WO2016147340A1 - Cryptographic communication device, cryptographic communication terminal, cryptographic communication method, and cryptographic communication program - Google Patents

Cryptographic communication device, cryptographic communication terminal, cryptographic communication method, and cryptographic communication program Download PDF

Info

Publication number
WO2016147340A1
WO2016147340A1 PCT/JP2015/058065 JP2015058065W WO2016147340A1 WO 2016147340 A1 WO2016147340 A1 WO 2016147340A1 JP 2015058065 W JP2015058065 W JP 2015058065W WO 2016147340 A1 WO2016147340 A1 WO 2016147340A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
communication
buffer
key
encryption key
Prior art date
Application number
PCT/JP2015/058065
Other languages
French (fr)
Japanese (ja)
Inventor
陽一 柴田
忠和 山中
Original Assignee
三菱電機株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 三菱電機株式会社 filed Critical 三菱電機株式会社
Priority to JP2017505944A priority Critical patent/JP6192870B2/en
Priority to PCT/JP2015/058065 priority patent/WO2016147340A1/en
Publication of WO2016147340A1 publication Critical patent/WO2016147340A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • the present invention relates to an encryption communication device, an encryption communication terminal, an encryption communication method, and an encryption communication program.
  • One-time pad encryption is a common key encryption method in which a key is shared between a transmission side and a reception side.
  • encryption is performed using an encryption key having the same number of bits as communication data.
  • the encryption key once used for encryption is not reused. That is, the encryption key is made disposable.
  • a typical example of the one-time pad cipher is the Burnham cipher.
  • an exclusive OR or the like is calculated bit by bit for communication data and an encryption key, and the calculation result is transmitted as encrypted data. If even one bit is misaligned between the communication data and the encryption key, the encrypted data cannot be decrypted correctly. Therefore, what means is used to adjust which part of the encryption key is used for the communication data.
  • an encryption key capable of encrypting communication data for a certain time is prepared in advance.
  • the encryption key since the encryption key is disposable, the encryption key may be exhausted during the encryption communication. In this case, there is a delay from when the encryption key is exhausted until the encryption key is replenished. Note that the encryption key being “depleted” means that the remaining number of encryption keys is zero.
  • An object of the present invention is to eliminate a delay that occurs between the time when an encryption key is exhausted and the time when the encryption key is replenished.
  • An encryption communication apparatus is provided.
  • Memory Each time communication data is input, one encryption key stored in a buffer that is an internal area of the memory is acquired, and the communication data is encrypted using the acquired encryption key. And generating encrypted data with the encryption unit for deleting the acquired encryption key from the buffer, A data transmission unit that performs cryptographic communication by transmitting the encrypted data generated by the encryption unit; A management unit that adds a new encryption key to the buffer according to a speed at which the number of encryption keys in the buffer decreases while encryption communication by the data transmission unit continues.
  • a new encryption key is added to the buffer according to the speed at which the number of encryption keys in the buffer decreases while the encrypted communication continues. For this reason, it is possible to eliminate a delay that occurs until the encryption key is replenished after the encryption key is depleted.
  • FIG. 1 is a block diagram illustrating a configuration of a communication system according to Embodiment 1.
  • FIG. 3 shows an operation of the communication system according to the first embodiment.
  • 1 is a block diagram illustrating a configuration of an encryption communication device according to a first embodiment.
  • 1 is a block diagram illustrating a configuration of an encryption communication device according to a first embodiment.
  • 5 is a flowchart showing the operation of the cryptographic communication apparatus according to the first embodiment.
  • 4 is a detailed flowchart showing the operation of the cryptographic communication apparatus according to the first embodiment.
  • 4 is a detailed flowchart showing the operation of the cryptographic communication apparatus according to the first embodiment.
  • FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment.
  • FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment.
  • FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment.
  • FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment.
  • FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment.
  • FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment.
  • FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment.
  • Embodiment 1 FIG. First, as an outline of the present embodiment, the configuration of the system according to the present embodiment, the operation of the system according to the present embodiment, and the effects of the present embodiment will be described in order.
  • the communication system 100 includes a plurality of encryption communication terminals 110 and 120.
  • the encryption communication terminals 110 and 120 are mobile terminals such as smartphones, tablets, and mobile phones, respectively.
  • the encryption communication terminals 110 and 120 may be terminals other than mobile terminals such as personal computers.
  • the terminal A which is the encryption communication terminal 110 on the transmission side includes an encryption communication device 111 and a processing device 112.
  • the encrypted communication device 111 generates encrypted data by encrypting the communication data using a disposable encryption key every time the communication data is received.
  • the cryptographic communication device 111 performs cryptographic communication by transmitting the generated encrypted data.
  • the processing device 112 executes a program 113 that inputs communication data to the encryption communication device 111.
  • the program 113 is a plurality of applications 114.
  • the processing device 112 is a processor such as a CPU (Central Processing Unit).
  • the key sharing device 115 can be connected to the terminal A.
  • the cryptographic communication apparatus 111 can acquire the cryptographic key from the key sharing apparatus 115 when the key sharing apparatus 115 is connected to the terminal A.
  • the encryption communication device 111 stores the encryption key in advance or generates the encryption key independently.
  • Terminal B which is the encryption communication terminal 120 on the receiving side, includes an encryption communication device 121 and a processing device 122.
  • the cryptographic communication device 121 performs cryptographic communication by receiving encrypted data. Each time the encrypted communication device 121 receives encrypted data, the encrypted communication device 121 generates communication data by decrypting the encrypted data using a disposable encryption key.
  • the processing device 122 executes a program 123 that receives input of communication data from the encryption communication device 121.
  • the program 123 is a plurality of applications 124.
  • the processing device 122 is a processor such as a CPU.
  • the key sharing device 125 can be connected to the terminal B.
  • the cryptographic communication apparatus 121 can acquire the cryptographic key from the key sharing apparatus 125 when the key sharing apparatus 125 is connected to the terminal B.
  • the encryption communication device 121 stores the encryption key in advance or generates the encryption key independently.
  • Terminal A and terminal B are connected to a network 130 such as the Internet.
  • cryptographic communication between the cryptographic communication terminals 110 and 120 is performed by the cryptographic communication devices 111 and 121 incorporated in the cryptographic communication terminals 110 and 120 via the network 130, respectively.
  • the cryptographic communication devices 111 and 121 are cryptographic communication modules that are independent of the applications 114 and 124 executed by the cryptographic communication terminals 110 and 120, respectively. Therefore, in this embodiment, it is possible to use encrypted communication even in the applications 114 and 124 that do not have the encrypted communication function.
  • the encryption communication devices 111 and 121 have buffers for temporarily storing encryption keys for the applications 114 and 124, as will be described later.
  • encryption communication terminal 110 when each application 114 communicates with another encryption communication terminal 120, encryption communication is performed using the encryption key in the corresponding buffer. The same applies to the encryption communication terminal 120.
  • the cryptographic communication devices 111 and 121 manage buffers for the applications 114 and 124, respectively.
  • the encryption communication devices 111 and 121 need to be based on the amount of encryption key consumed by encryption communication and the remaining amount of encryption key in the buffer. Add the encryption key to the buffer.
  • both one or both of the encryption communication terminals 110 and 120 may be equipped with both the encryption communication module on the transmission side and the encryption communication module on the reception side. That is, the encryption communication device 111 of the terminal A may have both functions of the transmission side and the reception side. In that case, the cryptographic communication device 111 may be configured by two cryptographic communication modules of the transmission side and the reception side, or may be configured by one cryptographic communication module in which the transmission side and the reception side are integrated. .
  • the encryption communication device 121 of the terminal B is the same as the encryption communication device 111 of the terminal A.
  • the number of encryption communication terminals provided in the communication system 100 is not limited to two, and may be three or more. Of the three or more encryption communication terminals, at least one encryption communication terminal is equipped with a transmission-side encryption communication module, and at least one other encryption communication terminal is equipped with a reception-side encryption communication module. The remaining encrypted communication terminals only need to be equipped with at least one of the transmitting-side encrypted communication module and the receiving-side encrypted communication module.
  • the application 114 of the terminal A sends the destination information T1 of the terminal B to the encryption communication device 111 of the terminal A.
  • the encryption communication device 111 identifies the terminal B from the destination information T1.
  • the encryption communication device 111 creates the key list L1 from the encryption key group G1 that it owns.
  • the encryption key group G1 includes an encryption key K1.
  • the encryption communication device 111 transmits the key list L1 to the encryption communication device 121 of the terminal B.
  • the application 124 of the terminal B sends the destination information T2 of the terminal A to the encryption communication device 121 of the terminal B.
  • the encryption communication device 121 identifies the terminal A from the destination information T2.
  • the encryption communication device 121 receives the key list L1 from the encryption communication device 111 of the terminal A.
  • the encryption communication device 121 creates a key list L2 from the encryption key group G2 held by itself.
  • the encryption key group G2 includes an encryption key K1. However, not all of the encryption keys included in the encryption key group G2 need to match the encryption keys included in the encryption key group G1.
  • the encryption communication device 121 specifies the encryption key K1 used for encryption communication from the key list L1 and the key list L2.
  • the encryption communication device 121 transmits key information I1 that is identification information of the encryption key K1 to the encryption communication device 111 of the terminal A.
  • the encryption communication device 111 of the terminal A receives the key information I1.
  • the encryption communication device 111 expands the data of the encryption key K1 pointed to by the key information I1 in the buffer M1 assigned to the application 114 of the terminal A.
  • the data of the encryption key K1 pointed to by the key information I1 is expanded in the buffer M2 assigned to the application 124 of the terminal B.
  • the encryption communication device 111 encrypts the communication data D1 by using the encryption key K1 in the buffer M1, and encrypts it.
  • Data E1 is created.
  • the encryption communication device 111 transmits the encrypted data E1 to the encryption communication device 121 of the terminal B.
  • the encryption communication device 121 of the terminal B receives the encrypted data E1.
  • the encryption communication device 121 decrypts the encrypted data E1 using the encryption key K1 in the buffer M2, and obtains communication data D1.
  • the encryption communication device 121 sends the communication data D1 to the application 124 of the terminal B.
  • Similar processing refers to processing performed in the same procedure as described above using a different encryption key for each processing.
  • the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B monitor the decrease speeds of the encryption keys in the buffer M1 and the buffer M2, respectively.
  • the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B add the encryption keys to the buffer M1 and the buffer M2 before the encryption keys of the buffer M1 and the buffer M2 respectively disappear.
  • the encryption communication device 111 of the terminal A creates a key list L3 from the encryption key group G3 held by itself.
  • the encryption key group G3 includes an encryption key K3.
  • the encryption communication device 111 transmits the key list L3 to the encryption communication device 121 of the terminal B.
  • the encryption communication device 121 of the terminal B receives the key list L3.
  • the encryption communication device 121 creates a key list L4 from the encryption key group G4 that it owns.
  • the encryption key group G4 includes an encryption key K3. However, not all of the encryption keys included in the encryption key group G4 need to match the encryption keys included in the encryption key group G3.
  • the encryption communication device 121 specifies the encryption key K2 used for encryption communication from the key list L3 and the key list L4.
  • the encryption communication device 121 transmits key information I2 that is identification information of the encryption key K2 to the encryption communication device 111 of the terminal A.
  • the encryption communication device 111 of the terminal A receives the key information I2.
  • the encryption communication device 111 expands the data of the encryption key K2 pointed to by the key information I2 in the buffer M1 assigned to the application 114 of the terminal A.
  • the data of the encryption key K2 pointed to by the key information I2 is expanded in the buffer M2 assigned to the application 124 of the terminal B.
  • the encryption key is added after the encryption key is depleted by adding the encryption key before the encryption key is exhausted during the encryption communication of the specific application 114, 124. It is possible to eliminate the delay that occurs up to.
  • each application 114 and 124 when a plurality of applications 114 and 124 perform one-time pad encryption communication in the same encryption communication terminal 110 and 120, each application 114 and 124 has a dedicated encryption key. There is no need. Therefore, the data capacity in the encryption communication terminals 110 and 120 can be reduced.
  • the cryptographic communication device 111 includes a wired interface 151, an internal interface 152, a communication interface 153, a storage medium 154, and a memory 155.
  • the encryption communication device 111 includes an acquisition unit 161, a data reception unit 162, a request reception unit 163, a list generation unit 164, a list transmission unit 165, an information reception unit 166, a management unit 167, and an encryption Unit 168 and a data transmission unit 169.
  • the wired interface 151 is an interface for communicating with an external device.
  • the wired interface 151 is used to acquire an encryption key from the key sharing device 115.
  • the wired interface 151 can be replaced with a wireless interface.
  • the internal interface 152 is an interface for communicating with the application 114 in the terminal A.
  • the internal interface 152 is used for exchanging destination information and communication data with the application 114.
  • the communication interface 153 is an interface for communicating with other terminals.
  • the communication interface 153 is used for communicating with the terminal B.
  • the storage medium 154 stores the encryption key group acquired by the acquisition unit 161.
  • the memory 155 has a buffer associated with the application 114 of the terminal A.
  • the acquisition unit 161 acquires the encryption key from the key sharing device 115 via the wired interface 151.
  • the acquisition unit 161 stores the acquired encryption key in the storage medium 154.
  • the data receiving unit 162 receives communication data from the application 114 of the terminal A via the internal interface 152.
  • the data reception unit 162 passes the received communication data to the encryption unit 168.
  • the request reception unit 163 receives destination information from the application 114 of the terminal A through the internal interface 152.
  • the request reception unit 163 instructs the list generation unit 164 to generate a key list.
  • the list generation unit 164 receives the destination information from the request reception unit 163.
  • the list generation unit 164 generates a key list from the encryption key group in the storage medium 154.
  • the list generation unit 164 passes the generated key list to the list transmission unit 165 together with the destination information.
  • the list transmission unit 165 receives the key list and the destination information from the list generation unit 164.
  • the list transmission unit 165 transmits the key list to the terminal B, which is the destination described in the destination information, via the communication interface 153.
  • the information receiving unit 166 receives key information that is identification information of an encryption key from the terminal B that is the partner to which the list transmitting unit 165 has transmitted the key list, via the communication interface 153.
  • the information receiving unit 166 passes the received key information to the management unit 167.
  • the management unit 167 acquires an encryption key that matches the key information received from the information reception unit 166 from the storage medium 154.
  • the management unit 167 sets a flag indicating that the encryption key in the storage medium 154 is being used.
  • the management unit 167 expands the encryption key in a buffer associated with the application 114 of the terminal A in the memory 155.
  • the management unit 167 sets the buffer in the memory 155.
  • the management unit 167 deletes the encryption key expanded in the buffer from the storage medium 154.
  • the encryption unit 168 receives communication data from the data reception unit 162.
  • the encryption unit 168 acquires the bit string of the encryption key from the buffer associated with the application 114 of the terminal A in the memory 155.
  • the encryption unit 168 encrypts the communication data with the one-time pad encryption using the acquired bit string of the encryption key, and generates encrypted data.
  • the encryption unit 168 passes the generated encrypted data to the data transmission unit 169.
  • the data transmission unit 169 transmits the encrypted data received from the encryption unit 168 via the communication interface 153.
  • the cryptographic communication device 121 includes a wired interface 171, an internal interface 172, a communication interface 173, a storage medium 174, and a memory 175.
  • the encryption communication apparatus 121 includes an acquisition unit 181, a data transmission unit 182, a request reception unit 183, an information generation unit 184, a list reception unit 185, an information transmission unit 186, a management unit 187, and a decryption unit. 188 and a data receiving unit 189.
  • the wired interface 171 is an interface for communicating with an external device.
  • the wired interface 171 is used to acquire an encryption key from the key sharing device 125.
  • the wired interface 171 can be replaced with a wireless interface.
  • the internal interface 172 is an interface for communicating with the application 124 in the terminal B.
  • the internal interface 172 is used to exchange destination information and communication data with the application 124.
  • the communication interface 173 is an interface for performing communication with other terminals.
  • the communication interface 173 is used for communicating with the terminal A.
  • the storage medium 174 stores the encryption key group acquired by the acquisition unit 181.
  • the memory 175 has a buffer associated with the application 124 of the terminal B.
  • the acquisition unit 181 acquires an encryption key from the key sharing device 125 via the wired interface 171.
  • the acquisition unit 181 stores the acquired encryption key in the storage medium 174.
  • the request reception unit 183 receives destination information from the application 124 of the terminal B via the internal interface 172.
  • the request reception unit 183 instructs the list reception unit 185 to wait for reception of the key list.
  • the list receiving unit 185 receives the key list via the communication interface 173.
  • the list receiving unit 185 passes the received key list to the information generating unit 184.
  • the information generation unit 184 receives the key list from the list reception unit 185.
  • the information generation unit 184 generates a key list from the encryption key group in the storage medium 174.
  • the information generation unit 184 generates key information that is identification information of the encryption key from the key list received from the list reception unit 185 and the generated key list.
  • the information generation unit 184 passes the generated key information to the information transmission unit 186.
  • the information transmitting unit 186 transmits the key information received from the information generating unit 184 to the terminal A that is the partner from which the list receiving unit 185 has received the key list, via the communication interface 173.
  • the information transmission unit 186 passes the transmitted key information to the management unit 187.
  • the management unit 187 acquires an encryption key that matches the key information received from the information transmission unit 186 from the storage medium 174.
  • the management unit 187 sets a flag indicating that the encryption key in the storage medium 174 is being used.
  • the management unit 187 expands the encryption key in a buffer associated with the application 124 of the terminal B in the memory 175.
  • the management unit 187 sets the buffer in the memory 175.
  • the management unit 187 deletes the encryption key expanded in the buffer from the storage medium 174.
  • the data receiving unit 189 receives the encrypted data via the communication interface 173.
  • the data receiving unit 189 passes the received encrypted data to the decrypting unit 188.
  • the decryption unit 188 receives the encrypted data from the data reception unit 189.
  • the decryption unit 188 acquires the bit string of the encryption key from the buffer associated with the application 124 of the terminal B in the memory 175.
  • the decryption unit 188 decrypts the encrypted data using the one-time pad encryption using the acquired bit string of the encryption key, and generates communication data.
  • the decryption unit 188 passes the generated communication data to the data transmission unit 182.
  • the data sending unit 182 receives the communication data from the decoding unit 188.
  • the data transmission unit 182 passes the received communication data to the application 124 of the terminal B via the internal interface 172.
  • FIG. 5 shows a rough processing flow of the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B.
  • step S11 it is determined that encryption communication is used between the application 114 of the terminal A and the application 124 of the terminal B by an arbitrary method.
  • the encryption communication device 111 of the terminal A receives the encryption communication request from the application 114 of the terminal A.
  • This encrypted communication request includes destination information T1 designating the terminal B.
  • the encryption communication device 121 of the terminal B also receives the encryption communication request from the application 124 of the terminal B.
  • This encrypted communication request includes destination information T2 for designating the terminal A.
  • step S12 the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B perform a key confirmation process with each other.
  • step S13 the encryption communication device 111 of the terminal A performs the encryption communication process on the transmission side.
  • the encryption communication device 121 of the terminal B performs reception side encryption communication processing.
  • FIG. 6 shows the flow of the key confirmation process in step S12 of FIG. Note that since the key confirmation processing is not directly involved in transmission / reception of communication data, the roles of the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B may be switched.
  • step S21 the encryption communication device 111 of the terminal A creates a key list L1 from the encryption key group G1 in the storage medium 154.
  • step S22 the encryption communication device 111 of the terminal A transmits the key list L1 created in step S21 to the encryption communication device 121 of the terminal B.
  • step S23 the encryption communication device 121 of the terminal B receives the key list L1 transmitted in step S22. Further, the encryption communication device 121 of the terminal B creates the key list L2 from the encryption key group G2 in the storage medium 174.
  • step S24 the encryption communication device 121 of the terminal B determines the encryption key K1 used for encryption communication from the key list L1 received in step S23 and the key list L2 created in step S23.
  • step S25 the encryption communication device 121 of the terminal B sets a flag indicating that it is in use for the encryption key K1 determined in step S24 in the storage medium 174.
  • step S26 the encryption communication device 121 of the terminal B transmits the key information I1 of the encryption key K1 determined in step S24 to the encryption communication device 111 of the terminal A.
  • step S27 the encryption communication device 111 of the terminal A receives the key information I1 transmitted in step S26.
  • step S28 the encryption communication device 111 of the terminal A sets a flag indicating that the encryption key K1 corresponding to the key information I1 received in step S27 in the storage medium 154 is in use.
  • step S29 the encryption communication device 111 of the terminal A expands the encryption key K1 corresponding to the key information I1 received in step S27 in the buffer M1 in the memory 155, and deletes the original encryption key K1 from the storage medium 154. .
  • step S30 the encryption communication device 111 of the terminal A notifies the start of encryption communication.
  • step S31 the encryption communication device 121 of the terminal B receives a notification of the start of encryption communication.
  • step S32 the encryption communication device 121 of the terminal B expands the encryption key K1 for which the flag is set in step S25 in the buffer M2 in the memory 175, and deletes the original encryption key K1 from the storage medium 174.
  • step S24 to S29 and step S32 is performed not only for the encryption key K1, but also for all encryption keys common to the key list L1 on the transmission side and the key list L2 on the reception side.
  • FIG. 7 shows the flow of encryption communication processing in step S13 of FIG.
  • step S41 the encryption communication device 111 of the terminal A receives the communication data D1 from the application 114 of the terminal A.
  • step S42 the encryption communication device 111 of the terminal A encrypts the communication data D1 received in step S41 with the one-time pad encryption using the encryption key K1 in the buffer M1 of the memory 155 to obtain the encrypted data E1. .
  • step S43 the encryption communication device 111 of the terminal A transmits the encrypted data E1 obtained in step S42 to the encryption communication device 121 of the terminal B. If the communication ends here, the encryption communication process ends.
  • step S44 the encryption communication device 111 of the terminal A checks the remaining amount of the encryption key in the buffer M1, and determines whether it is necessary to add the encryption key to the buffer M1. If it is not necessary to add an encryption key, the encryption communication apparatus 111 of the terminal A repeats the process after step S41 about the following communication data.
  • step S45 the encryption communication device 111 of the terminal A performs a key confirmation process.
  • the key confirmation process is as described with reference to FIG. 6, but the process of notifying the start of encrypted communication in steps S30 and S31 is not necessary.
  • step S46 the encryption communication device 121 of the terminal B receives the encrypted data E1 transmitted in step S43 from the encryption communication device 111 of the terminal A.
  • step S47 the encryption communication device 121 of the terminal B uses the encryption key K1 stored in the buffer M2 of the memory 175 to decrypt the encrypted data E1 received in step S46 using the one-time pad encryption to obtain communication data D1. .
  • the encryption communication device 121 of the terminal B passes the communication data D1 to the application 124 of the terminal B. If the communication ends here, the encryption communication process ends.
  • step S48 the encryption communication device 121 of the terminal B checks the remaining amount of the encryption key in the buffer M2, and determines whether it is necessary to add the encryption key to the buffer M2. If it is not necessary to add an encryption key, the encryption communication apparatus 121 of the terminal B repeats the process after step S46 about the following encryption data.
  • step S48 If the result of determination in step S48 is that an encryption key is to be added to the buffer M2, in step S49, the encryption communication device 121 of the terminal B performs key confirmation processing.
  • the key confirmation process is as described with reference to FIG. 6, but the process of notifying the start of encrypted communication in steps S30 and S31 is not necessary.
  • steps S41 and S42 every time the encryption unit 168 receives input of communication data, the encryption unit 168 acquires one encryption key out of the encryption keys stored in the buffer that is an internal area of the memory 155, and the acquired encryption key The encrypted data is generated by encrypting the communication data using, and the acquired encryption key is deleted from the buffer.
  • step S43 the data transmission unit 169 performs encrypted communication by transmitting the encrypted data generated by the encryption unit 168.
  • the management unit 167 adds a new encryption key to the buffer according to the speed at which the number of encryption keys in the buffer decreases while the encrypted communication by the data transmission unit 169 continues. Specifically, the management unit 167 estimates the time until the encryption key in the buffer runs out from the speed at which the number of encryption keys in the buffer decreases and the number of encryption keys remaining in the buffer. When the value falls below the threshold, a new encryption key is added to the buffer.
  • This threshold value can be arbitrarily adjusted, but is preferably set to a time longer than the delay that occurs between the time when the encryption key in the buffer is exhausted and the time when the encryption key is replenished in the buffer. That is, it is desirable that the threshold be set longer than the time required for executing the key confirmation process in the encryption communication device 111 of the terminal A. Note that the speed at which the number of encryption keys in the buffer decreases can be measured by an arbitrary method.
  • step S46 the data receiving unit 189 performs encrypted communication by receiving the encrypted data.
  • step S47 every time encrypted data is received by the data receiving unit 189, the decrypting unit 188 acquires one of the encryption keys stored in the buffer that is an internal area of the memory 175, and acquires it.
  • the communication data is generated by decrypting the encrypted data using the encrypted key, and the acquired encryption key is deleted from the buffer.
  • the management unit 187 adds a new encryption key to the buffer according to the speed at which the number of encryption keys in the buffer decreases while the encryption communication by the data reception unit 189 continues. Specifically, the management unit 187 estimates the time until the encryption key in the buffer runs out from the speed at which the number of encryption keys in the buffer decreases and the number of encryption keys remaining in the buffer. When the value falls below the threshold, a new encryption key is added to the buffer.
  • This threshold value can be arbitrarily adjusted as in the case of terminal A, but is set to a time longer than the delay that occurs between the time when the encryption key in the buffer is exhausted and the time when the encryption key is replenished to the buffer.
  • the threshold is set longer than the time required for executing the key confirmation process in the encryption communication apparatus 121 of the terminal B. Note that the speed at which the number of encryption keys in the buffer decreases can be measured by an arbitrary method.
  • the buffers of the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B are individually assigned to each of the plurality of applications 114 and 124. For this reason, the management units 167 and 187 make a new response according to the speed at which the number of encryption keys in the buffer allocated to the applications 114 and 124 in which the encrypted communication continues among the plurality of applications 114 and 124 decreases.
  • the encryption key is added to the buffer assigned to the application 114 or 124. Specifically, the management units 167 and 187 determine whether the number of encryption keys in the buffer allocated to the applications 114 and 124 decreases and the number of encryption keys remaining in the buffer.
  • This threshold value may be set uniformly, but may be set at a different time for each application 114. For example, the threshold may be set longer for an application 114 that has a relatively high degree of influence due to delay, such as a voice call, and may be set shorter for an application 114 that has a relatively low degree of influence due to delay, such as mail communication.
  • the encryption keys used by the encryption unit 168 of the encryption communication device 111 of the terminal A and the decryption unit 188 of the encryption communication device 121 of the terminal B are determined by communication with the respective counterparts of the encryption communication.
  • FIG. 8 shows a specific example of processing performed by the list generation unit 164 of the encryption communication device 111 of the terminal A.
  • each encryption key includes key information, a flag, and key data.
  • the encryption key K1 includes key information I1 “002”, a flag “unused”, and key data “10111011010.
  • the list generation unit 164 extracts the key information of the encryption key whose flag is “unused” from the encryption key database 210.
  • the list generation unit 164 generates the extracted key information list as the key list L1.
  • FIG. 9 shows a specific example of processing performed by the information generation unit 184 of the encryption communication device 121 of the terminal B.
  • each encryption key included in the encryption key group G2 is recorded.
  • the configuration of each encryption key is the same as that of the encryption key database 210 of the terminal A.
  • the information generation unit 184 When the information generation unit 184 receives the key list L1 from the list reception unit 185, the information generation unit 184 extracts the key information of the encryption key whose flag is “unused” from the encryption key database 220. The information generation unit 184 generates the extracted key information list as the key list L2. The information generation unit 184 compares the key list L1 and the key list L2. The information generation unit 184 selects key information in both lists as a result of comparison. For example, the key information I1 is key information in both lists. The information generation unit 184 passes the selected key information to the information transmission unit 186. At this time, the information generating unit 184 sets the encryption key flag that matches the selected key information to “in use” in the encryption key database 220. The key information selected by the information generation unit 184 corresponds to the key information generated by the information generation unit 184.
  • FIG. 10 shows a specific example of processing performed when the management unit 167 of the encryption communication device 111 of the terminal A receives the key information I1.
  • the management unit 167 Upon receiving the key information I1 from the information receiving unit 166, the management unit 167 searches the encryption key database 210 of the storage medium 154 for the encryption key K1 having the same key information I1. The management unit 167 sets the flag of the encryption key K1 to “in use”.
  • FIG. 11 shows a specific example of processing performed when the management unit 167 of the encryption communication device 111 of the terminal A expands the encryption key in the buffer M1.
  • the management unit 167 reads the key data of the encryption key K1 having the same key information I1 received from the information receiving unit 166.
  • the management unit 167 expands the read key data of the encryption key K1 in the buffer M1 of the memory 155.
  • the management unit 167 deletes the encryption key K1 expanded in the buffer M1 from the encryption key database 210 of the storage medium 154.
  • the management unit 187 of the encryption communication device 121 of the terminal B reads the key data of the encryption key K1 having the same key information I1 as that generated by the information generation unit 184.
  • the management unit 187 expands the read key data of the encryption key K1 in the buffer M2 of the memory 175.
  • the management unit 187 deletes the encryption key K1 expanded in the buffer M2 from the encryption key database 220 of the storage medium 174.
  • FIG. 12 shows a specific example of processing performed by the encryption unit 168 of the encryption communication device 111 of the terminal A.
  • the encryption unit 168 When the encryption unit 168 receives the communication data D1 from the data reception unit 162, the encryption unit 168 reads the key data of the encryption key K1 from the buffer M1 of the memory 155. The encryption unit 168 calculates the exclusive OR of the read key data of the encryption key K1 and the communication data D1. The encryption unit 168 passes the calculation result to the data transmission unit 169 as encrypted data E1.
  • FIG. 13 shows a specific example of processing performed by the decryption unit 188 of the encryption communication device 121 of the terminal B.
  • the decrypting unit 188 When receiving the encrypted data E1 from the data receiving unit 189, the decrypting unit 188 reads the key data of the encryption key K1 from the buffer M2 of the memory 175. The decryption unit 188 calculates an exclusive OR of the read key data of the encryption key K1 and the encrypted data E1. The decryption unit 188 passes the calculation result to the data transmission unit 182 as communication data D1.
  • FIG. 14 shows a specific example of processing performed when the management unit 167 of the encryption communication device 111 of the terminal A detects that the key data of the encryption key in the buffer M1 has decreased.
  • the management unit 167 monitors the buffer M1 used in the encrypted communication while the encrypted communication is continued.
  • the management unit 167 estimates the time until the key data of the encryption key is exhausted from the speed at which the key data of the encryption key decreases and the remaining amount of the key data of the encryption key.
  • the management unit 167 calls a key confirmation process to maintain a state where the encryption key of the buffer M1 is not exhausted.
  • the management unit 187 of the encryption communication device 121 of the terminal B monitors the buffer M2 used in the encryption communication while the encryption communication is continued.
  • the management unit 187 estimates the time until the key data of the encryption key is exhausted from the speed at which the key data of the encryption key decreases and the remaining amount of key data of the current encryption key.
  • the management unit 187 maintains a state where the encryption key of the buffer M2 is not depleted by calling the key confirmation process when the estimated time is less than a certain value.
  • the encryption communication device 111 and the encryption communication device 121 manage the encryption key, so that each of the applications 114 and 124 individually manages the encryption key. An increase in capacity can be avoided. In addition, by providing a separate buffer for each of the applications 114 and 124 and supplying an encryption key before the buffer runs out, a system that does not cause a delay during encryption communication can be realized.
  • the data capacity in the encryption communication terminals 110 and 120 is reduced, and the encryption communication is performed. It is possible to achieve both a delay and no delay.
  • a new encryption key is added to the buffer according to the speed at which the number of encryption keys in the buffer decreases while the encryption communication continues. For this reason, it is possible to eliminate a delay that occurs until the encryption key is replenished after the encryption key is depleted.
  • Each of the cryptographic communication devices 111 and 121 is a computer.
  • the cryptographic communication devices 111 and 121 include hardware such as a processor 901, an auxiliary storage device 902, a memory 903, a communication device 904, an input interface 905, and a display interface 906, respectively.
  • the processor 901 is connected to other hardware via the signal line 910, and controls these other hardware.
  • the input interface 905 is connected to the input device 907.
  • the display interface 906 is connected to the display 908.
  • the processor 901 is an IC (Integrated Circuit) that performs processing.
  • the processor 901 is, for example, a CPU, a DSP (Digital Signal Processor), or a GPU (Graphics Processing Unit).
  • the auxiliary storage device 902 is, for example, a ROM (Read / Only / Memory), a flash memory, or an HDD (Hard / Disk / Drive).
  • the storage medium 154 of the encryption communication device 111 and the storage medium 174 of the encryption communication device 121 correspond to the auxiliary storage device 902, respectively.
  • the memory 903 is, for example, a RAM (Random Access Memory).
  • the memory 155 of the cryptographic communication device 111 and the memory 175 of the cryptographic communication device 121 correspond to the memory 903, respectively.
  • the communication device 904 includes a receiver 921 that receives data and a transmitter 922 that transmits data.
  • the communication device 904 is, for example, a communication chip or a NIC (Network, Interface, Card).
  • the wired interface 151 and the communication interface 153 of the cryptographic communication device 111 and the wired interface 171 and the communication interface 173 of the cryptographic communication device 121 correspond to the communication device 904, respectively.
  • the internal interface 152 of the cryptographic communication device 111 and the internal interface 172 of the cryptographic communication device 121 are each a bus interface or the like.
  • the input interface 905 is a port to which the cable 911 of the input device 907 is connected.
  • the input interface 905 is, for example, a USB (Universal / Serial / Bus) terminal.
  • the display interface 906 is a port to which the cable 912 of the display 908 is connected.
  • the display interface 906 is, for example, a USB terminal or an HDMI (registered trademark) (High Definition, Multimedia, Interface) terminal.
  • the input device 907 is, for example, a mouse, a touch pen, a keyboard, or a touch panel.
  • the display 908 is, for example, an LCD (Liquid / Crystal / Display).
  • the auxiliary storage device 902 includes an acquisition unit 161, a data reception unit 162, a request reception unit 163, a list generation unit 164, a list transmission unit 165, an information reception unit 166, a management unit 167, an encryption unit 168, Data transmission unit 169 or acquisition unit 181, data transmission unit 182, request reception unit 183, information generation unit 184, list reception unit 185, information transmission unit 186, management unit 187, decryption unit 188, data
  • a program for realizing the function of “unit” such as the receiving unit 189 is stored. This program is loaded into the memory 903, read into the processor 901, and executed by the processor 901.
  • the auxiliary storage device 902 also stores an OS (Operating System). At least a part of the OS is loaded into the memory 903, and the processor 901 executes a program that realizes the function of “unit” while executing the OS.
  • OS Operating System
  • one processor 901 is shown, but the cryptographic communication apparatuses 111 and 121 may each include a plurality of processors 901. A plurality of processors 901 may execute a program for realizing the function of “unit” in cooperation with each other.
  • auxiliary storage device 902 Information, data, signal values, and variable values indicating the processing results of “unit” are stored in the auxiliary storage device 902, the memory 903, or a register or cache memory in the processor 901.
  • Parts may be provided on “Circuits”. Further, “part” may be read as “circuit”, “process”, “procedure”, or “processing”. “Circuit” and “Circuitry” include not only the processor 901 but also other logic ICs, GA (Gate-Array), ASIC (Application-Specific-Integrated-Circuit), FPGA (Field-Programmable-Gate-Array), etc. It is a concept that includes various types of processing circuits.
  • 100 communication system 110 encryption communication terminal, 111 encryption communication device, 112 processing device, 113 program, 114 application, 115 key sharing device, 120 encryption communication terminal, 121 encryption communication device, 122 processing device, 123 program, 124 application, 125 Key sharing device, 130 network, 151 wired interface, 152 internal interface, 153 communication interface, 154 storage medium, 155 memory, 161 acquisition unit, 162 data reception unit, 163 request reception unit, 164 list generation unit, 165 list transmission unit, 166 Information reception unit, 167 management unit, 168 encryption unit, 169 data transmission unit, 171 wired interface, 172 internal interface, 17 Communication interface, 174 storage medium, 175 memory, 181 acquisition unit, 182 data transmission unit, 183 request reception unit, 184 information generation unit, 185 list reception unit, 186 information transmission unit, 187 management unit, 188 decoding unit, 189 data reception Part, 210 encryption key database, 220 encryption key database, 901 processor, 902 auxiliary storage device, 903 memory, 904 communication device, 905 input interface

Abstract

A cryptographic communication device (111) comprises a memory (155), a management unit (167), an encryption unit (168) and a data transmission unit (169). The encryption unit (168) acquires, upon each reception of an input of communication data, one of encryption keys stored in a buffer that is an internal area of the memory (155), uses the acquired encryption key to encrypt the communication data, thereby generating encrypted data, and deletes the acquired encryption key from the buffer. The data transmission unit (169) transmits the encrypted data generated by the encryption unit (168), thereby performing a cryptographic communication. While the cryptographic communication performed by the data transmission unit (169) continues, the management unit (167) adds new encryption keys to the buffer in accordance with a rate at which the number of encryption keys in the buffer decreases.

Description

暗号通信装置及び暗号通信端末及び暗号通信方法及び暗号通信プログラムEncryption communication apparatus, encryption communication terminal, encryption communication method, and encryption communication program
 本発明は、暗号通信装置及び暗号通信端末及び暗号通信方法及び暗号通信プログラムに関するものである。 The present invention relates to an encryption communication device, an encryption communication terminal, an encryption communication method, and an encryption communication program.
 ワンタイムパッド暗号は、送信側と受信側とで鍵を共有する共通鍵暗号の一方式である。ワンタイムパッド暗号では、通信データと同一ビット数の暗号鍵を用いて暗号化が行われる。ワンタイムパッド暗号では、一度暗号化に使用された暗号鍵は再利用されない。即ち、暗号鍵は使い捨てにされる。 One-time pad encryption is a common key encryption method in which a key is shared between a transmission side and a reception side. In the one-time pad encryption, encryption is performed using an encryption key having the same number of bits as communication data. In the one-time pad encryption, the encryption key once used for encryption is not reused. That is, the encryption key is made disposable.
 ワンタイムパッド暗号の典型的な例としては、バーナム暗号がある。バーナム暗号では、通信データと暗号鍵とについて1ビットずつ排他的論理和等が計算され、計算結果が暗号化データとして送信される。通信データと暗号鍵とに1ビットでもズレが生じていると、暗号化データは正しく復号できない。そのため、通信データに対して、どの部分の暗号鍵を利用するかをどのような手段で調整するかが重要である。 A typical example of the one-time pad cipher is the Burnham cipher. In the Burnham cryptography, an exclusive OR or the like is calculated bit by bit for communication data and an encryption key, and the calculation result is transmitted as encrypted data. If even one bit is misaligned between the communication data and the encryption key, the encrypted data cannot be decrypted correctly. Therefore, what means is used to adjust which part of the encryption key is used for the communication data.
 ワンタイムパッド暗号を用いた従来の通信システムでは、暗号通信前に通信端末間で互いに持っている暗号鍵が確認され、暗号化に利用する暗号鍵が調整される。これにより、暗号鍵に部分的な抜け又はズレ等があった場合でも暗号通信が可能になっている(例えば、特許文献1参照)。 In the conventional communication system using the one-time pad encryption, the encryption keys held by the communication terminals are confirmed before the encryption communication, and the encryption keys used for encryption are adjusted. Thereby, even when there is a partial omission or deviation in the encryption key, encryption communication is possible (see, for example, Patent Document 1).
国際公開第2012/025987号International Publication No. 2012/025987
 従来の通信システムでは、一定の時間分の通信データを暗号化できるだけの暗号鍵が事前に用意される。しかし、前述したように、暗号鍵は使い捨てにされるため、暗号通信中に暗号鍵が枯渇する場合がある。その場合、暗号鍵が枯渇してから暗号鍵が補充されるまでに遅延が生じる。なお、暗号鍵が「枯渇」するというのは、暗号鍵の残数が0個になるという意味である。 In the conventional communication system, an encryption key capable of encrypting communication data for a certain time is prepared in advance. However, as described above, since the encryption key is disposable, the encryption key may be exhausted during the encryption communication. In this case, there is a delay from when the encryption key is exhausted until the encryption key is replenished. Note that the encryption key being “depleted” means that the remaining number of encryption keys is zero.
 本発明は、暗号鍵が枯渇してから暗号鍵が補充されるまでに生じる遅延を解消することを目的とする。 An object of the present invention is to eliminate a delay that occurs between the time when an encryption key is exhausted and the time when the encryption key is replenished.
 本発明の一の態様に係る暗号通信装置は、
 メモリと、
 通信データの入力を受ける度に、前記メモリの内部の領域であるバッファに格納された暗号鍵のうち1つの暗号鍵を取得し、取得した暗号鍵を使用して前記通信データを暗号化することで暗号化データを生成するとともに、取得した暗号鍵を前記バッファから削除する暗号化部と、
 前記暗号化部により生成された暗号化データを送信することで暗号通信を行うデータ送信部と、
 前記データ送信部による暗号通信が継続している間、前記バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵を前記バッファに追加する管理部とを備える。 An encryption communication apparatus according to one aspect of the present invention is provided.
Memory,
Each time communication data is input, one encryption key stored in a buffer that is an internal area of the memory is acquired, and the communication data is encrypted using the acquired encryption key. And generating encrypted data with the encryption unit for deleting the acquired encryption key from the buffer,
A data transmission unit that performs cryptographic communication by transmitting the encrypted data generated by the encryption unit;
A management unit that adds a new encryption key to the buffer according to a speed at which the number of encryption keys in the buffer decreases while encryption communication by the data transmission unit continues.
 本発明では、暗号通信が継続している間、バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵がバッファに追加される。このため、暗号鍵が枯渇してから暗号鍵が補充されるまでに生じる遅延を解消することができる。 In the present invention, a new encryption key is added to the buffer according to the speed at which the number of encryption keys in the buffer decreases while the encrypted communication continues. For this reason, it is possible to eliminate a delay that occurs until the encryption key is replenished after the encryption key is depleted.
実施の形態1に係る通信システムの構成を示すブロック図。1 is a block diagram illustrating a configuration of a communication system according to Embodiment 1. FIG. 実施の形態1に係る通信システムの動作を示す図。FIG. 3 shows an operation of the communication system according to the first embodiment. 実施の形態1に係る暗号通信装置の構成を示すブロック図。1 is a block diagram illustrating a configuration of an encryption communication device according to a first embodiment. 実施の形態1に係る暗号通信装置の構成を示すブロック図。1 is a block diagram illustrating a configuration of an encryption communication device according to a first embodiment. 実施の形態1に係る暗号通信装置の動作を示すフローチャート。5 is a flowchart showing the operation of the cryptographic communication apparatus according to the first embodiment. 実施の形態1に係る暗号通信装置の動作を示す詳細フローチャート。4 is a detailed flowchart showing the operation of the cryptographic communication apparatus according to the first embodiment. 実施の形態1に係る暗号通信装置の動作を示す詳細フローチャート。4 is a detailed flowchart showing the operation of the cryptographic communication apparatus according to the first embodiment. 実施の形態1に係る暗号通信装置の処理の具体例を示す図。FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment. 実施の形態1に係る暗号通信装置の処理の具体例を示す図。FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment. 実施の形態1に係る暗号通信装置の処理の具体例を示す図。FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment. 実施の形態1に係る暗号通信装置の処理の具体例を示す図。FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment. 実施の形態1に係る暗号通信装置の処理の具体例を示す図。FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment. 実施の形態1に係る暗号通信装置の処理の具体例を示す図。FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment. 実施の形態1に係る暗号通信装置の処理の具体例を示す図。FIG. 4 is a diagram illustrating a specific example of processing of the cryptographic communication apparatus according to the first embodiment. 本発明の実施の形態に係る暗号通信装置のハードウェア構成例を示す図。The figure which shows the hardware structural example of the encryption communication apparatus which concerns on embodiment of this invention.
 以下、本発明の実施の形態について、図を用いて説明する。なお、各図中、同一又は相当する部分には、同一符号を付している。実施の形態の説明において、同一又は相当する部分については、その説明を適宜省略又は簡略化する。 Hereinafter, embodiments of the present invention will be described with reference to the drawings. In addition, the same code | symbol is attached | subjected to the part which is the same or it corresponds in each figure. In the description of the embodiments, the description of the same or corresponding parts will be omitted or simplified as appropriate.
 実施の形態1.
 まず、本実施の形態の概要として、本実施の形態に係るシステムの構成、本実施の形態に係るシステムの動作、本実施の形態の効果を順番に説明する。 Embodiment 1 FIG.
First, as an outline of the present embodiment, the configuration of the system according to the present embodiment, the operation of the system according to the present embodiment, and the effects of the present embodiment will be described in order.
 ***構成の説明***
 図1を参照して、本実施の形態に係るシステムである通信システム100の構成を説明する。 *** Explanation of configuration ***
With reference to FIG. 1, the structure of the communication system 100 which is a system based on this Embodiment is demonstrated.
 通信システム100は、複数の暗号通信端末110,120を備える。 The communication system 100 includes a plurality of encryption communication terminals 110 and 120.
 本実施の形態において、暗号通信端末110,120は、それぞれスマートフォン、タブレット、携帯電話機といった携帯端末である。なお、暗号通信端末110,120は、それぞれパーソナルコンピュータ等、携帯端末以外の端末であってもよい。 In the present embodiment, the encryption communication terminals 110 and 120 are mobile terminals such as smartphones, tablets, and mobile phones, respectively. The encryption communication terminals 110 and 120 may be terminals other than mobile terminals such as personal computers.
 送信側の暗号通信端末110である端末Aは、暗号通信装置111と、処理装置112とを備える。 The terminal A which is the encryption communication terminal 110 on the transmission side includes an encryption communication device 111 and a processing device 112.
 暗号通信装置111は、通信データの入力を受ける度に、使い捨ての暗号鍵を使用して通信データを暗号化することで暗号化データを生成する。暗号通信装置111は、生成した暗号化データを送信することで暗号通信を行う。 The encrypted communication device 111 generates encrypted data by encrypting the communication data using a disposable encryption key every time the communication data is received. The cryptographic communication device 111 performs cryptographic communication by transmitting the generated encrypted data.
 処理装置112は、通信データを暗号通信装置111に入力するプログラム113を実行する。本実施の形態において、プログラム113は、複数のアプリケーション114である。処理装置112は、具体的には、CPU(Central・Processing・Unit)等のプロセッサである。 The processing device 112 executes a program 113 that inputs communication data to the encryption communication device 111. In the present embodiment, the program 113 is a plurality of applications 114. Specifically, the processing device 112 is a processor such as a CPU (Central Processing Unit).
 端末Aには、鍵共有装置115を接続することができる。暗号通信装置111は、端末Aに鍵共有装置115が接続されている場合に、鍵共有装置115から暗号鍵を取得することができる。暗号通信装置111は、端末Aに鍵共有装置115が接続されていない場合には、予め暗号鍵を記憶しておくか、独自に暗号鍵を生成する。 The key sharing device 115 can be connected to the terminal A. The cryptographic communication apparatus 111 can acquire the cryptographic key from the key sharing apparatus 115 when the key sharing apparatus 115 is connected to the terminal A. When the key sharing device 115 is not connected to the terminal A, the encryption communication device 111 stores the encryption key in advance or generates the encryption key independently.
 受信側の暗号通信端末120である端末Bは、暗号通信装置121と、処理装置122とを備える。 Terminal B, which is the encryption communication terminal 120 on the receiving side, includes an encryption communication device 121 and a processing device 122.
 暗号通信装置121は、暗号化データを受信することで暗号通信を行う。暗号通信装置121は、暗号化データを受信する度に、使い捨ての暗号鍵を使用して暗号化データを復号することで通信データを生成する。 The cryptographic communication device 121 performs cryptographic communication by receiving encrypted data. Each time the encrypted communication device 121 receives encrypted data, the encrypted communication device 121 generates communication data by decrypting the encrypted data using a disposable encryption key.
 処理装置122は、通信データの入力を暗号通信装置121から受けるプログラム123を実行する。本実施の形態において、プログラム123は、複数のアプリケーション124である。処理装置122は、具体的には、CPU等のプロセッサである。 The processing device 122 executes a program 123 that receives input of communication data from the encryption communication device 121. In the present embodiment, the program 123 is a plurality of applications 124. Specifically, the processing device 122 is a processor such as a CPU.
 端末Bには、鍵共有装置125を接続することができる。暗号通信装置121は、端末Bに鍵共有装置125が接続されている場合に、鍵共有装置125から暗号鍵を取得することができる。暗号通信装置121は、端末Bに鍵共有装置125が接続されていない場合には、予め暗号鍵を記憶しておくか、独自に暗号鍵を生成する。 The key sharing device 125 can be connected to the terminal B. The cryptographic communication apparatus 121 can acquire the cryptographic key from the key sharing apparatus 125 when the key sharing apparatus 125 is connected to the terminal B. When the key sharing device 125 is not connected to the terminal B, the encryption communication device 121 stores the encryption key in advance or generates the encryption key independently.
 端末Aと端末Bは、インターネット等のネットワーク130に接続されている。 Terminal A and terminal B are connected to a network 130 such as the Internet.
 本実施の形態では、暗号通信端末110,120同士の暗号通信が、ネットワーク130を介して、暗号通信端末110,120のそれぞれに内蔵された暗号通信装置111,121により行われる。暗号通信装置111,121は、暗号通信端末110,120のそれぞれで実行されるアプリケーション114,124とは独立した暗号通信モジュールである。よって、本実施の形態では、暗号通信機能を持たないアプリケーション114,124でも暗号通信を利用することが可能となる。 In the present embodiment, cryptographic communication between the cryptographic communication terminals 110 and 120 is performed by the cryptographic communication devices 111 and 121 incorporated in the cryptographic communication terminals 110 and 120 via the network 130, respectively. The cryptographic communication devices 111 and 121 are cryptographic communication modules that are independent of the applications 114 and 124 executed by the cryptographic communication terminals 110 and 120, respectively. Therefore, in this embodiment, it is possible to use encrypted communication even in the applications 114 and 124 that do not have the encrypted communication function.
 暗号通信装置111,121は、後述するように、各アプリケーション114,124用に暗号鍵を一時保有するバッファを持つ。暗号通信端末110において、各アプリケーション114が他の暗号通信端末120との通信を行う場合には、該当するバッファにある暗号鍵を用いて暗号通信が行われる。暗号通信端末120においても同じである。 The encryption communication devices 111 and 121 have buffers for temporarily storing encryption keys for the applications 114 and 124, as will be described later. In the encryption communication terminal 110, when each application 114 communicates with another encryption communication terminal 120, encryption communication is performed using the encryption key in the corresponding buffer. The same applies to the encryption communication terminal 120.
 暗号通信装置111,121は、各アプリケーション114,124用のバッファを管理する。暗号通信によりバッファ内の暗号鍵が減少した場合には、暗号通信装置111,121が、暗号通信により消費される暗号鍵の量とバッファ内の暗号鍵の残量とを基に、必要であればバッファに暗号鍵を追加する。 The cryptographic communication devices 111 and 121 manage buffers for the applications 114 and 124, respectively. When the encryption key in the buffer decreases due to encryption communication, the encryption communication devices 111 and 121 need to be based on the amount of encryption key consumed by encryption communication and the remaining amount of encryption key in the buffer. Add the encryption key to the buffer.
 なお、暗号通信端末110,120のうちいずれか1台又は両方に、送信側の暗号通信モジュールと受信側の暗号通信モジュールとの両方が搭載されていてもよい。即ち、端末Aの暗号通信装置111が、送信側と受信側との両方の機能を有していてもよい。その場合、暗号通信装置111は、送信側と受信側との2つの暗号通信モジュールで構成されてもよいし、送信側と受信側とが統合された1つの暗号通信モジュールで構成されてもよい。端末Bの暗号通信装置121についても、端末Aの暗号通信装置111と同じである。 It should be noted that both one or both of the encryption communication terminals 110 and 120 may be equipped with both the encryption communication module on the transmission side and the encryption communication module on the reception side. That is, the encryption communication device 111 of the terminal A may have both functions of the transmission side and the reception side. In that case, the cryptographic communication device 111 may be configured by two cryptographic communication modules of the transmission side and the reception side, or may be configured by one cryptographic communication module in which the transmission side and the reception side are integrated. . The encryption communication device 121 of the terminal B is the same as the encryption communication device 111 of the terminal A.
 通信システム100が備える暗号通信端末の台数は、2台に限らず、3台以上でもよい。3台以上の暗号通信端末のうち、少なくとも1台の暗号通信端末に送信側の暗号通信モジュールが搭載され、他の少なくとも1台の暗号通信端末に受信側の暗号通信モジュールが搭載されていれば、残りの暗号通信端末には、送信側の暗号通信モジュールと受信側の暗号通信モジュールとのうち少なくともいずれかが搭載されていればよい。 The number of encryption communication terminals provided in the communication system 100 is not limited to two, and may be three or more. Of the three or more encryption communication terminals, at least one encryption communication terminal is equipped with a transmission-side encryption communication module, and at least one other encryption communication terminal is equipped with a reception-side encryption communication module. The remaining encrypted communication terminals only need to be equipped with at least one of the transmitting-side encrypted communication module and the receiving-side encrypted communication module.
 ***動作の説明***
 図2を参照して、通信システム100の動作を説明する。具体的には、端末Aのアプリケーション114と端末Bのアプリケーション124とで、通信が行われる場合の動作の概要を説明する。この動作では、端末Aのアプリケーション114から送られた通信データが、端末Aの暗号通信装置111で暗号化される。暗号化された通信データが、端末Bの暗号通信装置121で復号される。復号された通信データが、端末Bのアプリケーション124で受け取られる。 *** Explanation of operation ***
The operation of the communication system 100 will be described with reference to FIG. Specifically, an outline of operation when communication is performed between the application 114 of the terminal A and the application 124 of the terminal B will be described. In this operation, communication data transmitted from the application 114 of the terminal A is encrypted by the encryption communication device 111 of the terminal A. The encrypted communication data is decrypted by the encryption communication device 121 of the terminal B. The decrypted communication data is received by the application 124 of the terminal B.
 まず、端末Aのアプリケーション114は、端末Bの宛先情報T1を端末Aの暗号通信装置111に送る。暗号通信装置111は、宛先情報T1から端末Bを特定する。暗号通信装置111は、自身の保有する暗号鍵群G1から鍵リストL1を作成する。暗号鍵群G1には、暗号鍵K1が含まれる。暗号通信装置111は、端末Bの暗号通信装置121に鍵リストL1を送信する。 First, the application 114 of the terminal A sends the destination information T1 of the terminal B to the encryption communication device 111 of the terminal A. The encryption communication device 111 identifies the terminal B from the destination information T1. The encryption communication device 111 creates the key list L1 from the encryption key group G1 that it owns. The encryption key group G1 includes an encryption key K1. The encryption communication device 111 transmits the key list L1 to the encryption communication device 121 of the terminal B.
 端末Bのアプリケーション124は、端末Aの宛先情報T2を端末Bの暗号通信装置121に送る。暗号通信装置121は、宛先情報T2から端末Aを特定する。暗号通信装置121は、端末Aの暗号通信装置111から鍵リストL1を受信する。暗号通信装置121は、自身の保有する暗号鍵群G2から鍵リストL2を作成する。暗号鍵群G2には、暗号鍵K1が含まれる。ただし、暗号鍵群G2に含まれる暗号鍵の全てが暗号鍵群G1に含まれる暗号鍵と一致している必要はない。暗号通信装置121は、鍵リストL1と鍵リストL2とから、暗号通信で利用する暗号鍵K1を特定する。暗号通信装置121は、暗号鍵K1の識別情報である鍵情報I1を端末Aの暗号通信装置111に送信する。 The application 124 of the terminal B sends the destination information T2 of the terminal A to the encryption communication device 121 of the terminal B. The encryption communication device 121 identifies the terminal A from the destination information T2. The encryption communication device 121 receives the key list L1 from the encryption communication device 111 of the terminal A. The encryption communication device 121 creates a key list L2 from the encryption key group G2 held by itself. The encryption key group G2 includes an encryption key K1. However, not all of the encryption keys included in the encryption key group G2 need to match the encryption keys included in the encryption key group G1. The encryption communication device 121 specifies the encryption key K1 used for encryption communication from the key list L1 and the key list L2. The encryption communication device 121 transmits key information I1 that is identification information of the encryption key K1 to the encryption communication device 111 of the terminal A.
 端末Aの暗号通信装置111は、鍵情報I1を受信する。暗号通信装置111は、鍵情報I1が指す暗号鍵K1のデータを、端末Aのアプリケーション114に割り当てられたバッファM1に展開する。端末Bの暗号通信装置121においても、鍵情報I1が指す暗号鍵K1のデータを、端末Bのアプリケーション124に割り当てられたバッファM2に展開する。 The encryption communication device 111 of the terminal A receives the key information I1. The encryption communication device 111 expands the data of the encryption key K1 pointed to by the key information I1 in the buffer M1 assigned to the application 114 of the terminal A. Also in the encryption communication device 121 of the terminal B, the data of the encryption key K1 pointed to by the key information I1 is expanded in the buffer M2 assigned to the application 124 of the terminal B.
 その後、端末Aのアプリケーション114から端末Aの暗号通信装置111に通信データD1が送られたとすると、暗号通信装置111は、バッファM1にある暗号鍵K1を使って通信データD1を暗号化し、暗号化データE1を作成する。暗号通信装置111は、端末Bの暗号通信装置121に暗号化データE1を送信する。 Thereafter, if the communication data D1 is sent from the application 114 of the terminal A to the encryption communication device 111 of the terminal A, the encryption communication device 111 encrypts the communication data D1 by using the encryption key K1 in the buffer M1, and encrypts it. Data E1 is created. The encryption communication device 111 transmits the encrypted data E1 to the encryption communication device 121 of the terminal B.
 端末Bの暗号通信装置121は、暗号化データE1を受信する。暗号通信装置121は、バッファM2にある暗号鍵K1を使って暗号化データE1を復号し、通信データD1を得る。暗号通信装置121は、通信データD1を端末Bのアプリケーション124に送る。 The encryption communication device 121 of the terminal B receives the encrypted data E1. The encryption communication device 121 decrypts the encrypted data E1 using the encryption key K1 in the buffer M2, and obtains communication data D1. The encryption communication device 121 sends the communication data D1 to the application 124 of the terminal B.
 以降、端末Aのアプリケーション114から端末Aの暗号通信装置111に送られる通信データがなくなるまで、同様の処理が繰り返される。なお、「同様の処理」とは、処理ごとに異なる暗号鍵を使って上記と同じ手順で行われる処理のことである。 Thereafter, the same processing is repeated until there is no communication data transmitted from the application 114 of the terminal A to the encryption communication device 111 of the terminal A. Note that “similar processing” refers to processing performed in the same procedure as described above using a different encryption key for each processing.
 ここで、バッファM1及びバッファM2にある暗号鍵が暗号通信により消費されることで、暗号鍵が不足し、暗号通信が行えない場合が想定される。そのため、端末Aの暗号通信装置111と端末Bの暗号通信装置121は、それぞれバッファM1及びバッファM2の暗号鍵の減少速度を監視する。 Here, it is assumed that the encryption keys in the buffer M1 and the buffer M2 are consumed by the encryption communication, so that the encryption key is insufficient and the encryption communication cannot be performed. Therefore, the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B monitor the decrease speeds of the encryption keys in the buffer M1 and the buffer M2, respectively.
 端末Aの暗号通信装置111と端末Bの暗号通信装置121は、それぞれバッファM1及びバッファM2の暗号鍵がなくなる前に、バッファM1及びバッファM2に暗号鍵を追加する。追加する暗号鍵を特定するために、端末Aの暗号通信装置111は、自身の保有する暗号鍵群G3から鍵リストL3を作成する。暗号鍵群G3には、暗号鍵K3が含まれる。暗号通信装置111は、端末Bの暗号通信装置121に鍵リストL3を送信する。 The encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B add the encryption keys to the buffer M1 and the buffer M2 before the encryption keys of the buffer M1 and the buffer M2 respectively disappear. In order to specify the encryption key to be added, the encryption communication device 111 of the terminal A creates a key list L3 from the encryption key group G3 held by itself. The encryption key group G3 includes an encryption key K3. The encryption communication device 111 transmits the key list L3 to the encryption communication device 121 of the terminal B.
 端末Bの暗号通信装置121は、鍵リストL3を受信する。暗号通信装置121は、自身の保有する暗号鍵群G4から鍵リストL4を作成する。暗号鍵群G4には、暗号鍵K3が含まれる。ただし、暗号鍵群G4に含まれる暗号鍵の全てが暗号鍵群G3に含まれる暗号鍵と一致している必要はない。暗号通信装置121は、鍵リストL3と鍵リストL4とから、暗号通信で利用する暗号鍵K2を特定する。暗号通信装置121は、暗号鍵K2の識別情報である鍵情報I2を端末Aの暗号通信装置111に送信する。 The encryption communication device 121 of the terminal B receives the key list L3. The encryption communication device 121 creates a key list L4 from the encryption key group G4 that it owns. The encryption key group G4 includes an encryption key K3. However, not all of the encryption keys included in the encryption key group G4 need to match the encryption keys included in the encryption key group G3. The encryption communication device 121 specifies the encryption key K2 used for encryption communication from the key list L3 and the key list L4. The encryption communication device 121 transmits key information I2 that is identification information of the encryption key K2 to the encryption communication device 111 of the terminal A.
 端末Aの暗号通信装置111は、鍵情報I2を受信する。暗号通信装置111は、鍵情報I2が指す暗号鍵K2のデータを、端末Aのアプリケーション114に割り当てられたバッファM1に展開する。端末Bの暗号通信装置121においても、鍵情報I2が指す暗号鍵K2のデータを、端末Bのアプリケーション124に割り当てられたバッファM2に展開する。 The encryption communication device 111 of the terminal A receives the key information I2. The encryption communication device 111 expands the data of the encryption key K2 pointed to by the key information I2 in the buffer M1 assigned to the application 114 of the terminal A. Also in the encryption communication apparatus 121 of the terminal B, the data of the encryption key K2 pointed to by the key information I2 is expanded in the buffer M2 assigned to the application 124 of the terminal B.
 ***効果の説明***
 本実施の形態では、上記のように、特定のアプリケーション114,124の暗号通信中に暗号鍵が枯渇する前に暗号鍵を追加することで、暗号鍵が枯渇してから暗号鍵が追加されるまでに生じる遅延を解消することができる。 *** Explanation of effects ***
In the present embodiment, as described above, the encryption key is added after the encryption key is depleted by adding the encryption key before the encryption key is exhausted during the encryption communication of the specific application 114, 124. It is possible to eliminate the delay that occurs up to.
 また、本実施の形態では、同一の暗号通信端末110,120内で、複数のアプリケーション114,124がワンタイムパッド暗号通信を行う場合に、それぞれのアプリケーション114,124で専用の暗号鍵を保有する必要がない。よって、暗号通信端末110,120内のデータ容量を削減することができる。 In the present embodiment, when a plurality of applications 114 and 124 perform one-time pad encryption communication in the same encryption communication terminal 110 and 120, each application 114 and 124 has a dedicated encryption key. There is no need. Therefore, the data capacity in the encryption communication terminals 110 and 120 can be reduced.
 また、本実施の形態では、暗号鍵を取得するための通信路を、暗号通信を行う通信路とは別に用意する必要がない。 In this embodiment, it is not necessary to prepare a communication path for acquiring the encryption key separately from a communication path for performing encryption communication.
 次に、本実施の形態の詳細として、暗号通信装置111,121の構成、暗号通信装置111,121の動作、本実施の形態の効果を順番に説明する。 Next, as the details of the present embodiment, the configuration of the cryptographic communication devices 111 and 121, the operation of the cryptographic communication devices 111 and 121, and the effects of the present embodiment will be described in order.
 ***構成の説明***
 図3を参照して、端末Aの暗号通信装置111の構成を説明する。 *** Explanation of configuration ***
With reference to FIG. 3, the structure of the encryption communication apparatus 111 of the terminal A is demonstrated.
 暗号通信装置111は、有線インタフェース151と、内部インタフェース152と、通信インタフェース153と、記憶媒体154と、メモリ155とを備える。また、暗号通信装置111は、取得部161と、データ受け付け部162と、要求受け付け部163と、リスト生成部164と、リスト送信部165と、情報受信部166と、管理部167と、暗号化部168と、データ送信部169とを備える。 The cryptographic communication device 111 includes a wired interface 151, an internal interface 152, a communication interface 153, a storage medium 154, and a memory 155. In addition, the encryption communication device 111 includes an acquisition unit 161, a data reception unit 162, a request reception unit 163, a list generation unit 164, a list transmission unit 165, an information reception unit 166, a management unit 167, and an encryption Unit 168 and a data transmission unit 169.
 有線インタフェース151は、外部装置と通信を行うためのインタフェースである。有線インタフェース151は、鍵共有装置115から暗号鍵を取得するために用いられる。なお、有線インタフェース151は、無線インタフェースに置き換えることができる。 The wired interface 151 is an interface for communicating with an external device. The wired interface 151 is used to acquire an encryption key from the key sharing device 115. The wired interface 151 can be replaced with a wireless interface.
 内部インタフェース152は、端末A内のアプリケーション114と通信を行うためのインタフェースである。内部インタフェース152は、アプリケーション114と宛先情報及び通信データのやり取りを行うために用いられる。 The internal interface 152 is an interface for communicating with the application 114 in the terminal A. The internal interface 152 is used for exchanging destination information and communication data with the application 114.
 通信インタフェース153は、他の端末と通信を行うためのインタフェースである。通信インタフェース153は、端末Bと通信を行うために用いられる。 The communication interface 153 is an interface for communicating with other terminals. The communication interface 153 is used for communicating with the terminal B.
 記憶媒体154は、取得部161で取得された暗号鍵群を記憶する。 The storage medium 154 stores the encryption key group acquired by the acquisition unit 161.
 メモリ155は、端末Aのアプリケーション114に関連付けられたバッファを有する。 The memory 155 has a buffer associated with the application 114 of the terminal A.
 取得部161は、有線インタフェース151を介して、鍵共有装置115から暗号鍵を取得する。取得部161は、取得した暗号鍵を記憶媒体154に保存する。 The acquisition unit 161 acquires the encryption key from the key sharing device 115 via the wired interface 151. The acquisition unit 161 stores the acquired encryption key in the storage medium 154.
 データ受け付け部162は、内部インタフェース152を介して、端末Aのアプリケーション114から通信データを受け取る。データ受け付け部162は、受け取った通信データを暗号化部168に渡す。 The data receiving unit 162 receives communication data from the application 114 of the terminal A via the internal interface 152. The data reception unit 162 passes the received communication data to the encryption unit 168.
 要求受け付け部163は、内部インタフェース152を介して、端末Aのアプリケーション114から宛先情報を受け取る。要求受け付け部163は、リスト生成部164に鍵リストの生成を指示する。 The request reception unit 163 receives destination information from the application 114 of the terminal A through the internal interface 152. The request reception unit 163 instructs the list generation unit 164 to generate a key list.
 リスト生成部164は、要求受け付け部163から宛先情報を受け取る。リスト生成部164は、記憶媒体154にある暗号鍵群から鍵リストを生成する。リスト生成部164は、生成した鍵リストを、宛先情報とともにリスト送信部165に渡す。 The list generation unit 164 receives the destination information from the request reception unit 163. The list generation unit 164 generates a key list from the encryption key group in the storage medium 154. The list generation unit 164 passes the generated key list to the list transmission unit 165 together with the destination information.
 リスト送信部165は、リスト生成部164から鍵リストと宛先情報とを受け取る。リスト送信部165は、宛先情報に記載されている宛先である端末Bに、通信インタフェース153を介して鍵リストを送信する。 The list transmission unit 165 receives the key list and the destination information from the list generation unit 164. The list transmission unit 165 transmits the key list to the terminal B, which is the destination described in the destination information, via the communication interface 153.
 情報受信部166は、リスト送信部165が鍵リストを送信した相手である端末Bから、通信インタフェース153を介して、暗号鍵の識別情報である鍵情報を受信する。情報受信部166は、受信した鍵情報を管理部167に渡す。 The information receiving unit 166 receives key information that is identification information of an encryption key from the terminal B that is the partner to which the list transmitting unit 165 has transmitted the key list, via the communication interface 153. The information receiving unit 166 passes the received key information to the management unit 167.
 管理部167は、情報受信部166から受け取った鍵情報に合致する暗号鍵を記憶媒体154から取得する。管理部167は、記憶媒体154にある暗号鍵に使用中であることを示すフラグを設定する。そして、管理部167は、メモリ155の端末Aのアプリケーション114に関連付けたバッファに暗号鍵を展開する。ここで、メモリ155に、端末Aのアプリケーション114に関連付けたバッファがない場合には、管理部167は、メモリ155に、そのバッファを設定する。管理部167は、バッファに展開した暗号鍵を記憶媒体154から削除する。 The management unit 167 acquires an encryption key that matches the key information received from the information reception unit 166 from the storage medium 154. The management unit 167 sets a flag indicating that the encryption key in the storage medium 154 is being used. Then, the management unit 167 expands the encryption key in a buffer associated with the application 114 of the terminal A in the memory 155. Here, when there is no buffer associated with the application 114 of the terminal A in the memory 155, the management unit 167 sets the buffer in the memory 155. The management unit 167 deletes the encryption key expanded in the buffer from the storage medium 154.
 暗号化部168は、データ受け付け部162から通信データを受け取る。暗号化部168は、メモリ155にある端末Aのアプリケーション114に関連付けられたバッファから暗号鍵のビット列を取得する。暗号化部168は、取得した暗号鍵のビット列を使って通信データをワンタイムパッド暗号により暗号化し、暗号化データを生成する。暗号化部168は、生成した暗号化データをデータ送信部169に渡す。 The encryption unit 168 receives communication data from the data reception unit 162. The encryption unit 168 acquires the bit string of the encryption key from the buffer associated with the application 114 of the terminal A in the memory 155. The encryption unit 168 encrypts the communication data with the one-time pad encryption using the acquired bit string of the encryption key, and generates encrypted data. The encryption unit 168 passes the generated encrypted data to the data transmission unit 169.
 データ送信部169は、通信インタフェース153を介して、暗号化部168から受け取った暗号化データを送信する。 The data transmission unit 169 transmits the encrypted data received from the encryption unit 168 via the communication interface 153.
 図4を参照して、端末Bの暗号通信装置121の構成を説明する。 With reference to FIG. 4, the configuration of the encryption communication device 121 of the terminal B will be described.
 暗号通信装置121は、有線インタフェース171と、内部インタフェース172と、通信インタフェース173と、記憶媒体174と、メモリ175とを備える。また、暗号通信装置121は、取得部181と、データ送出部182と、要求受け付け部183と、情報生成部184と、リスト受信部185と、情報送信部186と、管理部187と、復号部188と、データ受信部189とを備える。 The cryptographic communication device 121 includes a wired interface 171, an internal interface 172, a communication interface 173, a storage medium 174, and a memory 175. The encryption communication apparatus 121 includes an acquisition unit 181, a data transmission unit 182, a request reception unit 183, an information generation unit 184, a list reception unit 185, an information transmission unit 186, a management unit 187, and a decryption unit. 188 and a data receiving unit 189.
 有線インタフェース171は、外部装置と通信を行うためのインタフェースである。有線インタフェース171は、鍵共有装置125から暗号鍵を取得するために用いられる。なお、有線インタフェース171は、無線インタフェースに置き換えることができる。 The wired interface 171 is an interface for communicating with an external device. The wired interface 171 is used to acquire an encryption key from the key sharing device 125. The wired interface 171 can be replaced with a wireless interface.
 内部インタフェース172は、端末B内のアプリケーション124と通信を行うためのインタフェースである。内部インタフェース172は、アプリケーション124と宛先情報及び通信データのやり取りを行うために用いられる。 The internal interface 172 is an interface for communicating with the application 124 in the terminal B. The internal interface 172 is used to exchange destination information and communication data with the application 124.
 通信インタフェース173は、他の端末と通信を行うためのインタフェースである。通信インタフェース173は、端末Aと通信を行うために用いられる。 The communication interface 173 is an interface for performing communication with other terminals. The communication interface 173 is used for communicating with the terminal A.
 記憶媒体174は、取得部181で取得された暗号鍵群を記憶する。 The storage medium 174 stores the encryption key group acquired by the acquisition unit 181.
 メモリ175は、端末Bのアプリケーション124に関連付けられたバッファを有する。 The memory 175 has a buffer associated with the application 124 of the terminal B.
 取得部181は、有線インタフェース171を介して、鍵共有装置125から暗号鍵を取得する。取得部181は、取得した暗号鍵を記憶媒体174に保存する。 The acquisition unit 181 acquires an encryption key from the key sharing device 125 via the wired interface 171. The acquisition unit 181 stores the acquired encryption key in the storage medium 174.
 要求受け付け部183は、内部インタフェース172を介して、端末Bのアプリケーション124から宛先情報を受け取る。要求受け付け部183は、リスト受信部185に鍵リストの受信待機を指示する。 The request reception unit 183 receives destination information from the application 124 of the terminal B via the internal interface 172. The request reception unit 183 instructs the list reception unit 185 to wait for reception of the key list.
 リスト受信部185は、通信インタフェース173を介して鍵リストを受信する。リスト受信部185は、受信した鍵リストを情報生成部184に渡す。 The list receiving unit 185 receives the key list via the communication interface 173. The list receiving unit 185 passes the received key list to the information generating unit 184.
 情報生成部184は、リスト受信部185から鍵リストを受け取る。情報生成部184は、記憶媒体174にある暗号鍵群から鍵リストを生成する。情報生成部184は、リスト受信部185から受け取った鍵リストと、生成した鍵リストとから、暗号鍵の識別情報である鍵情報を生成する。情報生成部184は、生成した鍵情報を情報送信部186に渡す。 The information generation unit 184 receives the key list from the list reception unit 185. The information generation unit 184 generates a key list from the encryption key group in the storage medium 174. The information generation unit 184 generates key information that is identification information of the encryption key from the key list received from the list reception unit 185 and the generated key list. The information generation unit 184 passes the generated key information to the information transmission unit 186.
 情報送信部186は、通信インタフェース173を介して、リスト受信部185が鍵リストを受信した相手である端末Aに、情報生成部184から受け取った鍵情報を送信する。情報送信部186は、送信した鍵情報を管理部187に渡す。 The information transmitting unit 186 transmits the key information received from the information generating unit 184 to the terminal A that is the partner from which the list receiving unit 185 has received the key list, via the communication interface 173. The information transmission unit 186 passes the transmitted key information to the management unit 187.
 管理部187は、情報送信部186から受け取った鍵情報に合致する暗号鍵を記憶媒体174から取得する。管理部187は、記憶媒体174にある暗号鍵に使用中であることを示すフラグを設定する。そして、管理部187は、メモリ175の端末Bのアプリケーション124に関連付けたバッファに暗号鍵を展開する。ここで、メモリ175に、端末Bのアプリケーション124に関連付けたバッファがない場合には、管理部187は、メモリ175に、そのバッファを設定する。管理部187は、バッファに展開した暗号鍵を記憶媒体174から削除する。 The management unit 187 acquires an encryption key that matches the key information received from the information transmission unit 186 from the storage medium 174. The management unit 187 sets a flag indicating that the encryption key in the storage medium 174 is being used. Then, the management unit 187 expands the encryption key in a buffer associated with the application 124 of the terminal B in the memory 175. Here, if there is no buffer associated with the application 124 of the terminal B in the memory 175, the management unit 187 sets the buffer in the memory 175. The management unit 187 deletes the encryption key expanded in the buffer from the storage medium 174.
 データ受信部189は、通信インタフェース173を介して、暗号化データを受信する。データ受信部189は、受信した暗号化データを復号部188に渡す。 The data receiving unit 189 receives the encrypted data via the communication interface 173. The data receiving unit 189 passes the received encrypted data to the decrypting unit 188.
 復号部188は、データ受信部189から暗号化データを受け取る。復号部188は、メモリ175にある端末Bのアプリケーション124に関連付けられたバッファから暗号鍵のビット列を取得する。復号部188は、取得した暗号鍵のビット列を使って暗号化データをワンタイムパッド暗号により復号し、通信データを生成する。復号部188は、生成した通信データをデータ送出部182に渡す。 The decryption unit 188 receives the encrypted data from the data reception unit 189. The decryption unit 188 acquires the bit string of the encryption key from the buffer associated with the application 124 of the terminal B in the memory 175. The decryption unit 188 decrypts the encrypted data using the one-time pad encryption using the acquired bit string of the encryption key, and generates communication data. The decryption unit 188 passes the generated communication data to the data transmission unit 182.
 データ送出部182は、通信データを復号部188から受け取る。データ送出部182は、受け取った通信データを、内部インタフェース172を介して、端末Bのアプリケーション124に渡す。 The data sending unit 182 receives the communication data from the decoding unit 188. The data transmission unit 182 passes the received communication data to the application 124 of the terminal B via the internal interface 172.
 ***動作の説明***
 図5から図7を参照して、端末Aの暗号通信装置111及び端末Bの暗号通信装置121の動作を説明する。具体的には、端末Aの暗号通信装置111が端末Aのアプリケーション114の暗号通信要求を受け取ってから、端末Bのアプリケーション124に通信データが届くまでの動作について説明する。暗号通信装置111,121の動作は、本実施の形態に係る暗号通信方法に相当する。暗号通信装置111,121の動作は、本実施の形態に係る暗号通信プログラムの処理手順に相当する。 *** Explanation of operation ***
With reference to FIG. 5 to FIG. 7, operations of the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B will be described. Specifically, an operation from when the encryption communication apparatus 111 of the terminal A receives the encryption communication request of the application 114 of the terminal A until the communication data reaches the application 124 of the terminal B will be described. The operations of the cryptographic communication devices 111 and 121 correspond to the cryptographic communication method according to the present embodiment. The operations of the cryptographic communication devices 111 and 121 correspond to the processing procedure of the cryptographic communication program according to the present embodiment.
 図5は、端末Aの暗号通信装置111及び端末Bの暗号通信装置121の大まかな処理の流れを示している。 FIG. 5 shows a rough processing flow of the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B.
 ステップS11において、端末Aのアプリケーション114と端末Bのアプリケーション124との間で任意の方法により暗号通信を利用することが決定される。端末Aの暗号通信装置111は、端末Aのアプリケーション114から暗号通信要求を受け取る。この暗号通信要求には、端末Bを指定する宛先情報T1が含まれる。端末Bの暗号通信装置121も、端末Bのアプリケーション124から暗号通信要求を受け取る。この暗号通信要求には、端末Aを指定する宛先情報T2が含まれる。 In step S11, it is determined that encryption communication is used between the application 114 of the terminal A and the application 124 of the terminal B by an arbitrary method. The encryption communication device 111 of the terminal A receives the encryption communication request from the application 114 of the terminal A. This encrypted communication request includes destination information T1 designating the terminal B. The encryption communication device 121 of the terminal B also receives the encryption communication request from the application 124 of the terminal B. This encrypted communication request includes destination information T2 for designating the terminal A.
 ステップS12において、端末Aの暗号通信装置111と端末Bの暗号通信装置121は、互いに鍵確認処理を行う。 In step S12, the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B perform a key confirmation process with each other.
 ステップS13において、端末Aの暗号通信装置111は、送信側の暗号通信処理を行う。端末Bの暗号通信装置121は、受信側の暗号通信処理を行う。 In step S13, the encryption communication device 111 of the terminal A performs the encryption communication process on the transmission side. The encryption communication device 121 of the terminal B performs reception side encryption communication processing.
 図6は、図5のステップS12における鍵確認処理の流れを示している。なお、鍵確認処理は通信データの送受信に直接関与していないため、端末Aの暗号通信装置111と端末Bの暗号通信装置121との役割は入れ替わってもよい。 FIG. 6 shows the flow of the key confirmation process in step S12 of FIG. Note that since the key confirmation processing is not directly involved in transmission / reception of communication data, the roles of the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B may be switched.
 ステップS21において、端末Aの暗号通信装置111は、記憶媒体154にある暗号鍵群G1から鍵リストL1を作成する。 In step S21, the encryption communication device 111 of the terminal A creates a key list L1 from the encryption key group G1 in the storage medium 154.
 ステップS22において、端末Aの暗号通信装置111は、ステップS21で作成した鍵リストL1を端末Bの暗号通信装置121に送信する。 In step S22, the encryption communication device 111 of the terminal A transmits the key list L1 created in step S21 to the encryption communication device 121 of the terminal B.
 ステップS23において、端末Bの暗号通信装置121は、ステップS22で送信された鍵リストL1を受信する。また、端末Bの暗号通信装置121は、記憶媒体174にある暗号鍵群G2から鍵リストL2を作成する。 In step S23, the encryption communication device 121 of the terminal B receives the key list L1 transmitted in step S22. Further, the encryption communication device 121 of the terminal B creates the key list L2 from the encryption key group G2 in the storage medium 174.
 ステップS24において、端末Bの暗号通信装置121は、ステップS23で受信した鍵リストL1と、ステップS23で作成した鍵リストL2とから、暗号通信に用いる暗号鍵K1を確定する。 In step S24, the encryption communication device 121 of the terminal B determines the encryption key K1 used for encryption communication from the key list L1 received in step S23 and the key list L2 created in step S23.
 ステップS25において、端末Bの暗号通信装置121は、記憶媒体174にある、ステップS24で確定した暗号鍵K1に対して、使用中であることを示すフラグを設定する。 In step S25, the encryption communication device 121 of the terminal B sets a flag indicating that it is in use for the encryption key K1 determined in step S24 in the storage medium 174.
 ステップS26において、端末Bの暗号通信装置121は、ステップS24で確定した暗号鍵K1の鍵情報I1を端末Aの暗号通信装置111に送信する。 In step S26, the encryption communication device 121 of the terminal B transmits the key information I1 of the encryption key K1 determined in step S24 to the encryption communication device 111 of the terminal A.
 ステップS27において、端末Aの暗号通信装置111は、ステップS26で送信された鍵情報I1を受信する。 In step S27, the encryption communication device 111 of the terminal A receives the key information I1 transmitted in step S26.
 ステップS28において、端末Aの暗号通信装置111は、記憶媒体154にある、ステップS27で受信した鍵情報I1に対応する暗号鍵K1に対して、使用中であることを示すフラグを設定する。 In step S28, the encryption communication device 111 of the terminal A sets a flag indicating that the encryption key K1 corresponding to the key information I1 received in step S27 in the storage medium 154 is in use.
 ステップS29において、端末Aの暗号通信装置111は、ステップS27で受信した鍵情報I1に対応する暗号鍵K1をメモリ155にあるバッファM1に展開し、元の暗号鍵K1を記憶媒体154から削除する。 In step S29, the encryption communication device 111 of the terminal A expands the encryption key K1 corresponding to the key information I1 received in step S27 in the buffer M1 in the memory 155, and deletes the original encryption key K1 from the storage medium 154. .
 ステップS30において、端末Aの暗号通信装置111は、暗号通信の開始を通知する。 In step S30, the encryption communication device 111 of the terminal A notifies the start of encryption communication.
 ステップS31において、端末Bの暗号通信装置121は、暗号通信の開始の通知を受ける。 In step S31, the encryption communication device 121 of the terminal B receives a notification of the start of encryption communication.
 ステップS32において、端末Bの暗号通信装置121は、ステップS25でフラグを設定した暗号鍵K1をメモリ175にあるバッファM2に展開し、元の暗号鍵K1を記憶媒体174から削除する。 In step S32, the encryption communication device 121 of the terminal B expands the encryption key K1 for which the flag is set in step S25 in the buffer M2 in the memory 175, and deletes the original encryption key K1 from the storage medium 174.
 なお、ステップS24からS29及びステップS32の処理は、暗号鍵K1だけでなく、送信側の鍵リストL1と受信側の鍵リストL2とで共通する全ての暗号鍵について行われる。 Note that the processing from step S24 to S29 and step S32 is performed not only for the encryption key K1, but also for all encryption keys common to the key list L1 on the transmission side and the key list L2 on the reception side.
 図7は、図5のステップS13における暗号通信処理の流れを示している。 FIG. 7 shows the flow of encryption communication processing in step S13 of FIG.
 ステップS41において、端末Aの暗号通信装置111は、端末Aのアプリケーション114から通信データD1を受け取る。 In step S41, the encryption communication device 111 of the terminal A receives the communication data D1 from the application 114 of the terminal A.
 ステップS42において、端末Aの暗号通信装置111は、メモリ155のバッファM1にある暗号鍵K1を用いて、ステップS41で受け取った通信データD1をワンタイムパッド暗号により暗号化し、暗号化データE1を得る。 In step S42, the encryption communication device 111 of the terminal A encrypts the communication data D1 received in step S41 with the one-time pad encryption using the encryption key K1 in the buffer M1 of the memory 155 to obtain the encrypted data E1. .
 ステップS43において、端末Aの暗号通信装置111は、ステップS42で得た暗号化データE1を端末Bの暗号通信装置121に送信する。ここで通信終了であれば、暗号通信処理が終了する。 In step S43, the encryption communication device 111 of the terminal A transmits the encrypted data E1 obtained in step S42 to the encryption communication device 121 of the terminal B. If the communication ends here, the encryption communication process ends.
 通信終了でない場合は、ステップS44において、端末Aの暗号通信装置111は、バッファM1にある暗号鍵の残量をチェックし、バッファM1に暗号鍵を追加する必要があるか判定する。暗号鍵を追加する必要がなければ、端末Aの暗号通信装置111は、次の通信データについてステップS41以降の処理を繰り返す。 If the communication is not finished, in step S44, the encryption communication device 111 of the terminal A checks the remaining amount of the encryption key in the buffer M1, and determines whether it is necessary to add the encryption key to the buffer M1. If it is not necessary to add an encryption key, the encryption communication apparatus 111 of the terminal A repeats the process after step S41 about the following communication data.
 ステップS44の判定の結果、バッファM1に暗号鍵を追加する場合には、ステップS45において、端末Aの暗号通信装置111は、鍵確認処理を行う。鍵確認処理については、図6を用いて説明した通りであるが、ステップS30及びS31における暗号通信の開始を通知する処理は不要である。 As a result of the determination in step S44, when an encryption key is added to the buffer M1, in step S45, the encryption communication device 111 of the terminal A performs a key confirmation process. The key confirmation process is as described with reference to FIG. 6, but the process of notifying the start of encrypted communication in steps S30 and S31 is not necessary.
 ステップS46において、端末Bの暗号通信装置121は、端末Aの暗号通信装置111から、ステップS43で送信された暗号化データE1を受信する。 In step S46, the encryption communication device 121 of the terminal B receives the encrypted data E1 transmitted in step S43 from the encryption communication device 111 of the terminal A.
 ステップS47において、端末Bの暗号通信装置121は、メモリ175のバッファM2にある暗号鍵K1を用いて、ステップS46で受信した暗号化データE1をワンタイムパッド暗号により復号し、通信データD1を得る。端末Bの暗号通信装置121は、通信データD1を端末Bのアプリケーション124に渡す。ここで通信終了であれば、暗号通信処理が終了する。 In step S47, the encryption communication device 121 of the terminal B uses the encryption key K1 stored in the buffer M2 of the memory 175 to decrypt the encrypted data E1 received in step S46 using the one-time pad encryption to obtain communication data D1. . The encryption communication device 121 of the terminal B passes the communication data D1 to the application 124 of the terminal B. If the communication ends here, the encryption communication process ends.
 通信終了でない場合は、ステップS48において、端末Bの暗号通信装置121は、バッファM2にある暗号鍵の残量をチェックし、バッファM2に暗号鍵を追加する必要があるか判定する。暗号鍵を追加する必要がなければ、端末Bの暗号通信装置121は、次の暗号化データについてステップS46以降の処理を繰り返す。 If the communication is not finished, in step S48, the encryption communication device 121 of the terminal B checks the remaining amount of the encryption key in the buffer M2, and determines whether it is necessary to add the encryption key to the buffer M2. If it is not necessary to add an encryption key, the encryption communication apparatus 121 of the terminal B repeats the process after step S46 about the following encryption data.
 ステップS48の判定の結果、バッファM2に暗号鍵を追加する場合には、ステップS49において、端末Bの暗号通信装置121は、鍵確認処理を行う。鍵確認処理については、図6を用いて説明した通りであるが、ステップS30及びS31における暗号通信の開始を通知する処理は不要である。 If the result of determination in step S48 is that an encryption key is to be added to the buffer M2, in step S49, the encryption communication device 121 of the terminal B performs key confirmation processing. The key confirmation process is as described with reference to FIG. 6, but the process of notifying the start of encrypted communication in steps S30 and S31 is not necessary.
 ここで、暗号通信処理において、端末Aの暗号通信装置111の管理部167と暗号化部168とデータ送信部169とが行う処理について説明する。 Here, processing performed by the management unit 167, the encryption unit 168, and the data transmission unit 169 of the encryption communication device 111 of the terminal A in the encryption communication processing will be described.
 ステップS41及びS42では、暗号化部168が、通信データの入力を受ける度に、メモリ155の内部の領域であるバッファに格納された暗号鍵のうち1つの暗号鍵を取得し、取得した暗号鍵を使用して通信データを暗号化することで暗号化データを生成するとともに、取得した暗号鍵をバッファから削除する。 In steps S41 and S42, every time the encryption unit 168 receives input of communication data, the encryption unit 168 acquires one encryption key out of the encryption keys stored in the buffer that is an internal area of the memory 155, and the acquired encryption key The encrypted data is generated by encrypting the communication data using, and the acquired encryption key is deleted from the buffer.
 ステップS43では、データ送信部169が、暗号化部168により生成された暗号化データを送信することで暗号通信を行う。 In step S43, the data transmission unit 169 performs encrypted communication by transmitting the encrypted data generated by the encryption unit 168.
 ステップS44及びS45では、管理部167が、データ送信部169による暗号通信が継続している間、バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵をバッファに追加する。具体的には、管理部167は、バッファ内の暗号鍵の数が減る速さとバッファに残っている暗号鍵の数とから、バッファ内の暗号鍵がなくなるまでの時間を推測し、推測した時間が閾値を下回った場合に、新たな暗号鍵をバッファに追加する。この閾値は、任意に調整することができるが、バッファ内の暗号鍵が枯渇してからバッファに暗号鍵が補充されるまでに生じる遅延よりも長い時間に設定されることが望ましい。即ち、閾値は、端末Aの暗号通信装置111において鍵確認処理の実行にかかる時間よりも長く設定されることが望ましい。なお、バッファ内の暗号鍵の数が減る速さは、任意の方法で計測することができる。 In steps S44 and S45, the management unit 167 adds a new encryption key to the buffer according to the speed at which the number of encryption keys in the buffer decreases while the encrypted communication by the data transmission unit 169 continues. Specifically, the management unit 167 estimates the time until the encryption key in the buffer runs out from the speed at which the number of encryption keys in the buffer decreases and the number of encryption keys remaining in the buffer. When the value falls below the threshold, a new encryption key is added to the buffer. This threshold value can be arbitrarily adjusted, but is preferably set to a time longer than the delay that occurs between the time when the encryption key in the buffer is exhausted and the time when the encryption key is replenished in the buffer. That is, it is desirable that the threshold be set longer than the time required for executing the key confirmation process in the encryption communication device 111 of the terminal A. Note that the speed at which the number of encryption keys in the buffer decreases can be measured by an arbitrary method.
 暗号通信処理において、端末Bの暗号通信装置121の管理部187と復号部188とデータ受信部189とが行う処理についても説明する。 Processing performed by the management unit 187, the decryption unit 188, and the data reception unit 189 of the cryptographic communication device 121 of the terminal B in the cryptographic communication processing is also described.
 ステップS46では、データ受信部189が、暗号化データを受信することで暗号通信を行う。 In step S46, the data receiving unit 189 performs encrypted communication by receiving the encrypted data.
 ステップS47では、復号部188が、データ受信部189により暗号化データが受信される度に、メモリ175の内部の領域であるバッファに格納された暗号鍵のうち1つの暗号鍵を取得し、取得した暗号鍵を使用して暗号化データを復号することで通信データを生成するとともに、取得した暗号鍵をバッファから削除する。 In step S47, every time encrypted data is received by the data receiving unit 189, the decrypting unit 188 acquires one of the encryption keys stored in the buffer that is an internal area of the memory 175, and acquires it. The communication data is generated by decrypting the encrypted data using the encrypted key, and the acquired encryption key is deleted from the buffer.
 ステップS48及びS49では、管理部187が、データ受信部189による暗号通信が継続している間、バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵をバッファに追加する。具体的には、管理部187は、バッファ内の暗号鍵の数が減る速さとバッファに残っている暗号鍵の数とから、バッファ内の暗号鍵がなくなるまでの時間を推測し、推測した時間が閾値を下回った場合に、新たな暗号鍵をバッファに追加する。この閾値は、端末Aの場合と同じように、任意に調整することができるが、バッファ内の暗号鍵が枯渇してからバッファに暗号鍵が補充されるまでに生じる遅延よりも長い時間に設定されることが望ましい。即ち、閾値は、端末Bの暗号通信装置121において鍵確認処理の実行にかかる時間よりも長く設定されることが望ましい。なお、バッファ内の暗号鍵の数が減る速さは、任意の方法で計測することができる。 In steps S48 and S49, the management unit 187 adds a new encryption key to the buffer according to the speed at which the number of encryption keys in the buffer decreases while the encryption communication by the data reception unit 189 continues. Specifically, the management unit 187 estimates the time until the encryption key in the buffer runs out from the speed at which the number of encryption keys in the buffer decreases and the number of encryption keys remaining in the buffer. When the value falls below the threshold, a new encryption key is added to the buffer. This threshold value can be arbitrarily adjusted as in the case of terminal A, but is set to a time longer than the delay that occurs between the time when the encryption key in the buffer is exhausted and the time when the encryption key is replenished to the buffer. It is desirable that That is, it is desirable that the threshold is set longer than the time required for executing the key confirmation process in the encryption communication apparatus 121 of the terminal B. Note that the speed at which the number of encryption keys in the buffer decreases can be measured by an arbitrary method.
 本実施の形態では、端末Aの暗号通信装置111及び端末Bの暗号通信装置121のいずれのバッファも、複数のアプリケーション114,124のそれぞれに対して個別に割り当てられる。そのため、管理部167,187は、複数のアプリケーション114,124のうち、暗号通信が継続しているアプリケーション114,124に割り当てられたバッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵を当該アプリケーション114,124に割り当てられたバッファに追加する。具体的には、管理部167,187は、当該アプリケーション114,124に割り当てられたバッファ内の暗号鍵の数が減る速さと、そのバッファに残っている暗号鍵の数とから、そのバッファ内の暗号鍵がなくなるまでの時間を推測し、推測した時間が閾値を下回った場合に、新たな暗号鍵を、そのバッファに追加する。この閾値は、一律に設定されてもよいが、アプリケーション114ごとに異なる時間に設定されてもよい。例えば、閾値は、音声通話等、遅延による影響の度合いが比較的大きいアプリケーション114ほど長く設定され、メール通信等、遅延による影響の度合いが比較的小さいアプリケーション114ほど短く設定されてもよい。 In this embodiment, the buffers of the encryption communication device 111 of the terminal A and the encryption communication device 121 of the terminal B are individually assigned to each of the plurality of applications 114 and 124. For this reason, the management units 167 and 187 make a new response according to the speed at which the number of encryption keys in the buffer allocated to the applications 114 and 124 in which the encrypted communication continues among the plurality of applications 114 and 124 decreases. The encryption key is added to the buffer assigned to the application 114 or 124. Specifically, the management units 167 and 187 determine whether the number of encryption keys in the buffer allocated to the applications 114 and 124 decreases and the number of encryption keys remaining in the buffer. The time until the encryption key runs out is estimated, and when the estimated time falls below the threshold, a new encryption key is added to the buffer. This threshold value may be set uniformly, but may be set at a different time for each application 114. For example, the threshold may be set longer for an application 114 that has a relatively high degree of influence due to delay, such as a voice call, and may be set shorter for an application 114 that has a relatively low degree of influence due to delay, such as mail communication.
 本実施の形態では、端末Aの暗号通信装置111の暗号化部168及び端末Bの暗号通信装置121の復号部188により使用される暗号鍵が、それぞれの暗号通信の相手との通信により決定される。具体的には、どの暗号鍵をどのような順番で使うかが、通信により決定される。しかし、どの暗号鍵をどのような順番で使うかは、事前に決定されていてもよい。その場合、ステップS30及びS31における暗号通信の開始を通知する処理を除く、鍵確認処理の大部分を省略することができる。 In the present embodiment, the encryption keys used by the encryption unit 168 of the encryption communication device 111 of the terminal A and the decryption unit 188 of the encryption communication device 121 of the terminal B are determined by communication with the respective counterparts of the encryption communication. The Specifically, which encryption key is used and in what order is determined by communication. However, which encryption key is used and in what order may be determined in advance. In that case, most of the key confirmation process can be omitted except for the process of notifying the start of encrypted communication in steps S30 and S31.
 以下では、図8から図14を参照して、前述した鍵情報、フラグ、暗号鍵群、鍵リスト、通信データ、暗号化データと、これらに関する処理との具体例について説明する。 Hereinafter, specific examples of the key information, the flag, the encryption key group, the key list, the communication data, the encrypted data, and the processing related to these will be described with reference to FIGS.
 図8は、端末Aの暗号通信装置111のリスト生成部164が行う処理の具体例を示している。 FIG. 8 shows a specific example of processing performed by the list generation unit 164 of the encryption communication device 111 of the terminal A.
 記憶媒体154の暗号鍵データベース210には、暗号鍵群G1に含まれる複数の暗号鍵が記録されている。各暗号鍵は、鍵情報、フラグ、鍵データで構成されている。例えば、暗号鍵K1は、鍵情報I1「002」、フラグ「未使用」、鍵データ「10111011010・・・」で構成されている。 In the encryption key database 210 of the storage medium 154, a plurality of encryption keys included in the encryption key group G1 are recorded. Each encryption key includes key information, a flag, and key data. For example, the encryption key K1 includes key information I1 “002”, a flag “unused”, and key data “10111011010.
 リスト生成部164は、暗号鍵データベース210からフラグが「未使用」になっている暗号鍵の鍵情報を抽出する。リスト生成部164は、抽出した鍵情報のリストを鍵リストL1として生成する。 The list generation unit 164 extracts the key information of the encryption key whose flag is “unused” from the encryption key database 210. The list generation unit 164 generates the extracted key information list as the key list L1.
 図9は、端末Bの暗号通信装置121の情報生成部184が行う処理の具体例を示している。 FIG. 9 shows a specific example of processing performed by the information generation unit 184 of the encryption communication device 121 of the terminal B.
 記憶媒体174の暗号鍵データベース220には、暗号鍵群G2に含まれる複数の暗号鍵が記録されている。各暗号鍵の構成については、端末Aの暗号鍵データベース210と同じである。 In the encryption key database 220 of the storage medium 174, a plurality of encryption keys included in the encryption key group G2 are recorded. The configuration of each encryption key is the same as that of the encryption key database 210 of the terminal A.
 情報生成部184は、リスト受信部185から鍵リストL1を受け取ると、暗号鍵データベース220からフラグが「未使用」になっている暗号鍵の鍵情報を抽出する。情報生成部184は、抽出した鍵情報のリストを鍵リストL2として生成する。情報生成部184は、鍵リストL1と鍵リストL2とを比較する。情報生成部184は、比較の結果、どちらのリストにもある鍵情報を選択する。例えば、鍵情報I1は、どちらのリストにもある鍵情報である。情報生成部184は、選択した鍵情報を情報送信部186に渡す。このとき、情報生成部184は、暗号鍵データベース220に対して、選択した鍵情報に合致する暗号鍵のフラグを「使用中」に設定する。なお、情報生成部184が選択した鍵情報は、情報生成部184が生成した鍵情報に相当する。 When the information generation unit 184 receives the key list L1 from the list reception unit 185, the information generation unit 184 extracts the key information of the encryption key whose flag is “unused” from the encryption key database 220. The information generation unit 184 generates the extracted key information list as the key list L2. The information generation unit 184 compares the key list L1 and the key list L2. The information generation unit 184 selects key information in both lists as a result of comparison. For example, the key information I1 is key information in both lists. The information generation unit 184 passes the selected key information to the information transmission unit 186. At this time, the information generating unit 184 sets the encryption key flag that matches the selected key information to “in use” in the encryption key database 220. The key information selected by the information generation unit 184 corresponds to the key information generated by the information generation unit 184.
 図10は、端末Aの暗号通信装置111の管理部167が鍵情報I1を受け取った際に行う処理の具体例を示している。 FIG. 10 shows a specific example of processing performed when the management unit 167 of the encryption communication device 111 of the terminal A receives the key information I1.
 管理部167は、情報受信部166から鍵情報I1を受け取ると、同じ鍵情報I1を持つ暗号鍵K1を記憶媒体154の暗号鍵データベース210から探す。管理部167は、暗号鍵K1のフラグを「使用中」に設定する。 Upon receiving the key information I1 from the information receiving unit 166, the management unit 167 searches the encryption key database 210 of the storage medium 154 for the encryption key K1 having the same key information I1. The management unit 167 sets the flag of the encryption key K1 to “in use”.
 図11は、端末Aの暗号通信装置111の管理部167がバッファM1に暗号鍵を展開する際に行う処理の具体例を示している。 FIG. 11 shows a specific example of processing performed when the management unit 167 of the encryption communication device 111 of the terminal A expands the encryption key in the buffer M1.
 管理部167は、情報受信部166から受け取ったものと同じ鍵情報I1を持つ暗号鍵K1の鍵データを読み込む。管理部167は、読み込んだ暗号鍵K1の鍵データをメモリ155のバッファM1に展開する。このとき、管理部167は、バッファM1に展開した暗号鍵K1を記憶媒体154の暗号鍵データベース210から削除する。 The management unit 167 reads the key data of the encryption key K1 having the same key information I1 received from the information receiving unit 166. The management unit 167 expands the read key data of the encryption key K1 in the buffer M1 of the memory 155. At this time, the management unit 167 deletes the encryption key K1 expanded in the buffer M1 from the encryption key database 210 of the storage medium 154.
 同じように、端末Bの暗号通信装置121の管理部187は、情報生成部184が生成したものと同じ鍵情報I1を持つ暗号鍵K1の鍵データを読み込む。管理部187は、読み込んだ暗号鍵K1の鍵データをメモリ175のバッファM2に展開する。このとき、管理部187は、バッファM2に展開した暗号鍵K1を記憶媒体174の暗号鍵データベース220から削除する。 Similarly, the management unit 187 of the encryption communication device 121 of the terminal B reads the key data of the encryption key K1 having the same key information I1 as that generated by the information generation unit 184. The management unit 187 expands the read key data of the encryption key K1 in the buffer M2 of the memory 175. At this time, the management unit 187 deletes the encryption key K1 expanded in the buffer M2 from the encryption key database 220 of the storage medium 174.
 図12は、端末Aの暗号通信装置111の暗号化部168が行う処理の具体例を示している。 FIG. 12 shows a specific example of processing performed by the encryption unit 168 of the encryption communication device 111 of the terminal A.
 暗号化部168は、データ受け付け部162から通信データD1を受け取ると、メモリ155のバッファM1から暗号鍵K1の鍵データを読み出す。暗号化部168は、読み出した暗号鍵K1の鍵データと通信データD1との排他的論理和を計算する。暗号化部168は、計算結果を暗号化データE1としてデータ送信部169に渡す。 When the encryption unit 168 receives the communication data D1 from the data reception unit 162, the encryption unit 168 reads the key data of the encryption key K1 from the buffer M1 of the memory 155. The encryption unit 168 calculates the exclusive OR of the read key data of the encryption key K1 and the communication data D1. The encryption unit 168 passes the calculation result to the data transmission unit 169 as encrypted data E1.
 図13は、端末Bの暗号通信装置121の復号部188が行う処理の具体例を示している。 FIG. 13 shows a specific example of processing performed by the decryption unit 188 of the encryption communication device 121 of the terminal B.
 復号部188は、データ受信部189から暗号化データE1を受け取ると、メモリ175のバッファM2から暗号鍵K1の鍵データを読み出す。復号部188は、読み出した暗号鍵K1の鍵データと暗号化データE1との排他的論理和を計算する。復号部188は、計算結果を通信データD1としてデータ送出部182に渡す。 When receiving the encrypted data E1 from the data receiving unit 189, the decrypting unit 188 reads the key data of the encryption key K1 from the buffer M2 of the memory 175. The decryption unit 188 calculates an exclusive OR of the read key data of the encryption key K1 and the encrypted data E1. The decryption unit 188 passes the calculation result to the data transmission unit 182 as communication data D1.
 図14は、端末Aの暗号通信装置111の管理部167がバッファM1にある暗号鍵の鍵データが減少したことを検知した際に行う処理の具体例を示している。 FIG. 14 shows a specific example of processing performed when the management unit 167 of the encryption communication device 111 of the terminal A detects that the key data of the encryption key in the buffer M1 has decreased.
 管理部167は、暗号通信が継続されている間、暗号通信で使われているバッファM1を監視する。管理部167は、暗号鍵の鍵データの減少する速さと現在の暗号鍵の鍵データの残量とから暗号鍵の鍵データが枯渇するまでの時間を推測する。管理部167は、推測した時間が一定値を下回った場合に、鍵確認処理を呼び出すことで、バッファM1の暗号鍵が枯渇しない状態を維持する。 The management unit 167 monitors the buffer M1 used in the encrypted communication while the encrypted communication is continued. The management unit 167 estimates the time until the key data of the encryption key is exhausted from the speed at which the key data of the encryption key decreases and the remaining amount of the key data of the encryption key. When the estimated time falls below a certain value, the management unit 167 calls a key confirmation process to maintain a state where the encryption key of the buffer M1 is not exhausted.
 同じように、端末Bの暗号通信装置121の管理部187は、暗号通信が継続されている間、暗号通信で使われているバッファM2を監視する。管理部187は、暗号鍵の鍵データの減少する速さと現在の暗号鍵の鍵データの残量とから暗号鍵の鍵データが枯渇するまでの時間を推測する。管理部187は、推測した時間が一定値を下回った場合に、鍵確認処理を呼び出すことで、バッファM2の暗号鍵が枯渇しない状態を維持する。 Similarly, the management unit 187 of the encryption communication device 121 of the terminal B monitors the buffer M2 used in the encryption communication while the encryption communication is continued. The management unit 187 estimates the time until the key data of the encryption key is exhausted from the speed at which the key data of the encryption key decreases and the remaining amount of key data of the current encryption key. The management unit 187 maintains a state where the encryption key of the buffer M2 is not depleted by calling the key confirmation process when the estimated time is less than a certain value.
 ***効果の説明***
 上記のように構成された端末A及び端末Bにおいては、暗号通信装置111,暗号通信装置121が暗号鍵を管理することで、各アプリケーション114,124が個別に暗号鍵を管理することによる、データ容量の増加を回避することができる。また、アプリケーション114,124ごとに個別のバッファを設け、バッファが枯渇する前に暗号鍵を供給することで、暗号通信時に遅延が生じないシステムを実現することができる。 *** Explanation of effects ***
In the terminal A and the terminal B configured as described above, the encryption communication device 111 and the encryption communication device 121 manage the encryption key, so that each of the applications 114 and 124 individually manages the encryption key. An increase in capacity can be avoided. In addition, by providing a separate buffer for each of the applications 114 and 124 and supplying an encryption key before the buffer runs out, a system that does not cause a delay during encryption communication can be realized.
 つまり、本実施の形態では、複数のアプリケーション114,124が同時にワンタイムパッド暗号通信を利用することが想定される場合に、暗号通信端末110,120内のデータ容量を削減することと、暗号通信に遅延を生じさせないことを両立できる。 That is, in the present embodiment, when it is assumed that a plurality of applications 114 and 124 simultaneously use the one-time pad encryption communication, the data capacity in the encryption communication terminals 110 and 120 is reduced, and the encryption communication is performed. It is possible to achieve both a delay and no delay.
 以上のように、本実施の形態では、暗号通信が継続している間、バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵がバッファに追加される。このため、暗号鍵が枯渇してから暗号鍵が補充されるまでに生じる遅延を解消することができる。 As described above, in this embodiment, a new encryption key is added to the buffer according to the speed at which the number of encryption keys in the buffer decreases while the encryption communication continues. For this reason, it is possible to eliminate a delay that occurs until the encryption key is replenished after the encryption key is depleted.
 以下では、図15を参照して、本発明の実施の形態に係る暗号通信装置111,121のハードウェア構成例を説明する。 Hereinafter, a hardware configuration example of the cryptographic communication apparatuses 111 and 121 according to the embodiment of the present invention will be described with reference to FIG.
 暗号通信装置111,121は、それぞれコンピュータである。暗号通信装置111,121は、それぞれプロセッサ901、補助記憶装置902、メモリ903、通信装置904、入力インタフェース905、ディスプレイインタフェース906といったハードウェアを備える。プロセッサ901は、信号線910を介して他のハードウェアと接続され、これら他のハードウェアを制御する。入力インタフェース905は、入力装置907に接続されている。ディスプレイインタフェース906は、ディスプレイ908に接続されている。 Each of the cryptographic communication devices 111 and 121 is a computer. The cryptographic communication devices 111 and 121 include hardware such as a processor 901, an auxiliary storage device 902, a memory 903, a communication device 904, an input interface 905, and a display interface 906, respectively. The processor 901 is connected to other hardware via the signal line 910, and controls these other hardware. The input interface 905 is connected to the input device 907. The display interface 906 is connected to the display 908.
 プロセッサ901は、プロセッシングを行うIC(Integrated・Circuit)である。プロセッサ901は、例えば、CPU、DSP(Digital・Signal・Processor)、又は、GPU(Graphics・Processing・Unit)である。 The processor 901 is an IC (Integrated Circuit) that performs processing. The processor 901 is, for example, a CPU, a DSP (Digital Signal Processor), or a GPU (Graphics Processing Unit).
 補助記憶装置902は、例えば、ROM(Read・Only・Memory)、フラッシュメモリ、又は、HDD(Hard・Disk・Drive)である。暗号通信装置111の記憶媒体154と、暗号通信装置121の記憶媒体174は、それぞれ補助記憶装置902に相当する。 The auxiliary storage device 902 is, for example, a ROM (Read / Only / Memory), a flash memory, or an HDD (Hard / Disk / Drive). The storage medium 154 of the encryption communication device 111 and the storage medium 174 of the encryption communication device 121 correspond to the auxiliary storage device 902, respectively.
 メモリ903は、例えば、RAM(Random・Access・Memory)である。暗号通信装置111のメモリ155と、暗号通信装置121のメモリ175は、それぞれメモリ903に相当する。 The memory 903 is, for example, a RAM (Random Access Memory). The memory 155 of the cryptographic communication device 111 and the memory 175 of the cryptographic communication device 121 correspond to the memory 903, respectively.
 通信装置904は、データを受信するレシーバ921及びデータを送信するトランスミッタ922を含む。通信装置904は、例えば、通信チップ又はNIC(Network・Interface・Card)である。暗号通信装置111の有線インタフェース151及び通信インタフェース153と、暗号通信装置121の有線インタフェース171及び通信インタフェース173は、それぞれ通信装置904に相当する。なお、暗号通信装置111の内部インタフェース152と、暗号通信装置121の内部インタフェース172は、それぞれバスインタフェース等である。 The communication device 904 includes a receiver 921 that receives data and a transmitter 922 that transmits data. The communication device 904 is, for example, a communication chip or a NIC (Network, Interface, Card). The wired interface 151 and the communication interface 153 of the cryptographic communication device 111 and the wired interface 171 and the communication interface 173 of the cryptographic communication device 121 correspond to the communication device 904, respectively. The internal interface 152 of the cryptographic communication device 111 and the internal interface 172 of the cryptographic communication device 121 are each a bus interface or the like.
 入力インタフェース905は、入力装置907のケーブル911が接続されるポートである。入力インタフェース905は、例えば、USB(Universal・Serial・Bus)端子である。 The input interface 905 is a port to which the cable 911 of the input device 907 is connected. The input interface 905 is, for example, a USB (Universal / Serial / Bus) terminal.
 ディスプレイインタフェース906は、ディスプレイ908のケーブル912が接続されるポートである。ディスプレイインタフェース906は、例えば、USB端子又はHDMI(登録商標)(High・Definition・Multimedia・Interface)端子である。 The display interface 906 is a port to which the cable 912 of the display 908 is connected. The display interface 906 is, for example, a USB terminal or an HDMI (registered trademark) (High Definition, Multimedia, Interface) terminal.
 入力装置907は、例えば、マウス、タッチペン、キーボード、又は、タッチパネルである。 The input device 907 is, for example, a mouse, a touch pen, a keyboard, or a touch panel.
 ディスプレイ908は、例えば、LCD(Liquid・Crystal・Display)である。 The display 908 is, for example, an LCD (Liquid / Crystal / Display).
 補助記憶装置902には、暗号通信装置111の取得部161、データ受け付け部162、要求受け付け部163、リスト生成部164、リスト送信部165、情報受信部166、管理部167、暗号化部168、データ送信部169、或いは、暗号通信装置121の取得部181、データ送出部182、要求受け付け部183、情報生成部184、リスト受信部185、情報送信部186、管理部187、復号部188、データ受信部189といった「部」の機能を実現するプログラムが記憶されている。このプログラムは、メモリ903にロードされ、プロセッサ901に読み込まれ、プロセッサ901によって実行される。補助記憶装置902には、OS(Operating・System)も記憶されている。OSの少なくとも一部がメモリ903にロードされ、プロセッサ901はOSを実行しながら、「部」の機能を実現するプログラムを実行する。 The auxiliary storage device 902 includes an acquisition unit 161, a data reception unit 162, a request reception unit 163, a list generation unit 164, a list transmission unit 165, an information reception unit 166, a management unit 167, an encryption unit 168, Data transmission unit 169 or acquisition unit 181, data transmission unit 182, request reception unit 183, information generation unit 184, list reception unit 185, information transmission unit 186, management unit 187, decryption unit 188, data A program for realizing the function of “unit” such as the receiving unit 189 is stored. This program is loaded into the memory 903, read into the processor 901, and executed by the processor 901. The auxiliary storage device 902 also stores an OS (Operating System). At least a part of the OS is loaded into the memory 903, and the processor 901 executes a program that realizes the function of “unit” while executing the OS.
 図15では、1つのプロセッサ901が示されているが、暗号通信装置111,121がそれぞれ複数のプロセッサ901を備えていてもよい。そして、複数のプロセッサ901が「部」の機能を実現するプログラムを連携して実行してもよい。 In FIG. 15, one processor 901 is shown, but the cryptographic communication apparatuses 111 and 121 may each include a plurality of processors 901. A plurality of processors 901 may execute a program for realizing the function of “unit” in cooperation with each other.
 「部」の処理の結果を示す情報やデータや信号値や変数値は、補助記憶装置902、メモリ903、又は、プロセッサ901内のレジスタ又はキャッシュメモリに記憶される。 Information, data, signal values, and variable values indicating the processing results of “unit” are stored in the auxiliary storage device 902, the memory 903, or a register or cache memory in the processor 901.
 「部」を「サーキットリ」で提供してもよい。また、「部」を「回路」又は「工程」又は「手順」又は「処理」に読み替えてもよい。「回路」及び「サーキットリ」は、プロセッサ901だけでなく、ロジックIC、GA(Gate・Array)、ASIC(Application・Specific・Integrated・Circuit)、FPGA(Field-Programmable・Gate・Array)といった他の種類の処理回路をも包含する概念である。 “Parts” may be provided on “Circuits”. Further, “part” may be read as “circuit”, “process”, “procedure”, or “processing”. "Circuit" and "Circuitry" include not only the processor 901 but also other logic ICs, GA (Gate-Array), ASIC (Application-Specific-Integrated-Circuit), FPGA (Field-Programmable-Gate-Array), etc. It is a concept that includes various types of processing circuits.
 以上、本発明の実施の形態について説明したが、この実施の形態を部分的に実施しても構わない。例えば、この実施の形態の説明において「部」として説明するもののうち、いずれか1つのみを採用してもよいし、いくつかの任意の組み合わせを採用してもよい。なお、本発明は、この実施の形態に限定されるものではなく、必要に応じて種々の変更が可能である。 As mentioned above, although embodiment of this invention was described, you may implement this embodiment partially. For example, only one of those described as “parts” in the description of this embodiment may be adopted, or some arbitrary combinations may be adopted. In addition, this invention is not limited to this embodiment, A various change is possible as needed.
 100 通信システム、110 暗号通信端末、111 暗号通信装置、112 処理装置、113 プログラム、114 アプリケーション、115 鍵共有装置、120 暗号通信端末、121 暗号通信装置、122 処理装置、123 プログラム、124 アプリケーション、125 鍵共有装置、130 ネットワーク、151 有線インタフェース、152 内部インタフェース、153 通信インタフェース、154 記憶媒体、155 メモリ、161 取得部、162 データ受け付け部、163 要求受け付け部、164 リスト生成部、165 リスト送信部、166 情報受信部、167 管理部、168 暗号化部、169 データ送信部、171 有線インタフェース、172 内部インタフェース、173 通信インタフェース、174 記憶媒体、175 メモリ、181 取得部、182 データ送出部、183 要求受け付け部、184 情報生成部、185 リスト受信部、186 情報送信部、187 管理部、188 復号部、189 データ受信部、210 暗号鍵データベース、220 暗号鍵データベース、901 プロセッサ、902 補助記憶装置、903 メモリ、904 通信装置、905 入力インタフェース、906 ディスプレイインタフェース、907 入力装置、908 ディスプレイ、910 信号線、911 ケーブル、912 ケーブル、921 レシーバ、922 トランスミッタ。 100 communication system, 110 encryption communication terminal, 111 encryption communication device, 112 processing device, 113 program, 114 application, 115 key sharing device, 120 encryption communication terminal, 121 encryption communication device, 122 processing device, 123 program, 124 application, 125 Key sharing device, 130 network, 151 wired interface, 152 internal interface, 153 communication interface, 154 storage medium, 155 memory, 161 acquisition unit, 162 data reception unit, 163 request reception unit, 164 list generation unit, 165 list transmission unit, 166 Information reception unit, 167 management unit, 168 encryption unit, 169 data transmission unit, 171 wired interface, 172 internal interface, 17 Communication interface, 174 storage medium, 175 memory, 181 acquisition unit, 182 data transmission unit, 183 request reception unit, 184 information generation unit, 185 list reception unit, 186 information transmission unit, 187 management unit, 188 decoding unit, 189 data reception Part, 210 encryption key database, 220 encryption key database, 901 processor, 902 auxiliary storage device, 903 memory, 904 communication device, 905 input interface, 906 display interface, 907 input device, 908 display, 910 signal line, 911 cable, 912 Cable, 921 receiver, 922 transmitter.

Claims (14)

  1.  メモリと、
     通信データの入力を受ける度に、前記メモリの内部の領域であるバッファに格納された暗号鍵のうち1つの暗号鍵を取得し、取得した暗号鍵を使用して前記通信データを暗号化することで暗号化データを生成するとともに、取得した暗号鍵を前記バッファから削除する暗号化部と、
     前記暗号化部により生成された暗号化データを送信することで暗号通信を行うデータ送信部と、
     前記データ送信部による暗号通信が継続している間、前記バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵を前記バッファに追加する管理部と
    を備える暗号通信装置。     Memory,
    Each time communication data is input, one encryption key stored in a buffer that is an internal area of the memory is acquired, and the communication data is encrypted using the acquired encryption key. And generating encrypted data with the encryption unit for deleting the acquired encryption key from the buffer,
    A data transmission unit that performs cryptographic communication by transmitting the encrypted data generated by the encryption unit;
    An encryption communication apparatus comprising: a management unit that adds a new encryption key to the buffer according to a speed at which the number of encryption keys in the buffer decreases while encryption communication by the data transmission unit continues.
  2.  前記管理部は、前記バッファ内の暗号鍵の数が減る速さと前記バッファに残っている暗号鍵の数とから、前記バッファ内の暗号鍵がなくなるまでの時間を推測し、推測した時間が閾値を下回った場合に、前記新たな暗号鍵を前記バッファに追加する請求項1に記載の暗号通信装置。 The management unit estimates the time until the encryption key in the buffer runs out from the speed at which the number of encryption keys in the buffer decreases and the number of encryption keys remaining in the buffer, and the estimated time is a threshold value. The cryptographic communication device according to claim 1, wherein the new cryptographic key is added to the buffer when the number of the cryptographic key is lower than the threshold.
  3.  前記暗号化部により使用される暗号鍵は、前記暗号通信の相手との通信により決定される請求項1又は2に記載の暗号通信装置。 The encryption communication device according to claim 1 or 2, wherein the encryption key used by the encryption unit is determined by communication with the other party of the encryption communication.
  4.  請求項1から3のいずれか1項に記載の暗号通信装置と、
     前記通信データを前記暗号通信装置に入力するプログラムを実行する処理装置と
    を備える暗号通信端末。     The encryption communication device according to any one of claims 1 to 3,
    A cryptographic communication terminal comprising: a processing device that executes a program for inputting the communication data to the cryptographic communication device.
  5.  前記バッファは、前記プログラムである複数のアプリケーションのそれぞれに対して個別に割り当てられ、
     前記管理部は、前記複数のアプリケーションのうち、前記暗号通信が継続しているアプリケーションに割り当てられた前記バッファ内の暗号鍵の数が減る速さに応じて、前記新たな暗号鍵を当該アプリケーションに割り当てられた前記バッファに追加する請求項4に記載の暗号通信端末。     The buffer is individually assigned to each of a plurality of applications that are the programs,
    The management unit assigns the new encryption key to the application in accordance with a speed at which the number of encryption keys in the buffer allocated to the application in which the encrypted communication is continued among the plurality of applications. The encryption communication terminal according to claim 4, wherein the encryption communication terminal is added to the allocated buffer.
  6.  メモリと、
     暗号化データを受信することで暗号通信を行うデータ受信部と、
     前記データ受信部により前記暗号化データが受信される度に、前記メモリの内部の領域であるバッファに格納された暗号鍵のうち1つの暗号鍵を取得し、取得した暗号鍵を使用して前記暗号化データを復号することで通信データを生成するとともに、取得した暗号鍵を前記バッファから削除する復号部と、
     前記データ受信部による暗号通信が継続している間、前記バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵を前記バッファに追加する管理部と
    を備える暗号通信装置。     Memory,
    A data receiver that performs encrypted communication by receiving encrypted data;
    Each time the encrypted data is received by the data receiving unit, one encryption key stored in a buffer that is an internal area of the memory is obtained, and the obtained encryption key is used to obtain the encryption key. A communication unit for generating communication data by decrypting the encrypted data, and a decrypting unit for deleting the obtained encryption key from the buffer;
    An encryption communication apparatus comprising: a management unit that adds a new encryption key to the buffer according to a speed at which the number of encryption keys in the buffer decreases while encryption communication by the data reception unit continues.
  7.  前記管理部は、前記バッファ内の暗号鍵の数が減る速さと前記バッファに残っている暗号鍵の数とから、前記バッファ内の暗号鍵がなくなるまでの時間を推測し、推測した時間が閾値を下回った場合に、前記新たな暗号鍵を前記バッファに追加する請求項6に記載の暗号通信装置。 The management unit estimates the time until the encryption key in the buffer runs out from the speed at which the number of encryption keys in the buffer decreases and the number of encryption keys remaining in the buffer, and the estimated time is a threshold value. The encryption communication device according to claim 6, wherein the new encryption key is added to the buffer when the value is less than.
  8.  前記復号部により使用される暗号鍵は、前記暗号通信の相手との通信により決定される請求項6又は7に記載の暗号通信装置。 The encryption communication device according to claim 6 or 7, wherein an encryption key used by the decryption unit is determined by communication with the other party of the encryption communication.
  9.  請求項6から8のいずれか1項に記載の暗号通信装置と、
     前記通信データの入力を前記暗号通信装置から受けるプログラムを実行する処理装置と
    を備える暗号通信端末。     The cryptographic communication device according to any one of claims 6 to 8,
    A cryptographic communication terminal comprising: a processing device that executes a program that receives input of the communication data from the cryptographic communication device.
  10.  前記バッファは、前記プログラムである複数のアプリケーションのそれぞれに対して個別に割り当てられ、
     前記管理部は、前記複数のアプリケーションのうち、前記暗号通信が継続しているアプリケーションに割り当てられた前記バッファ内の暗号鍵の数が減る速さに応じて、前記新たな暗号鍵を当該アプリケーションに割り当てられた前記バッファに追加する請求項9に記載の暗号通信端末。     The buffer is individually assigned to each of a plurality of applications that are the programs,
    The management unit assigns the new encryption key to the application in accordance with a speed at which the number of encryption keys in the buffer allocated to the application in which the encrypted communication is continued among the plurality of applications. The encryption communication terminal according to claim 9, wherein the encryption communication terminal is added to the allocated buffer.
  11.  メモリを備えるコンピュータが、通信データの入力を受ける度に、前記メモリの内部の領域であるバッファに格納された暗号鍵のうち1つの暗号鍵を取得し、取得した暗号鍵を使用して前記通信データを暗号化することで暗号化データを生成するとともに、取得した暗号鍵を前記バッファから削除し、
     前記コンピュータが、前記暗号化データを送信することで暗号通信を行い、
     前記コンピュータが、前記暗号通信が継続している間、前記バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵を前記バッファに追加する暗号通信方法。     Each time a computer including a memory receives input of communication data, the computer acquires one encryption key among the encryption keys stored in a buffer that is an internal area of the memory, and uses the acquired encryption key to perform the communication Generate encrypted data by encrypting the data, delete the acquired encryption key from the buffer,
    The computer performs encrypted communication by transmitting the encrypted data,
    An encryption communication method in which the computer adds a new encryption key to the buffer according to a speed at which the number of encryption keys in the buffer decreases while the encryption communication continues.
  12.  メモリを備えるコンピュータが、暗号化データを受信することで暗号通信を行い、
     前記コンピュータが、前記暗号化データが受信される度に、前記メモリの内部の領域であるバッファに格納された暗号鍵のうち1つの暗号鍵を取得し、取得した暗号鍵を使用して前記暗号化データを復号することで通信データを生成するとともに、取得した暗号鍵を前記バッファから削除し、
     前記コンピュータが、前記暗号通信が継続している間、前記バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵を前記バッファに追加する暗号通信方法。     A computer equipped with a memory performs encrypted communication by receiving encrypted data,
    Each time the encrypted data is received, the computer acquires one encryption key stored in a buffer, which is an internal area of the memory, and uses the acquired encryption key to acquire the encryption key. And generating communication data by decrypting the encrypted data, deleting the acquired encryption key from the buffer,
    An encryption communication method in which the computer adds a new encryption key to the buffer according to a speed at which the number of encryption keys in the buffer decreases while the encryption communication continues.
  13.  メモリを備えるコンピュータに、
     通信データの入力を受ける度に、前記メモリの内部の領域であるバッファに格納された暗号鍵のうち1つの暗号鍵を取得し、取得した暗号鍵を使用して前記通信データを暗号化することで暗号化データを生成するとともに、取得した暗号鍵を前記バッファから削除する処理と、
     前記暗号化データを送信することで暗号通信を行う処理と、
     前記暗号通信が継続している間、前記バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵を前記バッファに追加する処理と
    を実行させる暗号通信プログラム。     To a computer with memory,
    Each time communication data is input, one encryption key stored in a buffer that is an internal area of the memory is acquired, and the communication data is encrypted using the acquired encryption key. A process for generating encrypted data at, and deleting the obtained encryption key from the buffer;
    Processing for performing encrypted communication by transmitting the encrypted data;
    An encryption communication program for executing a process of adding a new encryption key to the buffer according to a speed at which the number of encryption keys in the buffer decreases while the encryption communication is continued.
  14.  メモリを備えるコンピュータに、
     暗号化データを受信することで暗号通信を行う処理と、
     前記暗号化データが受信される度に、前記メモリの内部の領域であるバッファに格納された暗号鍵のうち1つの暗号鍵を取得し、取得した暗号鍵を使用して前記暗号化データを復号することで通信データを生成するとともに、取得した暗号鍵を前記バッファから削除する処理と、
     前記暗号通信が継続している間、前記バッファ内の暗号鍵の数が減る速さに応じて、新たな暗号鍵を前記バッファに追加する処理と
    を実行させる暗号通信プログラム。     To a computer with memory,
    A process of performing encrypted communication by receiving encrypted data;
    Each time the encrypted data is received, an encryption key stored in a buffer that is an internal area of the memory is acquired, and the encrypted data is decrypted using the acquired encryption key. Processing to generate communication data and delete the acquired encryption key from the buffer;
    An encryption communication program for executing a process of adding a new encryption key to the buffer according to a speed at which the number of encryption keys in the buffer decreases while the encryption communication is continued.
PCT/JP2015/058065 2015-03-18 2015-03-18 Cryptographic communication device, cryptographic communication terminal, cryptographic communication method, and cryptographic communication program WO2016147340A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2017505944A JP6192870B2 (en) 2015-03-18 2015-03-18 Encryption communication apparatus, encryption communication terminal, encryption communication method, and encryption communication program
PCT/JP2015/058065 WO2016147340A1 (en) 2015-03-18 2015-03-18 Cryptographic communication device, cryptographic communication terminal, cryptographic communication method, and cryptographic communication program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2015/058065 WO2016147340A1 (en) 2015-03-18 2015-03-18 Cryptographic communication device, cryptographic communication terminal, cryptographic communication method, and cryptographic communication program

Publications (1)

Publication Number Publication Date
WO2016147340A1 true WO2016147340A1 (en) 2016-09-22

Family

ID=56919900

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/058065 WO2016147340A1 (en) 2015-03-18 2015-03-18 Cryptographic communication device, cryptographic communication terminal, cryptographic communication method, and cryptographic communication program

Country Status (2)

Country Link
JP (1) JP6192870B2 (en)
WO (1) WO2016147340A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111988142A (en) * 2020-08-25 2020-11-24 合肥美菱物联科技有限公司 Intelligent refrigerator key programming system and method
WO2022054410A1 (en) * 2020-09-10 2022-03-17 株式会社 東芝 Encryption communication system, key exchange node, application execution environment, control method, and program
WO2022163108A1 (en) * 2021-01-29 2022-08-04 株式会社 東芝 Quantum key delivery service platform

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022210700A1 (en) 2021-03-31 2022-10-06 堺化学工業株式会社 Electrically conductive material

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060062392A1 (en) * 2004-07-08 2006-03-23 Magiq Technologies, Inc. Key manager for QKD networks
JP2009510902A (en) * 2005-09-30 2009-03-12 ソニー エリクソン モバイル コミュニケーションズ, エービー Shared key encryption using a long keypad
JP2011044768A (en) * 2009-08-19 2011-03-03 Nec Corp Communication equipment and communication control method in steganographic communication system
WO2012025988A1 (en) * 2010-08-24 2012-03-01 三菱電機株式会社 Encryption device, encryption system, encryption method and encryption program
JP2014241463A (en) * 2013-06-11 2014-12-25 株式会社東芝 Communication device, communication method, program and communication system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060062392A1 (en) * 2004-07-08 2006-03-23 Magiq Technologies, Inc. Key manager for QKD networks
JP2009510902A (en) * 2005-09-30 2009-03-12 ソニー エリクソン モバイル コミュニケーションズ, エービー Shared key encryption using a long keypad
JP2011044768A (en) * 2009-08-19 2011-03-03 Nec Corp Communication equipment and communication control method in steganographic communication system
WO2012025988A1 (en) * 2010-08-24 2012-03-01 三菱電機株式会社 Encryption device, encryption system, encryption method and encryption program
JP2014241463A (en) * 2013-06-11 2014-12-25 株式会社東芝 Communication device, communication method, program and communication system

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111988142A (en) * 2020-08-25 2020-11-24 合肥美菱物联科技有限公司 Intelligent refrigerator key programming system and method
WO2022054410A1 (en) * 2020-09-10 2022-03-17 株式会社 東芝 Encryption communication system, key exchange node, application execution environment, control method, and program
JP2022046111A (en) * 2020-09-10 2022-03-23 株式会社東芝 Encryption communication system, key exchange node, application execution environment, control method, and program
WO2022163108A1 (en) * 2021-01-29 2022-08-04 株式会社 東芝 Quantum key delivery service platform

Also Published As

Publication number Publication date
JPWO2016147340A1 (en) 2017-06-08
JP6192870B2 (en) 2017-09-06

Similar Documents

Publication Publication Date Title
US10187361B2 (en) Method for secure communication using asymmetric and symmetric encryption over insecure communications
WO2018014723A1 (en) Key management method, apparatus, device and system
US8948377B2 (en) Encryption device, encryption system, encryption method, and encryption program
US9032208B2 (en) Communication terminal, communication system, communication method and communication program
US11784801B2 (en) Key management method and related device
US10103891B2 (en) Method of generating a deniable encrypted communications via password entry
US9237008B2 (en) Encryption device, encryption method, and encryption program
US9961056B2 (en) Method of deniable encrypted communications
US9306734B2 (en) Communication device, key generating device, and computer readable medium
JP6192870B2 (en) Encryption communication apparatus, encryption communication terminal, encryption communication method, and encryption communication program
WO2021129470A1 (en) Polynomial-based system and method for fully homomorphic encryption of binary data
KR20180053148A (en) A method and terminal device for encrypting a message
CN113221146A (en) Method and device for data transmission between block chain nodes
US20160294551A1 (en) Data processing system, encryption apparatus, decryption apparatus, and computer readable medium
CN101431411A (en) Dynamic encryption method for network game data
JP6301008B2 (en) Cryptographic communication system terminal device, cryptographic communication system relay device, and cryptographic communication system control method
CN113987600A (en) Computer system, data processing method and computer readable storage medium
CN106487761B (en) Message transmission method and network equipment
CN113422832B (en) File transmission method, device, equipment and storage medium
CN113038444A (en) Method and device for generating application layer key
JP2016139861A (en) Encryption device, encryption method and distribution system
CN111131158A (en) Single byte symmetric encryption and decryption method, device and readable medium
US9705858B2 (en) Information processing device and information processing method to maintain secret key for authentication
JP2007324767A (en) Communication method and communication device
US20230299953A1 (en) Quantum cryptographic communication system, key management device, and key management method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15885436

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2017505944

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15885436

Country of ref document: EP

Kind code of ref document: A1