JP2689383B2 - Encrypted communication system - Google Patents

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an encrypted communication system, and more particularly to an encrypted communication system in a system for communicating confidential information between a plurality of systems.

[Conventional technology]

Conventionally, as an encryption technology for performing secure communication,
The standard encryption method (DES) of the United States is known. For details of this encryption technology, see Nikkei Electronics, 1
September 68, 978, pp. 68-103, "Recent cryptosystems that can hardly be solved without a key". Further, as a technique related to another encryption method, there is known a technique for generating an encryption key by a random number, as described in, for example, Japanese Patent Laid-Open No. 60-171583.

[Problems to be solved by the invention]

By the way, in the encryption system, generally, if the key (encryption key or decryption key) information and the conversion algorithm (encryption algorithm or decryption algorithm) information are known, the ciphertext can be decrypted. Therefore, poor management,
If the key information and the conversion algorithm information are stolen due to carelessness, it becomes difficult to keep the communication confidential. For this reason, for example, as disclosed in Japanese Patent Laid-Open No. 60-171583, a method in which the encryption key is not fixed and an encryption key is generated according to a random number to change the encryption output However, in such a system, a random number mechanism is required, which complicates the configuration, and between the systems that perform encrypted communication, the encryption key and the decryption key on the transmission side and the reception side are included. There is a problem that the control for managing which key is associated with each other to manage encryption becomes complicated.

As a communication system between systems that perform communication of information that requires security protection, for example, a remotely installed ATM (Autom
atic Teller Machine) and the host computer are connected by a communication line, there is a system for communication. In this system, when carrying out a transaction process of cash transfer with an ATM machine, the user must enter the password of the secret code, which is confidential information, into the AT.
Input to M machine. The password entered by the user is encrypted and transmitted through the communication line. At this time, the encrypted data of the entered password is not available on the line or ATM.
If intercepted by the machine, there is a possibility of unauthorized use, for example, by sending a copy of the ciphertext itself onto the communication line by some means without decrypting the code. That is, with respect to the ciphertext itself being stolen, there is a problem that the illegal use cannot be prevented by the encryption using the fixed conversion algorithm and the fixed key.

The present invention has been made in order to solve the above-mentioned problems of the prior art, and an object of the present invention is to provide an encrypted communication system having a high degree of security against the theft of ciphertext itself. is there.

The above and other objects and novel features of the present invention are as follows.
It will become apparent from the description of the present specification and the accompanying drawings.

[Means for solving the problem]

The following is a brief description of an outline of typical inventions among the inventions disclosed in the present application.

(1) In an encrypted communication system in which confidential information is communicated between a plurality of systems, a transmission side system includes a time series information generation unit that generates time series information, a plurality of encryption algorithms and a plurality of ciphers. A key, one of the plurality of encryption algorithms and the plurality of encryption keys
An encryption processing means for encrypting data using a set of encryption algorithms and encryption keys; and a set of encryption algorithms and encryption keys used by the encryption processing means based on the time series information, Encryption selection instructing means for selecting and instructing from among a plurality of encryption algorithms and a plurality of encryption keys, time series information generated by the time series information generating means, and data encrypted by the encryption processing means And a receiving unit, wherein the receiving system receives the time series information and the encrypted data transmitted from the transmitting system,
A plurality of decryption algorithms and a plurality of decryption keys corresponding to a plurality of encryption algorithms and a plurality of encryption keys provided in the encryption processing means of the transmission side system;
Decryption processing means for decrypting data using one set of decryption algorithms and decryption keys among the plurality of decryption algorithms and the plurality of decryption keys, and the time series information transmitted from the transmission side system On the basis of the above, a set of the decryption algorithm and the decryption key used by the decryption processing means when decrypting the encrypted data transmitted together with the time series information from the transmission side system, And a decryption selection instructing means for instructing selection from a plurality of decryption keys.

(2) In the means of (1) above, the transmission side system uses the encryption algorithm and the encryption key, which have been used until the time series information is generated, as the encryption processing means. The encrypted time series information transmitted from the transmission side system is transmitted to the reception side system, and the reception side system transmits the encrypted time series information to the reception side system. Is used to perform decoding by the decoding processing means.

[Action]

According to the above-mentioned means (1), in the encrypted communication system, a time series information generating means for generating time series information such as time information or count information, a plurality of encryption algorithms and a plurality of ciphers in the transmission side system. An encryption processing means for encrypting data using one set of encryption algorithm and an encryption key in the key, and one set used by the encryption processing means based on the time series information from the time series information generating means. Selection instructing means for instructing to select the encryption algorithm and the encryption key, and transmitting means for transmitting the time series information and the encrypted data to the receiving side system.

Further, the receiving side system includes a receiving means for receiving the time series information and the encrypted data transmitted from the transmitting side system, and a set of a plurality of decoding algorithms and a plurality of decoding keys. Decryption processing means for decrypting data using a decryption algorithm and a decryption key, and decryption processing based on the time series information generated by the time series information generation means of the transmission side system transmitted from the transmission side system Selection instructing means for selecting and instructing a set of decryption algorithm and decryption key to be used in the means are provided.

Further, according to the above-mentioned means (2), the encryption processing means of the transmission side system further uses the encryption algorithm and the encryption key used until the time series information is generated. Then, the encrypted time series information is decrypted by the decryption processing means of the receiving side system by using the decryption algorithm and the decryption key used up to that point.

That is, in the encrypted communication system of the present invention, the transmission side system uses the plurality of encryption algorithms and the plurality of encryption keys according to the time series information generated by the time series information generation means provided in the transmission side system. The encryption processing means selects a set of encryption algorithms and encryption keys, and the encryption processing means encrypts communication data, or communication data and time series information, and transmits the encrypted communication data to the receiving system.

Further, in the receiving side system, the encryption selected by the transmitting side system from the plurality of decryption algorithms and the plurality of decryption keys is performed by the time series information generated by the time series information generating means provided in the transmitting side system. Communication data received by the decryption processing means by selecting one set of decryption algorithm and decryption key corresponding to the decryption algorithm and encryption key,
Alternatively, the communication data and the time series information are decoded.

As described above, in the encrypted communication system of the present invention, the encryption process and the decryption process use the conversion algorithm and the key that are changed according to the time of communication, based on the time-series information generated by the transmission side system. Since some information about the encryption algorithm and the encryption key provided in the sending system is known to a person who illegally obtains the data, when and how the conversion algorithm and the key are used. If it is not known whether or not and will be used for encryption, the code will not be decrypted and security will be enhanced.

Even if the encryption of some data is decrypted, the data encrypted with the changed unknown encryption algorithm and encryption key will not be decrypted.

Furthermore, even if all the conversion algorithm information and all the key information are known to a third party, if the conversion algorithm and the key combination used in the obtained ciphertext are not known, the decryption is not possible. It takes a lot of time,
Therefore, the degree of safety is considerably high.

Since the conversion algorithm used for encryption and the encryption key are different depending on the time zone, even if an illegal user sends a copy of the ciphertext over the line, the effective time of the specific ciphertext is limited. , It is possible to eliminate fraudulent use of the ciphertext itself.

〔Example〕

Hereinafter, an embodiment of the present invention will be specifically described with reference to the drawings.

In FIG. 1, 10 is a terminal device such as an ATM machine serving as a transmission side system, 11 is a clock mechanism for generating time information as time series information, 12 is an address generation circuit, 13 is a table memory, 14 is a processing memory, Reference numeral 15 is a processing device that performs encryption processing, and 16 is a transmission data holding unit that holds transmission data.

Further, 20 is a host computer which is a receiving side system, 22 is an address generation circuit, 23 is a table memory, 24 is a processing memory, 25 is a processing device for performing a decoding process, and 26 is a received data holding the decoded received data. It is a holding unit.

Here, the table memory 13 stores a plurality of encryption algorithm information and a plurality of encryption keys, and similarly, the table memory 23 stores a plurality of decryption algorithm information and a plurality of decryption keys.

Further, 30 is a communication line, and the communication line 30
A communication system is configured by connecting 10 and the host computer 20.

The terminal 10 is provided with a transmission means for transmitting the encrypted data and time information to the host computer 20, but it is omitted in FIG.

Similarly, the host computer 20 is provided with a receiving unit for receiving the encrypted data and time information transmitted from the terminal 10, but it is omitted in FIG.

Here, the clock mechanism 11 is the time-series information generation means of the present invention, the address generation circuit 12 and the table memory 13 are the encryption selection instruction means of the present invention, the processing memory 14, the processing device 15, and the transmission data holding section 16 Constitutes the encryption processing means of the present invention.

Further, the address generation circuit 22 and the table memory 23 constitute the decoding selection instructing means of the present invention, the processing memory 24, the processing device.
25 and the received data holding unit 26 constitute the decoding processing means of the present invention.

In the encrypted communication system shown in FIG. 1, the transmitting system is provided with a clock mechanism 11 for generating time information common to the encrypted communication system.

The time information generated by the clock mechanism 11 is given to the address generation circuit 12 of the transmission side system and the communication line 30.
Is given to the address generation circuit 22 of the receiving side system via.

When the address generation circuit 12 of the transmission side system receives the time information, in order to instruct the encryption algorithm and the encryption key to be selected corresponding to the time information, the address generation circuit 12 of the table memory 13 set in advance corresponding to the time information. Address information is generated and supplied to the table memory 13. In the table memory 13, according to the address information supplied from the address generation circuit 12,
One of the plurality of encryption algorithms and the plurality of encryption keys stored in the table memory 13 is selected and read,
An encryption algorithm to be used and an encryption key are given to the processing device 15. As a result, the processing device 15 stores the encryption algorithm and the encryption key selected and supplied from the table memory 13 in the processing memory 14, so that the encryption process can be performed using the selected encryption algorithm and encryption key. Become.
On the other hand, the transmission data to be transmitted from the transmission data holding unit 16 is supplied to the processing device 15, and the processing device 15 stores the data necessary for the processing by using the processing memory 14, Performs encryption processing. And the processing device
Reference numeral 15 transmits the encrypted transmission data to the host computer 20 of the receiving side system via the communication line 30.

On the other hand, in the host computer 20 of the receiving side system,
When the time information common to the encryption system generated by the clock mechanism 11 of the transmission side system is given to the address generation circuit 22 of the reception side system via the communication line 30, the address generation circuit 22
Receives the time information and selects the decryption algorithm and the decryption key corresponding to the time information (corresponding to the encryption algorithm and the encryption key selected by the transmission side system).
In order to instruct, the address information of the table memory 33 which is set in advance corresponding to the time zone information is generated and supplied to the table memory 23. Based on the address information supplied from the address generation circuit 22, the table memory 23 selects and reads one of the plurality of decoding algorithms and the plurality of decoding keys stored in the table memory 23, and the decoding algorithm to be used. And the decryption key to the processor 15. As a result, the processing device 25 stores the decryption algorithm and the decryption key selected and supplied from the table memory 23 in the processing memory 24, so that the decryption process of the encrypted data can be performed by the selected decryption algorithm and the decryption key. Like

On the other hand, the processing device 25 includes a communication line from the transmission side system.
The encrypted data transmitted via 30 is received and supplied, and the processing device 25 performs the decryption process of the encrypted data according to the decryption algorithm and the decryption key stored in the processing memory 24. . Then, the received data decoded by the processing device 25 is supplied to the received data holding unit 26 and held therein.

FIG. 2 is a block diagram specifically showing the processing operation of encrypted communication in the encrypted communication system of FIG. Further, FIG. 3 is a flowchart showing the operations of the encryption processing and the decryption processing in the transmission side system and the reception side system.

First, with reference to FIG. 2, the structure of table data used in the processing operations of the encryption process and the decryption process will be described. In the terminal 10 of the transmission side system, the address generation circuit 12 generates an address in a table system from the given time information, so that the address generation circuit 12 has time zone information 2a, an encryption algorithm address 2b, and an encryption key address. 2c
An address generation table 2 in which is stored as table data is provided. Further, the table memory 13 stores the encryption algorithm 3b in association with the encryption algorithm address 3a and stores a plurality of encryption algorithms as table data.
And store the encryption key 4b in association with the encryption key address 4a,
An encryption key table 4 that stores a plurality of encryption keys as table data is provided.

On the other hand, also in the host computer 20 of the receiving side system, since the address generation circuit 22 similarly generates an address from the given time information by the table method, the address generation circuit 22 has time zone information 7a and decoding algorithm address 7b. An address generation table 7 storing the decryption key address 7c as table data is provided. The table memory 23 stores the decryption algorithm 8b in association with the decryption algorithm address 8a, and the decryption algorithm table 8 storing a plurality of decryption algorithms as table data and the decryption key address 9a. Corresponding decryption key 9b
And a decryption key table 9 storing a plurality of decryption keys as table data.

In FIG. 3, the flowchart on the left side is a flowchart showing the operation of the encryption processing of the transmitting side system. The flowchart on the right side is a flowchart showing the operation of the decoding process of the receiving side system.

The processing operation will be described with reference to the flow chart of FIG. 3 while referring to FIG. In the terminal of the transmission side system that performs the encryption process, first, when a transmission request is generated on the terminal side, in step 51, the clock mechanism 11 sends time information (T = T = (9:30) is sent to the address generation table 2 and the time information is transferred to the host computer side of the receiving system. At this time, the time information to be transferred to the host computer is transmitted via the encryption processing unit 5 and the decryption processing unit 6 which hold the conversion algorithm and the key used up to that time to the communication line. Is transmitted in the form of ciphertext. Then in step 52,
By referring to the time zone information 2a in the address generation table 2 from the given time information, the algorithm address of the encryption algorithm address 2b from the time zone in which the time information enters,
Read out the key address of the encryption key address 2c. That is, in the address generation table 2, the time information T = 9: 30 is used as a reference key to refer to the time zone information 2a, and the algorithm address for the encryption algorithm table 3 and the key address for the encryption key table 4 are entered from the corresponding time zone column. And are read. Next, in step 53, the algorithm b of the encryption algorithm 3b is read from the encryption algorithm table 3 using the obtained algorithm address as a reference key. Then, in step 54, the key A of the encryption key 4b is read from the encryption key table 4 using the obtained key address as a reference key. Next, in step 55, the read encryption algorithm b and key A are supplied to the encryption processing unit 5. As a result, the encryption program is set in the encryption processing unit 5 by the encryption algorithm b and the key A, and the preparation for the encryption processing for performing confidential communication is completed. next,
In step 56, the transmission data holding unit 16 sends the transmission data to the encryption processing unit 5, which encrypts the transmission data and transmits it via the communication line. In this way, encrypted communication is started.

On the other hand, in the host computer of the receiving side system that performs the decryption processing, in step 61, the time information transmitted from the terminal is received and this time information (T = 9: 30) is sent to the address generation table 7. . Then in step 62,
The given time information is used as a reference key to refer to the time zone information 7a in the address generation table 7, and the algorithm address of the decryption algorithm address 7b and the key address of the decryption key address 7c are calculated from the time zone in which the time information enters. Read. Next, at step 63, the algorithm b'of the decryption algorithm 8b is read from the decryption algorithm table 8 using the obtained algorithm address as a reference key. Then, at step 64, the key A'of the decryption key 9b is read from the decryption key table 9 using the obtained key address as a reference key. Next, in step 65, the read decryption algorithm b ′ and the key A ′ are supplied to the decryption processing unit 6.
As a result, the decryption processing unit 6 sets the decryption program with the encryption algorithm b ′ and the key A ′, and the preparation for the decryption process for the confidential communication is completed. Next, in step 66, the encrypted data is received from the terminal, the decryption processing unit 6 performs the decryption process, and the plaintext data from the ciphertext data is converted into the received data holding unit 26.
Output to

Next, a modified example of such an embodiment will be described.
According to the above-described embodiment, the encryption process of the encryption processing unit and the decryption process of the decryption processing unit use the conversion algorithm and the key, respectively, but use the conversion algorithm that does not require the key. May be. In this case, a conversion algorithm table that provides multiple conversion algorithms only is provided, and only the conversion algorithm is selected by the selection instruction based on time-series information, and the encryption processing and the decryption processing are performed using the selected conversion algorithm. And perform ciphertext communication.

Further, in the above-described embodiment, at the timing of referring to the address generation table 2 as the timing of changing the conversion algorithm and the key in the encryption processing unit and the decryption processing unit, a communication request is generated in the terminal device and Although the time is set to the time when the time stamp is performed, the timing may be, for example, for each communication session, each text, or every certain time interval.

In addition, the table storing the table data used in the processing operations of the encryption processing and the decryption processing is all rewritable memory (RAM: Randam Access Mem
Each table data of the terminal 10 can be rewritten by online loading from the host computer 20 or by delivering a medium such as a floppy disk created by the host computer 20. Is also good. As a result, the conversion algorithm and the type of key to be used can be varied over a wider range, and the security level of confidential communication is further enhanced. Also, if the host computer has a conversion algorithm and a key database, the possible combinations can be made even larger, so the security level of confidential communication becomes very high.

Further, in the above description of the embodiments, the encrypted communication shows only one-way communication from the terminal 10 to the host computer 20, but in the case of two-way communication, the decryption processing unit is included in the terminal 10. Since the host computer 20 is provided with an encryption processing unit, bidirectional encrypted communication can be similarly performed.

Further, in the present embodiment, the timepiece itself is used as the timepiece mechanism 11, but any kind of timepiece information can be used as long as it is capable of generating time-series information such as a counting function and a clock function. good. Further, although the address generation circuits 12 and 22 use the table reference method, the present invention is not limited to this, and a circuit means for generating a predetermined address by, for example, a function operation may be used.

Furthermore, the clock mechanism 11 may be provided not on the terminal 10 side but on the host computer 20 side. This clock mechanism
11 may be installed anywhere as long as it can generate time-series information common to the encryption system, for example, by using the clock mechanism of the host computer, all connected to the host computer. The time information of the terminal may be based on the time stamp of the clock mechanism of the host computer.

When operating the above-described encrypted communication system of the present embodiment, for example, if the address generation table is rewritten every day or at regular intervals so that the same conversion algorithm and key are not used every day at the same time, The safety level of the system can be further increased. However, in this case, it is necessary to complete the setting of the necessary table data between the systems that perform the confidential communication, and to determine in advance from what time the communication will be performed according to the contents of the updated table data.

FIG. 4 is a diagram showing an example of an address generation table for operating this encrypted communication system. As shown in FIG. 4, the address generation table 2 is created by associating it according to the daily work schedule 40 that is already determined by the center (host computer). By creating such an address generation table, it is possible to perform an appropriate encryption process during a day or a certain time period of a certain period. For example, in Fig. 4, the system setup time from 8:00 to 8:30 is the time for data transfer for exchanging system setup information between the host computer and the terminal, so confidential information is not transferred. Absent. Therefore, the encryption process is not performed, and the conversion algorithm and the key for this are not set. Between 8:31 and 9:00 of the next time period, since it is a time period for transferring the sales information of the previous day, encryption processing that is difficult to decipher to some extent is performed. Therefore, algorithm a is used as the conversion algorithm and key A is used as the key. To set. From 9:01 to 12:00, which is the next time zone, is the time zone during which customer information is transferred, so algorithm b is used as the conversion algorithm and key is used as the key so as to perform encryption processing that is extremely difficult to decipher. B
Set. Similarly, a conversion algorithm and a key are set for each time zone to create an address generation table. By operating the encrypted communication system from the address generation table created in this way, flexible confidential communication can be performed.

As mentioned above, although the present invention was explained concretely based on an example, the present invention is not limited to the above-mentioned example.
It goes without saying that various changes can be made without departing from the scope of the invention.

〔The invention's effect〕

The effects obtained by the representative one of the inventions disclosed in the present application will be briefly described as follows.

(1) According to the present invention, the transmission system changes the encryption algorithm and the encryption key based on the time-series information generated by the transmission system, and the reception system determines the decryption algorithm and the decryption key. Since the encrypted communication is changed and the encrypted communication is performed, the security of the encrypted communication system is increased.

(2) According to the present invention, since a plurality of keys and a plurality of conversion algorithms are used, even when a part of the information of the encryption key and the encryption algorithm is stolen, which encryption key and which encryption algorithm are used at any time. Without knowing whether or not to perform encryption, the encryption of the illegally obtained ciphertext cannot be deciphered, and the security of the encrypted communication system increases.

(3) According to the present invention, even if all the encryption algorithm information and all the encryption key information are known to a third party, all the encryption algorithms are required to decrypt the obtained ciphertext. And all encryption key combinations have to be tried, so decrypting takes a lot of time,
Therefore, the security of the encrypted communication system is increased.

(4) According to the present invention, since the conversion algorithm and the encryption key used for encryption are changed depending on the time zone, the result of encryption processing of certain data is not always the same, and fraud caused by the illegal use of the ciphertext itself can be prevented. Can be prevented.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a main part of a cryptographic communication mechanism of an encrypted communication system according to an embodiment of the present invention, and FIG. 2 is a process of encrypted communication in the encrypted communication system of FIG. FIG. 3 is a block diagram showing the operation, FIG. 3 is a flowchart showing the operation of the encryption processing and the decryption processing in the transmission side system and the reception side system, and FIG. 4 is an address generation table for operating the encryption communication system. It is a figure which shows an example. In the figure, 10 ... Terminal (sending system), 11 ... Clock mechanism, 12 ... Address generation circuit, 13 ... Table memory, 14 ...
… Processing memory, 15 …… Processing device, 16 …… Sending data storage unit, 20 …… Host computer (receiving system), 22 ……
Address generation circuit, 23 ... table memory, 24 ... processing memory, 25 ... processing device, 26 ... reception data holding unit, 30 ...
… Communication line.

Claims (2)

(57) [Claims] 1. In an encrypted communication system for communicating confidential information between a plurality of systems, a transmitting system includes a time-series information generating means for generating time-series information, a plurality of encryption algorithms and a plurality of encryption algorithms. An encryption processing means for encrypting data using the plurality of encryption algorithms and one set of the encryption algorithms and the encryption keys among the plurality of encryption keys; and based on the time series information. And an encryption selection instructing means for instructing selection of a set of encryption algorithms and encryption keys used in the encryption processing means from the plurality of encryption algorithms and the plurality of encryption keys, and the time series information generation means. The time-series information generated in, and a transmission means for transmitting the data encrypted by the encryption processing means to the reception side system, the reception side system, A receiving means for receiving the time series information and the encrypted data transmitted from the transmitting side system, and a plurality of encryption algorithms and a plurality of encryption keys provided in the encryption processing means of the transmitting side system. A decryption process comprising a plurality of corresponding decryption algorithms and a plurality of decryption keys, and decrypting data using a set of the decryption algorithms and the decryption keys among the decryption algorithms and the decryption keys. Means, based on the time series information transmitted from the transmitting system,
A set of decryption algorithms and a decryption key used by the decryption processing unit when decrypting the encrypted data transmitted together with the time-series information from the transmission side system are the plurality of decryption algorithms and the plurality of decryption algorithms. And a decryption selection instructing means for instructing selection from among the decryption keys. 2. The transmission side system encrypts the time series information by the encryption processing means using the encryption algorithm and the encryption key used until the time series information is generated, The receiving side system transmits the encrypted time series information transmitted from the transmitting side system to the receiving side system by using a decryption algorithm and a decryption key that have been used up to that point. The encrypted communication system according to claim 1, wherein the encrypted communication system is decrypted by means.