TW200841672A - Relaying apparatus - Google Patents

Abstract

To provide a technology capable of preventing "leakage" and "falsification" of data and further "impersonation", "intrusion, and "attack" on the Internet in communication between personal computers and external devices without imposing loads of installation of software or hardware on the personal computers. A relaying apparatus 100 is provided with NIC (Network Interface Card) drivers 1a, 1b respectively connected to networks 200, 300, and with a network layer and a transport layer including the "TCP/IP"2 for stipulating a communication method for the communication between two optional nodes while carrying out routing for a physical layer and a data link layer including the NIC drivers 1a, 1b. Then a function of the "TCP2"3 is provided between the data link layer and the network layer.

Description

[Technical Field] The present invention relates to an ideal relay device used for electronic information communication, for example, when an encryption function is added to a TCP or UDP protocol of a transport layer. In particular, it is a security system in communications, especially to prevent "leakage" and "tampering" of data on the Internet, or even "disguise", "intrusion" or even "attack". [Prior Art] The inventor of the present invention has previously provided the encryption and decryption logic on the transmitting side and the receiving side in order to enhance the prevention of data leakage, tampering, camouflage, intrusion, and attack in order not to change the upper application. It is applied to the payload of the TCP or UDP protocol that exists in the transport layer, and becomes the new encryption system TCP2 (International Publication No. WO 2005/0 1 5 827 A1: hereinafter referred to as Patent Document 1). • In recent years, Internet-based communications, as long as they are Windows PCs, can be accessed by anyone in the company as long as they are connected to the Internet and anyone can access the computers on the Internet. On the other hand, with the spread of the Internet communication, hackers or crackers invade other people's computer systems, peek into software or materials, or tamper with or destroy, causing great social problems. As a specific case of improper impediment, first, for example, a computer system that transmits a large amount of information from the network in order to make the central system unusable is hampered by a hindered system. If the host exceeds the load due to the obstruction, there is also -4 - (2) (2) 200841672 may cause the system to crash. Also, improperly obtaining the password of the host, stealing confidential information, and improperly impeding "improper access and disguise" of information tampering or destruction. This hindering is to arbitrarily rewrite the information held by the computer and is a despicable trick to frame others. In addition, misconduct of so-called spyware that lurks on a specific personal computer and swindles personal confidential information such as mail addresses or passwords is also occurring. In this way, it is impossible to peek into the contents of the database held by computers connected to the Internet. The possibility that so-called eavesdropping behavior is going on frequently is undeniable. Also, on the platform or the server operator, deliberately stealing personal information, or sneaking into the company to launch cyber terrorist attacks (

The crisis of Cyber terrorism cannot be said to be completely non-existent at the moment. 甚至 Even the improper handling of the "virus" that causes computer impediments to other people's computers has recently become more and more hampered. The injected virus will be infected with a personal computer used in the home by mail, etc., and when it is connected to the company, all the personal computers in the company will be infected, or the virus will destroy the files in the computer, or even It will cause problems for all the network to crash. Therefore, in the communication on the Internet using the previous TCP/IP (Transmission Control Protocol/Internet Protocol) or UDP (User Datagram Protocol), the function of preventing "leakage" or "tampering" of data is to use the so-called function. IPsec (Security

Encrypted communication technology such as Architecture for Internet Protocol) or SSL (Secure S o c k e t L a y e r). (3) 200841672 Generally speaking, although there are common key (also known as secret key) encryption method and public key encryption method in encrypted communication, 1 PSeC uses common key encryption. The common key encryption method is a more public key encryption method, and the encryption and decryption speed is faster, which is a feature. The common key encryption method used by the 1P see is a method of encrypting and decrypting with the same key. The generation of the key can be generated on either the transmitting side or the receiving side, but due to the receiving side and sending The message side uses a common key, so care must be taken to ensure that the content is not leaked to the outside when the key is exchanged. The algorithm used in the common key encryption method is represented by DES (Data Encryption Standard: Common Synthetic Gold (Secure Gold Mirror) Encryption Algorithm developed by IBM Corporation of the United States). IP s e c is also used as one of the encryption algorithms. IPsec, standardized by the Internet Engineer Task Force (IETF), is characterized by not simply encrypting a specific application, but encrypting all communications sent from the host at the IP level. # This allows users to communicate securely without having to be aware of the application. Moreover, in order to be able to use it over the future, IPsec can change only the encryption algorithm used without changing its own mechanism. As a common encryption key used by IPsec, a 32-bit encoding called SPI (Security Pointer Index) is used, and IKE (Internet Key Exchange) is used as a gold exchange protocol. Even the AH (Authentication Header) for integrity authentication is prepared in IPsec. In addition, SSL is the HTTP protocol for additional security functions developed by Netscape (Netscape, now absorbed by A0L). It can be used by -6 - (4) (4) 200841672 to enable the client and the server. The devices can authenticate each other on the network, encrypting confidential information such as credit card information and then transacting. In this way, it is possible to prevent data eavesdropping and resend attacks (first eavesdropping on data flowing over the network and then repeatedly sending out attacks), impersonation (for fake communication), data tampering, and the like. FIG. 6A is an example of a protocol stack when the previous ipsec encrypted communication is performed, and FIG. 6B is an example of a protocol stack using the previous SSL encrypted communication. . OSI reference model, the lowest layer (layer 1) is the physical layer (

Physical Layer), the second layer is the data link layer, the third layer is the network layer, the fourth layer is the transport layer, and the fifth layer is the session layer (Session). Layer), the sixth layer is the Presentation Layer, and the top layer (the seventh layer) is the Application Layer. The 7-level in the OSI reference model is represented by dividing the communication function into 7 stages, and each of the levels has a function module defined therein. In Fig. 6A, it is illustrated until the fifth layer of the session layer. The term "agreement stacking" refers to the selection of programs for realizing functions in all levels of the network, and stacking them into a hierarchical software group. First, if the 0SI reference model is briefly explained, the physical layer of the first layer defines a layer of the physical electrical characteristics of the signal line or the modulation method of the coding. However, it is rarely defined solely by this layer. It is usually defined with the layer 2 data link, for example, and Ethernet specifications, as defined in (5) (5) 200841672. The data link layer of the second layer defines a layer of data packetization or entity address, packet transmission and reception methods, and the like. This layer specifies that the communication medium through the entity 'the association between the two nodes for packet exchange' is to give each node an address, and the destination of the packet is specified according to the address. The packet is sent to the communication medium. As a communication medium, there are various types of media, such as copper wiring or wireless, optical fiber, and the like. Moreover, the topology (topology) is not just the opposite connection of i to 1, but has many types such as busbar type, star type, and ring type. The packet sent to the communication medium is captured by the node at the point of arrival to the receiving side node and delivered to the upper protocol layer. The NIC (Network Interface Card) driver configured across the physical layer and the data link layer is used to connect PCs and printers to the expansion boards required on the local area network (LAN). . When it is simply called "network card", it is mostly referred to as an interface card connected to the Ethernet. With the NIC driver, the node (machine) designed to send data first monitors the idle state of the cable, and starts transmitting if the cable is in an idle state. At this time, if multiple nodes start transmitting at the same time, the data will be destroyed due to collision in the cable, so the two will interrupt the transmission, wait for a random amount of time, and then restart the transmission. This allows a cable to be used by multiple nodes to communicate with each other. The layer 3 of the network layer is a layer that specifies the communication method between any two nodes. If it is TCP/IP, it is equivalent to the IP layer. In the data link layer, (6) (6) 200841672 Although communication can be performed between nodes on the same network medium, the role of the network layer is to use its function to allow any two nodes existing on the network. It is possible to perform routing and communication. Here, "bypass" means that when the packet is transmitted to the destination host in the TCP/IP network, the best path is selected and transmitted. For example, in an Ethernet network, although only nodes on the same segment can communicate with each other, in the network layer, packets are bypassed between two Ethernet segments. Communication is possible. In addition, the connection of the computer to the network (Ethernet) to the PPP (Point to Point Protocol) line through the telephone line, or the use of the fiber to the private line, etc., can be independent of the entity Wrap around the network media. For this purpose, each node is usually given an address that does not depend on the physical medium (or IP address if TCP/IP), and is routed according to it. IP sec, at the network layer, encrypts all communications sent from the host at the IP level, so users can communicate securely without having to be aware of the existence of an application. The transport layer of the fourth layer is a protocol that can be implemented between two processing programs (Process) executed on each node without realizing a virtual communication path. If it is TCP/IP, it is equivalent to the TCP layer. Moreover, in the network layer, although the function of communication between two nodes is provided, the task of this layer is to use a virtual one without error between the two processes (Process). Communication road. That is to say, although the network layer is sufficient to transmit data, it cannot guarantee that the information is delivered to the other party -9 - (7) 200841672. Also, there is no guarantee that the data will be delivered in the correct order of delivery. Therefore, in order to be easy to use for an application, it is the layer that provides a communication path without errors. When necessary, data is re-delivered and repaired. In this transport layer, although UDP is configured in addition to T cp, the difference between UDP and TCP is that TCP is a protocol for compensating data, which is relatively low-speed. In contrast, UDP does not perform data supplementation. Repay, but relatively high speed. The communication between computers is mainly used to transmit data when using T C P, and when using IP phones to transmit sound or video, UDP is mostly used. The communication system was first proposed by the inventor of the present invention in Patent Document 1.

The layer 5 of the session layer defines the layer of the program (from the beginning to the end of the communication), and sets up a connection between the applications to make it a layer of communication. The "communication slot" (socket) configured in this layer means the IP # address corresponding to the address on the network held by the computer, and the communication nickname which is the sub-address of the 1P address. , the combined network address. When connecting computers to each other, be sure to specify the communication slot (a combination of IP address and communication nickname) to connect. As shown in Figure 6B, the previously representative encrypted communication technology S S L is to implement encrypted communication on this session layer. The presentation layer of the sixth layer is a layer that specifies the presentation method or encoding, encryption, etc. of the data exchanged during the session (from the beginning to the end of the communication). In the TCP/IP protocol, there is no equivalent to the layer, but usually -10- (8) (8) 200841672 The application itself controls the processing of streaming data. Further, the application layer of the seventh layer is for specifying the layer of the exchange of information between applications. In the TCP/IP protocol, there is no equivalent to the layer. For example, the format of the e-mail, or the internal structure of the document, is a layer that defines the common data structure required for the exchange of data between applications. In Fig. 6, A is a standard protocol stack equipped with IP sec. First, in the physical layer (layer 1) and the data link layer (layer 2), the NIC Driver (network interface card driver) is set. . The driver (Driver) is a driver for connecting a computer and other hardware to the interface card required by the network, and the content is a data receiving and controlling software. For example, it is equivalent to a LAN board or LAN card used to connect to Ethernet (Ethernet). The layer 3 of the network layer has an IP emulator that extends to the transport layer (layer 4). The portion extending to the transport layer does not have a function as a transport layer. Only the functions of the network layer are provided to the session layer. The IP emulator is responsible for switching between IPsec for encrypted communication and IP for non-encrypted communication. Further, an ARP (Address Resolution Protocol) is placed in the network layer of the third layer. The ARP is a protocol used to determine the physical address of Ethernet from the IP address, that is, the MAC (Media Access Control) address. MAC, which is commonly referred to as media access control, is a transmission control technology used by LANs, etc. -11 - (9) (9) 200841672 is a method for receiving and transmitting messages of a data receiving and transmitting unit. The frame format, error correction, etc. are utilized. Further, the network layer is provided with an ICMP (Internet Control Massage Protocol) that transmits an IP error message or a control message, and a configuration for efficiently distributing the same data to a plurality of hosts or receiving and delivering the same data. Controls the IGMP (lnternet Group Management Protocol) of the host group. Then, in the transport layer of the upper layer of the network layer, TCP and UDP are configured, and in the upper layer, that is, the session layer, a communication slot (socket) interface is configured. Fig. 6B shows an example of SSL as a standard protocol for the encryption processing protocol. Instead of IPsec in the network layer, SSL is installed in the communication slot (session layer). The other protocols are the same as those in the previous Figure A. In the previously known encrypted communication technology, IP sec encrypts IP packets and sends and receives them. Therefore, application software using upper-party protocols such as TCP or UDP is It is not necessary to be aware that IP sec is being used. On the other hand, in SSL, in the mutual authentication level, a digital certificate using RSA (Rivest Shamir Adleman: prefix from the developer's three-way developer) public key encryption technology is used in the encryption of data. It is a common key encryption technology using DES. Since the SSL is at the layer level of the fifth layer, it is dependent on the specific application. IPsec is implemented as a function to prevent data leakage or tampering in the layer 3 (network layer) of the lower layer of the OSI layer 4 (transport layer) (for example, refer to R. Atkinson). , August 1995 ' -12 - (10) 200841672

Security Architecture for thelnternet Protocol", RCF1825. ). In contrast, SSL belongs to the encryption technology in the layer layer of the fifth layer, and is a WWW (World Wide Web) or FTP (File Transport Protocol) commonly used on the Internet. Encrypted data is used to securely send and receive information related to privacy or corporate secret information. The appearance of Figure 7 is a comparison of the functions of I p s e c and s s [ As seen in the table, it can be seen that IP sec and SSL have the opposite advantages and disadvantages. For example, in the client-client communication, in the case of SSL, since the command system and communication contents are master-slave relationships, in other words, they become client/server, so it is impossible to perform without the server. Client-client communication. That is, when the secret data is encrypted by the terminal S from the terminal A to the terminal B, it is necessary to have a server between the two. In contrast, IPsec does not have this limitation and # can communicate directly. In the PPP (Point to Point Protocol) mobile environment or the ADSL (Asymmetric Digital Subscriber Line) environment, IPsec determines the encryption method, performs key exchange, and uses mutual authentication before the data encryption communication starts. The agreement is also the communication of the IKE (Internet Key Exchange) agreement, which authenticates the connected target. Therefore, in the PPP action environment (remote client) or ADSL environment, since the IP address cannot be fixed, the IPsec gateway is most often used for the IKE main mode of -13- (11) 200841672, that is, The mode of using the IP address information of the communication pair at the time of authentication will become unusable. In addition, as a solution, the Aggressive type can be used, and the IP address can be not used in the ID information, and the user information can be used in the ID information, for example, the user's code is used in the known shared key. The other party can be specified. However, since the ID of the connection object is sent in the same message as the key exchange information in the Aggressive mode, the ID is sent directly in plaintext without being encrypted. Moreover, by using XAUTH (Extended Authentication within IKE), although the authentication problem can be solved, in the setting of the anti-wall, the ip address is not due to access from the remote client, so IKE must be fully licensed. , IP sec, so keep a question on security. SSL is still communicating in this environment. Also, IPsec has problems that cannot support NAT (Network Address Translation) or IP impersonation. In order to support them, it is necessary to use such other functions as loading them into the payload of UDP. NAT, a technology that connects Internet-based enterprises, etc., to share a global IP address to multiple computers, is capable of passing only the IP address (area address) and the Internet on the Internet. The technology that addresses (global sites) are converted to each other. The reason why the NAT cannot be supported is that the header is included in the authentication range of the AH (Authentication Header), which causes the mutual conversion from the address of the area to the global address to become non-initial, and the regional addresses of different sub-networks are mutually The communication is also unable to carry out the square model. The secret is the use of the IP address of the fire. The law is 14- (12) 200841672 In addition, the so-called IP impersonation refers to the plural from the LAN with a private address. The design that the client can access the Internet can be seen from the outside (internet) only by seeing the terminal that is performing IP impersonation, so it is ideal for security. The reason IP sec can't support IP impersonation is IP sec ESP ( Encapsulation Security

Payload: The encrypted payload) header is immediately after the ip header. Implementing a general router with IP impersonation is to identify the TCP/UDP nickname immediately after the IP header. Therefore, if the nickname is changed via the router with the ip impersonation installed, the IP sec determines that it has been tampered with, causing the host's authentication to fail. This problem can be avoided by using a product that supports NAT-T (NAT_Traversal) used to load UDP payloads. However, if NAT-T traverses differently, even products that support NAT-T will not be able to connect to each other. SSL is still communicating in this environment. • In contrast, SSL is incapable of resisting various attacks on TCP/IP by improper hackers such as hackers or hackers, such as the so-called DoS attack (Denial of Service). For a DoS attack on a TCP/IP protocol stack, for example, if a TCP cut attack is performed, the TCP session will be cut off and the SSL service will be stopped. Since IPsec is implemented at Layer 3 (IP layer), it has security functions at the IP layer and can prevent DoS attacks against TCP/IP (Layer 4, Layer 3). However, since SSL is implemented in the TCP/IP (Layer 4, Layer 3) layer (Layer 5) encryption protocol ' -15- (13) 200841672, it is impossible to prevent DoS on TCP/IP. attack. Even in the case of communication errors in a bad communication environment, such as communication errors in physical noise, SSL is more effective than IPsec. That is, when IPsec detects an error, it passes the resend action to TCP processing. Although TCP will send the resend data to IP sec, IP sec will not be able to recognize the resend data, which will result in re-encryption. SSL does not re-encrypt the same data due to incorrect repair processing with TCP. # Also, communication between different LANs cannot be performed in IPsec. That is, the promulgation management of the subnet address in the LAN is managed by a DHCP (Dynamic Host Configuration Protocol) server located in the LAN, so that the same subnet address is not allocated in the LAN. However, when communicating between different LANs, since the DHCP servers in each other's LANs are each assigned a subnet address, it is possible to assign the same address. In the case of such a match to the same address, it is not possible to communicate in IPsec. However, if an IPsec-DHCP server is additionally established, the management will not be delivered to the same address, and communication can be performed. Since s S L is located at the fifth layer (phase layer) of the above O SI reference model, the lower layer TCP can be used for error repair processing, and communication can be performed even in such a harsh environment. In addition, for communication in different network environments, since IPsec must manage all the nodes that pass through, and change settings so that IPsec can pass, it is very difficult to manage, but SSL can be used even in this environment. Communicate without being aware of the environment of the node being passed. -16- (14) (14)200841672 Also, since SSL does not support UDP communication, UDP encrypted communication cannot be performed. TCP can only support specific 埠', so it is impossible to encrypt all TCP ports. In contrast to the 'IPsec system, encrypted communication can be performed regardless of UDP or TCP. Even SSL has problems with applications that are not compatible. The application uses the communication slot (layer 5) as a program interface when communicating over the Internet. Therefore, when the application is using SSL (Layer 5), the communication slot interface must be changed to the SSL interface. Therefore, SSL is not application compatible. In contrast, since IPsec is located below the communication slot (Layer 5), it should be used as long as the communication slot (Layer 5) is used as a program interface, so that application compatibility is achieved. Further, IPsec is controlled by an IP address unit, whereas SSL is controlled by a resource unit (URL unit, folder unit). Even IP s e c has the problem that the maximum segment size will shrink. That is, since the ESP header (header) and the ESP trailer are used in IPsec, the payload (Payload) becomes small, so that fragmentation (packet division) occurs, and the throughput is lowered. In addition, in the TCP packet, since the fragment is prohibited, it is necessary to grasp the environment in which the IP s e c passes by the endpoint to the end point, and set the maximum extent size that does not cause the fragment to occur. In this regard, S S L is because there is no need to grasp the passing environment, so there is no need to set the maximum segment size. Although the performance comparison between IPSec and SSL has been described according to Table 1 (Fig. 7), as described above, the advantages and disadvantages of IPsec and SSL are that -17-(15) 200841672 exists. On the other hand, the inventors of the present invention have already included all the advantages of IPsec and SSL, and have more excellent encryption communication protocols, that is, TCP2 (refer to Patent Document 1, that is, the invention described in Patent Document 1, It is not necessary to prevent the "encryption function" of improperly invading the computer terminal from being executed in the program. Therefore, the application itself does not need to be re-created, and the communication partner who can support the encryption function can also perform the previous plain text # to even if IPsec cannot be used. The environment (or the use of the encryption or the authentication, which is not intended to be used.) Fig. 8 is a protocol stack used in an embodiment of the communication system proposed by the inventor of the present invention in Patent Document 1. The invention described in Patent Document 1 As shown in Fig. 8 of the protocol stack, the driver layer 1 is arranged in the physical layer (the first layer of the first layer (the second layer) of the OSI7 hierarchy). • It is the interface card required to connect a computer and other hardware to the network, and its content is the data receiving and receiving control software. For example, its phase. Connecting to Ethernet (Ethernet) LAN board or LAN ^, Layer 3 network layer, there is a part of the extension to the 4th layer of the IP simulator (emulator) 13. The extension is not implemented As a function of transmission, it only supplies the network layer to the session layer. The IP simulator 13 is responsible for the encryption communication with the use of IPsec on CP IP on CP. 13a. Here, the so-called "on CP" refers to the revolution of the package, and the encryption stack that is used for the application and the communication is not the case. (Network As mentioned above, the driver is used as the c ° transport layer (partial, function, lift and use 13b and "will become -18- (16) (16) 200841672 intrusion protector (CP)) The surveillance, discarding, and cutting of "fake" or "intrusion" and "attack" may even limit the passage of the object, or may become the person by setting.

Further, "ARP on CP (Address Resolution Protocol on Cracking Protector)" is placed in the network layer. The ARP on CP is a protocol used to derive a physical address of Ethernet, that is, a MAC (Media Access Control) address, from an IP address that protects against cracker protection. MAC, generally referred to as media access control, is a transmission control technology used by LANs, etc., and is used to specify the format of the receiving and transmitting method of the data receiving and transmitting unit, the format of the frame, and the error correction. . Here, the IP simulator 13 integrates the software or firmware required for the previous IP peripheral stack in order to implement the various security functions described in the present invention. That is, it is an ICMP (Internet Control Massage Protocol) 14a for integrating an error message or a control message for transmitting IP, and a control group for controlling the host to efficiently deliver the same data to a plurality of hosts or receive distribution. Protocol IGMP (Internet Group Management Protocol) 14b, TCP15, UDP16 and Socket interface 17, the required software or firmware or even hardware (electronic circuits, electronic components). With the IP simulator 13, it is possible to perform IP before encryption and decryption, and necessary authentication information addition and authentication, and the like. In the transport layer (layer 4) of the upper layer of the IP simulator 13, a TCP emulator 15 and a UDP emulator 16 are arranged. TCP Simulator 15, which is negative -19- (17) (17) 200841672 Responsible for switching to use "TCPsec on CP" 15b, which is a protocol for encrypted communication, and "TCP on CP", which is a general communication protocol. 1 5a. Similarly, the UDP emulator 16 is responsible for switching between "UDPsec on CP" 16b, which is a protocol for performing encrypted communication, and "UDP on CP" 16a, which is a general communication protocol, for use. The most characteristic feature of Patent Document 1 is that an encrypted communication protocol of TCPsec 15b and UDPsec 16b is mounted in the transport layer (fourth layer). Details of TCPsecl 5b and UDPsecl 6b will be described later. In the session layer (the fifth layer) of the upper layer of the transport layer (the fourth layer), a communication slot (Socket) interface 17 for exchanging data with protocols such as TCP and UDP is provided. The meaning of the communication slot, as described above, means combining the IP address equivalent to the address on the network held by the computer and the communication number of the sub-address as the IP address. The network address is actually a combination of a series of headers and executions, a single software module (executive program, etc.) or a single hardware module (electronic circuit, Electronic components, etc.). The communication slot interface 17 is a unified access method for providing applications from higher-level applications (the EC application shown in FIG. 2 and the broadcast application shown in FIG. 3), and the types and types of parameters are designed. The same remains the same as the previous interface. The TCP emulator 15 is in the transport layer and is responsible for distinguishing packets into TCPsec 15b with data leakage and tampering prevention functions, that is, encryption, integrity authentication, and peer authentication, and does not have such encryption and integrity. Sexual certification and the other party's usual functions such as TCPl5a -20- (18) (18) 200841672. Further, since both the TCPsec 15b and the TCP 15a are provided with an intrusion preventer (CP), the defense function of "intrusion" and "attack" caused by the fast passenger can be realized regardless of which one is selected. The TCP emulator 15 also acts as an interface between the communication slots located on the upper layer. Further, as described earlier, UDP has an error compensation function with respect to TCP, and UDP does not have an error compensation function, but it is characterized by a faster transmission speed and a broadcast function. The UDP emulator 16 is similar to the TCP emulator 15. In the transport layer, it is responsible for distinguishing packets into UDP sec with data leakage and tampering prevention functions, that is, encryption, integrity authentication, and peer authentication. 16b, and any of the usual protocols UDP 1 6a that do not have such functions as encryption, integrity authentication, and counterpart authentication. As shown in FIG. 8, the communication slot 17, the TCP emulator 15, the UDP emulator 16, the "TCPsec on CP" 15b, the "UDPsec ο n CP" 16b, the "TCP on CP" 15a, and the "UDP on CP" are shown. 1 6a, "ICMP on CP" 14a, "IGMP on CP" 14b, IP simulator 13, "IP on CP" 13a, and "ARP on CP" 12 are formed by agreement stacking for performing the present invention. The agreed protocol stack, which is collectively referred to as TCP2 below. Further, although "IPsec on CP" 13b is not necessarily included in TCP2, "IP sec on CP" 13b may be included as TCP2. The TCP 2 disclosed in Patent Document 1 is a standard protocol including TCP, UDP, IP, IPsec -21 - (19) (19) 200841672, ICMP, IGMP, and ARP in addition to the above-mentioned protocol stack for performing encryption processing. Stacking. Moreover, CP (intrusion protector) is implemented in these standard protocols to protect against attacks from stack communication of various protocols, as well as attacks from applications (Trojan horses, tampering of programs, improper use of regular users) use). Further, in TCP2, there is implemented a TCP emulator 15, which is compatible from the communication slot (Socket) 17' located at the session level and the IP emulator 13 located at the network layer. 'So from the outside it is the same as the standard TCP. In fact, the function of T C P 2 is performed by switching between TCP and TCP sec. TCP sec is the encryption and authentication function of the present invention at the transport layer. Further, similarly, in TCP2, a UDP emulator 16' is implemented, and the UDP emulator 16 is viewed from a communication slot (Socket) 17 located at the session level and an IP emulator 13 located at the network layer. It is compatible, so it can be the same as the standard UDP from the outside. In fact, the function of TCP2 is to switch between UDP and UDPsec. UDPsec is an encryption and authentication function in the transport layer of the invention described in Patent Document 1. Next, TCPsec 15b and UDPsec 16b, which are particularly important functions in TCP2, are "data leakage" prevention functions. As the encryption/decryption method (algorithm, logic) used by TCPsecl5b and UDPsecl6b, a well-known secret key (common key) encryption algorithm is used. For example, DE S (Data Encryption Standard -22-(20) (20) 200841672), developed by IBM Corporation in the 1960s, is a secret key encryption algorithm, or a modified version of 3 D E S. Also, the IDEA (International Data Encryption Algorithm) published by James L. Massey and Xuejia Lai of the Swiss Engineering University in 1992 can be used as other encryption algorithms. The encryption algorithm encrypts the data by cutting it into 64-bit blocks, and the length of the encryption key is 1 2 8 bits. It is designed to be linear cryptanalytic or differential cryptanalysis that can efficiently crack secret key encryption and still has sufficient strength. Further, as the encryption method of TCPsecl5b and UDPsecl6b used in the present invention, in addition to FEAL (Fast data Encipherment ALgorithm), MISTY, AES (Advanced Encryption)

Standard) This type of encryption, other methods can also use the secret encryption and decryption algorithms. Here, FEAL is a secret key type encryption method developed by Japan Telecom Telephone Co., Ltd. (at the time), which is a secret key type encryption method that uses the same key for both encryption and decryption. The advantage of this FEAL is that it can encrypt and decrypt at a higher speed than DES. Next, the MISTY, which is also an encryption method used in the present invention, is a secret key type encryption method developed by Mitsubishi Electric Corporation, and is encrypted by cutting the data into 64-bit blocks in the same manner as IDEA. The key length is 1 2 8 bits. Both encryption and decryption use the same key as DES and so on. This approach is also designed to be sufficiently robust for linear cryptanalysis or differential cryptanalysis, which can efficiently decrypt secret key cryptography. Also, 'AES, selected by the Standards and Technology Bureau of the US Department of Commerce, -23-(21) (21)200841672, as the next generation of standard encryption for the US government, replaces the DES of the current standard encryption method. Developers of generational encryption standards. Among the several encryption methods collected from the public collection in the world, in the month of 2000, the method developed by Belgian password developers Joan Daemen and Vincent Rijmen was called Rij ndael. As described above, the encryption methods of TCPsecl5b and UDPsec16b of the present invention can be performed by using a known secret key encryption algorithm, and a secret key (common key) encryption method developed by the user. In addition, as a method for preventing "party authentication" and "integrity authentication" such as "disguise" and "data tampering", an algorithm using public painting or pre-shared secret sharing is used. For example, authentication algorithms such as MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm 1). In addition, it is also possible to replace such a well-known authentication algorithm and adopt an algorithm that utilizes a self-developed one-way function. The MD 5 belongs to a hash function (one-way digest function) used by an authenticated or digital signature, and generates a fixed length of hashes based on the original text, by performing at both ends of the communication path. The comparison can detect whether the original text has been tampered with during the communication. The hash is taken as a random number, and if it is based on it, it cannot be reproduced back to the original. Also, it is very difficult for other messages to produce the same hash. SHA1 is also a miscellaneous function used by a certified or digital signature. It generates a 160-bit hash from the original text of 64 or less elements of 2, and compares them at both ends of the communication path. It can detect whether the original text has been tampered with during the communication. The authentication algorithm is also representative of IPsec in the encrypted communication of the previous Internet by -24- (22) 200841672. In addition, these algorithms are designed to be distributed by Diffie-Hellman public key. Method, or the same Internet Key Exchange protocol as ipsec (UDP nickname 500) full key exchange, and the encryption/integrity authentication algorithm itself or the set/definition area of the required key is periodically By the protocol driver (TCPsecl5b, UDPsecl6b, etc.), as in the invention described in the above Patent Document 1, by making TCP2 proposed by the person, it is possible to realize leakage, tampering, camouflage, intrusion, The attack defense provides encryption and decryption logic on the transmitting and receiving sides that apply to the new encryption system that is present on the transport layer's TCP or UDP. However, in the invention described in the above Patent Document 1, the TCP 2 proposed in the present invention is implemented in a software or a form on a personal computer. However, at the same time, in order to put such a software or hardware on the computer, it is necessary to carry out the work required for the installation, or because of the hardware installation, the burden on the personal computer itself is increased. The software or hardware is installed on a personal computer to perform the work required for the above-described mounting, and the personal computer itself is increased. On the other hand, the above-mentioned system using the T C P 2 encryption system to prevent "leakage" and "tampering", "installation", "intrusion" and even "attack" of data on the Internet is specifically used. DH ( IKE (such as the security (logical) change, and the time-of-flight process can be used in this case to stop the function, depending on the hardware form of the inventor of the agreement, must be installed in such a software, must The burden is also used or even "pseudo-applied in the personal-25- (23) 200841672 computer and external communication. The present invention has been made in view of such a problem, and it is not necessary to pay for the personal computer system. In the communication of the software or the hard personal computer and the external communication, the function of TCP2 previously proposed by the person is clarified by a simple means. [Invention] In order to solve the above problem, the invention described in the present invention is achieved, and is a relay. The device is an ideal relay device used for electrical connection by adding an encryption function to the TCP or UDP protocol, and is characterized in that, depending on the corresponding device, the corresponding device is used; The information of the communication, at least the payment of the agreement, according to the method that has been determined, is encrypted and sent; and the agreement decryption means, the payload of the TCP or UDP agreement, according to the decision And decryption; using the transport layer of the TCP driver to communicate based on the encryption and decryption logic. In addition, in the relay device described in the application 2, the means of the secret and decryption logic may become the decryption logic, the memory In the memory and even in the logic change means, the encryption and decryption logic that has been memorized and installed can be periodically updated. In the relay device described in claim 3, the purpose of the present invention is encrypted. The burden can be achieved in this case. The application item 1 has the sub-information information communication at the transport layer: the encryption method of the means of decryption and the encryption logic determined by the packet of the decryption logic unit will have been received. The solution to the 5 UDP protocol is characterized by the fact that it will be added to the encryption circuit of the candidate; it can be used as a means of relying on the candidate and decryption logic -26 - (24) (24) 200841672 The encryption and decryption logics are based on the concept of plain text without encryption. [Embodiment] Hereinafter, the present invention will be described with reference to the drawings. A block diagram of an embodiment of the relay device of the present invention. In Fig. 1, the relay device 100 has its own function equivalent to that of a personal computer. Then, the relay device 1 is The NIC (Network Interface Card) drivers 1 a and 1 b are respectively connected to the network 200, 300. Further, for the physical layer and the data link layer including these NIC drivers 1 a and 1 b, A network layer and a transport layer containing "TCP/IP" 2, which are used to specify the communication required to communicate between any two nodes on the network 200, 300, while routing method. Then between these data link layers and the network layer, the function of "TCP2" 3 proposed by the inventor of the present invention can be set. That is to say, the function of "TCP2" 3 can be used to control the function of "TCP2" 3 or to change the encryption and decryption logic periodically, in addition to being able to be set in software or hardware. In the embodiment, the inventor of the present invention is equipped in the relay device by means of the encryption method to treat the essentials of the plain text, etc., as the external function (EXP·) 4 is set. The proposed function of TCP2 can prevent the personal computer from being burdened with software or hardware. In the communication between the personal computer and the external -27-(25) (25) 200841672, the Internet is prevented. The information "leakage" and "tampering" and even "disguise", "intrusion" and even "attack". That is, the relay device 100 of the present invention, as shown in Fig. 2 of the commemorative diagram, is a security gateway connected to the communication line which implements TCP2 for encrypted communication and authentication. The relay devices 101 and 102 including TCP 2 in Fig. 2 are connected to a wide variety of interfaces because they do not depend on the physical interface of the communication. Here, various communication interfaces including Ethernet, FDDI, PPP, wireless LAN, and IEEE 1 3 94 can be used as interface A (network 300) and interface B (network 201, 202). Then, the relay device 101 inputs the existing communication data from the interface A, encrypts it with TCP2, and outputs it as encrypted data sent to the interface B. Further, the relay device 102 inputs the encrypted communication material from the interface B, decrypts it by TCP2, and outputs it as the existing communication material sent to the interface A. Further, the relay apparatuses 1 0 1 and 102 are used to authenticate the functions of each other's TCP 2 at the time of starting communication, and when the authentication cannot be successful, the communication is forcibly terminated. Therefore, in such a communication system, the existing communication device 401 and the relay device 101, the existing communication device 402, and the relay device 102 exchange the existing communication materials, respectively, but the relay device 1 〇1 The exchange of encrypted communication data with the relay device 1 〇 2 can prevent this part of the data from being "leaked" and "tampered", or even "disguised", "invaded" or even "attacked". Further, Fig. 3 illustrates an embodiment of a more specific communication network -28-(26) (26)200841672. In Fig. 3, on the host computer A side, a plurality of personal computers 4, i, 412, and 413 are connected by a network 201 such as Ethernet to form a so-called LAN (Local Area Network) environment. Therefore, the relay device 1 〇 1, which is used to connect to the external network 300 at this time, is a router. On the other hand, a separate personal computer 420 is provided on the host computer B side of the host computer. Therefore, the relay device 102 for connecting to the external network 300 at this time is a gateway which is connected to the personal computer 420, for example, the network 202 by Ethernet. Then, the external network 300 at this time is also connected by, for example, Ethernet. Then, in such a communication network, the range of the network 2 0 1 , 2 0 2 is the communication caused by the existing communication data; the part of the external network 3 00 is caused by the encrypted communication data. Communication. Then, some of the information on the external network, "leakage" and "tampering", or even "disguise", "intrusion" and even "attack" can be prevented. As described above, according to the relay device of the present invention, when the protocol located at the transport layer is encrypted and used for electronic information communication, there is a means for determining, and the corresponding encryption is determined between the opposite device and the opposite device. And the decryption logic; and the agreement encryption means, as the information unit of the receiving and dispatching information, at least the agreement payload, according to the encryption logic determined by the means of the decision, is encrypted and sent; and the agreement decryption means, The received payload of the encrypted agreement is decrypted according to the decryption logic determined by the means of resolution; the TCP or UDP protocol of the transport layer is used for communication based on encryption and decryption logic, thereby enabling the personal computer不不-29- (27) 200841672 It is necessary to spend the burden of installing software or hardware, and in the personal computer and external communication, it can prevent the data on the Internet from being "leaked" and "tampered" or even "disguised". Invade and even "attack." Finally, the advantages of TCP2 of the present invention over previous ipsec or SSL are illustrated in accordance with Table 2 and Figure 5 shown in FIG. Table 2 of Fig. 4 shows the function of adding TCP 2 to the function comparison table of ipsec and SSL in Table 1 of Fig. 7 described above. φ As can be seen from Table 2, various problems of IPsec and SSL (all of which are described in the technical field to which the invention pertains) can be solved by using TCP2. For example, it is difficult to support in SSL, client-client communication, DoS attack against TCP/IP protocol, secure communication for all UDP or TCP ports, application must change the limitation of communication slot program, etc., TCP2 Fully supported. In addition, it is difficult to support in IPsec, communication in a bad environment with frequent errors, communication between different LANs, communication via multiple telecommunications companies, connection in PPP, and communication in ADSL environment. TCP2 is fully supported. Even for Internet telephony using VoIP (Voice over Internet Protocol) in a mobile environment or in an ADSL environment, although IPsec and SSL have the problems shown in Tables 1 and 2, if TCP2 is according to the present invention, It can be supported in any environment. Further, for Internet telephony using VoIP between LANs or between LANs that are circulated by a plurality of telecommunication companies, IPsec and SSL cannot be supported, but TCP2 according to the present invention can be fully supported. Figure 5 is a diagram for explaining the superiority of TCP2, which is a stack of agreements (a) without security -30-(28) (28)200841672, and a case (b) to which previous SSL is applied, applying the previous Case (c) of IP sec, comparison diagram of case (d) to which TCP2 (TCPsec/UDPsec) of the present invention is applied. The SSL of Fig. 5(b) is as described above, and since it is provided in the communication slot of the session layer (the fifth layer), it does not have compatibility with the upper application. Therefore, S S L itself still has the above problems. Moreover, the IP sec of FIG. 5(c) is located at the network layer (Layer 3) and has no compatibility at the IP layer, and thus is subject to the above various limitations on the network. On the other hand, TCP2 (TCPsec/UDPsec) of FIG. 24(d) belongs to the encryption technology introduced at the transport layer (layer 4), so it can be directly used from the perspective of the application, and the IP is also viewed from the network. It can be used directly, so it will not be subject to restrictions on the network. As described above, the relay device of the present invention is compared with the existing encryption processing system by using the TCP2 previously proposed by the inventor of the present invention, especially for data leakage, tampering, camouflage, intrusion, and attack. Extremely high security. In addition, the present invention is not limited to the embodiments described above, and various embodiments are of course included in the scope of the invention as set forth in the appended claims. BRIEF DESCRIPTION OF THE DRAWINGS [Fig. 1] A block diagram of a configuration of an embodiment of a relay device of the present invention is applied. [Fig. 2] Implementing 1^?2 for encrypted communication and authentication -31 - (29) 200841672 A memorial view of the security gateway connected to the communication line. Fig. 3 is a view showing the configuration of an embodiment of a specific communication network to which the relay device according to the present invention is applied. [Fig. 4] A table diagram for explaining the comparison with the prior art. [Fig. 5] An explanatory diagram for explaining the comparison with the prior art 〔 [Fig. 6] A diagram showing the previous standard communication protocol stack using IPsec and SSL. [Fig. 7] A table diagram for explaining the prior art. [Fig. 8] An illustration of the protocol stack of TCP2 proposed by the inventor of the present invention. [Symbol description of main components] la, lb, 1 1 : NIC driver, 2: TCP/IP,

