the registered contents (step 4-3). In the present embodiment it is not registered, so the communication data is stored in the memory 20, the encryption key information (key IDs 1 and 2) registered in the memory 20 of the encryption device is set as the local port encryption key information, and the key search packet is transmitted to terminal B, the destination of the communication data (step 4-2). The encryption device 2 receives the key search packet transmitted from the encryption device 1 at the local port. The encryption device 2 is set in advance so that a key search packet received at the local port is transparently relayed as it is, and it transparently relays the received key search packet according to that setting (step 5-1). The encryption device 4 receives the key search packet transparently relayed by the encryption device 2 at the public port. The encryption device 4 is set in advance so that a key search packet received at the public port is transparently relayed as it is, and it transparently relays the received key search packet according to that setting (step 6-1). The encryption device 3 receives the key search packet transparently relayed by the encryption device 4 at the public port. The encryption device 3 is set in advance so that a key search packet received at the public port is transparently relayed as it is, and it transparently relays the received key search packet according to that setting (step 6-1). The terminal B receives the key search packet transparently relayed by the encryption device 3, swaps the source and destination of the received key search packet, and generates a key search response packet. This key search response packet, which has the same contents as the key search packet, is transmitted to the encryption device 1, the transmission source. The encryption device 3 receives the key search response packet transmitted from terminal B at the local port. It checks whether encryption key information is set in the public port encryption key information of the key search response packet, that is, whether it is the first encryption device to receive the key search response packet transmitted from terminal B (step 11-1). In the present embodiment there is no public port encryption key information, so it is determined that this encryption device has received the key search response packet first. The encryption device that receives the key search response packet first sets its own encryption key information (key ID1 and key ID2) as the public port encryption key information (step 11-2) and checks whether the local port encryption key information contains entries that match the encryption key information it holds (step 11-4). In the present embodiment, since key ID1 and key ID2 both match, it is determined that the communication of this terminal pair is encrypted with the matching encryption keys KEY1 and KEY2. Since the encryption device 3 performs encryption processing only with KEY2 in this case, it sets in the encryption key table that the communication data between terminals A and B is to be encrypted with KEY2, chosen from the matched encryption keys KEY1 and KEY2 (step 11-5). If no encryption key information matches, the processing of the communication data is determined as discard and registered in the encryption key table (step 11-6).
The encryption device 3
After determining the processing method of the communication data, as the determined processing content, a process of encrypting with the encryption keys KEY1 and KEY2 is set in the key search response packet (step 11-7), and the key search response packet is relayed (step 11-7). Step 11-8). Next, the encryption device 4 receives the key search response packet relayed by the encryption device 3 at the local port. It is checked whether or not encryption key information is set in the public port encryption key information of the key search response packet, and it is checked whether the encryption device is the first encryption device to receive the key search response packet transmitted from the terminal B (step 11-). 1). In the present embodiment, the public port encryption key information has already been set, and this is not the encryption device that first received the key search response packet. Next, from the communication data processing information of the key search response packet, it is confirmed that the communication data is encrypted by KEY1 and KEY2, and the processing of the communication data between the terminals A and B included in the packet is encrypted by KEY1 which is owned by itself. Determined to be processed and registered in encryption key table (step 11-3)
I do. Subsequently, the key search response packet is transparently relayed as it is (step 11-8). Next, the encryption device 2 receives the key search response packet relayed by the encryption device 3 at the public port. Make sure this packet is not addressed to you. Next, from the communication data processing information of the key search response packet, it is confirmed that the communication data is encrypted by KEY1 and KEY2, and the processing of the communication data between the terminals A and B included in the packet is encrypted by KEY1 which is included in the packet. Determined to be processed and registered in encryption key table (step 1
2-2). Subsequently, the key search response packet is transparently relayed as it is (step 12-8). The encryption device 1 receives the key search response packet relayed by the encryption device 2 from the public port, and checks that the packet is addressed to itself (step 12-1). Since the matching encryption key information (key ID1 and key ID2) is set in the public port encryption key information and the local port encryption key information in the packet, the communication data between the terminals A and B is compared with the matching encryption key. Among them, it is determined that encryption processing is to be performed by KEY2, and encryption data is set to be encrypted by KEY2 in the encryption key table 16 (step 12-).
4) Yes. Subsequently, the held communication data is encrypted with the encryption key (KEY2) according to the setting and transmitted (step 12-6). If the matching encryption key information is not set in the public port encryption key information and the local port encryption key information in the key search response packet, the processing of the communication data is discarded, and the address of the terminal pair and the communication data Is set in the encryption key table (step 12-5). The held communication data is discarded according to the determined processing method (step 12-7). The encryption device 2 receives the encrypted communication data transmitted from the encryption device 1 from the local port. Communication data from terminal A to terminal B is K
Since it is registered to be encrypted in EY1, the communication data is encrypted in KEY1 and relayed. The encryption device 3 receives the encrypted communication data relayed by the encryption device 2 from the public port. Terminal A to Terminal B
Is registered to be decrypted by KEY1, so the communication data is decrypted by KEY1 and relayed. The encryption device 4 receives the encrypted communication data relayed by the encryption device 3 from the public port. The destination terminal pair A and B of the communication data are stored in the encryption key table 16.
Is checked (step 9-1), and since it is registered, the communication data is decrypted using KEY2 according to the encryption key table (step 9-2). If the destination terminal pairs A and B are not registered in the encryption key table 16, the communication data is discarded (step 9-3). As described above, when the encryption process between the communication terminals is determined using the key search packet, the encryption key information for specifying the encryption key to be used in the VPN is delivered to all the encryption devices belonging to the VPN in advance, The encryption device that first receives the communication data of the communication terminal adds the encryption key information to the key search packet, and the other encryption devices on the relay path relay without adding the encryption key information. This makes it possible to reduce the processing load up to the determination of the encryption key when a large number of encryption devices exist on the relay path, and to reduce the overhead at the start of the encryption communication. Embodiment 3 FIG. In the present embodiment, a case will be described in which there is only one encryption device on the communication path and the same encryption device transmits and receives the key search packet. FIG. 10 is a network configuration diagram according to the present embodiment. 1 to 10
Are the same or equivalent parts of the configuration in FIG. 1 and the description is omitted. Reference numeral 21 denotes a communication terminal D. Terminal B in FIG.
The operation when the terminal D and the terminal D communicate is shown in FIGS.
14 will be described. Each drawing is a flowchart of the encryption device according to the second embodiment. The basic configuration of the key search packet and the key search response packet is the same as in the first embodiment, and the description is omitted. Communication permission is registered in the encryption device 3 in advance as a communication mode for specifying a method of processing communication data between the terminals B and D. The encryption device 3 that has received the communication data addressed to the terminal D from the terminal B at the local port,
It is checked whether the terminal pair is registered in the encryption key table (step 4-1). Since it is not registered in the encryption key table 16, the communication data is held, and a key search packet in which its own encryption key information is set as the local port encryption key information is transmitted to the terminal D (step 4-3). The terminal D that has received the key search packet transmitted from the encryption device 3 transmits a key search response packet having the same content as the key search packet to the encryption device 3. The encryption device 3 receives this key search response packet at the public port. The encryption device 3 first checks whether the packet is addressed to itself (step 13-1). Since the packet is addressed to itself, it is checked whether key information matching the local port encryption key information and the public port encryption key information in the packet is set (step 13-4). Since the public port encryption key information is not set and does not match, the communication mode of the encryption device is checked (step 13-6). If the communication mode is set to allow communication, transparent relay is set in the encryption key table (step 13-8). If the communication mode is set to disable communication, discard is set in the encryption key table (step 13-).
7) Then, the held communication data is processed based on the encryption key table. In the present embodiment, since the communication mode is the communication permission, the communication data is transparently relayed. The above is an example of a case where communication data is first transmitted from the terminal B, but an operation when the communication data is transmitted from the terminal D will be described. The encryption device 3 that has received the communication data from the terminal D through the public port checks whether the terminal pair D and B are registered in the encryption key table (step 14-).
1) Since it is not registered, the communication mode of the encryption device is checked (step 14-2). When the communication mode is set to the communication permission, the communication data is transparently relayed (step 1).
4-5) If the communication mode is communication disabled, the communication data is discarded (step 14-4). In this embodiment, since the communication mode is set to the communication permission, the communication data is transparently relayed (step 14-5). As described above, in the communication between the terminals belonging to the VPN, when the encryption device cannot determine the encryption key, the process is performed based on the communication mode set in the encryption device, so that the encryption and decryption are performed in the key search. It is possible to cope with a case where a pair of encryption devices is not found.
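As an added example that is not part of the patent, the following Python model carries the key search packet and its response along a chain of encryption devices as in Embodiments 2 and 3 and fills each device's encryption key table, covering the matched, no-match and communication-mode cases; the chain layout, port orientation, per-device key preference and the stack model of nested encryption are assumptions made here.

```python
"""Added example, not from the patent: a model of the key search exchange of
Embodiments 2 and 3. The chain layout, port orientation, the per-device key
preference and the stack model of nested encryption are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

PERMIT, DENY = "permit", "deny"          # communication modes of Embodiment 3

@dataclass
class KeySearchPacket:
    src: str
    dst: str
    pair: tuple                                   # (sending terminal, receiving terminal)
    local_key_ids: frozenset                      # local port encryption key information
    public_key_ids: Optional[frozenset] = None    # public port encryption key information
    processing: Optional[frozenset] = None        # matched key IDs; an empty set means discard

@dataclass
class EncryptionDevice:
    name: str
    keys: dict                  # key ID -> key name held by this device, e.g. {1: "KEY1"}
    preference: list            # key IDs in the order the device prefers to use them (assumed)
    local_faces_left: bool      # True if the local port faces the left end of the chain
    mode: str = DENY
    table: dict = field(default_factory=dict)   # encryption key table: pair -> (action, key)

    def receives_on_local(self, left_to_right: bool) -> bool:
        return self.local_faces_left == left_to_right

    def pick_key(self, matched: frozenset) -> Optional[str]:
        return next((self.keys[k] for k in self.preference if k in matched), None)

    def decide(self, pkt: KeySearchPacket, on_local: bool) -> None:
        """Handle a key search response packet (steps 11-x, 12-x, 13-x) and fill the table."""
        initiator = pkt.dst == self.name                    # steps 12-1 / 13-1
        if not initiator and on_local and pkt.public_key_ids is None:   # step 11-1
            pkt.public_key_ids = frozenset(self.keys)       # step 11-2
            pkt.processing = pkt.local_key_ids & pkt.public_key_ids   # steps 11-4 .. 11-7
        matched = pkt.processing
        if matched:                                         # steps 11-5 / 11-3 / 12-4
            key = self.pick_key(matched)
            # the side whose local port faces the sender encrypts and the far side decrypts;
            # a device holding none of the matched keys passes the data through (assumed)
            action = "relay" if key is None else ("encrypt" if self.local_faces_left else "decrypt")
            self.table[pkt.pair] = (action, key)
        elif initiator and pkt.public_key_ids is None:      # no peer device answered: steps 13-6 .. 13-8
            self.table[pkt.pair] = ("relay" if self.mode == PERMIT else "discard", None)
        else:                                               # steps 11-6 / 12-5
            self.table[pkt.pair] = ("discard", None)

def run_key_search(devices: list, left: str, right: str) -> KeySearchPacket:
    """Terminal `left` sends to `right`; `devices` are listed from left to right."""
    initiator = devices[0]                      # first device to see the data (steps 4-1, 4-2)
    pkt = KeySearchPacket(src=initiator.name, dst=right, pair=(left, right),
                          local_key_ids=frozenset(initiator.keys))
    # forward pass (steps 5-1, 6-1): the other devices relay the packet transparently, then
    # terminal `right` swaps source and destination and answers with the same contents
    pkt.src, pkt.dst = right, pkt.src
    for dev in reversed(devices):
        dev.decide(pkt, dev.receives_on_local(left_to_right=False))
    return pkt

def send_data(devices: list, src: str, dst: str, plaintext: str):
    """Carry one datagram left to right; returns the delivered plaintext or None if discarded."""
    layers = [plaintext]                        # ciphertext modelled as a stack of key names
    for dev in devices:
        entry = dev.table.get((src, dst))
        if entry is None:                       # unknown pair: steps 9-3 / 14-2 .. 14-5
            if dev.mode != PERMIT:
                return None
            continue
        action, key = entry
        if action == "discard":
            return None
        if action == "encrypt":
            layers.append(key)
        elif action == "decrypt":
            if layers[-1] != key:
                raise ValueError(f"{dev.name}: outer layer {layers[-1]} is not {key}")
            layers.pop()
    return layers[0] if len(layers) == 1 else layers

def embodiment2():
    """Constructed chain A - dev1 - dev2 - (public network) - dev4 - dev3 - B."""
    chain = [EncryptionDevice("dev1", {1: "KEY1", 2: "KEY2"}, [2, 1], True),
             EncryptionDevice("dev2", {1: "KEY1"}, [1], True),
             EncryptionDevice("dev4", {1: "KEY1"}, [1], False),
             EncryptionDevice("dev3", {1: "KEY1", 2: "KEY2"}, [2, 1], False)]
    run_key_search(chain, "A", "B")
    return {d.name: d.table[("A", "B")] for d in chain}, send_data(chain, "A", "B", "hello")

def embodiment3(mode: str):
    """Single device dev3 between terminals B and D (FIG. 10) with the given communication mode."""
    dev3 = EncryptionDevice("dev3", {1: "KEY1", 2: "KEY2"}, [2, 1], True, mode=mode)
    run_key_search([dev3], "B", "D")
    return dev3.table[("B", "D")], send_data([dev3], "B", "D", "hello"), send_data([dev3], "D", "B", "hi")
```

Running `embodiment2()` shows the nested KEY2/KEY1 layering being applied and removed in order, and `embodiment3(DENY)` shows the same single device discarding both directions when no peer answers.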

[0006]

The cryptographic communication system according to the first invention is a cryptographic communication system in which a plurality of communication groups perform cryptographic communication using a different encryption method for each communication group, and comprises a first terminal, a second terminal, and a first encryption device and a second encryption device on the communication path between the first terminal and the second terminal. The first encryption device transmits communication group identification data that identifies all the communication groups to which it belongs, and the second encryption device determines the processing method of the communication data between the first terminal and the second terminal based on the communication group identification data transmitted from the first encryption device and the communication group to which the second encryption device belongs. The processing load up to the determination of the processing method of the communication data can therefore be reduced, and the overhead at the start of encrypted communication can be reduced.

The cryptographic communication system according to the second invention is a cryptographic communication system in which first and second communication groups perform cryptographic communication using mutually different encryption methods, and comprises a first terminal and a first encryption device belonging to the first and second communication groups, and a second terminal and a second encryption device belonging to the second communication group. The first encryption device transmits communication group identification data that identifies the first and second communication groups to which it belongs; the second encryption device determines the encryption processing method for communication data transmitted from the first terminal based on the communication group identification data transmitted from the first encryption device and the communication group to which the second encryption device belongs; and the first encryption device and the second encryption device encrypt the communication data transmitted from the first terminal based on the encryption processing method determined by the second encryption device and transmit it to the second terminal. The processing load up to the determination of the processing method of the communication data can therefore be reduced, and the overhead at the start of encrypted communication can be reduced.

The cryptographic communication system according to the third invention is a cryptographic communication system in which first and second communication groups perform cryptographic communication using mutually different encryption methods, and comprises a first terminal and a first encryption device belonging to the first and second communication groups, and a second terminal and a second encryption device belonging to the second communication group. The first encryption device transmits first communication group identification data that identifies the first and second communication groups to which it belongs, and the second encryption device transmits second communication group identification data that identifies the second communication group to which it belongs. The second encryption device determines an encryption processing method for communication data transmitted from the first terminal based on the first communication group identification data transmitted from the first encryption device and the communication group to which the second encryption device belongs, and the first encryption device determines an encryption processing method for communication data transmitted from the first terminal based on the second communication group identification data transmitted from the second encryption device and the communication group to which the first encryption device belongs. The first encryption device encrypts the communication data transmitted from the first terminal based on the encryption processing method it determined and transmits it to the second encryption device, and the second encryption device encrypts the communication data transmitted from the first encryption device based on the encryption processing method it determined and transmits it to the second terminal. The processing load up to the determination of the processing method of the communication data can therefore be reduced, and the overhead at the start of encrypted communication can be reduced.

The cryptographic communication system according to the fourth invention is the cryptographic communication system according to the second invention, wherein the communication group identification data is first encryption key identification data that identifies the encryption key used in the first communication group and the encryption key used in the second communication group to which the first encryption device belongs, the second encryption device has second encryption key identification data that identifies the encryption key used in the second communication group to which it belongs, and the second encryption device compares the first encryption key identification data transmitted from the first encryption device with its own second encryption key identification data and determines that the communication data transmitted from the first terminal is to be encrypted using the matching encryption key. The processing load up to the determination of the processing method of the communication data can therefore be reduced, and the overhead at the start of encrypted communication can be reduced.

The cryptographic communication system according to the fifth invention is the cryptographic communication system according to the third invention, wherein the first communication group identification data is first encryption key identification data that identifies the encryption key used in the first communication group and the encryption key used in the second communication group to which the first encryption device belongs, and the second communication group identification data is second encryption key identification data that identifies the encryption key used in the second communication group to which the second encryption device belongs. The first encryption device compares the second encryption key identification data transmitted from the second encryption device with its own first encryption key identification data and determines that the communication data transmitted from the first terminal is to be encrypted using the matching encryption key, and the second encryption device compares the first encryption key identification data transmitted from the first encryption device with its own second encryption key identification data and determines that the communication data transmitted from the first terminal is to be encrypted using the matching encryption key. The processing load up to the determination of the processing method of the communication data can therefore be reduced, and the overhead at the start of encrypted communication can be reduced.

The cryptographic communication system according to the sixth invention is the cryptographic communication system according to the first, second, or fourth invention, wherein the first encryption device has first storage means for storing the processing method of the communication data, the second encryption device has second storage means for storing the processing method of the communication data, and the first encryption device transmits the communication group identification data when one of the first storage means and the second storage means does not store the processing method of the communication data. Therefore, in addition to the effects of the first, second, or fourth invention, high-speed processing of the communication data is possible when a table is used.

The cryptographic communication system according to the seventh invention is the cryptographic communication system according to the first, second, third, fourth, fifth, or sixth invention, wherein the first encryption device has a first public port and a first local port, the second encryption device has a second public port and a second local port, and the first encryption device and the second encryption device process the communication data based on whether the port that received the communication data is the public port or the local port.

The cryptographic communication method according to the eighth invention is a cryptographic communication method in which first and second communication groups perform cryptographic communication using mutually different encryption methods, and comprises: a step in which a first encryption device transmits communication group identification data that identifies the first and second communication groups to which it belongs; a step in which a second encryption device determines an encryption processing method for communication data transmitted from a first terminal belonging to the first and second communication groups, based on the communication group identification data transmitted from the first encryption device and the second communication group to which the second encryption device belongs; and a step in which the first encryption device and the second encryption device encrypt the communication data transmitted from the first terminal based on the encryption processing method determined by the second encryption device and transmit it to a second terminal belonging to the second communication group. The processing load up to the determination of the processing method of the communication data can therefore be reduced, and the overhead at the start of encrypted communication can be reduced.

[0007]

[Brief description of the drawings]

FIG. 1 is a network configuration diagram according to Embodiments 1 and 2 of the present invention.

FIG. 2 is a block diagram of an encryption device according to Embodiments 1 and 2 of the present invention.

FIG. 3 is a communication sequence diagram according to the first embodiment of the present invention.

FIG. 4 is a flowchart showing an example of the operation of the encryption device according to Embodiments 1 and 2 of the present invention.

FIG. 5 is a flowchart showing an example of the operation of the encryption device according to Embodiments 1 and 2 of the present invention.

FIG. 6 is a flowchart showing an example of the operation of the encryption device according to Embodiments 1 and 2 of the present invention.

FIG. 7 is a flowchart illustrating an example of an operation of the encryption device according to the first embodiment of the present invention.

FIG. 8 is a flowchart illustrating an example of an operation of the encryption device according to the first embodiment of the present invention.

FIG. 9 is a flowchart illustrating an example of an operation of the encryption device according to the first embodiment of the present invention.

FIG. 10 is a network configuration diagram according to a third embodiment of the present invention.

FIG. 11 is a flowchart illustrating an example of an operation of the encryption device according to the second embodiment of the present invention.

FIG. 12 is a flowchart illustrating an example of an operation of the encryption device according to the second embodiment of the present invention.

FIG. 13 is a flowchart showing an example of the operation of the encryption device according to Embodiment 3 of the present invention.

FIG. 14 is a flowchart showing an example of the operation of the encryption device according to Embodiment 3 of the present invention.

FIG. 15 is a diagram illustrating a network configuration according to a conventional technique.

FIG. 16 is an encryption table in an encryption device according to a conventional technique.

FIG. 17 shows a key search packet according to the related art.

[Explanation of symbols]

1 encryption device 1, 2 encryption device 2, 3 encryption device 3, 4 encryption device 4, 5 encryption device 5, 6 terminal A, 7 terminal B, 8 terminal C, 9 VPN1, 10 VPN2, 11 public port, 12 transmission/reception processing unit, 13 encryption/decryption unit, 14 transmission relay unit, 15 discard unit, 16 encryption key table, 17 automatic learning processing unit, 18 transmission/reception processing unit, 19 local port, 20 memory, 25 key search packet.

Continued on the front page: (72) Inventor Akira Watanabe, 2-3-2 Marunouchi, Chiyoda-ku, Tokyo, Mitsubishi Electric Corporation

Claims (8)

[Claims]
1. A cryptographic communication system in which a plurality of communication groups perform cryptographic communication using a different encryption method for each communication group, the cryptographic communication system comprising a first terminal, a second terminal, and a first encryption device and a second encryption device on a communication path between the first terminal and the second terminal, wherein the first encryption device transmits communication group identification data identifying all the communication groups to which it belongs, and the second encryption device determines the processing method of communication data between the first terminal and the second terminal based on the communication group identification data transmitted from the first encryption device and the communication group to which the second encryption device belongs.
2. A cryptographic communication system in which first and second communication groups perform cryptographic communication using different encryption methods, comprising a first terminal and a first encryption device belonging to the first and second communication groups, and a second terminal and a second encryption device belonging to the second communication group, wherein the first encryption device transmits communication group identification data identifying the first and second communication groups to which it belongs, the second encryption device determines an encryption processing method for the communication data transmitted from the first terminal based on the communication group identification data transmitted from the first encryption device and the communication group to which the second encryption device belongs, and the first encryption device and the second encryption device encrypt the communication data transmitted from the first terminal based on the encryption processing method determined by the second encryption device and transmit it to the second terminal.
3. A cryptographic communication system in which first and second communication groups perform cryptographic communication using different encryption methods, comprising a first terminal and a first encryption device belonging to the first and second communication groups, and a second terminal and a second encryption device belonging to the second communication group, wherein the first encryption device transmits first communication group identification data identifying the first and second communication groups to which it belongs, the second encryption device transmits second communication group identification data identifying the second communication group to which it belongs, the second encryption device determines an encryption processing method for communication data transmitted from the first terminal based on the first communication group identification data transmitted from the first encryption device and the communication group to which the second encryption device belongs, the first encryption device determines an encryption processing method for communication data transmitted from the first terminal based on the second communication group identification data transmitted from the second encryption device and the communication group to which the first encryption device belongs, the first encryption device encrypts the communication data transmitted from the first terminal based on the encryption processing method determined by the first encryption device and transmits it to the second encryption device, and the second encryption device encrypts the communication data transmitted from the first encryption device based on the encryption processing method determined by the second encryption device and transmits it to the second terminal.
4. The cryptographic communication system according to claim 2, wherein the communication group identification data is first encryption key identification data identifying the encryption key used in the first communication group and the encryption key used in the second communication group to which the first encryption device belongs, the second encryption device has second encryption key identification data identifying the encryption key used in the second communication group to which it belongs, and the second encryption device compares the first encryption key identification data transmitted from the first encryption device with its own second encryption key identification data and determines that the communication data transmitted from the first terminal is to be encrypted using a matching encryption key.
5. The cryptographic communication system according to claim 3, wherein the first communication group identification data is first encryption key identification data identifying the encryption key used in the first communication group and the encryption key used in the second communication group to which the first encryption device belongs, the second communication group identification data is second encryption key identification data identifying the encryption key used in the second communication group to which the second encryption device belongs, the first encryption device compares the second encryption key identification data transmitted from the second encryption device with its own first encryption key identification data and determines that the communication data transmitted from the first terminal is to be encrypted using a matching encryption key, and the second encryption device compares the first encryption key identification data transmitted from the first encryption device with its own second encryption key identification data and determines that the communication data transmitted from the first terminal is to be encrypted using a matching encryption key.
6. The cryptographic communication system according to claim 1, 2 or 4, wherein the first encryption device has first storage means for storing the processing method of the communication data, the second encryption device has second storage means for storing the processing method of the communication data, and the first encryption device transmits the communication group identification data when one of the first storage means and the second storage means does not store the processing method of the communication data.
7. The cryptographic communication system according to claim 1, 2, 3, 4, 5, or 6, wherein the first encryption device has a first public port and a first local port, the second encryption device has a second public port and a second local port, and the first encryption device and the second encryption device process the communication data based on whether the port that received the communication data is the public port or the local port.
8. An encryption communication method in which a first and a second communication group perform encrypted communication using different encryption methods, the method comprising: a step in which a first encryption device belonging to the first and second communication groups transmits communication group specifying data that specifies the first and second communication groups; a step in which a second encryption device determines, based on the communication group specifying data transmitted from the first encryption device and on the second communication group to which the second encryption device belongs, an encryption processing method for communication data transmitted from a first terminal belonging to the second communication group; and a step in which the first encryption device and the second encryption device, based on the encryption method so determined, encrypt the communication data and transmit the encrypted data to a second terminal belonging to the second communication group.
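As an added illustration that is not part of the patent text, the following Python model shows the key-search exchange of the claims above: the originating device sends its key identification data, intermediate devices relay it unprocessed, the terminating device selects the key of the shared group, and both ends store the result so later data needs no new search. Device names, packet fields and key identifiers are constructed assumptions.

```python
# Added example (not the patent's own code): a minimal model of the key-search
# exchange between encryption devices that belong to several VPNs.
from dataclasses import dataclass, field


@dataclass
class KeySearchPacket:
    src: str        # sending encryption device
    dst: str        # encryption device that should answer
    key_ids: dict   # VPN id -> key identifier of the sender's key for that VPN


@dataclass
class EncryptionDevice:
    name: str
    keys: dict                                        # VPN id -> (key id, key bytes)
    method_table: dict = field(default_factory=dict)  # peer -> (VPN id, key id) once negotiated

    def key_search(self, dst):
        """Build the key identification data: one key id per VPN this device belongs to."""
        return KeySearchPacket(self.name, dst, {vpn: kid for vpn, (kid, _) in self.keys.items()})

    def handle(self, pkt):
        """Terminating device: compare the peer's key ids with its own and remember the match.
        Any other device relays the packet untouched (it is returned unchanged)."""
        if pkt.dst != self.name:
            return pkt                                # relay without processing
        for vpn, kid in pkt.key_ids.items():
            if vpn in self.keys and self.keys[vpn][0] == kid:
                self.method_table[pkt.src] = (vpn, kid)
                return (vpn, kid)
        return None                                   # no shared VPN: nothing to encrypt with

    def method_for(self, peer):
        """Stored processing method for a peer (claim 6: search only when it is missing)."""
        return self.method_table.get(peer)


def negotiate(src, path, dst):
    """Send a key-search packet from src through the devices in path to dst.
    Returns the (VPN id, key id) chosen by dst, or None when no VPN is shared."""
    if src.method_for(dst.name) is not None:
        return src.method_for(dst.name)               # already known, no packet sent
    pkt = src.key_search(dst.name)
    for hop in path:
        pkt = hop.handle(pkt)                         # intermediate hops only relay
    chosen = dst.handle(pkt)
    if chosen is not None:
        src.method_table[dst.name] = chosen           # both ends now agree on the key
    return chosen


# Constructed topology from the abstract: device 1 in VPN1 and VPN2, device 2 in VPN1 only,
# device 5 in VPN2 only; the key-search packet from device 1 to device 5 passes device 2.
dev1 = EncryptionDevice("dev1", {"VPN1": ("k1", b"key-vpn1"), "VPN2": ("k2", b"key-vpn2")})
dev2 = EncryptionDevice("dev2", {"VPN1": ("k1", b"key-vpn1")})
dev5 = EncryptionDevice("dev5", {"VPN2": ("k2", b"key-vpn2")})
```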

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP12849698A JPH11331151A (en) 1998-05-12 1998-05-12 System and method for cryptographic communication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP12849698A JPH11331151A (en) 1998-05-12 1998-05-12 System and method for cryptographic communication

Publications (1)

Publication Number Publication Date
JPH11331151A true JPH11331151A (en) 1999-11-30

Family

ID=14986189

Family Applications (1)

Application Number Title Priority Date Filing Date
JP12849698A Granted JPH11331151A (en) 1998-05-12 1998-05-12 System and method for cryptographic communication

Country Status (1)

Country Link
JP (1) JPH11331151A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005260286A (en) * 2004-03-09 2005-09-22 Fujitsu Ltd Radio communication system
JP4688426B2 (en) * 2004-03-09 2011-05-25 富士通株式会社 Wireless communication system
WO2012161417A1 (en) * 2011-05-26 2012-11-29 동국대학교 경주캠퍼스 산학협력단 Method and device for managing the distribution of access rights in a cloud computing environment


Legal Events

Date Code Title Description
RD01 Notification of change of attorney

Free format text: JAPANESE INTERMEDIATE CODE: A7421

Effective date: 20040621