WO2004049651A1 - Monitor, data communication device and data communication method - Google Patents


Info

Publication number
WO2004049651A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
area
key
terminal device
monitoring device
Application number
PCT/JP2002/012422
Other languages
English (en)
Japanese (ja)
Inventor
Kiminari Fukumoto
Masashi Watanabe
Original Assignee
Bishu Corporation
Application filed by Bishu Corporation
Priority to AU2002355047A
Priority to PCT/JP2002/012422
Publication of WO2004049651A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords

Definitions

  • The present invention relates to a monitoring device, a data communication device, and a data communication method, and particularly to a monitoring device, a data communication device, and a data communication method with improved security.
  • Background art (conventional technology).
  • Data transmitted and received via networks such as the Internet and VPNs can maintain a given level of confidentiality by encrypting the data.
  • A method is also adopted in which access to a specific terminal device is permitted based on the received data, and data is then transmitted and received (see, for example, Patent Document 1).
  • One of the functions of a router is to secure communication by filtering packets at the network.
  • When an IP node outside a certain network communicates with an IP node inside the network, the traffic passes through the router at the entrance to the network.
  • The router reads the network-layer and transport-layer headers in each packet and forwards it. The IP addresses of the TCP/IP packets and the TCP/UDP port numbers that may pass through the router are therefore configured, and packets that do not match are discarded.
  • In this way, IP nodes inside the network can be made unreachable from outside, or access to particular transport-layer ports can be prohibited. This is called packet filtering at the network-layer level and at the transport-layer level, and is useful for enhancing communication security.
  • Authentication passwords and the like are used as a method of identifying terminal devices. However, impersonation, in which an unauthorized accessor obtains a legitimate ID and gains access, and unauthorized access methods such as overflow attacks are widespread, and there have been many incidents in which data on a server was extracted or a system was destroyed without the administrator's knowledge.
  • Filtering at the network-layer and transport-layer level means that, for unauthorized access, the data can after all be obtained at that layer, and decrypting that data is then only a matter of time.
  • The present invention has been made in view of such problems. First, the problem is solved by a monitoring device mounted on a terminal device that performs data communication, comprising: transmission encryption means for processing a part of the IP header of data transmitted and received according to the TCP/IP procedure and transmitting the processed data; reception decryption means for receiving the data and decrypting the part of the IP header to authenticate the data; and key data used for processing and decrypting the data.
  • The transmission encryption means processes the part of the IP header bit by bit using the key data.
  • The reception decryption means decrypts the part of the IP header bit by bit using the key data.
  • The part of the IP header is the source IP address.
  • In a monitoring device mounted on a terminal device that performs data communication, the data in a first area of the IP header of data transmitted and received according to the TCP/IP procedure is processed using an encryption key, and a second area of the IP header is processed as well.
  • The data of the first area is such that the bit code corresponding to the pulses in the physical layer and the bit code in the layers above the data link layer have different values.
  • The transmission encryption means processes the bit code of the first area bit by bit, between the physical layer and the data link layer, according to the encryption key, and replaces the first area with the processed bit code.
  • The reception/decryption means decrypts the bit code of the first area of the received data bit by bit, between the physical layer and the data link layer, according to the decryption key, and authenticates the data.
  • The first area is the source IP address area.
  • The second area is the identifier area.
  • The problem is also solved by a data communication device comprising: a monitoring device having transmission encryption means for processing a part of the IP header of transmission/reception data based on the TCP/IP procedure and transmitting the data, reception/decryption means for receiving the data and decrypting the part of the IP header to authenticate the data, and key data used for processing and decrypting the data; a plurality of terminal devices each including the monitoring device; and a communication line connecting the plurality of terminal devices.
  • Data communication is performed only between the specific terminal devices provided with the monitoring device.
  • The transmission encryption means processes the part of the IP header bit by bit.
  • The reception decryption means decrypts the part of the IP header bit by bit.
  • The part of the IP header is the source IP address.
  • The data in the first area of the IP header of data transmitted and received based on the TCP/IP procedure is processed with the encryption key and the decryption key is set in the second area of the IP header; transmission encryption means transmits the data; reception/decryption means receives the data, obtains the decryption key, decrypts the data in the first area and authenticates the data; and the encryption key and the decryption key
  • A server is further provided, and the encryption key and the decryption key are arbitrarily changed by the server.
  • Data communication is performed between the specific terminal device provided with the monitoring device and the server.
  • The data of the first area is such that the bit code corresponding to the pulses in the physical layer and the bit code in the layers above the data link layer have different values.
  • The transmission encryption means processes the bit code of the first area bit by bit, between the physical layer and the data link layer, according to the encryption key, and replaces the first area with the processed bit code.
  • The reception/decryption means decrypts the bit code of the first area bit by bit, between the physical layer and the data link layer, according to the decryption key, and authenticates the data.
  • The first area is the source IP address area.
  • The second area is the identifier area.
  • The data communication device further comprises a router connected to the communication line.
  • Data based on the TCP/IP procedure is transmitted between the first terminal device as the source and the second terminal device as the destination.
  • A part of the IP header of the data is processed by the first terminal device and transmitted, the data is received by the second terminal device, and, by authenticating that part of the IP header, data communication can be performed between the specific first and second terminal devices.
  • The first monitoring device provided in the first terminal device has a TCP/I
  • A server connected to the first terminal device and the second terminal device and including a third monitoring device is further provided, and the key data is arbitrarily changed by the server.
  • The part of the IP header is the source IP address.
  • The problem is also solved by a data communication method comprising: a step in which a first monitoring device provided in the first terminal device obtains an encryption key, processes the data in a first area of the IP header of data based on the TCP/IP procedure using the encryption key, sets a decryption key in a second area of the IP header, and transmits the data; a step in which the second terminal device receives the data and a second monitoring device provided in the second terminal device obtains the decryption key; a step of decrypting the data in the first area using the decryption key; and a step of authenticating the data and performing data communication between the specific first terminal device and the specific second terminal device.
  • A server connected to the first terminal device and the second terminal device and including a third monitoring device is further provided, and the encryption key and the decryption key are arbitrarily changed by the server.
  • The encryption key and the decryption key can be changed for each packet of the data.
  • The first area is the source IP address area.
  • The second area is the identifier area.
  • The first terminal device selects a communication path for each data communication.
  • FIG. 1 is a schematic diagram showing an example of a data communication device 10 according to the first embodiment of the present invention.
  • FIG. 1 (A) shows the data communication device 10.
  • FIG. 1 (B) shows a schematic diagram of a monitoring device 2 mounted on a terminal.
  • The present embodiment includes a first terminal device 1a, a first monitoring device 2a, a second terminal device 1b, a second monitoring device 2b, and a communication line 3.
  • The first terminal device 1a is provided with the first monitoring device 2a.
  • The second terminal device 1b is provided with the second monitoring device 2b.
  • The terminal devices 1a and 1b are connected by the communication line 3.
  • The first terminal device 1a and the second terminal device 1b are collectively referred to as the terminal device 1, and the first monitoring device 2a and the second monitoring device 2b are collectively referred to as the monitoring device 2.
  • The first terminal device 1a and the second terminal device 1b are information processing devices provided with devices connectable to a communication line, and have the TCP/IP protocol.
  • The communication line 3 is a wired or wireless line having a data transfer function between the terminal devices 1.
  • The first monitoring device 2a and the second monitoring device 2b each process a part of the IP header of the transmission/reception data based on the TCP/IP procedure and transmit the data.
  • The key data 23 consists of a plurality of encryption keys 24 and decryption keys 25 stored in a plurality of tables.
  • The monitoring device 2 is mounted on, for example, a general LAN board or LAN card.
  • The transmission encryption means 21 of the first monitoring device 2a processes the source IP address SA (the IP address of the first terminal device 1a), which is a part of the IP header, using the key data 23.
  • This processed source IP address is referred to as the encrypted address EA.
  • The second terminal device 1b receives the data in the reception/decryption means 22 of the second monitoring device 2b, which holds the key data 23, and authenticates the data by decrypting the encrypted address EA using the part of the key data 23 attached to the data.
  • When replying, the source IP address SA (the address of the second terminal device 1b) is processed with the key data 23 to generate an encrypted address EA, the part of the key data 23 used for decryption is set, the destination IP address DA (the address of the first terminal device 1a) is set, and the data is transmitted.
  • The destination IP address of the IP header is used as it is: the destination IP address DA of the party with which data communication is to be performed is set unchanged, whereas in the source IP address area the source IP address SA is processed, the encrypted address EA is set, and the data is transmitted.
  • The encrypted address EA of data sent via the monitoring device 2 is processed into a value or format different from the original source IP address SA.
  • The encrypted address EA is restored to the source IP address SA by the monitoring device 2. That is, a terminal device 1 having the monitoring device 2 can restore the encrypted address EA and therefore receive the data, whereas a terminal device without the monitoring device 2 cannot restore the encrypted address EA, cannot recognize the source IP address SA, and cannot receive the data. In other words, data communication can be performed only between the specific first terminal device 1a and second terminal device 1b provided with the monitoring device 2.
  • The IP header 26 will be described with reference to FIG.
  • The IP header 26 is added to the data 27 of the TCP packet communication service.
  • The terminal device 1 on the transmitting side writes the information required by the IP protocol and attaches the IP header 26 to the packet 27.
  • The terminal device 1 on the receiving side performs the processing required to receive the information, based on the information in the IP header 26 of the received packet 27.
  • The IP header 26 is composed of the version, header length, service type, packet length, identifier, flags, fragment offset, lifetime (time to live), protocol, checksum, source IP address SA, 32-bit destination IP address DA, options, and padding.
  • The source IP address SA is the IP address of the terminal device 1 that sends out the packet, and the destination IP address DA is the IP address of the terminal device 1 that receives the packet.
  • The source IP address SA in the IP header 26 is processed using the encryption key 24 held in the monitoring device 2.
  • The resulting encrypted address EA replaces the contents of the first area 26a, in which the source IP address SA is stored.
  • The transmission encryption means 21 further sets a decryption key 25 for decrypting the encrypted address EA in the free area of the second area 26b, where the identifier is stored.
  • The IP address of the second terminal device 1b is set as the destination IP address DA of the IP header 26.
  • The data 27 of the communication service is added after the IP header 26 as before, and a TCP header (not shown) is added at the head of the IP header 26.
  • The TCP sending the packet describes the necessary information in the TCP header and sends the packet out, and the TCP receiving the packet refers to the information in the received TCP header and performs the necessary processing and response. In this way, the TCPs of the two communicating terminal devices establish communication while exchanging information via the TCP header.
  • The reception/decryption means 22 receives the data, obtains the encrypted address EA from the source IP address area 26a and the decryption key 25 from the identifier area 26b, decrypts the encrypted address EA to the source IP address SA using the decryption key 25, and authenticates the data.
  • The information contained in the TCP header includes a port number identifying the communication service, a sequence number for detecting packets lost in transit, and information for error detection.
  • The TCP header does not carry information such as an IP address for identifying the destination or source terminal device.
  • TCP does not have the role of delivering a packet to the communication partner's terminal device.
  • TCP is a communication protocol used after a packet has already arrived at a terminal device, so it has no need to specify the address. That is, even if an encrypted address EA with a format or value that cannot be recognized normally has replaced the contents of the source IP address area 26a, the data can still be transmitted to the destination terminal device.
  • FIG. 3 (A) shows the OSI reference model.
  • The physical layer converts between data and signals (pulses) and specifies the standards for the cables and connectors actually used for transmission and the signalling system.
  • The data link layer specifies the exchange between directly connected devices (computers). At the time of reception, when the clock is at the H level, the presence or absence of a pulse in the physical layer is obtained,
  • The network layer governs the exchange in inter-network communication.
  • The transport layer specifies the measures taken when information (a signal) is damaged or lost, to ensure the quality of communication.
  • The session layer specifies the path through which data is transmitted.
  • The presentation layer specifies the conversion between the format of the data handled (understandable by the user) and the format suitable for communication.
  • The application layer specifies the communication application actually used by the user.
  • The monitoring device 2 monitors data between the physical layer and the data link layer.
  • Data at the physical layer consists of pulses, so a value or format of any kind can be transmitted through the communication line 3.
  • All received data is converted into binary bits in the data link layer and parsed in 4-bit units to form 8-bit codes.
  • This 8-bit code is decrypted bit by bit, the data is further authenticated, and only the permitted data is passed to the layers above the data link layer.
  • The encrypted address EA is decrypted into the source IP address SA by the reception decryption means 22.
  • When the monitoring device 2 is not provided, the source IP address cannot be recognized when the data arrives at the terminal device 1, that is, in the data link layer; an error is processed and no data is passed to the higher layers. In other words, a terminal device 1 without the monitoring device 2 cannot pass the data on, because the data is passed only as far as the physical layer.
  • The layers that software can access are above the data link layer. Even if data can be obtained at the physical layer, the terminal device (computer) 1 cannot decipher or analyze it unless it is passed to the software-level layers above the data link layer. That is, if the monitoring device 2 of the present invention is provided in each of the terminal devices 1 between which data communication is to be permitted, data communication can be performed only between those terminal devices 1, and unauthorized access is prevented because a terminal device without the monitoring device 2 cannot obtain the data.
  • The source IP address SA is set down to the data link layer, but the transmission encryption means 21 processes the transmission data between the physical layer and the data link layer.
  • The 8-bit code of the source IP address SA is processed bit by bit and transmitted.
  • Consequently, a pulse for the encrypted address EA, different from the pulse corresponding to the source IP address SA, is transmitted, and when it passes through the monitoring device 2 it is recognized as the source IP address SA above the data link layer. In other words, the bit code corresponding to the pulses in the physical layer has a different value from the bit code in the layers above the data link layer.
  • The key data 23 includes the encryption key 24 and the decryption key 25 as described above.
  • The encryption key 24 is the key for processing the source IP address SA into the encrypted address EA on the transmitting side, and for the encrypted address on the receiving side.
  • The transmission encryption means 21 processes the 8-bit code of the source IP address SA bit by bit. That is, the encryption key 24, composed of 8 bits, is for example added to (or subtracted from) the 8-bit code of the source IP address SA. As a result, an encrypted address EA consisting of an 8-bit code completely different from the source IP address SA is generated. The transmission encryption means 21 then replaces the contents of the source IP address area 26a with the encrypted address EA. Also, so that the encrypted address EA can be decrypted, the decryption key 25 is set in the free area of the identifier area 26b, and the data is transmitted.
  • The encryption key 24 is determined by referring to a plurality of tables in the key data 23 held in the monitoring device 2.
  • The transmission encryption means 21 refers to Table X1 using a random number based on a first encryption key 24a (an initial value the first time), which is updated each time a connection to the communication line is made, and on the numerical value of its own source IP address SA, and thereby obtains a second encryption key 24b from Table Y1.
  • The first encryption key 24a is updated when the terminal device disconnects from the line, so it has a different value when the next communication starts.
  • From this, a third encryption key 24 consisting of the 8-bit code actually used to process the source IP address SA (for example, "00000001") is obtained.
  • The third encryption key 24 is added to (or subtracted from) the 8-bit code of the source IP address SA to generate the encrypted address EA.
  • The unit that a computer can recognize is one byte (8 bits), consisting of an upper 4 bits indicating the data format and a lower 4 bits indicating the data.
  • Data processed bit by bit is therefore recognized, as the bytes the computer handles, as data of a format or value different from the original data. That is, by processing each bit in the monitoring device 2, each byte of the source IP address is converted into a format or value different from the original data.
  • The transmission encryption means 21 replaces the source IP address SA with the encrypted address EA, further sets data indicating the storage location (for example, n1) of the third encryption key 24 in Table Z1 in the identifier area 26b as the decryption key 25, and transmits the data.
  • The reception/decryption means 22 receives the data, converts the pulses in the physical layer into binary bits in the data link layer, and obtains the 8-bit codes. At this time, the bit code of the encrypted address EA set in the source IP address area 26a of the received data is decrypted bit by bit. To decrypt the encrypted address EA, the 8-bit code of the third encryption key 24 used at the time of transmission is subtracted from (or added to) the 8-bit code of the encrypted address EA. That is, the reception/decryption means 22 only needs to be able to acquire the 8-bit code of the third encryption key 24.
  • The key data 23 of the destination monitoring device 2 holds a Table Z2 corresponding to Table Z1 of the transmitting side. From the decryption key 25 (data indicating the storage location of the third encryption key 24) set in the identifier area 26b of the IP header 26, the third encryption key 24 is obtained by referring to Table Z2, and the encrypted address EA is decrypted.
  • The reception decryption means 22 authenticates the decrypted source IP address SA. Permitted data is passed to the layers above the data link layer, and data communication becomes possible.
  • The encryption described here is only an example.
  • The monitoring device 2 processes the source IP address SA bit by bit to obtain the encrypted address EA, or decrypts the encrypted address EA for authentication.
  • The number of tables used to obtain the encryption key 24 and the decryption key 25, the method of referring to the tables, and so on vary with the security level of the data communication; they are not limited to the above examples but are defined by the claims.
  • All terminal devices connected to the communication line 3 can acquire this data (pulses). Since any pulse can be received at the physical layer, data to which the encrypted address EA has been assigned can be received by every connected terminal device.
  • The data to which the encrypted address EA has been assigned can be received as pulses.
  • In the physical layer, only the pulses are transmitted, as described above, and it is not known what data they represent.
  • Such a terminal device determines the source from the received data and attempts to obtain the source IP address SA for data communication. That is, the pulses are converted into the corresponding binary bits in the data link layer, and the data is assembled in 4-bit units to obtain 8-bit codes. It then attempts to determine the source IP address SA from this 8-bit code, but the 8-bit code is the encrypted address EA.
  • Because the encrypted address EA cannot be decrypted, error processing is performed in the data link layer and the data is not passed to the upper layers. Also, since error processing occurs in the data link layer at reception, no information acknowledging the reception can be returned, and data communication cannot take place.
  • Data communication can therefore be performed only between the terminal devices 1 each having the monitoring device 2, so impersonation and overflow attacks can be prevented. Even if an unauthorized terminal device can obtain the data, the source IP address SA cannot be identified and an error is processed in the data link layer. In other words, since no data is passed to a higher layer, the data is not analyzed by a person attempting unauthorized access.
  • The IP address serves to bring the packet to the target computer, but is not used at the stage of deciding which communication service (application) program processes it after arrival. In other words, only the data authenticated by the monitoring device 2 is passed to the communication service program, and the specific communication is performed.
  • Step 1: Receive data (S101).
  • Step 2: Check whether the received data is a SYN packet (whether or not it is of fixed length). If it is not a SYN packet, perform the processing of step 6. If it is a SYN packet, check in step 3 whether it matches a connection rule (S102).
  • Step 3: Check whether the packet matches the connection rule, for example whether the protocol is TCP/IP and whether it has an identifier. If there is no match, look up the next connection rule. If it matches, perform the processing of step 4. If no connection rule matches, perform the processing of step 7 (S103).
  • Step 4: If a connection rule matches, create an entry in the information management table (S104).
  • Step 5: Execute the corresponding action, such as decryption of the encrypted address, authentication, and connection processing (S105).
  • Step 6: If the packet was not a SYN packet in step 2, automatically correct the error and check again whether an entry exists in the information management table. If there is an entry in the information management table, perform the processing of step 5; if there is no entry, perform the processing of step 7 (S106).
  • Step 7: The connection is refused and the communication is disconnected (S107).
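The seven-step packet-handling flow above, modelled in Python as an added illustration that is not the patent's own code. The packet fields, the single connection rule, the sample traffic and the choice to key the information management table on the source/destination pair are all constructed assumptions; the page only fixes the decisions at each step.

```python
"""Model of the SYN-gated connection handling in steps 1 to 7.

Added illustration, not the patent's code.  The packet structure, the
connection rule list, the key of the information management table and the
sample traffic are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    protocol: str          # "TCP" or something else
    flags: str             # e.g. "SYN", "ACK", "PSH,ACK"
    payload_len: int       # a SYN packet carries no payload (fixed length)
    src: str
    dst: str
    has_identifier: bool   # decryption key present in the identifier area

    def is_syn(self) -> bool:
        """Step 2: a SYN packet is one with only the SYN flag and no payload."""
        return self.flags == "SYN" and self.payload_len == 0


# Step 3 connection rules: the protocol must be TCP/IP and the identifier must be set.
CONNECTION_RULES = [
    {"protocol": "TCP", "requires_identifier": True},
]


def rule_matches(rule: dict, pkt: Packet) -> bool:
    """One connection rule against one packet."""
    if rule["protocol"] != pkt.protocol:
        return False
    if rule["requires_identifier"] and not pkt.has_identifier:
        return False
    return True


@dataclass
class MonitoringDevice:
    # Step 4 information management table: one entry per (src, dst) pair (assumption).
    table: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        """Return 'connect' (step 5) or 'refuse' (step 7) for one received packet (step 1)."""
        key = (pkt.src, pkt.dst)
        if pkt.is_syn():
            # Step 3: try the rules in order; any match leads to step 4, none to step 7.
            if any(rule_matches(rule, pkt) for rule in CONNECTION_RULES):
                self.table.add(key)       # step 4: create the entry
                return "connect"          # step 5: decrypt EA, authenticate, connect
            return "refuse"               # step 7
        # Step 6: non-SYN traffic is accepted only for a connection already in the table.
        if key in self.table:
            return "connect"
        return "refuse"


def run_sample() -> list:
    """Feed constructed traffic through one device and return the decisions in order."""
    dev = MonitoringDevice()
    traffic = [
        Packet("TCP", "SYN", 0, "192.0.2.10", "192.0.2.20", True),          # valid handshake
        Packet("TCP", "PSH,ACK", 512, "192.0.2.10", "192.0.2.20", True),    # follows an entry
        Packet("TCP", "PSH,ACK", 512, "198.51.100.7", "192.0.2.20", True),  # no entry, no SYN
        Packet("TCP", "SYN", 0, "198.51.100.7", "192.0.2.20", False),       # no identifier
        Packet("UDP", "", 64, "203.0.113.5", "192.0.2.20", True),           # not TCP/IP
    ]
    return [dev.handle(p) for p in traffic]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The third and fifth packets are refused even though they carry an identifier, because step 6 only admits mid-stream traffic for a connection that already passed the SYN-time rule check.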
  • the data communication method includes a step of obtaining an encryption key by a first monitoring device provided in a first terminal device, and a step of obtaining a first area in an IP header of data based on a TCP / IP procedure. Processing the data using the encryption key, setting a decryption key in a second area in the IP header, and transmitting the data; and receiving the data at the second terminal device, A step of obtaining the decryption key by a second monitoring device provided in the second terminal device, a step of decrypting the data in the first area by the decryption key, and a step of: Authenticating the data in the area and performing data communication between the specific first terminal device and the second terminal device.
  • First step a step of obtaining an encryption key 24 by a first monitoring device 2a provided in a first terminal device 1a.
  • the monitoring device 2a acquires the encryption key 24 by referring to the key data 23 (S201).
  • the source IP address SA stored in the source IP address area 26a in the IP header 26 of the data based on the TCP / IP procedure is replaced with the encryption key 2
  • the encrypted address EA is generated by processing in bit units according to 4 (S202).
  • the decryption key 25 for decrypting the encrypted address EA at the destination is encrypted to improve security, and is set in the identifier area 26b in the IP header (S203).
  • various data of the communication service are also encrypted by a known method to improve security, and one packet of data is transmitted (S204).
  • Third step a step in which the data is received by the second terminal device 1b, and the decryption key 25 is obtained by the second monitoring device 2b provided in the second terminal device 2b.
  • the terminal device 1b on the receiving side receives the data (S2.05), and acquires the encrypted decryption key 25 assigned to the data identifier area 26b by the monitoring device 2b.
  • Fourth step a step of decrypting the data in the first area 26 a using the decryption key 25.
  • the decryption key 25 itself is decrypted
  • the encryption key 24 for decryption is obtained by referring to the key data 23 held in the monitoring device 2b based on the decryption key 25, and the encryption address is obtained.
  • Fifth step: a step of authenticating the data in the first area 26a and performing data communication between the specific first terminal device 1a and the specific second terminal device 1b.
  • the source IP address SA stored in the source IP address area 26a is authenticated (S207), and no data is returned in the case of unauthorized access.
  • for authenticated data, the communication service data is decrypted (S208), TCP processing is performed, and the data is passed to the upper layer for application processing (S209).
  • for the reply, the encryption key 24 is obtained in the monitoring device 2b (S210).
  • the source IP address SA is processed into the encrypted address EA (S211).
  • the decryption key 25 itself is encrypted (S212), and the communication data is encrypted by a known method and transmitted packet by packet (S213).
  • the terminal device 1a receives the data (S214), obtains the decryption key 25, decrypts the decryption key 25, and decrypts the encrypted address EA to the source IP address (S215). After that, the source IP address SA is authenticated (S216); for authenticated data, the communication service data is decrypted (S216), and TCP processing and application processing are performed (S218). Thereafter, the same processing is repeated until the communication ends.
  • FIG. 7 shows a detailed flow of the terminal device on the transmitting side in the data communication method of the present invention.
  • the power of the terminal device 1 is turned on (S301), and the key data 23 held in the EEPROM in the monitoring device 2 is read (S302). It is checked whether the protocol is TCP/IP (S303); in the case of the TCP/IP protocol, the encryption key 24 and the decryption key 25 are acquired based on the key data 23 and the source IP address SA (S305). If the protocol is not the TCP/IP protocol, the DELAY adjustment is performed (S304). Next, a data key for encrypting the communication service data by a known method is created (S306).
  • the source IP address SA is processed based on the encryption key 24 to generate the encrypted address EA (S307), and the decryption key 25 itself, to be transmitted together with the data, is encrypted (S308).
  • the data key itself for encrypting the communication service data is also encrypted (S309).
  • the encrypted address EA is set in the source IP address area 26a of the IP header, the encrypted decryption key 25 is set in the identifier area 26b, and the other IP header information is stored.
  • the packet data of the communication service is also encrypted by a known method based on the data key (S311), and the data is transmitted (S312).
  • FIG. 8 shows a detailed flow of the terminal device 1 on the receiving side in the data communication method of the present invention.
  • the data is received (S401), and the key data held in the EEPROM in the monitoring device 2 is read (S402). Next, it is checked whether the protocol is the TCP/IP protocol (S403); if it is not, the delay is adjusted (S404). Next, it is checked whether there is a header option (S405); if there is no header option, the data is discarded (S406). If there is a header option, the encrypted decryption key 25 is decrypted and the data key itself for decrypting the communication service data is decrypted (S407).
  • using the decryption key 25 attached to the data, the encryption key 24 is obtained from the corresponding storage location in the monitoring device's own key data 23, and the encrypted address EA is decrypted (S408).
  • the decrypted source IP address SA is authenticated (S409), and if it is authenticated, the communication service data packet is decrypted using the data key (S410). If the source IP address SA is not authenticated, the data is discarded (S406). If the reception was successful, a reception confirmation is notified (S411).
  • FIG. 9 is a schematic diagram showing an example of a data communication device 10 and a data communication method according to the second embodiment of the present invention.
  • the device consists of a first terminal device 1a, a first monitoring device 2a, a second terminal device 1b, a second monitoring device 2b, a server 4, a third monitoring device 2c, and a communication line 5.
  • the first terminal device 1a is provided with the first monitoring device 2a
  • the second terminal device 1b is provided with the second monitoring device 2b
  • the server 4 is provided with the third monitoring device 2c.
  • the terminal device 1 and the server 4 are connected by a network 5.
  • the first terminal device 1a and the second terminal device 1b are information processing devices provided with devices connectable to the network 5, and have the TCP/IP protocol.
  • the server 4 is an information processing device provided with a device connectable to the network 5, and has the TCP/IP protocol.
  • the network 5 is a single network having a data transfer function between the terminal device 1 and the server 4, or a network complex including a plurality of networks, for example a telephone network, a wireless or wired packet network, or a LAN such as Ethernet.
  • the data communication device and the data communication method of the second embodiment are the same as those of the first embodiment, with a server 4 having a monitoring device 2c added to the configuration.
  • the configuration of the monitoring device 2, the configuration of the IP header 26, and the outline of the data communication method are the same as those in the first embodiment, and their description is omitted.
  • in the second embodiment, the server 4 can arbitrarily change the key data 23 held by each monitoring device 2. This can be performed using the same transmission encryption means and reception/decryption means as in the first embodiment (see Fig. 9 (B)).
  • the transmission encryption means 21 of each monitoring device 2 has a plurality of tables as key data 23.
  • the transmission encryption means 21 refers to Table X1 using a random number based on the first encryption key 24a (an initial value the first time), which is updated each time a connection is made to the communication line, and on the value of its own source IP address, and thereby obtains the second encryption key 24b in Table Y1.
  • the first encryption key 24a is updated by the server 4 at an arbitrary timing.
  • a third encryption key 24 consisting of an 8-bit code (e.g., "00000001"), which is the key actually used for processing the source IP address SA, is obtained in Table Z1.
  • the third encryption key 24 is added to (or subtracted from) the 8-bit code of the source IP address SA to generate the encrypted address EA.
  • the receiving/decrypting means 22 only needs to be able to acquire the 8-bit code of the third encryption key 24. Therefore, the key data 23 of the monitoring device 2 of the other party holds a table Z2 corresponding to the table Z1 of the transmitting side; using the decryption key 25 set in the identifier area 26b in the IP header 26 (data indicating the storage position of the third encryption key 24), the third encryption key 24 is obtained with reference to Table Z2, and the encrypted address EA is decrypted.
  • the first encryption key 24a is updated to a different value at each connection and cannot be changed during the data communication (while connected to the network). Also, the key data 23 is stored in the monitoring device in advance, and the number of key data 23 is limited between specific terminal devices.
  • the value of the key data 23 can be arbitrarily changed.
  • the table held as key data 23 is automatically updated at regular intervals, or the user is requested to change the first encryption key 24a or the decryption key 25 while connected to the network. Further, it is also possible to change the key data 23 for each data communication and for each packet of TCP/IP data.
  • the decryption key 25 is monitored by the server 4 so that correspondence is possible only between the authorized terminal devices 1. In other words, even if a plurality of terminal devices 1 connected to the same network 5 are each provided with a monitoring device 2, a common encryption key 24 and a common decryption key 25 are required; therefore a terminal device 1 holding a different decryption key 25 cannot perform data communication even though it has the monitoring device 2.
  • the server 4 can manage the MAC address of each monitoring device 2 and the permitted terminal devices 1. For example, if a monitoring device 2 is moved by an unauthorized person to a terminal device that is not permitted, the server 4 checks the status at any time and stops the function of the monitoring device 2 for the unauthorized terminal, so that it can only function as a plain board.
  • the network 5 generally has a configuration in which a plurality of terminal devices 1 and servers 4 are connected to a plurality of routers 6 as shown in FIG. 10, and the routers 6 are connected to each other.
  • the IP layer writes the necessary information and adds an IP header to the packet.
  • the IP of each router that performs routing processing on the Internet refers to the information of the IP header of the transmitted packet and appropriately transfers the packet.
  • the receiving terminal device 2 performs necessary processing for receiving the information based on the information of the IP header of the received packet.
  • the direction of forwarding from a router 6 is not limited to one, but may be multiple. Therefore, the router 6 checks the destination IP address assigned to the received packet, selects an optimal route, and transfers the packet to the next router in that direction.
  • the router incorporates the IP protocol in addition to the physical layer and data link layer communication protocols. Since the role of the router is only to transfer information in the direction of the destination IP address, there is no need to provide communication services or the TCP protocol; the physical layer, data link layer and IP protocols are sufficient.
  • the router 6 can also be provided with the monitoring device 2.
  • each of the networks A, C and D connected to a router 6 having the monitoring device 2 can perform data communication between the permitted terminal devices 1 without each having an individual monitoring device 2.
  • data communication is not possible on network F, whose router 6 has no monitoring device 2.
  • the monitoring device 2 may be provided in specific terminal devices B and E.
  • in that case, the data communication is performed by the terminal device 1 or the server 4, and data communication is possible even if the router 6 is not provided with the monitoring device 2, as long as each is provided with one individually.
  • by providing the monitoring device 2 in the data communication device 12 connected to the network 5 via the router 6 in this manner, data is communicated by selecting a new communication route each time. A router 6 recognizes only the router 6 (or terminal device, server) that sent data to it and the router 6 (or terminal device, server) to which it sent the data; if the transmission time and the routers 6 (or terminals, servers) before and after it are the same, the data is returned via the same route.
  • the router 6 that first receives data containing the encrypted address EA from a terminal device 1 with the monitoring device 2 does not know the source IP address SA if it does not itself have the monitoring device 2, and sends the data on all lines.
  • the most vacant route is selected, and the data is sent to the next router 6 or to the destination terminal device 1.
  • the communication route is not fixed, because at every communication the data is transferred over all routes and the data that took the most vacant route reaches the router 6.
  • a router 6 having the monitoring device 2 cannot receive data that is not addressed to itself, because the decryption key 25 given to the data is different.
  • when a router 6 that is not the addressee first receives data containing the encrypted address EA, the source IP address SA is unknown to it, so routers without the monitoring device 2 do not receive the data but send it on all lines. In other words, data is transferred over all routes for every communication, and the data that took the most vacant route reaches the router 6. Therefore it is not possible to determine which route the data has passed through, and security is improved.
  • the data that took the most vacant route is received by the destination terminal device 1 each time, so the data can be transferred without delay.
  • the existing network system can be used, since it is only necessary to attach a monitoring device to the terminal devices, servers or routers that are generally used.
  • the key data for encrypting and decrypting the source IP address can be updated at random. Also, since the server can manage the key data so that it is common among the permitted terminal devices, it is possible to specify which terminal devices among those having the monitoring device are permitted to communicate.
  • FIG. 1 (A) is a schematic diagram showing a data communication device of the present invention.
  • FIG. 1 (B) is a schematic diagram showing a monitoring device mounted on the data communication device of the present invention.
  • FIG. 2 is a diagram showing an IP header of the present invention.
  • FIG. 3 (A) is a schematic diagram for explaining the present invention.
  • FIG. 3 (B) is a schematic diagram for explaining the present invention.
  • FIG. 3 (C) is a schematic diagram for explaining the present invention.
  • FIG. 4 is a schematic diagram for explaining the present invention.
  • FIG. 5 is a schematic diagram for explaining the data communication method of the present invention.
  • FIG. 6 is a flowchart illustrating the present invention.
  • FIG. 7 is a flowchart illustrating the present invention.
  • FIG. 8 is a flowchart illustrating the present invention.
  • FIG. 9 (A) is a schematic diagram for explaining the present invention.
  • FIG. 9 (B) is a schematic diagram for explaining the present invention.
  • FIG. 10 is a schematic diagram for explaining the present invention.
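The sender-side and receiver-side processing described above (S201 to S209 and S401 to S411) together with the Z1/Z2 table lookup, as an added example in Python that is not part of the patent. The key tables, the permitted-source list, the application of the 8-bit third key to each octet of the source address, the mixing of the first key with the sender's own address, and the 16-bit mask used to encrypt the decryption key carried in the identifier area are all constructed assumptions, since the patent leaves those details to "known methods".

```python
import socket
import struct
from typing import Optional

# Constructed sample key data: the page's tables X1, Y1, Z1 and the receiver's
# list of permitted sources. Values are illustrative, not from the patent.
TABLE_X1 = [3, 0, 2, 1]
TABLE_Y1 = [5, 3, 4, 2]
TABLE_Z1 = [0x00, 0x01, 0x2C, 0x5A, 0x91, 0xC7]   # 8-bit "third encryption keys"
PERMITTED_SOURCES = {"192.0.2.10", "192.0.2.20"}  # authentication list (S409)
ID_MASK = 0x5A3C  # assumption: mask standing in for the unspecified encryption of key 25


def derive_third_key(first_key: int, own_ip: str) -> tuple[int, int]:
    """X1 -> Y1 -> Z1 walk; returns (storage position in Z1, 8-bit third key).
    The page's "random number based on the first key and own source address" is
    modelled here (assumption) as a deterministic mix so the example runs offline."""
    mix = first_key
    for octet in own_ip.split("."):
        mix = (mix * 31 + int(octet)) & 0xFFFF
    pos = TABLE_Y1[TABLE_X1[mix % len(TABLE_X1)]]
    return pos, TABLE_Z1[pos]


def ipv4_checksum(header: bytes) -> int:
    """Standard IPv4 header checksum over a 20-byte header (zero in the checksum field)."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(first_key: int, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Sender's monitoring device (S201-S204): the source address area 26a carries
    EA = SA + key (per octet, mod 256) and the identifier area 26b carries the
    encrypted decryption key 25, i.e. the masked position of the key in Z1."""
    pos, key = derive_third_key(first_key, src_ip)
    ea = bytes((b + key) & 0xFF for b in socket.inet_aton(src_ip))
    ident = pos ^ ID_MASK
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      64, 17, 0, ea, socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def receive_packet(packet: bytes) -> Optional[tuple[str, bytes]]:
    """Receiver's monitoring device (S405-S410): recover the position from the
    identifier area, fetch the key from Z2 (same contents as Z1), undo the
    addition and authenticate SA. Returns (SA, payload), or None when the data
    is to be discarded (S406); note that the receiver never needs first_key."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or ipv4_checksum(packet[:20]) != 0:
        return None  # not usable IPv4, or header altered in transit
    ident = struct.unpack("!H", packet[4:6])[0]
    pos = ident ^ ID_MASK
    if pos >= len(TABLE_Z1):
        return None  # decryption key does not match this key data
    key = TABLE_Z1[pos]
    sa = socket.inet_ntoa(bytes((b - key) & 0xFF for b in packet[12:16]))
    if sa not in PERMITTED_SOURCES:
        return None  # unauthorized access: no data is returned
    return sa, packet[20:]
```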

Abstract

There is a problem that, even if communication service data to be transmitted and received is encrypted, the data contents can leak simply by breaking the encryption once the encrypted data itself has been acquired by a third party. Methods of unauthorized authentication using passwords that identify a terminal station are also prevalent. A transmission-origin IP address is processed in bit units, and the data is transmitted between a physical layer and a data link layer via a monitor. In a terminal station without a monitor, it is impossible to decode the transmission-origin IP address or to acquire the data at the layers above the data link layer. In a terminal station with a monitor, the data is decoded back to the transmission-origin IP address according to a decoding key given to the data, so that the data is authenticated.
PCT/JP2002/012422 2002-11-28 2002-11-28 Moniteur, dispositif de communication de donnees et procede de communication de donnees WO2004049651A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU2002355047A AU2002355047A1 (en) 2002-11-28 2002-11-28 Monitor, data communication device, and data communication method
PCT/JP2002/012422 WO2004049651A1 (fr) 2002-11-28 2002-11-28 Moniteur, dispositif de communication de donnees et procede de communication de donnees

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2002/012422 WO2004049651A1 (fr) 2002-11-28 2002-11-28 Moniteur, dispositif de communication de donnees et procede de communication de donnees

Publications (1)

Publication Number Publication Date
WO2004049651A1 true WO2004049651A1 (fr) 2004-06-10

Family

ID=32375622

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2002/012422 WO2004049651A1 (fr) 2002-11-28 2002-11-28 Moniteur, dispositif de communication de donnees et procede de communication de donnees

Country Status (2)

Country Link
AU (1) AU2002355047A1 (fr)
WO (1) WO2004049651A1 (fr)

Also Published As

Publication number Publication date
AU2002355047A1 (en) 2004-06-18

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP