WO2003101040A1 - Secret key manager - Google Patents


Info

Publication number
WO2003101040A1
Authority
WO
WIPO (PCT)
Prior art keywords
secret key
communication
unit
encrypted
key
Application number
PCT/JP2002/005025
Other languages
French (fr)
Japanese (ja)
Inventor
Kiyohito Kaneko
Original Assignee
Allied Telesis K.K.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L 9/0866 Generation of secret information including derivation or calculation of cryptographic keys or passwords involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics

Definitions

  • The present invention relates to a secret key management device, a secret key management method, a secret key management program, and an encrypted communication system.
  • An object of the present invention is to provide a secret key management device, a secret key management method, a secret key management program, and an encrypted communication system that can solve the above-mentioned problems.
  • This object is achieved by the combination of features described in the independent claims.
  • The dependent claims define further advantageous embodiments of the present invention.
  • A secret key management device that manages a secret key used by a communication device for encrypted communication in an encrypted communication system comprises an encryption unit that encrypts the secret key based on device identification information identifying the communication device, and a transmission unit that transmits the secret key encrypted by the encryption unit to the communication device.
  • The device may further comprise a device information storage unit that stores the device identification information and the address information of the communication device in association with each other; the encryption unit encrypts the secret key based on the device identification information stored in the device information storage unit, and the transmission unit transmits the secret key to the communication device based on the address information stored in the device information storage unit.
  • The device information storage unit may store, in association with the device identification information, information indicating whether or not the transmission unit has transmitted the secret key to the communication device; the transmission unit refers to the device information storage unit and transmits the secret key to those communication devices to which it has not yet transmitted the secret key.
  • The encryption unit may encrypt the secret key based on the MAC address, which is the device identification information of the communication device.
  • The device may further comprise a key generation unit that generates the secret key, and the encryption unit may encrypt the secret key generated by the key generation unit.
  • The device may further comprise a random number generation unit that generates a random number, and the key generation unit may generate the secret key using the random number when the transmission unit has not yet transmitted a secret key to the communication device.
  • The key generation unit may further generate another secret key, different from the secret key, when a predetermined time has elapsed after generating the secret key; the encryption unit further encrypts the other secret key based on the device identification information, and the transmission unit further transmits the other secret key encrypted by the encryption unit to the communication device.
  • Alternatively, the key generation unit may further generate another secret key, different from the secret key, when a predetermined time has elapsed after generating the secret key; the encryption unit encrypts the other secret key using the secret key, and the transmission unit further transmits the other secret key encrypted by the encryption unit to the communication device.
  • The key generation unit may generate a secret key of a common key (symmetric) cryptosystem.
  • The key generation unit may generate a secret key and a public key of a public key cryptosystem, and the transmission unit may further transmit the public key generated by the key generation unit to the communication device.
  • A secret key management method, performed in a secret key management device that manages a secret key used by a communication device for encrypted communication in an encrypted communication system, comprises an encryption step of encrypting the secret key based on device identification information identifying the communication device, and a transmission step of transmitting the encrypted secret key to the communication device.
  • A secret key management program for a secret key management device that manages a secret key used by a communication device for encrypted communication in an encrypted communication system causes the secret key management device to function as encryption means for encrypting the secret key based on device identification information identifying the communication device, and as transmission means for transmitting the encrypted secret key to the communication device.
  • An encrypted communication system comprises a plurality of communication devices that perform encrypted communication within the system, and a secret key management device that manages the secret key the communication devices use to perform encrypted communication with each other; the secret key management device has an encryption unit that encrypts the secret key based on device identification information identifying the communication device, and a transmission unit that transmits the encrypted secret key to the communication device.
  • The encrypted communication system may comprise, as the plurality of communication devices, a wireless access point that performs wired communication with the secret key management device and a wireless communication terminal that performs wireless communication with the wireless access point; the secret key management device further has a key recording unit that records the secret key encrypted by the encryption unit on a removable external recording medium, the transmission unit transmits the secret key to the wireless access point, and the wireless communication terminal reads the secret key from the external recording medium.
  • FIG. 1 shows an example of the configuration of an encrypted communication system 10 according to the first embodiment.
  • FIG. 2 shows an example of the configuration of the secret key management device 100.
  • FIG. 3 shows an example of the data format of the device information storage unit 104.
  • FIG. 4 shows an example of the operation flow of the secret key management device 100.
  • FIG. 5 shows an example of the hardware configuration of the secret key management device 100.
  • FIG. 6 shows an example of the configuration of an encrypted communication system 20 according to the second embodiment.
  • FIG. 1 shows an example of the configuration of an encrypted communication system 10 according to the first embodiment of the present invention.
  • The encrypted communication system 10 includes a secret key management device 100 that manages the secret key used in the encrypted communication system 10, wireless access points (APs) 200a and 200b that perform wired communication with the secret key management device 100, and wireless communication terminals 300a to 300d that perform wireless communication with the wireless access points 200a and 200b.
  • The wireless access points 200a and 200b and the wireless communication terminals 300a to 300d are examples of the communication device of the present invention.
  • In addition to a wireless access point, the communication device of the present invention may be a wireless device such as a wireless router, a wireless switch, or a wireless media converter.
  • The wireless communication terminals 300a to 300d perform encrypted communication with the wireless access point 200a or 200b using the secret key generated by the secret key management device 100, and send and receive data to and from each other via the wireless access points 200a and 200b. This prevents the communication data between the wireless access points 200a and 200b and the wireless communication terminals 300a to 300d from being stolen.
  • FIG. 2 shows an example of the configuration of the secret key management device 100.
  • The secret key management device 100 includes a random number generation unit 101 that generates a random number; a key generation unit 102 that generates a secret key using the random number generated by the random number generation unit 101; a device information storage unit 104 that stores device identification information and address information identifying the communication devices; an encryption unit 106 that encrypts the secret key generated by the key generation unit 102 based on the device identification information stored in the device information storage unit 104; a transmission unit 108 that transmits the secret key encrypted by the encryption unit 106 to the wireless access points 200a and 200b based on the address information stored in the device information storage unit 104; a key recording unit 110 that records the secret key encrypted by the encryption unit 106 on a removable external recording medium; and a timer unit 103 that notifies the key generation unit 102 and the device information storage unit 104 of the timing at which the key generation unit 102 generates a secret key.
  • The key recording unit 110 is, for example, a floppy disk drive, and records the secret key on a floppy disk as the external recording medium.
  • The wireless communication terminals 300a to 300d read the encrypted secret key from the floppy disk provided by the administrator of the encrypted communication system 10 and decrypt it using the device identification information of each wireless communication terminal.
  • The wireless access points 200a and 200b each decrypt the secret key received from the secret key management device 100 using their own device identification information.
  • The wireless access points 200a and 200b and the wireless communication terminals 300a to 300d then perform encrypted communication using the distributed secret key.
  • When the encrypted communication system 10 is built to perform encrypted communication with a common key cryptosystem, the key generation unit 102 generates a secret key of the common key cryptosystem. When the encrypted communication system 10 is built to perform encrypted communication with a public key cryptosystem, the key generation unit 102 generates a secret key and a public key of the public key cryptosystem. In this case, the transmission unit 108 transmits the secret key and the public key generated by the key generation unit 102 to the wireless access points 200a and 200b, and the key recording unit 110 records the secret key and the public key on the external recording medium; the wireless communication terminals 300a to 300d then read the secret key and the public key from the external recording medium. According to the secret key management device 100 of this embodiment, the secret key can be encrypted and distributed based on the device identification information. In addition, wireless access point via network
  • FIG. 3 shows an example of the data format of the device information storage unit 104.
  • The device information storage unit 104 stores, in association with each other, the IP address (the address information of the communication device), the MAC address (the device identification information of the communication device), and a distribution history, which is the information indicating whether or not the secret key has been transmitted to each communication device.
  • As the distribution history, the device information storage unit 104 stores the date and time at which the transmission unit 108 or the key recording unit 110 distributed the secret key to the communication device. Therefore, no date and time is stored in the distribution history of a communication device to which the secret key has not yet been distributed.
  • In the secret key management device 100, the IP address and the MAC address of each communication device to which the secret key for encrypted communication in the encrypted communication system 10 is to be sent are stored in the device information storage unit 104.
  • FIG. 4 shows an example of the operation flow of the secret key management device 100.
  • First, the encrypted communication system 10 is started (S100).
  • Because the secret key has not yet been transmitted to any communication device, the key generation unit 102 generates the secret key using the random number generated by the random number generation unit 101 (S102).
  • The encryption unit 106 refers to the distribution history in the device information storage unit 104 (S104) and encrypts the secret key based on the MAC address of each communication device to which the secret key has not been distributed (S106).
  • The transmission unit 108 or the key recording unit 110 distributes the secret key encrypted by the encryption unit 106 to the communication device identified by that MAC address (S108).
  • The device information storage unit 104 stores the date and time as the distribution history in association with the MAC address of the communication device to which the secret key has been distributed (S110).
  • The timer unit 103 determines whether or not the predetermined time has elapsed since the key generation unit 102 generated the secret key (S112). If the timer unit 103 determines in S112 that the predetermined time has elapsed, the device information storage unit 104 deletes the distribution history (S114).
  • The key generation unit 102 then generates another secret key, different from the previously generated secret key, using a random number generated by the random number generation unit 101 (S102).
  • The encryption unit 106 refers to the distribution history in the device information storage unit 104 (S104) and encrypts the other secret key based on either the MAC address of the communication device to which the secret key has not been distributed or the secret key previously generated by the key generation unit 102 (S106).
  • The transmission unit 108 or the key recording unit 110 distributes the other secret key encrypted by the encryption unit 106 to the communication device identified by the MAC address (S108).
  • For the wireless communication terminals 300a to 300d, the transmission unit 108 preferably distributes the other secret key by sending it over wireless communication via the wireless access point 200a or 200b. If communication is not possible, for example because one of the wireless communication terminals 300a to 300d is powered off, the administrator may later distribute the other secret key to that wireless communication terminal using the external recording medium. The device information storage unit 104 then stores the date and time as the distribution history in association with the MAC address of the communication device to which the other secret key has been distributed (S110).
  • The process proceeds to S120, where the timer unit 103 determines whether or not the predetermined time has elapsed since the key generation unit 102 generated the secret key (S120). If the timer unit 103 determines in S120 that the predetermined time has elapsed, the device information storage unit 104 deletes the distribution history (S114) and the process returns to S102.
  • Otherwise, the process moves to S118, where it is determined whether or not the encrypted communication system 10 has been stopped (S118). If it is determined in S118 that the encrypted communication system 10 has been stopped, the operation flow of the secret key management device 100 ends.
  • FIG. 5 shows an example of the hardware configuration of the secret key management device 100.
  • The functions of the secret key management device 100 are realized by a computer 800 equipped with a CPU 810, a ROM 820, a RAM 830, a communication interface 840, and a hard disk drive 850, in cooperation with a program executed on the computer 800.
  • The computer 800 may further include a floppy disk drive 860 and/or a CD-ROM drive 870.
  • The program that realizes the functions of the secret key management device 100 includes a random number generation module, a key generation module, a timer module, an encryption module, a device information storage module, a transmission module, and a key recording module.
  • These modules cause the computer 800 to operate as the random number generation unit 101, the key generation unit 102, the timer unit 103, the encryption unit 106, the device information storage unit 104, the transmission unit 108, and the key recording unit 110.
  • FIG. 6 shows an example of the configuration of an encrypted communication system 20 according to the second embodiment of the present invention.
  • Components that are the same as those in the encrypted communication system 10 of the first embodiment are denoted by the same reference numerals as in the first embodiment.
  • Description of the configuration and operation that are the same as in the first embodiment is partially omitted, and the configuration and operation that differ from the first embodiment are described in particular.
  • The encrypted communication system 20 includes a secret key management device 100 that is connected to the Internet network 400 and manages the secret key used in the encrypted communication system 20, a router 500 connected to the Internet network 400, and wireless access points (APs) 200a and 200b that perform wired communication with the secret key management device 100 via the Internet network 400 and the router 500.
  • The secret key management device 100 encrypts the secret key based on the MAC address of the wireless access point 200a or 200b and transmits it to the wireless access point 200a or 200b via the Internet network 400.
  • According to the encrypted communication system 20 of this embodiment, the wireless access point
  • As is apparent from the above description, the present invention can provide a secret key management device, a secret key management method, a secret key management program, and an encrypted communication system that realize encrypted communication with high security.
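As an added example (not code from the patent or from Allied Telesis), the FIG. 2 units, the FIG. 3 device table and the FIG. 4 operation flow described above simulated in stdlib-only Python: the key generation unit draws a random key, the encryption unit wraps it under the device's MAC address for first distribution or under the previously distributed key after rotation, the distribution history is cleared when the timer's predetermined time elapses, and a device that lost its key (the powered-off terminal case) falls back to the MAC-based wrap. The wrapping construction (HMAC-SHA256 keystream plus HMAC tag), the class and function names, and the sample MAC/IP values are this example's own assumptions; note that a MAC address is a public identifier, so the MAC-based wrap gives the key no secrecy beyond what the transport provides.

```python
# Example simulation of the secret key manager (FIG. 2 units, FIG. 3 table, FIG. 4 flow).
# Wrapping scheme, names and sample values are assumptions made for this illustration.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_WRAP = "mac"        # re-wrap the new key under the device's MAC address
PREV_KEY_WRAP = "prev"  # re-wrap the new key under the previously distributed key


def _subkeys(secret: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and authentication keys from the wrapping secret."""
    return (hmac.new(secret, b"enc", hashlib.sha256).digest(),
            hmac.new(secret, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, truncated to n bytes."""
    blocks = (n + 31) // 32
    return b"".join(hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]


def wrap_key(secret: bytes, key: bytes) -> bytes:
    """Encryption unit: encrypt `key` under `secret`. Returns nonce || ciphertext || tag."""
    k_enc, k_mac = _subkeys(secret)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(k_enc, nonce, len(key))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(secret: bytes, blob: bytes) -> bytes:
    """Receiving device: verify the tag, then decrypt. Raises ValueError on mismatch."""
    if len(blob) < 48:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    k_enc, k_mac = _subkeys(secret)
    if not hmac.compare_digest(tag, hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong secret or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))


@dataclass
class Device:
    """One row of the device information storage unit (FIG. 3) plus the device's own state."""
    ip: str
    mac: bytes
    distributed_at: Optional[float] = None  # distribution history; None = not yet distributed
    held_key: Optional[bytes] = None        # key the device currently holds (device side)


class SecretKeyManager:
    def __init__(self, devices: List[Device], rotation_interval: float, rewrap: str = MAC_WRAP):
        self.devices = devices
        self.rotation_interval = rotation_interval  # the timer unit's predetermined time
        self.rewrap = rewrap
        self.current_key: Optional[bytes] = None
        self.previous_key: Optional[bytes] = None
        self.generated_at: Optional[float] = None
        self.sent: List[Tuple[str, bytes]] = []     # (IP, blob) emitted by the transmission unit

    def generate_key(self, now: float) -> None:
        """S102: the key generation unit draws a fresh random key."""
        self.previous_key, self.current_key = self.current_key, os.urandom(32)
        self.generated_at = now

    def distribute(self, now: float) -> None:
        """S104-S110: wrap and send to every device whose distribution history is empty."""
        for d in self.devices:
            if d.distributed_at is not None:
                continue
            if (self.rewrap == PREV_KEY_WRAP and d.held_key is not None
                    and d.held_key == self.previous_key):
                secret = self.previous_key       # device still holds the old key: wrap under it
            else:
                secret = d.mac                   # first distribution or lost key: wrap under MAC
            blob = wrap_key(secret, self.current_key)
            self.sent.append((d.ip, blob))
            d.distributed_at = now               # S110: record the distribution history
            d.held_key = unwrap_key(secret, blob)  # receiving side decrypts with the same secret

    def tick(self, now: float) -> bool:
        """S112/S120 -> S114 -> S102: on timeout clear the history and generate another key."""
        if self.generated_at is None or now - self.generated_at < self.rotation_interval:
            return False
        for d in self.devices:
            d.distributed_at = None
        self.generate_key(now)
        return True

    def all_in_sync(self) -> bool:
        """True when every device holds the key the manager currently considers current."""
        return all(d.held_key == self.current_key for d in self.devices)
```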

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A secret key manager, which manages a secret key for a communication device to carry out encrypting communication in an encrypting communication system, comprises an encrypting section which encrypts a secret key on the basis of device identifying information for identifying the communication device and a transmitting section which transmits the secret key encrypted by the encrypting section to the communication device.

Description

Technical field
The present invention relates to a secret key management device, a secret key management method, a secret key management program, and an encrypted communication system.

Background art
In recent years, with the development of wireless communication technologies such as wireless LAN, it has become essential to implement an encryption function in communication devices that perform wireless communication. However, in a conventional encrypted communication system, the secret key, or the character string from which the secret key is derived, must be set on each communication device individually. In a large-scale encrypted communication system the administrator therefore needs a long time to enter the secret key or its source string into every communication device. In addition, because the administrator enters the secret key or its source string directly into the communication device, it must be visible text data, and there is a problem that it may be stolen.
Therefore, an object of the present invention is to provide a secret key management device, a secret key management method, a secret key management program, and an encrypted communication system that can solve the above problems. This object is achieved by the combination of features described in the independent claims. The dependent claims define further advantageous embodiments of the present invention.

Disclosure of the invention
In order to achieve this object, according to a first aspect of the present invention, there is provided a secret key management device that manages a secret key used by a communication device for encrypted communication in an encrypted communication system, comprising an encryption unit that encrypts the secret key based on device identification information identifying the communication device, and a transmission unit that transmits the secret key encrypted by the encryption unit to the communication device.
The device may further comprise a device information storage unit that stores the device identification information and the address information of the communication device in association with each other; the encryption unit encrypts the secret key based on the device identification information stored in the device information storage unit, and the transmission unit transmits the secret key to the communication device based on the address information stored in the device information storage unit.
The device information storage unit may store, in association with the device identification information, information indicating whether or not the transmission unit has transmitted the secret key to the communication device; the transmission unit refers to the device information storage unit and transmits the secret key to those communication devices to which it has not yet transmitted the secret key.
The encryption unit may encrypt the secret key based on the MAC address, which is the device identification information of the communication device.
The device may further comprise a key generation unit that generates the secret key, and the encryption unit may encrypt the secret key generated by the key generation unit.
The device may further comprise a random number generation unit that generates a random number, and the key generation unit may generate the secret key using the random number when the transmission unit has not yet transmitted a secret key to the communication device.
The key generation unit may further generate another secret key, different from the secret key, when a predetermined time has elapsed after generating the secret key; the encryption unit further encrypts the other secret key based on the device identification information, and the transmission unit further transmits the other secret key encrypted by the encryption unit to the communication device.
Alternatively, the key generation unit may further generate another secret key, different from the secret key, when a predetermined time has elapsed after generating the secret key; the encryption unit encrypts the other secret key using the secret key, and the transmission unit further transmits the other secret key encrypted by the encryption unit to the communication device.
The key generation unit may generate a secret key of a common key (symmetric) cryptosystem.
The key generation unit may generate a secret key and a public key of a public key cryptosystem, and the transmission unit may further transmit the public key generated by the key generation unit to the communication device.
According to a second aspect of the present invention, there is provided a secret key management method in a secret key management device that manages a secret key used by a communication device for encrypted communication in an encrypted communication system, comprising an encryption step of encrypting the secret key based on device identification information identifying the communication device, and a transmission step of transmitting the encrypted secret key to the communication device. According to a third aspect of the present invention, there is provided a secret key management program for a secret key management device that manages a secret key used by a communication device for encrypted communication in an encrypted communication system, which causes the secret key management device to function as encryption means for encrypting the secret key based on device identification information identifying the communication device, and as transmission means for transmitting the encrypted secret key to the communication device.
According to a fourth aspect of the present invention, there is provided an encrypted communication system comprising a plurality of communication devices that perform encrypted communication within the system, and a secret key management device that manages the secret key the communication devices use to perform encrypted communication with each other; the secret key management device has an encryption unit that encrypts the secret key based on device identification information identifying the communication device, and a transmission unit that transmits the secret key encrypted by the encryption unit to the communication device.
The encrypted communication system may comprise, as the plurality of communication devices, a wireless access point that performs wired communication with the secret key management device and a wireless communication terminal that performs wireless communication with the wireless access point; the secret key management device further has a key recording unit that records the secret key encrypted by the encryption unit on a removable external recording medium, the transmission unit transmits the secret key to the wireless access point, and the wireless communication terminal reads the secret key from the external recording medium. The above summary of the invention does not list all the necessary features of the present invention, and sub-combinations of these features may also constitute the invention.

Brief description of the drawings
図 1は、 第 1実施形態に係る暗号化通信システム 1 0の構成の一例を示す。 図 2は、 秘密鍵管理装置 1 0 0の構成の一例を示す。  FIG. 1 shows an example of a configuration of an encrypted communication system 10 according to the first embodiment. FIG. 2 shows an example of the configuration of the secret key management device 100.
図 3は、 機器情報格納部 1 0 4のデータフォーマッ トの一例を示す。 図 4は、 秘密鍵管理装置 1 00の動作フローの一例を示す。 FIG. 3 shows an example of the data format of the device information storage unit 104. FIG. 4 shows an example of an operation flow of the secret key management device 100.
図 5は、 秘密鍵管理装置 1 00のハードウエア構成の一例を示す。  FIG. 5 shows an example of a hardware configuration of the secret key management device 100.
図 6は、 第 2実施形態に係る暗号化通信システム 20の構成の一例を示す。 発明を実施するための最良の形態  FIG. 6 shows an example of a configuration of an encrypted communication system 20 according to the second embodiment. BEST MODE FOR CARRYING OUT THE INVENTION
以下、 発明の実施の形態を通じて本発明を説明するが、 以下の実施形態はク レームにかかる発明を限定するものではなく、 又実施形態の中で説明されてい る特徴の組み合わせの全てが発明の解決手段に必須であるとは限らない。 図 1は、 本発明の第 1実施形態に係る暗号化通信システム 1 0の構成の一例 を示す。 暗号化通信システム 1 0は、 当該暗号化通信システム 1 0で使用され る秘密鍵を管理する秘密鍵管理装置 1 00と、 秘密鍵管理装置 1 00と有線通 信を行う無線アクセスポイント (AP) 200 a及び 200 bと、 無線ァクセ スポイント 200 a及び 200 bと無線通信を行う無線通信端末 300 a〜 3 00 dとを備える。 無線ァクセスポイント 200 a及ぴ 200 bと無線通信端 末 3 00 a〜3 00 dとは、 本発明の通信機器の一例である。 また、 本発明の 通信機器は、 無線アクセスポイントの他、 無線ルータ、 無線スィッチ、 無線メ ディアコンバータ等の無線機器であってもよい。  Hereinafter, the present invention will be described through embodiments of the present invention. However, the following embodiments do not limit the invention according to the claims, and all combinations of the features described in the embodiments are all aspects of the present invention. It is not always necessary for the solution. FIG. 1 shows an example of a configuration of an encrypted communication system 10 according to the first embodiment of the present invention. The encryption communication system 10 includes a secret key management device 100 that manages a secret key used in the encryption communication system 10, and a wireless access point (AP) that performs wired communication with the secret key management device 100. 200 a and 200 b, and wireless communication terminals 300 a to 300 d that perform wireless communication with the wireless access points 200 a and 200 b. The wireless access points 200a and 200b and the wireless communication terminals 300a to 300d are examples of the communication device of the present invention. The communication device of the present invention may be a wireless device such as a wireless router, a wireless switch, a wireless media converter, etc., in addition to the wireless access point.
The wireless communication terminals 300a to 300d perform encrypted communication with the wireless access point 200a or 200b using the secret key generated by the secret key management device 100, and send data to and receive data from one another through the wireless access points 200a and 200b. This prevents communication data passing between the wireless access points 200a and 200b and the wireless communication terminals 300a to 300d from being stolen.

FIG. 2 shows an example of the configuration of the secret key management device 100. The secret key management device 100 includes a random number generation unit 101 that generates random numbers; a key generation unit 102 that generates a secret key using the random numbers generated by the random number generation unit 101; a device information storage unit 104 that stores device identification information identifying each communication device together with its address information; an encryption unit 106 that encrypts the secret key generated by the key generation unit 102 based on the device identification information stored in the device information storage unit 104; a transmission unit 108 that transmits the secret key encrypted by the encryption unit 106 to the wireless access points 200a and 200b based on the address information stored in the device information storage unit 104; a key recording unit 110 that records the secret key encrypted by the encryption unit 106 on a removable external recording medium; and a timer unit 103 that notifies the key generation unit 102 and the device information storage unit 104 of the time at which the key generation unit 102 is to generate a secret key.
For example, the key recording unit 110 is a floppy disk drive and records the secret key on a floppy disk serving as the external recording medium. The wireless communication terminals 300a to 300d read the encrypted secret key from the floppy disk provided by the administrator of the encrypted communication system 10, and each decrypts it using its own device identification information. Likewise, the wireless access points 200a and 200b each decrypt the secret key received from the secret key management device 100 using their own device identification information. The wireless access points 200a and 200b and the wireless communication terminals 300a to 300d then perform encrypted communication using the distributed secret key.
When the encrypted communication system 10 is built so that encrypted communication uses a common key (symmetric) cryptosystem, the key generation unit 102 generates a secret key for that common key cryptosystem. When the encrypted communication system 10 is built so that encrypted communication uses a public key cryptosystem, the key generation unit 102 generates a secret key and a public key for that public key cryptosystem. In this case the transmission unit 108 transmits the secret key and public key generated by the key generation unit 102 to the wireless access points 200a and 200b, the key recording unit 110 records the secret key and public key on the external recording medium, and the wireless communication terminals 300a to 300d read the secret key and public key from the external recording medium.

According to the secret key management device 100 of this embodiment, the secret key is encrypted based on device identification information before it is distributed, which prevents the secret key from being stolen while it is being distributed. Because the secret key is distributed to the wireless access points 200a and 200b over the network, the administrator is spared the work of entering the secret key, or the string from which it is derived, into the wireless access points 200a and 200b by hand. And because the key generation unit 102 generates the secret key automatically and distributes it over the network or on an external recording medium, the secret key can be arbitrary binary data rather than a typed string.

FIG. 3 shows an example of the data format of the device information storage unit 104. The device information storage unit 104 stores, associated with one another, the IP address that is the address information of a communication device, the MAC address that is the device identification information of that communication device, and a distribution history, which is information indicating whether the secret key has been transmitted to that communication device.
For example, the device information storage unit 104 stores as the distribution history the date and time at which the transmission unit 108 or the key recording unit 110 distributed the secret key to the communication device. Consequently, no date and time is stored in the distribution history entry of a communication device to which the secret key has not yet been distributed.

According to the secret key management device 100 of this embodiment, the IP address and MAC address of each communication device that is to receive the secret key for encrypted communication in the encrypted communication system 10 are registered in the device information storage unit 104, and the secret key is distributed only to registered communication devices, which prevents the secret key from leaking to communication devices other than the registered ones. Storing the distribution history also makes it possible to distribute the secret key automatically to a communication device that is newly connected to the encrypted communication system 10 and registered in the device information storage unit 104.

FIG. 4 shows an example of the operation flow of the secret key management device 100. The encrypted communication system 10 is started (S100). When the encrypted communication system 10 starts, no secret key has yet been transmitted to any communication device, so the key generation unit 102 generates a secret key using a random number generated by the random number generation unit 101 (S102). The encryption unit 106 then consults the distribution history in the device information storage unit 104 (S104) and encrypts the secret key based on the MAC address of each communication device to which the secret key has not been distributed (S106). The transmission unit 108 or the key recording unit 110 distributes the secret key encrypted by the encryption unit 106 to the communication device identified by that MAC address (S108). The device information storage unit 104 then stores the date and time as the distribution history, associated with the MAC address of the communication device to which the secret key was distributed (S110). Next, the timer unit 103 determines whether a predetermined time has elapsed since the key generation unit 102 generated the secret key (S112). If the timer unit 103 determines in S112 that the predetermined time has elapsed, the device information storage unit 104 clears the distribution history (S114).
The flow then returns to S102, where the key generation unit 102 uses a random number generated by the random number generation unit 101 to generate another secret key, different from the one generated previously (S102). The encryption unit 106 consults the distribution history in the device information storage unit 104 (S104) and encrypts the other secret key based either on the MAC address of each communication device to which it has not been distributed or on the secret key that the key generation unit 102 generated previously (S106). The transmission unit 108 or the key recording unit 110 distributes the other secret key encrypted by the encryption unit 106 to the communication device identified by the MAC address (S108). When the other secret key has been encrypted under the previously generated secret key, it is preferable for the transmission unit 108 to distribute it to the wireless communication terminals 300a to 300d by wireless transmission through the wireless access point 200a or 200b. If one of the wireless communication terminals 300a to 300d cannot be reached, for example because it is powered off, the administrator may later distribute the other secret key to it using the external recording medium. The device information storage unit 104 then stores the date and time as the distribution history, associated with the MAC address of the communication device to which the other secret key was distributed (S110).
If the timer unit 103 determines in S112 that the predetermined time has not elapsed, it is determined whether the secret key has been transmitted to all of the communication devices registered in the device information storage unit 104 (S116). If it is determined in S116 that the secret key has not been transmitted to all of the communication devices, the flow returns to S104.
If it is determined in S116 that the secret key has been distributed to all of the communication devices, the flow proceeds to S118, where it is determined whether the encrypted communication system 10 has been stopped (S118).
If it is determined in S118 that the encrypted communication system 10 has not been stopped, the flow proceeds to S120, where the timer unit 103 determines whether the predetermined time has elapsed since the key generation unit 102 generated the secret key (S120). If the timer unit 103 determines in S120 that the predetermined time has elapsed, the device information storage unit 104 clears the distribution history (S114) and the flow returns to S102.
If the timer unit 103 determines in S120 that the predetermined time has not elapsed, the flow returns to S118 and again determines whether the encrypted communication system 10 has been stopped (S118). If it is determined in S118 that the encrypted communication system 10 has been stopped, the operation flow of the secret key management device 100 ends.
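The following Python model walks through the FIG. 4 flow just described (generate, wrap per registered device, record the distribution history, rekey when the timer fires) together with the receiver side described earlier, where each terminal or access point decrypts with its own device identification or with the key it already holds. It is an added example for this page, not code from the patent or from Allied Telesis. The patent fixes neither the cipher, the key length nor how a MAC address is turned into an encryption key, so this model assumes a 32-byte random key, a key-encryption key derived from the MAC string with SHA-256, and an HMAC-SHA256 encrypt-then-MAC wrap with a fresh nonce per message; every class, function and field name is hypothetical, and the two devices and timestamps are constructed. One caveat a practitioner should keep in mind: a MAC address travels in the clear in every Ethernet and 802.11 frame header, so a key wrapped under a MAC-derived key is protected only from an observer who has not seen the recipient's MAC. That is why the second mode, wrapping the new key under the previous one, is the path that makes over-the-air rekeying meaningful, while the MAC-based mode is best treated as a bootstrap over the floppy disk or the wired segment.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

KEY_LEN, NONCE_LEN = 32, 16   # sizes are assumptions; the patent fixes none


def kek_from_mac(mac: str) -> bytes:
    # KEK derived from the recipient's MAC (S106, first mode). A MAC is a public
    # identifier, so this hides the key only from parties that do not know it.
    return hashlib.sha256(b"WO03101040-mac-kek|" + mac.lower().encode()).digest()


def wrap(kek: bytes, key: bytes) -> bytes:
    # Encrypt-then-MAC wrap of one KEY_LEN-byte key: nonce || ct || tag, where the
    # one-block keystream is HMAC-SHA256(kek, "enc" || nonce) with a fresh nonce.
    nonce = secrets.token_bytes(NONCE_LEN)
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(key, pad))
    tag = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    # Verify the tag before using the ciphertext; wrong KEK or tampering -> ValueError.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + KEY_LEN], blob[NONCE_LEN + KEY_LEN:]
    expect = hmac.new(kek, b"mac" + nonce + ct, hashlib.sha256).digest()
    if len(ct) != KEY_LEN or not hmac.compare_digest(expect, tag):
        raise ValueError("wrong key-encryption key or tampered blob")
    pad = hmac.new(kek, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


class SecretKeyManager:
    # Secret key management device 100. self.table models device information storage
    # unit 104 (FIG. 3): mac -> {"ip": address, "sent": distribution date/time or None}.
    def __init__(self, table: Dict[str, str], rotate_after: float):
        self.table = {mac.lower(): {"ip": ip, "sent": None} for mac, ip in table.items()}
        self.rotate_after = rotate_after     # the timer unit's predetermined time
        self.current: Optional[bytes] = None
        self.previous: Optional[bytes] = None
        self.generated_at = 0.0

    def generate_key(self, now: float) -> None:      # S102: fresh random key
        self.previous, self.current = self.current, secrets.token_bytes(KEY_LEN)
        self.generated_at = now

    def tick(self, now: float) -> bool:              # S112/S120; S114 then S102 if elapsed
        if now - self.generated_at < self.rotate_after:
            return False
        for row in self.table.values():
            row["sent"] = None                       # S114: clear the distribution history
        self.generate_key(now)
        return True

    def distribute(self, now: float, under_previous_key: bool = False) -> Dict[str, Tuple[str, bytes]]:
        # S104-S110: wrap the current key for each registered device with no distribution
        # record. Mode "mac" derives the KEK from the device's MAC; mode "prev" wraps under
        # the previous key (the over-the-air rekey path). Transport is not modelled.
        if self.current is None or (under_previous_key and self.previous is None):
            raise RuntimeError("no current key, or no previous key to wrap under")
        out: Dict[str, Tuple[str, bytes]] = {}
        for mac, row in self.table.items():
            if row["sent"] is not None:              # S104: this device already has the key
                continue
            kek = self.previous if under_previous_key else kek_from_mac(mac)
            out[mac] = ("prev" if under_previous_key else "mac", wrap(kek, self.current))
            row["sent"] = now                        # S110: record date/time of distribution
        return out


class CommunicationDevice:                           # an AP 200 or a terminal 300
    def __init__(self, mac: str):
        self.mac, self.key = mac, None

    def receive(self, mode: str, blob: bytes) -> None:
        # Decrypt with this device's own MAC, or with the key it already holds.
        if mode not in ("mac", "prev") or (mode == "prev" and self.key is None):
            raise ValueError("unknown mode or no previous key on this device")
        self.key = unwrap(kek_from_mac(self.mac) if mode == "mac" else self.key, blob)


def run_flow() -> Dict[str, bool]:
    # One pass through FIG. 4 with two constructed devices; returns checkable outcomes.
    table = {"00:11:22:33:44:55": "192.0.2.10", "00:11:22:33:44:66": "192.0.2.11"}
    mgr = SecretKeyManager(table, rotate_after=3600.0)
    devs = {mac: CommunicationDevice(mac) for mac in table}
    mgr.generate_key(1000.0)                                    # S100-S102
    for mac, (mode, blob) in mgr.distribute(1000.0).items():    # MAC mode (floppy / wired)
        devs[mac].receive(mode, blob)
    first_ok = all(d.key == mgr.current for d in devs.values())
    idle = not mgr.tick(1010.0)                                 # S112: not yet elapsed
    old, rotated = mgr.current, mgr.tick(4600.0)                # S120 -> S114 -> S102
    for mac, (mode, blob) in mgr.distribute(4600.0, under_previous_key=True).items():
        devs[mac].receive(mode, blob)                           # rekey under the old key
    rotated_ok = rotated and mgr.current != old and all(d.key == mgr.current for d in devs.values())
    return {"first_ok": first_ok, "idle": idle, "rotated_ok": rotated_ok}
```

Run `run_flow()` to see the two rounds succeed. A device whose MAC is not in the table cannot open a MAC-mode blob because the tag check fails, and a device that never held the previous key cannot open a "prev" blob at all, which is exactly the case the patent covers by letting the administrator fall back to the floppy disk.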
This operation flow has been described using an example in which a new secret key is generated and distributed each time the predetermined time elapses; however, the timer unit 103 may vary the interval until the key generation unit 102 next generates a secret key arbitrarily, so that secret keys are distributed at arbitrary times.
According to the secret key management device 100 of this embodiment, a new secret key is generated and distributed to the communication devices each time the predetermined time elapses, so even if a secret key is leaked, communication data cannot be exposed over a long period.

FIG. 5 shows an example of the hardware configuration of the secret key management device 100. The functions of the secret key management device 100 are realized by a computer 800, which includes a CPU 810, a ROM 820, a RAM 830, a communication interface 840 and a hard disk drive 850, working together with a program executed on the computer 800. The computer 800 may further include a floppy disk drive 860 and/or a CD-ROM drive 870.
The program that realizes the functions of the secret key management device 100 includes a random number generation module, a key generation module, a timer module, an encryption module, a device information storage module, a transmission module and a key recording module. These modules are the program that causes the computer 800 to operate as the random number generation unit 101, the key generation unit 102, the timer unit 103, the encryption unit 106, the device information storage unit 104, the transmission unit 108 and the key recording unit 110.
The program or modules described above may be stored on an external storage medium. Besides the floppy disk 880 and the CD-ROM 890, the storage medium may be another optical recording medium, a magneto-optical recording medium such as an MD, a tape medium, or a semiconductor memory such as an IC card. A storage device such as a hard disk or RAM in a server system connected to a dedicated communication network or to the Internet may also be used as the recording medium, with the program provided to the computer 800 over an external network or a network connected to the computer 800.

FIG. 6 shows an example of the configuration of an encrypted communication system 20 according to the second embodiment of the present invention. In the second embodiment, components that are the same as those of the encrypted communication system 10 of the first embodiment carry the same reference numerals as in the first embodiment. The description of configuration and operation that are the same as in the first embodiment is partly omitted, and the description concentrates on the configuration and operation that differ from the first embodiment.
The encrypted communication system 20 includes a secret key management device 100 connected to an Internet network 400 that manages the secret key used in the encrypted communication system 20, a router 500 connected to the Internet network 400, wireless access points (APs) 200a and 200b that communicate with the secret key management device 100 over a wired connection through the Internet network 400 and the router 500, and wireless communication terminals 300a to 300d that communicate wirelessly with the wireless access points 200a and 200b. The secret key management device 100 encrypts the secret key based on the MAC address of the wireless access point 200a or 200b and transmits it to the wireless access point 200a or 200b over the Internet network 400.
According to the encrypted communication system 20 of this embodiment, the secret key is encrypted based on the MAC address of the wireless access point 200a or 200b, which prevents the secret key from being stolen on the Internet network 400, where the MAC address of the wireless access point 200a or 200b is not readily obtainable.

Embodiments of the invention have been described above, but the technical scope of the invention of this application is not limited to those embodiments. Various modifications may be made to the above embodiments when practicing the invention set out in the claims, and it is also clear from the claims that such modifications fall within the technical scope of the invention of this application.

INDUSTRIAL APPLICABILITY
As is clear from the above description, the present invention provides a secret key management device, a secret key management method, a secret key management program and an encrypted communication system that realize encrypted communication with high security.

Claims

What is claimed is:
1. A secret key management device that manages a secret key with which a communication device performs encrypted communication in an encrypted communication system, the device comprising:
an encryption unit that encrypts the secret key based on device identification information identifying the communication device; and
a transmission unit that transmits the secret key encrypted by the encryption unit to the communication device.
2. The secret key management device according to claim 1, further comprising a device information storage unit that stores the device identification information of the communication device in association with address information of the communication device, wherein
the encryption unit encrypts the secret key based on the device identification information stored in the device information storage unit, and
the transmission unit transmits the secret key to the communication device based on the address information stored in the device information storage unit.
3. The secret key management device according to claim 2, wherein the device information storage unit stores, in association with the device identification information, information indicating whether the transmission unit has transmitted the secret key to the communication device, and
the transmission unit consults the device information storage unit and transmits the secret key to each communication device to which it has not yet transmitted the secret key.
4. The secret key management device according to claim 1, wherein the encryption unit encrypts the secret key based on a MAC address that is the device identification information of the communication device.
5. The secret key management device according to claim 1, further comprising a key generation unit that generates the secret key, wherein
the encryption unit encrypts the secret key generated by the key generation unit.
6. The secret key management device according to claim 5, further comprising a random number generation unit that generates a random number, wherein
the key generation unit generates the secret key using the random number when the transmission unit has not transmitted the secret key to the communication device.
7. The secret key management device according to claim 5, wherein the key generation unit further generates another secret key, different from the secret key, when a predetermined time has elapsed after it generated the secret key,
the encryption unit further encrypts the other secret key based on the device identification information, and
the transmission unit further transmits the other secret key encrypted by the encryption unit to the communication device.
8. The secret key management device according to claim 5, wherein the key generation unit further generates another secret key, different from the secret key, when a predetermined time has elapsed after it generated the secret key,
the encryption unit encrypts the other secret key using the secret key, and
the transmission unit further transmits the other secret key encrypted by the encryption unit to the communication device.
9. The secret key management device according to claim 5, wherein the key generation unit generates the secret key of a common key cryptosystem.
10. The secret key management device according to claim 5, wherein the key generation unit generates the secret key and a public key of a public key cryptosystem, and the transmission unit further transmits the public key generated by the key generation unit to the communication device.
11. A secret key management method in a secret key management device that manages a secret key with which a communication device performs encrypted communication in an encrypted communication system, the method comprising:
an encryption step of encrypting the secret key based on device identification information identifying the communication device; and
a transmission step of transmitting the encrypted secret key to the communication device.
12. A secret key management program for a secret key management device that manages a secret key with which a communication device performs encrypted communication in an encrypted communication system, the program causing the secret key management device to function as:
encryption means for encrypting the secret key based on device identification information identifying the communication device; and
transmission means for transmitting the encrypted secret key to the communication device.
13. An encrypted communication system that performs encrypted communication, comprising:
a plurality of communication devices that perform encrypted communication in the encrypted communication system; and
a secret key management device that manages a secret key with which the plurality of communication devices perform encrypted communication with one another,
wherein the secret key management device has
an encryption unit that encrypts the secret key based on device identification information identifying a communication device, and
a transmission unit that transmits the secret key encrypted by the encryption unit to the communication device.
14. The encrypted communication system according to claim 13, wherein the plurality of communication devices comprise
a wireless access point that communicates with the secret key management device over a wired connection, and
a wireless communication terminal that communicates wirelessly with the wireless access point,
the secret key management device further has a key recording unit that records the secret key encrypted by the encryption unit on a removable external recording medium,
the transmission unit transmits the secret key to the wireless access point, and
the wireless communication terminal reads the secret key from the external recording medium.
PCT/JP2002/005025 2002-05-23 2002-05-23 Secret key manager WO2003101040A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2004507198A JPWO2003101040A1 (en) 2002-05-23 2002-05-23 Secret key management device
AU2002308882A AU2002308882A1 (en) 2002-05-23 2002-05-23 Secret key manager
PCT/JP2002/005025 WO2003101040A1 (en) 2002-05-23 2002-05-23 Secret key manager

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2002/005025 WO2003101040A1 (en) 2002-05-23 2002-05-23 Secret key manager

Publications (1)

Publication Number Publication Date
WO2003101040A1 true WO2003101040A1 (en) 2003-12-04

Family

ID=29561073

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2002/005025 WO2003101040A1 (en) 2002-05-23 2002-05-23 Secret key manager

Country Status (3)

Country Link
JP (1) JPWO2003101040A1 (en)
AU (1) AU2002308882A1 (en)
WO (1) WO2003101040A1 (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001044985A (en) * 1999-08-02 2001-02-16 Hitachi Ltd Cryptographic key storage system for communication equipment
JP2001111543A (en) * 1999-10-07 2001-04-20 Nec Corp Cryptographic key update system of radio lan and updating method therefor

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DAVIES D.W., PRICE W.L./ TRANSLATED UNDER THE SUPERVISION OF TADAHIRO UEZONO: "Network Security", 5 December 1985, pages: 145 - 146, XP002956638 *

Also Published As

Publication number Publication date
JPWO2003101040A1 (en) 2005-09-29
AU2002308882A1 (en) 2003-12-12

Similar Documents

Publication Publication Date Title
KR100888472B1 (en) Cryptographic method using dual encryption keys and wireless local area network system therefor
US8635456B2 (en) Remote secure authorization
CN1949765B (en) Method and system for obtaining SSH host computer public key of device being managed
CN1708942B (en) Secure implementation and utilization of device-specific security data
CN1326349C (en) Content delivery system
EP1749389B1 (en) Method and system for authentication in a computer network
CN101771699A (en) Method and system for improving SaaS application security
US6988198B1 (en) System and method for initializing operation for an information security operation
CN112436936B (en) Cloud storage method and system with quantum encryption function
CN102970135A (en) Methods and apparatus for finding a shared secret without compromising non-shared secrets
WO2008095367A1 (en) A card issuing method, device and system
CN112187450A (en) Method, device, equipment and storage medium for key management communication
JP2001237818A (en) Proxy encryption communication system and method, and recoding medium having program recorded thereon
CN114125831B (en) 5G smart grid user side data acquisition method and system based on proxy re-encryption
JP2001103045A (en) Storage device for backing up cryptographic key
US20070098156A1 (en) Digital rights management
Ramkumar The subset keys and identity tickets (SKIT) key distribution scheme
WO2003101040A1 (en) Secret key manager
CN116049851A (en) Ciphertext processing system and method based on full homomorphic encryption
CN109409112A (en) A kind of disk binding method and device
CN111818521B (en) Authority authentication method and system based on data center 5G network encryption multicast
KR20030050881A (en) Key Management Method for Wireless LAN
CN111930325B (en) Safe printing method based on quantum key
CN114422189A (en) Park security management system and method based on block chain technology
CN112054905A (en) Secure communication method and system of mobile terminal

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase. Ref document number: 2004507198; Country of ref document: JP
AK Designated states. Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG UZ VN YU ZA ZM ZW
AL Designated countries for regional patents. Kind code of ref document: A1; Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG
121 Ep: the EPO has been informed by WIPO that EP was designated in this application
122 Ep: PCT application non-entry in European phase