Cryptographic apparatus, encryptor, and decryptor

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Particular node for directing data and applying cryptography

Reexamination Certificate


Details

Classification: C713S152000, C713S162000
Type: Reexamination Certificate
Status: active
Number: 06775769

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to an apparatus for relaying data between a plaintext network and a ciphertext network and in particular to a cryptographic apparatus for encrypting plaintext data and decrypting ciphertext data, an encryptor for encrypting plaintext data, and a decryptor for decrypting ciphertext data.
2. Description of the Related Art
A basic architecture of a cryptographic apparatus using an encapsulation encryption technique typified by IPSEC (RFC2401-RFC2410) on a network assumes a router or a terminal.
FIG. 12 is a block diagram showing a general network configuration in the related art. An example in which cryptographic apparatus, each adopting a router or a terminal as a basic architecture, are installed in the network shown in FIG. 12 to construct a cipher communication system will be discussed.
In FIG. 12, S1 denotes a terminal connected to a local network LN1, S2 denotes a terminal connected to a local network LN2, R1 denotes a router connecting the local network LN1 and the Internet IN, and R2 denotes a router connecting the local network LN2 and the Internet IN; the terminals S1 and S2 communicate with each other through the Internet IN. Generally, a firewall function such as a filter works in the routers R1 and R2 connected to the Internet IN. Generally, the local networks LN1 and LN2 contain a plurality of routers forming part of the local network.
FIG. 13 is a block diagram showing the network configuration in which cryptographic apparatus each adopting a router as a basic architecture, hereinafter referred to as router-type cryptographic apparatus, are installed in the network shown in FIG. 12. In FIG. 13, ROE1 denotes a router-type cryptographic apparatus in the local network LN1, ROE2 denotes a router-type cryptographic apparatus in the local network LN2, SN1 denotes a newly defined subnet in which the router-type cryptographic apparatus ROE1 is installed, SN2 denotes a newly defined subnet in which the router-type cryptographic apparatus ROE2 is installed, and "internet VPN" is a VPN (Virtual Private Network) on the Internet that can be configured by installing the router-type cryptographic apparatus ROE1 and the router-type cryptographic apparatus ROE2. A communication data flow from the local network LN1 to the local network LN2 is indicated by the heavy-line arrow (plaintext is indicated by the solid part and ciphertext by the dotted part).
However, as shown in FIG. 13, to install the router-type cryptographic apparatus ROE1 in the local network LN1, the router of the router-type cryptographic apparatus ROE1 is newly installed in the local network LN1, and thus the network parameter settings of the terminals and routers in the local network LN1 must be changed to match the additional installation of the router-type cryptographic apparatus ROE1. A similar change must also be made in the local network LN2, in which the router-type cryptographic apparatus ROE2 is installed.
FIG. 14 is a block diagram showing the network configuration in which cryptographic apparatus each adopting a terminal as a basic architecture, hereinafter referred to as terminal-type cryptographic apparatus, are installed in the network shown in FIG. 12. In FIG. 14, SE1 denotes a terminal-type cryptographic apparatus in the local network LN1, SE2 denotes a terminal-type cryptographic apparatus in the local network LN2, and "internet VPN" is a VPN on the Internet that can be configured by installing the terminal-type cryptographic apparatus SE1 and the terminal-type cryptographic apparatus SE2. A communication data flow from the local network LN1 to the local network LN2 is indicated by the heavy-line arrow (plaintext is indicated by the solid part and ciphertext by the dotted part).
However, as shown in FIG. 14, to install the terminal-type cryptographic apparatus SE1 in the local network LN1, the network parameter settings of the terminals and routers in the local network LN1 must be changed so that communication data from the local network LN1 is directed to the terminal-type cryptographic apparatus SE1. A similar change must also be made in the local network LN2, in which the terminal-type cryptographic apparatus SE2 is installed.
Thus, to install a new cryptographic apparatus using the encapsulation encryption technique in a network of the related art, the network parameter settings of the terminals and routers in the local network connected to the cryptographic apparatus must be changed; this is a problem.
SUMMARY OF THE INVENTION
It is therefore an object of the invention to provide a cryptographic apparatus, an encryptor, and a decryptor which eliminate the need for changing the network parameters of other machines on a network when the cryptographic apparatus is installed, and can be easily installed in an existing network system.
According to an aspect of the invention, there is provided a cryptographic apparatus for relaying data between a plaintext network and a ciphertext network, the cryptographic apparatus comprising an encryption/encapsulation processing section for encrypting plaintext data received from the plaintext network, determining a cryptographic apparatus corresponding to the address set in the header of the plaintext data based on the predetermined correspondence between addresses and different cryptographic apparatus, setting a new header based on the determined cryptographic apparatus as encapsulation processing, and transmitting ciphertext data provided thereby to the ciphertext network of the same IP (Internet Protocol) subnet as the plaintext network, and a decryption/decapsulation processing section for decrypting ciphertext data received from the ciphertext network into plaintext data, again setting a header based on the address set in the header of the plaintext data as decapsulation processing, and transmitting plaintext data provided thereby to the plaintext network of the same IP subnet as the ciphertext network.
In the cryptographic apparatus according to the invention, the encryption/encapsulation processing section comprises an encryption/encapsulation processing block for encrypting plaintext data received from the plaintext network and determining the cryptographic apparatus corresponding to the address set in the IP (Internet Protocol) header of the plaintext data based on the predetermined correspondence between addresses and different cryptographic apparatus, and setting a new IP header based on the determined cryptographic apparatus as encapsulation processing, and a ciphertext MAC address resolution block for setting a MAC header based on the IP header set in the encryption/encapsulation processing block, preparing ciphertext data, and transmitting the prepared ciphertext data to the ciphertext network of the same IP subnet as the plaintext network, and the decryption/decapsulation processing section comprises a decryption/decapsulation processing block for decrypting ciphertext data received from the ciphertext network into plaintext data and again setting an IP header based on the address set in the IP header of the plaintext data as decapsulation processing, and a plaintext MAC address resolution block for setting a MAC header based on the IP header again set in the decryption/decapsulation processing block, preparing plaintext data, and transmitting the prepared plaintext data to the plaintext network of the same IP subnet as the ciphertext network.
The cryptographic apparatus according to the invention further includes a plaintext filter for determining the ciphertext data received from the ciphertext network to be transparent relay information, discard information, or plaintext information based on the decryption result of the decryption/decapsulation processing block and allowing the ciphertext data to be transmitted to the plaintext network if the ciphertext data is transparent relay
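The following Python model is an added illustration of the two relay directions the summary describes, and is not part of the patent text or of any product implementing it. The encryption/encapsulation section looks up the peer apparatus for the inner destination address in a predetermined address-to-apparatus table, builds a new outer IP header from this apparatus to that peer, and resolves the MAC header for the new IP header; the decryption/decapsulation side restores the inner IP header and resolves the MAC for its destination. The plaintext filter classifies traffic arriving from the ciphertext side as transparent relay, discard, or plaintext according to the decryption result. Everything in the model is constructed: the addresses, the shared key, the peer table, the static MAC table standing in for ARP, the rule that non-encapsulated traffic is relayed transparently and unauthenticated or unaddressed ciphertext is discarded, and the toy cipher (a SHA-256 keystream with an HMAC-SHA256 tag), which is a stand-in for a real IPsec transform rather than a usable one.

```python
"""Added model of the encapsulating cryptographic apparatus in the summary.
Everything here is constructed for illustration: addresses, keys, the
address->peer table, the static MAC table and the toy cipher (SHA-256
keystream + HMAC-SHA256 tag), which stands in for a real IPsec transform."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class IPPacket:
    src: str
    dst: str
    payload: bytes
    encap: bool = False  # True when the payload is an encrypted inner packet


@dataclass
class Frame:
    """MAC header plus IP packet, as seen on either side of the apparatus."""
    src_mac: str
    dst_mac: str
    ip: IPPacket


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def _pack(p: IPPacket) -> bytes:
    # inner IP header + payload, carried whole inside the ciphertext
    return b"|".join([p.src.encode(), p.dst.encode(), p.payload])


def _unpack(blob: bytes) -> IPPacket:
    src, dst, payload = blob.split(b"|", 2)
    return IPPacket(src.decode(), dst.decode(), payload)


class CryptoApparatus:
    NONCE, TAG = 8, 32

    def __init__(self, own_ip, peer_table, keys, mac_table):
        self.own_ip = own_ip
        # predetermined correspondence: destination prefix -> peer apparatus IP
        self.peer_table = {ipaddress.ip_network(n): p for n, p in peer_table.items()}
        self.keys = keys            # peer apparatus IP -> shared key
        self.mac_table = mac_table  # IP -> next-hop MAC (stands in for ARP; a router's MAC for off-subnet peers)
        self.seq = 0

    def lookup_peer(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        hits = [(net.prefixlen, peer) for net, peer in self.peer_table.items() if addr in net]
        return max(hits)[1] if hits else None  # longest-prefix match

    def encrypt_encapsulate(self, frame):
        """Plaintext side -> ciphertext side (encryption/encapsulation section)."""
        inner = frame.ip
        peer = self.lookup_peer(inner.dst)
        if peer is None:
            return None  # constructed policy: no peer for this destination, do not forward
        key = self.keys[peer]
        self.seq += 1
        nonce = self.seq.to_bytes(self.NONCE, "big")
        ct = _xor(key, nonce, _pack(inner))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        # new IP header: this apparatus -> peer apparatus; MAC header resolved on that header
        outer = IPPacket(self.own_ip, peer, nonce + ct + tag, encap=True)
        return Frame(self.mac_table[self.own_ip], self.mac_table[peer], outer)

    def plaintext_filter(self, frame):
        """Ciphertext side -> plaintext side. Returns (verdict, frame_to_forward)."""
        ip = frame.ip
        if not ip.encap:
            return "transparent", frame  # not ours to decrypt: relay unchanged
        if ip.dst != self.own_ip or ip.src not in self.keys:
            return "discard", None
        key, body = self.keys[ip.src], ip.payload
        if len(body) < self.NONCE + self.TAG:
            return "discard", None
        nonce, ct, tag = body[:self.NONCE], body[self.NONCE:-self.TAG], body[-self.TAG:]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            return "discard", None  # authentication failed, so decryption result is rejected
        inner = _unpack(_xor(key, nonce, ct))
        # restore the inner IP header and resolve the MAC for its destination
        return "plaintext", Frame(self.mac_table[self.own_ip], self.mac_table[inner.dst], inner)


def demo():
    key = b"constructed-shared-key"
    a = CryptoApparatus("192.0.2.10", {"198.51.100.0/24": "198.51.100.10"}, {"198.51.100.10": key},
                        {"192.0.2.10": "02:00:00:00:01:10", "198.51.100.10": "02:00:00:00:01:fe"})
    b = CryptoApparatus("198.51.100.10", {"192.0.2.0/24": "192.0.2.10"}, {"192.0.2.10": key},
                        {"198.51.100.10": "02:00:00:00:02:10", "198.51.100.1": "02:00:00:00:02:01"})
    s1_to_s2 = Frame("02:00:00:00:01:01", "02:00:00:00:01:10",
                     IPPacket("192.0.2.1", "198.51.100.1", b"hello S2"))
    ct_frame = a.encrypt_encapsulate(s1_to_s2)
    verdict, out = b.plaintext_filter(ct_frame)
    tampered = IPPacket(ct_frame.ip.src, ct_frame.ip.dst,
                        bytes([ct_frame.ip.payload[8] ^ 1]) + ct_frame.ip.payload[9:], encap=True)
    bad_verdict, _ = b.plaintext_filter(Frame(ct_frame.src_mac, ct_frame.dst_mac, tampered))
    clear = Frame("02:00:00:00:02:fe", "02:00:00:00:02:01",
                  IPPacket("198.51.100.254", "198.51.100.1", b"icmp echo"))
    return {"outer_dst": ct_frame.ip.dst, "hidden": b"hello S2" not in ct_frame.ip.payload,
            "verdict": verdict, "inner_src": out.ip.src, "inner_dst": out.ip.dst,
            "payload": out.ip.payload, "dst_mac": out.dst_mac,
            "tampered": bad_verdict, "clear": b.plaintext_filter(clear)[0]}


if __name__ == "__main__":
    print(demo())
```

In the demo, apparatus a sits on the 192.0.2.0/24 side and b on the 198.51.100.0/24 side; a terminal S1 frame for S2 leaves a with a new outer header addressed to b and the next-hop MAC of a's router, and b hands the restored inner packet to S2's MAC. A flipped ciphertext byte fails the tag check and is discarded, while a non-encapsulated packet from b's ciphertext side is relayed transparently.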


Profile ID: LFUS-PAI-O-3286245
