TW200402010A - Encryption system and encryption device - Google Patents

Info

Publication number
TW200402010A
Authority
TW
Taiwan
Prior art keywords
terminal
cryptographic
network
data
mentioned
Application number
TW92112603A
Other languages
Chinese (zh)
Other versions
TWI276018B (en)
Inventor
Akira Okamoto
Makoto Izawa
Hiromitsu Narita
Original Assignee
Micro Res Lab Inc
Niigata Seimitsu Co Ltd
Events
Application filed by Micro Res Lab Inc, Niigata Seimitsu Co Ltd
Publication of TW200402010A
Application granted
Publication of TWI276018B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to an encryption system and an encryption device. An encryption device (1), which performs encryption/decryption so as to terminate encryption-based security with personal computers (7 to 9) that have encryption software, is connected between those personal computers (7 to 9) and terminals (2 to 4) that have no encryption software. The encryption device (1), for example, encrypts data received from a DB server (3) before transmitting it to the personal computer (7), and decrypts data received from the personal computer (8) before transmitting it to a network printer (2). Encryption can thus be used in an enterprise LAN that contains terminals (2 to 4) on which dedicated encryption software cannot be installed, so that a network (10) can be built in which there is little danger of secret information in the LAN being stolen through unauthorized intrusion or attack from outside.

Description

[Technical Field]

The present invention relates to a cryptographic system and a cryptographic device, and in particular to a cryptographic system and device suited to a system or apparatus that performs encryption/decryption of information on a network in order to reduce the risk of information being stolen or altered through attack from outside.

[Prior Art]

When a personal computer is used on its own, there is little risk of the information inside it being stolen or altered. When a personal computer is connected to a network such as the Internet, however, the information exchanged (received and sent) is relayed through many networks, so the opportunities for it to be stolen or altered in transit increase sharply. Cases of theft and alteration through unauthorized access from outside also increase.

To address this there are firewalls, anti-virus software, access control, encryption of information, VPNs (Virtual Private Networks) and so on. Among these, a system that uses encryption encrypts information before sending it to the other party, which decrypts it before use. With such a measure, even if information is stolen en route, the information is encrypted, so the likelihood of it being read is small, and the risk of alteration is also reduced. A VPN uses what is effectively a dedicated line to block unauthorized access from outside.

The above security (confidentiality) techniques are each used on their own, but using them in combination raises the security effect further.

For example, there are systems that perform encryption within a VPN network. These can be classified into three types: (1) Site-To-Site, (2) Remote-Access and (3) End-To-End. Figure 1 illustrates these three types of cryptographic system.

As shown in Figure 1, in a VPN network a site A network 100A, in which a plurality of desktop personal computers 101A are connected by a LAN (Local Area Network), and a site B network 100B, in which a plurality of desktop personal computers 101B are connected by a LAN, are connected via a network 200 that constitutes a virtual dedicated line.

In the Site-To-Site type, gateways 102A, 102B are installed at the entrance of each site network 100A, 100B, and encryption/decryption is performed at the gateways 102A, 102B, so that data is communicated in encrypted form over the network 200 between the gateways.

In the Remote-Access type, encryption/decryption is performed between the gateways 102A, 102B and remote terminals 103, 104, so that information is communicated in encrypted form between a gateway and a remote terminal.

Both of these types perform encrypted communication only outside the site networks 100A, 100B, and have the drawback that information inside a site is not protected at all. The LAN built inside a site is connected to a network 200 such as the Internet, and when necessary the personal computers in the LAN access the network to exchange (send and receive) information. But once a LAN is connected to a network in this way, there is a risk of information inside the LAN being stolen or altered through unauthorized intrusion or attack from outside.

Here the gateways 102A, 102B at the entrances of the site networks 100A, 100B easily become targets of external attack and also concentrate load, so expensive equipment must be installed, with the further drawback that each such machine requires difficult configuration and management.

Furthermore, the interior of each site network 100A, 100B is completely undefended against intrusion by entry routes other than the gateway (for example via a wireless LAN).

For the above problems, the End-To-End type performs encryption/decryption at each desktop personal computer 101A, 101B within the site networks 100A, 100B, so that encrypted communication takes place between the communicating terminals themselves. With this type, information is fully protected whether inside or outside a site, so the above drawbacks of the Site-To-Site and Remote-Access types are completely resolved. Because the processing capability of terminals used to be low, the End-To-End type was unrealistic, but advances in semiconductors (in particular CPU processing power) have recently made it feasible.

However, to use encryption in the End-To-End type, encryption software must be installed and various settings made on every terminal that is to communicate in encrypted form. Among the terminals connected to the LAN within the site networks 100A, 100B there are also terminals other than the desktop personal computers 101A, 101B on which encryption software can be installed.

For example, there are terminals such as printers and fax machines on which encryption software physically cannot be installed; terminals such as print servers and database servers on which it is undesirable to install additional software for reasons of operational stability; and terminals without an OS (operating system) that have only simple network terminal functions. So even with an End-To-End cryptographic system, encryption cannot be used on these, and information cannot be protected effectively.

Furthermore, conventional End-To-End cryptographic systems perform encrypted communication between terminals in a plurality of sites; encryption cannot be used within the closed world of a single site alone (for example only within site A network 100A). Also, when there is a terminal within site B network 100B on which encryption software cannot be installed, or when site B network 100B has such a large number of terminals that installing encryption software on all of them is unrealistic, an End-To-End cryptographic system cannot be used between sites A and B. In such a case, even if there is a demand to use encryption at least within site A network 100A, there was hitherto no means of meeting it.

The present invention was made to solve the above problems. Its object is to make encryption usable even within an enterprise LAN that has terminals on which encryption software cannot be installed, thereby reducing the risk of confidential information inside the LAN being stolen or altered through unauthorized intrusion or attack from outside.

A further object of the invention is to make encrypted communication usable even within a single closed site network when information is exchanged among a plurality of sites.

[Summary of the Invention]

The cryptographic system of the present invention comprises a plurality of terminals that perform data communication via a network, and a dedicated cryptographic device or a relay device carrying an encryption processing function that is connected directly or indirectly between the plurality of terminals. It is characterized in that the cryptographic device or relay device encrypts data received from a terminal of one party inside or outside a certain site network and transmits it to a terminal of the other party inside that or another site network, and decrypts the encrypted data received from the terminal of the other party and transmits it to the terminal of the one party.

The dedicated cryptographic device here means a device that performs encryption or decryption of data exclusively. A relay device carrying an encryption processing function means a device that has the function of encrypting and decrypting data and may also have other functions.

In another aspect of the invention, in a cryptographic system comprising a plurality of terminals that perform data communication via a network and a dedicated cryptographic device or relay device carrying an encryption processing function connected directly or indirectly between them, the cryptographic device or relay device encrypts data received from the network outside a certain site network and transmits it to the terminal inside that or another site network, and decrypts data received from the terminal and transmits it to the network.

Another aspect of the invention is a cryptographic system in which the following are connected via a wired or wireless network: a first terminal having an encryption processing function inside a certain site network; a second terminal having no encryption processing function inside or outside that or another site network; and a cryptographic device or relay device arranged between the first terminal and the second terminal for encrypting or decrypting data. The cryptographic device or relay device comprises encryption/decryption means for encrypting and decrypting data so as to terminate the encryption-based security with the first terminal, and data transfer means for outputting from its other port the data that was input at one port and encrypted or decrypted by the encryption/decryption means.

In another aspect, the encryption/decryption means performs encrypted data communication with the first terminal, and performs the above encryption and decryption so that unencrypted data communication is performed with the second terminal.

In another aspect, the relay device comprises a semiconductor chip integrating the function of the encryption/decryption means.

In another aspect, the semiconductor chip is provided between a signal transmitting/receiving unit and a baseband processor.

The cryptographic device of the invention is connected directly or indirectly between a plurality of terminals that perform data communication via a network, and is characterized in that it encrypts data received from a terminal of one party inside or outside a certain site network and transmits it to a terminal of the other party inside that or another site network, and decrypts the encrypted data received from the terminal of the other party and transmits it to the terminal of the one party.

In another aspect, the cryptographic device is connected directly or indirectly to a terminal that performs data communication via a network, between that terminal and the network; it encrypts data received from the network outside a certain site network and transmits it to the terminal inside that or another site network, and decrypts data received from the terminal and transmits it to the network.

In another aspect, the cryptographic device is connected directly or indirectly, among a plurality of terminals that perform data communication via a network, in the vicinity of a terminal of one party inside a certain site network; it decrypts data received from a terminal of the other party inside or outside that site network and sends it to the terminal of the one party, and encrypts data received from the terminal of the one party and transmits it to the terminal of the other party.

In another aspect, the cryptographic device is connected via a wired or wireless network between a first terminal having an encryption processing function inside a certain site network and a second terminal without an encryption processing function inside or outside that or another site network, and comprises encryption/decryption means for encrypting and decrypting data so as to terminate the encryption-based security with the first terminal, and data transfer means for outputting from its other port the data that was input at one port and encrypted or decrypted by the encryption/decryption means.

In another aspect, the encryption/decryption means performs encrypted data communication with the first terminal, and performs the above encryption and decryption so that unencrypted data communication is performed with the second terminal.

In another aspect, the encryption/decryption means and the data transfer function are integrated into a semiconductor chip.

In another aspect, the cryptographic device is connected via a wired or wireless network in the vicinity of a first terminal without an encryption processing function inside a certain site network, between that first terminal and a second terminal having an encryption processing function inside or outside that site network, and comprises encryption/decryption means for encrypting and decrypting data so as to terminate the encryption-based security with the first terminal, and data transfer means for outputting from its other port the data that was input at one port and encrypted or decrypted by the encryption/decryption means.

[Embodiments]

(First Embodiment)

The first embodiment of the invention is described below with reference to the drawings.

Figure 2 shows a configuration example of a cryptographic system according to the first embodiment, to which the cryptographic device of this embodiment is applied.

In Figure 2, reference numeral 1 denotes the cryptographic device of this embodiment (either the dedicated cryptographic device or the relay device carrying an encryption processing function according to the invention). It has two ports: devices such as a network printer 2, a DB server 3 and a network terminal 4 are connected to one port, and a hub 5 is connected to the other. The cryptographic device 1 relays data between the network printer 2, DB server 3, network terminal 4 and similar devices on one side and the hub 5 on the other.

The network printer 2 is a terminal on which encryption software physically cannot be installed. The DB server 3 is a terminal on which it is undesirable to install extra encryption software for reasons of operational stability. The network terminal 4 has no OS (operating system) and therefore cannot run encryption software. It is assumed that no encryption software is installed on these terminals 2 to 4.

The hub 5 is a device that relays data at the physical layer of the OSI reference model. Besides the cryptographic device 1, an access point (access station) 6 for wireless communication and a desktop personal computer 7 are connected to it. The hub 5 thus relays data among the cryptographic device 1, the access point 6 and the desktop personal computer 7.

A desktop personal computer 8 and a laptop personal computer 9 are connected wirelessly to the access point 6. Encryption software for encrypting and decrypting data can be installed on the desktop personal computers 7, 8 and the laptop personal computer 9, and it is assumed that it is installed.

As described above, the cryptographic device 1 of this embodiment has two ports. To one port are indirectly connected, via the hub 5 or the access point 6, the personal computers 7 to 9, which are terminals having an encryption processing function. To the other port are directly connected the network printer 2, DB server 3 and network terminal 4. The cryptographic device 1, network printer 2, DB server 3, network terminal 4, hub 5, access point 6 and personal computers 7 to 9 together form one site network.

With this configuration, data communication between the network printer 2, DB server 3 and network terminal 4, on which no encryption software is installed (mounted), and the personal computers 7 to 9, on which encryption software is installed (devices 2 to 4 and 7 to 9 all correspond to terminals of the invention), takes place via the cryptographic device 1, the hub 5 and the access point 6.

Here the cryptographic device 1 performs encrypted data communication with the personal computers 7 to 9 on which encryption software is installed, while performing encryption and decryption so that unencrypted data communication takes place with the terminals 2 to 4 on which no encryption software is installed.

For example, to send data from the desktop personal computer 7 to the network printer 2 for printing, the data is first encrypted with the encryption software installed on the desktop personal computer 7 and supplied via the hub 5 to the cryptographic device 1. The cryptographic device 1 then decrypts the received data and sends it to the network printer 2.

Also, for example, to fetch data managed by the DB server 3 into the laptop personal computer 9, the DB server 3 supplies the requested data to the cryptographic device 1 in response to the request. The cryptographic device 1, having received the unencrypted data, encrypts it and transmits it via the hub 5 and the access point 6 to the laptop personal computer 9. The laptop personal computer 9 decrypts the received data and uses it for the desired processing.

As is clear from the above, using the cryptographic device 1 of this embodiment makes encryption usable even within an enterprise LAN that has terminals 2 to 4 on which dedicated encryption software cannot be installed. A secure network can thus be built in which there is little risk of confidential information inside the LAN being stolen or altered through unauthorized intrusion or attack from outside.

Although encryption cannot be used between the cryptographic device 1 and each of the terminals 2 to 4, the cables 11 connecting them are physically short wiring, and the possibility of this part being attacked from outside and data being stolen or altered is very small, so it poses no particular problem for security.

Figure 3 shows another configuration example of the cryptographic system of the first embodiment. In Figure 3, components having the same functions as those in Figure 2 are given the same reference numerals.

The cryptographic device 1 shown in Figure 2 has a wired communication interface and is connected by wire to the hub 5. By contrast, the cryptographic device 1' shown in Figure 3 has a wireless communication interface and is connected wirelessly to the access point 6. The desktop personal computer 7 is also connected wirelessly to the access point 6, so no hub is needed in the example of Figure 3. In the case of Figure 3, the cryptographic device 1', the access point 6 and the personal computers 7 to 9 form one site network. Other points are the same as in Figure 2.

In the example of Figure 2, the function of the cryptographic device 1 may be integrated into a small IC and that IC mounted in the hub 5. Likewise, in the example of Figure 3, the function of the cryptographic device 1' may be integrated into a small IC and that IC mounted in the access point 6.

(Second Embodiment)

The second embodiment of the invention is described next.

Figure 4 shows a configuration example of a cryptographic system according to the second embodiment, to which the cryptographic device of this embodiment is applied. In Figure 4, components having the same functions as those in Figure 2 are given the same reference numerals.

As shown in Figure 4, the cryptographic device 21 of this embodiment has a network 20 using a virtual dedicated line, such as the Internet, connected to one port, and the hub 5 connected to the other port. In the case of Figure 4, the cryptographic device 21, the hub 5, the access point 6 and the personal computers 7 to 9 form one site network. Beyond the network 20 there are other site networks (not shown), to which a plurality of terminals are connected: terminals on which encryption software cannot be installed, such as the network printer 2, DB server 3 and network terminal 4 of Figure 2, or terminals on which encryption software is installed, such as the personal computers 7 to 9.

In the first embodiment of Figure 2, one device is connected to one cryptographic device 1, and one cryptographic device 1 performs encryption/decryption exclusively for that one device. Specifically, the cryptographic device 1 of Figure 2 is connected between the personal computers 7 to 9 on which encryption software is installed and a single device without encryption software, and terminates encryption-based security for that single device.

By contrast, in the second embodiment of Figure 4, the cryptographic device 21 is connected between the personal computers 7 to 9 with encryption software and a plurality of devices (not shown) connected via the network. The plurality of devices may be devices without encryption software, such as the network printer 2, DB server 3 and network terminal 4 of Figure 2, or devices with encryption software, such as the personal computers 7 to 9. The cryptographic device 21 of this embodiment terminates encryption-based security for the plurality of devices (the network 20). For this purpose the cryptographic device 21 holds a database sized to the number of connected devices and performs encryption/decryption with a different encryption key for each device.

For example, when data is sent via the network 20 from the desktop personal computer 7 inside the secure network 10 to an external device without encryption software in another site network, the data is first encrypted with the encryption software installed on the personal computer 7 and supplied via the hub 5 to the cryptographic device 21. The cryptographic device 21 then decrypts the received data and sends it via the network 20 to the device in the other site network.

Conversely, when data managed by an external device without encryption software in another site network is to be fetched into the laptop personal computer 9 in the secure network 10, the external device in the other site network sends the corresponding data onto the network 20 in response to the request given to it. The cryptographic device 21, having received the unencrypted data, encrypts it and transmits it via the hub 5 and the access point 6 to the laptop personal computer 9. The laptop personal computer 9 decrypts the received data and uses it for the desired processing.

As described above, when a device without encryption software exists in another site network connected to the network 20, the conventional End-To-End cryptographic system cannot be used for data communication with that device, so the site networks carrying out the data communication are left completely undefended.

By contrast, according to this embodiment, encryption-based protection can be used at least in one site network (the secure network 10 of Figure 4).

In this example, a cryptographic device 21 may also be installed in the other site network, so that encryption-based protection is available inside that other site network as well. In other words, a secure network can be built inside both sites; moreover, by installing the gateways shown in Figure 1 at the entrance of each site, encryption can be used on the network 20 too.

Instead of installing the gateways of Figure 1 at the entrance of each site, the cryptographic device 21 can be configured with a setting "whether the cryptographic device 21 performs (needs or does not need) encryption/decryption", which also makes encryption usable on the network 20. For example, the cryptographic device 21 is configured with the information "when terminals on which encryption software is installed communicate with each other, the cryptographic device 21 does not decrypt" and "when communicating with a terminal on which no encryption software is installed, the cryptographic device 21 decrypts".

In this case, for example, when data is sent from the desktop personal computer 7 in the secure network 10 via the network 20 to an external device with encryption software in another site network, the data is first encrypted with the encryption software installed on the desktop personal computer 7 and supplied via the hub 5 to the cryptographic device 21. The cryptographic device 21 then sends the received data, without decrypting it, via the network 20 to the external device, which decrypts the received data and uses it for the desired processing.

Conversely, when data encrypted by an external device in a site network beyond the network 20 is sent to the desktop personal computer 7 in the secure network 10, the cryptographic device 21 supplies the data received from the external device via the network 20 to the desktop personal computer 7 via the hub 5 without decrypting it, keeping it in its encrypted state.

The plurality of devices connected to the cryptographic device 21 need not be connected via the network; they may be connected to the cryptographic device 21 directly or via a hub. For direct connection, the cryptographic device 21 must have two ports.

Figure 5 shows another configuration example of the cryptographic system of the second embodiment. In Figure 5, components having the same functions as those shown in Figure 4 are given the same reference numerals. The example of Figure 5, like that of Figure 4, is an example in which one cryptographic device 21 terminates encryption-based security for a plurality of devices.

In the example of Figure 5, inside the secure network 10 the three personal computers 7 to 9 are all connected by wireless LAN to the access point 6, and the access point 6 is connected to the network 20 via the cryptographic device 21.

In general, a wireless LAN is weaker in security (confidentiality) than a wired network and is easily attacked from outside. SSID (Service Set Identifier) and WEP (Wired Equivalent Privacy) are available as the standard security functions of wireless LAN, but in a standard wireless LAN environment that relies only on these, the possibility of data being stolen or altered is high. Moreover, when theft or leakage has occurred, the damage is not easy to detect.

By contrast, according to this embodiment, simply installing one cryptographic device 21 at the entrance of the site network ensures encryption-based security inside the wireless LAN, effectively preventing theft, alteration and the like of data.

In the example of Figure 5, the cryptographic device 21 and the access point 6 may be connected wirelessly.

In the example of Figure 4, the function of the cryptographic device 21 may be integrated into a small IC and that IC mounted in the access point 6.

Figure 6 shows yet another configuration example of the cryptographic system of the second embodiment.

In Figures 2 to 5 above, the personal computers 7 to 9 on which encryption software is installed were given as examples of the "terminal of the other party inside a certain site network" or the "first terminal having an encryption processing function inside a certain site network" of the invention, and encryption-based security was terminated between the cryptographic devices 1, 1', 21 and the personal computers 7 to 9. The terminals of the invention are not limited to this example, however, and include other cryptographic devices having the same functions as the cryptographic devices 1, 1', 21. Figure 6 shows a configuration example for this case.

In the example of Figure 6, two site networks 30A, 30B of sites A and B are connected via routers 40A, 40B and a network 20 such as the Internet. Inside site A network 30A, personal computers 31A to 33A and cryptographic devices 21A-1 to 21A-3 form an enterprise LAN. None of the personal computers 31A to 33A has encryption software installed. The cryptographic devices 21A-1 to 21A-3 each have the same function as the cryptographic device 21 of Figure 4; one port is connected to a personal computer 31A to 33A and the other port to the router 40A.

Likewise, inside site B network 30B, personal computers 31B to 33B and cryptographic devices 21B-1 to 21B-3 form an enterprise LAN. None of the personal computers 31B to 33B has encryption software installed. The cryptographic devices 21B-1 to 21B-3 each have the same function as the cryptographic device 21 of Figure 4; one port is connected to a personal computer 31B to 33B and the other port to the router 40B.

With this configuration, data communication between personal computers belonging to the different site networks 30A, 30B takes place via the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3.

For example, when data is sent from the personal computer 31A in site A network 30A to the personal computer 33B in site B network 30B, the cryptographic device 21A-1 encrypts the data supplied by the personal computer 31A and transmits it via the router 40A, the network 20 and the router 40B to the cryptographic device 21B-3. The cryptographic device 21B-3 decrypts the received data and supplies it to the personal computer 33B. Encryption can thus be used between the different site networks 30A, 30B.

Also, inside site A network 30A, the personal computers 31A to 33A without encryption software communicate with each other via the cryptographic devices 21A-1 to 21A-3. For example, when data is sent from one personal computer 31A to another personal computer 33A, the cryptographic device 21A-1 encrypts the data supplied by the personal computer 31A and transmits it to the cryptographic device 21A-3. The cryptographic device 21A-3 decrypts the received data and supplies it to the personal computer 33A.

The same applies inside site B network 30B: the personal computers 31B to 33B without encryption software communicate with each other via the cryptographic devices 21B-1 to 21B-3. For example, when data is sent from one personal computer 31B to another personal computer 33B, the cryptographic device 21B-1 encrypts the data supplied by the personal computer 31B and transmits it to the cryptographic device 21B-3. The cryptographic device 21B-3 decrypts the received data and supplies it to the personal computer 33B.

As described above, the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3 all perform unencrypted data communication with the personal computers 31A to 33A, 31B to 33B, on which no encryption software is installed, while performing encryption and decryption so that encrypted data communication takes place between the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3, which are terminals having an encryption processing function.

By connecting the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3 in the vicinity of the respective personal computers 31A to 33A, 31B to 33B, encryption can be used not only between the different site networks 30A, 30B but also within an enterprise LAN of personal computers that have no encryption software. Each site network 30A, 30B can thus be made a secure (confidential) network in which there is little risk of confidential information inside the enterprise LAN being stolen or altered through unauthorized intrusion or attack from outside.

In the example of Figure 6, each site network 30A, 30B has a plurality of terminals with an encryption processing function (the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3), but at least one of the site networks may instead have only a single terminal with an encryption processing function. For example, site network 30A may consist of a single personal computer 31A connected to a single cryptographic device 21A-1. In that case, as in the configuration of Figure 6, encryption can be used between the different site networks 30A, 30B. Within site network 30A, connecting the cryptographic device 21A-1 in the vicinity of the personal computer 31A makes encryption usable between the entrance of site network 30A and the cryptographic device 21A-1.

The example of Figure 6 shows two site networks 30A, 30B connected by the network 20, each site network 30A, 30B having the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3 and the personal computers 31A to 33A, 31B to 33B, but the invention is not limited to this example.

For example, the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3 and the personal computers 31A to 33A, 31B to 33B may all be inside a single site network, and the exchange of data among the personal computers 31A to 33A, 31B to 33B without encryption software may take place via the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3. In that case, within the single site network, encryption can be used at least between the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3.

In addition, for example, in the configuration of Figure 2, a personal computer without encryption software together with a cryptographic device 1 may be used in place of the personal computer 7 with encryption software, with that cryptographic device 1 connected to the hub 5. In that case, encrypted communication is possible between devices such as the network printer 2, DB server 3 and network terminal 4, on which encryption software cannot be installed, and the personal computer without encryption software, via the cryptographic devices 1 connected adjacent to each of them.

(Third Embodiment)

The third embodiment of the invention is described next.

Figure 7 shows a configuration example of a cryptographic system according to the third embodiment, to which the cryptographic device of this embodiment is applied. In Figure 7, components having the same functions as those shown in Figures 3 and 5 are given the same reference numerals.

The third embodiment shown in Figure 7 forms a cryptographic system by combining the cryptographic device 1' shown in Figure 3 with the cryptographic device 21 shown in Figure 5. In this example, a secure network 10 can be established inside the wireless LAN, and encryption is also made usable for devices on which encryption software essentially cannot be installed.

(Fourth Embodiment)

The fourth embodiment of the invention is described next.

Figure 8 shows a configuration example of the cryptographic device (a relay device carrying an encryption processing function) of the fourth embodiment. Figure 8(a) shows a configuration example of an IC chip 50 implementing the function of the cryptographic device 21, and Figure 8(b) shows a configuration example of a mobile handset 60 carrying the IC chip 50.

As shown in Figure 8(a), the IC chip 50 for realizing the function of the cryptographic device 21 comprises functional blocks such as a CPU 51, a ROM 52, a RAM 53, an access controller 54 and an interface unit 55. The CPU 51 accesses the ROM 52 and the RAM 53 through the access controller 54, operates according to the program stored in the ROM 52 using the RAM 53 as its working area, and performs encryption/decryption of data. The interface unit 55 exchanges the data to be processed by the CPU 51, and the processed data, with the outside of the IC chip 50.

As shown in Figure 8(b), the IC chip 50 (cryptographic chip) is mounted in the mobile handset 60 between the signal transmitting/receiving unit and a baseband processor 65. The transmitting/receiving unit comprises a conventional antenna 61, antenna switch 62, RF unit (high-frequency processing unit) 63 and IF unit (intermediate-frequency processing unit) 64. This transmitting/receiving unit corresponds, for example, to wireless LAN or Bluetooth, and transmits and receives data to and from an external terminal such as a personal computer or a PDA (Personal Digital Assistant).

The mobile handset 60 thus configured can be used, for example, in place of the cryptographic device 21 shown in Figure 5. In that case, for example, when data is sent from the desktop personal computer 7 in the secure network 10 via the network 20 to a device in another site network, the data is first encrypted with the encryption software installed on the desktop personal computer 7 and the encrypted data is transmitted to the mobile handset 60. The mobile handset 60 then decrypts the received data in the cryptographic chip 50 and sends it via the network 20 to the device in the other site network.

Also, for example, when data managed by a device in another site network is to be fetched into the laptop personal computer 9 in the secure network 10, the device in the other site network sends the data onto the network 20 in response to the request given to it. The mobile handset 60, having received the unencrypted data, encrypts it with the cryptographic chip 50 and transmits it to the laptop personal computer 9. The laptop personal computer 9 decrypts the received data and uses it for the desired processing.

As described above, by implementing the function of the cryptographic device 21 as a chip and incorporating it into the mobile handset 60, encryption-based security (confidentiality) can be realized within the wireless LAN environment in which the mobile handset 60 is used.

This example describes the use of the mobile handset 60 in place of the cryptographic device 21 of Figure 5, but it may also be used in place of the cryptographic device 1' of Figure 3. In that case the connections between it and the network printer 2, DB server 3 and network terminal 4 are wireless. As noted above, encryption cannot be used on these segments, so it is a necessary condition that the devices 2 to 4 are used at a short physical distance from the mobile handset 60.

This example also describes mounting the IC chip 50 in a mobile (telephone) handset 60, but it is applicable to any other electronic device that has a communication interface.

The first to fourth embodiments have been described above, but the invention places no limitation on the encryption algorithm used in these embodiments; in other words, any known encryption algorithm may be applied.

In each of the above embodiments the network was described using the example of a virtual dedicated line, but the circuits to which the cryptographic device of these embodiments can be connected are not limited to a virtual dedicated line.

Each of the above embodiments is merely one concrete example of carrying out the invention, and the technical scope of the invention is not to be interpreted restrictively on the basis of these embodiments. In other words, the invention can be carried out in various forms without departing from its spirit or principal features.

As described above, according to the invention, a dedicated cryptographic device or the like is connected between terminals that perform data communication via a network, and that cryptographic device or the like encrypts data received from a terminal of one party inside or outside a certain site network and transmits it to another terminal inside a certain site network, while decrypting data received from the terminal of the other party and sending it to the terminal of the one party. Encryption therefore becomes usable even within an enterprise LAN that has terminals on which encryption software cannot be installed, reducing the risk of confidential information inside the LAN being stolen or altered through unauthorized intrusion or attack from outside.

The invention also makes encryption usable, for example, only within the closed world of one site network among a plurality of site networks connected by a virtual dedicated line.

For example, encryption can be used within at least one site network even when there is a terminal in another site network on which encryption software cannot be installed, or when another site network has such a large number of terminals that installing encryption software on all of them would be unrealistic.

For example, a wireless LAN that alone constitutes one site network can also obtain encryption-based protection.

[Industrial Applicability]
Also on this third figure, the same reference numerals are given to the constituent elements having the same functions as the constituent elements of the second figure. The cryptographic device 1 shown in FIG. 2 is provided with a wired communication interface, and is connected to the hub 5 by a wire. The corresponding cryptographic device 1 shown in FIG. 3 is provided with a wireless communication interface, and is wirelessly connected to the access point 6. The desktop personal computer 7 is also connected to the access point 6 wirelessly. Therefore, a hub is not required in the example in FIG. 3. In the case of Fig. 3, a cryptographic device 1, an access point 6, and personal computers 7 to 9 constitute a pseudo-point network. The other points are the same as those in Figure 2. Furthermore, in the example of the second figure, the function of the cryptographic device 1 is integrated into a small 1C, and the 1C may be mounted on the hub 5. In the example of FIG. 3, it is also possible to integrate the function of the cryptographic device 1 / into a small Ic and install the 1C in the access point 6. (Second Embodiment) Next, a second embodiment of the present invention will be described. The fourth diagram does not apply to the configuration example of the cryptographic system of the second embodiment of the cryptographic device of this embodiment. In the fourth figure, elements having the same function as the constituent elements shown in FIG. 2 are marked with the same ~ symbol. As shown in FIG. 4, the cryptographic device 21 of this embodiment is a port connected to one side of the network 2 using an imaginary dedicated line such as a network. The other side is -15- (12) (12) 200402010. The port 5 is connected to a hub 5 ° The situation in FIG. 4 is composed of a cryptographic device 21, a hub 5, an access point 6, and a personal computer 7 to 9 to form a pseudo-point network. 
In addition, there are other pseudo-point networks (not shown) in front of the network 20, which are connected to a plurality of devices, such as a network printer 2, a DB server 3, and a network terminal 4 as shown in FIG. 2 Etc. 'Terminals where password software cannot be installed, or terminals with password software such as personal computers 7-9. In the first embodiment shown in Fig. 2, one device is connected to one cryptographic device 1. Encryption / decoding processing is performed exclusively for one device with one encryption device 1. In detail, the cryptographic device 1 shown in FIG. 2 is connected between the personal computers 7 to 9 on which the cryptographic software is installed, and a device on which one of the cryptographic software is not installed. Protection of transformation. In contrast, in the second embodiment shown in FIG. 4, the cryptographic device 21 is connected between the personal computers 7 to 9 on which the cryptographic software is installed, and a plurality of devices connected via a network (not shown). . The above-mentioned multiple devices are network printer 2, DB server 3, network terminal 4, etc. as shown in FIG. 2. Those without password software can also be installed, or if personal computers 7-9 have passwords installed Software users can also. The cryptographic device 21 of the present embodiment is a device (network 20) for plural devices, and the terminal secures by means of cryptography. At this time, the cryptographic device 21 is a database having the number of connected devices, and the cryptographic / decoding processing is performed for each device with a different cryptographic key. For example, when the personal computer 7 in the security network 10 is sent through the network 20 to an external device that does not have password software installed in another intended network, the password software installed in the personal computer 7 will be used first. 
Document-16- (13) (13) 200402010 Encryption is supplied to the encryption device 21 via the hub 5. Then the cryptographic device 2 1 'is' decodes the received data and sends it out to other devices in the intended network via the network 20. Furthermore, for example, when the data managed by an external device without password software in another intended network is taken into the laptop personal computer 9 in the security network 10, the external device in the other intended network is The corresponding information is sent to the network 20 in response to the given request. At this time, the cryptographic device 21 that has received (received) the unencrypted data is cryptographically transmitted to the laptop personal computer 9 via the hub 5 and the access point 6. The laptop personal computer 9 decodes the received data and uses it for the desired processing. As mentioned above, when there is a device without password software installed in the other intended network connected to the network 20, the previous End-To- End type password system. Therefore, the network of each point where data communication is implemented is completely unguarded. In contrast, according to this embodiment, at least one of the quasi-point networks (the security network 10 in FIG. 4) can use the protection by cryptography. In this example, the password system 21 is also provided in other pseudo-point networks, so that the password protection can also be used in the other pseudo-point networks. In other words, a security network can be built in the proposed points of both parties, and the entrances and exits of each proposed point are set up. The gate way shown in Figure 1 is thus that the password can also be used on the network 20. Instead of setting the gates shown in Figure 1 at the entrances and exits of each proposed point, set the password device 21 to "is the password device 21 available (required or not required)? 
-17-(14) (14) 200402010 encoding / decoding "Processing" may make it possible to use passwords on the network 20> For example, it is set on the cryptographic device 21: "When the terminals installed with cryptographic software communicate with each other, the cryptographic device 2i does not perform decoding processing ". And "When implementing communication with a terminal that does not have password software installed," that is to say that the implementation of decoding is performed by the code device 21. At this time, 'for example, when sending data from the desktop personal computer 7 in the security network 10 to the external device with password software in the other target network via the network 20', that is, first use the desktop personal computer 7 installed The cryptographic software encrypts the data and supplies it to the cryptographic device 21 via the hub 5. Then the cryptographic device 21 sends the received data to the external device via the network 20 without decoding. The external device will accept it. The data is decoded and used for the desired processing. On the contrary, when the encrypted data of the external device in the intended network before the network 20 is sent to the desktop personal computer 7 in the security network 10, the password device 21 is connected to the external device via the network 20 The received data is supplied to the desktop personal computer 7 via the hub 5 while maintaining the encrypted state without being decoded. Further, the plurality of devices connected to the cryptographic device 21 does not necessarily need to be connected via a network, and may be connected to the cryptographic device 21 directly or via a hub. When connected directly, the cryptographic device 21 must have two ports. Fig. 5 is a diagram showing another configuration example of the cryptographic system of the second embodiment. In Fig. 5, components having the same functions as those shown in Fig. 4 are denoted by the same symbols. 
The example shown in Fig. 5 -18-(15) (15) 200402010 The example is similar to the example shown in Fig. 4, in which one cryptographic device 21 is used to secure a plurality of device terminals by cryptography. The example shown in FIG. 5 is the internal system of the security network 10. The three personal computers 7 to 9 are all connected to the access point 6 by wireless LAN, and the access point 6 is connected to the access point 6 via a cryptographic device 21. Network 20. Generally speaking, wireless LANs are vulnerable to security (confidentiality) when compared to wired networks. Very vulnerable to external attacks. As a standard security function of wireless LAN, it is possible to use SSID (Service Set Identifier) and WEP (Wired Equivalent Privacy). However, only using these standard wireless LAN environments is that the possibility of data being stolen and altered is very high. Furthermore, it is not easy to detect when the theft or leakage was committed. In contrast, according to this embodiment, as long as a password device 21 is provided at the entrance and exit of the intended network, the security of borrowing and encryption within the wireless LAN can be ensured, so the theft, alteration, etc. of the data can be effectively prevented. In the example shown in Fig. 5, the encryption device 21 and the access point 6 can be connected wirelessly. In the example of FIG. 4 described above, the function of the cryptographic device 21 is integrated into a small 1C, and the 1C may be installed in the access point 6. Fig. 6 is a diagram showing an example of still another configuration of the cryptographic system of the second embodiment. Figures 2 to 5 described above describe the "the other party's terminal inside a given point network" or "the first terminal with a password processing function inside a given point network" as the present invention. 
The "terminal" is an example of a personal computer 7 ~ 9 installed with cryptographic software, and the cryptographic device 1, 1 > • 19- (16) (16) 200402010, 2 1 and personal computer 7-9 An example of the security of the terminal by cryptography, but the above-mentioned terminal system of the present invention is not limited to this example, and will include other cryptographic devices having the same functions as the cryptographic devices 1, 1 /, 21, FIG. 6 A configuration example at this time is shown. The example shown in FIG. 6 is that the two quasi-point networks 30A and 30B of the quasi-point A and B are connected through the routers 40A and 40B and the network 20 such as the network. Within the quasi-dot network 30, a personal computer 31-8 to 33-8 and a cryptographic device 21-8-1 to 21-8-3 constitute 1 ^ 1 ^ within the enterprise. The personal computers 31 to 33 are terminals with no password software installed. Each of the cryptographic devices 21A_1 to 21A-3 has the same function as the cryptographic device 21 of FIG. 4. One port is connected to a personal computer 3 1A to 33A, and the other port is connected to a router 40A. In the virtual point B network 30B, personal computers 31 B to 3 3B and password devices 21B0 and 21B-3 are also used to form an intra-company LAN. None of the personal computers 31B to 33B has a terminal with password software installed. Each of the cryptographic devices 21 B-1 to 21 B-3 has the same function as the cryptographic device 21 of Fig. 4. A personal computer 31B to 33B is connected to one port, and a router 40B is connected to the other port. According to the above-mentioned structure, data communication is performed between personal computers belonging to different pseudo-point networks 30A and 30B through cryptographic devices 21A-1 to 21A-3 and 21B-1 to 21B-3. 
For example, if you want to send information from the personal computer 31A in the quasi-point A network 30A to the personal computer 33B in the quasi-point B network 30B, the cryptographic device 21 A-1 passwords the information provided by the personal computer 31A It transmits information to the cryptographic device 21B-3 via the router 40A, the network 20, and the router 40B. The cryptographic device 21B-3 decodes the data received and supplies it to the personal computer. -20- (17) (17) 200402010 Brain 3 3 B. Therefore, the passwords can be used between different pseudo-point networks 3 A and 3 B. Also, for example, it is inside the point A network 3 0 A, and each personal computer 3 1 A ~ 3 3 A without password software is interposed with the password device 2 1 A -1 ~ 2 1 A-3 implementation data communication. For example, when sending data from a personal computer 3 i a to another personal computer 33 A, the cryptographic device 21 a-χ is encrypted and transmitted from the personal computer 3 1 A to the cryptographic device 2 i a-3. The encryption device 21A-3 is about to receive (receive) the data and decode it and supply it to the personal computer 33A. 〇It is the same inside the point B network 3 0 B. The personal computers 31B ~ 33B without password software are connected to each other. The cryptographic devices 21B-1 to 21B-3 implement data communication. For example, when sending data from a personal computer 31] 8 to other personal computers 3SB, the cryptographic device encrypts the data given by the personal computer 31B and sends the information to the cryptographic device 21B-3. The cryptographic device 21B-3 decodes the received data and supplies it to the personal computer 33B. As mentioned above, the cryptographic devices 21A-1 ~ 21A-3, 21B-1 ~ 21B-3 are all used to communicate with personal computers 31A ~ 33A, 31B ~ 33B without password software. 
At the same time, Between the cryptographic devices 21A-1 ~ 21A-3, 21B-1 ~ 21B-3 of the terminal with the cryptographic processing function, the cryptographic processing and the cryptographic decoding processing are implemented in order to implement the communication of the encrypted data. As described above, the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3 are connected to the personal computers 31 A to 33 A, 31 B to 3 3B, respectively, of course, because of different pseudo-point networks Between 30A and 30B, passwords may be used in corporate LANs that do not have password software • 21-(18) (18) 200402010. As a result, each of the proposed networks 30A and 30B can be a security (confidentiality) network with less danger of stealing or altering confidential information inside the corporate LAN from unauthorized intrusion or attack from the outside. Furthermore, in the example of the above-mentioned FIG. 6, each of the pseudo-point networks 30 A and 30B has a plurality of terminals with a password processing function (cryptographic devices 21 A-1 to 21 A-3, 21B-1 to 21B -3), but it is also possible to use a configuration in which at least one of the pseudo-point networks has only one terminal with a password processing function. For example, in the pseudo-point network 30A, a personal computer 3 1 A and a The encryption device 21 A-1 may be configured. In this case, the configuration shown in Fig. 6 is the same as that in the different pseudo-point networks 30 A and 30B, a password can be used. Also, regarding the pseudo-point network 30A, by connecting the cryptographic device 21 A-1 to the vicinity of the personal computer 31A, a password can be used between the entrance and exit of the pseudo-point network 30A and the cryptographic device 2 1 A-1. . The example of the above-mentioned FIG. 6 shows that two pseudo-point networks 30A and 30B are connected by the network 20. 
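The relay behaviour described for the cryptographic device 21 of Fig. 4 (a per-device key table; pass the frame through untouched when both terminals run their own encryption software, otherwise encrypt or decrypt on the terminal's behalf) and for the device pairs 21A-1 to 21A-3 / 21B-1 to 21B-3 of Fig. 6 (two relays in front of computers without software, with only the hop between the relays encrypted), written out as a runnable Python model. This is an illustration added to this page, not code from the patent or its applicants. The two-port "A"/"B" convention, the routes table, the frame fields and the stand-in cipher (an HMAC-SHA256 keystream with an HMAC tag, chosen because the specification leaves the algorithm open) are all assumptions of the example.

```python
"""Added model of the inline cryptographic relay of Figs. 4 and 6 (not the
patent's own code).  Stand-in cipher from the standard library only:
HMAC-SHA256 as a counter-mode keystream plus an HMAC tag (encrypt-then-MAC)."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

NONCE_LEN, TAG_LEN = 12, 16


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, ctr = [], 0
    while sum(map(len, blocks)) < n:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag, with a fresh random nonce per frame."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; a bad tag rejects the frame."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed, frame dropped")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass(frozen=True)
class Frame:
    src: str                          # originating terminal
    dst: str                          # destination terminal
    payload: bytes
    sealed_by: Optional[str] = None   # who encrypted the payload (None = cleartext)
    sealed_for: Optional[str] = None  # who is meant to decrypt it


class Relay:
    """Two-port device: whatever enters one port leaves the other (claim 3).
    keys   -- counterpart name -> key, a different key per device (Fig. 4 text)
    routes -- terminal without software -> the counterpart that protects it
              (on 21A-1 of Fig. 6: PC33B -> 21B-3); a terminal with its own
              software is its own counterpart.  Assumed layout, not the patent's."""

    def __init__(self, name: str, keys: Dict[str, bytes], routes: Dict[str, str]):
        self.name, self.keys, self.routes = name, keys, routes

    def forward(self, port_in: str, frame: Frame) -> Tuple[str, Frame]:
        port_out = "B" if port_in == "A" else "A"
        if frame.sealed_by is None:
            # Cleartext from a terminal without software: protect it toward its counterpart.
            counterpart = self.routes.get(frame.dst)
            if counterpart in self.keys:
                frame = replace(frame, payload=seal(self.keys[counterpart], frame.payload),
                                sealed_by=self.name, sealed_for=counterpart)
            # No counterpart known (printer-to-PC case of Fig. 2): forwarded unprotected.
        elif frame.sealed_for == self.name:
            # We terminate the protection: decrypt toward the terminal without software.
            frame = replace(frame, payload=unseal(self.keys[frame.sealed_by], frame.payload),
                            sealed_by=None, sealed_for=None)
        # Otherwise both ends run their own software: passed through undecrypted (Fig. 4 setting).
        return port_out, frame


def demo_fig6() -> bytes:
    """PC31A (no software) -> 21A-1 -> routers / network 20 -> 21B-3 -> PC33B (no software)."""
    k = os.urandom(32)  # key shared by the two relays (constructed for the demo)
    dev_a1 = Relay("21A-1", {"21B-3": k}, {"PC33B": "21B-3"})
    dev_b3 = Relay("21B-3", {"21A-1": k}, {"PC31A": "21A-1"})
    _, on_wire = dev_a1.forward("A", Frame("PC31A", "PC33B", b"quarterly figures"))
    assert on_wire.sealed_for == "21B-3" and b"quarterly" not in on_wire.payload
    _, delivered = dev_b3.forward("B", on_wire)
    return delivered.payload


def demo_fig4() -> Tuple[bytes, bool, bytes]:
    """Device 21 in front of PC7 / PC9 (both with software), facing the network 20."""
    k7, k9 = os.urandom(32), os.urandom(32)
    dev21 = Relay("21", {"PC7": k7, "PC9": k9}, {"PC7": "PC7", "PC9": "PC9"})
    # (a) PC7 -> external device without software: 21 decrypts on the way out.
    _, out = dev21.forward("A", Frame("PC7", "EXT", seal(k7, b"print job"), "PC7", "21"))
    # (b) PC7 -> external device with software: 21 must not decrypt.
    end_to_end = Frame("PC7", "EXT2", b"\x00opaque", "PC7", "EXT2")
    _, out2 = dev21.forward("A", end_to_end)
    # (c) external device without software -> PC9: 21 encrypts before the wireless hop.
    _, in9 = dev21.forward("B", Frame("EXT", "PC9", b"db rows"))
    return out.payload, out2 is end_to_end, unseal(k9, in9.payload)


def tamper_is_rejected() -> bool:
    """A single flipped ciphertext bit must be dropped by the receiving relay."""
    k = os.urandom(32)
    dev_b3 = Relay("21B-3", {"21A-1": k}, {})
    blob = bytearray(seal(k, b"salary table"))
    blob[NONCE_LEN] ^= 0x01
    try:
        dev_b3.forward("B", Frame("PC31A", "PC33B", bytes(blob), "21A-1", "21B-3"))
    except ValueError:
        return True
    return False
```

Two points of the model are worth noting. The pass-through decision in case (b) is taken from the relay's own key and route tables, not from anything the peer asserts: a frame sealed for somebody else is simply not decryptable by the relay, which is what keeps the "both terminals have software" rule from becoming a way to coax cleartext out of the device. And the per-device keys of the Fig. 4 text mean that a compromised counterpart (for example a device at another site) can only read traffic addressed to it, never the traffic of the other devices in the table.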
In each of the site networks 30A and 30B the example provides cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3 and personal computers 31A to 33A, 31B to 33B, but the invention is not limited to this example. For instance, a single site network may contain the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3 and the personal computers 31A to 33A, 31B to 33B, and the exchange of data between the personal computers 31A to 33A, 31B to 33B without encryption software may be carried out through the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3. Within that single site network, encryption can then be used at least between the cryptographic devices 21A-1 to 21A-3, 21B-1 to 21B-3.

Besides the above, in the configuration of Fig. 2 the personal computer 7 with encryption software may be replaced by a personal computer without encryption software together with a cryptographic device 1, that cryptographic device 1 being connected to the hub 5. Encrypted communication is then possible between the devices on which encryption software cannot be installed, such as the network printer 2, DB server 3 and network terminal 4, and the personal computer without encryption software, by way of the cryptographic devices 1 connected next to each of them.

(Third Embodiment)

Next, a third embodiment of the present invention is described.

Fig. 7 shows a configuration example of a cryptographic system according to the third embodiment, to which the cryptographic device of this embodiment is applied. In Fig. 7, components having the same functions as those in Figs. 3 and 5 are given the same reference numerals.

The third embodiment of Fig. 7 combines the cryptographic device 1' of Fig. 3 with the cryptographic device 21 of Fig. 5 to form a cryptographic system. In this example a secure network 10 can be established inside the wireless LAN, and encryption can be used even for devices on which encryption software cannot in practice be installed.

(Fourth Embodiment)

Next, a fourth embodiment of the present invention is described.

Fig. 8 shows a configuration example of the cryptographic device of the fourth embodiment (a relay device carrying the cryptographic processing function). Fig. 8(a) shows a configuration example of an IC chip 50 that implements the functions of the cryptographic device 21, and Fig. 8(b) shows a configuration example of a mobile telephone 60 in which the IC chip 50 is mounted.

As shown in Fig. 8(a), the IC chip 50 implementing the functions of the cryptographic device 21 comprises functional blocks such as a CPU 51, ROM 52, RAM 53, an access controller 54 and an interface 55. The CPU 51 accesses the ROM 52 and RAM 53 through the access controller 54, operates according to the program stored in the ROM 52 using the RAM 53 as its working area, and performs the encryption and decryption of data. The interface 55 exchanges the data to be processed by the CPU 51, and the processed data, with the outside of the IC chip 50.

As shown in Fig. 8(b), the IC chip 50 (cryptographic chip) is mounted in the mobile telephone 60 between the transmitting/receiving section and the baseband processor 65. The transmitting/receiving section comprises the conventional antenna 61, antenna switch 62, RF section (high-frequency processing section) 63 and IF section (intermediate-frequency processing section) 64, and exchanges data with an external terminal such as a personal computer or PDA (Personal Digital Assistant) over wireless LAN, Bluetooth or the like.

The mobile telephone 60 so constructed can be used, for example, in place of the cryptographic device 21 of Fig. 5. Then, when data is sent from the desktop personal computer 7 in the secure network 10 through the network 20 to a device in another site network, the data is first encrypted by the encryption software on the personal computer 7 and sent to the mobile telephone 60, which decrypts the received data in the cryptographic chip 50 and sends it through the network 20 to the device in the other site network. Conversely, when data managed by a device in another site network is to be fetched into the laptop personal computer 9 in the secure network 10, that device sends the data onto the network 20 in response to the request; the mobile telephone 60 receives the unencrypted data, encrypts it in the cryptographic chip 50 and sends it to the laptop personal computer 9, which decrypts the received data and uses it for the desired processing.

By putting the functions of the cryptographic device 21 on a chip and building it into the mobile telephone 60 in this way, cryptographic protection (confidentiality) can be achieved in a wireless LAN environment that uses the mobile telephone 60.

This example has described using the mobile telephone 60 in place of the cryptographic device 21 of Fig. 5; it may equally be used in place of the cryptographic device 1' of Fig. 3. In that case the links to the network printer 2, DB server 3 and network terminal 4 become wireless, and since, as noted above, encryption cannot be used on those links, the devices 2 to 4 must be kept at a short physical distance from the mobile telephone 60 for this to be acceptable. This example mounted the IC chip 50 in a mobile telephone 60, but it is applicable to any other electronic device with a communication interface.

The first to fourth embodiments have been described above, but the present invention does not limit the cryptographic algorithm used in them; any known cryptographic algorithm may be applied. In each embodiment the network was described as using a virtual private line, but the lines to which the cryptographic device of this embodiment may be connected are not limited to virtual private lines.

Each of the above embodiments is merely one concrete example of carrying out the present invention, and the technical scope of the invention is not to be interpreted as limited by them; the invention may be carried out in various forms without departing from its spirit or principal features.

As described above, the present invention connects a dedicated cryptographic device or the like between terminals that communicate data through a network; that device encrypts data received from one terminal inside or outside a site network and sends it to another terminal inside that site network, and decrypts the encrypted data received from the other terminal and sends it to the first. Encryption can therefore be used even in a corporate LAN containing terminals on which encryption software cannot be installed, reducing the risk of confidential information inside the LAN being stolen or altered by unauthorized intrusion or attack from outside.

The present invention also makes it possible to use encryption only within the closed world of one of a plurality of site networks connected by virtual private lines. For example, where another site network contains terminals on which encryption software cannot be installed, or where another site network has so many terminals that installing encryption software on all of them is unrealistic, encryption can still be used in at least one site network. A wireless LAN that forms a single site network on its own, for example, can also be protected by encryption.

Industrial Applicability

The present invention is useful in that encryption can be used even in a corporate LAN with terminals on which dedicated encryption software cannot be installed, reducing the risk of confidential information inside the LAN being stolen or altered by unauthorized intrusion or attack from outside. It is also useful in that, when information is communicated between a plurality of sites, encryption can be used within a single closed site network alone.

[Brief Description of the Drawings]

Fig. 1 shows the configuration of a conventional cryptographic system.
Fig. 2 shows a configuration example of a cryptographic system according to the first embodiment, to which the cryptographic device of this embodiment is applied.
Fig. 3 shows another configuration example of the cryptographic system according to the first embodiment.
Fig. 4 shows a configuration example of a cryptographic system according to the second embodiment, to which the cryptographic device of this embodiment is applied.
Fig. 5 shows another configuration example of the cryptographic system according to the second embodiment.
Fig. 6 shows still another configuration example of the cryptographic system according to the second embodiment.
Fig. 7 shows a configuration example of a cryptographic system according to the third embodiment, to which the cryptographic device of this embodiment is applied.
Fig. 8 shows the configuration of the cryptographic device (relay device) of the fourth embodiment; Fig. 8(a) shows a configuration example of the cryptographic chip, and Fig. 8(b) a configuration example of a mobile telephone carrying that chip.

[Reference Numerals]

1, 1': cryptographic device
2: network printer
3: DB server
4: network terminal
5: hub
6: access point
7: desktop personal computer
8: desktop personal computer
9: laptop personal computer
10: secure network
11: cable
20: network
21: cryptographic device
21A-1 to 21A-3: cryptographic device
21B-1 to 21B-3: cryptographic device
31A, 31B: personal computer
32A, 32B: personal computer
33A, 33B: personal computer
30A, 30B: site network
40A, 40B: router
100A, 100B: site network
101A, 101B: desktop personal computer
102A, 102B: gateway
103: remote terminal
104: remote terminal
200: network
50: IC chip
51: CPU
52: ROM
53: RAM
54: access controller
55: interface
60: mobile telephone
61: antenna
62: antenna switch
63: RF section (high-frequency processing section)
64: IF section (intermediate-frequency processing section)
65: baseband processor

Claims

... a cryptographic system comprising a cryptographic device or relay device that performs the processing, characterized in that:
the cryptographic device or relay device comprises: encryption/decryption means that performs encryption and decryption of data so as to terminate, at the device, the cryptographic protection between the device and the first terminal; and
data transfer means that outputs, at another port, data that was input at one port and subjected to encryption or decryption by the encryption/decryption means.

4. The cryptographic system of claim 3, wherein the encryption/decryption means performs the encryption and decryption so that encrypted data communication is carried out with the first terminal while unencrypted data communication is carried out with the second terminal.

5. The cryptographic system of claim 3, wherein the relay device comprises a semiconductor chip in which the functions of the encryption/decryption means are integrated.

6. The cryptographic system of claim 5, wherein the semiconductor chip is provided between the signal transmitting/receiving unit and the baseband processor.

7. A cryptographic device, characterized in that it is connected, directly or indirectly, between a plurality of terminals that communicate data via a network; encrypts data received from a terminal on one side, located inside or outside a site network, and transmits it to a terminal on the other side, located inside the same or another site network; and at the same time decrypts the encrypted data received from the terminal on the other side and transmits it to the terminal on the one side.

8. A cryptographic device, characterized in that it is connected, directly or indirectly, to a terminal that communicates data via a network, between that terminal and the network; encrypts data received from the network, which lies outside a site network, and transmits it to the terminal, which lies inside that or another site network; and at the same time decrypts the encrypted data received from the terminal and transmits it to the network.

9. A cryptographic device, characterized in that it is connected, directly or indirectly, between a plurality of terminals that communicate data via a network, in the vicinity of a terminal on one side located inside a site network; decrypts the encrypted data received from a terminal on the other side, located inside or outside that site network, and transmits it to the terminal on the one side; and at the same time encrypts data received from the terminal on the one side and transmits it to the terminal on the other side.

10. A cryptographic device, characterized in that it is connected via a wired or wireless network between a first terminal having a cryptographic processing function, located inside a site network, and a second terminal having no cryptographic processing function, located inside or outside that or another site network, and comprises:
encryption/decryption means that performs encryption and decryption of data so as to terminate, at the device, the cryptographic protection between the device and the first terminal; and
data transfer means that outputs, at another port, data that was input at one port and subjected to encryption or decryption by the encryption/decryption means.

11. The cryptographic device of claim 10, wherein the encryption/decryption means performs the encryption and decryption so that encrypted data communication is carried out with the first terminal while unencrypted data communication is carried out with the second terminal.

12. The cryptographic device of claim 10, wherein the encryption/decryption means and the data transfer function are integrated into a semiconductor chip.

13. A cryptographic device, characterized in that it is connected via a wired or wireless network in the vicinity of a first terminal having no cryptographic processing function, located inside a site network, between that first terminal and a second terminal having a cryptographic processing function, located inside or outside that site network, and comprises:
encryption/decryption means that performs encryption and decryption of data so as to terminate, at the device, the cryptographic protection between the device and the first terminal; and
data transfer means that outputs, at another port, data that was input at one port and subjected to encryption or decryption by the encryption/decryption means.
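The device of claims 3, 4 and 10 to 13 is a two-port relay: frames entering the port that faces the terminal without cryptographic capability are encrypted and output on the port that faces the network and the crypto-capable terminal, and frames arriving from that side are authenticated, decrypted and output as plaintext. The following is an added worked example of that arrangement; it is not code from the patent or its applicants. The class and function names are my own, the shared key is assumed to be pre-provisioned to both the relay and the crypto-capable terminal, and the cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream plus an encrypt-then-MAC tag) so that the example runs on the Python standard library alone; a production device would use a vetted AEAD such as AES-GCM instead.

```python
"""Two-port cryptographic relay (added example, not from the patent).

Plaintext port  <-> CryptoRelay <-> encrypted port (network / crypto-capable terminal)
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from one shared master key."""
    enc_key = hmac.new(master_key, b"relay-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"relay-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: a stand-in for a real block cipher in CTR mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Frame layout: nonce || ciphertext || tag (tag covers nonce and ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(enc_key: bytes, mac_key: bytes, frame: bytes) -> Optional[bytes]:
    """Verify the tag in constant time before decrypting; None means the frame is rejected."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class CryptoRelay:
    """The relay device: terminates the encrypted link toward the crypto-capable
    terminal and speaks plaintext toward the terminal that has no cryptography."""

    def __init__(self, master_key: bytes):
        self.enc_key, self.mac_key = derive_keys(master_key)
        self.dropped = 0  # frames rejected at the encrypted port

    def from_plain_port(self, data: bytes) -> bytes:
        """Data input at the plaintext port is encrypted and output at the encrypted port."""
        return seal(self.enc_key, self.mac_key, data)

    def from_encrypted_port(self, frame: bytes) -> Optional[bytes]:
        """A frame input at the encrypted port is authenticated and decrypted, then output at
        the plaintext port. A frame that fails authentication is dropped, never forwarded."""
        plain = unseal(self.enc_key, self.mac_key, frame)
        if plain is None:
            self.dropped += 1
        return plain


def demo() -> dict:
    master = bytes(range(32))  # constructed demo key; a real device is provisioned per deployment
    relay = CryptoRelay(master)
    # The crypto-capable terminal shares the key and runs the same primitive.
    term_enc, term_mac = derive_keys(master)

    # Terminal without crypto -> relay plaintext port -> network -> crypto-capable terminal
    request = b"GET /status"
    on_wire = relay.from_plain_port(request)
    seen_by_crypto_terminal = unseal(term_enc, term_mac, on_wire)

    # Crypto-capable terminal -> network -> relay encrypted port -> plaintext port
    reply_frame = seal(term_enc, term_mac, b"200 OK")
    seen_by_plain_terminal = relay.from_encrypted_port(reply_frame)

    # A frame altered in transit must not reach the plaintext side.
    tampered = bytearray(reply_frame)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    forwarded_after_tamper = relay.from_encrypted_port(bytes(tampered))

    return {
        "wire_is_ciphertext": request not in on_wire,
        "crypto_terminal_sees": seen_by_crypto_terminal,
        "plain_terminal_sees": seen_by_plain_terminal,
        "tampered_forwarded": forwarded_after_tamper,
        "dropped": relay.dropped,
    }


if __name__ == "__main__":
    print(demo())
```

The point the claims leave implicit, and that the relay must get right, is the direction of trust: the plaintext port is only safe because the device is placed in the immediate vicinity of the terminal it serves (claims 9 and 13), and the encrypted port must authenticate before it decrypts, so that a corrupted or forged frame is dropped rather than handed to a terminal that has no way to check it.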
TW92112603A 2002-07-26 2003-05-08 Encryption system and encryption device TWI276018B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2002218590 2002-07-26

Publications (2)

Publication Number Publication Date
TW200402010A true TW200402010A (en) 2004-02-01
TWI276018B TWI276018B (en) 2007-03-11

Family

ID=31184685

Family Applications (1)

Application Number Title Priority Date Filing Date
TW92112603A TWI276018B (en) 2002-07-26 2003-05-08 Encryption system and encryption device

Country Status (2)

Country Link
TW (1) TWI276018B (en)
WO (1) WO2004012386A1 (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3263878B2 (en) * 1993-10-06 2002-03-11 日本電信電話株式会社 Cryptographic communication system

Also Published As

Publication number Publication date
TWI276018B (en) 2007-03-11
WO2004012386A1 (en) 2004-02-05

Similar Documents

Publication Publication Date Title
Potter Wireless security's future
Housley et al. Security problems in 802.11-based networks
US20050193199A1 (en) Accessing protected data on network storage from multiple devices
TW200307423A (en) Password device and method, password system
US7480939B1 (en) Enhancement to authentication protocol that uses a key lease
Kumar et al. A literature review of security threats to wireless networks
WO2006118603A2 (en) Systems and methods for the application of cryptosystems to the data link layer of wireless packet networks
US20020106085A1 (en) Security breach management
JP4752064B2 (en) Communication system on public line for restricting access, terminal connection device and server connection restriction device
US8707390B2 (en) System and method for secure access control in a wireless network
Singh et al. Analysis of security issues and their solutions in wireless LAN
Ajah Evaluation of enhanced security solutions in 802.11-based networks
US20070232316A1 (en) System and method for secure network browsing
US6975729B1 (en) Method and apparatus for facilitating use of a pre-shared secret key with identity hiding
KR101784240B1 (en) Communication security method and system using a non-address network equipment
Li et al. Encryption as an effective tool in reducing wireless LAN vulnerabilities
TW200402010A (en) Encryption system and encryption device
Cisco Introduction to IPSec
US20080059788A1 (en) Secure electronic communications pathway
Maple et al. Choosing the right wireless LAN security protocol for the home and business user
Nguyen Wireless Network Security: A Guide for Small and Medium Premises
JP4752062B2 (en) Terminal connection device and server connection restriction device on public line for performing access restriction
Pervaiz et al. Security in wireless local area networks
Sharma et al. Wireless Network Security: Requirements, Attacks, Vulnerabilities, Security Solutions
Mahammad et al. Key distribution scheme for preventing key reinstallation attack in wireless networks

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees