TW200534653A - Communication system using TCP/IP protocols - Google Patents


Info

Publication number
TW200534653A
Authority
TW
Taiwan
Prior art keywords
request
communication
server
common key
information
Prior art date
Application number
TW094101663A
Other languages
Chinese (zh)
Inventor
Junji Yoshida
Shinji Hamai
Chiyoko Matsumi
Original Assignee
Matsushita Electric Ind Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H04L 61/2521 Translation architectures other than single NAT servers
    • H04L 61/2528 Translation at a proxy
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/14 Session management
    • H04L 67/2866 Architectures; Arrangements
    • H04L 67/30 Profiles
    • H04L 67/303 Terminal profiles
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/30 Definitions, standards or architectural aspects of layered protocol stacks
    • H04L 69/32 Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L 69/322 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L 69/329 Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

A server apparatus receives a TCP connection start signal transmitted from a request issuance equipment and establishes a TCP connection with that equipment. Over that connection it receives a connection request signal that includes the equipment ID of a request acceptance equipment together with the IP address and port number of the request issuance equipment. The server apparatus searches an equipment information list for that equipment ID, identifies the equipment whose set of equipment information contains a matching equipment ID as the request acceptance equipment, takes the IP address and port number stored in that set of equipment information as the destination, and transmits to the request acceptance equipment a connection request signal that includes the IP address and port number carried in the received connection request signal.

Description

IX. Description of the Invention

Field of the Invention

The present invention relates to a communication system using the Transmission Control Protocol/Internet Protocol (TCP/IP). The present invention also relates to (a) a server apparatus for use in communication over a peer-to-peer connection between pieces of equipment connected to a network such as the Internet; (b) a request issuance equipment that issues a connection request signal; (c) a request acceptance equipment that accepts the connection request signal; (d) a server apparatus; (e) a communication system including the request issuance equipment and the request acceptance equipment; and (f) a communication method. The present invention further relates to a program including the steps of the communication method.

Prior Art

Background of the Invention

In recent years, since broadband environments such as xDSL and optical fiber cable have been built, the Internet has gradually spread not only to companies but also to ordinary homes. In addition, not only (a) personal computers (PCs) but also (b) AV devices (for example, television receivers and DVD recorders), (c) air conditioners, and (d) household electrical appliances (for example, refrigerators) can be connected to the Internet. In the description of the present invention, a device that is connected to a network (for example, the Internet) and communicates with other equipment is referred to as "communication equipment" or "equipment".

In order to connect a local area network (hereinafter referred to as a LAN) in a home or company to the Internet, a router apparatus having a network address translation (hereinafter referred to as NAT) function and a network address port translation (hereinafter referred to as NAPT) function is generally used.

When communication is performed between pieces of equipment connected to the Internet, a global IP address uniquely assigned to each piece of equipment is used. However, the number of available global IP addresses has been decreasing, because the number of pieces of equipment connected to the Internet has been increasing rapidly. As a result, private IP addresses according to RFC 1918, which are unique only within a LAN, are often used on LANs that are not directly connected to the Internet. It should be noted that a private IP address is not unique on the Internet and is not allowed to be used on the Internet. Consequently, a piece of equipment having a private IP address cannot communicate with other equipment connected to the Internet without some supporting mechanism.

The NAT function or the NAPT function solves this problem. The NAT or NAPT function performs translation between private IP addresses and global IP addresses, so that equipment that is assigned a private IP address and connected to the LAN can communicate with other equipment connected to the Internet.

The mechanism of the NAPT function is described with reference to Figures 10 to 12.

Figure 10 is a block diagram showing an example of the network configuration of a prior-art communication system. Referring to Figure 10, the request acceptance equipment 13 and a router apparatus 104 having the NAPT function constitute a LAN 106, and the LAN 106 is connected to the Internet (WAN) 105 at the WAN-side port of the router apparatus 104. The server apparatus 11 and the request issuance equipment 12 are also connected to the Internet (WAN) 105. To distinguish the Internet from the LAN, the Internet is referred to here as the WAN (wide area network).

Figure 11 is a sequence diagram showing an example of communication using the NAPT function. Referring to Figure 11, a packet 21 is transmitted from the request acceptance equipment 13 to the router apparatus 104. The router apparatus 104 performs forward translation processing on the packet 21 in step S22, and the resulting packet 23 is transmitted from the router apparatus 104 to the server apparatus 11. Further, a packet 25 is transmitted from the server apparatus 11 to the router apparatus 104. The router apparatus 104 performs reverse translation processing on the packet 25 in step S26, and the resulting packet 27 is transmitted from the router apparatus 104 to the request acceptance equipment 13.

Figure 12 is a table showing an example of the NAPT table of the router apparatus 104. The contents of the NAPT table are stored in a table memory (not shown) included in the router apparatus 104.

As shown in Figure 10, it is assumed that the global IP address "130.74.23.6" is assigned to the server apparatus 11, the global IP address "202.204.16.13" is assigned to the WAN side of the router apparatus 104, and the private IP address "192.168.1.3" is assigned to the request acceptance equipment 13.

An IP packet used for communication on the Internet contains a source IP address field (hereinafter referred to as SA) specifying the source and a destination IP address field (hereinafter referred to as DA) specifying the destination. In addition, when TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) is used as the transport protocol, the IP packet also contains a source port number field (hereinafter referred to as SP) holding the source port number and a destination port number field (hereinafter referred to as DP) holding the destination port number.

When the request acceptance equipment 13 performs TCP communication with the server apparatus 11, the request acceptance equipment 13 transmits the packet 21 shown in Figure 11 to the router apparatus 104. The packet 21 has SA "192.168.1.3" and SP "2000" specifying the source, and DA "130.74.23.6" and DP "1200" specifying the destination.

The router apparatus 104 performs the forward translation processing on the received packet 21 in step S22 and transmits the processed packet 23 to the server apparatus 11, the destination of the packet. In the forward translation processing of step S22, the router apparatus 104 replaces the SA, the private IP address "192.168.1.3", with the global IP address "202.204.16.13" of its own WAN side, and replaces the SP "2000" with a WAN-side port number "3400" of the router apparatus 104. At this time, the router apparatus 104 stores the pair of IP addresses "192.168.1.3" and "202.204.16.13" and the pair of port numbers "2000" and "3400" in the NAPT table, as shown in Figure 12.

On receiving the packet 23, the server apparatus 11 performs a predetermined response process in step S24 and then transmits the packet 25 to the router apparatus 104 as a response to the packet 23. The packet 25 has SA "130.74.23.6" and SP "1200" specifying the source, and DA "202.204.16.13" and DP "3400" specifying the destination.

On receiving the packet 25, the router apparatus 104 consults the NAPT table, performs the reverse translation processing on the packet 25 in step S26, and transmits the processed packet 27 to the request acceptance equipment 13. In the reverse translation processing of step S26, the router apparatus 104 first looks up the pair of the DA "202.204.16.13" and the DP "3400" in the NAPT table. Since the pair is present, the router apparatus 104 replaces the DA "202.204.16.13" of the packet 25 with "192.168.1.3" and then replaces the DP "3400" of the packet 25 with "2000".

The data stored in the NAPT table is retained during the communication and discarded after the communication ends.

Through this operation, equipment having a private IP address on the LAN can communicate with other equipment connected to the Internet. Conversely, however, equipment connected to the Internet cannot initiate communication with equipment having a private IP address on the LAN.

To solve this problem, a function called "static NAPT" is provided. That is, a static NAPT table is set in advance on the router apparatus 104. The contents of the static NAPT table are the same as those of the NAPT table shown in Figure 12; in this case, however, an unused port number should be specified as the WAN-side port number when the table is set. Using the static NAPT function has the following advantage. For example, when equipment on the Internet side transmits a packet to the router apparatus 104 addressed to the set global IP address and the set port number, the router apparatus 104 translates the IP address and the port number in a manner similar to the operation shown in Figure 11. The packet then reaches the request acceptance equipment 13, which has a private IP address and is connected to the LAN. As a result, equipment connected to the Internet can communicate with equipment having a private IP address on the LAN.

Incidentally, the global IP address of the router apparatus 104 is often not fixed. For example, when the router apparatus 104 is connected to an Internet service provider using PPP (Point-to-Point Protocol), or when an IP address is dynamically assigned to the router apparatus 104 by DHCP (Dynamic Host Configuration Protocol), the global IP address usually changes each time the router apparatus 104 connects to the Internet. This makes it difficult to keep track of the global IP address of the equipment to be connected. In addition, if static NAPT is used, equipment on the Internet can reach the equipment on the LAN even while no communication is in progress between them, which disadvantageously lowers security.

To solve these problems, a communication system was proposed in International Publication WO-2004-030314-A1, which belongs to the family of Japanese Patent No. 3445986. The communication system proposed in that international publication is described with reference to Figures 10 to 13.

Figure 13 is a sequence diagram showing an example of the communication sequence of the communication system shown in Figure 10. As shown in Figure 10, it is assumed that a global IP address "8117121〇9" is assigned to the request issuance equipment 12. It is also assumed that the request acceptance equipment 13 stores, in an internal memory (not shown), an equipment ID uniquely assigned to the equipment 13.

The request acceptance equipment 13 periodically transmits, using UDP, a device registration packet 31 containing its equipment ID in the payload to the server apparatus 11. The private IP address "192.168.1.3" of the request acceptance equipment 13 is written in the SA of the device registration packet 31. When the device registration packet 31 passes through the router apparatus 104, its SA and SP are translated by the NAPT function described above, and the translated packet 31 is transmitted to the server apparatus 11. The server apparatus 11 examines the received device registration packet 31 and, in step S32, stores the equipment ID, the global IP address and the port number of the request acceptance equipment 13 as a set.

Since the request acceptance equipment 13 transmits the device registration packet 31 to the server apparatus 11 periodically, even if the global IP address of the router apparatus 104 or its WAN-side port number changes, the equipment ID, global IP address and port number of the request acceptance equipment 13 stored in the server apparatus 11 are automatically updated by executing step S32, step S32A similar to step S32, or the like.

On the other hand, when the request issuance equipment 12 wishes to communicate with the request acceptance equipment 13, the request issuance equipment 12 first transmits a TCP connection start packet 33 to the server apparatus 11, thereby establishing a TCP connection with the server apparatus 11, and then transmits to the server apparatus 11 a connection request packet 34 containing the equipment ID of the request acceptance equipment 13, which is the intended peer. On receiving the connection request packet 34, the server apparatus 11 searches, in step S35, the equipment ID list stored in its internal memory (not shown). If an entry with an equipment ID identical to the equipment ID contained in the connection request packet 34 is present, the server apparatus 11 transmits, using UDP, a connection request notification packet 36 to the equipment identified by the IP address and port number associated with that equipment ID. The connection request notification packet 36 is transmitted to the router apparatus 104 as a response to the device registration packet 31; its IP address and port number are therefore translated by the router apparatus 104, so that the connection request notification packet 36 reaches the request acceptance equipment 13. On receiving the connection request notification packet 36, the request acceptance equipment 13 transmits a TCP connection start packet 37 to the server apparatus 11 and thereby establishes a TCP connection with the server apparatus 11.

Subsequently, when the request issuance equipment 12 transmits a command signal 38 to the server apparatus 11 over the TCP connection started by the TCP connection start packet 33, the server apparatus 11 can transfer the command signal 38 to the request acceptance equipment 13 over the TCP connection started by the TCP connection start packet 37. Further, when the request acceptance equipment 13 transmits a packet to the server apparatus 11 over the TCP connection started by the TCP connection start packet 37, the server apparatus 11 can transfer that packet to the request issuance equipment 12 over the TCP connection started by the TCP connection start packet 33.

In this way, relaying by the server apparatus 11 allows communication between the request issuance equipment 12, which has a global IP address and is connected to the Internet, and the request acceptance equipment 13, which has a private IP address and is connected to the LAN. Even if the request issuance equipment 12 is located in another LAN and connected to the Internet through a router apparatus, the request issuance equipment 12 can communicate with the request acceptance equipment 13 by the same operation.
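The NAPT behaviour of Figures 10 to 12, as an added example that is not part of the patent: a router model that performs the forward translation of step S22 and the reverse translation of step S26 with the addresses and port numbers given above, drops inbound packets that match no table row (the reason a WAN host cannot initiate communication with the LAN host), and supports a pre-configured static NAPT row. The sequential WAN-port allocation, the `end_communication` call and the WAN-side address `198.51.100.7` are assumptions made for the example.

```python
# Added example (not code from the patent): NAPT forward (step S22) and reverse (step S26)
# translation of Figures 10-12, with the addresses and port numbers given in the description.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """Only the four header fields the description names: SA, SP, DA, DP."""
    sa: str
    sp: int
    da: str
    dp: int


class NaptRouter:
    """Router apparatus 104: one NAPT table mapping (private IP, private port) <-> WAN port."""

    def __init__(self, wan_ip: str, first_wan_port: int = 3400) -> None:
        self.wan_ip = wan_ip
        self._next_port = first_wan_port                  # assumption: WAN ports handed out in order
        self.table: Dict[Tuple[str, int], int] = {}       # Figure 12 rows: (SA, SP) -> WAN port
        self._by_wan_port: Dict[int, Tuple[str, int]] = {}
        self._static_ports: Set[int] = set()              # static NAPT rows are never discarded

    def add_static_entry(self, private_ip: str, private_port: int, wan_port: int) -> None:
        """Static NAPT: the operator pre-configures an unused WAN-side port for one LAN host."""
        if wan_port in self._by_wan_port:
            raise ValueError(f"WAN port {wan_port} is already in use")
        self.table[(private_ip, private_port)] = wan_port
        self._by_wan_port[wan_port] = (private_ip, private_port)
        self._static_ports.add(wan_port)

    def forward(self, pkt: Packet) -> Packet:
        """Step S22 (LAN -> WAN): rewrite SA/SP to the WAN address and a WAN port, recording the pair."""
        key = (pkt.sa, pkt.sp)
        wan_port = self.table.get(key)
        if wan_port is None:
            wan_port = self._next_port
            self._next_port += 1
            self.table[key] = wan_port
            self._by_wan_port[wan_port] = key
        return replace(pkt, sa=self.wan_ip, sp=wan_port)

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """Step S26 (WAN -> LAN): look up (DA, DP); with no matching row the packet is dropped."""
        if pkt.da != self.wan_ip:
            return None
        inner = self._by_wan_port.get(pkt.dp)
        if inner is None:
            return None   # no row: a WAN host cannot initiate communication with the LAN host
        return replace(pkt, da=inner[0], dp=inner[1])

    def end_communication(self, private_ip: str, private_port: int) -> None:
        """Dynamic rows are discarded when the communication ends; static rows stay."""
        wan_port = self.table.get((private_ip, private_port))
        if wan_port is not None and wan_port not in self._static_ports:
            del self.table[(private_ip, private_port)]
            del self._by_wan_port[wan_port]


def figure_11_sequence(router: NaptRouter) -> Tuple[Packet, Packet, Packet, Packet]:
    """Packets 21, 23, 25 and 27 of Figure 11 for the addresses of Figure 10."""
    pkt21 = Packet(sa="192.168.1.3", sp=2000, da="130.74.23.6", dp=1200)
    pkt23 = router.forward(pkt21)                        # step S22
    # Server apparatus 11 answers (step S24) by swapping source and destination of packet 23.
    pkt25 = Packet(sa=pkt23.da, sp=pkt23.dp, da=pkt23.sa, dp=pkt23.sp)
    pkt27 = router.reverse(pkt25)                        # step S26
    assert pkt27 is not None
    return pkt21, pkt23, pkt25, pkt27


if __name__ == "__main__":
    r = NaptRouter("202.204.16.13")
    for p in figure_11_sequence(r):
        print(p)
    # Unsolicited packet from the WAN side (constructed address): no NAPT row, so it is dropped.
    print(r.reverse(Packet("198.51.100.7", 40000, "202.204.16.13", 5000)))
```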

Further, Japanese Patent Application Publication No. 2003-203023 discloses an information processing system for transmitting data directly, in a peer-to-peer manner, between unknown pieces of equipment connected to the Internet by exchanging global IP addresses. Clients that each have a global IP address are connected to one another by peer-to-peer connections, while other clients are connected to one another through a server by client-server connections. A peer-to-peer connection is established using the global IP addresses the clients have obtained. By partially converting client-server connections into peer-to-peer connections, local concentration of traffic at the server can be prevented.

However, the communication system disclosed in International Publication WO-2004-030314-A1 has the following problem. The communication system disclosed in that international publication always performs communication through the server apparatus 11. For this reason, when large volumes of data, such as moving-image data, are transmitted between the pieces of equipment, a large load is placed on the server apparatus. In particular, when many communications are performed at the same time, they sometimes cannot be handled even if the processing is distributed over a plurality of server apparatuses.

Further, the information processing system disclosed in Japanese Patent Application Publication No. 2003-203023 performs peer-to-peer transmission only between pieces of equipment having global IP addresses, not between pieces of equipment having private IP addresses and connected to LANs.

Disclosure of the Invention

Summary of the Invention

An object of the present invention is to provide a server apparatus, a request issuance equipment, a request acceptance equipment, a communication system and a communication method that solve the above problems of the prior art and realize peer-to-peer communication between pieces of equipment that each have a private IP address but are located on different LANs on which any illegal access is prohibited. Another object of the present invention is to provide a program including the steps of the communication method.

According to the first aspect of the present invention, there is provided a server apparatus in a communication system. In the communication system, the server apparatus and a plurality of pieces of equipment including a request issuance equipment and a request acceptance equipment are each connected to a network, and the server apparatus is operable to transfer a connection request signal from the request issuance equipment to the request acceptance equipment. The server apparatus includes an equipment information storage device operable to store an equipment information list that contains a set of equipment information for each of the plurality of pieces of equipment, the set of equipment information containing the IP address and port number associated with that piece of equipment and its equipment ID.

The server apparatus is operable to receive a device registration signal that contains the set of equipment information for the request acceptance equipment and is transmitted periodically from the request acceptance equipment, and to store, in the equipment information storage device, the set of equipment information for the request acceptance equipment contained in the received device registration signal. The server apparatus is operable to receive a first TCP connection start signal transmitted from the request issuance equipment so as to establish a first TCP connection with the request issuance equipment. The server apparatus is operable to receive a first connection request signal that contains the equipment ID of the request acceptance equipment and the IP address and port number associated with the request issuance equipment, and that is a request addressed to the request acceptance equipment and transmitted from the request issuance equipment over the first TCP connection. The server apparatus is operable to search the equipment information list for the equipment ID of the request acceptance equipment contained in the received first connection request signal, to identify as the request acceptance equipment the equipment whose set of equipment information contains an equipment ID matching the equipment ID of the request acceptance equipment contained in the first connection request signal, and to identify the IP address and port number contained in that set of equipment information as the IP address and port number associated with the request acceptance equipment on the equipment information list. The server apparatus is operable to transmit, with the identified IP address and the identified port number set as the destination, a second connection request signal containing the IP address and port number associated with the request issuance equipment that were contained in the received first connection request signal, to the identified request acceptance equipment as a response signal to the device registration signal.

In the above server apparatus, after identifying the IP address and port number contained in the set of equipment information of the identified request acceptance equipment as the IP address and port number associated with the request acceptance equipment, and before transmitting the second connection request signal to the identified request acceptance equipment, the server apparatus transmits a third connection request signal to the request acceptance equipment, receives from the request acceptance equipment a second TCP connection start signal as a response signal to the third connection request signal so as to establish a second TCP connection with the request acceptance equipment, and transmits the second connection request signal to the request acceptance equipment over the established second TCP connection.

而發运第二連接要求錢至該要求接受設備。 上述之他職置中,該第—連接要求信號進一步 ^供用於該要求接受設備之密碼資訊。該舰器裝置 ^作以增加被包含於第__連接要求信號中之該密碼資訊 連接要求信號,並且發送包含該密碼資訊之第二連 接要求信號。And shipping a second connection requires money to the request accepting device. In the other positions mentioned above, the first connection request signal is further provided for the password information of the request acceptance device. The warship device works to increase the password information connection request signal included in the __ connection request signal, and sends a second connection request signal including the password information.
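The registration, lookup and relay steps of the server device described above, together with the password rule the request accepting device applies, as an added Go model that is not code from the patent. It uses the addresses, ports and device IDs the embodiment assigns in Fig. 1 and Fig. 6; the server port, the password, the packet field names and the NAPT router model are assumptions. The point it makes explicit is why the periodic registration matters: the server's list holds the address and port as translated by the accepting device's router, and the relayed connection request can only get back into that LAN through the mapping the registration packet created.

```go
package main

import (
	"crypto/subtle"
	"errors"
)

// Endpoint is an IP address and port number as carried in a packet header.
type Endpoint struct {
	IP   string
	Port int
}

// serverAddr is server device 101's global IP address from Fig. 1; the port is constructed.
var serverAddr = Endpoint{"130.74.23.6", 5000}

// Packet is a constructed model (not the patent's wire format): header fields SA/SP, DA/DP plus payload fields.
type Packet struct {
	SA, DA   Endpoint
	DeviceID string   // packet 201: ID of the registering device
	TargetID string   // packet 217: ID of the request accepting device
	Peer     Endpoint // packets 217/226: global endpoint of the issuing device
	Password string   // packets 217/226: password for the target device
}

// NAPTRouter models router devices 104a/104b: private (IP, port) -> port on the global address, as in Fig. 6.
type NAPTRouter struct {
	WANIP    string
	nextPort int
	out      map[Endpoint]int
	in       map[int]Endpoint
}

func NewNAPTRouter(wanIP string, firstPort int) *NAPTRouter {
	return &NAPTRouter{wanIP, firstPort, map[Endpoint]int{}, map[int]Endpoint{}}
}

// Outbound rewrites SA/SP of a packet leaving the LAN and records the mapping.
func (r *NAPTRouter) Outbound(p Packet) Packet {
	port, ok := r.out[p.SA]
	if !ok {
		port, r.nextPort = r.nextPort, r.nextPort+1
		r.out[p.SA], r.in[port] = port, p.SA
	}
	p.SA = Endpoint{r.WANIP, port}
	return p
}

// Inbound rewrites DA/DP of a packet from the WAN; without an entry the packet is dropped, so the
// server can reach device 103 only through the mapping its registration packet created.
func (r *NAPTRouter) Inbound(p Packet) (Packet, error) {
	priv, ok := r.in[p.DA.Port]
	if !ok || p.DA.IP != r.WANIP {
		return Packet{}, errors.New("no NAPT entry for destination: packet dropped")
	}
	p.DA = priv
	return p, nil
}

// DeviceList is the device information list of Fig. 9 kept by server device 101: device ID -> global endpoint.
type DeviceList map[string]Endpoint

// Register handles packet 201 (step S202): the entry is the SA/SP seen after NAPT, not an address the device claims.
func (d DeviceList) Register(p Packet) { d[p.DeviceID] = p.SA }

// Relay handles packet 217 (steps S204/S205): look the target ID up and address packet 226 to the registered endpoint.
func (d DeviceList) Relay(req Packet) (Packet, error) {
	dst, ok := d[req.TargetID]
	if !ok {
		return Packet{}, errors.New("device ID not registered")
	}
	return Packet{SA: serverAddr, DA: dst, Peer: req.Peer, Password: req.Password}, nil
}

// Decide is the accepting device's rule: packet 208 is sent only when the password in packet 226 matches
// the stored one. The constant-time comparison does not leak how many leading bytes matched.
func Decide(stored string, p Packet) (Endpoint, bool) {
	if subtle.ConstantTimeCompare([]byte(p.Password), []byte(stored)) != 1 {
		return Endpoint{}, false
	}
	return p.Peer, true
}

// RunSequence plays steps S202 to S208 with the addresses of Fig. 1 (password "pw-2133" is constructed)
// and returns the endpoint device 103 would dial and whether it accepted the request.
func RunSequence(password string) (Endpoint, bool, error) {
	list := DeviceList{}
	routerA, routerB := NewNAPTRouter("4.17.168.2", 7000), NewNAPTRouter("202.204.16.13", 3400)
	list.Register(routerB.Outbound(Packet{SA: Endpoint{"192.168.1.3", 2000}, DA: serverAddr, DeviceID: "2133"}))
	// Device 102 puts into packet 217 the global endpoint it obtained in advance, as the text assumes.
	req := Packet{SA: Endpoint{"192.168.1.11", 1500}, DA: serverAddr,
		TargetID: "2133", Peer: Endpoint{"4.17.168.2", 7000}, Password: password}
	notify, err := list.Relay(routerA.Outbound(req))
	if err == nil { // packet 226 reaches router 104b, which reverse-translates DA/DP
		notify, err = routerB.Inbound(notify)
	}
	if err != nil {
		return Endpoint{}, false, err
	}
	peer, ok := Decide("pw-2133", notify)
	return peer, ok, nil
}
```

Calling RunSequence with the stored password yields the endpoint 4.17.168.2:7000 and true; a wrong password yields false without an error; an unregistered device ID, or a destination for which the router holds no NAPT entry, yields an error. The constant-time comparison is not mentioned by the patent, but any implementation of the password rule should use one.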

上述之伺服II裝置進-步地包含第一加密碼通訊裝 以及證明資訊儲存裝置。第_加密碼通訊裝置可操 作以產生供用於通訊之第一共同密鑰以及供用於通訊之第 Π岔鑰,使用供通汛用之該第一共同密鑰以解密碼該 被接收之信號,並且使用供通訊用之該第二共同密鑰而加 岔碼於該被發送之信號。證明資訊儲存裝置可操作以儲存 用以證實該伺服器裝置之有效性的伺服器證明資訊。 該伺服器裝置可操作以在接收第一連接要求信號之前 發送該伺服器證明資訊至該要求發出設備。該伺服器裝置 可操作以使用該第一TCP連接自該要求發出設備而接收因 20反應於該伺服器證明資訊被產生之第一共同密鑰產生資 訊,反應於該第一共同密鑰產生資訊而導致該第一加密碼 通訊裝置產生第二共同密鑰產生資訊,導致該第一加密碼 通訊裝置依據第一共同密鑰產生資訊和第二共同密鑰產生 資訊而產生供用於通訊之第一共同密鑰,使用第一TCP連 15 200534653 接以發送該第二共同密鑰產生資訊至該要求發出設備,並 且導致該要求發出設備依據該第一共同密鑰產生資訊和第 二共同密鑰產生資訊而產生與供通訊用之第一共同密鑰相 同的通訊用之共同密鑰,以與該要求發出設備共用通訊用 5 之第一共同密鑰。該伺服器裝置可操作以使用第一 TCP連 接自該要求發出設備而接收使用供通訊用的第一共同密鍮 被加密碼之第一連接要求信號,並且導致該第一加密碼通 訊裝置使用供通訊用之第一共同密鑰而解密碼該被接收之 第一連接要求信號。在發送第二連接要求信號之前,該伺 10 服器裝置發送該伺服器證明資訊至該要求接受設備。該祠 服器裝置可操作以使用該第二TCP連接自該要求接受設備 而接收因反應於該伺服器證明資訊被產生之第三共同密鍮 產生> ,導致5亥第一加岔碼通訊裝置反應於該第三共同 密鑰產生資訊而產生第四共同密鑰產生資訊,導致該第一 15加密碼通訊裝置依據該第三共同密鑰產生資訊和第四共同 密鑰產生資訊而產生供通訊用之第二共同密鑰,使用第二 TCP連接而發送該第四共同密瑜產生資訊至該要求接受設 備,並且導致該要求接受設備依據該第三共同密输產生資 訊和第四共同密鑰產生資訊而產生與供通訊用之第二共同 20密鍮相同的通訊用之共同密鑰以與該要求接受設備共用通 訊用之第二共同密鍮。在接收第—連接要求信號之後且在 發送第二連接要求信號之前,該伺服器農置導致該第—加 密碼通訊裝置使用供通訊用之第二共同密输而加密碼於第 一連接要求信號。 16 200534653 依據本發明第二論點,揭示一種提供於一通訊系統中 之要求發出設備。於該要求發出設備中,一伺服器裝置以 及包含該要求發出設備和一要求接受設備之多數個設備被 各連接到一網路,並且該要求發出設備可操作以與伺服器 5裝置和要求接受設備通訊。該要求發出設備可操作以發送 弟一 TCP連接開始信號至該伺服器裝置以供建立與該伺服 器裝置之第一 TCP連接。該要求發出設備可操作以使用第 一TCP連接而發送第一連接要求信號至該伺服器裝置,該 第一連接要求信號包含該要求接受設備之一設備ID以及相 10關於該要求發出設備之一 IP位址和一接埠號碼,且該第一 連接要求信號是至該要求接受設備之一要求。在從該要求 接受設備接收供用於要求在該要求發出設備和該要求接受 設備之間的通訊之一通訊要求信號之後,該要求發出設備 反應於該通訊要求信號而接受在該要求發出設備和該要求 15接受設備之間的通訊,並且開始與該要求接受設備之通訊。 於上述之要求發出設備中,該第一連接要求信號進一 步地包含供用於該要求接受設備之密碼資訊。 上述之要求發出設備進一步地包含第二加密碼通訊裝 置,以及第一組證明資訊認證裝置。第二加密碼通訊裝置 20可操作以產生供通訊用之第一共同密鍮,且使用供通訊用 之第一共同密鑰而加密碼於被發送之信號。第一證明資訊 認證裝置可操作以認證用以證實該伺服器裝置之有效性的 伺服器證明資訊。該要求發出設備可操作以在發送第一連 接要求信號之前自該伺服器裝置接收該伺服器證明資訊。 17 200534653 該要求發出設備可操作以藉由該第一證明資訊認證裝置以 認證被接收之伺服器證明資訊並且確認該被接收之伺服器 證明資訊是否有效。當確認該被接收之伺服器證明資訊為 有效時,該要求發出設備導致該第二加密碼通訊裝置產生 5 第一共同密鑰產生資訊,使用第一TCP連接以發送該被產 生之第一共同密鑰產生資訊至該伺服器裝置,使用第一 TCP連接以自該伺服器裝置接收因反應於第一共同密鑰產 生資訊所產生之第二共同密鑰產生資訊,導致該第二加密 碼通訊裝置依據第一共同密鑰產生資訊和第二共同密鎗產 10 生資訊而產生供通訊用之第一共同密鑰,並且導致該伺服 器裝置依據第一共同密输產生資訊和第二共同密鑰產生資 訊而產生與通訊用之第一共同密鑰相同的供通訊用之共同 
密錄以與該伺服器裝置共用通訊用之第一共同密鑰。在發 送第一連接要求信號之前,該要求發出設備導致該第二加 15密碼通訊裝置使用通訊用之第一共同密鑰而加密碼於第一 連接要求信號。該要求發出設備可操作以使用第一TCP連 接而發送該被加密碼之第一連接要求信號至該伺服器裝 置。 依據本發明第三論點,揭示一種提供於一通訊系統中 20之要求接受設備。於該通訊系統中,伺服器裝置以及包含 一要求發出設備和該要求接受設備之多數個設備各被連接 到一網路,該要求接受設備可操作以與伺服器裝置和要求 發出設備通訊。該要求接受設備包含一組設備ID儲存裝 置,其可操作以儲存該要求接受設備之設備ID。該要求接 18 200534653 受設備可操作以週期性地發送包含該要求接受設備之設備 ID之設備註冊信號至該伺服器裝置。該要求接受設備可操 作以自該伺服器裝置接收包含相關於該要求發出設備之一 IP位址和一接埠號碼之第二連接要求信號作為對於該設備 5註冊信號的反應信號。該要求接受設備可操作以發送用以 要求在該要求接受設備和該要求發出設備之間的通訊之一 通訊要求信號至利用被包含於該被接收之第二連接要求信 號中的該IP位址和該接埠號碼所代表之該要求發出設備。 在該要求發出設備反應於該通訊要求信號而接受在該要求 10接受設備和該要求發出設備之間的通訊之後,該要求接受 設備開始與該要求發出設備的通訊。 於上述之要求接受設備中,在發送該設備註冊信號至 該伺服器裝置之後且在接收第二連接要求信號之前,該要 求接受設備自該伺服器裝置接收第三連接要求信號作為對 15於該設備註冊信號之反應信號,並且發送第二TCP連接開 始信號至該伺服器裝置作為對於該第三連接要求信號之反 應信號以建立與該伺服器裝置之第二TCP連接。該要求接 受設備可操作以使用該被建立之第二TCP連接而自該伺服 器裝置接收第二連接要求信號。 20 上述之要求接受設備進一步地包含一密碼資訊儲存裝 置’其可操作以儲存供用於該要求接受設備之密碼資訊。 該要求接受設備可操作以使用第二Tcp連接而自該伺服器 裝置接收進一步地包含密碼資訊之第二連接要求信號。該 要求接受設備可操作,而僅當被包含於第二連接要求信號 200534653 中之該密碼資訊與供用於被儲存於該密碼資訊儲存裝置中 之該要求接受設備的該密碼資訊相符時,則發送通訊要求 信號至該要求發出設備。 上述之要求接受設備進一步地包含第三加密碼通訊裝 5置,以及第二證明資訊認證裝置。該第三加密碼通訊裝置 可操作以產生供通訊用之第二共同密鑰,並且使用該通訊 用之第二共同密鑰以解密碼該被接收之信號。第二證明資 訊認證裝置可操作以認證用以證實該伺服器裝置之有效性 的伺服器證明資訊。在接收第二連接要求信號之前,該要 10求接受設備自該伺服器裝置接收該伺服器證明資訊。該要 求接受設備可操作以導致該第二證明資訊認證裝置認證該 被接收之伺服器證明資訊是否為有效以確認該被接收之伺 服器證明資訊是否為有效。當確認該被接收之伺服器證明 資訊為有效時,該要求接受設備導致該第三加密碼通訊裝 15置產生第三共同密鑰產生資訊,使用第二TCP連接以發送 該被產生之第三共同密鑰產生資訊至伺服器裝置,使用第 二TCP連接而自該伺服器裝置接收因反應於該第三共同密 鑰產生資訊被產生之第四共同密鑰產生資訊,導致該第三 加密碼通訊裝置依據第二共同密鑰產生資訊和第四共同密 20 鑰產生資訊而產生通訊用之第二共同密鑰,並且導致該伺 服器裝置依據該第三共同密鍮產生資訊和該第四共同密鍮 產生資訊而產生與通訊用之第二共同密鑰相同的通訊用之 共同密鑰以與該伺服器裝置共用供通訊用之第二共同密 鑰。該要求接受設備可操作以使用該第二TCP連接自該伺 20 200534653 服器裝置接收使用供通訊用之弟~共同密輪而被加密碼之 第二連接要求信號,並且導致該第三加密碼通訊裝置使用 通訊用之第二共同密鑰而解密碼該被接收之第二連接要求 信號。 5 依據本發明第四論點,提供一通訊系統,該系統包含 該祠服器裝置、包含要求發出設備和要求接受設備之多數 個设備。於遠通訊糸統中,該專多數個設備以及該伺服器 裝置各被連接到一網路。 依據本發明第五論點,提供一通訊方法,該方法包含 10多數個步驟,該等步驟利用該伺服器裝置、該要求發出設 備以及該要求接受設備而被執行。 依據本發明第六論點,提供用以導致一電腦進行該通 訊方法之程式。 因此,依據本發明,可實現在該要求發出設備和該要 15求接又5又備之間的點對點通訊,其中該要求發出設備和該 • I求接受設備各具有—㈣1P他,而被置放於具有禁止 任何非法存取之不同的LAN上。進—步地,依據本發明, t含j訊方法之步驟的程式可被提供,而當該程式利用電 ―或:備被β取日夺,允許連接到網際網路之電腦或設備執 
20行通訊方法之步驟。 圖式簡單說明 第1圖是依據本發明較佳實施例之通訊系統的 網路組 怨方塊圖; &岐之通訊线中被執行之通訊 21 200534653 序列範例的順序圖; 斤第圖疋展不在第2圖所示之步驟§2〇3中被詳細地處理 之第一連接要求順序的順序圖; 第4圖是風-丄 展不在弟2圖所示之步驟S206中被詳細處理之 5第二連接要求順序的順序圖; 第5圖是證日倾職置51之方塊圖,其龍用於第1圖 展不之要求發出設備102和要求接受設備1〇3的伺服器裝置 101是否為有效; 第6圖是展示被儲存於第1圖所示之徑由器裝置⑺如的 10 内部列表記憶體104am中之NAPT列表範例的列表; 第7A圖是展示第2圖所示之LAN端設備註冊封包2〇1組 態的分解圖; 第7B圖是展示第2圖所示之WAN端設備註冊封包2〇1 組態的分解圖; 15 第7C圖是展不第3圖所不之LAN端連接要求封包217組 ^ 態的分解圖; 第7D圖是展示第3圖所示之WAN端連接要求封包217 組態的分解圖; 第8A圖是展示第2圖所示之LAN端連接要求通知封包 20 205組態的分解圖; 第8B圖是展示第2圖所示之WAN端連接要求通知封包 205組態的分解圖; 第8C圖是展示第4圖所示之LAN端連接要求封包226組 態的分解圖; 22 200534653 第8D圖是展示筮 - 弟4圖所不之WAN端連接要求封包226 組態的分解圖; 第9圖是展示姑#姑 被錯存於苐1圖所示之伺服器裝置101的 列表記憶體10lm中之設備資訊列表範例的列表; 5 第 圖是展 、尤則技術通訊系統之網路組態範例的方 塊圖; 第U圖疋展不使用徑由器裝置之NAPT功能而用於通 訊之通訊序列範例的順序圖; 第12圖疋展不徑由器裝置104之NAPT列表範例的列 10 表;並且 第13圖是展示第1〇圖所示之通訊系統的通訊序列範例 之順序圖。 【實施方式】 執行本發明最佳模式 15 此後將參考第1至9圖而說明本發明較佳實施例。 第1圖疋展示依據本發明較佳實施例之通訊系統網路 組態範例的方塊圖。具有NAPT功能之要求發出設備1〇2和 徑由器裝置104a構成要求·發出-端LAN 106a。要求-發出-端LAN 106a在徑由器裝置l〇4a之WAN端接埠被連接到網 20 際網路(WAN)105。進一步地,具有NAPT功能之要求接受 設備103和徑由器裝置104b構成一要求-接受-端LAN 106b。要求-接受-端LAN 106b在徑由器裝置104b之WAN端 接埠被連接到網際網路(WAN)105。此外,伺服器裝置101 被連接到網際網路(WAN)105 ° 23 200534653 依據本發明較佳實施例之通訊系統包含多數個設備, 例如,要求發出設備102和要求接受設備103,各被連接到 網際網路(WAN)105,並且伺服器裝置101被連接到網際網 路(WAN)105。於該通訊系統中,在該要求-發出-端LAN 5 l〇6a上之要求發出設備102經由伺服器裝置101而轉移一連 接要求信號至要求-接受-端LAN 106b上之要求接受設備 103,並且在要求發出設備1〇2和要求接受設備1〇3之間的通 訊被執行。於這通訊系統中,伺服器裝置101包含儲存設備 資訊列表之設備資訊儲存裝置或設備的列表記憶體1 〇lm, 10 如第9圖之展示,包含在由相關於各設備之一組IP位址和接 埠號碼以及設備之設備ID構成的各設備上之一組設備資 訊。要求接受設備103週期性地發送一包含要求接受設備 103上之一組設備資訊的設備註冊封包2〇1至伺服器裝置 101。於第2圖所展示步驟S202和S202A,伺服器裝置101接 15收該設備註冊封包201,並且儲存被包含於此被接收設備註 冊封包201中要求接受設備丨〇3上之一組設備資訊於該列表 記憶體101m中。當與要求接受設備1〇3通訊時,要求發出設 備102首先執行步驟S203之第一組連接要求序列。在步驟 S203,要求發出設備1〇2發送一TCp連接開始封包211至伺 20 服器裝置1〇1,因而建立與伺服器裝置101之第一組TCP連 接,並且接著,使用第一TCP連接而發送一連接要求封包 217(其包含要求接受設備1〇3之設備ID,以及相關於將被發 送至要求接受設備103之要求發出設備102的IP位址和接埠 號碼)至伺服器裝置101。伺服器裝置101接收連接要求封包 24 200534653 217。在步驟S204,伺服器裝置1〇1從設備資訊列表搜尋被 包含於所接收之連接要求封包217中之要求接受設備1〇3的 a又備ID,辨識關於包含符合於被包含在連接要求封包a? 
中之要求接受設備103的設備之一設備仍的一組設備資訊 5之設備作為於設備資訊列表上之要求接受設備103,並且辨 識被包含於相關於被辨識之要求接受設備1〇3的一組設備 資訊中之IP位址和接埠號碼作為相關於該設備資訊列表上 之要求接又设備103的IP位址和接埠號碼。在步驟S2〇5,伺 服器裝置ιοί發送一連接要求封包226至該被辨識之要求接 10文没備103,該連接要求封包226包含相關於要求發出設備 102之IP位址和接埠號碼且被包含於該被接收之連接要求 封包217中,作為對於設備註冊封包2〇1之反應信號而以被 辨識之IP位址和接埠號碼作為目的地。要求接受設備1〇3接 收連接要求封包226。此外,要求接受設備1〇3發送一Tcp 15連接要求封包208至利用被包含於被接收之連接要求封包 226中的IP位址和接埠號碼被表示之要求發出設備1〇2,作 為要求在要求發出設備1〇2和要求接受設備1〇3之間通訊的 通訊要求信號。當要求發出設備102反應於Tcp連接要求封 包208而接受在要求發出設備102和要求接受設備1〇3之間 20的通訊時,用於在要求發出設備102和要求接受設備1〇3之 間的資料通訊之資料通訊序列於步驟S2〇9開始。 於本發明較佳實施例中,伺服器裝置1〇1、要求發出設 備102、以及要求接受設備103可以被構成為藉由用以執行 多數個步驟之電腦可讀程式而操作用於通訊之設備或一般 25 200534653 目的之電腦,其稍後將被說明。 於本發明較佳實施例中,如下所示地被假設,如第i 圖所展示之“130·74·23·6”被配置於伺服器裝置101中作為廣 域1Ρ位址’該伺服器裝置101包含用以儲存其廣域IP位址和 5設備資訊列表之列表記憶體l〇lm。“192.168.1.11”被配置於 要求發出設備102中作為私用IP位址。“ 192·ΐ68·1·3,,被配置 於要求接受設備103中作為私用IP位址。要求發出設備1〇2 包含一列表記憶體l〇2m,其儲存其私用ip位址和接埠號 碼。要求接受設備103包含一列表記憶體i〇3m,其儲存其私 10用IP位址和接埠號碼。“4.17.168.2,,被配置於徑由器裝置 104a中作為廣域IP位址,並且“202.204.16.13”被配置於徑由 器裝置104b中作為廣域ip位址。以相似於第12圖展示之方 式’徑由器裝置104a儲存第6圖之NAPT列表内容(包含其 WAN端之接埠號碼和廣域IP位址、以及要求發出設備丨〇2 15 之私用IP位址和接埠號碼)於其内部列表記憶體104am中。 進一步地,徑由器裝置l〇4b儲存NAPT列表内容(包含其 WAN端之接埠號碼及廣域ip位址,以及要求接受設備1〇3 之私用IP位址和接埠號碼),於内部列表記憶體l〇4bm中。 同時也如下所示地假設。要求發出設備1〇2儲存唯一地 2〇 被配置至設備1〇2之一組設備ID“1051”於其内部列表記憶 體102m中,並且要求接受設備1〇3儲存唯一地被配置至設備 103之一組設備ID“2133”於其内部列表記憶體l〇3m中。該設 備ID是唯一地被指定至本發明較佳實施例執行點對點通訊 之各設備的辨識資訊。例如,被設備製造商配置之一組辨 26 200534653 識數字或MAC位址可被使用作為設備ID。但是,該設備ID 是不只受限於它們。 進一步地假設,要求接受設備103儲存作為秘密資訊之 一組密碼於其内部列表記憶體103m中。如稍後將說明,執 5 行與要求接受設備103之點對點通訊的要求發出設備102需 要預先地取得一密碼和要求接受設備102之設備ID,以及徑 由器裝置104a之廣域IP位址和WAN端之接埠號碼,並且儲 存它們於其内部列表記憶體102m中。 第2至4圖是展示通訊序列範例之順序圖,其被執行於 10 第1圖展示之通訊系統中。第7A至7D圖以及第8A至8D圖展 示供使用於第2至4圖展示之通訊序列中的多數個封包範 例0 要求接受設備103週期性地或在預定週期區間使用 UDP而發送具有被包含於有效裝載中之設備π)的設備註冊 15 封包2〇1至伺服器裝置101。如第7A圖之展示,於要求·接受 -端-LAN 106b上,“192.168.1.3”被寫入至設備註冊封包201 之SA中,並且“2000,,被寫入至設備註冊封包2〇1之SP中。設 備註冊封包201經由徑由器裝置i〇4b被發送至伺服器裝置 101。當設備註冊封包201通過徑由器裝置l〇4b時,徑由器 20裝置104b利用NAPT功能轉化設備註冊封包2〇1上之SA為 202.204.16· 13” ’並且同時也轉化設備註冊封包2〇1上之sp 為“3400”。利用NAPT功能被轉化之設備註冊封包2〇1,如 第7B圖之展示,經由該網際網路(WAN)1〇5被發送至伺服器 
裝置101。 27 200534653 饲服器裳置101包含儲存設備資訊列表之列表記憶體 101m’而該列表包含被連接到網際網路(WAN)1〇5之分別的 设備上的一組設備資訊以及構成相關於各設備之ιρ位址和 接埠號碼與各設備之設備ID。伺服器裝置101查詢SA、SP、 5以及被接收之設備註冊封包201的有效裝載,並且接著,在 步驟S202,伺服器裝置1〇1儲存要求接受設備1〇3之一組設 備1D、徑由器裝置104b之廣域IP位址、以及徑由器裝置i〇4b 之WAN端的接埠號碼於被包含在伺服器裝置1〇1之列表記 憶體101m中,作為對應至要求接受設備1〇3的一組設備資訊 10 (亦即,設備資訊列表之項目)。於本發明較佳實施例中,伺 服器裝置101查詢廣域IP位址和徑由器裝置1〇扑之WAN端 的接埠號碼,作為相關於要求接受設備丨⑽之吓位址和接埠 號碼。換言之,當伺服器裝置101發送一封包至要求接受設 備103時,伺服器裝置101查詢包含作為目的地之要求接受 15設備103的要求-接受-端LAN106b之廣域IP位址和WAN端 接埠號碼(因而,徑由器裝置l〇4b之廣域IP位址和WAN端接 埠號碼)。第9圖展示被儲存於包含在伺服器裝置1〇1之列表 記憶體l〇lm中的設備資訊列表範例。 要求接受設備103週期性地發送設備註冊封包2〇1至伺 20服器裝置丨〇丨。由於這,即使徑由器裝置104b之廣域IP位址 或WAN端接埠號碼被改變,伺服器裝置丨〇丨上之設備資訊列 表亦藉由執行步驟S202以及相似於步驟S202之步驟S202A 而自動地被更新。 另一方面,當要求發出設備102希望執行與要求接受設 28 200534653 備103之資料通訊時,在步驟S203於要求發出設備i〇2和伺 服器裝置101之間的第一連接要求序列、利用伺服器裝置 101之步驟S204、封包之發送步驟S205、以及在步驟S206 於伺服器裝置101和要求接受設備103之間的第二連接要求 5序列被執行作為一系列之處理程序,以便從要求發出設備 102發送一連接要求訊息至要求接受設備103,該連接要求 汛息用以通知要求發出設備1〇2希望執行與要求接受設備 103之資料通訊。接著,來自要求發出設備1〇2之連接要求 5孔息利用伺服器裝置被中繼並且從該要求發出設備1〇2 10被轉移至要求接受設備103。要求發出設備102首先執行在 步驟S203於要求發出設備1〇2和伺服器裝置1〇1之間的第一 組連接要求序列,以便發送連接要求訊息至要求接受設備 103 〇 在步驟S203之第一連接要求序列,需要發送秘密資 15訊,例如,要求接受設備1〇3之密碼、要求接受設備103之 設備ID、以及相關於要求發出設備1〇2iIp位址和接埠號 碼。由於這原因,SSL(安全承口層(Secure Socket Layer)) 被使用以加秘密資訊之密碼於本發明較佳實施例中。通常 被使用以加密碼於連接要求封包217之發送的SSL通訊(其 20稍後將被說明),首先參考第3和5圖而被說明。 第5圖是證明授權裝置51之方塊圖,其認證伺服器裝置 101對於要求發出設備1〇2和要求接受設備1〇3是否有效。尤 其疋,第5圖展示用以證實伺服器裝置1〇1之有效性的分配 伺服器證明資料65之方法以及認證方法。於第5圖中,徑由 29 200534653 器裝置104a和104b不被展示,因為它們於認證說明方面不 是必要的。參看第5圖,證明授權裝置51(其中證明授權於 此後被稱為CA)儲存一對内在的CA共用密鑰52和CA密鑰 53於證明授權裝置51之列表記憶體51m中。伺服器裝置101 5 儲存一對内在的伺服器密鑰61和伺服器共用密鑰62以及利 用證明授權裝置51發出之伺服器證明資料65於伺服器裝置 101之列表記憶體l〇lm中。伺服器證明資料65是由證明授權 裝置51產生之伺服器共用密鑰62和簽名64所構成。 為了執行在步驟S203之第一連接要求序列和步驟S206 10 之第二連接要求序列的處理程序,伺服器裝置101首先需要 依據下面說明之處理序列而預先地使證明授權裝置51發出 伺服器證明資料65。 證明授權裝置51包含列表記憶體51m,其預先地儲存 CA共用密鑰52和CA密鍮53組對。伺服器裝置101產生伺服 15器共用密鑰62和伺服器密鑰61組對。伺服器裝置101發送伺 服器裝置101上之伺服器共用密鑰62和資訊至證明授權裝 置51作為伺服器證明資料要求封包63,並且要求該證明授 權裝置51發出伺服器證明資料65。當接收該伺服器證明資 料要求封包63時,證明授權裝置51依據從伺服器裝置1〇1被 20接收之資訊以及其他必須的資訊而使用CA密鑰53以產生 簽名64。接著,證明授權裝置51發出藉由組合從伺服器裝 
置101被接收之資訊、其他必須的資訊、以及簽名64而產生 之貝料至伺服器裝置1 〇 1作為伺服器證明資料6 5。因此被發 出之伺服器證明資料65從證明授權裝置5丨被發送至伺服器 3〇 200534653 裝置10H乍為伺服器證明資料發出封包54。伺服器裝置1〇1 儲存該被接收之伺服器證明資料6 5於伺服器震置丨〇丨内部 列表記憶體101m中。 被視為客戶設備之要求發出設備102和要求接受設備 5 103,自證明授權裝置51預先取得CA共用密鑰52,並且儲 存被取得之CA公用密鑰52於它們分別的内部記憶體1〇2m 和103m中。一般,CA公用密鑰52以與證明授權裝置51上之 資訊以及其類似者被組合的CA證明資料封包55形式而被 分配至客戶設備(亦即,與伺服器裝置1〇1通訊的其他設 ίο備)。當從伺服器裝置101經由伺服器證明資料封包214而接 收伺服器證明資料65時,各要求發出設備1〇2和要求接受設 備103允a午被k供於分別的設備1 〇2和1 〇3中之各證明資訊 認證處理部份102c和103c,使用被儲存於各内部列表記憶 體102m和103m中之CA公用密鑰52而認證被包含於伺服器 15證明資料65中之簽名64是否有效。這導致各要求發出設備 102和要求接受設備1〇3可確認在伺服器證明資料65内之伺 服器公用密鑰62是否有效。 具體地’於步驟S203,在要求發出設備1〇2和伺服器裝 置101之間供用於秘密通訊的第一連接要求序列如下所示 20 地被執行。 第3圖是展示在步驟S203之第一連接要求序列的處理 細節之順序圖。第3圖展示使用SSL通訊以發送連接要求封 包217之流程圖。第3圖中,參考符號73指示被使用於秘密 通訊之供用於通訊的共同密鍮。 31 200534653 假設,伺服器裝置101進一步地包含一組加密碼通訊處 理部份l〇le。則該加密碼通訊處理部份i〇ie產生用以加密 碼且解密碼將被發送且被接收信號之供用於通訊的共同密 鍮73和83,使用被產生之通訊用的共同密鑰73而加密碼且 5 解密碼至/自要求發出設備102之被發送和被接收的信號, 並且使用通訊用之共同密鑰83而加密碼且解密碼被發送且 被接收至/自要求接受設備103之信號。同時假設,要求發 0 出設備102進一步地包含加密碼通訊處理部份i〇2e和證明 資訊認證處理部份102c。設備102之加密碼通訊處理部份 10 i〇2e產生通訊用之共同密鑰73以供加密碼且解密碼將被發 送且被接收之信號,並且使用被產生之通訊用的共同密鑰 73以執行將被發送且被接收至/自該伺服器裝置1〇1之信號 的加密碼和解密碼。證明資訊認證處理部份l〇2c認證伺服 器證明資料65是否有效。 15 於SSL通訊中,客戶端之要求發出設備102首先經由徑 φ 由器裝置l〇4a而發送TCP連接開始封包211至伺服器裝置 101,並且這導致要求利用TCP連接與伺服器裝置101之通 訊被開始。第6圖展示被儲存於徑由器裝置104a内部列表記 憶體104am中之NAPT列表的範例。當TCP連接開始封包211 20 通過徑由器裝置l〇4a時,徑由器裝置104a使TCP連接開始封 包211 上之SA從“192.168.1.1Γ,轉化為“4_17.168·2,,,並且同 時也依據ΝΑΡΤ表使用ΝΑΡΤ功能而使TCP連接開始封包 211上之SP從“1500”轉化為“7000”。進一步地,當接收被定 址至要求發出設備102之封包時,徑由器裝置104a執行相對 32 200534653 於上述轉化之轉化至封包上之da以及一不同轉化至封包 上之DP ’並且發送該產生的封包至要求發出設備1〇2。於本The above-mentioned servo II device further includes a first encrypted communication device and a certification information storage device. The first encrypted communication device is operable to generate a first common key for communication and a second key for communication, and uses the first common key for communication to decrypt the received signal, And use the second common key for communication to add a code to the transmitted signal. 
The certification information storage device is operable to store server certification information for verifying the validity of the server device. The server device is operable to send the server certification information to the request issuing device before receiving the first connection request signal. The server device is operable to use the first TCP connection to receive the first common key generation information generated from the request issuing device in response to the server certification information, in response to the first common key generation information As a result, the first encrypted communication device generates second common key generation information, which causes the first encrypted communication device to generate a first for communication based on the first common key generation information and the second common key generation information. Common key, using the first TCP connection 15 200534653 to send the second common key generation information to the request issuing device, and cause the request issuing device to generate the second common key generation information and the second common key generation information according to the first common key The information generates the same common key for communication as the first common key for communication to share the first common key for communication 5 with the request issuing device. The server device is operable to use the first TCP connection to receive a first connection request signal encrypted from the request issuing device using a first common password for communication, and cause the first encrypted communication device to use the The first common key for communication is used to decrypt the received first connection request signal. Before sending the second connection request signal, the server device sends the server certification information to the request accepting device. 
The temple server device is operable to use the second TCP connection to receive from the request accepting device a third common key generated due to the server's certification information being generated, resulting in a 5H first fork code communication The device generates fourth common key generation information in response to the third common key generation information, which causes the first 15 plus cryptographic communication device to generate a certificate based on the third common key generation information and the fourth common key generation information. The second common key for communication uses the second TCP connection to send the fourth common secret-generating information to the request receiving device, and causes the request accepting device to generate the information and the fourth common secret according to the third common secret transmission. The key generation information generates the same common key for communication as the second common 20 key for communication to share the second common key for communication with the request receiving device. After receiving the first connection request signal and before sending the second connection request signal, the server farm causes the first encrypted communication device to use a second common secret for communication and add a password to the first connection request signal. . 16 200534653 According to the second aspect of the present invention, a request issuing device provided in a communication system is disclosed. In the request issuing device, a server device and a plurality of devices including the request issuing device and a request receiving device are each connected to a network, and the request issuing device is operable to communicate with the server 5 device and request acceptance Device communication. The request issuing device is operable to send a TCP connection start signal to the server device for establishing a first TCP connection with the server device. 
The request issuing device is operable to send a first connection request signal to the server device using a first TCP connection, the first connection request signal including a device ID of one of the request accepting devices and one of the phase 10 requesting devices. An IP address and a port number, and the first connection request signal is a request to the request accepting device. After receiving a communication request signal from the request receiving device for requesting one of the communications between the request issuing device and the request receiving device, the request issuing device accepts the request issuing device and the response in response to the communication request signal. Requirement 15 accepts communication between devices and begins communicating with the request-receiving device. In the above-mentioned request issuing device, the first connection request signal further includes password information for use in the request receiving device. The above-mentioned request issuing device further includes a second encrypted communication device and a first group of certification information authentication devices. The second encrypted communication device 20 is operable to generate a first common key for communication, and uses the first common key for communication to encrypt the transmitted signal. First certification information The authentication device is operable to authenticate server certification information used to verify the validity of the server device. The request issuing device is operable to receive the server certification information from the server device before sending the first connection request signal. 17 200534653 The request issuing device is operable to authenticate the received server certification information by the first certification information authentication device and confirm whether the received server certification information is valid. 
When confirming that the received server certification information is valid, the request issuing device causes the second encrypted communication device to generate 5 first common key generation information, and uses the first TCP connection to send the generated first common The key generation information is sent to the server device, and the first TCP connection is used to receive the second common key generation information generated from the server device in response to the first common key generation information, resulting in the second encrypted communication The device generates the first common key for communication according to the first common key generation information and the second common secret key generation information, and causes the server device to generate the information and the second common secret according to the first common secret input. The key generation information generates the same common secret for communication as the first common key for communication to share the first common key for communication with the server device. Before sending the first connection request signal, the request issuing device causes the second encrypted communication device to use the first common key for communication to add a password to the first connection request signal. The request issuing device is operable to send the encrypted first connection request signal to the server device using the first TCP connection. According to a third aspect of the present invention, a request acceptance device provided in a communication system is disclosed. In the communication system, a server device and a plurality of devices including a request issuing device and the request receiving device are each connected to a network, and the request receiving device is operable to communicate with the server device and the request issuing device. 
The request acceptance device includes a set of device ID storage means operable to store the device ID of the request acceptance device. The request receiving device is operable to periodically send a device registration signal including the device ID of the request receiving device to the server device. The request accepting device is operable to receive a second connection request signal including an IP address and a port number related to the request issuing device from the server device as a response signal to the device 5 registration signal. The request receiving device is operable to send a communication request signal to request communication between the request receiving device and the request issuing device to use the IP address included in the received second connection request signal. And the request issuing device represented by the port number. After the request issuing device accepts communication between the request receiving device and the request issuing device in response to the communication request signal, the request receiving device starts communication with the request issuing device. In the above request accepting device, after sending the device registration signal to the server device and before receiving the second connection request signal, the request accepting device receives a third connection request signal from the server device as a pair of 15 to the The device registers a response signal of the signal and sends a second TCP connection start signal to the server device as a response signal to the third connection request signal to establish a second TCP connection with the server device. The request acceptance device is operable to receive a second connection request signal from the server device using the established second TCP connection. 20 The above-mentioned request accepting device further includes a password information storage device 'which is operable to store password information for use in the request accepting device. 
The request accepting device is operable to receive a second connection request signal from the server device further comprising password information using the second Tcp connection. The request accepting device is operable, and is sent only when the password information contained in the second connection request signal 200534653 matches the password information provided for the request accepting device stored in the password information storage device. A communication request signal is sent to the request issuing device. The above-mentioned request acceptance device further includes a third encrypted communication device and a second certification information authentication device. The third encrypted communication device is operable to generate a second common key for communication, and uses the second common key for communication to decrypt the received signal. The second certification information authentication device is operable to authenticate server certification information used to verify the validity of the server device. Before receiving the second connection request signal, the request accepting device receives the server certification information from the server device. The request acceptance device is operable to cause the second certification information authentication device to authenticate whether the received server certification information is valid to confirm whether the received server certification information is valid. 
When confirming that the received server certification information is valid, the request acceptance device causes the third encrypted communication device to generate third common key generation information, and uses a second TCP connection to send the generated third The common key generation information is sent to the server device, and the second TCP connection is used to receive the fourth common key generation information generated from the server device in response to the third common key generation information, resulting in the third encryption code. The communication device generates the second common key for communication according to the second common key generation information and the fourth common key 20 generation information, and causes the server device to generate the information and the fourth common key according to the third common key. The secret generates information to generate the same common key for communication as the second common key for communication to share the second common key for communication with the server device. The request accepting device is operable to use the second TCP connection to receive a second connection request signal encrypted from the server device by using the second TCP connection. The communication device uses the second common key for communication to decrypt the received second connection request signal. 5 According to the fourth aspect of the present invention, there is provided a communication system including the temple server device, a plurality of devices including a request issuing device and a request receiving device. In the remote communication system, each of the equipment and the server device is connected to a network. According to a fifth aspect of the present invention, a communication method is provided, which includes 10 or more steps, which are performed using the server device, the request issuing device, and the request accepting device. 
According to a sixth aspect of the present invention, a program for causing a computer to perform the communication method is provided. Therefore, according to the present invention, a point-to-point communication between the request issuing device and the request 15 request and 5 request can be realized, wherein the request issuing device and the request receiving device each have—㈣1P him and are set. Put on a different LAN with any illegal access prohibited. Further, according to the present invention, a program containing the steps of the j-signal method can be provided, and when the program uses electricity-or: it is captured by beta, allowing a computer or device connected to the Internet to execute The steps of the communication method. Brief Description of the Drawings Figure 1 is a block diagram of a network group of a communication system in accordance with a preferred embodiment of the present invention; & Sequence diagram of a communication example executed in the communication line 21 200534653; The sequence diagram of the first connection request sequence that is not processed in detail in step §2 03 shown in Figure 2; Figure 4 is the fifth of the wind-margin not processed in detail in step S206 shown in Figure 2 Sequence diagram of the second connection request sequence; Figure 5 is a block diagram of the Zeniji position 51, which is used for the server device 101 of the request issuing device 102 and the request receiving device 103 in the first picture. Is valid; FIG. 6 is a list showing an example of the NAPT list stored in the 10 internal list memory 104am of the router device shown in FIG. 1; FIG. 7A is a view showing the LAN shown in FIG. 
2 Figure 7B is an exploded view of the configuration of the device registration packet 201; Figure 7B is an exploded view showing the configuration of the WAN end device registration packet 201 shown in Figure 2; 15 Figure 7C is not shown in Figure 3 The LAN side connection requires an exploded view of the 217 groups of packets; Figure 7D is shown in Figure 3 An exploded view of the WAN connection request packet 217 configuration; Figure 8A is an exploded view showing the LAN terminal connection request notification packet 20 205 configuration shown in Figure 2; Figure 8B is a WAN end shown in Figure 2 An exploded view of the configuration of the connection request notification packet 205; Figure 8C is an exploded view showing the configuration of the LAN-side connection request packet 226 shown in Figure 4; 22 200534653 Figure 8D is a WAN shown in Figure 4 Exploded view of the configuration of the connection request packet 226; FIG. 9 is a list showing an example of the device information list in the list memory 10lm of the server device 101 shown in FIG. 1; 5 FIG. It is a block diagram of a network configuration example of a communication system, especially a technical communication system; Figure U shows a sequence diagram of a communication sequence example for communication without using the NAPT function of a router device; Figure 12 shows 10 is an example of a NAPT list of the router device 104; and FIG. 13 is a sequence diagram showing an example of a communication sequence of the communication system shown in FIG. [Embodiment] The best mode for carrying out the present invention 15 Hereinafter, a preferred embodiment of the present invention will be described with reference to FIGS. 1 to 9. Fig. 1 is a block diagram showing an example of a network configuration of a communication system according to a preferred embodiment of the present invention. 
The request issuing device 102 and the router device 104a, which has a NAPT function, constitute a request-issuing-end LAN 106a. The request-issuing-end LAN 106a is connected to the Internet (WAN) 105 at the WAN-side port of the router device 104a. Further, the request accepting device 103 and the router device 104b, which has a NAPT function, constitute a request-accepting-end LAN 106b. The request-accepting-end LAN 106b is connected to the Internet (WAN) 105 at the WAN-side port of the router device 104b. In addition, the server device 101 is connected to the Internet (WAN) 105.

The communication system according to the preferred embodiment of the present invention includes a plurality of devices, for example a request issuing device 102 and a request accepting device 103, each connected to the Internet (WAN) 105, and a server device 101 connected to the Internet (WAN) 105. In the communication system, the request issuing device 102 on the request-issuing-end LAN 106a transfers a connection request signal to the request accepting device 103 on the request-accepting-end LAN 106b via the server device 101, and then communication between the request issuing device 102 and the request accepting device 103 is performed. In this communication system, the server device 101 contains a device information storage, or list memory, 101m, which stores a device information list. As shown in FIG. 9, the list consists of one set of device information per device, each set comprising the IP address and port number associated with the device and the device ID of the device. The request accepting device 103 periodically sends a device registration packet 201, containing its set of device information, to the server device 101. In steps S202 and S202A shown in FIG. 2, the server device 101 receives the device registration packet 201 and stores the set of device information contained in the received device registration packet 201 in the list memory 101m.

When communicating with the request accepting device 103, the request issuing device 102 first executes the first connection request sequence of step S203. In step S203, the request issuing device 102 sends a TCP connection start packet 211 to the server device 101, whereby a first TCP connection with the server device 101 is established; then, using the first TCP connection, it sends a connection request packet 217 (containing the device ID of the request accepting device 103 and the IP address and port number of the request issuing device 102, to be forwarded to the request accepting device 103) to the server device 101. The server device 101 receives the connection request packet 217. In step S204, the server device 101 searches the device information list for the device ID of the request accepting device 103 included in the received connection request packet 217, identifies the device whose set of device information contains that device ID as the request accepting device 103, and identifies the IP address and port number contained in the set of device information on the request accepting device 103 as the IP address and port number of the request accepting device 103 on the device information list.

At step S205, the server device 101 sends a connection request packet 226 to the identified request accepting device 103. The connection request packet 226 contains the IP address and port number of the request issuing device 102 that were included in the received connection request packet 217, is sent as a response signal to the device registration packet 201, and uses the identified IP address and port number as its destination. The request accepting device 103 receives the connection request packet 226. The request accepting device 103 then sends a TCP connection request packet 208 to the request issuing device 102, using the IP address and port number contained in the received connection request packet 226, as a communication request signal for communication between the request issuing device 102 and the request accepting device 103. When the request issuing device 102 responds to the TCP connection request packet 208 and accepts communication between the request issuing device 102 and the request accepting device 103, the data communication sequence for data communication between the request issuing device 102 and the request accepting device 103 starts at step S209. In the preferred embodiment of the present invention, each of the server device 101, the request issuing device 102 and the request accepting device 103 may be configured as a communication device or a general-purpose computer operated by a computer-readable program for executing a plurality of steps, as will be explained later.

In the preferred embodiment of the present invention, the following is assumed, as shown in FIG. 1. "130.74.23.6" is configured in the server device 101 as a wide-area IP address; the server device 101 includes a list memory 101m for storing its wide-area IP address and the device information list. "192.168.1.11" is configured in the request issuing device 102 as a private IP address.
"192.168.1.3" is configured in the request accepting device 103 as a private IP address. The request issuing device 102 contains a list memory 102m, which stores its private IP address and port number. The request accepting device 103 contains a list memory 103m, which stores its private IP address and port number. "4.17.168.2" is configured in the router device 104a as a wide-area IP address, and "202.204.16.13" is configured in the router device 104b as a wide-area IP address. In a manner similar to that shown in FIG. 12, the router device 104a stores the contents of the NAPT list of FIG. 6 (including its WAN-side port number and wide-area IP address, and the private IP address and port number of the request issuing device 102) in its internal list memory 104am. Further, the router device 104b stores the contents of its NAPT list (including its WAN-side port number and wide-area IP address, and the private IP address and port number of the request accepting device 103) in its internal list memory 104bm. The following is also assumed. The request issuing device 102 stores a device ID "1051", uniquely allocated to the device 102, in its internal list memory 102m. The request accepting device 103 stores a device ID "2133", uniquely allocated to the device 103, in its internal list memory 103m. The device ID is identification information uniquely assigned to each device that performs peer-to-peer communication in the preferred embodiment of the present invention. For example, an ID configured by the device manufacturer can be used as the device ID; however, the device ID is not limited to this. It is further assumed that the request accepting device 103 stores a password as secret information in its internal list memory 103m.

As will be explained later, the request issuing device 102 that performs peer-to-peer communication with the request accepting device 103 needs to obtain in advance the password and the device ID of the request accepting device 103, and the wide-area IP address and WAN-side port number of the router device 104a, and to store them in its internal list memory 102m. FIGS. 2 to 4 are sequence diagrams showing examples of communication sequences implemented in the communication system shown in FIG. 1. FIGS. 7A to 7D and FIGS. 8A to 8D show examples of the packets used in the communication sequences shown in FIGS. 2 to 4.

The request accepting device 103 sends a device registration packet 201 by UDP, carrying its device ID in the payload, to the server device 101 periodically or at a predetermined interval. As shown in FIG. 7A, on the request-accepting-end LAN 106b, "192.168.1.3" is written into the SA (source address) of the device registration packet 201 and "2000" is written into its SP (source port). The device registration packet 201 is transmitted to the server device 101 via the router device 104b. When the device registration packet 201 passes through the router device 104b, the router device 104b uses its NAPT function to convert the SA on the device registration packet 201 to "202.204.16.13" and the SP on the device registration packet 201 to "3400". The device registration packet 201 converted by the NAPT function is transmitted to the server device 101 via the Internet (WAN) 105, as shown in FIG. 7B. The server device 101 contains a list memory 101m that stores the device information list; the list contains one set of device information for each device connected to the Internet (WAN) 105, each set consisting of the IP address and port number associated with the device and the device ID of the device.

The server device 101 examines the SA, the SP and the payload of the received device registration packet 201 and then, in step S202, stores the device ID of the request accepting device 103, the wide-area IP address of the router device 104b and the WAN-side port number of the router device 104b in the list memory 101m of the server device 101 as the set of device information (i.e., the entry of the device information list) corresponding to the request accepting device 103. In the preferred embodiment of the present invention, the server device 101 regards the wide-area IP address and WAN-side port number of the router device 104b as the IP address and port number associated with the request accepting device 103. In other words, when the server device 101 sends a packet to the request accepting device 103, it uses as the destination the wide-area IP address and WAN-side port number registered for the request accepting device 103 (that is, the wide-area IP address and WAN-side port number of the router device 104b). FIG. 9 shows an example of the device information list stored in the list memory 101m of the server device 101. The request accepting device 103 periodically sends the device registration packet 201 to the server device 101. Because of this, even if the wide-area IP address or WAN-side port number of the router device 104b changes, the device information list on the server device 101 is updated automatically by executing step S202 and step S202A, which is similar to step S202.
On the other hand, when the request issuing device 102 wishes to perform data communication with the request accepting device 103, the first connection request sequence between the request issuing device 102 and the server device 101 in step S203, the search step S204 of the server device 101, the packet sending step S205, and the second connection request sequence between the server device 101 and the request accepting device 103 in step S206 are performed as a series of processing steps for sending a connection request message from the request issuing device 102 to the request accepting device 103; the connection request message notifies the request accepting device 103 that the request issuing device 102 wishes to perform data communication with it. That is, the connection request from the request issuing device 102 is relayed by the server device 101 and thereby transferred from the request issuing device 102 to the request accepting device 103. The request issuing device 102 first executes the first connection request sequence between the request issuing device 102 and the server device 101 at step S203, so as to send the connection request message to the request accepting device 103. In the first connection request sequence of step S203, secret information must be sent, such as the password of the request accepting device 103, the device ID of the request accepting device 103, and the IP address and port number of the request issuing device 102. For this reason, SSL (Secure Sockets Layer) is used to encrypt the secret information in the preferred embodiment of the present invention. The SSL communication used to encrypt the connection request packet 217 (described later) is explained first with reference to FIGS. 3 and 5.

FIG. 5 is a block diagram of the certificate authority 51, showing how the server device 101 is certified to the request issuing device 102 and the request accepting device 103; in particular, FIG. 5 shows a method of issuing the server certification data 65 and an authentication method for verifying the validity of the server device 101. In FIG. 5, the router devices 104a and 104b are not shown because they are not necessary for the explanation of certification. Referring to FIG. 5, the certificate authority device 51 (hereinafter referred to as a CA) stores a pair consisting of a CA public key 52 and a CA secret key 53 in its internal list memory 51m. The server device 101 stores a pair consisting of a server secret key 61 and a server public key 62, together with the server certification data 65 issued by the certificate authority device 51, in its list memory 101m. The server certification data 65 is composed of the server public key 62 and a signature 64 generated by the certificate authority 51. In order to execute the first connection request sequence in step S203 and the second connection request sequence in step S206, the server device 101 first needs to have the certificate authority device 51 issue the server certification data 65 in advance, according to the procedure described below. The certificate authority device 51 stores the pair of the CA public key 52 and the CA secret key 53 in its list memory 51m in advance. The server device 101 generates a pair of a server public key 62 and a server secret key 61. The server device 101 sends the server public key 62 and information on the server device 101 to the certificate authority device 51 as a server certification data request packet 63, requesting the certificate authority device 51 to issue the server certification data 65.

When receiving the server certification data request packet 63, the certificate authority device 51 uses the CA secret key 53 to generate a signature 64 over the information received from the server device 101 and other necessary information. Next, the certificate authority 51 issues to the server device 101, as the server certification data 65, the combination of the information received from the server device 101, the other necessary information and the signature 64. The issued server certification data 65 is thus sent from the certificate authority device 51 to the server device 101 in a server certification data packet 54. The server device 101 stores the received server certification data 65 in its internal list memory 101m. The request issuing device 102 and the request accepting device 103, which act as client devices, obtain the CA public key 52 in advance from the certificate authority 51 and store the obtained CA public key 52 in their respective internal list memories 102m and 103m. Generally, the CA public key 52 is distributed to the client devices (i.e., the other devices that communicate with the server device 101) in the form of a CA certification data packet 55, combined with information on the certificate authority device 51 and the like. When the server certification data 65 is received from the server device 101 in a server certification data packet 214, the certification information authentication processing sections 102c and 103c provided in the request issuing device 102 and the request accepting device 103 respectively use the CA public key 52 stored in the internal list memories 102m and 103m to authenticate whether the signature 64 included in the server certification data 65 is valid.

As a result, each of the request issuing device 102 and the request accepting device 103 confirms whether the server public key 62 in the server certification data 65 is valid. Specifically, at step S203, the first connection request sequence for secret communication between the request issuing device 102 and the server device 101 is performed as follows. FIG. 3 is a sequence diagram showing details of the first connection request sequence in step S203, i.e., the flow of sending the connection request packet 217 using SSL communication. In FIG. 3, reference numeral 73 denotes the common key for communication used for the secret communication. It is assumed that the server device 101 further includes an encrypted communication processing section 101e. The encrypted communication processing section 101e generates common keys 73 and 83 for communication, for encrypting and decrypting the signals to be sent and received; it uses the generated common key 73 to encrypt and decrypt the signals sent to and received from the request issuing device 102, and the common key 83 to encrypt and decrypt the signals sent to and received from the request accepting device 103. It is likewise assumed that the request issuing device 102 further includes an encrypted communication processing section 102e and a certification information authentication processing section 102c. The encrypted communication processing section 102e of the device 102 generates the common key 73 for communication for encrypting and decrypting the signals to be sent and received, and uses the generated common key 73 to encrypt and decrypt the signals sent to and received from the server device 101. The certification information authentication processing section 102c authenticates whether the server certification data 65 is valid.

In SSL communication, the request issuing device 102, acting as the client, first sends a TCP connection start packet 211 to the server device 101 via the router device 104a, thereby requesting that communication with the server device 101 be started over a TCP connection. FIG. 6 shows an example of the NAPT list stored in the internal list memory 104am of the router device 104a. When the TCP connection start packet 211 passes through the router device 104a, the router device 104a uses its NAPT function, according to the NAPT table, to convert the SA on the TCP connection start packet 211 from "192.168.1.11" to "4.17.168.2" and the SP on the packet from "1500" to "7000". Further, when receiving a packet addressed to the request issuing device 102, the router device 104a performs the reverse conversion on the DA (destination address) and DP (destination port) of the packet and sends the resulting packet to the request issuing device 102.

In the description of the invention, for brevity, the NAPT processing operation of the router device 104a will not be explained again. However, in practice, when the request issuing device 102 wishes to send or receive a packet to or from the server device 101 or another device on the Internet (WAN) 105, the device 102 always sends and receives the packet via the router device 104a, and the router device 104a performs NAPT processing on the packet.

Next, the request issuing device 102 and the server device 101 perform a cipher specification negotiation step, in which they mutually check the specification of the cipher mechanism to be used in the secret communication. The request issuing device 102 first sends an encrypted communication start request packet (hereinafter referred to as a client-hello packet) 212 to the server device 101 over the TCP connection established by the TCP connection start packet 211. The client-hello packet 212 contains the usable SSL versions, a list of usable cipher mechanisms, a session ID and the like, and also a random number ClientHello.random generated by the request issuing device 102. On receiving the client-hello packet 212 and permitting communication to start, the server device 101 sends an encrypted communication start response packet (referred to as a server-hello packet) 213 to the request issuing device 102 over the same TCP connection. The server-hello packet 213 contains the SSL version to be used (the newest version supported by both the request issuing device 102 and the server device 101), the session ID, the cipher mechanism to be used, and the like, and also a random number ServerHello.random generated by the server device 101 in the same manner as ClientHello.random. In the remainder of the first connection request sequence of step S203, the SSL version and the cipher mechanism designated by the server-hello packet 213 are used. The random numbers ClientHello.random and ServerHello.random are generated independently by the request issuing device 102 and the server device 101, each as a 32-bit timestamp followed by a 28-byte random number (or a sufficiently secure pseudo-random number). The client-hello packet 212 and the server-hello packet 213, containing ClientHello.random and ServerHello.random respectively, are sent without any encryption.

Next, the server device 101 sends a server certification data packet 214 to the request issuing device 102. The sending of the server certification data packet 214 to the request issuing device 102 need not follow the sending of the server-hello packet 213. As long as the server certification data packet 214 is sent before the reception of the common key generation information packet 215 for request-issuing-device-side communication, described later, the packet 214 may be sent at any timing (for example, before the first connection request sequence of step S203). The certification information authentication processing section 102c of the request issuing device 102 uses the CA public key 52 stored in the device 102 to confirm whether the server certification data 65 contained in the received server certification data packet 214 is valid, as described above.

When the certification information authentication processing section 102c confirms that the server certification data 65 contained in the received server certification data packet 214 is valid, the request issuing device 102 starts a common key generation information exchange step, which comprises the sending and receiving of common key generation information 71 for request-issuing-device-side communication and common key generation information 72 for server-device-side communication.

In the common key generation information exchange step, the request issuing device 102 first generates the common key generation information 71 for request-issuing-device-side communication using its encrypted communication processing section 102e. The request issuing device 102 then sends, over the TCP connection established by the TCP connection start packet 211, a common key generation information packet 215 for request-issuing-device-side communication, containing the generated common key generation information 71, to the server device 101. In response to the packet 215, the server device 101 generates the common key generation information 72 for server-device-side communication using its encrypted communication processing section 101e, and sends, over the same TCP connection, a common key generation information packet 216 for server-device-side communication, containing the generated common key generation information 72, to the request issuing device 102. The request issuing device 102 and the server device 101 then use their encrypted communication processing sections 102e and 101e to generate the same common key 73 for communication from the common key generation information 71 and 72. As a result, the common key 73 for communication can be shared between the request issuing device 102 and the server device 101.

The preferred form of the common key generation information exchange depends on the cipher mechanism used for the SSL key exchange. When an RSA cipher mechanism is used, the encrypted communication processing section 102e of the request issuing device 102 generates a 48-byte random number called the pre-master secret (PMS) as the common key generation information 71 for request-issuing-device-side communication, and encrypts the generated PMS with the server public key 62 contained in the server certification data 65. The request issuing device 102 then sends the encrypted PMS to the server device 101 over the TCP connection established by the TCP connection start packet 211. The server device 101 causes its encrypted communication processing section 101e to decrypt the received encrypted PMS with the server secret key 61 owned by the server device 101, thereby obtaining the sent PMS. The common key generation information 72 for server-device-side communication is neither generated nor sent. The server device 101 and the request issuing device 102 generate the common key 73 for communication from the PMS, as will be described later, and thus share that key.

If a Diffie-Hellman cipher mechanism is used, the request issuing device 102 and the server device 101 agree in advance on two parameters (a prime "p" and a primitive root "g" of the prime "p") in order to share a Diffie-Hellman key between them. After receiving the server certification data packet 214, the request issuing device 102 generates a random number "a", computes the least positive residue of g^a modulo "p" as the common key generation information 71 for request-issuing-device-side communication, and sends the common key generation information packet 215 containing the information 71 to the server device 101. The server device 101 generates a random number "b", computes the least positive residue of g^b modulo "p" as the common key generation information 72 for server-device-side communication, and sends the common key generation information packet 216 containing the information 72 to the request issuing device 102. The pieces of common key generation information thus sent to each other are used as the Diffie-Hellman public keys. Further, when the pieces of common key generation information 71 and 72 are sent, the signatures of the request issuing device 102 and the server device 101 may be attached to them.

If fixed Diffie-Hellman, one variant of the Diffie-Hellman cipher mechanism, is used, the value contained in the server certification data 65 is used as the information from the server device 101; therefore, the common key generation information 72 for server-device-side communication is neither generated nor sent.

As described above, once the pieces of common key generation information 71 and 72 have been exchanged between the request issuing device 102 and the server device 101, the common key 73 for communication, which is used as the key for the subsequent communication, is generated from these pieces of common key generation information 71 and 72. To generate the common key 73 for communication, the PMS is first derived from the mutually exchanged common key generation information 71 and 72. In the case of the RSA cipher mechanism, the PMS is the common key generation information 71 for request-issuing-device-side communication described above. In the case of the Diffie-Hellman cipher mechanism, the PMS is generated from the Diffie-Hellman shared key of the server device 101 and the request issuing device 102. In other words, the server device 101 computes as the PMS the least positive residue modulo "p" of the value obtained by raising the received residue g^a to the b-th power. The request issuing device 102 computes as the PMS the least positive residue modulo "p" of the value obtained by raising the received residue g^b to the a-th power. If the Diffie-Hellman cipher mechanism is used, the PMS computed by each of the request issuing device 102 and the server device 101 is therefore equal to the least positive residue of g^(ab) modulo "p".

To generate the common key 73 for communication from the PMS, the following calculation is performed using the MD5 (Message Digest 5) and SHA (Secure Hash Algorithm) hash algorithms.

Common key master_secret =
    MD5(PMS || SHA('A'   || PMS || ClientHello.random || ServerHello.random)) ||
    MD5(PMS || SHA('BB'  || PMS || ClientHello.random || ServerHello.random)) ||
    MD5(PMS || SHA('CCC' || PMS || ClientHello.random || ServerHello.random))      (1)

In equation (1), "||" denotes concatenation of bit sequences. Thereafter, the request issuing device 102 and the server device 101 encrypt and decrypt the connection request packet 217 using the common key "master_secret" computed as in equation (1) as the common key 73 for communication, and this enables the secret communication. In other words, once the sharing of the common key 73 for communication between the request issuing device 102 and the server device 101 is complete, the request issuing device 102 causes its encrypted communication processing section 102e, before the first connection request packet 217 is sent, to encrypt with the common key 73 the data comprising the device ID of the connection target request accepting device 103, the password of the request accepting device 103, and the IP address and port number associated with the request issuing device 102 and used for the communication. Note that the IP address and port number associated with the request issuing device 102 are the wide-area IP address and WAN-side port number of the request-issuing-end LAN 106a containing the request issuing device 102, that is, the WAN-side wide-area IP address and WAN-side port number of the router device 104a. The request issuing device 102 generates the connection request packet 217 with the encrypted data as its payload, and sends the generated connection request packet 217 to the server device 101 over the TCP connection established by the TCP connection start packet 211. More specifically, the request issuing device 102 sends the connection request packet 217 shown in FIG. 7C to the router device 104a. The router device 104a then performs NAPT processing on the received connection request packet 217 and sends the connection request packet 217 that has undergone NAPT processing (shown in FIG. 7D) to the server device 101. The server device 101, for its part, receives from the request issuing device 102, over the TCP connection established between the server device 101 and the request issuing device 102, the connection request packet 217 containing the encrypted data as secret information. In response to receiving the packet 217, the server device 101 causes its encrypted communication processing section 101e to decrypt the encrypted data using the common key 73 for communication.

When the TCP connection start packet 208 and the packets of the data communication sequence of step S209 (described later) are sent and received, the WAN-side wide-area IP address and WAN-side port number of the router device 104a written into the connection request packet 217 are used. In other words, the request issuing device 102 receives the TCP connection start packet 208 from the request accepting device 103 and establishes a TCP connection between the devices 102 and 103. When the request issuing device 102 uses the established TCP connection to send and receive the packets of the data communication sequence of step S209 (as described later), the WAN-side wide-area IP address and WAN-side port number of the router device 104a are written into the packets thus sent and received. It may be assumed that the WAN-side wide-area IP address and WAN-side port number of the router device 104a written into a packet are converted into the private IP address and port number of the request issuing device 102, or vice versa, by the NAPT function of the router device 104a.

If the request issuing device 102 receives the TCP connection start packet 208 from the request accepting device 103 on a given port number (for example, "1600"), the NAPT list of the router device 104a is as shown in FIG. 6.

The second row of the NAPT list shown in FIG. 6 is the translation entry used when the request issuing device 102 receives the TCP connection start packet 208 from the request accepting device 103 and the packets of the subsequent data communication sequence of step S209. The request accepting device 103 sends the TCP connection start packet 208, carrying the wide-area IP address "4.17.168.2" and the port number "5000", to the router device 104a in order to establish the TCP connection. The IP address and port number written into the TCP connection start packet 208 are then converted by the NAPT function of the router device 104a into the private IP address of the request issuing device 102 and the port number of the router device 104a, respectively. Finally, the request accepting device 103 can establish a TCP connection with the request issuing device 102.

When receiving the connection request packet 217, the server device 101 refers to the sets of device information in the device information list stored in its internal list memory 101m, as shown in FIG. 9, and in step S204 searches the device information list for the device ID "2133" of the request accepting device 103 included in the received connection request packet 217. If a device ID matching "2133" is found on the device information list, the server device 101 identifies the device whose set of device information contains the device ID "2133" as the connection target request accepting device 103. Further, the server device 101 identifies the IP address and port number included in the set of device information on the identified request accepting device 103 as the IP address and port number associated with the request accepting device 103. The server device 101 does not immediately send to the request accepting device 103 the IP address and port number associated with the request issuing device 102 and the password of the request accepting device 103 that are contained in the received connection request packet 217. Instead, the server device 101 sends a connection request notification packet 205 by UDP, using as the destination the IP address "202.204.16.13" and port number "3400" associated with the request accepting device 103 (contained in the same set of device information as the device ID "2133"). The connection request notification packet 205 is sent to the router device 104b as a response signal to the device registration packet 201. The router device 104b converts the IP address and port number, and the packet 205 containing the converted IP address and port number thus reaches the request accepting device 103. As shown in FIGS. 8A and 8B, the connection request notification packet 205 contains a connection request notification flag indicating that the packet is a connection request notification.

When receiving the connection request notification packet 205, the request accepting device 103 executes the second connection request sequence of step S206 between the request accepting device 103 and the server device 101.

FIG. 4 is a sequence diagram showing the processing of the second connection request sequence in step S206. In the second connection request sequence of step S206, in a manner similar to the first connection request sequence of step S203, secret information must be sent, such as the password of the request accepting device 103 and the IP address and port number associated with the request issuing device 102. For this reason, SSL is used to encrypt the secret information in the preferred embodiment of the present invention. It is assumed that the request accepting device 103 further includes an encrypted communication processing section 103e and a certification information authentication processing section 103c. The encrypted communication processing section 103e of the device 103 generates the common key 83 for communication for encrypting and decrypting the signals to be sent and received, and uses the generated common key 83 to encrypt and decrypt the signals sent to and received from the server device 101. The certification information authentication processing section 103c of the device 103 authenticates whether the server certification data 65 is valid. The second connection request sequence of step S206 for secret communication between the server device 101 and the request accepting device 103 is performed as follows.

In SSL communication, the request accepting device 103, acting as the client, first sends a TCP connection start packet 221 to the server device 101 via the router device 104b, thereby requesting that communication with the server device 101 be started over a TCP connection. When the TCP connection start packet 221 passes through the router device 104b, the router device 104b uses the NAPT function, in the same way as when the device registration packet 201 was sent, to convert the SA and SP on the TCP connection start packet 221. Further, when receiving a packet addressed to the request accepting device 103, the router device 104b performs on the DA of the packet the reverse of the conversion performed on the SA, performs on the DP of the packet the reverse of the conversion performed on the SP, and then sends the resulting packet to the request accepting device 103. For brevity, in the description of the invention the NAPT processing operation of the router device 104b will not be explained again. However, in practice, when the request accepting device 103 wishes to send or receive a packet, the device 103 always sends or receives the packet via the router device 104b, and the router device 104b performs NAPT processing on the packet.

Next, the request accepting device 103 and the server device 101 perform the cipher specification negotiation step, in which they mutually check the specification of the cipher mechanism to be used in the secret communication. The request accepting device 103 first sends an encrypted communication start request packet (hereinafter referred to as a client-hello packet) 222 to the server device 101 over the TCP connection established by the TCP connection start packet 221. The client-hello packet 222 contains the usable SSL versions, a list of usable cipher mechanisms, a session ID and the like, and also a random number ClientHello.random generated by the request accepting device 103. On receiving the client-hello packet 222 from the request accepting device 103, the server device 101 sends an encrypted communication start response packet (hereinafter referred to as a server-hello packet) 223 to the request accepting device 103 over the TCP connection established by the TCP connection start packet 221. The server-hello packet 223 contains the SSL version to be used (the newest version supported by both the request issuing device 102 and the server device 101), the session ID, the cipher mechanism to be used, and the like, and
且同時也包含利用伺服器裝置101而被產生之一隨機數 “ServerHello.midom”。在下面步驟幻⑽的第二連接要求序 列時,利用加密碼通訊開始反應封包223所指定之SSL版本 43 200534653 和加密碼機構被使用。隨機數“ClientHello.random”以及 “ServerHello.random”彼此獨立地利用要求接受設備103和 伺服器裝置101被產生,而分別地作為一32-位元時間戳記 以及一 2 8位元組之隨機數(或一充分地安全的假性隨機 5 數)。分別地包含隨機數碼“ClientHello.random”以及 “ServerHello.random”之加密碼通訊開始要求封包222和加 密碼通訊開始反應封包223被發送而不需任何之加密碼。 接著伺服器裝置101發送伺服器證明資料封包214至要 求接受設備103。至要求接受設備1〇3之伺服器證明資料封 10包214的發送不必總是在加密碼通訊開始反應封包223發送 之後。只要伺服器證明資料封包214在用於要求-接受設備- 端通訊之共同密鑰產生資訊封包224的接收之前被發送,則 封包214可以在任何時序(例如,在步驟82〇6之第二連接要 求序列之前)被發送。要求接受設備1〇3之證明資訊認證處 15理部份l〇3e以相似於上述提及第5圖實例之要求發出設備 102方式,使用被儲存於設備1〇3中之CA共用密鑰^而確認 被包3於發送伺服器證明資料包214中之飼服器明資料幻 是否為有效。 當利用證明資訊認證處理部份103e確認被包含於被發 20送的飼服器證明資料65為有效時,要求接受設備1〇3開始一 共同密鑰產生資訊交換步驟,其包含供用於要求-接受設備 •端通訊之共同密鍮產生資峨以及供詩魏器-裝置-端 通訊之共用密鍮產生資訊Μ的發送和接收。 在共同密鑰產生資訊交換步财,要求接受設備1〇3 44 200534653 首先利用設備103之加密碼通訊處理部份1 〇3e以產生供用 於要求-接受設備-端通訊之共用密鑰產生資訊81。此外,要 求接受設備103使用藉由TCP連接開始封包221所被建立之 TCP連接而發送供用於要求-接受設備-端通訊之共同密鑰 5 產生資訊封包224至伺服器裝置1〇1,其中封包224包含供用 於要求-接受設備-端通訊之被產生的共同密鑰產生資訊 81。反應供用於要求-接受設備-端通訊之被發送的共同密输 產生資訊封包224,利用伺服器裝置1〇1之加密碼通訊處理 部份101e,伺服器裝置101產生供用於伺服器_裝置_端通訊 10之共同密鑰產生資訊82。此外,伺服器裝置1〇1使用藉由 TCP連接開始封包221被建立之TCP連接而發送供用於词服 器-裝置-端通訊之共同密鑰產生資訊封包225至要求發出設 備102,其中封包225包含供用於伺服器-裝置·端通訊而被產 生之共同密鑰產生資訊82。依據共同密鑰產生資訊81和 15 82,要求發出設備1〇2和伺服器裝置101分別地利用它們的 加密碼通訊處理部份l〇2e和101e而產生通訊用之相同共同 达鑰83。RSA加密碼機構、Diffie-Hellman加密碼機構、或 其類似者被使用,而以相似於步驟S2〇3之第一連接要求序 列方式產生通訊用之共同密鑰83。被產生之共同密鑰產生 20身訊81和82的片段分別地在要求接受設備103和伺服器妒 置1〇1之間被交換。藉由分別地使用共同密鑰產生資訊81和 82的這些片段,要求接受設備1〇3和伺服器裝置1〇1之加密 碼通訊處理部份l〇3e和1〇16產生將被使用作為稍後通訊之 密鑰的通訊用之共同密鑰83。 45 200534653 接著,可能共用供用於在要求接受設備103和伺服器裝 置101之間通訊之共同密鑰83。伺服器裝置1〇1和要求接受 設備103使用該通訊用之共同密鑰83以加密碼且解密碼連 接要求封包226,並且這導致秘密通訊可在它們之間被執 5行。換言之,在第一連接要求封包217的接收之後且在第二 連接要求封包226的發送之前,當在要求接受設備1〇3和伺 服器裝置101之間共用通訊用之共同密鑰83被完成時,伺服 器裝置101導致裝置101之加密碼通訊處理部份1〇4使用通 訊用之共同密鑰83以加密碼包含被包含於連接要求封包 10 217中之要求接受設備103的密碼,以及將被使用於通訊之 徑由器裝置l〇4a的廣域IP位址“4.17.168.2”和接埠數目 “5〇〇〇”。伺服器裝置1〇1產生具有這被包含作為有效裝載之 被加密碼的資料之連接要求封包226,並且使用藉由TCP連 接開始封包221被建立之TCP連接以發送該被產生之連接 15要求封包226至要求接受設備103作為對於設備註冊封包 201之反應信號。更明確地說,使用伺服器裝置1〇1的設備 
資訊列表中而在第2圖展示之步驟S204被辨識作為要求接 受設備103之IP位址和接埠數作為目的地,伺服器裝置1〇1 發送第8D圖展示之連接要求封包226至徑由器裝置1〇4b。此 20外’控由器裝置l〇4b執行該被接收之連接要求封包226的 NAPT處理程序,並且發送第gc圖展示之已接受該NAPT處 理的連接要求封包226至要求接受設備103。另一方面,使 用在伺服器裝置101和要求接受設備103之間被建立的TCP 連接’要求接受設備103從伺服器裝置101接收包含作為秘 46 200534653 密資訊之被加密碼的資料之連接要求封包226。反應於封包 226之接收,要求接受設備1〇3導致設備1〇3之加密碼通訊處 理部份103e使用供用於通訊之共同密鑰83以解密碼被加密 碼之資料。以此方式,供通知要求發出設備102要求執行與 5要求接受設備103通訊之資料的連接要求訊息終於從要求 發出設備102被發送至要求接受設備1〇3。 再參看第2圖,要求接受設備103鑑定被包含於連接要 求封包226中之密碼是否與被儲存於要求接受設備1〇3内部 列表記憶體l〇3m中的要求接受設備1〇3密碼相符,並且因 10此,在步驟S207是否為有效。僅當密碼是有效時,要求接 受設備103方發送TCP連接開始封包208至徑由器裝置l〇4a 作為一通訊要求信號,其要求利用被包含於連接要求封包 226中之相關的IP位址“4.17· 168.2”和接埠數目“5000,,之要 求發出設備102的TCP連接而開始在要求發出設備1〇2和要 15求接受設備103之間的通訊。TCP連接開始封包208如上所 述地利用徑由器裝置104a之NAPT功能而抵達要求發出設 備102。要求接受設備103可因此建立與要求發出設備丨〇2之 TCP連接。 在反應於TCP連接開始封包208而要求發出設備丨02接 20受在要求發出設備102和要求接受設備103之間的通訊之 後,要求發出設備102和要求接受設備1〇3可使用藉由TCP 連接開始封包208而被建立之TCP連接以執行步驟S209之 資料通訊序列。 以此方式,藉由使用伺服器裝置101,資料通訊可在要 47 200534653 求發出設備102和要求接受設備i〇3之間被執行,設備i〇2和 設備103分別地各具有私用ip位址且被置放在LAN 106a和 LAN 106b之不同的LAN上。 即使要求發出設備102擁有廣域IP位址且直接地被連 5 接到網際網路(WAN)105,在要求發出設備102和要求接受 設備103之間的通訊可經由上述之相同操作而被執行。進一 步地,即使要求接受設備103擁有廣域IP位址且直接地被連 接到網際網路(WAN)105,在要求發出設備1〇2和要求接受 設備103之間的通訊仍可經由上述之相同操作而被執行。於 10任何情況中,除了控由器裝置不進行IP位址和接埠數目的 轉化之外,上述之相同操作被執行。 於本發明之較佳實施例中,伺服器裝置101、要求發出 没備102、以及要求接受設備1〇3被連接到網際網路 (WAN)105。但是,本發明較佳實施例不受限制於此。伺服 15器裝置101、要求發出設備1〇2、以及要求接受設備103仍可 以被構成而連接到其他的開放網路和專用網路之一或兩 此外,即使各徑由器裝置10知和1〇4b不包含ΝΑρτ功能 而僅包含NAT功能,則在要求發出設備1〇2和要求接受設備 20 103之間的通訊仍可利用如上所述的相同操作而被執行。於 這情況中,徑由器袈置购和10仙各不進行接璋數碼之轉 化。 要求發出設備10 2可以總是保持著如第6圖展示之 NAPT列表㈣設㈣以滅Tcp連㈣始封包細之正位 48 200534653 址和接埠數碼的組合,或當在步驟S2〇3之第一連接要求順 序毛i^TCP連接開始封包211時可以於ΝΑρτ列表中設定這 、、a並且¥ 70成步驟S209之資料通訊序列時則自ΝΑΡΤ列 表€1除這、、且σ。NAPT列表之設定可能使用靜態ΝΑρτ或其 5功能,例如,通用的隨插即用而達成。 更進^地,在步驟S203第一連接要求順序利用TCp 連接開始封包211經由TCP連接而被開始之通訊以及在步 驟S203第一連接要求順序利用Tcp連接開始封包如經由 tcp連接而被開始之通訊可以使用不同於ssl之一加密碼 1〇通訊機構而被建立。另外地,在步驟湖和S206之TCP通 σίΙ加欲碼可以被省略。於後面情況中,在步驟s加,要求 發出設備102可以在發送TCP連接開始爿包211之後很快地 發送連接要求封包217,因而建立Tcp連接。在步驟讓, 祠服器裝置101可以在接收TCP連接開始封包221之後很快 15地發送連接要求封包226。 在步驟S209之資料通訊序列的處理可以使用加密碼連 
Common key master-secret =
    MD5(PMS || SHA('A'   || PMS || ClientHello.random || ServerHello.random)) ||
    MD5(PMS || SHA('BB'  || PMS || ClientHello.random || ServerHello.random)) ||
    MD5(PMS || SHA('CCC' || PMS || ClientHello.random || ServerHello.random))      (1)

In equation (1), "||" denotes concatenation of bit sequences and PMS is the pre-master secret. The request issuing device 102 and the server device 101 then use the common key "master-secret" computed by equation (1) as the common key 73 for communication, encrypting and decrypting the connection request packet 217 with it, so that secret communication can be performed. In other words, once the common key 73 for communication has been shared between the request issuing device 102 and the server device 101, the request issuing device 102 causes its encrypted communication processing section 102e, before the first connection request packet 217 is sent, to encrypt with the common key 73 the data containing the device ID of the connection target (the request accepting device 103), the password of the request accepting device 103, and the IP address and port number of the request issuing device 102 to be used for the communication. Note that the IP address and port number of the request issuing device 102 here are the wide-area IP address and WAN-side port number of the request-issuing-side LAN 106a containing the request issuing device 102, that is, the WAN-side wide-area IP address and WAN-side port number of the router device 104a. The request issuing device 102 generates the connection request packet 217 with the encrypted data as its payload and sends it to the server device 101 over the TCP connection established by the TCP connection start packet 211. More specifically, the request issuing device 102 sends the connection request packet 217 shown in Fig. 7C to the router device 104a. The router device 104a performs NAPT processing on the received connection request packet 217 and sends the NAPT-processed connection request packet 217 (shown in Fig. 7D) to the server device 101.
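The derivation of equation (1) is the SSL 3.0 master-secret construction: three MD5 blocks, each keyed by a growing label and an inner SHA-1 over the pre-master secret and both Hello randoms. The following is an added example written for this page, not code from the patent or its applicant; it assumes the labels are the SSL 3.0 values 'A', 'BB', 'CCC' (the page shows them OCR-garbled) and that SHA in equation (1) is SHA-1. The `key_block` function goes beyond the page and shows how SSL 3.0 expands the master secret with the same construction, and `hello_random` builds the 32-bit timestamp plus 28 random bytes the page describes for ClientHello.random and ServerHello.random. The construction is shown only to make the equation concrete; SSL 3.0 itself, and this MD5/SHA-1 derivation, are deprecated (RFC 7568), and a new design would use TLS 1.2 or later.

```python
import hashlib
import os
import struct
import time

# Labels of equation (1). The page shows them OCR-garbled ("6A?", "BB?", "4CCC?");
# the values below are the SSL 3.0 labels 'A', 'BB', 'CCC' (assumption stated in the lead-in).
MASTER_SECRET_LABELS = (b"A", b"BB", b"CCC")


def ssl3_prf(secret, first_random, second_random, labels):
    """Equation (1) in general form: for each label L one 16-byte block
    MD5(secret || SHA1(L || secret || first_random || second_random)),
    with the blocks concatenated in label order."""
    out = b""
    for label in labels:
        inner = hashlib.sha1(label + secret + first_random + second_random).digest()
        out += hashlib.md5(secret + inner).digest()
    return out


def master_secret(pms, client_random, server_random):
    """The common key 'master-secret' of equation (1): 48 bytes derived from the
    pre-master secret PMS, ClientHello.random and ServerHello.random.  Both
    device 102 and server 101 run this on identical inputs and obtain key 73."""
    if len(pms) != 48:
        raise ValueError("SSL 3.0 pre-master secret is 48 bytes")
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("Hello randoms are 32 bytes: 4-byte time + 28 random bytes")
    return ssl3_prf(pms, client_random, server_random, MASTER_SECRET_LABELS)


def key_block(master, client_random, server_random, nbytes):
    """Beyond the page: SSL 3.0 expands the master secret into the key block with
    the same construction, labels 'A', 'BB', 'CCC', 'DDDD', ... and the randoms in
    the order ServerHello.random || ClientHello.random (RFC 6101, section 6.2.2)."""
    nblocks = (nbytes + 15) // 16
    labels = [bytes([ord("A") + i]) * (i + 1) for i in range(nblocks)]
    return ssl3_prf(master, server_random, client_random, labels)[:nbytes]


def hello_random(now=None):
    """A Hello random as the page describes it: a 32-bit timestamp followed by
    28 bytes that must come from a CSPRNG (os.urandom), never a weak PRNG."""
    ts = int(time.time()) if now is None else int(now)
    return struct.pack(">I", ts & 0xFFFFFFFF) + os.urandom(28)


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    pms = os.urandom(48)
    cr, sr = hello_random(), hello_random()
    ms = master_secret(pms, cr, sr)
    print("master secret:", ms.hex())
    print("key block    :", key_block(ms, cr, sr, 40).hex())
```

Because ClientHello.random and ServerHello.random are sent in the clear (packets 222 and 223), the secrecy of key 73 rests entirely on PMS; only the party holding the server's private key (RSA) or the matching Diffie-Hellman secret can recover it, which is why the certificate check of Fig. 5 must succeed before PMS is sent.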
The server device 101, for its part, receives the connection request packet 217 containing the encrypted data as secret information from the request issuing device 102 over the TCP connection established between the server device 101 and the request issuing device 102. In response to receiving packet 217, the server device 101 causes its encrypted communication processing section 101e to decrypt the encrypted data using the common key 73 for communication.

When the TCP connection start packet 208 and the packets of the data communication sequence of step S209 (described later) are sent and received, the WAN-side wide-area IP address and WAN-side port number of the router device 104a written in the connection request packet 217 are used. In other words, the request issuing device 102 receives the TCP connection start packet 208 from the request accepting device 103, and a TCP connection is established between the devices 102 and 103. When the request issuing device 102 uses this TCP connection to send and receive the packets of the data communication sequence of step S209 (described later), the WAN-side wide-area IP address and WAN-side port number of the router device 104a are written in the packets sent and received. The WAN-side wide-area IP address and WAN-side port number of the router device 104a written in a packet are translated into the private IP address and port number of the request issuing device 102 by the NAPT function of the router device 104a, and vice versa.

If the request issuing device 102 receives the TCP connection start packet 208 from the request accepting device 103 on a given port number (for example, "1600"), the NAPT list of the router device 104a is as shown in Fig. 6.

The second row of the NAPT list shown in Fig. 6 is the translation entry used when the request issuing device 102 receives the TCP connection start packet 208 from the request accepting device 103 and the packets of the later data communication sequence of step S209. The request accepting device 103 sends the TCP connection start packet 208, addressed to the wide-area IP address "4.17.168.2" and port number "5000", to the router device 104a in order to establish a TCP connection. The IP address and port number written in the TCP connection start packet 208 are then translated by the NAPT function of the router device 104a into the private IP address of the request issuing device 102 and the corresponding port number of the router device 104a, respectively. The request accepting device 103 can thus establish a TCP connection with the request issuing device 102.

When it receives the connection request packet 217, the server device 101 refers to the sets of device information in the device information list stored in its internal list memory 101m, as shown in Fig. 9, and in step S204 searches the device information list for the device ID "2133" of the request accepting device 103 contained in the received connection request packet 217. If a device ID matching "2133" is found in the device information list, the server device 101 identifies the device whose device information contains the device ID "2133" as the connection-target request accepting device 103. The server device 101 further identifies the IP address and port number contained in the device information of the identified request accepting device 103 as the IP address and port number of the request accepting device 103.
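The NAPT behaviour described above decides whether packet 208 ever reaches the request issuing device 102: the router rewrites the source address and port of outbound packets, and forwards an inbound packet only if its destination port matches a table entry. The following is an added example written for this page, not code from the patent or its applicant; it models a Fig. 6 style table on router 104a with the page's WAN address "4.17.168.2" and WAN port 5000. The private address 192.168.0.102 of device 102, the private port 1600 and the source port of packet 208 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port number)


@dataclass(frozen=True)
class Packet:
    src: Endpoint        # SA, SP
    dst: Endpoint        # DA, DP
    proto: str = "tcp"


class NaptRouter:
    """NAPT table of the kind shown in Fig. 6: private (IP, port) <-> WAN port
    on the router's single wide-area IP address."""

    def __init__(self, wan_ip: str):
        self.wan_ip = wan_ip
        self.outbound: Dict[Endpoint, int] = {}   # private endpoint -> WAN port
        self.inbound: Dict[int, Endpoint] = {}    # WAN port -> private endpoint
        self._next_port = 5000

    def add_static(self, private: Endpoint, wan_port: int) -> None:
        """A static entry (what static NAPT or UPnP creates) so that an unsolicited
        inbound packet such as TCP connection start packet 208 can be delivered."""
        if wan_port in self.inbound:
            raise ValueError(f"WAN port {wan_port} already mapped")
        self.outbound[private] = wan_port
        self.inbound[wan_port] = private

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """Outbound: rewrite SA/SP to the WAN IP and a WAN port, creating a
        dynamic entry the first time a private endpoint is seen."""
        if pkt.src not in self.outbound:
            while self._next_port in self.inbound:
                self._next_port += 1
            self.add_static(pkt.src, self._next_port)
        return Packet((self.wan_ip, self.outbound[pkt.src]), pkt.dst, pkt.proto)

    def wan_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Inbound: rewrite DA/DP back to the private endpoint.  With no matching
        entry the packet is dropped (None): this is why device 102 is not reachable
        directly and the rendezvous through server device 101 is needed."""
        if pkt.dst[0] != self.wan_ip:
            return None
        private = self.inbound.get(pkt.dst[1])
        if private is None:
            return None
        return Packet(pkt.src, private, pkt.proto)


def demo() -> Tuple[Optional[Packet], Optional[Packet]]:
    """Constructed scenario: packet 208 hits the mapped WAN port and is delivered;
    a packet to an unmapped WAN port is dropped by the router."""
    router_104a = NaptRouter("4.17.168.2")
    router_104a.add_static(("192.168.0.102", 1600), 5000)   # Fig. 6, second row
    syn_208 = Packet(("202.204.16.13", 3400), ("4.17.168.2", 5000))
    unsolicited = Packet(("202.204.16.13", 3400), ("4.17.168.2", 6000))
    return router_104a.wan_to_lan(syn_208), router_104a.wan_to_lan(unsolicited)


if __name__ == "__main__":
    delivered, dropped = demo()
    print("packet 208 delivered to:", delivered.dst if delivered else None)
    print("unmapped port result   :", dropped)
```

The same table serves the reverse direction: an outbound packet from device 102 through `lan_to_wan` leaves with source "4.17.168.2":5000, which is exactly the address written into the payload of packet 217 for the request accepting device 103 to connect back to.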
The server device 101 does not immediately send the IP address and port number of the request issuing device 102 and the password of the request accepting device 103 contained in the received connection request packet 217 to the request accepting device 103. Instead, the server device 101 sends a connection request notification packet 205 by UDP to the IP address "202.204.16.13" and port number "3400" of the request accepting device 103 (contained in the same device information as the device ID "2133") as its destination. The connection request notification packet 205 is sent to the router device 104b as a response signal to the device registration packet 201. The router device 104b translates the IP address and port number, and the packet 205 containing the translated IP address and port number thus reaches the request accepting device 103. As shown in Figs. 8A and 8B, the connection request notification packet 205 contains a connection request notification flag indicating that the packet is a connection request notification.

When it receives the connection request notification packet 205, the request accepting device 103 executes the second connection request sequence of step S206 between the request accepting device 103 and the server device 101.

Fig. 4 is a sequence diagram showing the second connection request sequence of step S206. In the second connection request sequence of step S206, as in the first connection request sequence of step S203, secret information must be sent, namely the password of the request accepting device 103 and the IP address and port number of the request issuing device 102. For this reason, SSL is used to encrypt the secret information in the preferred embodiment. It is assumed that the request accepting device 103 further includes an encrypted communication processing section 103e and a certificate information authentication processing section. The encrypted communication processing section 103e of the device 103 generates the common key 83 for communication, used to encrypt and decrypt the signals to be sent and received, and uses the generated common key 83 to encrypt and decrypt the signals sent to and received from the server device 101. The certificate information authentication processing section of the device 103 verifies whether the server certificate data 65 is valid. The second connection request sequence of step S206 for secret communication between the server device 101 and the request accepting device 103 is executed as follows.

In the SSL communication, the request accepting device 103, acting as the client, first sends a TCP connection start packet 221 to the server device 101 via the router device 104b, requesting that communication with the server device 101 be started over a TCP connection. When the TCP connection start packet 221 passes through the router device 104b, the router device 104b translates the SA and SP of the packet 221 using the NAPT function used when the device registration packet 201 was sent. Conversely, when it receives a packet addressed to the request accepting device 103, the router device 104b applies to the DA of the packet the reverse of the translation performed on the SA, applies to the DP of the packet the reverse of the translation performed on the SP, and then forwards the resulting packet to the request accepting device 103. For simplicity, the NAPT processing of the router device 104b is not described further. In practice, however, whenever the request accepting device 103 sends or receives a packet, it always does so via the router device 104b, and the router device 104b performs NAPT processing on that packet.

Next, the request accepting device 103 and the server device 101 perform a cipher specification negotiation step, in which they check with each other the specification of the cipher mechanism to be used in the secret communication. The request accepting device 103 first uses the TCP connection established by the TCP connection start packet 221 to send an encrypted communication start request packet (hereinafter "client hello packet") 222 to the server device 101. The client hello packet 222 contains the usable SSL version, a list of usable cipher mechanisms, a session ID and the like, together with a random number ClientHello.random generated by the request accepting device 103. On receiving the client hello packet 222 from the request accepting device 103, the server device 101 uses the TCP connection established by the packet 221 to send an encrypted communication start response packet (hereinafter "server hello packet") 223 to the request accepting device 103. The server hello packet 223 contains the SSL version to be used (the latest version supported by both the request accepting device 103 and the server device 101), the session ID, the cipher mechanism to be used and the like, together with a random number ServerHello.random generated by the server device 101. In the remainder of the second connection request sequence of step S206, the SSL version and cipher mechanism specified by the server hello packet 223 are used. The random numbers ClientHello.random and ServerHello.random are generated independently by the request accepting device 103 and the server device 101 respectively, each as a 32-bit timestamp followed by a 28-byte random number (or a sufficiently secure pseudo-random number). The client hello packet 222 and the server hello packet 223, containing ClientHello.random and ServerHello.random respectively, are sent without any encryption.

The server device 101 next sends a server certificate data packet 214 to the request accepting device 103. The server certificate data packet 214 need not always be sent after the server hello packet 223; as long as it is sent before the reception of the common key generation information packet 224 for request-accepting-device-side communication, it may be sent at any time (for example, before the second connection request sequence of step S206). The certificate information authentication processing section of the request accepting device 103, in the same manner as the request issuing device 102 in the example of Fig. 5 described above, verifies that the server certificate data 65 contained in the server certificate data packet 214 is valid, using the CA key stored in the device 103.

When the certificate information authentication processing section confirms that the received server certificate data 65 is valid, the request accepting device 103 starts a common key generation information exchange step, which consists of sending and receiving the common key generation information 81 for request-accepting-device-side communication and the common key generation information 82 for server-device-side communication.

In the common key generation information exchange step, the request accepting device 103 first uses its encrypted communication processing section 103e to generate the common key generation information 81 for request-accepting-device-side communication. The request accepting device 103 then sends, over the TCP connection established by the TCP connection start packet 221, a common key generation information packet 224 for request-accepting-device-side communication containing the generated information 81 to the server device 101. In response to the packet 224, the server device 101 uses its encrypted communication processing section 101e to generate the common key generation information 82 for server-device-side communication, and sends, over the same TCP connection, a common key generation information packet 225 for server-device-side communication containing the information 82 to the request accepting device 103. Based on the common key generation information 81 and 82, the request accepting device 103 and the server device 101 each generate the same common key 83 for communication using their encrypted communication processing sections 103e and 101e. An RSA cipher mechanism, a Diffie-Hellman cipher mechanism or the like is used, and the common key 83 is generated in the same manner as in the first connection request sequence of step S203. That is, the generated pieces of common key generation information 81 and 82 are exchanged between the request accepting device 103 and the server device 101, and from these two pieces the encrypted communication processing sections 103e and 101e derive the common key 83, which is used as the key for the subsequent communication.

The common key 83 for communication can now be shared between the request accepting device 103 and the server device 101. The server device 101 and the request accepting device 103 use the common key 83 to encrypt and decrypt the connection request packet 226, so that secret communication is possible between them. In other words, after the reception of the first connection request packet 217 and before the transmission of the second connection request packet 226, once the sharing of the common key 83 between the request accepting device 103 and the server device 101 is complete, the server device 101 causes its encrypted communication processing section 101e to encrypt with the common key 83 the data containing the password of the request accepting device 103 (taken from the connection request packet 217) and the wide-area IP address "4.17.168.2" and port number "5000" of the router device 104a to be used for the communication. The server device 101 generates the connection request packet 226 with this encrypted data as its payload and sends it to the request accepting device 103, over the TCP connection established by the TCP connection start packet 221, as a response signal to the device registration packet 201. More specifically, using as the destination the IP address and port number of the request accepting device 103 identified in step S204 of Fig. 2 from the device information list of the server device 101, the server device 101 sends the connection request packet 226 shown in Fig. 8D to the router device 104b. The router device 104b performs NAPT processing on the received connection request packet 226 and sends the NAPT-processed connection request packet 226 shown in Fig. 8C to the request accepting device 103. The request accepting device 103 thus receives, over the TCP connection established between the server device 101 and the request accepting device 103, the connection request packet 226 containing the encrypted data as secret information.

In response to receiving the packet 226, the request accepting device 103 causes its encrypted communication processing section 103e to decrypt the encrypted data using the common key 83 for communication. In this way, the connection request message notifying that the request issuing device 102 requests communication with the request accepting device 103 is finally delivered from the request issuing device 102 to the request accepting device 103.

Referring again to Fig. 2, in step S207 the request accepting device 103 checks whether the password contained in the connection request packet 226 matches the password of the request accepting device 103 stored in its internal list memory 103m, that is, whether the password is valid. Only when the password is valid does the request accepting device 103 send a TCP connection start packet 208 to the router device 104a as a communication request signal, requesting that communication between the request issuing device 102 and the request accepting device 103 be started over a TCP connection to the request issuing device 102 at the IP address "4.17.168.2" and port number "5000" contained in the connection request packet 226. The TCP connection start packet 208 reaches the request issuing device 102 through the NAPT function of the router device 104a as described above, and the request accepting device 103 can thus establish a TCP connection with the request issuing device 102.

After the request issuing device 102, in response to the TCP connection start packet 208, accepts the communication between the request issuing device 102 and the request accepting device 103, the two devices can execute the data communication sequence of step S209 over the TCP connection established by the TCP connection start packet 208.
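The steps S204 to S207 above form the access-control core of the scheme: the server relays the password and the issuer's address only inside the SSL-protected second sequence (never in the unencrypted UDP notification 205), and the request accepting device 103 opens the TCP connection of packet 208 only after the password check passes. The following is an added example written for this page, not code from the patent or its applicant; it models that three-party flow with the page's device ID "2133", registered endpoint "202.204.16.13":3400 and issuer endpoint "4.17.168.2":5000. The password "s3cret", the class and field names and the use of a constant-time comparison are assumptions of this example, and the SSL encryption of the two legs is left out.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port number)


@dataclass(frozen=True)
class ConnectionRequest217:
    """Decrypted payload of connection request packet 217 (issuer -> server)."""
    target_device_id: str
    target_password: str
    issuer_endpoint: Endpoint       # WAN address/port of router 104a


@dataclass(frozen=True)
class Notification205:
    """Connection request notification, sent by UDP without encryption.
    Deliberately carries only a flag: no password, no issuer address."""
    flag: str = "connection_request_notification"


@dataclass(frozen=True)
class ConnectionRequest226:
    """Payload of connection request packet 226, carried only inside the SSL leg
    between server 101 and request accepting device 103."""
    target_password: str
    issuer_endpoint: Endpoint


class RendezvousServer:
    """Server device 101: device information list (Fig. 9) and step S204."""

    def __init__(self, device_list: Dict[str, Endpoint]):
        self.device_list = device_list                  # device ID -> registered (IP, port)
        self.pending: Dict[str, ConnectionRequest226] = {}

    def handle_217(self, req: ConnectionRequest217) -> Optional[Tuple[Endpoint, Notification205]]:
        target = self.device_list.get(req.target_device_id)
        if target is None:
            return None                                  # unknown device ID: nothing relayed
        # Secrets are held back until the target has completed its own SSL sequence (S206).
        self.pending[req.target_device_id] = ConnectionRequest226(
            req.target_password, req.issuer_endpoint)
        return target, Notification205()

    def handle_second_sequence(self, device_id: str) -> Optional[ConnectionRequest226]:
        """Called once key 83 is shared with the device that answered notification 205."""
        return self.pending.pop(device_id, None)


class RequestAcceptingDevice:
    """Request accepting device 103: the password check of step S207."""

    def __init__(self, device_id: str, password: str):
        self.device_id = device_id
        self._password = password                       # stored in list memory 103m

    def handle_226(self, req: ConnectionRequest226) -> Optional[Endpoint]:
        # Constant-time comparison; only a valid password releases packet 208.
        if not hmac.compare_digest(req.target_password.encode(), self._password.encode()):
            return None
        return req.issuer_endpoint                      # destination of TCP start packet 208


def run_flow(password_offered: str) -> Optional[Endpoint]:
    """Constructed end-to-end run: returns where device 103 will send packet 208,
    or None if the request is refused at step S204 or S207."""
    server = RendezvousServer({"2133": ("202.204.16.13", 3400)})
    device_103 = RequestAcceptingDevice("2133", "s3cret")
    step = server.handle_217(ConnectionRequest217("2133", password_offered, ("4.17.168.2", 5000)))
    if step is None:
        return None
    _target, _notification = step                       # UDP 205 goes to _target
    req_226 = server.handle_second_sequence("2133")     # after S206 key exchange
    return None if req_226 is None else device_103.handle_226(req_226)


if __name__ == "__main__":
    print("valid password  ->", run_flow("s3cret"))
    print("wrong password  ->", run_flow("wrong"))
```

Note that the server sees the password of device 103 in the clear after decrypting packet 217, so the scheme trusts the server device 101 with the device's credential; this is inherent to the relay design described in the patent.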
In this way, by using the server device 101, data communication can be performed between the request issuing device 102 and the request receiving device i03 Implementation, the device 102 and the device 103 each have a private IP address and are placed on different LANs of the LAN 106a and the LAN 106b. Even if it is required that the device 102 has a wide-area IP address and is directly connected 5 After receiving the Internet (WAN) 105, communication between the request issuing device 102 and the request receiving device 103 can be performed by the same operation as described above. Further, even if the request receiving device 103 has a wide area IP address and Directly connected to the Internet (WAN) 105, the communication between the requesting device 102 and the request receiving device 103 can still be performed by the same operation as above. In any case except the controller The device does not perform the conversion of the IP address and the number of ports, and the same operations described above are performed. In a preferred embodiment of the present invention, the server device 101, the request device 102, and the request device 103 Is connected to the Internet (WAN) 105. However, the preferred embodiment of the present invention is not limited to this. The server device 101, the request issuing device 102, and the request receiving device 103 can still be configured to be connected to other One or both of the open network and the private network In addition, even if the routers 10 and 10b do not include the NAT function and only the NAT function, the requesting device 102 and the requesting device 20 103 Inter-communication can still be performed using the same operation as described above. In this case, the device is purchased and 10 cents are not converted into digital. The requesting device 102 can always maintain the same as The NAPT list shown in Figure 6 is set to clear the TCP packet and start the packet in the correct position. 
48 200534653 The combination of the address and the port number, or when the first connection request sequence in step S203 starts. When the packet 211 can be set in the NAPT list, this, a, and ¥ 70 become the data communication sequence of step S209, and this is divided from the NAPT list by € 1, and σ. The NAPT list may be set using static NAPA or its 5 functions, such as universal plug and play. Further, in step S203, the first connection request sequentially starts the communication using the TCp connection to start the packet 211 via TCP connection, and in step S203 the first connection request sequentially starts the communication using the Tcp connection to start the packet such as communication via the tcp connection. It can be established using a communication mechanism different from one of ssl plus password 10. In addition, the TCP communication σ1 plus code in step S206 and S206 can be omitted. In the latter case, at step s, the request issuing device 102 may send a connection request packet 217 soon after sending the TCP connection start packet 211, thereby establishing a Tcp connection. In step S1, the server device 101 can send a connection request packet 226 shortly after receiving the TCP connection start packet 221. The processing of the data communication sequence in step S209 can be performed using a cryptographic connection mechanism, for example, the same SSL mechanism as in steps 8202 and 8206. In addition, the data transmission and reception in step S209 can be performed using other transmission protocols such as UDP. 20 The device registration packet 2o, connection request packet 217, connection request notification packet 205, and connection request packet 226 shown in Figures 7A to 7D and 8A to 8D are for display purposes only. Other columns may be used in addition or separate columns may be provided in a different order. The IP addresses, port numbers, and equipment 1 used in Figures 1 to 9 are only 49 200534653 for display purposes. 
They may be different values.

As another preferred embodiment, the present invention can be provided as a computer-readable program including the respective processing steps shown in Figs. 2 to 4. Alternatively, the present invention can be provided as a computer-readable recording medium on which such a program is recorded. In the latter case, the program can be read by a computer or device connected to the Internet, and the steps contained in the program can be executed by that computer or device. The computer or device can then operate as all or any one of the server device 101, the request issuing device 102 and the request receiving device 103 of the preferred embodiment described above. Examples of recording media on which the program can be recorded include optical recording media such as CD-ROM and DVD-ROM, magnetic recording media such as floppy disks and hard disks, and semiconductor memories; however, the recording media are not limited to these. The program can also be distributed via a network such as the Internet.

As described above, the present invention can provide a communication system that easily realises point-to-point communication between devices that are connected to the Internet (WAN) but placed on different LANs which prohibit illegal access.

Industrial Applicability

Therefore, as explained in detail above, according to the present invention it is possible to realise point-to-point communication between a request issuing device and a request receiving device that each have a private IP address and are placed on different LANs which prohibit any illegal access. Further, according to the present invention, a program including the steps of the communication method may be provided, and a computer or device connected to the Internet may read the program and execute those steps.

[Brief description of the drawings]

Fig. 1 is a block diagram of the network configuration of a communication system according to a preferred embodiment of the present invention;
Fig. 2 is a sequence diagram showing an example of the communication sequence executed in the communication system shown in Fig. 1;
Fig. 3 is a sequence diagram showing in detail the first connection request sequence processed in step S203 shown in Fig. 2;
Fig. 4 is a sequence diagram showing in detail the second connection request sequence processed in step S206 shown in Fig. 2;
Fig. 5 is a block diagram of the certification authorization device 51, whose certification is used by the request issuing device 102 and the request receiving device 103 shown in Fig. 1 to verify whether the server device 101 is valid;
Fig. 6 is a list showing an example of the NAPT list stored in the internal list memory 104am of the router device 104a shown in Fig. 1;
Fig. 7A is an exploded view showing the configuration of the LAN-side device registration packet 201 shown in Fig. 2;
Fig. 7B is an exploded view showing the configuration of the WAN-side device registration packet 201 shown in Fig. 2;
Fig. 7C is an exploded view showing the configuration of the LAN-side connection request packet 217 shown in Fig. 3;
Fig. 7D is an exploded view showing the configuration of the WAN-side connection request packet 217 shown in Fig. 3;
Fig. 8A is an exploded view showing the configuration of the LAN-side connection request notification packet 205 shown in Fig. 2;
Fig. 8B is an exploded view showing the configuration of the WAN-side connection request notification packet 205 shown in Fig. 2;
Fig. 8C is an exploded view showing the configuration of the LAN-side connection request packet 226 shown in Fig. 4;
Fig. 8D is an exploded view showing the configuration of the WAN-side connection request packet 226 shown in Fig. 4;
Fig. 9 is a list showing an example of the device information list stored in the internal list memory 101m of the server device 101 shown in Fig. 1;
Fig. 10 is a block diagram showing a network configuration example of a prior art communication system;
Fig. 11 is a sequence diagram showing an example of a communication sequence that uses the NAPT function of the router device for communication;
Fig. 12 is a list showing an example of the NAPT list of the router device 104; and
Fig. 13 is a sequence diagram showing an example of a communication sequence executed in the communication system shown in Fig. 10.

[Description of symbols of main components]

11 … server device
12 … request issuing device
13 … request receiving device
21 … packet
23 … packet
31 … packet
34 … connection request packet (partner device ID)
36 … connection request notification packet
37 … TCP connection start packet
38 … command signal
51 … certification authorization device
52 … CA shared key
53 … CA key
54 … server certification data issuing packet
55 … CA certification data packet
61 … server key
62 … server shared key
63 … server certification data request packet
64 … signature
65 … server certification data
71 … common key generation information
72 … common key generation information
73 … common key for communication
81 … common key generation information
82 … common key generation information
83 … common key
101 … server device
101e … encrypted communication processing section
101m … internal list memory
102 … request issuing device
102c … certification information authentication processing section
102e … encrypted communication processing section
102m … internal list memory
103 … request receiving device
103c … certification information authentication processing section
103e … encrypted communication processing section
103m … internal list memory
104 … router device
104a … router device
104am … internal list memory
104b … router device
104bm … internal list memory
105 … Internet (WAN)
106a … request-issuing-side LAN
106b … request-receiving-side LAN
201 … device registration packet (own registration ID)
S201-S209 … communication sequence steps executed in the communication system
205 … connection request notification packet
208 … TCP connection start packet
211 … TCP connection start packet
214 … server certification data packet
217 … communication request packet
222 … encrypted communication start request packet
223 … encrypted communication start response packet
224 … shared key generation information packet
225 … common key generation information packet
226 … connection request packet
1051 … device ID
2133 … device ID

Claims (1)

10. Scope of patent application:

1. A server device provided in a communication system in which the server device and a plurality of devices including a request issuing device and a request receiving device are each connected to a network, the server device being operable to transfer a connection request signal from the request issuing device to the request receiving device, the server device comprising:
a device information storage device operable to store a device information list containing a set of device information for each of the plurality of devices, the set of device information containing an IP address and a port number associated with each of the plurality of devices, and a device ID of each of the plurality of devices;
wherein the server device is operable to receive a device registration signal that contains the set of device information for the request receiving device and is sent periodically from the request receiving device, and to store the set of device information for the request receiving device contained in the received device registration signal in the device information storage device;
wherein the server device is operable to receive a first TCP connection start signal sent from the request issuing device, for establishing a first TCP connection with the request issuing device;
wherein the server device is operable to receive, using the first TCP connection, a first connection request signal that contains the device ID of the request receiving device and the IP address and port number associated with the request issuing device, and that is a request from the request issuing device to the request receiving device;
wherein the server device is operable to search the device information list for the device ID of the request receiving device contained in the received first connection request signal, to identify the device whose set of device information contains a device ID matching the device ID of the request receiving device contained in the first connection request signal as the request receiving device, and to identify the IP address and port number contained in the set of device information of the identified request receiving device as the IP address and port number associated with the request receiving device on the device information list; and
wherein the server device is operable to send a second connection request signal, containing the IP address and port number associated with the request issuing device that were included in the received first connection request signal, to the identified request receiving device as a response signal to the device registration signal, with the identified IP address and the identified port number set as the destination.

2. The server device according to claim 1, wherein, after identifying the IP address and port number contained in the set of device information of the identified request receiving device as the IP address and port number associated with the request receiving device, and before sending the second connection request signal to the identified request receiving device, the server device sends a third connection request signal to the request receiving device and receives a second TCP connection start signal from the request receiving device as a response signal to the third connection request signal, so as to establish a second TCP connection with the request receiving device; and
wherein the server device is operable to send the second connection request signal to the request receiving device using the established second TCP connection.

3. The server device according to claim 2, wherein the first connection request signal further contains password information for the request receiving device; and
wherein the server device is operable to add the password information contained in the first connection request signal to the second connection request signal, and to send the second connection request signal containing the password information.

4. The server device according to claim 3, wherein the server device further comprises:
a first encrypted communication device operable to generate a first common key for communication and a second common key for communication, to decrypt received signals using the first common key for communication, and to encrypt transmitted signals using the second common key for communication; and
a certification information storage device operable to store server certification information for verifying the validity of the server device;
wherein the server device is operable to send the server certification information to the request issuing device before receiving the first connection request signal;
wherein the server device is operable to receive, using the first TCP connection, first common key generation information generated by the request issuing device in response to the server certification information, to cause the first encrypted communication device to generate second common key generation information in response to the first common key generation information, to cause the first encrypted communication device to generate the first common key for communication based on the first common key generation information and the second common key generation information, to send the second common key generation information to the request issuing device using the first TCP connection, and to cause the request issuing device to generate, based on the first common key generation information and the second common key generation information, a common key for communication identical to the first common key for communication, so as to share the first common key for communication with the request issuing device;
wherein the server device is operable to receive from the request issuing device, using the first TCP connection, the first connection request signal encrypted with the first common key for communication, and to cause the first encrypted communication device to decrypt the received first connection request signal using the first common key for communication;
wherein the server device sends the server certification information to the request receiving device before sending the second connection request signal;
wherein the server device is operable to receive, using the second TCP connection, third common key generation information generated by the request receiving device in response to the server certification information, to cause the first encrypted communication device to generate fourth common key generation information in response to the third common key generation information, to cause the first encrypted communication device to generate the second common key for communication based on the third common key generation information and the fourth common key generation information, to send the fourth common key generation information to the request receiving device using the second TCP connection, and to cause the request receiving device to generate, based on the third common key generation information and the fourth common key generation information, a common key for communication identical to the second common key for communication, so as to share the second common key for communication with the request receiving device; and
wherein, after receiving the first connection request signal and before sending the second connection request signal, the server device causes the first encrypted communication device to encrypt the second connection request signal using the second common key for communication.

5. A request issuing device provided in a communication system in which a server device and a plurality of devices including the request issuing device and a request receiving device are each connected to a network, the request issuing device being operable to communicate with the server device and the request receiving device;
wherein the request issuing device is operable to send a first TCP connection start signal to the server device for establishing a first TCP connection with the server device;
wherein the request issuing device is operable to send a first connection request signal to the server device using the first TCP connection, the first connection request signal containing a device ID of the request receiving device and an IP address and a port number associated with the request issuing device, and being a request to the request receiving device; and
wherein, after receiving from the request receiving device a communication request signal requesting communication between the request issuing device and the request receiving device, the request issuing device accepts the communication between the request issuing device and the request receiving device in response to the communication request signal and starts communication with the request receiving device.

6. The request issuing device according to claim 5, wherein the first connection request signal further contains password information for the request receiving device.

7. The request issuing device according to claim 6, further comprising:
a second encrypted communication device operable to generate a first common key for communication and to encrypt transmitted signals using the first common key for communication; and
a first certification information authentication device operable to authenticate server certification information for verifying the validity of the server device;
wherein the request issuing device is operable to receive the server certification information from the server device before sending the first connection request signal;
wherein the request issuing device is operable to authenticate the received server certification information by means of the first certification information authentication device and to confirm whether the received server certification information is valid;
wherein, when the received server certification information is confirmed to be valid, the request issuing device causes the second encrypted communication device to generate first common key generation information, sends the generated first common key generation information to the server device using the first TCP connection, receives from the server device, using the first TCP connection, second common key generation information generated in response to the first common key generation information, causes the second encrypted communication device to generate the first common key for communication based on the first common key generation information and the second common key generation information, and causes the server device to generate, based on the first common key generation information and the second common key generation information, a common key for communication identical to the first common key for communication, so as to share the first common key for communication with the server device;
wherein, before sending the first connection request signal, the request issuing device causes the second encrypted communication device to encrypt the first connection request signal using the first common key for communication; and
wherein the request issuing device is operable to send the encrypted first connection request signal to the server device using the first TCP connection.

8. A request receiving device provided in a communication system in which a server device and a plurality of devices including a request issuing device and the request receiving device are each connected to a network, the request receiving device being operable to communicate with the server device and the request issuing device, the request receiving device comprising:
a device ID storage device operable to store a device ID of the request receiving device;
wherein the request receiving device is operable to periodically send a device registration signal containing the device ID of the request receiving device to the server device;
wherein the request receiving device is operable to receive from the server device, as a response signal to the device registration signal, a second connection request signal containing an IP address and a port number associated with the request issuing device;
wherein the request receiving device is operable to send a communication request signal requesting communication between the request receiving device and the request issuing device to the request issuing device represented by the IP address and the port number contained in the received second connection request signal; and
wherein, after the request issuing device accepts the communication between the request receiving device and the request issuing device in response to the communication request signal, the request receiving device starts communication with the request issuing device.

9. The request receiving device according to claim 8, wherein, after sending the device registration signal to the server device and before receiving the second connection request signal, the request receiving device receives a third connection request signal from the server device as a response signal to the device registration signal, and sends a second TCP connection start signal to the server device as a response signal to the third connection request signal so as to establish a second TCP connection with the server device; and
wherein the request receiving device is operable to receive the second connection request signal from the server device using the established second TCP connection.

10. The request receiving device according to claim 9, further comprising:
a password information storage device operable to store password information for the request receiving device;
wherein the request receiving device is operable to receive from the server device, using the second TCP connection, a second connection request signal that further contains password information; and
wherein the request receiving device is operable to send the communication request signal to the request issuing device only when the password information contained in the second connection request signal matches the password information for the request receiving device stored in the password information storage device.

11. The request receiving device according to claim 10, further comprising:
a third encrypted communication device operable to generate a second common key for communication and to decrypt received signals using the second common key for communication; and
a second certification information authentication device operable to authenticate server certification information for verifying the validity of the server device;
wherein, before receiving the second connection request signal, the request receiving device receives the server certification information from the server device;
wherein the request receiving device is operable to cause the second certification information authentication device to authenticate the received server certification information so as to confirm whether the received server certification information is valid;
wherein, when the received server certification information is confirmed to be valid, the request receiving device causes the third encrypted communication device to generate third common key generation information, sends the generated third common key generation information to the server device using the second TCP connection, receives from the server device, using the second TCP connection, fourth common key generation information generated in response to the third common key generation information, causes the third encrypted communication device to generate the second common key for communication based on the second common key generation information and the fourth common key generation information, and causes the server device to generate, based on the third common key generation information and the fourth common key generation information, a common key for communication identical to the second common key for communication, so as to share the second common key for communication with the server device; and
wherein the request receiving device is operable to receive from the server device, using the second TCP connection, the second connection request signal encrypted with the second common key for communication, and to cause the third encrypted communication device to decrypt the received second connection request signal using the second common key for communication.

12. A communication system comprising:
the server device according to claim 1; and
a plurality of devices including the request issuing device according to claim 5 and the request receiving device according to claim 8;
wherein each of the plurality of devices and the server device are connected to a network.

13. A communication system comprising:
the server device according to claim 2; and
a plurality of devices including the request issuing device according to claim 5 and the request receiving device according to claim 9;
wherein each of the plurality of devices and the server device are connected to a network.

14. A communication system comprising:
the server device according to claim 3; and
a plurality of devices including the request issuing device according to claim 6 and the request receiving device according to claim 10;
wherein each of the plurality of devices and the server device are connected to a network.

15. A communication system comprising:
the server device according to claim 4; and
a plurality of devices including the request issuing device according to claim 7 and the request receiving device according to claim 11;
wherein each of the plurality of devices and the server device are connected to a network.

16. A communication method using a server device provided in a communication system in which the server device and a plurality of devices including a request issuing device and a request receiving device are each connected to a network, the server device being operable to transfer a connection request signal from the request issuing device to the request receiving device;
wherein the server device comprises a device information storage device operable to store a device information list containing a set of device information for each of the plurality of devices, the set of device information containing an IP address and a port number associated with each of the plurality of devices, and a device ID of each of the plurality of devices;
wherein the communication method comprises:
receiving a device registration signal that contains a set of device information for the request receiving device and is sent periodically from the request receiving device, and storing the set of device information for the request receiving device contained in the received device registration signal in the device information storage device;
receiving a first TCP connection start signal sent from the request issuing device to establish a first TCP connection with the request issuing device;
receiving, using the first TCP connection, a first connection request signal that contains the device ID of the request receiving device and the IP address and port number associated with the request issuing device, and that is a request from the request issuing device to the request receiving device;
searching the device information list for the device ID of the request receiving device contained in the received first connection request signal, identifying the device whose set of device information contains a device ID matching the device ID of the request receiving device contained in the first connection request signal as the request receiving device, and identifying the IP address and port number contained in the set of device information of the identified request receiving device as the IP address and port number associated with the request receiving device on the device information list; and
sending a second connection request signal, containing the IP address and port number associated with the request issuing device that were included in the received first connection request signal, to the identified request receiving device as a response signal to the device registration signal, with the identified IP address and the identified port number set as the destination.

17. The communication method according to claim 16, further comprising:
after the identifying and before the sending of the second connection request signal, sending a third connection request signal to the request receiving device and receiving a second TCP connection start signal from the request receiving device as a response signal to the third connection request signal, so as to establish a second TCP connection with the request receiving device;
wherein the sending of the second connection request signal comprises sending the second connection request signal to the request receiving device using the established second TCP connection.

18. The communication method according to claim 17, wherein the first connection request signal further contains password information for the request receiving device; and
wherein the communication method further comprises adding the password information contained in the first connection request signal to the second connection request signal, and sending the second connection request signal containing the password information.

19. The communication method according to claim 18, further comprising:
before the receiving of the first connection request signal, sending server certification information for verifying the validity of the server device to the request issuing device;
receiving from the request issuing device, using the first TCP connection, first common key generation information generated in response to the server certification information, generating second common key generation information in response to the first common key generation information, generating a first common key for communication based on the first common key generation information and the second common key generation information, sending the second common key generation information to the request issuing device using the first TCP connection, and causing the request issuing device to generate, based on the first common key generation information and the second common key generation information, a common key for communication identical to the first common key for communication, so as to share the first common key for communication with the request issuing device;
receiving from the request issuing device, using the first TCP connection, the first connection request signal encrypted with the first common key for communication, and decrypting the received first connection request signal using the first common key for communication;
before the sending of the second connection request signal, sending the server certification information to the request receiving device;
receiving from the request receiving device, using the second TCP connection, third common key generation information generated in response to the server certification information, generating fourth common key generation information in response to the third common key generation information, generating a second common key for communication based on the third common key generation information and the fourth common key generation information, sending the fourth common key generation information to the request receiving device using the second TCP connection, and causing the request receiving device to generate, based on the third common key generation information and the fourth common key generation information, a common key for communication identical to the second common key for communication, so as to share the second common key for communication with the request receiving device; and
after the receiving of the first connection request signal and before the sending of the second connection request signal, encrypting the second connection request signal using the second common key for communication.

20. A communication method using a request issuing device provided in a communication system in which a server device and a plurality of devices including the request issuing device and a request receiving device are each connected to a network, the request issuing device being operable to communicate with the server device and the request receiving device, the communication method comprising:
sending a first TCP connection start signal to the server device to establish a first TCP connection with the server device;
sending to the server device, using the first TCP connection, a first connection request signal that contains a device ID of the request receiving device and an IP address and a port number associated with the request issuing device, and that is a request to the request receiving device; and
after receiving from the request receiving device a communication request signal requesting communication between the request issuing device and the request receiving device, accepting the communication between the request issuing device and the request receiving device in response to the communication request signal and starting communication with the request receiving device.

21. The communication method according to claim 20, wherein the first connection request signal further contains password information for the request receiving device.

22. The communication method according to claim 21, further comprising:
before the sending of the first connection request signal, receiving the server certification information from the server device;
authenticating the received server certification information so as to confirm whether the received server certification information is valid;
when the received server certification information is confirmed to be valid, generating first common key generation information, sending the generated first common key generation information to the server device using the first TCP connection, receiving from the server device, using the first TCP connection, second common key generation information generated in response to the first common key generation information, generating a first common key for communication based on the first common key generation information and the second common key generation information, and causing the server device to generate, based on the first common key generation information and the second common key generation information, a common key for communication identical to the first common key for communication, so as to share the first common key for communication with the server device; and
before the sending of the first connection request signal, encrypting the first connection request signal using the first common key for communication.

23. A communication method using a request receiving device provided in a communication system in which a server device and a plurality of devices including a request issuing device and the request receiving device are each connected to a network, the request receiving device being operable to communicate with the server device and the request issuing device, the communication method comprising:
periodically sending a device registration signal containing the device ID of the request receiving device to the server device;
receiving from the server device, as a response signal to the device registration signal, a second connection request signal containing an IP address and a port number associated with the request issuing device;
sending a communication request signal requesting communication between the request receiving device and the request issuing device to the request issuing device represented by the IP address and the port number contained in the received second connection request signal; and
after the request issuing device accepts the communication between the request receiving device and the request issuing device in response to the communication request signal, starting communication with the request issuing device.

24. The communication method according to claim 23, further comprising:
after the sending of the device registration signal to the server device and before the receiving of the second connection request signal, receiving a third connection request signal from the server device as a response signal to the device registration signal, and sending a second TCP connection start signal to the server device as a response signal to the third connection request signal so as to establish a second TCP connection with the server device; and
receiving the second connection request signal from the server device using the established second TCP connection.

25. The communication method according to claim 24,
wherein the request receiving device comprises a password information storage device operable to store password information for the request receiving device;
wherein the second connection request signal further contains password information; and
wherein the communication method further comprises sending the communication request signal to the request issuing device only when the password information contained in the second connection request signal matches the password information for the request receiving device stored in the password information storage device.

26. The communication method according to claim 25, further comprising:
before the receiving of the second connection request signal, receiving the server certification information from the server device;
authenticating the received server certification information so as to confirm whether the received server certification information is valid; and
when the received server certification information is confirmed to be valid, generating third common key generation information, sending the generated third common key generation information to the server device using the second TCP connection, receiving from the server device, using the second TCP connection, fourth common key generation information generated in response to the third common key generation information, generating a second common key for communication based on the second common key generation information and the fourth common key generation information, and causing the server device to generate, based on the third common key generation information and the fourth common key generation information, a common key for communication identical to the second common key for communication, so as to share the second common key for communication with the server device;
wherein the receiving of the second connection request signal further comprises decrypting the received second connection request signal using the second common key for communication.

27. A communication method using a communication system, the communication system comprising a server device and a plurality of devices including a request issuing device and a request receiving device;
wherein each of the plurality of devices and the server device are connected to a network; and
wherein the communication method comprises:
the communication method according to claim 16;
the communication method according to claim 20; and
the communication method according to claim 23.

28. A communication method using a communication system, the communication system comprising a server device and a plurality of devices including a request issuing device and a request receiving device;
wherein each of the plurality of devices and the server device are connected to a network; and
wherein the communication method comprises:
the communication method according to claim 17;
the communication method according to claim 20; and
the communication method according to claim 24.

29. A communication method using a communication system, the communication system comprising a server device and a plurality of devices including a request issuing device and a request receiving device;
wherein each of the plurality of devices and the server device are connected to a network; and
wherein the communication method comprises:
the communication method according to claim 18;
the communication method according to claim 21; and
the communication method according to claim 25.

30. A communication method using a communication system, the communication system comprising a server device and a plurality of devices including a request issuing device and a request receiving device;
wherein each of the plurality of devices and the server device are connected to a network; and
wherein the communication method comprises:
the communication method according to claim 19;
the communication method according to claim 22; and
the communication method according to claim 26.

31. A program for causing a computer to perform the communication method according to claim 16.

32. A program for causing a computer to perform the communication method according to claim 20.

33. A program for causing a computer to perform the communication method according to claim 23.

34. A program for causing a computer to perform the communication method according to claim 27.
device, and identifies the The IP address and port number in the device information of the identified request-receiving device are used as the device information. 15 The IP address and port number on the list related to the request-receiving device; The first connection request signal and the first connection related to the IP address and port number of the requesting device The request signal is received to the identified request receiving device as a response signal to the 20% registered registration signal, and the identified IP address and the identified port address are set as destinations. 17. The communication method according to item 16 of the scope of patent application, which further comprises: ^ After " Hai identification and in the month of sending the second connection request signal 'J, send a third connection request signal to the request The receiving device, and since 65 200534653 the request receiving device receives a second TCP connection start signal as a response signal to the third connection request signal to establish a second TCP connection with the request receiving device; wherein the second connection request is sent The signal includes using the established second TCP connection to send a second connection request signal to the request receiving device. 18. The communication method according to item 17 of the patent application scope, wherein the first connection request signal further includes password information for use in the request acceptance device; and 10 wherein the communication method further includes adding a signal included in the first connection request signal. The password information is transmitted to the second connection request signal, and a second connection signal including the password information is transmitted. 19. 
The communication method according to item 18 of the scope of patent application, further comprising: sending server certification information for confirming the validity of the 15 server device to the request issuing device before the receiving the first connection request signal; Use the first TCP connection to receive the first common key generation information received from the request issuing device in response to the server certification information being generated, and generate the second common key generation in response to the first common key generation information. Information, the first common key for communication is generated according to the first common key generation information and the second common key generation information, and the second common key generation information is sent to the request issuing device using the first TCP connection And based on the first common key generation information and the second common key generation information, the request issuing device generates a common key for communication that is the same as the first common key for communication 66 200534653 to correspond to the request Issue the first common key for the device's common communication; use the first TCP connection to receive the request for communication from the request issuing device The first common key used for communication is encrypted with the first _ connection request 5 signal, and the first common key used for communication is used to decrypt the received first connection request signal; the second connection is sent at the Before the request signal, send the server certificate information to the request accepting device; use the second TCP connection to receive the third common key generated from the request accepting device in response to the server certificate information Erbeizun generates a fourth common key generation information in response to the third common key generation information, and generates a second common information for 
communication based on the third common key generation information and the fourth common key generation information. Key, use the second TCP connection to send the fourth common key generation information to the request receiving device, and cause the request according to the third common key generation information and the fourth common key generation information The receiving device generates a common key for communication that is the same as the second common key for common use to share the second common key for communication with the requesting receiving device; and After receiving a first connection request signal and before the transmission of a connection requires the # 20, using the second common key to the encrypted communication with the second connection request signal to the. 2 0 — A communication method using a request issuing device provided in a communication system, wherein a server device and a plurality of devices including the request issuing device and a request receiving device are each connected to a network, the request 67 200534653 The issuing device is operable to communicate with the server device and the request acceptance device, the communication method includes: sending a first TCP connection start signal to the server device to establish a first TCP connection with the server device; 5 A first connection request signal is sent using the first TCP connection, which includes a device ID of the request accepting device and an IP address and a port number related to the request issuing device, and it is a route to the request accepting device. 
Request to the server device; and after receiving a communication request signal requesting communication between the request issuing device 10 and the request receiving device from the request receiving device, in response to the communication request signal, accepting the request issued Communication between the device and the request-receiving device, and communication with the request-receiving device begins21. The communication method of claim 20, wherein the first connection request 15 signal further includes password information for use in the request acceptance device. 22. The communication method according to item 21 of the patent application scope, further comprising: receiving the server certification information from the server device before sending the first connection request signal; and authenticating whether the received server certification information is valid To confirm whether the received server certification information is valid; when confirming that the received server certification information is valid, generating the first common key generation information, and using the first TCP connection to send the generated first The common key generates information to the server device, and uses the first TCP connection to receive the second common key generation information in response to the first common key 68 200534653 generated information from the server device, according to the first common blanket key Generating the information and the second common key generation information to generate the first common key for communication, and generating the server device based on the first common key generation information and the first common key generation information. 
The _ common key used for λ is the same common key for communication to share the first common key for communication with the server device Same key; before sending the first connection request signal, use the common key for communication and add a password to the first connection request signal. 23 ·-A communication method using the request receiving device provided in the communication system and system The eight server device and a plurality of devices including a request issuing device and the request receiving device are each connected to a network, the request The receiving device is operable to communicate with the server device and the request issuing device, and the communication method includes: periodically sending a device 15 registration signal including the device m of the request receiving device to the server device; The device receives a second connection request signal including an IP address and a port number related to the request issuing device as a response signal to the device registration signal; and sends a request for requesting the request accepting device and the request issuing device. 20 A communication request signal from one of the devices to the communication request signal to the request issuing device using the IP address and the port number included in the received second connection request signal; and a response to the request issuing device 69 200534653 to accept communication between the request receiving device and the request issuing device in response to the communication request signal After that, communication with the device that issued the request began. 24. 
The communication method according to item 23 of the scope of patent application, further comprising: after the device registration signal is sent to the server device and before the second connection request signal is received, receiving from the server device 5 The third connection request signal is used as a response signal to the device registration signal, and a second TCP connection start signal is sent to the server device as a response signal to the third connection request signal to establish a second TCP with the server device. And using the established second TCP connection to receive a second connection request signal from the server device. 25. The communication method according to item 24 of the patent application scope, wherein the request acceptance device includes a password information storage device operable to store password information for use in the request acceptance device; wherein the second connection request signal further includes a password 15; and wherein the communication method further comprises: only when the password information included in the second connection request signal matches the password information for the request accepting device stored in the password information storage device When it is, the communication request signal is sent to the request issuing device. 20 26. 
The communication method according to item 25 of the patent application scope, further comprising: before receiving the second connection request signal, receiving the server certification information from the server device; authenticating the received server certification information Whether it is valid to confirm whether the received server certification information is valid; and 70 200534653 When it is confirmed that the received server certification information is valid, a third common key generation information is generated, and the second TCP connection is used to send The generated third common key generation information is sent to the server device, and a second TCP connection is used from the server device to receive a fourth common key generated in response to the third total 5 key generation information. Generate information, generate a second set of common keys for communication according to the second common key generation information and the fourth common key generation information, and generate information and the fourth common key according to the third common key Generating information and causing the server device to generate a common key for communication with the second common key for communication to communicate with the server A second common communication means with the common key; wherein the received second connection request signal further comprises the second used for communication with the common key password and the solution of the second connection request signal is received by the contact. 15 27. 
—A communication method using a communication system, wherein the communication system includes a server device and a plurality of devices including a request issuing device and a request receiving device; each of the plurality of devices and the server The device is connected to a network; and 20 wherein the communication method includes: a communication method such as the scope of application for a patent application item 16; a communication method such as the scope of application for a patent application item 20; and a communication method such as application for a patent application scope item 23. 28 · —A communication method using a communication system, wherein the communication system includes 71 200534653 a server device and a plurality of devices including a request issuing device and a request receiving device; each of the plurality of devices and the servo Device is connected to a network; and 5 wherein the communication method includes: a communication method such as the scope of application for the patent No. 17; a communication method such as the scope of the patent application for 20; and a communication method such as the scope of patent application for 24 . 29. A communication method using a communication system, wherein the communication system includes 10 server devices and a plurality of devices including a request issuing device and a request receiving device; each of the plurality of devices and the server The device is connected to a network; and wherein the communication method includes; 15 a communication method such as the scope of patent application No. 18; a communication method such as the scope of patent application No. 21; and a communication method such as the scope of patent application No. 25. 30. 
A communication method using a communication system, wherein the communication system includes a server device and a plurality of devices including a request issuing device and a request receiving 20 device; each of the plurality of devices and the server The device is connected to a network; and wherein the communication method includes: a communication method such as the scope of patent application 19; 72 200534653 a communication method such as the scope of patent application 22; and a communication method such as the scope of patent application 26 . 31. A program for causing a computer to perform a communication method as described in item 16 of the patent application. 5 32.—A program for causing a computer to perform a communication method as described in item 20 of the patent application. 33. A program for causing a computer to perform a communication method as described in item 23 of the patent application. 34. — A program for causing a computer to perform a communication method as described in item 27 10 of the patent application scope. 73
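The rendezvous exchange of claims 16, 20, 23 and 25 (periodic registration, device-ID lookup, relay of the issuer's IP/port to the acceptor, password check before the acceptor contacts the issuer) as an added simulation; this is not the patent's or the applicant's code. The three parties are plain Python objects exchanging dicts instead of TCP signals; the server certification and common-key steps of claims 19, 22 and 26 are not modelled, and the registration lifetime, the addresses, the device ID and the password are constructed assumptions the claims do not state.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption (not in the claims): because the acceptor re-registers periodically
# (claim 23), a registration not refreshed within this many seconds is treated as stale.
REGISTRATION_TTL = 60.0


@dataclass
class DeviceInfo:
    """One entry of the server's device information list (claim 16)."""
    device_id: str
    ip: str
    port: int
    registered_at: float


class ServerDevice:
    """Stores registrations and relays a first connection request as a second one."""

    def __init__(self) -> None:
        self.device_list: Dict[str, DeviceInfo] = {}
        self.outbox: List[Tuple[str, int, dict]] = []   # (destination ip, port, signal)

    def receive_device_registration(self, signal: dict, now: float) -> None:
        # The acceptor's current IP/port is whatever it most recently registered.
        self.device_list[signal["device_id"]] = DeviceInfo(
            signal["device_id"], signal["ip"], signal["port"], now)

    def receive_first_connection_request(self, signal: dict, now: float) -> bool:
        info = self.device_list.get(signal["target_device_id"])
        if info is None or now - info.registered_at > REGISTRATION_TTL:
            return False    # unknown device ID or stale registration: nothing is relayed
        second = {"issuer_ip": signal["issuer_ip"],
                  "issuer_port": signal["issuer_port"],
                  "password": signal.get("password")}
        # The destination comes from the list entry, never from the issuer's request.
        self.outbox.append((info.ip, info.port, second))
        return True


class RequestAcceptingDevice:
    """Registers with the server; contacts the issuer only if the password matches (claim 25)."""

    def __init__(self, device_id: str, ip: str, port: int, password: str) -> None:
        self.device_id, self.ip, self.port = device_id, ip, port
        self.stored_password = password      # the password information storage of claim 25
        self.outbox: List[Tuple[str, int, dict]] = []

    def registration_signal(self) -> dict:
        return {"device_id": self.device_id, "ip": self.ip, "port": self.port}

    def receive_second_connection_request(self, signal: dict) -> bool:
        supplied = signal.get("password") or ""
        # Constant-time comparison; claim 25 only requires that the two match.
        if not hmac.compare_digest(supplied.encode(), self.stored_password.encode()):
            return False
        comm_req = {"from_device_id": self.device_id}
        self.outbox.append((signal["issuer_ip"], signal["issuer_port"], comm_req))
        return True


class RequestIssuingDevice:
    """Sends the first connection request and accepts the communication request (claim 20)."""

    def __init__(self, ip: str, port: int) -> None:
        self.ip, self.port = ip, port
        self.pending_target: Optional[str] = None
        self.connected_to: Optional[str] = None

    def first_connection_request(self, target_device_id: str, password: str) -> dict:
        self.pending_target = target_device_id
        return {"target_device_id": target_device_id, "issuer_ip": self.ip,
                "issuer_port": self.port, "password": password}

    def receive_communication_request(self, signal: dict) -> bool:
        # Assumption beyond the claims: accept only from the device that was asked for.
        if signal.get("from_device_id") != self.pending_target:
            return False
        self.connected_to = signal["from_device_id"]
        return True


def run_scenario(password: str, target_id: str = "tv-001",
                 register_at: float = 0.0, request_at: float = 10.0) -> str:
    """Drive the exchange with constructed addresses and report where it stops."""
    server = ServerDevice()
    acceptor = RequestAcceptingDevice("tv-001", "192.0.2.10", 5000, "s3cret")  # constructed
    issuer = RequestIssuingDevice("198.51.100.7", 40000)                        # constructed
    server.receive_device_registration(acceptor.registration_signal(), now=register_at)
    first = issuer.first_connection_request(target_id, password)
    if not server.receive_first_connection_request(first, now=request_at):
        return "rejected_by_server"
    dest_ip, dest_port, second = server.outbox[-1]
    assert (dest_ip, dest_port) == (acceptor.ip, acceptor.port)
    if not acceptor.receive_second_connection_request(second):
        return "rejected_by_acceptor"
    _, _, comm_req = acceptor.outbox[-1]
    return "connected" if issuer.receive_communication_request(comm_req) else "rejected_by_issuer"
```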
TW094101663A 2004-02-20 2005-01-20 Communication system using TCP/IP protocols TW200534653A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2004044141A JP2005236728A (en) 2004-02-20 2004-02-20 Server apparatus, request issuing the apparatus, request accepting apparatus, communications system and communication method

Publications (1)

Publication Number Publication Date
TW200534653A true TW200534653A (en) 2005-10-16

Family

ID=34879331

Family Applications (1)

Application Number Title Priority Date Filing Date
TW094101663A TW200534653A (en) 2004-02-20 2005-01-20 Communication system using TCP/IP protocols

Country Status (6)

Country Link
EP (1) EP1719324A1 (en)
JP (1) JP2005236728A (en)
CN (1) CN1918887A (en)
CA (1) CA2556689A1 (en)
TW (1) TW200534653A (en)
WO (1) WO2005081492A1 (en)

Also Published As

Publication number Publication date
EP1719324A1 (en) 2006-11-08
CA2556689A1 (en) 2005-09-01
JP2005236728A (en) 2005-09-02
WO2005081492A1 (en) 2005-09-01
CN1918887A (en) 2007-02-21