3: TCP2, 4: external circuit, 12: ARP on CP, 13: IP simulator, 13a: IP on CP, 1 3b: IPsec on CP, 14a: ICMP, 14b: IGMP, 15: TCP, -32- ( 30) 200841672 16 : UDP, 1 7 : communication slot interface, 100, 101, 102: relay device, 200, 201, 202, 300: network, 401, 402: existing communication device, 411, 412, 413, 420: Personal computer

Claims (1)

(1) 200841672 X. Patent application scope 1. A relay device is an ideal relay device used when electronic information communication is performed by adding encryption function to the tcp or UDP protocol of the transport layer. , with: relying on means, between the opposite device, depending on the corresponding encryption and decryption logic; and # agreement encryption means, as the information unit of the receiving and receiving information, at least the pre-record agreement payload, in accordance with The encryption logic that has been determined by the pre-recording method is encrypted and sent; and the protocol decryption means decrypts the payload of the TCP or UDP protocol that has been encrypted before it is received, according to the decryption logic determined by the pre-determined means. Communication using pre-recorded encryption and decryption logic using the TCP or UDP protocol of the pre-recorded transport layer. 2. 2. As claimed in claim 1, the relay device described in the first paragraph of the patent application, wherein the pre-recording encryption and decryption logic is determined by the means of encryption and decryption logic, which is stored in the memory and even in the memory. In the circuit; more logical means of change, the memory and even the installation may be the encryption and decryption logic depending on the candidate, regularly updated. 3 · As described in the patent device scope 1 or 2 of the relay device, where -34- (2) 200841672 pre-recorded encryption and decryption logic depends on the pre-record encryption and decryption logic, depending on The purpose of the plain text is not to be encrypted. -35-