TWI276018B - Encryption system and encryption device - Google Patents

Encryption system and encryption device

Info

Publication number: TWI276018B
Authority: TW (Taiwan)
Prior art keywords: cryptographic, terminal, network, data, password
Application number: TW92112603A
Other languages: Chinese (zh)
Other versions: TW200402010A (application publication)
Inventors: Makoto Izawa, Hiromitsu Narita, Akira Okamoto
Original assignees: Niigata Seimitsu Co Ltd, Micro Res Lab Inc
Application filed by Niigata Seimitsu Co Ltd and Micro Res Lab Inc; published as TW200402010A; granted and published as TWI276018B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic

Abstract

The invention relates to an encryption system and an encryption device. An encryption device (1), which performs encryption/decryption so as to terminate the encryption-based security with personal computers (7 to 9) that have encryption software, is connected between those personal computers (7 to 9) and terminals (2 to 4) that have no encryption software. The encryption device (1), for example, encrypts data received from a DB server (3) before transmitting it to the personal computer (7), and decrypts data received from the personal computer (8) before transmitting it to a network printer (2). Encryption can thus be used in an enterprise LAN that contains terminals (2 to 4) on which dedicated encryption software cannot be installed, building a network (10) in which there is little danger that secret information inside the LAN is stolen through unauthorized intrusion or attack from outside.

Description

1276018 (1) 玖、發明說明 【發明所屬之技術領域】 本發明有關於密碼系統及密碼裝置,特別是適用於在 於網絡上可以減低由外部之攻擊而資訊之盗取或塗改等之 缺點而實施資訊之密碼化/解碼處理之系統及裝置而合宜 之密碼系統及密碼裝置。 【先前技術】 如果以單獨台使用個人電腦時,個人電腦內部之資訊 之被盗取或改塗改之危險性少。惟將個人電腦連接於網路 等之網絡時,即由於交換(接·送)之資訊乃在於很多之網 絡中被轉轉發送,因此在該途中被盗取塗改之機會係一下 子地增多。又從外部之不正當存取而被盗取、塗改等情形 也增多。 爲了解決此問題而有:防火牆、抗病毒、存取控制、 資訊之密碼化、VPN(Virtual Private Network)等等,其中 利用密碼化之系統乃,將資訊予以密碼化後送至對方,而 將它解碼後予以利用,採如上述之措施之後,就算是在於 網絡之中途而資訊之被盗取之時,由於資訊被密碼化所以 資訊本身之被閱見之可能性少,又被塗改之缺點也可以減 低。又在VPN係使用實質的專用線而抑取來自外部之不當 存取。 上述之保全(保密)技術乃分別單獨地供使用,惟任意 的組合使用時’更可提高保全效果。 -5- (2) 1276018 例如,在於VPN網絡中有實施密碼化之系統之存在。 此種系統予以分類時可以分類爲:①Site-To-Site型、② Remote-Access型、③End-To-End型之三型。第1圖係說明 這些三型之密碼系統之圖。 第1圖所示,在於VPN網絡中,複數之桌上型個人電 腦10 1 A之藉由LAN(Local Area Net work)(區域網絡)等所連 接之擬點A網絡100 A,及複數之桌上型個人電腦10 1B之藉 由LAN所連接之擬點B網絡100B係介著構成假想專用線之 網絡200而被連接而成。 在於Site-To-Site型時乃,在於各擬點網絡100A, 100B之出入口設置閘路(gateway)102A,102B,而在於該 閘路102A,102B實施密碼化/解碼處理,由而在於閘路間 之網絡200實施資料之密碼通訊。 在於Remote Access型係在於閘路102A,102B與遙控 終端機103,104之間實施密碼化/解碼處理,由而在於閘 路與遙控終端機之間實施資訊之密碼通訊。 上述之任一型式乃均只在於擬點網絡100 A,100B之 外部而實施密碼通訊者,具有擬點內之資訊完全沒有被保 護之缺點。構築於擬點內之LAN係連接於網路(Inter Net) 等之網絡(Net-Work)200,必要時由LAN內之個人電腦對 於網絡實施存取由而可以實施資訊之互相交換(接•交)。 惟如這樣LAN係連接於網路,即由發生由外部之不正當之 侵入或攻擊而LAN內部之資訊之被盗取或塗改之危險性。 此時,擬點網絡100A,100B之出入口之閘路102A, -6· 1276018 ,* (3) 102B乃容易成爲由外部之攻擊之對象,負荷也會集中,因 此具有必要設置昂貴之機器,且對於這些機器個別的做難 解之設定及管理之缺點。 再者,也具備各擬點網絡100A,100B之內部乃對於 除了閘路以外之侵入□(經由無線LAN等)之侵入即完全沒 有防備之缺點。 對於上述之問題,End-To-End型乃在於擬點網絡100A ,100B內之各桌上型個人電腦101A,101B而實施密碼化/ 解碼處理,由而在於對象之終端機間實施密碼通訊。依此 型時,不管在於擬點內或擬點外,完全可以保護資訊,所 以完全解決Site-To-Site型、Remote Access型之上述缺點。 由於以往終端機之處理能力低,所以End-To-End型非現實 ,惟由於半導體(特別是CPU處理能力)之進步而最近即成爲 可能實現。 惟欲在於End-To-End型中利用密碼起見,須要在於擬 密碼通訊之終端機之全部,安裝密碼軟體,施予各種設定 才行。但是連接於擬點網絡100A,100B內之LAN等之終端 機卻有,可以安裝密碼軟體之桌上型個人電腦101 A,10 1B 以外之終端機也存在。 例如,印表機、傳真等物理的無法安裝密碼軟體之終 端機,或印表機伺服器或資料庫伺服器等等由於動作安定 上等之問題而不宜安裝多餘之軟體之終端機,沒有OS (操 作系統)之具備單純之網絡終端功能之終端機等等也存在 ,所以雖然在於End-To-End型之密碼系統上,仍然無法利 1276018 '(4) 用密碼,具有不能有效的保護資訊之問題存在。 再者,在於以往之End-To-End型密碼系統乃’在於複 數擬點內之終端間,實施密碼通訊者,只在於一個擬點之 封閉之世界中(例如只在於擬點A網絡1〇〇 A內)就無法利用 密碼。又例如在於擬點B網絡100B內有無法安裝密碼軟體 
之終端機存在之情形,或在於擬點B網絡100B內,備,有龐 大數目之終端機,由而對於這些全部安裝密碼軟體係不現 實等情形時,即在於擬點A,B間不能利用End-To-End型之 密碼系統,在這種情形時,如果有至少在於擬點A網絡 100A內地利用密碼之要求時,以往並沒有實現該要求之手 本發明乃爲了解決上述問題所創作,其目的乃提供一 種在於具有無法安裝密碼軟體之終端機之企業LAN之中亦 可以利用密碼,由而減低由來自外部之不正當侵入或攻擊 而LAN內部之機密資訊之被盗取塗改之危險性者。 再者本發明之另一目的爲,在於複數之擬點間實施資 訊時,於只在於一個封閉之擬點網絡內也可以利用密碼實 施通訊。 【發明內容】 本發明之密碼系統,乃直接或間接的連接,介著網絡 實施資料通訊之複數之終端機,與設置於上述複數之終端 機之間之專用之密碼裝置或載置密碼處理功能之中繼裝置 而成之密碼裝置中,在於上述密碼裝置或上述中繼裝置中 -8 - 1276018 ’ (5) ,將由某一擬點網絡之內部或在其外部之某一方之終端機 所受訊之資料密碼化’而送訊至在於上述或某一擬點網絡 之內部之另一方之終端機,同時將由上述另一方之終端機 所受訊之資料之密碼予以解碼後送訊至上述一方之終端機 的構成爲其特徵。 本例中之專用之密碼裝置係指專門的實施資料之密碼 化處理或解碼處理之裝置。又載置密碼化處理之功能之中 繼裝置乃,只要具有可以實施資料之密碼化處理及解碼處 理之功能即又備有其他功能也可以之裝置而言。 在於本發明之其他態樣乃直接或間接的連接介著網絡 實施資料通訊之複數之終端機,與設置於上述複數之終端 機之間之專用之密碼裝置,或載置了密碼處理功能之中繼 裝置而成之密碼系統中,在於上述密碼裝置或上述中繼裝 置中,將由在於某一擬點網絡之外部之上述網絡所受訊之 資料予以密碼化而送訊至在於上述或某一擬點網絡之內部 之上述終端機,同時將由上述終端機所受訊之資料之密碼 予以解碼後送訊至上述網絡的構成爲其特徵。 本發明之其他之態樣乃,介著有線或無線之網絡連接 :在於某一擬點網絡之內部之具備密碼處理功能之第1之 終端機,與在於上述或某一擬點網絡之內部或外部之不具 備密碼處理功能之第2之終端機,與配置於上述第1之終端 機與第2之終端機之間,用於實施資料之密碼化處理或解 碼處理之密碼裝置或中繼裝置而成之密碼系統中,上述密 碼裝置或中繼裝置乃,具備有:爲了終端與上述第1之終端 -9 - (6) 1276018 * c 機之間而藉密碼化之保全而實施資料之密碼化處理及解碼 處理之密碼化/解碼手段,及將由一端口所輸入,藉上述密 碼化/解碼手段施予密碼化處理或解碼處理之資料輸出於 其他端口之資料轉送手段爲其特徵。 本發明之其他態樣乃上述密碼化/解碼手段係在於與上 述第1之終端機之間實施被密碼化之資料通訊’同時在於 與上述第2之終端機之終端機乃爲了實施沒有密碼化之資 料之通訊而實施上述密碼化處理及上述解碼處理爲其特徵 〇 本發明之其他態樣乃上述中繼裝置係具備有,將上述 密碼化/解碼手段之功能予以積體化之半導體晶片爲其特 徵。 本發明之其他態樣乃上述半導體晶片係具設於訊號之 送受訊部與基頻帶處理器之間爲其特徵。 > 又本發明之密碼裝置乃直接或間接的連接於介著網絡 實施資料通訊之複數之終端機之間,將由在於某一擬點網 絡之內部或外部之一方之終端機所受訊之資料予以密碼化 而送訊至在於上述或某擬點網絡之另一方之終端機,同時 ,將由上述另一方之終端機所受訊之密碼予以解碼,送訊 至上述一方之終端機爲其特徵。 本發明之其他態樣乃在於介著網絡實施資料通訊之終 端機與該網絡之間,直接或間接的連接於上述終端機,將 由在於某擬點網絡之外部之上述網絡所受訊之資料予以密 碼化而送訊至在於上述或某一擬點網絡內部之上述終端機 •10- (7) 1276018 ,同時,將由上述終端機所受訊之資料之密碼予以解碼送 訊至上述網絡爲其特徵。 本發明之其他態樣乃在於介著網絡實施資料通訊之複 數之終端機之間,直接或間接的連接於在於某一擬點網絡 之內部之一方之終端機近傍, 將由在於上述某一擬點網絡之內部或外部之另一方之 終端機所受訊之資料之密碼予以解碼,送至上述一方之終 端機,同時將由上述一方之終端機所受訊之資料予以密碼 化送訊至上述另一方之終端機爲其特徵。 本發明之其他態樣乃介著有線或無線之網絡連接於, 在於某一擬點網絡之內部之具有密碼處理功能之第1之終 端機,與在於上述或某一擬點網絡之內部或外部之不具備 密碼處理功能之第2之終端機之間,具備:在於與上述第1 之終端機之間,爲了終端藉密碼化之保全起見,實施資料 之密碼化處理及解碼處理之密碼化/解碼手段,及將由一· 方之端口所輸入之藉上述密碼化/解碼處理手段而被密碼 
化處理或解碼處理之資料輸出於其他端口之資料轉送手段 爲其特徵。 本發明之其他態樣乃上述密碼化/解碼手段乃5在於與 上述第1之終端機之間係實施密碼化之資料之通訊,在於 與上述第2之終端機之間係爲了實施沒有密碼化之資料之 通訊起見,實施上述密碼化處理及上述解碼處理爲其特徵 〇 本發明之其他態樣乃將上述密碼化/解碼手段以及上述 • 11 - (8) 1276018 資料轉送之功能藉積體化於半導體晶片而構成爲其特徵。 本發明之其他態樣乃在於某一擬點網絡之內部之不具 有密碼處理功能之第1之終端機,與在於上述某一擬點網 絡內部或外部之具有密碼處理功能之第2之終端機之間’ 介著有線或無線之網絡連接於上述第1之終端機之近傍’ 具備:爲了終端,在於與上述第1之終端機之間之藉密碼 化之保全而實施資料之密碼化處理及解碼處理之密碼化/ 解碼手段,及 將由一端口所輸入之由上述密碼化/解碼手段而施予 密碼化處理或解碼處理之資料輸出於其他端口之資料轉送 手段爲其特徵。 【實施方式】 (第1之實施形態) 下面依附圖說明本發明之第1實施形態。 第2圖表示適用本實施形態之密碼裝置之第1實施形態 之密碼系統之構成例之圖。 第2圖中符號1係本實施形態之密碼裝置(依本發明之專 用之密碼裝置或載置之密碼處理功能之中繼裝置均可)° 具有二個端口,在一方之端口連接網絡印表機2 ’ DB伺服 器3,網絡終端機4等之裝置’在另一端口連接有集線器5 〇 本密碼裝置1乃,在於網絡印表機2 ’ DB伺服器3 ’網 絡終端機4等之裝置與集線器5之間實施資料之中繼。 -12· 1276018· • Ο) 網絡印表機2係物理的不能安裝密碼軟體之終端機。 DB伺服器3係由於動作安定上等之理由不合宜於安裝 多餘之密碼軟體之終端機。 網絡終端機4係沒有OS(操作系統)由而不能使密碼軟體 動作之終端機。所以設爲這些終端機2〜4沒有安裝密碼軟體 〇 又,集線器5係在於OSI參照模式之物理層而中繼資料 之機器。除了連接上述密碼裝置1之外,也連接無線通訊用 之存取點(存取站)6 ’及桌上型個人電腦7。即此時之集線器 5係在於密碼裝置1,及存取點6及桌上型個人電腦7之間實 施資料之中繼。 又,在於上述存取點6,以無線連接桌上型個人電腦8 及膝上型個人電腦9。在於桌上型個人電腦7、8及膝上型個 人電腦9上可能安裝實施資料之密碼化及解碼之用之密碼軟 體,而設爲已安裝有密碼軟體。 如上所述,本實施形態之密碼裝置1係具有二個端口, 對於一方之端口,介著集線器5或存取點6而間接的連接有 屬於具有密碼處理功能之終端機之個人電腦7〜9。 又在於另一端口,直接連接有,網絡印表機2,DB伺 月艮器3,網絡終端機4。並且由這些密碼裝置丨,網絡印表機 2,D B伺服器3,網絡終端機4,集線器5,存取點6,個人 電腦7〜9而構成一個擬點網絡。 由上述之構成,而在於未安裝(載置)密碼軟體之網絡 印表機2,DB伺服器3及網絡印表機4,與安裝(載置)有密 -13- (10) 1276018 碼軟體之個人電腦7〜9(這些裝置2〜4、7〜9均相當於本發明 之終端機)之間,得介著密碼裝置1,集線器5及存取點6實 施資料通訊。 此時密碼裝置1係在於,與安裝有密碼軟體之個人電 腦7〜9之間實施密碼化之資料通訊,同時在於與沒有安裝 密碼軟體之終端機2〜4之間即爲了實施沒有密碼化之資料 通訊起見,實施密碼化處理以及密碼之解碼處理。 例如欲從桌上型個人電腦7對於網絡印表機2送出資料 印出時,首先使用安裝於桌上型個人電腦7之密碼軟體而 將資料密碼化,介著集線器5供給於密碼裝置1。接著密碼 裝置1係將所受訊之資料予以解碼,送到網絡印表機2。 又,例如欲將由D B伺服器3所管理之資料取入於膝上型 個人電腦9時,D B伺服器3乃隨應於要求將該要求之資料供 給於密碼裝置1,接受了該未密碼化之資料之密碼裝置1乃 將該資料密碼化之後,介著集線器5及存取點6送訊至膝上 型個人電腦9。膝上型個人電腦9係將所受訊之資料予以解 碼後利用於所欲之處理。 由上述之說明可以明瞭,由於使用本實施形態之密碼 裝置1,由而在於具備有不能安裝專用之密碼軟體之終端機 2〜4之企業內LAN之內,也可以利用密碼。由而可以構築, 由來自外部之不正當侵入或攻擊而LAN內部之機密資訊之被 盜取、塗改之危險性少之保全網路也。 又,密碼裝置1與各終端機2〜4之間,雖然不能利用密 碼,惟連繫這些之電纜11係物理的短之配線,此部份之由外 -14- 1276018 (11) 部之攻擊而被盗取或塗改之可能性非常少,所以保全上並不 會特別或問題。 第3圖係表示第1實施形態之密碼系統之其他構成例之 圖。又在此第3圖上,對於具有與第2圖之構成要素之同一功 能之構成要件係標上同一符號。 
第2圖所示之密碼裝置1係備有有線之通訊介面,而以 有線連接於集線器5。相對的第3圖所示之密碼裝置1,係備有 無線之通訊介面,無線的連接於存取點6。且桌上型個人電 腦7也以無線連接於存取點6。所以在於第3圖之例子中不需 要集線器。第3圖之情形時,由密碼裝置1,,存取點6、個 人電腦7〜9而構成一個擬點網絡。其他之點係與第2圖者相 同。 再者,在於上述第2圖之例中,將密碼裝置1之功能積 體化於小型之1C,而將該1C實裝於集線器5也可以。又在於 第3圖之例中,將密碼裝置1 /之功能積體化於小型之1C將該 1C竇裝於存取點6之中也可以。 (第2之實施形態) 下面說明本發明之第2實施形態。 第4圖表示適用本實施形態之密碼裝置之第2實施形態 之密碼系統之構成例之圖。又本第4圖中,與第2圖所示之 構成要件具有同一功能之要件係標上同一符號。 如第4圖所示,本實施形態之密碼裝置21乃,利用了網 路等之假想專用線之網絡20係連接於一方之端口,在於另 -15- (12) 1276018 一方之端口連接有集線器5。此第4圖之情形係由:密碼裝 置21,集線器5、存取點6、個人電腦7〜9而構成一個擬點網 絡。再者,在於網絡20之前方存在有其他之擬點網絡(不圖 示),乃複數台的連接有,如第2圖所示之網絡印表機2、DB 伺服器3、網絡終端機4等,不能安裝密碼軟體之終端機, 或如個人電腦7〜9等安裝有密碼軟體之終端機^ 在弟2圖所不之第1實施形態乃,對於丨台之密碼裝置1連 接有一台之裝置。以一台之密碼裝置1而專用的實施關於一 台裝置之密碼化/解碼處理。詳述之,第2圖所示之密碼裝 置1係連接於安裝了密碼軟體之個人電腦7〜9,與沒有安裝 密碼軟體之一台之裝置之間,對於該一台之裝置終端了藉 密碼化之保全。 而相對的,第4圖所示之第2實施形態乃,密碼裝置21係 連接於安裝了密碼軟體之個人電腦7〜9,與以網絡連接之複 數台之裝置之間(不圖示)。上述複數台之裝置係,如第2圖 所示之網絡印表機2,DB伺服器3,網絡終端機4等,沒有 安裝密碼軟體者亦可以,或如個人電腦7〜9,安裝有密碼軟 體者亦可以。本實施形態之密碼裝置21乃對於複數台之裝 置(網絡20),終端藉密碼化之保全。此時密碼裝置21係具有 所連接之裝置之數目之資料庫,分別對於各裝置地以不同之 密碼鍵實施密碼化/解碼處理。 例如,介著網絡20由保全網絡10內之桌上型個人電腦7 對於在於其他之擬點網絡內之未安裝密碼軟體之外部裝置 送出資料時,首先使用安裝於個人電腦7之密碼軟體將資料 -16· (13) 1276018 密碼化’介著集線器5供給於密碼裝置2 1。接著密碼裝置2 1 ,乃’將接受之資料解碼,介著網絡20送出於其他擬點網 絡內之裝置。 再者’例如欲將以其他擬點網絡內之不具備密碼軟體 之外部裝置所管理之資料取入於保全網絡10內之膝上型個 人電腦9時’該其他擬點網絡內之外部裝置乃,隨應於被賦 予之要求而將該相當之資料送出至網絡20。此時接受(受訊) 了該未密碼化之資料之密碼裝置21乃將該資料密碼化,介 著集線器5及存取點6而送訊至膝上型個人電腦9。膝上型個 人電腦9係將所接受之資料解碼之後利用於所欲之處理。 如上所述,在連接於網絡20之其他之擬點網絡內,有 未安裝密碼軟體之裝置之存在之情形下,對於與該裝置之 間地實施資料通訊時,不能利用先前之End-To-End型密碼 系統。所以實施資料通訊之各個擬點網絡內係呈顯完全無 防備狀態。 相對的依本實施形態時,至少在於一方之擬點網絡(第 4圖之保全網絡10)即可以利用藉密碼化之保護。 本例中,在於其他擬點網絡也設置密碼系統21,由而 在於該其他擬點網絡內也可以利用藉密碼之保護。換言之 在於雙方之擬點內可以構築具有保全性之網路,又,在於 各擬點之出入口設置,第1圖所示之閘路(gate way),由而 在於網絡20上也可以利用密碼。 替代於在各擬點之出入口設置第1圖所示之閘路地, 在該密碼裝置21設定「密碼裝置21有無(需要或不需要)密 -17- (14) 1276018 碼化/解碼處理」由而可能使之在於網絡20上也可以利用 密碼 > 例如在於密碼裝置2 1上設定:「安裝有密碼軟體之 各終端機之互相實施通訊時,在於密碼裝置21不做解碼處 理」。以及「與未安裝密碼軟體之終端機之間實施通訊時 ,即令在於密碼裝置21實施解碼」之資訊。 此時,例如從保全網絡1 0內之桌上型個人電腦7而介 著網絡20對於其他擬點網絡內之具有密碼軟體之外部裝置 送出資料時,即首先利用安裝於桌上型個人電腦7之密碼 軟體而將資料予以密碼化,介著集線器5供給於密碼裝置 2卜 接著密碼裝置2 1乃將接受之資料不經解碼地介著網絡 20送出於外部裝置,該外部裝置係將接受之資料予以解碼 後利用於所欲之處理。 
相反的,經在於網絡20之前方之擬點網絡內之外部裝 置被密碼化之資料送出至保全網絡1 0內之桌上型個人電腦 7時,密碼裝置21係介著網絡20而從外部裝置所接受之資 料不做解碼地維持被密碼化之狀態地介著集線器5供給於 桌上型個人電腦7也。 又,連接於密碼裝置21之複數台之裝置乃並非一定需 要介著網絡來連接,直接或介著集線器來連接於密碼裝置 21也可以。直接連接時,密碼裝置21即須具有二個端口。 第5圖係表示第2之實施形態之密碼系統之其他構成例 之圖。又,在此第5圖中,對於具有與第4圖所示之構成要 件同一功能之構成要件即標上同一符號。第5圖所示之例 -18- (15) 1276018 子也與第4圖所示之例子同樣,以一台之密碼裝置21對於 複數台之裝置終端藉密碼化之保全之例子。 第5圖所示之例乃·保全網絡10之內部係,該三台之個 人電腦7〜9均以無線LAN連接在存取點6,又存取點6係介 著密碼裝置21連接於網絡20。 一般而言,無線LAN乃與有線之網路比較時在於保全 (保密)上脆弱。很容易受來自外部之攻擊。做爲無線LAN 之標準保全功能而可能利用SSID( Service Set Identifier) 及WEP(Wired Equivalent Privacy),惟只利用這些之標準 無線LAN環境乃,資料之被盗取塗改等之可能性很高。再 者關於被盗取或洩漏係被害時也不容易察知。 相對的依本實施形態時,只要在於擬點網絡之出入口 設置一個密碼裝置2 1,就可以確保在於無線LAN內部之藉 密碼化之保全,所以有效的防止資料之盗取、塗改等等。 又,在於第5圖之例中得以無線來連接密碼裝置21與 存取點6之間。 又在於上述第4圖之例中,將密碼裝置21之功能積體 化成小型之1C,而將該1C實裝於存取點6中亦可以。 第6圖表示第2之實施形態之密碼系統之再一別之構成 之例之圖。 按在於上述第2圖〜第5圖說明了做爲本發明之「在某 一擬點網絡之內部之另一方之終端機」或「在某一擬點網 絡內部之具備密碼處理功能之第1之終端機」之例而舉出 安裝有密碼軟體之個人電腦7〜9,而在於密碼裝置1 ’ 1 > -19- (16) 1276018 ,21與個人電腦7~9之間而終端藉密碼化之保全之例子, 但本發明之上述終端機係不侷限於此例,將包含具備有與 密碼裝置1,1 /,2 1同樣之功能之其他密碼裝置,第6圖 係表示此時之構成例。 第6圖所示之例乃,擬點A,B之二個擬點網絡30 A, 3 0B係介著路由器40 A,40B及網路等之網絡20所連接。擬 點A網絡30A之內係由個人電腦31A〜33A,及密碼裝置21A-1〜21A-3而構成企業內LAN。個人電腦31A〜33A均未安裝 密碼軟體之終端機。又密碼裝置21A-1〜21A-3係均具有與第 4圖之密碼裝置21同樣之功能者,一方之端口連接個人電腦 31A〜33A,另一方之端口連接有路由器40A。 擬點B網絡30B內也同樣由個人電腦31B〜33B及密碼裝 置21B01〜21B-3來構成企業內LAN。個人電腦31B〜33B均未安 裝密碼軟體之終端機。又密碼裝置21 B-1〜21 B-3均具有與第 4圖之密碼裝置21同樣之功能者。在其一方之端口連接個人 電腦31B〜3 3B,另一方之端口連接有路由器40B。 依上述之構成,在屬於不同擬點網絡30A,30B之個人 電腦之間乃介著密碼裝置21A-1〜21A-3,21Β-1~21Β-3而實 施資料通訊。 例如欲從在於擬點A網絡30A內之個人電腦31A對於擬 點B網絡30B內之個人電腦33B送資料之送訊時,密碼裝置 21 A-1乃將由個人電腦31A所供給之資料予以密碼化介著 路由器40A,網絡20及路由器40B送訊至密碼裝置21B-3。 密碼裝置21B-3係將受訊之資料予以解碼後供給於個人電 -20- 1276018· (17) 腦33B。由而在於不同擬點網絡30A,30B之間可以利用密 碼。 又,例如在於擬點A網絡30A之內部,在於未安裝密 碼軟體之各個人電腦31A〜33A互相之間乃介著密碼裝置 21Α-1~21Α-3實施資料通訊。例如從某一個人電腦31A對 於其他個人電腦33 A送資料時,密碼裝置21 A-1係從個人電 腦31 A所給之資料予以密碼化送訊至密碼裝置21 A-3。密碼 裝置21A-3即將接受(受訊)之資料解碼後供給於個人電腦 33A。 在於擬點B網絡30B之內部亦同樣,未安裝密碼軟體 之個人電腦31B~33B互相之間係介著密碼裝置21B-1〜21B-3實施資料通訊。例如從某一個人電腦3 1 B對於其他個人電 腦3 3 B送資料時,密碼裝置2 1 B -1係將由個人電腦3 1 B所給 之資料密碼化,送訊至密碼裝置21B-3。密碼裝置21B-3乃 
將接受之資料解碼後供給於個人電腦3 3 B。 如上所述,密碼裝置21A-1〜21A-3,21Β-1~21Β·3乃均 與未安裝密碼軟體之個人電腦31Α〜33Α,31Β〜33Β係實施 未經密碼化之資料之通訊,同時在於具有密碼處理功能之 終端機之密碼裝置21Α-1〜21Α-3,21Β-1〜21Β-3之間即爲了 實施密碼化之資料之通訊而實施密碼化處理以及密碼之解 碼處理。 如上所述,將密碼裝置21Α-1〜21Α-3,21Β-1~21Β-3分 別連接於個人電腦31Α〜33Α,31Β〜33Β之近傍’由而當然 在於不同之擬點網絡30A,30Β之間’在於不具備密碼軟 -21 - 1276018- (18) 體之個人電腦之企業內LAN之中也可能利用密碼。由而可 以使各擬點網絡30A,30B成爲,從外部之不正侵入或攻 擊而企業LAN內部之機密資訊所盗取、塗改之危險性少之 保全性(保密性)之網絡也。 再者,在上述第6圖之例乃,各擬點網絡30 A,30B均 具備複數台之具有密碼處理功能之終端機(密碼裝置21A-1〜21A-3,21B-1〜21B-3)而構成,惟採用至少一方之擬點 網絡只具備一台之具有密碼處理功能之終端機之構成亦可 〇 例如,在於擬點網絡30 A中,連接一台個人電腦3 1 A 與一台密碼裝置21 A-1來構成亦可以。此時即與第6圖所示 之構成同樣在於不同之擬點網絡3 〇 A,3 〇 B間可以利用密 碼。又,關於擬點網絡30A之內’係藉將密碼裝置21 A-1連 接於個人電腦31A之近傍,就可以使該擬點網絡30A之出 入口與密碼裝置2 1 A-1之間可以利用密碼。 又,上述第6圖之例子乃表示以網絡20連接二個擬點 網絡3 0 A,3 0 B,在於各擬點網絡3 0 A,3 0 B內,分別具備 了密碼裝置21A-1〜21A-3,21B-1〜21B-3及個人電腦 3 1 A〜3 3 A,3 1 B〜3 3 B之例子,惟並不侷限於本例。 例如,在於一個擬點網絡內,具備密碼裝置21八-1〜21A-3, 21B-1〜21B-3及個人電腦 31A~33A, 31B~33B, 而該未安裝密碼軟體之個人電腦31A〜33A,31B-33B之間 之資料之互相接·交即介著密碼裝置21Α·1~21Α-3 ’ 21B· 1〜21 Β-3來實施也可以。此時在於一個擬點網絡內’至少 -22· 1276018 (19) 在於密碼裝置21A-1〜21A-3,21B-1〜21B-3之間可以利用密 碼。 又除了上述之外,例如採用於第2圖之構成中,替代 安裝有密碼軟體之個人電腦7而使用未安裝密碼軟體之個 人電腦及密碼裝置1,而將密碼裝置1連接於集線器5之構 成亦可行。此時不能安裝密碼軟體之網絡印表機2、DB伺 月艮器3、網絡終端機4等之裝置與沒有安裝有密碼軟體之個 人電腦之間乃介著連接於兩者臨近之密碼裝置1可以實施 密碼通訊。 (第3之實施例) 接著說明本發明之第3之實施形態。 第7圖表示適用了本實施形態之密碼裝置之第3之實施 形態之密碼系統之構成例之圖。在於第7圖中’對於具有 與第3圖及第5圖所示之構成要件相同之功之構成要件係標 上同一之符號。 第7圖所示之第3之實施形態係組合了第3圖所示之密 碼裝置與第5圖所示之密碼裝置21而構成了密碼系統者 〇 依此例時,在於無線LAN之內部可以確立保全網絡1 0 ,對於實質上不能安裝密碼軟體之裝置也使之可能利用密 碼0 (第4之實施形態) -23- (20) 1276018 接著說明本發明之第4之實施形態。 第8圖表示第4之實施形態之密碼裝置(載置了密碼處理 功能之中繼裝置)之構成例之圖,其中第8圖(a)係表示實裝 上述密碼裝置21之功能之ic晶片50之構成例’第8圖(b)表 示載置了 MIC晶片50之手提話機60之構成例。 如第8圖(a)所示,用於實現上述密碼裝置2 1之功能之 1C晶片50乃具備有,CPU50、ROM52、RAM53,存取控制 器54,及介面部55等之功能塊。 , CPU51乃由存取控制器54而存取於ROM52及RAM53, 並且依照收納於ROM52之程序而將RAM53做爲工作領域而 動作,實施資料之密碼化/解碼處理。介面部55乃將該供 CPU5 1處理之資料或已處理過之資料接•交於1C晶片50之 外部。 又,如第8圖(b)所示,上述之1C晶片50(密碼晶片)50 乃實裝於手提話機60之送受訊號與基頻帶處理器65之間。 送受訊部均包含習知之天線61,天線開關62,RF部( 高頻處理部)63,IF部(中頻處理部)64。此送受訊部乃例如 對應於無線LAN或Bluet tooth等等,在於與個人電腦或 PDA(Personal Digital Assistants)等之外部終端機之間實 施資料之送受訊。 
如上所構成之手提手機6 0係,例如可替代第5圖所示 之密碼裝置21地使用。在此時,例如從保全網絡10內之桌 上型個人電腦7而介著網絡20對於其他擬點網絡內之裝置 送資料時,即首先使用安裝於桌上型個人電腦7之密碼軟 -24- (21) 1276018 體將資料密碼化,而將該密碼資料送訊至手提手機60 ’接 著手提手機60乃在於密碼晶片50內而將接受之資料予以解 碼介著網絡20而送出於其他擬點網絡內之裝置。 又,例如欲將由其他之擬點網絡內之裝置所管理之資 料取入於保全網絡1〇內之膝上型個人電腦9時’該其他之擬 點網絡內之裝置係隨應於所賦予之要求’將該資料送出於 網絡20內。接受了該未密碼化之資料之手提手機60乃以密 碼晶片5 0而將該資料密碼化送訊至膝上型個人電腦9。膝 上型個人電腦9乃將接受之資料解碼利用於所欲之處理。 如上所述,將密碼裝置2 1之功能予以晶片化,將它組 入於手提手機60,由而在於使用該手提手機60之無線LAN 環境內可以實現由密碼化之保全(保密)。 又,本例係說明使用手提手機60來替代第5圖之密碼 裝置2 1之例子。惟亦可替代第3圖之密碼裝置1 >地使用。 此時連接網絡印表機2,DB伺服器3、網絡終端機4之間之 線將用無線。惟這些部份係如上所述不能利用密碼。所以 需要這些裝置2〜4與手提手機60之物理的距離之短的狀態 來使用爲其必要條件。 又,本例係說明了對於手提(電話)手機60實裝1C晶片 5 0之例子,惟其他只要是具備通訊介面之電子機器就可適 用。 以上係對於第1〜第4之實施形態做了說明,惟對於在 這些實施形態所使用之密碼化之算法(algorithm)係本發明 乃不做限定,換言之習知之任何密碼算法均可能適用。 -25- 1276018 s (22) 又在於上述之各實施形態中,該網絡係說明了使用假 想專用線之例子,惟本實施形態之密碼裝置之可連接之電 路並不侷限於假想專用線。 其他,上述之各實施形態均不過是爲實施本發明時之 具體化之一例而已,並非由該實施形態而限定的解釋本發 明之技術範圍。換言之本發明乃仍不逸脫其精神或主要特 徵地可以種種形態來實施者。 如上所述本發明乃,在於介著網絡實施資料通訊之終 端機之間,連接專用之密碼裝置等等,而在該密碼裝置等 ,將由某一擬點網絡之內部或外部之一方之終端機所受訊 之資料予以密碼化而送訊至某一擬點網絡之內部之某一其 他之終端機,同時將由另一方終端機所受訊之資料之密碼 予以解碼後送至一方之終端機地構成,所以在於具有不能 安裝密碼軟體之終端機之企業內LAN之中也成爲可以利用 密碼,由而可以減低由外部之不正當侵入或攻擊而LAN內 部之機密資訊之被盗取•塗改等之危險性。 又,本發明係,例如只在於以假想專用線所連接之複 數之擬點網絡之中之一個擬點網絡之封閉之世界中也可以 利用密碼。 例如,在於其他之擬點網絡內,存在了無法安裝密碼 軟體之終端機之情形,其他之擬點網絡內設有龐大數目之 終端機,而對於其全部之終端機安裝密碼軟體係屬非現實 的做法之情形等等也可以在至少一個擬點網絡內而可以利 用密碼。 -26- 1276018 • (23) 例如只構成一個擬點網絡之無線LAN也可以達成藉密 碼之保護者。 產業上之利用可能性 本發明係做爲:在於具有,無法安裝專用之密碼軟體 之終端機之企業內LAN之中也可以利用密碼,由而減低來 自外部之不正當侵入或攻擊,由而LAN內部之機密資訊所 盗取或塗改之危險性上很有用。 又,本發明乃利用爲在於複數之擬點間實施資訊通訊 時,只在於一個封閉之擬點網絡內也可以利用密碼之用途 上很有用。 【圖式簡單說明】 第1圖表示先前之密碼系統之構成圖。 第2圖表示適用本實施形態之密碼裝置之第1實施形態 之密碼系統之構成例之圖。 第3圖表示依第1實施形態之密碼系統之其他構成例之 圖。 第4圖表示適用本實施形態之密碼裝置之第2實施形態 之密碼系統之構成例之圖。 第5圖表示依第2實施形態之密碼系統之其他構成例之 圖。 第6圖表示依第2實施形態之密碼系統之再一其他構成 例之圖。 -27- (24) 1276018 第7圖表示適用本實施形態之密碼裝置之第3實施形態 之密碼系統之構成例之圖。 第8圖表示第4實施形態之密碼裝置(中繼裝置)之構成之 圖。第8圖(a)表示密碼晶片之構成例。第8圖(b)表示載置該 密碼晶片之手提話機之構成例之圖。 [符號說明] 1,厂:密碼裝置 2 :網絡印表機 3 : DB伺服器 4 :網絡終端機 5 :集線器 6 :存取點 7 :桌上型個人電腦 8 :桌上型個人電腦 9 :膝上型個人電腦 I 0 :安全網路 II :電纜 20 :網路 21 :密碼裝置 21A-1〜3 .趙碼裝置 21B-1〜3 :密碼裝置 3 1 A〜B個人電腦 32A〜B :個人電腦 
(25) 1276018 33A〜B:個人電腦 30A〜B :擬點()網絡 40A〜B :路由器 100A〜B :擬點()網絡 101A〜B:桌上型個人電腦 102A〜B :閘路 103 :遙控終端機 104 :遙控終端機 200 :網絡 50 : 1C晶片1276018 (1) 玖, [Technical Field] The present invention relates to a cryptosystem and a cryptographic device. In particular, it is suitable for a cryptosystem and a cryptographic device that are suitable for systems and devices that implement information encryption/decoding processing by reducing the shortcomings of information such as theft or alteration of information by external attacks.  [Prior Art] If you use a personal computer in a separate station, The information inside the personal computer is less likely to be stolen or altered. However, when connecting a personal computer to a network such as the Internet, That is, since the information exchanged (send and send) is transmitted in many networks, Therefore, the chance of being stolen and altered on the way is increased. Also stolen from external improper access, The situation such as alterations has also increased.  In order to solve this problem, there are: Firewall, Antiviral, Access control,  Cryptographic information, VPN (Virtual Private Network), etc. Where the system using cryptography is, Encrypt the information and send it to the other party. And use it to decode it and use it. After taking the above measures, Even if the information is stolen in the middle of the network, Since the information is encrypted, the information itself is less likely to be read. The shortcomings that have been altered can also be reduced. In addition, the VPN system uses a substantial dedicated line to suppress improper access from the outside.  The above-mentioned preservation (secret) technology is separately available for use. However, any combination can be used to improve the security.  -5- (2) 1276018 For example, There is a system in the VPN network that implements encryption.  
When such systems are classified, they can be classified as: 1Site-To-Site type, 2 Remote-Access type, Type 3 of the 3End-To-End type. Figure 1 is a diagram showing the cryptosystems of these three types.  As shown in Figure 1, In the VPN network, A plurality of desktop personal computers 10 1 A are connected to a pseudo-point A network 100 A by a LAN (Local Area Net work) or the like. And the plurality of desktop personal computers 10 1B are connected by a network B that constitutes a virtual dedicated line.  In the case of Site-To-Site, In each of the network 100A,  The gateway of the 100B is provided with a gateway 102A, 102B, And in the gate 102A, 102B implements cryptographic/decoding processing, The cryptographic communication of the data is carried out by the network 200 between the gates.  The Remote Access type is based on the gate 102A. 102B and remote control terminal 103, Performing cryptographic/decoding processing between 104, The cryptographic communication of information is implemented between the gate and the remote terminal.  Any of the above types is only in the pseudo-point network 100 A, Implementing password communication outside the 100B, There is a disadvantage that the information within the quasi-point is completely unprotected. The LAN built in the proposed point is connected to a network (Net-Work) 200 such as an Internet (Inter Net). If necessary, the personal computer of the LAN can access the network to exchange information (interchange).  However, if the LAN is connected to the network, That is, the risk of theft or alteration of information within the LAN caused by an external intrusion or attack.  at this time, Quasi-point network 100A, Gate 102A of the entrance and exit of 100B,  -6· 1276018 , * (3) 102B is easy to be the object of external attacks, The load will also be concentrated, Therefore, it is necessary to set up expensive machines, And for these machines, the inconvenience of setting and managing the shortcomings.  
Furthermore, Also has a network of each point 100A, The inside of 100B is a flaw that is completely unprepared for intrusion beyond the gate (via wireless LAN, etc.).  For the above questions, The End-To-End type is in the pseudo-point network 100A. Each desktop PC 101A in 100B, Encryption/decoding processing is performed at 101B, The password communication is implemented between the terminals of the object. According to this type, Whether in or after the quasi-point, Fully protect information, So completely solve the Site-To-Site type, The above disadvantages of the Remote Access type.  Due to the low processing power of the terminal in the past, So End-To-End is unrealistic, However, due to advances in semiconductors (especially CPU processing power), it has recently become possible.  In order to use the password in the End-To-End type, It needs to be in the terminal of the pseudo-communication communication, Install password software, Give various settings. But connected to the pseudo-point network 100A, The terminal such as LAN in 100B does have A desktop personal computer 101 A in which a password software can be installed, Terminals other than 10 1B also exist.  E.g, Printer, a physical terminal that cannot be installed with a password, such as a fax, Or the printer server or the database server, etc., because of the stability of the action, it is not appropriate to install the terminal of the redundant software. Terminals that do not have an OS (Operation System) with simple network terminal functions, etc., also exist. So although it is on the End-To-End type cryptosystem, Still can't benefit 1276018 '(4) with a password, There is a problem with not being able to effectively protect information.  Furthermore, In the past, the End-To-End type cryptosystem was located between terminals in a complex pseudo-point. 
Implement a password correspondent, It is only in a closed world of a quasi-point (for example, only within the pseudo-point A network 1〇〇A) that the password cannot be used. For another example, in the case where the terminal B network 100B has a terminal device in which the password software cannot be installed, Or in the pseudo-B network 100B, Ready, There are a large number of terminals, Therefore, when these all-installed password soft systems are not real, etc., That is, the point A, The End-To-End type cryptosystem cannot be used between B. In this case, If there is at least a requirement to use the password in the in-place network A, 100A, The invention has not been implemented in the past. The present invention has been made to solve the above problems. The purpose is to provide a password in a corporate LAN having a terminal that cannot be installed with a password software. This reduces the risk of theft and alteration of confidential information inside the LAN caused by improper intrusion or attack from the outside.  Still another object of the present invention is When the information is implemented between the plural points, It is also possible to implement communication using a password in a closed network.  
SUMMARY OF THE INVENTION The cryptosystem of the present invention, Is a direct or indirect connection, a terminal that implements the data communication through the network, In a cryptographic device formed by a dedicated cryptographic device or a relay device having a cryptographic processing function disposed between the plurality of terminals, In the above cryptographic device or the above-mentioned relay device -8 - 1276018 ’ (5) The data received by the terminal within one of the network or one of the external terminals is cryptographically transmitted to the other terminal within the network of the above or a certain point network, At the same time, the password of the data received by the terminal of the other party is decoded and sent to the terminal of the above-mentioned terminal.  The dedicated cryptographic device in this example refers to a device for cryptographic processing or decoding processing of a specific implementation data. And the function of the cryptographic processing is further installed, As long as it has a function of performing cryptographic processing and decoding processing of data, it is also possible to have other functions.  In other aspects of the present invention, a terminal device that directly or indirectly connects to a network to implement data communication is provided. a dedicated cryptographic device between the terminals set up above, Or a cryptographic system in which a relay device of a cryptographic processing function is placed, In the above cryptographic device or the above relay device, The data received by the above-mentioned network outside the network of a certain point is cryptographically transmitted to the above-mentioned terminal located in the above-mentioned or a certain point network, At the same time, the configuration of the password of the data received by the terminal device is decoded and sent to the network.  
Another aspect of the present invention is that Connect to a wired or wireless network: The first terminal with cryptographic processing function inside a certain point network, And the second terminal that does not have a cryptographic processing function inside or outside the above-mentioned or a certain point network, And being disposed between the first terminal of the first terminal and the terminal of the second, In a cryptographic system formed by a cryptographic device or a relay device for implementing cryptographic processing or decoding processing of data, The above password device or relay device is Have: For the terminal and the first terminal -9 - (6) 1276018 * c machine, the cryptographic processing and decoding processing cryptography/decoding means are implemented by cryptographic security. And will be entered by a port, The data transfer means for outputting the data of the cryptographic processing or the decoding processing by the above-described ciphering/decoding means is output to other ports.  According to another aspect of the present invention, the cryptographic/decoding means is to perform cryptographic data communication with the first terminal device, and at the same time, the terminal device of the second terminal device is not encrypted. The above-described cryptographic processing and the above-described decoding processing are carried out by communication of the data, and other aspects of the present invention are provided in the above-described relay device. A semiconductor wafer in which the functions of the above-described cryptographic/decoding means are integrated is characterized.  Another aspect of the present invention is characterized in that the semiconductor wafer device is provided between a signal transmitting and receiving portion and a baseband processor.  
>  Further, the cryptographic device of the present invention is directly or indirectly connected between a plurality of terminals that implement data communication through the network. The data received by the terminal located in one of the internal or external networks of a certain point network is cryptographically transmitted to the terminal of the other party on the above or a certain point network, Simultaneously , The password received by the terminal of the other party is decoded. The terminal to which the above-mentioned party is sent is characterized.  Another aspect of the present invention resides in a network between a terminal that implements data communication over a network, and the network. Directly or indirectly connected to the above terminal, The data received by the above-mentioned network outside the network of a certain point is cryptographically transmitted to the above terminal (10-(7) 1276018 in the above-mentioned or a certain point network, Simultaneously, The password of the data received by the terminal device is decoded and transmitted to the above network.  Other aspects of the present invention reside in a terminal device that implements a plurality of data communications over a network. Directly or indirectly connected to a terminal near one of the internal networks of a pseudo-point network,  Decoding the password of the data received by the terminal located in the other party inside or outside the above-mentioned network, Sent to the terminal of the above party, At the same time, the information received by the terminal of the above-mentioned terminal is cryptographically transmitted to the terminal of the other party.  
Other aspects of the invention are connected to a wired or wireless network,  The first terminal machine with cryptographic processing function inside a quasi-point network, Between the terminal of the second terminal that does not have the cryptographic processing function inside or outside the above-mentioned or a certain point network, have: Between the above-mentioned first terminal, In order to secure the terminal by cryptography, Cryptographic/decoding means for implementing cryptographic processing and decoding processing of data, And a data transfer means for outputting data encrypted or decoded by the above-described cryptographic/decoding processing means by the port of the first party to another port.  The other aspect of the present invention is that the above-described cryptographic/decoding means 5 is that communication with the cryptographic data is performed between the first terminal and the first terminal. In connection with the above-mentioned second terminal, in order to implement communication without cryptographic data, The above-described cryptographic processing and the above-described decoding processing are characterized in that the cryptographic/decoding means and the function of the above-mentioned data transfer are integrated into a semiconductor wafer. Its characteristics.  Another aspect of the present invention resides in a first terminal that does not have a cryptographic processing function within a certain point network, Having a wired or wireless network connected to the first terminal of the first terminal between the terminal having the cryptographic processing function inside or outside the above-mentioned one-point network: For the terminal, a cryptographic/decoding means for performing cryptographic processing and decoding processing of the data with the cryptographic security between the first terminal and the first terminal. 
And a data transfer means for outputting the data subjected to the cryptographic processing or the decoding processing by the above-mentioned cryptographic/decoding means to the other port by means of a port.  [Embodiment] (Embodiment 1) Hereinafter, a first embodiment of the present invention will be described with reference to the drawings.  Fig. 2 is a view showing an example of the configuration of a cryptographic system according to the first embodiment to which the cryptographic device of the present embodiment is applied.  The symbol 1 in Fig. 2 is a cryptographic device of the present embodiment (a cryptographic device according to the present invention or a relay device having a cryptographic processing function mounted thereon) can have two ports. Connect the network printer 2 ’ DB server 3 to one of the ports. The device of the network terminal 4 or the like has a hub 5 connected to the other port. The data relay is implemented between the device such as the network printer 2' DB server 3' network terminal 4 and the hub 5.  -12· 1276018· • Ο) Network printer 2 is a physical terminal that cannot install password software.  The DB server 3 is not suitable for installing the terminal of the redundant password software because of the stability of the operation.  The network terminal 4 is a terminal that does not have an OS (Operating System) and does not enable the password software to operate. Therefore, it is assumed that these terminal devices 2 to 4 do not have the password software installed. The hub 5 is a device that relays data in the physical layer of the OSI reference mode. In addition to connecting the above cryptographic device 1, Also, an access point (access station) 6' for wireless communication and a desktop personal computer 7 are connected. That is, the hub 5 at this time is in the cryptographic device 1, The relay of the data is implemented between the access point 6 and the desktop personal computer 7.  
A desktop personal computer 8 and a laptop personal computer 9 are connected wirelessly to the access point 6. Cryptographic software that encrypts and decrypts data can be installed on the desktop PCs 7 and 8 and on the laptop PC 9, and it is assumed to be installed.

As stated above, the cryptographic device 1 of this embodiment has two ports. To one port, the personal computers 7 to 9, which are terminals having a cryptographic processing function, are connected indirectly through the hub 5 or the access point 6. To the other port, the network printer 2, DB server 3 and network terminal 4 are connected directly. The cryptographic device 1, network printer 2, DB server 3, network terminal 4, hub 5, access point 6 and personal computers 7 to 9 together form one site network.

In this configuration, the network printer 2, DB server 3 and network terminal 4, which have no cryptographic software installed, communicate with the PCs 7 to 9, which have it installed (devices 2 to 4 and 7 to 9 correspond to the terminals of the invention), through the cryptographic device 1, the hub 5 and the access point 6. The cryptographic device 1 carries out encrypted data communication with the personal computers 7 to 9 on which the cryptographic software is installed, and unencrypted data communication with the terminal devices 2 to 4 that have none; to do so it performs the encryption and decryption itself.

For example, when the desktop PC 7 sends data to the network printer 2, the data is first encrypted by the cryptographic software installed on the desktop PC 7 and supplied through the hub 5 to the cryptographic device 1. The cryptographic device 1 then decrypts the received data.
It sends the decrypted data to the network printer 2.

Likewise, when data managed by the DB server 3 is to be fetched into the laptop personal computer 9, the DB server 3 supplies the requested data to the cryptographic device 1 in response to the request. The cryptographic device 1, having received this unencrypted data, encrypts it and sends it through the hub 5 and the access point 6 to the laptop personal computer 9. The laptop personal computer 9 decrypts the received data and uses it for the desired processing.

As the above description shows, by using the cryptographic device 1 of this embodiment, encryption can be used even in an in-house LAN that includes terminals 2 to 4 on which dedicated cryptographic software cannot be installed. A secure network can thus be built in which there is less danger of confidential information inside the LAN being stolen or altered through unauthorized intrusion or attack from outside.

Between the cryptographic device 1 and each of the terminal devices 2 to 4, encryption cannot be used. However, the cable 11 connecting them is a short physical run, and there is very little chance of this part being intercepted or altered by an attack from outside, so it poses no particular security problem.

Fig. 3 shows another configuration example of the cryptographic system of the first embodiment. In Fig. 3, constituent elements having the same functions as those of Fig. 2 are denoted by the same reference numerals.

The cryptographic device 1 shown in Fig. 2 has a wired communication interface and is connected to the hub 5 by wire. The cryptographic device 1' shown in Fig. 3, by contrast, has a wireless communication interface and is connected wirelessly to the access point 6. The desktop personal computer 7 is also wirelessly connected to the access point 6.
In the example of Fig. 3, therefore, no hub is needed. In Fig. 3 the cryptographic device 1', the access point 6 and the personal computers 7 to 9 form one site network. The other points are the same as in Fig. 2.

In the example of Fig. 2, the function of the cryptographic device 1 can be integrated into a small IC and that IC mounted in the hub 5. In the example of Fig. 3, the function of the cryptographic device 1' can be integrated into a small IC and that IC mounted in the access point 6.

(Second embodiment) A second embodiment of the present invention is described next.

Fig. 4 shows an example of the configuration of a cryptographic system according to the second embodiment, to which the cryptographic device of the present embodiment is applied. In Fig. 4, elements having the same functions as those shown in Fig. 2 are denoted by the same reference numerals.

As shown in Fig. 4, the cryptographic device 21 of this embodiment has a network 20 (a network such as the Internet, using a virtual private line) connected to one port and the hub 5 connected to the other port. In Fig. 4 the cryptographic device 21, hub 5, access point 6 and personal computers 7 to 9 form one site network. Beyond the network 20 there are other site networks (not shown) to which a number of devices are connected: terminals on which cryptographic software cannot be installed, such as the network printer 2, DB server 3 and network terminal 4 of Fig. 2, or terminal devices on which cryptographic software is installed, such as the personal computers 7 to 9.

In the first embodiment of Fig. 2 (not shown again here), one device is connected to one cryptographic device 1, and each cryptographic device 1 performs the encryption/decryption exclusively for that one device.
In detail, the cryptographic device 1 of Fig. 2 secures, by encryption, the path between the personal computers 7 to 9 on which the cryptographic software is installed and the single device without cryptographic software connected to it.

In contrast, in the second embodiment of Fig. 4, the cryptographic device 21 sits between the personal computers 7 to 9 with cryptographic software and the many devices connected through the network 20 (not shown). Those devices may be ones without cryptographic software, such as the network printer 2, DB server 3 or network terminal 4 of Fig. 2, or ones with cryptographic software installed, such as the personal computers 7 to 9. The cryptographic device 21 of this embodiment therefore secures the path to many devices (via the network 20) by encryption. For this purpose the cryptographic device 21 holds a database of the connected devices and performs encryption/decryption for each device with a different cipher key.

For example, when the desktop personal computer 7 in the secure network 10 sends data over the network 20 to an external device in another site network that has no cryptographic software installed, the data is first encrypted by the cryptographic software installed on the personal computer 7 and supplied to the cryptographic device 21. The cryptographic device 21 then decrypts the received data and sends it over the network 20 to the device in the other site network.

Conversely, when data managed by an external device without cryptographic software in another site network is to be fetched into the laptop personal computer 9 in the secure network 10, the external device sends the requested data onto the network 20 in response to the request.
The cryptographic device 21, having received this unencrypted data, encrypts it and sends it through the hub 5 and the access point 6 to the laptop personal computer 9. The laptop personal computer 9 decrypts the received data and uses it for the desired processing.

As described above, when a device without cryptographic software exists in another site network connected to the network 20, the conventional end-to-end cryptosystem cannot be used for data communication with that device, so the data communication between the site networks is left entirely unprotected. With this embodiment, by contrast, encryption can be used in at least one of the site networks (the secure network 10 of Fig. 4).

If a cryptographic device 21 is also installed in the other site network, the protection of encryption can be used in that site network as well; in other words, a network that is secure on both sides can be built. Moreover, by installing the gateway shown in Fig. 1 at the entrance/exit of each site, encryption can be used on the network 20 as well.

Instead of installing the gateway of Fig. 1 at the entrance/exit of each site, the cryptographic device 21 may be configured to decide, per peer, whether its encryption/decryption is required or unnecessary, which also allows encryption to be used on the network 20. For example, the cryptographic device 21 is set up as follows: when terminals that both have cryptographic software communicate with each other, the cryptographic device 21 performs no decryption; when communicating with a terminal that has no cryptographic software installed, the cryptographic device 21 decrypts the data.
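The relay behaviour of the first and second embodiments, as an added model that is not the patent's own code: a two-port cryptographic device that decrypts traffic arriving from the side whose terminals run cryptographic software when the destination has none, encrypts traffic from such a peer in the other direction, selects a different key per peer (the device database of Fig. 4), and leaves traffic untouched when both ends run their own cryptographic software (the per-peer setting just described). The HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag is a stand-in for the algorithm the patent leaves open; the peer names, the key database, the `CryptoRelay` class and the constructed messages are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # per-message nonce prepended to the ciphertext
TAG_LEN = 32     # HMAC-SHA256 tag appended to the ciphertext


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the cipher the patent does not fix."""
    nblocks = (length + 31) // 32
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(nblocks))
    return ks[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, tag computed over nonce and ciphertext (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, frame: bytes) -> bytes:
    """Verify the tag first; altered or truncated frames are rejected, never forwarded."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated frame")
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class CryptoRelay:
    """Two-port cryptographic device (device 1 of Fig. 2, device 21 of Fig. 4), as modelled here.

    Port A faces the terminals that run cryptographic software (via hub or access point);
    port B faces the peers that may lack it (directly, or via the network 20).
    `keys` maps each peer without cryptographic software to the key that its
    correspondents' software also holds, so each such device uses a different key.
    """

    def __init__(self, keys: dict, capable: set):
        self.keys = dict(keys)          # assumed per-device key database
        self.capable = set(capable)     # peers that run their own cryptographic software

    def _key_for(self, peer: str) -> bytes:
        if peer not in self.keys:
            raise KeyError(f"no key registered for peer {peer!r}")
        return self.keys[peer]

    def from_port_a(self, src: str, dst: str, frame: bytes) -> bytes:
        """Frame entering port A (from a terminal with software) bound for dst on port B."""
        if dst in self.capable:          # both ends run software: pass the ciphertext through
            return frame
        return decrypt(self._key_for(dst), frame)   # peer without software: decrypt for it

    def from_port_b(self, src: str, dst: str, frame: bytes) -> bytes:
        """Frame entering port B from src bound for dst on port A."""
        if src in self.capable:          # already encrypted end to end: pass through
            return frame
        return encrypt(self._key_for(src), frame)   # plain data from src: encrypt it


def demo() -> dict:
    """Walk through the exchanges described for Figs. 2 and 4 with constructed data."""
    keys = {p: secrets.token_bytes(32) for p in ("printer2", "dbserver3", "ext_plain")}
    relay = CryptoRelay(keys, capable={"pc7", "pc9", "ext_capable"})
    out = {}
    # Fig. 2: PC 7's software encrypts with the printer's key; the relay decrypts for the printer.
    job = b"print job: quarterly report"
    out["printer_gets"] = relay.from_port_a("pc7", "printer2", encrypt(keys["printer2"], job))
    # Fig. 2: DB server 3 answers in the clear; the relay encrypts, PC 9's software decrypts.
    wire = relay.from_port_b("dbserver3", "pc9", b"customer records")
    out["wire_is_ciphertext"] = b"customer records" not in wire
    out["pc9_gets"] = decrypt(keys["dbserver3"], wire)
    # Fig. 4 setting: PC 7 to an external device with its own software passes through unchanged.
    pair_key = secrets.token_bytes(32)   # known only to the two capable endpoints
    wire = encrypt(pair_key, b"end-to-end")
    out["passthrough_unchanged"] = relay.from_port_a("pc7", "ext_capable", wire) == wire
    # An altered frame fails authentication and is dropped rather than forwarded as garbage.
    bad = bytearray(encrypt(keys["ext_plain"], b"order 42"))
    bad[NONCE_LEN] ^= 0x01
    try:
        relay.from_port_a("pc7", "ext_plain", bytes(bad))
        out["tamper_rejected"] = False
    except ValueError:
        out["tamper_rejected"] = True
    # A peer absent from the key database cannot be served.
    try:
        relay.from_port_b("unknown_dev", "pc9", b"x")
        out["unknown_rejected"] = False
    except KeyError:
        out["unknown_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The pass-through branch is what separates the second embodiment from the first: the relay only touches frames whose one endpoint has no cryptographic software, and it identifies that endpoint by the peer name on the plain side, which is also the lookup key into the per-device database.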
In this case, for example, when the desktop personal computer 7 in the secure network 10 sends data over the network 20 to an external device with cryptographic software in another site network, the data is first encrypted by the cryptographic software installed on the desktop personal computer 7 and supplied through the hub 5 to the cryptographic device 21. The cryptographic device 21 then transmits the received data to the external device over the network 20 without decrypting it. The external device decrypts the received data and uses it for the desired processing.

Conversely, when the external device in the site network beyond the network 20 sends encrypted data to the desktop personal computer 7 in the secure network 10, the cryptographic device 21 supplies the data received from the external device over the network 20 to the desktop personal computer 7 through the hub 5, still encrypted and without decrypting it.

The many devices connected to the cryptographic device 21 need not be connected through a network; they may also be connected to the cryptographic device 21 directly or through a hub. When they are connected directly, the cryptographic device 21 must have two ports.

Fig. 5 shows another configuration example of the cryptosystem of the second embodiment. In Fig. 5, constituent elements having the same functions as those in Fig. 4 are denoted by the same reference numerals. The example of Fig. 5, like that of Fig. 4, is one in which a cryptographic device 21 secures the path to many devices by encryption.

In the example of Fig. 5, inside the secure network 10, the three personal computers 7 to 9 are connected to the access point 6 by wireless LAN.
The access point 6 is in turn connected to the network 20 through the cryptographic device 21.

In general, wireless LANs are weaker in security (confidentiality) than wired networks and are very vulnerable to attacks from outside. SSID (Service Set Identifier) and WEP (Wired Equivalent Privacy) are available as standard security features of wireless LAN, but in a wireless LAN environment that relies on these standards alone there is a high probability of data being intercepted or altered, and it is not easy to detect that interception or leakage has occurred.

With this embodiment, by contrast, simply installing the cryptographic device 21 at the entrance/exit of the network ensures that data inside the wireless LAN remains encrypted, so theft and alteration of data can be prevented effectively.

In the example of Fig. 5, the cryptographic device 21 and the access point 6 may also be connected wirelessly. In the example of Fig. 4, the function of the cryptographic device 21 can be integrated into a small IC and that IC mounted in the access point 6.

Fig. 6 shows a further configuration example of the cryptosystem of the second embodiment.

In Figs. 2 to 5 above, the "terminal having a cryptographic processing function inside a site network" of the present invention (first or second terminal) was described using the example of the personal computers 7 to 9 equipped with cryptographic software, with the path between the cryptographic devices 1, 1', 21 and the personal computers 7 to 9 protected by encryption. The terminal of the present invention is not limited to this example, however; it also includes other cryptographic devices having the same function as the cryptographic devices 1, 1', 21. Fig.
6 shows an example of the configuration in that case.

In the example of Fig. 6, two site networks 30A and 30B of sites A and B are connected through routers 40A and 40B to a network 20 such as the Internet. The site-A network 30A is an in-house LAN made up of personal computers 31A to 33A and cryptographic devices 21A-1 to 21A-3. The personal computers 31A to 33A are terminals without cryptographic software. The cryptographic devices 21A-1 to 21A-3 each have the same function as the cryptographic device 21 of Fig. 4; one port of each is connected to one of the personal computers 31A to 33A and the other port to the router 40A.

The site-B network 30B is likewise an in-house LAN made up of personal computers 31B to 33B and cryptographic devices 21B-1 to 21B-3. The personal computers 31B to 33B are terminals without cryptographic software. The cryptographic devices 21B-1 to 21B-3 each have the same function as the cryptographic device 21 of Fig. 4; one port of each is connected to one of the personal computers 31B to 33B and the other port to the router 40B.

With this configuration, data communication between personal computers in the different site networks 30A and 30B is carried out through the cryptographic devices 21A-1 to 21A-3 and 21B-1 to 21B-3. For example, when the personal computer 31A in the site-A network 30A sends data to the personal computer 33B in the site-B network 30B, the cryptographic device 21A-1 encrypts the data supplied by the personal computer 31A and sends it through the router 40A, the network 20 and the router 40B to the cryptographic device 21B-3. The cryptographic device 21B-3 decrypts the received data and supplies it to the personal computer 33B. Encryption can thus be used between the different site networks 30A and 30B.
Inside the site-A network 30A as well, the personal computers 31A to 33A without cryptographic software communicate with each other through the cryptographic devices 21A-1 to 21A-3. For example, when the personal computer 31A sends data to the personal computer 33A, the cryptographic device 21A-1 encrypts the data supplied by the personal computer 31A and sends it to the cryptographic device 21A-3. The cryptographic device 21A-3 decrypts the received data and supplies it to the personal computer 33A.

The same applies inside the site-B network 30B: the personal computers 31B to 33B without cryptographic software communicate through the cryptographic devices 21B-1 to 21B-3. For example, when the personal computer 31B sends data to the personal computer 33B, the cryptographic device 21B-1 encrypts the data supplied by the personal computer 31B and sends it to the cryptographic device 21B-3. The cryptographic device 21B-3 decrypts the received data and supplies it to the personal computer 33B.

As described above, the cryptographic devices 21A-1 to 21A-3 and 21B-1 to 21B-3 exchange unencrypted data with the personal computers 31A to 33A and 31B to 33B, which have no cryptographic software, while among themselves, as terminals having a cryptographic processing function, they perform encryption and decryption and exchange encrypted data.
As described above, the cryptographic devices 21A-1 to 21A-3 and 21B-1 to 21B-3 are connected close to the personal computers 31A to 33A and 31B to 33B, so encryption can be used not only between the different site networks 30A and 30B but also inside each site network. Each site network 30A and 30B can therefore be made a secure (confidential) network in which there is less risk of confidential information inside the corporate LAN being stolen or altered through external intrusion or attack.

In the example of Fig. 6, each site network 30A and 30B has a plurality of terminals having a cryptographic processing function (the cryptographic devices 21A-1 to 21A-3 and 21B-1 to 21B-3), but at least one of the site networks may instead have only one terminal with a cryptographic processing function. For example, in the site network 30A, only the personal computer 31A might be connected to a cryptographic device 21A-1. In that case encryption can still be used between the different site networks 30A and 30B, as in the configuration of Fig. 6. Inside the site network 30A, since the cryptographic device 21A-1 is connected close to the personal computer 31A, encryption can be used between the gateway of the site network 30A and the cryptographic device 21A-1.

The example of Fig. 6 above shows two site networks 30A and 30B connected by the network 20, with the cryptographic devices 21A-1 to 21A-3 and 21B-1 to 21B-3 and the personal computers 31A to 33A and 31B to 33B provided in the site networks 30A and 30B respectively, but the invention is not limited to this example.
For example, a single site network may contain the cryptographic devices 21A-1 to 21A-3 and 21B-1 to 21B-3 together with the personal computers 31A to 33A and 31B to 33B, with data exchanged among the personal computers 31A to 33A and 31B to 33B, which have no cryptographic software, through the cryptographic devices 21A-1 to 21A-3 and 21B-1 to 21B-3. In that case encryption can be used within the one site network at least between the cryptographic devices 21A-1 to 21A-3 and 21B-1 to 21B-3.

In addition, in the configuration of Fig. 2 for example, a personal computer without cryptographic software together with a cryptographic device 1 may be used in place of the personal computer 7 equipped with cryptographic software, with that cryptographic device 1 connected to the hub 5. In that case encrypted communication is possible between the cryptographic device 1 connected to devices such as the network printer 2, DB server 3 and network terminal 4, on which cryptographic software cannot be installed, and the cryptographic device 1 connected to the personal computer without cryptographic software.

(Third embodiment) A third embodiment of the present invention is described next.

Fig. 7 shows a configuration example of a cryptosystem to which the third embodiment of the cryptographic device of the present embodiment is applied. In Fig. 7, constituent elements having the same functions as those in Figs. 3 and 5 are denoted by the same reference numerals.

The third embodiment of Fig. 7 combines the cryptographic device 1' of Fig. 3 with the cryptographic device 21 of Fig. 5 to form one cryptosystem. A secure network 10 can thus be built inside the wireless LAN, and encryption can also be used for devices on which cryptographic software essentially cannot be installed.

(Fourth embodiment) A fourth embodiment of the present invention is described next.

Fig.
8 shows a configuration example of a cryptographic device (a relay device on which a cryptographic processing function is mounted) according to the fourth embodiment. Fig. 8(a) shows a configuration example of an IC chip 50 on which the functions of the cryptographic device 21 are implemented, and Fig. 8(b) a configuration example of a mobile phone 60 in which the IC chip 50 is mounted.

As shown in Fig. 8(a), the IC chip 50 realizing the function of the cryptographic device 21 has a CPU 51, ROM 52, RAM 53, access controller 54 and interface 55 as functional blocks. The CPU 51 accesses the ROM 52 and RAM 53 through the access controller 54 and, following the program stored in the ROM 52 and using the RAM 53 as a work area, performs the encryption/decryption of data. The interface 55 passes data to be processed by the CPU 51, or data already processed by it, between the CPU 51 and the outside of the IC chip 50.

As shown in Fig. 8(b), the IC chip 50 (cryptographic chip) described above is placed between the transmitting/receiving section of the mobile phone 60 and its baseband processor 65. The transmitting/receiving section consists of a conventional antenna 61, antenna switch 62, RF unit (high-frequency processing unit) 63 and IF unit (intermediate-frequency processing unit) 64; it corresponds, for example, to wireless LAN or Bluetooth, and exchanges data with external terminals such as personal computers or PDAs (Personal Digital Assistants).

The mobile phone 60 constructed as above can be used, for example, in place of the cryptographic device 21 of Fig. 5. In that case, when the desktop PC 7 in the secure network 10 sends data to a device in another site network, the data is first encrypted by the cryptographic software installed on the desktop PC 7.
The encrypted data is sent to the mobile phone 60. The mobile phone 60 decrypts the received data in the cryptographic chip 50 and sends it over the network 20 to the device in the other site network.

Conversely, when data managed by a device in another site network is to be fetched into the laptop personal computer 9 in the secure network 10, the device in the other site network sends the data onto the network 20 in response to the request. The mobile phone 60, having received this unencrypted data, encrypts it in the cryptographic chip 50 and sends it to the laptop personal computer 9. The laptop personal computer 9 decrypts the received data and uses it for the desired processing.

As described above, by putting the function of the cryptographic device 21 on a chip and building it into the mobile phone 60, cryptographic security (confidentiality) can be achieved in a wireless LAN environment that uses the mobile phone 60.

This example shows the mobile phone 60 used in place of the cryptographic device 21 of Fig. 5, but it may also be used in place of the cryptographic device 1' of Fig. 3. In that case the links to the network printer 2, DB server 3 and network terminal 4 become wireless; since those links cannot use encryption, as described above, they must be used in a state where the physical distance between the devices 2 to 4 and the mobile phone 60 is short.

This example also shows the IC chip 50 mounted in a mobile phone 60, but it can equally be applied to any other electronic device that has a communication interface.

The first to fourth embodiments have been described above. The present invention is not limited to the cryptographic algorithm used in these embodiments; any known cryptographic algorithm may be applied.
In the above embodiments, the network 20 was described using the example of a virtual private line, but the line to which the cryptographic device of the embodiments can be connected is not limited to a virtual private line.

Each of the above embodiments is merely one example of putting the present invention into practice, and the technical scope of the invention is not to be construed narrowly because of them. The invention can be implemented in various forms without departing from its spirit or main features.

As described above, the present invention connects a dedicated cryptographic device or the like between terminals that communicate data over a network. In that cryptographic device, data received from one terminal inside or outside a site network is encrypted and sent to another terminal inside the site network, while data received from the other terminal is decrypted and sent to the first terminal. Encryption can therefore be used even in an in-house LAN that has terminal devices on which cryptographic software cannot be installed, reducing the risk of confidential information inside the LAN being stolen or altered through external intrusion or attack.

The invention also makes it possible, for example, to use encryption in a closed world consisting of only one of the site networks connected by a virtual private line. For example, where a terminal that cannot run cryptographic software exists in another site network, or where the other site network has so many terminals that installing cryptographic software on all of them is unrealistic, encryption can still be used in at least one of the site networks.
For example, encryption protection can also be achieved in a wireless LAN that constitutes just one site network.

Industrial applicability: the present invention makes it possible to use encryption even in an in-house LAN that has terminals on which dedicated cryptographic software cannot be installed, and is useful for reducing the theft or alteration of confidential information inside the LAN through unauthorized intrusion or attack from outside. The invention is also useful for using encryption in a closed network consisting of only one site when data communication is carried out among multiple sites.

[Brief description of the drawings]

Fig. 1 is a configuration diagram of a conventional cryptosystem.

Fig. 2 shows an example of the configuration of a cryptographic system according to the first embodiment, to which the cryptographic device of the present embodiment is applied.

Fig. 3 shows another configuration example of the cryptographic system according to the first embodiment.

Fig. 4 shows an example of the configuration of a cryptographic system according to the second embodiment, to which the cryptographic device of the present embodiment is applied.

Fig. 5 shows another configuration example of the cryptographic system according to the second embodiment.

Fig. 6 shows still another configuration example of the cryptographic system according to the second embodiment.

Fig. 7 shows a configuration example of a cryptosystem according to the third embodiment, to which the cryptographic device of the present embodiment is applied.

Fig. 8 shows the configuration of a cryptographic device (relay device) according to the fourth embodiment. Fig. 8(a) shows an example of the configuration of a cryptographic chip, and Fig. 8(b) a configuration example of a mobile phone in which the cryptographic chip is mounted.
[Symbol description]

1, 1': cryptographic device
2: network printer
3: DB server
4: network terminal
5: hub
6: access point
7: desktop PC
8: desktop PC
9: laptop PC
10: secure network
11: cable
20: network
21: cryptographic device
21A-1 to 3: cryptographic device
21B-1 to 3: cryptographic device
31A to B: personal computer
32A to B: personal computer
33A to B: personal computer
30A to B: site network
40A to B: router
100A to B: site network
101A to B: desktop personal computer
102A to B: gateway
103: remote terminal
104: remote terminal
200: network
50: IC chip
51: CPU
52: ROM
53: RAM
54: access controller
55: interface
60: mobile phone
61: antenna
62: antenna switch
63: RF unit (high-frequency processing unit)
64: IF unit (intermediate-frequency processing unit)
65: baseband processor

Claims (1)

Amended claims (amendment dated 18 July 2003, ROC year 92)

1. A cryptographic system comprising a plurality of terminals, connected directly or indirectly, that communicate data via a network, and a dedicated cryptographic device or a relay device carrying a cryptographic processing function disposed between the plurality of terminals, characterized in that the cryptographic device or relay device encrypts data received from one terminal inside or outside a site network and sends it to another terminal inside that site network, and decrypts data received from the other terminal and sends it to the one terminal.

2. A cryptographic system comprising a plurality of terminals, connected directly or indirectly, that communicate data via a network, and a dedicated cryptographic device or a relay device carrying a cryptographic processing function disposed between the plurality of terminals, characterized in that the cryptographic device or relay device encrypts data received from the network outside a site network and sends it to a terminal inside that site network, and decrypts data received from that terminal and sends it to the network.

3. A cryptographic system in which a first terminal having a cryptographic processing function inside a site network and a second terminal without a cryptographic processing function inside or outside that site network are connected via a wired or wireless network, with a cryptographic device or relay device for encrypting or decrypting data disposed between the first and second terminals, characterized in that the cryptographic device or relay device comprises: cryptographic/decryption means for encrypting and decrypting data so as to secure the path to the first terminal by encryption; and data transfer means for outputting data input at one port and encrypted or decrypted by the cryptographic/decryption means to another port.

4. The cryptographic system of claim 3, wherein the cryptographic/decryption means performs the encryption and decryption so that encrypted data is communicated with the first terminal and unencrypted data is communicated with the second terminal.

5. The cryptographic system of claim 3, wherein the relay device comprises a semiconductor chip into which the function of the cryptographic/decryption means is integrated.

6. The cryptographic system of claim 5, wherein the semiconductor chip is disposed between a signal transmitting/receiving section and a baseband processor.

7. A cryptographic device characterized in that it is connected directly or indirectly between a plurality of terminals that communicate data via a network, encrypts data received from one terminal inside or outside a site network and sends it to another terminal inside that site network, and decrypts data received from the other terminal and sends it to the one terminal.

8. A cryptographic device characterized in that it is connected directly or indirectly to a terminal that communicates data via a network, between that terminal and the network, encrypts data received from the network outside a site network and sends it to the terminal inside that site network, and decrypts data received from the terminal and sends it to the network.

9. A cryptographic device characterized in that it is connected directly or indirectly, near one terminal inside a site network, between a plurality of terminals that communicate data via a network, decrypts data received from another terminal inside or outside that site network and sends it to the one terminal, and encrypts data received from the one terminal and sends it to the other terminal.

10. A cryptographic device connected via a wired or wireless network between a first terminal having a cryptographic processing function inside a site network and a second terminal without a cryptographic processing function inside or outside that site network, characterized by comprising: cryptographic/decryption means for encrypting and decrypting data so as to secure the path to the first terminal by encryption; and data transfer means for outputting data input at one port and encrypted or decrypted by the cryptographic/decryption means to another port.

11. The cryptographic device of claim 10, wherein the cryptographic/decryption means performs the encryption and decryption so that encrypted data is communicated with the first terminal and unencrypted data is communicated with the second terminal.

12. The cryptographic device of claim 10, wherein the functions of the cryptographic/decryption means and the data transfer means are integrated into a semiconductor chip.

13. A cryptographic device connected via a wired or wireless network near a first terminal without a cryptographic processing function inside a site network, between the first terminal and a second terminal having a cryptographic processing function inside or outside that site network, characterized by comprising: cryptographic/decryption means for encrypting and decrypting data so as to secure the path to the first terminal by encryption; and data transfer means for outputting data input at one port and encrypted or decrypted by the cryptographic/decryption means to another port.
A cryptographic device, characterized in that: a network connected via a wired or wireless network, a first terminal having a cryptographic processing function within a certain point network, and a network corresponding to the above or a certain point network Between the terminal devices that do not have the cryptographic processing function inside or outside, the cryptographic processing and decoding of the data is performed between the terminal device and the first terminal device for the purpose of securing the terminal for cryptography. The cryptographic/decoding means of processing, and -3 ~ 1276018, '(4) data transferred by the port of one of the cryptographic processing or decoding processing by the above-mentioned cryptographic/decoding processing means to be output to other ports means. 11. The cryptographic device according to claim 10, wherein the cryptographic/decoding means is that communication with the cryptographic data is performed between the first terminal and the second terminal. The above-described cryptographic processing and the above decoding processing are performed between the machines for the purpose of implementing communication without cryptographic data. The cryptographic device according to claim 10, wherein the cryptographic/decoding means and the function of transferring the data are formed by a semiconductor wafer. 1 3 - a cryptographic device characterized by 'the first terminal that does not have a cryptographic processing function inside a certain point network, and has a cryptographic processing function inside or outside the above-mentioned one-point network The terminal of the second terminal is connected to the terminal of the first terminal via a wired or wireless network. The data is provided for the terminal to be protected by the encryption of the first terminal. 
The cryptographic/decoding means for the cryptographic processing and the decoding processing, and the data transfer means for outputting the data subjected to the cryptographic processing or the decoding processing by the cryptographic/decoding means input from one port to the other port.
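As an added example (not the patent's own implementation; the claims name no cipher), this Python model shows the two-port relay of claims 3, 4, 10 and 11: data entering the port that faces the terminal without a cryptographic function is encrypted and output toward the terminal that has one, and frames arriving from that terminal are authenticated and decrypted before being output in plaintext. The encrypt-then-MAC construction, the port names and the key are constructed placeholders.

```python
"""Model of the bump-in-the-wire cryptographic relay described in the claims.

Constructed illustration, not the patent's implementation: the patent names no
cipher, so a stdlib-only encrypt-then-MAC construction stands in here.
"""
import hashlib
import hmac
import os

SECURE_PORT = "secure"  # faces the first terminal (has cryptographic function)
PLAIN_PORT = "plain"    # faces the second terminal (no cryptographic function)
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (placeholder cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Produce a frame nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_frame(key: bytes, frame: bytes) -> bytes:
    """Verify the tag first, then decrypt; reject anything that fails to authenticate."""
    if len(frame) < NONCE_LEN + TAG_LEN:
        raise ValueError("frame too short")
    nonce, ct, tag = frame[:NONCE_LEN], frame[NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


class CryptoRelay:
    """Two-port device: encryption is terminated here on behalf of the plaintext side."""

    def __init__(self, key: bytes):
        self._key = key  # shared with the first (cryptographically capable) terminal

    def forward(self, port_in: str, data: bytes) -> tuple:
        """Return (output port, transformed data) according to the direction of travel."""
        if port_in == PLAIN_PORT:   # second terminal -> first terminal: encrypt
            return SECURE_PORT, seal(self._key, data)
        if port_in == SECURE_PORT:  # first terminal -> second terminal: authenticate and decrypt
            return PLAIN_PORT, open_frame(self._key, data)
        raise ValueError(f"unknown port {port_in!r}")
```

Exactly as claim 4 states, the segment between the relay and the second terminal carries plaintext, which is why claims 9 and 13 place the device in the vicinity of that terminal.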
TW92112603A 2002-07-26 2003-05-08 Encryption system and encryption device TWI276018B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2002218590 2002-07-26

Publications (2)

Publication Number Publication Date
TW200402010A TW200402010A (en) 2004-02-01
TWI276018B true TWI276018B (en) 2007-03-11

Family

ID=31184685

Family Applications (1)

Application Number Title Priority Date Filing Date
TW92112603A TWI276018B (en) 2002-07-26 2003-05-08 Encryption system and encryption device

Country Status (2)

Country Link
TW (1) TWI276018B (en)
WO (1) WO2004012386A1 (en)

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3263878B2 (en) * 1993-10-06 2002-03-11 日本電信電話株式会社 Cryptographic communication system

Also Published As

Publication number Publication date
TW200402010A (en) 2004-02-01
WO2004012386A1 (en) 2004-02-05

Similar Documents

Publication Publication Date Title
Housley et al. Security problems in 802.11-based networks
EP2996279B1 (en) Secure wireless local or metropolitan area network and related methods
US7984496B2 (en) Systems and methods for secure communication over a wireless network
CN1961557B (en) Method and system for a secure connection in communication networks
Potter Wireless security's future
EP0998080A2 (en) Method for securing over-the-air communication in a wireless system
CN1946233A (en) Mechanism to avoid double-encryption in mobile networks
US20120272310A1 (en) Systems and methods for secure communication over a wireless network
TW200307423A (en) Password device and method, password system
Brown 802.11: the security differences between b and i
US8880870B2 (en) Bridging system, bridge, and bridging method
US6975729B1 (en) Method and apparatus for facilitating use of a pre-shared secret key with identity hiding
KR101784240B1 (en) Communication security method and system using a non-address network equipment
TWI276018B (en) Encryption system and encryption device
Li et al. Encryption as an effective tool in reducing wireless LAN vulnerabilities
JP2007043566A (en) Encryption control device and encryption system of wireless lan
CN101247443B (en) Method for operating a voip terminal device and a voip terminal device
Maple et al. Choosing the right wireless LAN security protocol for the home and business user
Hori et al. Security Analysis of MIS Protocol on Wireless LAN comparison with IEEE802. 11i
Pervaiz et al. Security in wireless local area networks
Hung et al. A Multi-Key Encryption Scheme for the Next Generation Wireless Network
WO2023036409A1 (en) Method, device and system for establishing secure communication with privacy protection
Tan et al. The study of wlan security and its solution
KR100411436B1 (en) Method for distributing calculation of router in virtual private network
Preneel Mobile and Wireless Communications Security

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees