Nothing Special   »   [go: up one dir, main page]

TW200841672A - Relaying apparatus - Google Patents

Relaying apparatus Download PDF

Info

Publication number
TW200841672A
TW200841672A TW96112719A TW96112719A TW200841672A TW 200841672 A TW200841672 A TW 200841672A TW 96112719 A TW96112719 A TW 96112719A TW 96112719 A TW96112719 A TW 96112719A TW 200841672 A TW200841672 A TW 200841672A
Authority
TW
Taiwan
Prior art keywords
encryption
layer
communication
tcp
network
Prior art date
Application number
TW96112719A
Other languages
Chinese (zh)
Inventor
Hirotsugu Ozaki
Keiko Ogawa
Original Assignee
Keiko Ogawa
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Keiko Ogawa filed Critical Keiko Ogawa
Publication of TW200841672A publication Critical patent/TW200841672A/en

Links

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

To provide a technology capable of preventing "leakage" and "falsification" of data and further "impersonation", "intrusion, and "attack" on the Internet in communication between personal computers and external devices without imposing loads of installation of software or hardware on the personal computers. A relaying apparatus 100 is provided with NIC (Network Interface Card) drivers 1a, 1b respectively connected to networks 200, 300, and with a network layer and a transport layer including the "TCP/IP"2 for stipulating a communication method for the communication between two optional nodes while carrying out routing for a physical layer and a data link layer including the NIC drivers 1a, 1b. Then a function of the "TCP2"3 is provided between the data link layer and the network layer.

Description

200841672 ⑴ 九、發明說明 【發明所屬之技術領域】 本發明係有關於,例如對位於傳輸層之TCP或UDP 協定追加加密機能而進行電子化資訊通訊之際所使用的理 想之中繼裝置。詳言之,係爲通訊中的安全系統,尤其是 用來防止網際網路上的資料「洩漏」及「竄改」、甚至「 僞裝」、「入侵」乃至「攻擊」。 【先前技術】 本案發明人,係早先爲了不改變上位應用程式而強化 資料之洩漏、竄改、僞裝、入侵、攻擊的防止機能,提供 了在送訊側和收訊側進行加密•解密邏輯的取決,將其適 用至存在於傳輸層之TCP或UDP所該當之協定之酬載上 ,而成爲新型加密系統TCP2 (國際公開wo 2005/0 1 5 827 A1號公報:以下簡稱專利文獻1 )。 • 近年來,利用網際網路的通訊,只要是Windows個人 電腦,則只要將其連上網路,任何人都能存取網路上的電 腦,因此在公司中急速地普及擴展中。另一方面,伴隨該 網際網路通訊的普及擴展,駭客(hacker )或快客( Cracker)侵入他人的電腦系統,偷窺軟體或資料,或進行 竄改或破壞,造成很大的社會問題。 作爲具體的不當妨礙之案例,首先舉例有,爲了使中 心系統無法使用,而從網路發送大量訊息的電腦系統運用 妨礙的系統妨礙。若因該妨礙導致主機超過負荷,則亦有 -4 - (2) (2)200841672 可能引發系統當機。 又還有,不當取得主機的密碼,盜取機密資訊,進行 資訊竄改或破壞的「不當存取和僞裝」的不當妨礙。該妨 礙是會隨意改寫電腦所保有的資訊,是陷害別人的卑劣伎 倆。又,潛伏在特定的個人電腦,詐取郵件位址或密碼等 個人機密資料的所謂間諜軟體的不當行爲也在發生。如此 不當窺視連接在網路上的電腦所持有之資料庫內容,所謂 的竊聽行爲正頻繁進行的可能性,是不可否定的。 又’在站台或是伺服器的營運商,蓄意盜取個人資訊 的行爲,或潛入公司內的間諜等所發動的網路恐怖攻擊([Technical Field] The present invention relates to an ideal relay device used for electronic information communication, for example, when an encryption function is added to a TCP or UDP protocol of a transport layer. In particular, it is a security system in communications, especially to prevent "leakage" and "tampering" of data on the Internet, or even "disguise", "intrusion" or even "attack". [Prior Art] The inventor of the present invention has previously provided the encryption and decryption logic on the transmitting side and the receiving side in order to enhance the prevention of data leakage, tampering, camouflage, intrusion, and attack in order not to change the upper application. It is applied to the payload of the TCP or UDP protocol that exists in the transport layer, and becomes the new encryption system TCP2 (International Publication No. WO 2005/0 1 5 827 A1: hereinafter referred to as Patent Document 1). • In recent years, Internet-based communications, as long as they are Windows PCs, can be accessed by anyone in the company as long as they are connected to the Internet and anyone can access the computers on the Internet. On the other hand, with the spread of the Internet communication, hackers or crackers invade other people's computer systems, peek into software or materials, or tamper with or destroy, causing great social problems. As a specific case of improper impediment, first, for example, a computer system that transmits a large amount of information from the network in order to make the central system unusable is hampered by a hindered system. If the host exceeds the load due to the obstruction, there is also -4 - (2) (2) 200841672 may cause the system to crash. Also, improperly obtaining the password of the host, stealing confidential information, and improperly impeding "improper access and disguise" of information tampering or destruction. This hindering is to arbitrarily rewrite the information held by the computer and is a despicable trick to frame others. In addition, misconduct of so-called spyware that lurks on a specific personal computer and swindles personal confidential information such as mail addresses or passwords is also occurring. In this way, it is impossible to peek into the contents of the database held by computers connected to the Internet. The possibility that so-called eavesdropping behavior is going on frequently is undeniable. Also, on the platform or the server operator, deliberately stealing personal information, or sneaking into the company to launch cyber terrorist attacks (

Cyber terrorism)之危機,現況下也是不能說完全不存在 〇 甚至,對他人電腦注入會使電腦造成障礙的程式亦即 「病毒」的此種不當妨礙,最近越來越多。該被注入的病 毒,會以郵件等感染在自宅使用之個人電腦,而將其連接 至公司內的瞬間,公司內的所有個人電腦都會感染,或是 病毒去破壞電腦中的檔案,甚至,也會造成網路全體當機 的問題。 因此,利用先前的 TCP/IP ( Transmission Control Protocol/Internet Protocol)或 UDP ( User Datagram Protocol )的網際網路上的通訊中,作爲防止資料的「洩 漏」、「竄改」等之機能,是利用了所謂IPsec ( SecurityThe crisis of Cyber terrorism cannot be said to be completely non-existent at the moment. 甚至 Even the improper handling of the "virus" that causes computer impediments to other people's computers has recently become more and more hampered. The injected virus will be infected with a personal computer used in the home by mail, etc., and when it is connected to the company, all the personal computers in the company will be infected, or the virus will destroy the files in the computer, or even It will cause problems for all the network to crash. Therefore, in the communication on the Internet using the previous TCP/IP (Transmission Control Protocol/Internet Protocol) or UDP (User Datagram Protocol), the function of preventing "leakage" or "tampering" of data is to use the so-called function. IPsec (Security

Architecture for Internet Protocol )或 SSL ( Secure S o c k e t L a y e r )這類加密通訊技術。 (3) 200841672 一般而言,加密通訊中雖然有共通金鑰(亦稱祕密金 鑰)加密方式和公開金鑰加密方式,但1 PSeC係使用共通 金鑰加密方式。共通金鑰加密方式是較公開金鑰加密方式 ,加密•解密的速度較快,是其特徵。該1P see所用之共 通金鑰加密方式,係以相同金鑰來進行加密和解密的方式 ,金鑰的生成係可於送訊側或收訊側之任一方生成,但是 由於收訊側和送訊側是使用共通金鑰,所以必須要細心注 φ 意在金鑰交換時,內容不可洩漏給外部。 共通金鑰加密方式中所用的演算法,係以DES ( Data Encryption Standard:美國IBM公司所開發的共通金綸( 祕密金鏡)加密演算法)爲代表。IP s e c也是將該D E S採 用爲加密演算法之一。IPsec,係由 IETF ( Internet Engineer Task Force)進行標準化,其特徵係,不是單純 地僅將特定之應用程式予以加密,而是從主機發送之所有 通訊皆在IP層級進行加密這點。 # 藉此,使用者可不必意識到應用程式,就可進行安全 的通訊。又,IPsec係爲了能跨越將來使用,可以不必改 變其本身的機制而只改變所使用的加密演算法。作爲被 IPsec所使用之共通加密金鑰,係使用稱作SPI ( Security Pointer Index )的32位元編碼,作爲金鑛交換協定係使用 IKE (Internet Key Exchange)。甚至,IPsec 中還準備了 完整性認證用的協定AH ( Authentication Header)。 又,SSL,係美國網景公司(Netscape,現在被A0L 吸收合倂)所開發的附加安全性機能的HTTP協定,藉由 -6 - (4) (4)200841672 利用其可使用戶端和伺服器在網路上能夠彼此認證,可將 信用卡資訊等高機密性資訊予以加密然後再進行交易。藉 此,可以防止資料的竊聽、重送攻擊(先竊聽網路上流過 的資料然後不斷重複送出的攻擊)、假冒(假冒本人而進 行通訊)、資料竄改等。 圖6之A係使用了先前之ipsec的加密通訊進行時的 協定堆疊(Protocol Stack)之例子,圖6的B係使用了 先前之SSL的加密通訊進行時的協定堆疊(Protocol S t a c k )之例子。 OSI參照模型,最下層(第1層)爲實體層(Encrypted communication technology such as Architecture for Internet Protocol) or SSL (Secure S o c k e t L a y e r). (3) 200841672 Generally speaking, although there are common key (also known as secret key) encryption method and public key encryption method in encrypted communication, 1 PSeC uses common key encryption. The common key encryption method is a more public key encryption method, and the encryption and decryption speed is faster, which is a feature. The common key encryption method used by the 1P see is a method of encrypting and decrypting with the same key. The generation of the key can be generated on either the transmitting side or the receiving side, but due to the receiving side and sending The message side uses a common key, so care must be taken to ensure that the content is not leaked to the outside when the key is exchanged. The algorithm used in the common key encryption method is represented by DES (Data Encryption Standard: Common Synthetic Gold (Secure Gold Mirror) Encryption Algorithm developed by IBM Corporation of the United States). IP s e c is also used as one of the encryption algorithms. IPsec, standardized by the Internet Engineer Task Force (IETF), is characterized by not simply encrypting a specific application, but encrypting all communications sent from the host at the IP level. # This allows users to communicate securely without having to be aware of the application. Moreover, in order to be able to use it over the future, IPsec can change only the encryption algorithm used without changing its own mechanism. As a common encryption key used by IPsec, a 32-bit encoding called SPI (Security Pointer Index) is used, and IKE (Internet Key Exchange) is used as a gold exchange protocol. Even the AH (Authentication Header) for integrity authentication is prepared in IPsec. In addition, SSL is the HTTP protocol for additional security functions developed by Netscape (Netscape, now absorbed by A0L). It can be used by -6 - (4) (4) 200841672 to enable the client and the server. The devices can authenticate each other on the network, encrypting confidential information such as credit card information and then transacting. In this way, it is possible to prevent data eavesdropping and resend attacks (first eavesdropping on data flowing over the network and then repeatedly sending out attacks), impersonation (for fake communication), data tampering, and the like. FIG. 6A is an example of a protocol stack when the previous ipsec encrypted communication is performed, and FIG. 6B is an example of a protocol stack using the previous SSL encrypted communication. . OSI reference model, the lowest layer (layer 1) is the physical layer (

Physical Layer),第 2 層爲資料鏈結層(Data link layer ),第3層爲網路層(Network Layer),第4層爲傳輸層 (Transport Layer),第 5 層爲會期層(Session Layer) ,第6層爲展現層(Presentation Layer),最上層(第7 層)爲應用層(Application layer)。該OSI參照模型中 的7階層,係將通訊機能分成7階段而表示,每一該階層 中都有定義了機能模組。圖6之A中,是圖示到第5層會 期層爲止。所謂「協定堆疊」,係指選擇出用來實現網路 上之各階層中的機能的程式,將之往上堆疊成爲階層狀的 軟體群。 首先,若槪略地說明0SI參照模型,則第1層的實體 層,係規定了訊號線的實體電氣特性或編碼的調變方法等 的層。只不過,很少僅單獨地以該層來定義•實作,通常 是和第2層的資料鏈結層,例如和乙太網路規格等,一倂 (5) (5)200841672 予以定義。 第2層的資料鏈結層,係規定了資料的封包化或實體 的卽點位址、封包的收發訊方法等的層。該層係規定了透 過實體的通訊媒體’在兩個節點之間進行封包交換所需之 協疋’是封各節點賦予某種位址,根據該位址而特定出封 包的送訊目的地,而將封包發送至通訊媒體上。 做爲通訊媒體有,銅配線或無線、光纖等,有各種媒 體。又’連接形態(Topology,拓撲)也並非只是i對1 的對向連接而已,而是有匯流排型或星型、環型等許多種 類。被發送至通訊媒體上的封包,在到達收訊側節點的時 間點上被該節點擷取,而交付給上位的協定層。 橫跨實體層和資料鏈結層而配置的NIC ( Network Interface Card,網路介面卡)驅動程式,係讓個人電腦和 印表機等連接至區域網路(LAN )上所需的擴充板卡。單 純稱作「網路卡」的時候則多半是指連接乙太網路的介面 卡。 藉由該NIC驅動程式,是設計成欲發送資料的節點( 機器)會先監視纜線上的空閒狀態,若纜線正處於空閒狀 態則開始送訊。此時,若是複數節點同時開始送訊則資料 會因在纜線內碰撞而導致破壞,因此兩者會中斷送訊,等 待一段亂數的時間後,再重新開始送訊。藉此可將一條纜 線讓複數節點共用來彼此通訊。 第3層的網路層,係規定任意2節點之間的通訊方法 的層。若以TCP/IP而言則相當於IP層。資料鏈結層中, (6) (6)200841672 雖然在同一網路媒體上的節點間可以進行通訊’但是該網 路層的作用,是使用其機能,讓存在於網路上的任意2節 點間,能夠進行繞送(routing )而進行通訊。 此處,所謂「繞送」,係指在TCP/IP網路中在將封 包送訊直到目的之主機爲止時,會選擇最佳路徑而送訊。 例如,在乙太網路中,雖然只有同一區段(segment )上 的節點彼此間可以互相通訊,但是在網路層中,在兩個乙 太網路區段間藉由將封包繞送就可進行通訊。 又,透過電話線路將電腦連接至網路(乙太網路)之 往撥接PPP ( Point to Point Protocol)線路的繞送,或使 用光纖之往專線的繞送等,是能夠不依靠實體的網路媒體 而進行繞送。爲了該目的,通常是對各節點賦予一不依存 於實體媒體的位址(若爲TCP/IP則是IP位址),根據其 而進行繞送。 IP sec,係在該網路層上,也就是以IP層次而將從主 機發送的所有通訊予以加密,因此使用者可不必意識到有 應用程式的存在就能進行安全的通訊。 第4層的傳輸層,係爲了讓在各節點上執行的兩個處 理程序(Process )之間,能夠沒有錯誤地,實現一虛擬的 通訊路而制定的協定。若以TCP/IP而論則相當於TCP層 。又,在網路層中,雖然提供了在2個節點間進行通訊的 機能,但是,本層的任務是,使用其而兩個處理程序( Process)之間,能夠沒有錯誤地實現一虛擬的通訊路。 亦即’雖然網路層中成夠傳送資料,但是並無法保證 -9 - (7) 200841672 資料是否確實地送達對方手裡。又,也不保證資料是以正 確送訊順序送達。於是,爲了對應用程式而言是容易使用 ,而提供沒有錯誤的通訊路的就是本層。在必要時會進行 資料的重送·修復處理等。 該傳輸層中雖然除了 T c p以外還配置了 U D P,但 UDP和TCP不同的地方在於,TCP是會進行資料的補償 的協定,是較爲低速的,相對於此,UDP是不進行資料補 • 償,而較爲高速。在電腦間的通訊主要是傳送資料的時候 則採用T C P,而在使用IP電話這類傳送聲音或影像的時 候則多半採用UDP。該通訊系統,係本案發明人在專利文 獻1中所首先提出。Physical Layer), the second layer is the data link layer, the third layer is the network layer, the fourth layer is the transport layer, and the fifth layer is the session layer (Session). Layer), the sixth layer is the Presentation Layer, and the top layer (the seventh layer) is the Application Layer. The 7-level in the OSI reference model is represented by dividing the communication function into 7 stages, and each of the levels has a function module defined therein. In Fig. 6A, it is illustrated until the fifth layer of the session layer. The term "agreement stacking" refers to the selection of programs for realizing functions in all levels of the network, and stacking them into a hierarchical software group. First, if the 0SI reference model is briefly explained, the physical layer of the first layer defines a layer of the physical electrical characteristics of the signal line or the modulation method of the coding. However, it is rarely defined solely by this layer. It is usually defined with the layer 2 data link, for example, and Ethernet specifications, as defined in (5) (5) 200841672. The data link layer of the second layer defines a layer of data packetization or entity address, packet transmission and reception methods, and the like. This layer specifies that the communication medium through the entity 'the association between the two nodes for packet exchange' is to give each node an address, and the destination of the packet is specified according to the address. The packet is sent to the communication medium. As a communication medium, there are various types of media, such as copper wiring or wireless, optical fiber, and the like. Moreover, the topology (topology) is not just the opposite connection of i to 1, but has many types such as busbar type, star type, and ring type. The packet sent to the communication medium is captured by the node at the point of arrival to the receiving side node and delivered to the upper protocol layer. The NIC (Network Interface Card) driver configured across the physical layer and the data link layer is used to connect PCs and printers to the expansion boards required on the local area network (LAN). . When it is simply called "network card", it is mostly referred to as an interface card connected to the Ethernet. With the NIC driver, the node (machine) designed to send data first monitors the idle state of the cable, and starts transmitting if the cable is in an idle state. At this time, if multiple nodes start transmitting at the same time, the data will be destroyed due to collision in the cable, so the two will interrupt the transmission, wait for a random amount of time, and then restart the transmission. This allows a cable to be used by multiple nodes to communicate with each other. The layer 3 of the network layer is a layer that specifies the communication method between any two nodes. If it is TCP/IP, it is equivalent to the IP layer. In the data link layer, (6) (6) 200841672 Although communication can be performed between nodes on the same network medium, the role of the network layer is to use its function to allow any two nodes existing on the network. It is possible to perform routing and communication. Here, "bypass" means that when the packet is transmitted to the destination host in the TCP/IP network, the best path is selected and transmitted. For example, in an Ethernet network, although only nodes on the same segment can communicate with each other, in the network layer, packets are bypassed between two Ethernet segments. Communication is possible. In addition, the connection of the computer to the network (Ethernet) to the PPP (Point to Point Protocol) line through the telephone line, or the use of the fiber to the private line, etc., can be independent of the entity Wrap around the network media. For this purpose, each node is usually given an address that does not depend on the physical medium (or IP address if TCP/IP), and is routed according to it. IP sec, at the network layer, encrypts all communications sent from the host at the IP level, so users can communicate securely without having to be aware of the existence of an application. The transport layer of the fourth layer is a protocol that can be implemented between two processing programs (Process) executed on each node without realizing a virtual communication path. If it is TCP/IP, it is equivalent to the TCP layer. Moreover, in the network layer, although the function of communication between two nodes is provided, the task of this layer is to use a virtual one without error between the two processes (Process). Communication road. That is to say, although the network layer is sufficient to transmit data, it cannot guarantee that the information is delivered to the other party -9 - (7) 200841672. Also, there is no guarantee that the data will be delivered in the correct order of delivery. Therefore, in order to be easy to use for an application, it is the layer that provides a communication path without errors. When necessary, data is re-delivered and repaired. In this transport layer, although UDP is configured in addition to T cp, the difference between UDP and TCP is that TCP is a protocol for compensating data, which is relatively low-speed. In contrast, UDP does not perform data supplementation. Repay, but relatively high speed. The communication between computers is mainly used to transmit data when using T C P, and when using IP phones to transmit sound or video, UDP is mostly used. The communication system was first proposed by the inventor of the present invention in Patent Document 1.

第5層的會期層,係規定了會期(從通訊開始至結束 爲止)之程序的層,在應用程式間開設連線而使其成爲可 通訊之狀態的層。該層中所配置的「通訊槽」(socket ) ’係意指將相當於電腦所持有之相當於網路上的住址的IP # 位址,和身爲1P位址之子位址的通訊埠號,加以組合而 成的網路位址。 在電腦彼此連線的時候,一定要指定通訊槽(IP位址 和通訊埠號的組合)才能進行連線。如圖6之B所示,先 前具有代表性的加密通訊技術S S L,就是在此會期層上實 現加密通訊。 第6層的展示層,是規定了會期(從通訊開始至結束 爲止)中所交換之資料的呈現方法或編碼、加密等等的層 。在TCP/IP協定中,並無相當於該層的部份,而是通常 -10- (8) (8)200841672 由應用程式本身來掌控串流資料的處理。 又’第7層的應用層,是爲了規定應用程式間交換資 料的層’在TCP/IP協定中,並無相當於該層的部份。例 如’電子郵件的格式,或文書的內部結構等,是規定了應 用程式間彼此需要進行資料交換時所需的共通之資料結構 的層。 圖6之A,係爲搭載著IP sec的標準協定堆疊,首先 ,在實體層(第1層)和資料鏈結層(第2層)中,設置 了 NIC Driver (網路介面卡驅動程式)。該驅動程式( Driver )’係用來將電腦等硬體連接至網路所需的介面卡 的驅動程式,其內容爲資料收送訊控制軟體。例如,其係 相當於用來連接 Ethernet (乙太網路)之 LAN機板或 LAN 卡。 第3層的網路層,係存在有一部份是延伸到傳輸層( 第4層)的IP模擬器(emulator)。該延伸至傳輸層的部 份內,並未實作有做爲傳輸層的機能。僅將網路層的機能 ,提供至會期層而已。該IP模擬器,係負責隨著用途而 切換有IPsec進行加密通訊的協定,和不進行加密通訊之 協定的IP。 又,第3層的網路層中配置著ARP ( Address Resolution Protocol,位址解析協定)。該ARP,係從IP 位址求出Ethernet的實體位址也就是MAC ( Media Access Control,媒體存取控制)位址所使用的協定。MAC,——般 稱爲媒體存取控制,是LAN等所利用的傳送控制技術’ -11 - (9) (9)200841672 是規定了資料收送訊單位的訊框之收送訊方法或訊框的格 式、錯誤訂正等之技術而被利用。 又,該網路層中,設置有:傳送IP的錯誤訊息或控 制訊息的協定 ICMP ( Internet Control Massage Protocol) ’和爲了使同一資料能有效率地配送至複數主機或接收配 送而構成的用來控制主機群組的協定IGMP ( lnternet Group Management Protocol)。然後,在網路層的上位層 之傳輸層中,配置了 TCP和UDP,在其上位層也就是會 期層中,配置了通訊槽(socket )介面。 圖6之B,係具備了 SSL作爲加密處理協定的標準協 定的例子,在網路層中不搭載IPsec,而是改以在通訊槽 (會期層)中搭載SSL。其他的協定均相同於圖6之A所 不 ° 先前之代表性的加密通訊技術中,IP sec係將IP封包 加密而進行收送訊,因此,利用TCP或UDP等之上位協 定的應用軟體是不必要意識到正在使用IP sec。 另一方面,在SSL中,在相互認證層級中是使用RSA (Rivest Shamir Adleman :取自公錄加密方式的開發者三 人的字頭)公鑰加密技術的數位憑證,在資料的加密中則 是使用DES等之共通金鑰加密技術。由於該SSL係位於 第5層的會期層,因此是依存於特定的應用程式上。 IPsec,係做爲防止OSI中之第4層(傳輸層)之更 下層的第3層(網路層)中的資料「洩漏」或「竄改」之 機能而實現者(例如,參照R.Atkinson,1995年8月’ 「 -12 - (10) 200841672The layer 5 of the session layer defines the layer of the program (from the beginning to the end of the communication), and sets up a connection between the applications to make it a layer of communication. The "communication slot" (socket) configured in this layer means the IP # address corresponding to the address on the network held by the computer, and the communication nickname which is the sub-address of the 1P address. , the combined network address. When connecting computers to each other, be sure to specify the communication slot (a combination of IP address and communication nickname) to connect. As shown in Figure 6B, the previously representative encrypted communication technology S S L is to implement encrypted communication on this session layer. The presentation layer of the sixth layer is a layer that specifies the presentation method or encoding, encryption, etc. of the data exchanged during the session (from the beginning to the end of the communication). In the TCP/IP protocol, there is no equivalent to the layer, but usually -10- (8) (8) 200841672 The application itself controls the processing of streaming data. Further, the application layer of the seventh layer is for specifying the layer of the exchange of information between applications. In the TCP/IP protocol, there is no equivalent to the layer. For example, the format of the e-mail, or the internal structure of the document, is a layer that defines the common data structure required for the exchange of data between applications. In Fig. 6, A is a standard protocol stack equipped with IP sec. First, in the physical layer (layer 1) and the data link layer (layer 2), the NIC Driver (network interface card driver) is set. . The driver (Driver) is a driver for connecting a computer and other hardware to the interface card required by the network, and the content is a data receiving and controlling software. For example, it is equivalent to a LAN board or LAN card used to connect to Ethernet (Ethernet). The layer 3 of the network layer has an IP emulator that extends to the transport layer (layer 4). The portion extending to the transport layer does not have a function as a transport layer. Only the functions of the network layer are provided to the session layer. The IP emulator is responsible for switching between IPsec for encrypted communication and IP for non-encrypted communication. Further, an ARP (Address Resolution Protocol) is placed in the network layer of the third layer. The ARP is a protocol used to determine the physical address of Ethernet from the IP address, that is, the MAC (Media Access Control) address. MAC, which is commonly referred to as media access control, is a transmission control technology used by LANs, etc. -11 - (9) (9) 200841672 is a method for receiving and transmitting messages of a data receiving and transmitting unit. The frame format, error correction, etc. are utilized. Further, the network layer is provided with an ICMP (Internet Control Massage Protocol) that transmits an IP error message or a control message, and a configuration for efficiently distributing the same data to a plurality of hosts or receiving and delivering the same data. Controls the IGMP (lnternet Group Management Protocol) of the host group. Then, in the transport layer of the upper layer of the network layer, TCP and UDP are configured, and in the upper layer, that is, the session layer, a communication slot (socket) interface is configured. Fig. 6B shows an example of SSL as a standard protocol for the encryption processing protocol. Instead of IPsec in the network layer, SSL is installed in the communication slot (session layer). The other protocols are the same as those in the previous Figure A. In the previously known encrypted communication technology, IP sec encrypts IP packets and sends and receives them. Therefore, application software using upper-party protocols such as TCP or UDP is It is not necessary to be aware that IP sec is being used. On the other hand, in SSL, in the mutual authentication level, a digital certificate using RSA (Rivest Shamir Adleman: prefix from the developer's three-way developer) public key encryption technology is used in the encryption of data. It is a common key encryption technology using DES. Since the SSL is at the layer level of the fifth layer, it is dependent on the specific application. IPsec is implemented as a function to prevent data leakage or tampering in the layer 3 (network layer) of the lower layer of the OSI layer 4 (transport layer) (for example, refer to R. Atkinson). , August 1995 ' -12 - (10) 200841672

Security Architecture for thelnternet Protocol」, RCF1825。)。相對於此,SSL係屬於在第5層的會期層 中的加密技術,是將現在網際網路上普遍使用的WWW ( World Wide Web,全球資訊網)或 FTP ( File Transport Protocol,檔案傳輸協定)等資料予以加密,是爲了安全 地收發牽涉隱私的資訊或企業祕密資訊等所用。 圖7所不的表丨係將I p s e c和s s [的機能做一比較所 • 記載而成。就該表所見,可看出IP sec和SSL是具有彼此 相反的優點和缺點。 例如’客戶端-客戶端間的通訊中,在SSL時,由於 其指令體系和通訊內容是主從關係,換言之是會變成客戶 端/伺服器,因此在不透過伺服器的情況下是無法進行客 戶端-客戶端間的通訊。亦即,當從終端A往終端B藉由 S S L將祕密資料予以加密而發送的時候,必定要在兩者間 存在有伺服器。相對於此,IPsec就沒有這方面的限制而 # 可直接進行通訊。 又,在 PPP( Point to Point Protocol)行動環境或是 ADSL (Asymmetric Digital Subscriber Line)環境中, IPsec係在資料之加密通訊開始前,決定加密方式、進行 金鑰交換、在使用了相互認證中使用之協定也就是IKE ( Internet Key Exchange)協定的通訊中,進行連線目標對 方之認證。 因此,在PPP行動環境(遠端客戶端)或是ADSL環 境下,由於IP位址無法固定,因此IPsec的閘道間最常使 -13- (11) 200841672 用的IKE的Main模式,也就是認證之際會使用通訊對 之IP位址資訊的模式,會變成無法使用。 此外,作爲其解決方案,可以藉由使用Aggressive 式,而可在ID資訊中不使用IP位址,而在ID資訊中 用例如使用者資訊,在既知共有金鑰中使用了使用者的 碼便可將對方加以特定。但是,由於Aggressive模式中 在和金鑰交換資訊相同的訊息中發送連線對象的ID, 此ID是沒有經過加密而直接以平文的方式送訊。 又,藉由利用 XAUTH ( Extended Authentication within IKE),雖然可以解決認證的問題,但是,在防 牆的設定上,由於來自遠端客戶端的存取,ip位址爲不 ,因此必須要完全許可IKE、IP sec,因此在安全上存留 題。SSL則是在該環境下仍可通訊。 又,IPsec,還有無法支援 NAT (Network Address Translation)或IP冒充的問題。爲了支援它們,必須要 倂使用例如使其裝載入UDP之酬載內的這類其他機能 行。 NAT,係連接著網際網路的企業等,將1個全球性 IP位址分享給複數電腦的技術,是能夠將僅在組織內通 之IP位址(區域位址)和網際網路上的位址(全球性 址)予以相互轉換的技術。無法支援NAT的原因是, 標頭是納入AH ( Authentication Header )的認證範圍, 此使得從該區域位址轉成全球性位址的相互轉換變成無 進行,不同子網路的區域位址彼此間的通訊也無法進行 方 模 使 密 是 因 火 明 問 合 才 的 用 位 IP 因 法 -14- (12) 200841672 又,所謂的IP冒充,係指使得從LAN內的帶有私人 位址的複數客戶端能夠向網際網路進行存取的設計,藉由 利用此’從外部(網際網路)只能看見正在執行IP冒充 的終端,因此在安全上來看是很理想的。IP sec無法支援 IP 冒充的理由是,IP sec 的 ESP ( Encapsulation SecuritySecurity Architecture for thelnternet Protocol", RCF1825. ). In contrast, SSL belongs to the encryption technology in the layer layer of the fifth layer, and is a WWW (World Wide Web) or FTP (File Transport Protocol) commonly used on the Internet. Encrypted data is used to securely send and receive information related to privacy or corporate secret information. The appearance of Figure 7 is a comparison of the functions of I p s e c and s s [ As seen in the table, it can be seen that IP sec and SSL have the opposite advantages and disadvantages. For example, in the client-client communication, in the case of SSL, since the command system and communication contents are master-slave relationships, in other words, they become client/server, so it is impossible to perform without the server. Client-client communication. That is, when the secret data is encrypted by the terminal S from the terminal A to the terminal B, it is necessary to have a server between the two. In contrast, IPsec does not have this limitation and # can communicate directly. In the PPP (Point to Point Protocol) mobile environment or the ADSL (Asymmetric Digital Subscriber Line) environment, IPsec determines the encryption method, performs key exchange, and uses mutual authentication before the data encryption communication starts. The agreement is also the communication of the IKE (Internet Key Exchange) agreement, which authenticates the connected target. Therefore, in the PPP action environment (remote client) or ADSL environment, since the IP address cannot be fixed, the IPsec gateway is most often used for the IKE main mode of -13- (11) 200841672, that is, The mode of using the IP address information of the communication pair at the time of authentication will become unusable. In addition, as a solution, the Aggressive type can be used, and the IP address can be not used in the ID information, and the user information can be used in the ID information, for example, the user's code is used in the known shared key. The other party can be specified. However, since the ID of the connection object is sent in the same message as the key exchange information in the Aggressive mode, the ID is sent directly in plaintext without being encrypted. Moreover, by using XAUTH (Extended Authentication within IKE), although the authentication problem can be solved, in the setting of the anti-wall, the ip address is not due to access from the remote client, so IKE must be fully licensed. , IP sec, so keep a question on security. SSL is still communicating in this environment. Also, IPsec has problems that cannot support NAT (Network Address Translation) or IP impersonation. In order to support them, it is necessary to use such other functions as loading them into the payload of UDP. NAT, a technology that connects Internet-based enterprises, etc., to share a global IP address to multiple computers, is capable of passing only the IP address (area address) and the Internet on the Internet. The technology that addresses (global sites) are converted to each other. The reason why the NAT cannot be supported is that the header is included in the authentication range of the AH (Authentication Header), which causes the mutual conversion from the address of the area to the global address to become non-initial, and the regional addresses of different sub-networks are mutually The communication is also unable to carry out the square model. The secret is the use of the IP address of the fire. The law is 14- (12) 200841672 In addition, the so-called IP impersonation refers to the plural from the LAN with a private address. The design that the client can access the Internet can be seen from the outside (internet) only by seeing the terminal that is performing IP impersonation, so it is ideal for security. The reason IP sec can't support IP impersonation is IP sec ESP ( Encapsulation Security

Payload :加密酬載)標頭是緊接在ip標頭的後面。 實作有IP冒充的一般路由器,是將IP標頭的緊臨後 • 部,判斷成有TCP/UDP的埠號。因此,若經由安裝有ip 冒充的路由器,則會導致該埠號變更,因此被IP sec判斷 爲遭到竄改,造成主機的認證無法進行之問題。此問題’ 可以藉由利用支援用來裝載入UDP之酬載的NAT-T ( NAT_Traversal)的產品來避免。 可是,若NAT-T的穿越方式不同,則即使是同樣支 援NAT-T的產品也無法彼此連線。SSL則是在該環境下仍 可通訊。 • 相對於此,對於駭客或快客這類網路的不當侵入者對 TCP/IP發動的各種攻擊,也就是所謂DoS攻擊(Denial of Service :阻絕服務攻擊),SSL是無力抵抗。針對 TCP/IP協定堆疊的DoS攻擊,例如,若進行TCP切斷攻 擊,則TCP會期會被切斷而導致SSL的服務停止。 由於IPsec係實作在第3層(IP層),因此是在IP 層上具有安全性機能,能夠防止針對TCP/IP (第4層、第 3層)的DoS攻擊。可是,由於SSL是實作在更上位於 TCP/IP (第4層、第3層)的層(第5層)的加密協定’ -15- (13) 200841672 因此無法防止對TCP/IP的DoS攻擊。 甚至,對於實體雜訊多的通訊錯誤頻發這類惡劣通訊 環境下的通訊,SSL係比IPsec還有效果。亦即,IPsec係 在偵測出錯誤的時候,就將重送的動作交給TCP處理。 TCP雖然會將重送資料送至IP sec,但IP sec會無法認識該 重送資料,而會導致重新進行加密。SSL則由於以TCP進 行錯誤的修復處理,因此不會對同一資料進行重新加密。 # 又,在IPsec中無法進行不同LAN間的通訊。亦即, LAN內的子網路位址的頒佈管理,係由位於 LAN內的 DHCP ( Dynamic Host Configuration Protocol)伺服器所 管理,因此在LAN內,是不會發配到相同的子網路位址 ,但是在不同LAN間通訊的時候,由於彼此之LAN內的 DHCP伺服器是各自發配子網路位址,因此有可能會發配 相同的位址。 在遇到此種發配到同一位址的情況下,在IP sec中是 ^ 無法通訊。但是,若另外建立IPsec-DHCP伺服器,管理 成不會發配到相同的位址,則可以通訊。s S L則由於是位 於上述O SI參照模型的第5層(會期層),因此可以下位 層的TCP來進行錯誤修復處理,即使在上記此種惡劣環境 下仍可通訊。 又,對於不同網路環境下的通訊,由於IPsec是必須 將所有經由的節點予以管理,變更設定令其可以讓IPsec 通過,因此管理上非常辛苦,但是S S L即使在該種環境下 ’也能毫無意識到經由的節點的環境而進行通訊。 -16- (14) (14)200841672 又,由於SSL並不支援UDP的通訊,因此無法進行 UDP的加密通訊。而TCP也僅可支援特定的埠’因此無 法使TCP所有的埠都進行加密通訊。相對於此’ IPsec係 無論UDP或TCP皆可進行加密通訊。 甚至,SSL還有對應用程式不具相容性的問題點存在 。應用程式,係在進行網際網路通訊之際,將通訊槽(第 5層)當作程式介面而使用。因此,當應用程式在使用 SSL (第5層)的時候,必須要將該通訊槽介面,變更成 SSL介面。因此,SSL不具應用程式的相容性。 相對於此,IPsec由於是位於通訊槽(第5層)以下 ,因此應承程式只要將通訊槽(第5層)當作程式介面而 直接使用即可,故具應用程式之相容性。又,IPsec是以 IP位址單位來進行控制,相對於此,SSL是以資源單位( URL單位、資料夾單位)來進行控制。 甚至,IP s e c還有最大區段大小會縮小的問題。亦即 ,由於IPsec中使用了 ESP標頭(header )、ESP掛尾( trailer ),因此酬載(Payload )變小,所以會發生斷片( 封包的分割),使得吞吐量(throughput )降低。又, TCP封包中,由於斷片是被禁止的,因此必須以端點對端 點的方式,掌握讓IP s e c通過的環境,來設定不使斷片發 生的最大區段大小。對此,S S L則是由於沒有必要把握通 過的環境,因此不需要設定最大區段大小。 以上,雖然根據表1 (圖7)說明了 IPSec和SSL的 機能比較,但如上述,IPsec和SSL,其優點和缺點是彼 -17- (15) 200841672 此混合存在。相對於此,本案發明人在之前已經 含這些IPsec和SSL所有的優點,且具有更多好 性之加密通訊協定,亦即TCP2 (參照專利文獻1 亦即在專利文獻1所記載之發明中,係不需 防止對電腦終端不當入侵的「加密機能」分別實 程式內,因此,應用程式本身不需要重新作成, 援上記加密機能的通訊對方也能進行先前的平文 # 至即使在無法利用IPsec的環境(或者不想利用 下,也能受到加密或認證之恩惠。 圖8係本案發明人之前於專利文獻1中所提 通訊系統之一實施形態中所用的協定堆疊。 該專利文獻1所記載之發明中所用之協定堆 圖8所示,在相當於OSI7階層的實體層(第1 料鏈結層(第 2層)的階層中,排列有NIC Interface Card )驅動程式 1 1。該驅動程式,係 • 是用來將電腦等硬體連接至網路所需的介面卡的 ,其內容爲資料收送訊控制軟體。例如,其係相 . 連接Ethernet (乙太網路)之LAN機板或LAN ^ , 第3層的網路層,係存在有一部份是延伸到 第4層)的IP模擬器(emulator) 13。上記延伸 並未實作有做爲傳輸之機能。而是僅將網路層的 供至會期層而已。該IP模擬器1 3,係負責隨著 換使用進行加密通訊的協定亦即「IPsec on CP」 IP on CP」13a。此處,所謂的「on CP」,係指 提出,包 處的革命 〇 ) 〇 要將用來 作在應用 且和不支 通訊,甚 的狀況) 出的加密 疊,係如 層)和資 (Network 如前述, 驅動程式 當於用來 c ° 傳輸層( 部份中, 機能,提 用途而切 13b 和「 會成爲被 -18- (16) (16)200841672 侵入防護器(CP )視爲「假冒」或「侵入」「攻擊」的監 視、丟棄、切斷乃至於限制通過之對象,或是藉由設定而 可能成爲其者。Payload: The encrypted payload) header is immediately after the ip header. Implementing a general router with IP impersonation is to identify the TCP/UDP nickname immediately after the IP header. Therefore, if the nickname is changed via the router with the ip impersonation installed, the IP sec determines that it has been tampered with, causing the host's authentication to fail. This problem can be avoided by using a product that supports NAT-T (NAT_Traversal) used to load UDP payloads. However, if NAT-T traverses differently, even products that support NAT-T will not be able to connect to each other. SSL is still communicating in this environment. • In contrast, SSL is incapable of resisting various attacks on TCP/IP by improper hackers such as hackers or hackers, such as the so-called DoS attack (Denial of Service). For a DoS attack on a TCP/IP protocol stack, for example, if a TCP cut attack is performed, the TCP session will be cut off and the SSL service will be stopped. Since IPsec is implemented at Layer 3 (IP layer), it has security functions at the IP layer and can prevent DoS attacks against TCP/IP (Layer 4, Layer 3). However, since SSL is implemented in the TCP/IP (Layer 4, Layer 3) layer (Layer 5) encryption protocol ' -15- (13) 200841672, it is impossible to prevent DoS on TCP/IP. attack. Even in the case of communication errors in a bad communication environment, such as communication errors in physical noise, SSL is more effective than IPsec. That is, when IPsec detects an error, it passes the resend action to TCP processing. Although TCP will send the resend data to IP sec, IP sec will not be able to recognize the resend data, which will result in re-encryption. SSL does not re-encrypt the same data due to incorrect repair processing with TCP. # Also, communication between different LANs cannot be performed in IPsec. That is, the promulgation management of the subnet address in the LAN is managed by a DHCP (Dynamic Host Configuration Protocol) server located in the LAN, so that the same subnet address is not allocated in the LAN. However, when communicating between different LANs, since the DHCP servers in each other's LANs are each assigned a subnet address, it is possible to assign the same address. In the case of such a match to the same address, it is not possible to communicate in IPsec. However, if an IPsec-DHCP server is additionally established, the management will not be delivered to the same address, and communication can be performed. Since s S L is located at the fifth layer (phase layer) of the above O SI reference model, the lower layer TCP can be used for error repair processing, and communication can be performed even in such a harsh environment. In addition, for communication in different network environments, since IPsec must manage all the nodes that pass through, and change settings so that IPsec can pass, it is very difficult to manage, but SSL can be used even in this environment. Communicate without being aware of the environment of the node being passed. -16- (14) (14)200841672 Also, since SSL does not support UDP communication, UDP encrypted communication cannot be performed. TCP can only support specific 埠', so it is impossible to encrypt all TCP ports. In contrast to the 'IPsec system, encrypted communication can be performed regardless of UDP or TCP. Even SSL has problems with applications that are not compatible. The application uses the communication slot (layer 5) as a program interface when communicating over the Internet. Therefore, when the application is using SSL (Layer 5), the communication slot interface must be changed to the SSL interface. Therefore, SSL is not application compatible. In contrast, since IPsec is located below the communication slot (Layer 5), it should be used as long as the communication slot (Layer 5) is used as a program interface, so that application compatibility is achieved. Further, IPsec is controlled by an IP address unit, whereas SSL is controlled by a resource unit (URL unit, folder unit). Even IP s e c has the problem that the maximum segment size will shrink. That is, since the ESP header (header) and the ESP trailer are used in IPsec, the payload (Payload) becomes small, so that fragmentation (packet division) occurs, and the throughput is lowered. In addition, in the TCP packet, since the fragment is prohibited, it is necessary to grasp the environment in which the IP s e c passes by the endpoint to the end point, and set the maximum extent size that does not cause the fragment to occur. In this regard, S S L is because there is no need to grasp the passing environment, so there is no need to set the maximum segment size. Although the performance comparison between IPSec and SSL has been described according to Table 1 (Fig. 7), as described above, the advantages and disadvantages of IPsec and SSL are that -17-(15) 200841672 exists. On the other hand, the inventors of the present invention have already included all the advantages of IPsec and SSL, and have more excellent encryption communication protocols, that is, TCP2 (refer to Patent Document 1, that is, the invention described in Patent Document 1, It is not necessary to prevent the "encryption function" of improperly invading the computer terminal from being executed in the program. Therefore, the application itself does not need to be re-created, and the communication partner who can support the encryption function can also perform the previous plain text # to even if IPsec cannot be used. The environment (or the use of the encryption or the authentication, which is not intended to be used.) Fig. 8 is a protocol stack used in an embodiment of the communication system proposed by the inventor of the present invention in Patent Document 1. The invention described in Patent Document 1 As shown in Fig. 8 of the protocol stack, the driver layer 1 is arranged in the physical layer (the first layer of the first layer (the second layer) of the OSI7 hierarchy). • It is the interface card required to connect a computer and other hardware to the network, and its content is the data receiving and receiving control software. For example, its phase. Connecting to Ethernet (Ethernet) LAN board or LAN ^, Layer 3 network layer, there is a part of the extension to the 4th layer of the IP simulator (emulator) 13. The extension is not implemented As a function of transmission, it only supplies the network layer to the session layer. The IP simulator 13 is responsible for the encryption communication with the use of IPsec on CP IP on CP. 13a. Here, the so-called "on CP" refers to the revolution of the package, and the encryption stack that is used for the application and the communication is not the case. (Network As mentioned above, the driver is used as the c ° transport layer (partial, function, lift and use 13b and "will become -18- (16) (16) 200841672 intrusion protector (CP)) The surveillance, discarding, and cutting of "fake" or "intrusion" and "attack" may even limit the passage of the object, or may become the person by setting.

又,在網路層中,配置了 「ARP on CP ( Address Resolution Protocol on Cracking Protector)」。該 ARP on CP,係從具備對抗侵入者(Cracker )保護對策之IP位 址來推求 Ethernet之實體位址亦即 MAC ( Media Access Control )位址時所使用的協定。MAC,一般稱爲媒體存取 控制,是LAN等所利用的傳送控制技術,是規定了資料 收送訊單位的訊框之收送訊方法或訊框的格式、錯誤訂正 等之技術而被利用。 此處,IP模擬器1 3,係爲了將本發明所述之各種安 全性機能,整合進先前之IP周邊堆疊所需之軟體或韌體 。亦即,是爲了整合傳送IP的錯誤訊息或控制訊息的協 定 ICMP (Internet Control Massage Protocol) 14a,和爲 了使同一資料能有效率地配送至複數主機或接收配送而構 成的用來控制主機群組的協定 IGMP ( Internet Group Management Protocol) 14b、TCP15、UDP16 還有通訊槽 (Socket)介面17,所需之軟體或靭體甚至是硬體(電子 電路、電子零件)。藉由該IP模擬器13,就能進行IP see 的加密•解密及必要之認證資訊附加•認證等之前後的適 宜處理。 該IP模擬器1 3上層的傳輸層(第4層)中,配置著 TCP模擬器15和UDP模擬器16。TCP模擬器15,係負 -19- (17) (17)200841672 責隨著用途而切換使用一屬於進行加密通訊之協定的「 TCPsec on CP」15b,和一屬於通常通訊協定之「TCP on CP」1 5a。同樣地,UDP模擬器16,係負責隨著用途而切 換使用一屬於進行加密通訊之協定的「UDPsec on CP」 16b,和一屬於通常通訊協定之「UDP on CP」16a。 該專利文獻1最大的特徵點,在於該傳輸層(第4層 )中,搭載有TCPsecl5b和UDPsecl6b之加密通訊協定。 關於TCPsecl 5b和UDPsecl 6b的詳細將於後述。 該傳輸層(第4層)上層的會期層(第5層)中,設 有和TCP及UDP等協定進行資料交換的通訊槽(Socket )介面1 7。該通訊槽的意義,如之前所述,係意指將相當 於電腦所持有之相當於網路上之住址的IP位址,和身爲 IP位址的子位址的通訊埠號,加以組合而成的網路位址, 實際而言,是將一連串之標頭的追加乃至消除予以統合進 行,是由單一的軟體程式模組(執行程式等)或單一的硬 體模組(電子電路、電子零件等)所構成。 該通訊槽介面1 7,係屬於提供來自更上位之應用程式 (圖2所示之EC應用程式及圖3所示的播送應用程式等 )的統一存取方式,其參數的種類和型式係設計成保持相 同於先前的介面。 TCP模擬器15,係在傳輸層中,負責將封包區分成, 具有資料洩漏•竄改的防止機能、亦即加密、完整性認證 及對方認證等機能的TCPsec 15b,和不具有此種加密、完 整性認證及對方認證等機能的通常之協定TCPl5a之任一 -20- (18) (18)200841672 者。又,由於無論TCPsec 15b及TCP 15a都具備侵入防護 器(CP ),因此無論選擇哪一者的情況,都能實現對快客 所致之「侵入」、「攻擊」的防禦機能。TCP模擬器15 亦擔任和位於上層之通訊槽之間的介面角色。 又,如之前所述,相對於TCP具有錯誤補償機能, UDP是不具有錯誤補償機能,但是,其所換來的是傳送速 度較快,且具備廣播機能,爲其特徵。UDP模擬器16, 係和TCP模擬器1 5同樣地,在傳輸層中,負責將封包區 分成,具有資料洩漏•竄改的防止機能、亦即加密、完整 性認證及對方認證等機能的UDP sec 16b,和不具有此種加 密、完整性認證及對方認證等機能的通常之協定UDP 1 6a 之任一者。 如圖8所示,由通訊槽17、TCP模擬器15、UDP模 擬器1 6、 「TCPsec on CP」1 5b、「UDPsec ο n C P」 16b、 「TCP on CP」15a、 「 UDP on CP」1 6a、 「 ICMP on CP」 14a、 「IGMP on CP」 14b、IP模擬器13、 「IP on CP」 13a、及「ARP on CP」12所成之協定堆疊係爲用來進行 本發明之加密處理的協定堆疊,以下將該協定堆疊總稱爲 TCP2。 此外,在TCP2中「IPsec on CP」13b雖然不是必須 含有的構成,但是亦可將「IP sec on CP」13b含於其中而 視爲TCP2。 專利文獻1所揭露的TCP2,係除了上述用來進行加 密處理的協定堆疊以外,亦包含有TCP、UDP、IP、IPsec -21 - (19) (19)200841672 、ICMP、IGMP、ARP之標準協定堆疊。而且,是在這些 標準協定中實作CP (侵入防護器)’而使其能防禦來自 對各協定堆疊通訊的攻擊,以及來自應用程式的攻擊(特 洛伊木馬、程式的竄改、正規使用者的不當使用)。 又,在TCP2中,實作有TCP模擬器15,該TCP模 擬器15從位於會期層的通訊槽(Socket ) 17 ’及位於網 路層的IP模擬器13來看,是保有相容性’因此從外部看 來是能夠和標準的T C P相同。實際上,T C P 2的機能,是 將TCP和TCP sec予以切換而執行。TCP sec,係本發明之 位於傳輸層的加密及認證機能。 又,同樣地,在TCP2中,實作有UDP模擬器16’ 而UDP模擬器16,從位於會期層的通訊槽(Socket ) 17 、及位於網路層的IP模擬器1 3來看,是保有相容性,因 此從外部看來是能夠和標準的UDP相同。實際上,TCP2 的機能,是將UDP和UDPsec予以切換而執行。UDPsec, 係專利文獻1所記載之發明的傳輸層中的加密及認證機能 〇 其次,針對TCP2中,屬於特別重要的機能也就是「 資料洩漏」防止機能的TCPsec 15b及UDPsec 16b,來加以 說明。 作爲TCPsecl5b及UDPsecl6b所用之加密•解密方法 (演算法、邏輯),係採用公知的祕密金鑰(共通金鑰) 加密演算法。例如,在1 960年代由IBM公司所開發的屬 於祕密金鑰加密演算法之DE S ( Data Encryption Standard -22- (20) (20)200841672 ),或採用其改良版的3 D E S。 又,亦可採用1992年瑞士工科大學的James L. Massey 氏和 Xuejia Lai 氏所發表的 IDEA ( International Data Encryption Algorithm),來做爲其他加密演算法。 該加密演算法,係將資料切割成64位元的區塊而予以加 密,且加密金鑰的長度爲1 2 8位元。是被設計成對於可高 效率破解祕密金鑰加密的線性密碼分析法或差分密碼分析 法,仍具有充分的強度。 又,做爲本發明所用之TCPsecl5b及UDPsecl6b的加 密方式,除了 可利用 FEAL( Fast data Encipherment ALgorithm ) 、MISTY、AES ( Advanced EncryptionFurther, "ARP on CP (Address Resolution Protocol on Cracking Protector)" is placed in the network layer. The ARP on CP is a protocol used to derive a physical address of Ethernet, that is, a MAC (Media Access Control) address, from an IP address that protects against cracker protection. MAC, generally referred to as media access control, is a transmission control technology used by LANs, etc., and is used to specify the format of the receiving and transmitting method of the data receiving and transmitting unit, the format of the frame, and the error correction. . Here, the IP simulator 13 integrates the software or firmware required for the previous IP peripheral stack in order to implement the various security functions described in the present invention. That is, it is an ICMP (Internet Control Massage Protocol) 14a for integrating an error message or a control message for transmitting IP, and a control group for controlling the host to efficiently deliver the same data to a plurality of hosts or receive distribution. Protocol IGMP (Internet Group Management Protocol) 14b, TCP15, UDP16 and Socket interface 17, the required software or firmware or even hardware (electronic circuits, electronic components). With the IP simulator 13, it is possible to perform IP before encryption and decryption, and necessary authentication information addition and authentication, and the like. In the transport layer (layer 4) of the upper layer of the IP simulator 13, a TCP emulator 15 and a UDP emulator 16 are arranged. TCP Simulator 15, which is negative -19- (17) (17) 200841672 Responsible for switching to use "TCPsec on CP" 15b, which is a protocol for encrypted communication, and "TCP on CP", which is a general communication protocol. 1 5a. Similarly, the UDP emulator 16 is responsible for switching between "UDPsec on CP" 16b, which is a protocol for performing encrypted communication, and "UDP on CP" 16a, which is a general communication protocol, for use. The most characteristic feature of Patent Document 1 is that an encrypted communication protocol of TCPsec 15b and UDPsec 16b is mounted in the transport layer (fourth layer). Details of TCPsecl 5b and UDPsecl 6b will be described later. In the session layer (the fifth layer) of the upper layer of the transport layer (the fourth layer), a communication slot (Socket) interface 17 for exchanging data with protocols such as TCP and UDP is provided. The meaning of the communication slot, as described above, means combining the IP address equivalent to the address on the network held by the computer and the communication number of the sub-address as the IP address. The network address is actually a combination of a series of headers and executions, a single software module (executive program, etc.) or a single hardware module (electronic circuit, Electronic components, etc.). The communication slot interface 17 is a unified access method for providing applications from higher-level applications (the EC application shown in FIG. 2 and the broadcast application shown in FIG. 3), and the types and types of parameters are designed. The same remains the same as the previous interface. The TCP emulator 15 is in the transport layer and is responsible for distinguishing packets into TCPsec 15b with data leakage and tampering prevention functions, that is, encryption, integrity authentication, and peer authentication, and does not have such encryption and integrity. Sexual certification and the other party's usual functions such as TCPl5a -20- (18) (18) 200841672. Further, since both the TCPsec 15b and the TCP 15a are provided with an intrusion preventer (CP), the defense function of "intrusion" and "attack" caused by the fast passenger can be realized regardless of which one is selected. The TCP emulator 15 also acts as an interface between the communication slots located on the upper layer. Further, as described earlier, UDP has an error compensation function with respect to TCP, and UDP does not have an error compensation function, but it is characterized by a faster transmission speed and a broadcast function. The UDP emulator 16 is similar to the TCP emulator 15. In the transport layer, it is responsible for distinguishing packets into UDP sec with data leakage and tampering prevention functions, that is, encryption, integrity authentication, and peer authentication. 16b, and any of the usual protocols UDP 1 6a that do not have such functions as encryption, integrity authentication, and counterpart authentication. As shown in FIG. 8, the communication slot 17, the TCP emulator 15, the UDP emulator 16, the "TCPsec on CP" 15b, the "UDPsec ο n CP" 16b, the "TCP on CP" 15a, and the "UDP on CP" are shown. 1 6a, "ICMP on CP" 14a, "IGMP on CP" 14b, IP simulator 13, "IP on CP" 13a, and "ARP on CP" 12 are formed by agreement stacking for performing the present invention. The agreed protocol stack, which is collectively referred to as TCP2 below. Further, although "IPsec on CP" 13b is not necessarily included in TCP2, "IP sec on CP" 13b may be included as TCP2. The TCP 2 disclosed in Patent Document 1 is a standard protocol including TCP, UDP, IP, IPsec -21 - (19) (19) 200841672, ICMP, IGMP, and ARP in addition to the above-mentioned protocol stack for performing encryption processing. Stacking. Moreover, CP (intrusion protector) is implemented in these standard protocols to protect against attacks from stack communication of various protocols, as well as attacks from applications (Trojan horses, tampering of programs, improper use of regular users) use). Further, in TCP2, there is implemented a TCP emulator 15, which is compatible from the communication slot (Socket) 17' located at the session level and the IP emulator 13 located at the network layer. 'So from the outside it is the same as the standard TCP. In fact, the function of T C P 2 is performed by switching between TCP and TCP sec. TCP sec is the encryption and authentication function of the present invention at the transport layer. Further, similarly, in TCP2, a UDP emulator 16' is implemented, and the UDP emulator 16 is viewed from a communication slot (Socket) 17 located at the session level and an IP emulator 13 located at the network layer. It is compatible, so it can be the same as the standard UDP from the outside. In fact, the function of TCP2 is to switch between UDP and UDPsec. UDPsec is an encryption and authentication function in the transport layer of the invention described in Patent Document 1. Next, TCPsec 15b and UDPsec 16b, which are particularly important functions in TCP2, are "data leakage" prevention functions. As the encryption/decryption method (algorithm, logic) used by TCPsecl5b and UDPsecl6b, a well-known secret key (common key) encryption algorithm is used. For example, DE S (Data Encryption Standard -22-(20) (20) 200841672), developed by IBM Corporation in the 1960s, is a secret key encryption algorithm, or a modified version of 3 D E S. Also, the IDEA (International Data Encryption Algorithm) published by James L. Massey and Xuejia Lai of the Swiss Engineering University in 1992 can be used as other encryption algorithms. The encryption algorithm encrypts the data by cutting it into 64-bit blocks, and the length of the encryption key is 1 2 8 bits. It is designed to be linear cryptanalytic or differential cryptanalysis that can efficiently crack secret key encryption and still has sufficient strength. Further, as the encryption method of TCPsecl5b and UDPsecl6b used in the present invention, in addition to FEAL (Fast data Encipherment ALgorithm), MISTY, AES (Advanced Encryption)

Standard )這類加密方式,其他還可利用自行作成的祕密 之加密•解密演算法。此處,FEAL係日本電信電話株式 會社(當時)所開發的加密方式,是屬於加密及解密都使 用相同金鑰的祕密金鑰型加密方式。該FEAL的優點,是 比DES能更高速地進行加密及解密。 其次,同樣屬於本發明所利用的加密方式的MISTY, 係三菱電機株式會社所開發的祕密金鑰型加密方式,和 IDEA同樣地將資料切割成64位元的區塊而予以加密。金 鑰長度爲1 2 8位元。加密和解密都使用相同金鑰這點和 DES等相同。該方式也是被設計成,對於可高效率破解祕 密金鑰加密的線性密碼分析法或差分密碼分析法,仍具有 充分的強度。 又’ AES,係美國商務部標準技術局所舉行的選定作 -23- (21) (21)200841672 業中,做爲美國政府下一世代標準加密方式,而取代現行 之標準加密方式的DES的次世代加密標準而著手開發者。 是從世界公開募集所蒐集來的數種加密方式中,於2000 年1〇月,採用了比利時的密碼開發者Joan Daemen氏和 Vincent Rij men氏所開發之名叫Rij ndael的方式。 如此,本發明的TCPsecl5b及UDPsecl6b的加密方式 ,除了可利用既知的各種祕密金鑰加密演算法,還可採用 使用者自行開發的祕密金鑰(共通金鑰)加密方式。 甚至,做爲用來防止所謂「僞裝」及「資料竄改」等 之「對方認證」及「完整性認證」的方法,是使用了利用 公繪或事前祕密共享(Pre-shared )的演算法,例如MD5 (Message Digest 5) 、SHA1 ( Secure Hash Algorithm 1 )等之認證演算法。又,亦可取代此類公知認證演算法, 改採用利用了自行開發的單方向函數的演算法。 該M D 5,係屬於一種被認證或數位簽章所使用的雜揍 函數(單向摘要函數),是以原文爲基礎而產生一固定長 度的雜湊値,藉由在通訊經路的兩端進行其之比對,就可 偵測出該原文在通訊途中是否遭到竄改。該雜湊値是取成 看似亂數的値,而若以其爲基礎是無法再生回原文的。又 ,其他的訊息要產生相同的雜湊値也是很困難的。 SHA1也是屬於一種被認證或數位簽章所使用的雜揍 函數,是從2的64次方位元以下的原文生成160位元的 雜湊値,藉由在通訊經路的兩端進行其之比對,就可偵測 出該原文在通訊途中是否遭到竄改。該認證演算法係亦被 -24- (22) 200841672 先前網際網路之加密通訊中具代表性的IPsec所j 此外,關於這些演算法,是被設計成可藉由 Diffie-Hellman)公鑰配送法,或和ipsec相同的 Internet Key Exchange)協定(UDP 璋號 500 ) 全的金鑰交換,而且,加密/完整性認證演算法 本身或其所需之金鑰的集合/定義區是會定期地 被協定驅動程式(TCPsecl5b、UDPsecl6b等) 〇 如上述專利文獻1所記載之發明中,藉由使 明人所提出之TCP2,就可實現不改變上位應用 強化資料之洩漏、竄改、僞裝、入侵、攻撃的防 提供了在送訊側和收訊側進行加密•解密邏輯的 其適用至存在於傳輸層之TCP或UDP所該當之 載上的新型加密系統。 可是於上述專利文獻1所記載之發明中,本 所提出的TCP2,是在個人電腦上以軟體、或是 式實裝。可是在此同時,爲了將此種軟體或硬體 人電腦上,必須要進行實裝所需之作業,或因爲 或硬體的實裝,也會使個人電腦本身的負擔增大 亦即’爲了將軟體或硬體安裝在個人電腦上 進行如上述之實裝所需作業,且對個人電腦本身 會增大。另一方面,上述使用T C P 2之加密系統 來防止網際網路上的資料「洩漏」及「竄改」、 裝」、「入侵」乃至「攻擊」的系統,是專門利 采用。 DH ( IKE ( 等進行安 (邏輯) 變更,而 排入時程 用本案發 程式而可 止機能, 取決,將 協定之酬 案發明人 硬體的形 實裝在個 此種軟體 〇 ,必須要 的負擔也 ,係爲用 甚至「僞 用在個人 -25- (23) 200841672 電腦和外部的通訊上。 本發明係有鑑於如此問題點而硏發, 於,對個人電腦係不須花費實裝軟體或硬 個人電腦和外部之通訊中,以簡單的手段 明人先前所提出的TCP2之機能。 【發明內容】 # 爲了解決上記課題,並達成本發明之 所記載之發明,係一種中繼裝置,係屬於 TCP或UDP協定追加加密機能而進行電 際所使用的理想之中繼裝置,其特徵爲, ,在與相對之對方裝置之間,取決所對應 輯;和協定加密手段,作爲收送訊之資訊 ,至少將協定之酬載,依照已被取決手段 輯,進行加密而送訊;和協定解密手段, ® 密之TCP或UDP協定之酬載,依照取決 密邏輯而進行解密;使用傳輸層之TCP驾 . 行基於加密及解密邏輯之通訊。 . 又,申請項2所記載之中繼裝置中, 密及解密邏輯之取決手段所作之可能成爲 及解密邏輯,記憶在記憶體乃至於實裝在 邏輯變更手段,將該已記憶乃至實裝之可 的加密及解密邏輯,定期地予以更新。 申請項3所記載之中繼裝置中,加密 本發明的目的在 體的負擔,而於 就能實現本案發 目的,申請項1 對位於傳輸層之 子化資訊通訊之 具備:取決手段 之加密及解密邏 單位的封包當中 所取決之加密邏 將已接收之已加 手段所取決之解 5 UDP協定來進 其特徵爲,將加 取決候補的加密 電路中;更具備 能成爲取決候補 及解密邏輯之取 -26 - (24) (24)200841672 決手段,係可關連於加密及解密邏輯,取決以不進行加密 的方式來對待平文之意旨。 【實施方式】 以下,參照圖面來說明本發明,圖1係適用了本發明 之中繼裝置的一實施形態之構成的區塊圖。 於圖1中,中繼裝置1 00,係其本身具有和個人電腦 同等之機能。然後該中繼裝置1 〇 〇,係設置有分別和網路 2 00、300 連接之 NIC (Network Interface Card)驅動程式 1 a、1 b。又,對於含有這些NIC驅動程式1 a、1 b的實體 層和資料鏈結層,設置含有「TCP/IP」2之網路層和傳輸 層,其係用來規定存在於網路200、3 00上的任意2節點 間,一面進行繞送(routing ) —面進行通訊所需之通訊方 法。 然後在這些資料鏈結層和網路層之間,係可設置本案 發明人之前所提出的「TCP2」3之機能。亦即該「TCP2」 3之機能,係除了可以軟體或硬體方式設置,還更可以將 用來控制該「TCP2」3之機能,或定期地變更加密及解密 邏輯,因應需要而以不進行加密的方式來對待平文之要旨 的取決等等所需之手段,當成外部機能(EXP·) 4而設置 〇 因此,在本實施形態中,藉由在中繼裝置內裝備了本 案發明人之前所提出的TCP2之機能,就可使得對個人電 腦係不須花費實裝軟體或硬體的負擔,而於個人電腦和外 -27- (25) (25)200841672 部之通訊中,防止網際網路上的資料「洩漏」及「竄改」 甚至「僞裝」、「侵入」乃至「攻擊」。 亦即本發明之中繼裝置1 00,係例如槪念圖的圖2所 示’是將TCP2實現成,進行加密通訊以及認證之通訊線 路上所連接之安全性閘道。 該圖2中含有TCP2之中繼裝置101、102,係由於不 依存於通訊的實體介面,因此可以連接於各式各樣的介面 。此處,包含 Ethernet、FDDI、PPP、無線 LAN、 IEEE 1 3 94的各種通訊介面,可以拿來作爲介面A (網路 300)、介面 B (網路 201、202)。 然後中繼裝置1 0 1,係將來自介面A的現有通訊資料 予以輸入,以TCP2加密,當成送往介面B的加密資料而 輸出。又,中繼裝置102,係將來自介面B的已加密之通 訊資料予以輸入,以TCP2解密,當成送往介面A的現有 通訊資料而輸出。此外,中繼裝置1 0 1和1 02,係在開始 通訊之際,用來認證彼此的TCP2的機能,當認證無法成 功時,則強制結束通訊。 於是,在此種通訊系統中,現有之通訊機器401和中 繼裝置101、現有之通訊機器402和中繼裝置102之間, 雖然分別進行現有通訊資料的交換,但由於中繼裝置1 〇 1 和中繼裝置1 〇 2之間是交換著加密通訊資料,因此可以防 止此部份的資料「洩漏」及「竄改」、甚至「僞裝」、「 入侵」乃至「攻擊」。 又’圖3中係圖示了更具體的通訊網路之一實施形態 -28- (26) (26)200841672 。於圖3中,在主機電腦A側,複數之個人電腦4〗i、 412、413是藉由Ethernet等網路201而連接,形成所謂 的LAN ( Local Area Network,區域網路)環境。因此, 此時用來進行與外部網路3 0 0之連接的中繼裝置1 〇 1,係 爲路由器。 另一方面,主機電腦主機電腦B側係設置單獨的個人 電腦420。因此’此時用來進行與外部網路3 00之連接的 中繼裝置102,係爲閘道,其與個人電腦420之間,例如 是被Ethernet所致之網路202所連接。然後,此時的外部 網路3 00,也是例如藉由Ethernet所連接。 然後,於此種通訊網路中,網路2 0 1、2 0 2之範圍係 進行現有通訊資料所致之交訊;於外部網路3 00的部份, 則是進行加密通訊資料所致之交訊。然後在此外部網路 3 〇〇部份的資料「洩漏」及「竄改」、甚至「僞裝」、「 入侵」乃至「攻擊」,就可被防止。 如此若依據本發明之中繼裝置,則將位於傳輸層之協 定予以加密而進行電子化資訊通訊之際所使用,具備··取 決手段,在與相對之對方裝置之間,取決所對應之加密及 解密邏輯;和協定加密手段,作爲收送訊之資訊單位的封 包當中,至少將協定之酬載,依照已被取決手段所取決之 加密邏輯,進行加密而送訊;和協定解密手段,將已接收 之已加密之協定之酬載,依照取決手段所取決之解密邏輯 而進行解密;使用傳輸層之TCP或UDP協定來進行基於 加密及解密邏輯之通訊,藉此,就可使得對個人電腦係不 -29- (27) 200841672 須花費實裝軟體或硬體的負擔,而於個人電腦和外部之通 訊中,能夠防止網際網路上的資料「洩漏」及「竄改」甚 至「僞裝」、「侵入」乃至「攻擊」。 最後,針對本發明之TCP2,相較於先前之ipsec或 SSL是具有哪些優點,根據圖4所示的表2及圖5來說明 。圖4的表2,係將上述圖7的表1之ipsec和SSL的機 能比較表中,追加TCP2的機能來圖示。 φ 由該表2可知,IPsec和SSL的各種問題點(這些都 在發明所屬之技術領域中說明過了),可藉由採用TCP2 而--解決。例如,在S S L中很難支援的,客戶端-客戶 端間之通訊、·針對TCP/IP協定的DoS攻擊,所有UDP或 TCP埠的安全通訊、應用程式必須變更通訊槽程式之限制 等,TCP2可完全支援。 又,對於在IPsec中很難支援的,錯誤頻發之惡劣環 境下的通訊、不同LAN間的通訊、經由複數電信公司的 # 連接、PPP行動環境、ADSL環境下的通訊,TCP2可完全 支援。甚至,對於在行動環境下或ADSL環境下使用VoIP (Voice over Internet Protocol)的網際網路電話,雖然 . IPsec及SSL具有表1及表2所示的問題,但若根據本發 明之TCP2,則無論在哪種環境下都可支援。 又,對於在不同LAN間或經由複數電信公司繞送的 LAN間,使用VoIP的網際網路電話,雖然IPsec和SSL 都無法支援,但若根據本發明之TCP2則可完全支援。 圖5係爲了說明TCP2的優越性的圖,是將沒有安全 -30- (28) (28)200841672 性的協定堆疊(a),和適用了先前之SSL的案例(b )、 適用了先前之IP sec的案例(c)、適用了本發明之TCP2 (TCPsec/UDPsec)的案例(d)的比較圖。 圖5(b)的SSL係如前述,由於是設在會期層(第5 層)的通訊槽上,因此不具有對上位的應用程式的相容性 。因此,S S L本身,還是存有上述問題。又,圖5 ( c )的 IP sec,係位於網路層(第3層),在IP層上沒有相容性 ,因此會受到構成網路上的上述各種限制。 相對於此,圖 24(d)的 TCP2(TCPsec/UDPsec), 係屬於在傳輸層(第4層)導入之加密技術,因此從應用 程式來看可直接利用,且從網路來看IP也能直接利用, 因此不會受到構成網路上的限制。 如以上所述,本發明的中繼裝置,係藉由使用本案發 明人先前提出的 TCP2,而和既有的加密處理系統相比較 ,尤其對於資料洩漏、竄改、僞裝、侵入以及攻擊,是具 有極高的安全性機能。 此外,本發明並非被限定於以上說明的實施形態,在 不脫離申請專利範圍所記載的本發明之宗旨的範圍內,當 然還包含更多實施形態。 【圖式簡單說明】 〔圖1〕適用了本發明之中繼裝置的一實施形態之構 成的區塊圖。 〔圖2〕將1^?2實現成,進行加密通訊以及認證之 -31 - (29) 200841672 通訊線路上所連接之安全性閘道的槪念圖。 〔圖3〕適用了本發明所述之中繼裝置的具體通訊網 路之一實施形態的構成圖。 〔圖4〕用來進行和先前技術之比較之說明的表圖。 〔圖5〕用來進行和先前技術之比較之說明的說明圖 〇 〔圖6〕先前之使用IPsec及SSL的標準通訊協定堆 疊的圖示。 〔圖7〕用來進行先前技術之說明的表圖。 〔圖8〕本案發明人之前所提出的TCP2之協定堆疊 的圖示。 【主要元件之符號說明】 la,lb,1 1 : NIC 驅動程式、 2 : TCP/IP、Standard) This type of encryption, other methods can also use the secret encryption and decryption algorithms. Here, FEAL is a secret key type encryption method developed by Japan Telecom Telephone Co., Ltd. (at the time), which is a secret key type encryption method that uses the same key for both encryption and decryption. The advantage of this FEAL is that it can encrypt and decrypt at a higher speed than DES. Next, the MISTY, which is also an encryption method used in the present invention, is a secret key type encryption method developed by Mitsubishi Electric Corporation, and is encrypted by cutting the data into 64-bit blocks in the same manner as IDEA. The key length is 1 2 8 bits. Both encryption and decryption use the same key as DES and so on. This approach is also designed to be sufficiently robust for linear cryptanalysis or differential cryptanalysis, which can efficiently decrypt secret key cryptography. Also, 'AES, selected by the Standards and Technology Bureau of the US Department of Commerce, -23-(21) (21)200841672, as the next generation of standard encryption for the US government, replaces the DES of the current standard encryption method. Developers of generational encryption standards. Among the several encryption methods collected from the public collection in the world, in the month of 2000, the method developed by Belgian password developers Joan Daemen and Vincent Rijmen was called Rij ndael. As described above, the encryption methods of TCPsecl5b and UDPsec16b of the present invention can be performed by using a known secret key encryption algorithm, and a secret key (common key) encryption method developed by the user. In addition, as a method for preventing "party authentication" and "integrity authentication" such as "disguise" and "data tampering", an algorithm using public painting or pre-shared secret sharing is used. For example, authentication algorithms such as MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm 1). In addition, it is also possible to replace such a well-known authentication algorithm and adopt an algorithm that utilizes a self-developed one-way function. The MD 5 belongs to a hash function (one-way digest function) used by an authenticated or digital signature, and generates a fixed length of hashes based on the original text, by performing at both ends of the communication path. The comparison can detect whether the original text has been tampered with during the communication. The hash is taken as a random number, and if it is based on it, it cannot be reproduced back to the original. Also, it is very difficult for other messages to produce the same hash. SHA1 is also a miscellaneous function used by a certified or digital signature. It generates a 160-bit hash from the original text of 64 or less elements of 2, and compares them at both ends of the communication path. It can detect whether the original text has been tampered with during the communication. The authentication algorithm is also representative of IPsec in the encrypted communication of the previous Internet by -24- (22) 200841672. In addition, these algorithms are designed to be distributed by Diffie-Hellman public key. Method, or the same Internet Key Exchange protocol as ipsec (UDP nickname 500) full key exchange, and the encryption/integrity authentication algorithm itself or the set/definition area of the required key is periodically By the protocol driver (TCPsecl5b, UDPsecl6b, etc.), as in the invention described in the above Patent Document 1, by making TCP2 proposed by the person, it is possible to realize leakage, tampering, camouflage, intrusion, The attack defense provides encryption and decryption logic on the transmitting and receiving sides that apply to the new encryption system that is present on the transport layer's TCP or UDP. However, in the invention described in the above Patent Document 1, the TCP 2 proposed in the present invention is implemented in a software or a form on a personal computer. However, at the same time, in order to put such a software or hardware on the computer, it is necessary to carry out the work required for the installation, or because of the hardware installation, the burden on the personal computer itself is increased. The software or hardware is installed on a personal computer to perform the work required for the above-described mounting, and the personal computer itself is increased. On the other hand, the above-mentioned system using the T C P 2 encryption system to prevent "leakage" and "tampering", "installation", "intrusion" and even "attack" of data on the Internet is specifically used. DH ( IKE (such as the security (logical) change, and the time-of-flight process can be used in this case to stop the function, depending on the hardware form of the inventor of the agreement, must be installed in such a software, must The burden is also used or even "pseudo-applied in the personal-25- (23) 200841672 computer and external communication. The present invention has been made in view of such a problem, and it is not necessary to pay for the personal computer system. In the communication of the software or the hard personal computer and the external communication, the function of TCP2 previously proposed by the person is clarified by a simple means. [Invention] In order to solve the above problem, the invention described in the present invention is achieved, and is a relay. The device is an ideal relay device used for electrical connection by adding an encryption function to the TCP or UDP protocol, and is characterized in that, depending on the corresponding device, the corresponding device is used; The information of the communication, at least the payment of the agreement, according to the method that has been determined, is encrypted and sent; and the agreement decryption means, the payload of the TCP or UDP agreement, according to the decision And decryption; using the transport layer of the TCP driver to communicate based on the encryption and decryption logic. In addition, in the relay device described in the application 2, the means of the secret and decryption logic may become the decryption logic, the memory In the memory and even in the logic change means, the encryption and decryption logic that has been memorized and installed can be periodically updated. In the relay device described in claim 3, the purpose of the present invention is encrypted. The burden can be achieved in this case. The application item 1 has the sub-information information communication at the transport layer: the encryption method of the means of decryption and the encryption logic determined by the packet of the decryption logic unit will have been received. The solution to the 5 UDP protocol is characterized by the fact that it will be added to the encryption circuit of the candidate; it can be used as a means of relying on the candidate and decryption logic -26 - (24) (24) 200841672 The encryption and decryption logics are based on the concept of plain text without encryption. [Embodiment] Hereinafter, the present invention will be described with reference to the drawings. A block diagram of an embodiment of the relay device of the present invention. In Fig. 1, the relay device 100 has its own function equivalent to that of a personal computer. Then, the relay device 1 is The NIC (Network Interface Card) drivers 1 a and 1 b are respectively connected to the network 200, 300. Further, for the physical layer and the data link layer including these NIC drivers 1 a and 1 b, A network layer and a transport layer containing "TCP/IP" 2, which are used to specify the communication required to communicate between any two nodes on the network 200, 300, while routing method. Then between these data link layers and the network layer, the function of "TCP2" 3 proposed by the inventor of the present invention can be set. That is to say, the function of "TCP2" 3 can be used to control the function of "TCP2" 3 or to change the encryption and decryption logic periodically, in addition to being able to be set in software or hardware. In the embodiment, the inventor of the present invention is equipped in the relay device by means of the encryption method to treat the essentials of the plain text, etc., as the external function (EXP·) 4 is set. The proposed function of TCP2 can prevent the personal computer from being burdened with software or hardware. In the communication between the personal computer and the external -27-(25) (25) 200841672, the Internet is prevented. The information "leakage" and "tampering" and even "disguise", "intrusion" and even "attack". That is, the relay device 100 of the present invention, as shown in Fig. 2 of the commemorative diagram, is a security gateway connected to the communication line which implements TCP2 for encrypted communication and authentication. The relay devices 101 and 102 including TCP 2 in Fig. 2 are connected to a wide variety of interfaces because they do not depend on the physical interface of the communication. Here, various communication interfaces including Ethernet, FDDI, PPP, wireless LAN, and IEEE 1 3 94 can be used as interface A (network 300) and interface B (network 201, 202). Then, the relay device 101 inputs the existing communication data from the interface A, encrypts it with TCP2, and outputs it as encrypted data sent to the interface B. Further, the relay device 102 inputs the encrypted communication material from the interface B, decrypts it by TCP2, and outputs it as the existing communication material sent to the interface A. Further, the relay apparatuses 1 0 1 and 102 are used to authenticate the functions of each other's TCP 2 at the time of starting communication, and when the authentication cannot be successful, the communication is forcibly terminated. Therefore, in such a communication system, the existing communication device 401 and the relay device 101, the existing communication device 402, and the relay device 102 exchange the existing communication materials, respectively, but the relay device 1 〇1 The exchange of encrypted communication data with the relay device 1 〇 2 can prevent this part of the data from being "leaked" and "tampered", or even "disguised", "invaded" or even "attacked". Further, Fig. 3 illustrates an embodiment of a more specific communication network -28-(26) (26)200841672. In Fig. 3, on the host computer A side, a plurality of personal computers 4, i, 412, and 413 are connected by a network 201 such as Ethernet to form a so-called LAN (Local Area Network) environment. Therefore, the relay device 1 〇 1, which is used to connect to the external network 300 at this time, is a router. On the other hand, a separate personal computer 420 is provided on the host computer B side of the host computer. Therefore, the relay device 102 for connecting to the external network 300 at this time is a gateway which is connected to the personal computer 420, for example, the network 202 by Ethernet. Then, the external network 300 at this time is also connected by, for example, Ethernet. Then, in such a communication network, the range of the network 2 0 1 , 2 0 2 is the communication caused by the existing communication data; the part of the external network 3 00 is caused by the encrypted communication data. Communication. Then, some of the information on the external network, "leakage" and "tampering", or even "disguise", "intrusion" and even "attack" can be prevented. As described above, according to the relay device of the present invention, when the protocol located at the transport layer is encrypted and used for electronic information communication, there is a means for determining, and the corresponding encryption is determined between the opposite device and the opposite device. And the decryption logic; and the agreement encryption means, as the information unit of the receiving and dispatching information, at least the agreement payload, according to the encryption logic determined by the means of the decision, is encrypted and sent; and the agreement decryption means, The received payload of the encrypted agreement is decrypted according to the decryption logic determined by the means of resolution; the TCP or UDP protocol of the transport layer is used for communication based on encryption and decryption logic, thereby enabling the personal computer不不-29- (27) 200841672 It is necessary to spend the burden of installing software or hardware, and in the personal computer and external communication, it can prevent the data on the Internet from being "leaked" and "tampered" or even "disguised". Invade and even "attack." Finally, the advantages of TCP2 of the present invention over previous ipsec or SSL are illustrated in accordance with Table 2 and Figure 5 shown in FIG. Table 2 of Fig. 4 shows the function of adding TCP 2 to the function comparison table of ipsec and SSL in Table 1 of Fig. 7 described above. φ As can be seen from Table 2, various problems of IPsec and SSL (all of which are described in the technical field to which the invention pertains) can be solved by using TCP2. For example, it is difficult to support in SSL, client-client communication, DoS attack against TCP/IP protocol, secure communication for all UDP or TCP ports, application must change the limitation of communication slot program, etc., TCP2 Fully supported. In addition, it is difficult to support in IPsec, communication in a bad environment with frequent errors, communication between different LANs, communication via multiple telecommunications companies, connection in PPP, and communication in ADSL environment. TCP2 is fully supported. Even for Internet telephony using VoIP (Voice over Internet Protocol) in a mobile environment or in an ADSL environment, although IPsec and SSL have the problems shown in Tables 1 and 2, if TCP2 is according to the present invention, It can be supported in any environment. Further, for Internet telephony using VoIP between LANs or between LANs that are circulated by a plurality of telecommunication companies, IPsec and SSL cannot be supported, but TCP2 according to the present invention can be fully supported. Figure 5 is a diagram for explaining the superiority of TCP2, which is a stack of agreements (a) without security -30-(28) (28)200841672, and a case (b) to which previous SSL is applied, applying the previous Case (c) of IP sec, comparison diagram of case (d) to which TCP2 (TCPsec/UDPsec) of the present invention is applied. The SSL of Fig. 5(b) is as described above, and since it is provided in the communication slot of the session layer (the fifth layer), it does not have compatibility with the upper application. Therefore, S S L itself still has the above problems. Moreover, the IP sec of FIG. 5(c) is located at the network layer (Layer 3) and has no compatibility at the IP layer, and thus is subject to the above various limitations on the network. On the other hand, TCP2 (TCPsec/UDPsec) of FIG. 24(d) belongs to the encryption technology introduced at the transport layer (layer 4), so it can be directly used from the perspective of the application, and the IP is also viewed from the network. It can be used directly, so it will not be subject to restrictions on the network. As described above, the relay device of the present invention is compared with the existing encryption processing system by using the TCP2 previously proposed by the inventor of the present invention, especially for data leakage, tampering, camouflage, intrusion, and attack. Extremely high security. In addition, the present invention is not limited to the embodiments described above, and various embodiments are of course included in the scope of the invention as set forth in the appended claims. BRIEF DESCRIPTION OF THE DRAWINGS [Fig. 1] A block diagram of a configuration of an embodiment of a relay device of the present invention is applied. [Fig. 2] Implementing 1^?2 for encrypted communication and authentication -31 - (29) 200841672 A memorial view of the security gateway connected to the communication line. Fig. 3 is a view showing the configuration of an embodiment of a specific communication network to which the relay device according to the present invention is applied. [Fig. 4] A table diagram for explaining the comparison with the prior art. [Fig. 5] An explanatory diagram for explaining the comparison with the prior art 〔 [Fig. 6] A diagram showing the previous standard communication protocol stack using IPsec and SSL. [Fig. 7] A table diagram for explaining the prior art. [Fig. 8] An illustration of the protocol stack of TCP2 proposed by the inventor of the present invention. [Symbol description of main components] la, lb, 1 1 : NIC driver, 2: TCP/IP,

3 : TCP2、 4 :外部電路、 12 : ARP on CP、 13 : IP模擬器、 13a: IP on CP、 1 3b : IPsec on CP、 14a : ICMP、 14b : IGMP、 15 : TCP、 -32- (30) 200841672 16 : UDP、 1 7 :通訊槽介面、 100,101,102:中繼裝置、 200,201,202,300:網路、 401,402 :現有之通訊機器、 411,412,413,420 :個人電腦3: TCP2, 4: external circuit, 12: ARP on CP, 13: IP simulator, 13a: IP on CP, 1 3b: IPsec on CP, 14a: ICMP, 14b: IGMP, 15: TCP, -32- ( 30) 200841672 16 : UDP, 1 7 : communication slot interface, 100, 101, 102: relay device, 200, 201, 202, 300: network, 401, 402: existing communication device, 411, 412, 413, 420: Personal computer

Claims (1)

(1) 200841672 十、申請專利範圍 1. 一種中繼裝置,係屬於對位於傳輸層之tcp或 UDP協定追加加密機能而進行電子化資訊通訊之際所使用 的理想之中繼裝置,其特徵爲, 具備: 取決手段,在與相對之對方裝置之間,取決所對應之 加密及解密邏輯;和 # 協定加密手段,作爲收送訊之資訊單位的封包當中, 至少將前記協定之酬載,依照已被前記取決手段所取決之 加密邏輯,進行加密而送訊;和 協定解密手段,將已接收之前記已加密之TCP或 UDP協定之酬載,依照前記取決手段所取決之解密邏輯而 進行解密; 使用前記傳輸層之TCP或UDP協定來進行基於前記 加密及解密邏輯之通訊。 • 2.如申請專利範圍第1項所記載之中繼裝置,其中 將前記加密及解密邏輯之取決手段所作之可能成爲取 .決候補的加密及解密邏輯,記憶在記憶體乃至於實裝在電 路中; 更具備邏輯變更手段,將該已記憶乃至實裝之可能成 爲取決候補的加密及解密邏輯,定期地予以更新。 3 ·如申請專利範圍第1項或第2項所記載之中繼裝 置,其中, -34- (2)200841672 前記加密及解密邏輯之取決手段,係可關連於前記加 密及解密邏輯,取決以不進行加密的方式來對待平文之意 旨。(1) 200841672 X. Patent application scope 1. A relay device is an ideal relay device used when electronic information communication is performed by adding encryption function to the tcp or UDP protocol of the transport layer. , with: relying on means, between the opposite device, depending on the corresponding encryption and decryption logic; and # agreement encryption means, as the information unit of the receiving and receiving information, at least the pre-record agreement payload, in accordance with The encryption logic that has been determined by the pre-recording method is encrypted and sent; and the protocol decryption means decrypts the payload of the TCP or UDP protocol that has been encrypted before it is received, according to the decryption logic determined by the pre-determined means. Communication using pre-recorded encryption and decryption logic using the TCP or UDP protocol of the pre-recorded transport layer. 2. 2. As claimed in claim 1, the relay device described in the first paragraph of the patent application, wherein the pre-recording encryption and decryption logic is determined by the means of encryption and decryption logic, which is stored in the memory and even in the memory. In the circuit; more logical means of change, the memory and even the installation may be the encryption and decryption logic depending on the candidate, regularly updated. 3 · As described in the patent device scope 1 or 2 of the relay device, where -34- (2) 200841672 pre-recorded encryption and decryption logic depends on the pre-record encryption and decryption logic, depending on The purpose of the plain text is not to be encrypted. -35--35-
TW96112719A 2005-04-07 2007-04-11 Relaying apparatus TW200841672A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2005111231A JP2006295401A (en) 2005-04-07 2005-04-07 Relaying apparatus

Publications (1)

Publication Number Publication Date
TW200841672A true TW200841672A (en) 2008-10-16

Family

ID=37415503

Family Applications (1)

Application Number Title Priority Date Filing Date
TW96112719A TW200841672A (en) 2005-04-07 2007-04-11 Relaying apparatus

Country Status (2)

Country Link
JP (1) JP2006295401A (en)
TW (1) TW200841672A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111801925A (en) * 2018-02-13 2020-10-20 区块链控股有限公司 Block chain based system and method for propagating data in a network

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111801925A (en) * 2018-02-13 2020-10-20 区块链控股有限公司 Block chain based system and method for propagating data in a network
CN111801925B (en) * 2018-02-13 2023-04-18 区块链控股有限公司 Block chain based system and method for propagating data in a network

Also Published As

Publication number Publication date
JP2006295401A (en) 2006-10-26

Similar Documents

Publication Publication Date Title
JP3783142B2 (en) Communication system, communication device, communication method, and communication program for realizing the same
US20100077203A1 (en) Relay device
Rescorla et al. Guidelines for writing RFC text on security considerations
US8886934B2 (en) Authorizing physical access-links for secure network connections
US20080141020A1 (en) Method and Apparatus for Providing Secure Streaming Data Transmission Facilities Using Unreliable Protocols
US20080133915A1 (en) Communication apparatus and communication method
Loughney et al. Security considerations for signaling Transport (SIGTRAN) Protocols
Cisco Introduction to Cisco IPsec Technology
Cisco Introduction to Cisco IPsec Technology
JP4757088B2 (en) Relay device
TW200841672A (en) Relaying apparatus
Stergiou et al. An alternative architectural framework to the OSI security model
JP4783665B2 (en) Mail server device
Rescorla et al. RFC3552: Guidelines for Writing RFC Text on Security Considerations
JP2007019633A (en) Relay connector device and semiconductor circuit device
Gabriel-Robez VPN and Firewall Traversal
JP2007019632A (en) Communication board and communication method
KR20090032072A (en) Relay device
JP2007329750A (en) Encrypted communication system
Raghavan et al. Virtual private networks and their role in e-business
Tiruchendur An Efficient Approach to Secure VPN based on Firewall using IPSec & IPtables
Thomas et al. A transparent end-to-end security solution
JP2007329751A (en) Encrypted communication system
WO2008021159A2 (en) Enforcing security groups in network of data processors