1. Field of the Invention
The present invention relates to an apparatus and method for generating a symmetric key used for a symmetric key cryptographic system.
2. Description of the Related Art
A cryptographic system includes a symmetric key cryptographic system (also called as a secret key cryptographic system or a common key cryptographic system) using the same key for encryption and decryption, and a public key cryptographic system using different keys for encryption and decryption. Comparing with the public key cryptographic system, the symmetric key cryptographic system has an advantage of carrying out encryption and decryption in higher speed, and therefore it is used for various purposes. Representative standard of the symmetric key cryptographic system includes the Data Encryption Standard (DES) and Advanced Encryption Standard (AES). Note that the following description calls a symmetric key summarily for an encryption key and a decryption key used for the symmetric key cryptographic system.
For the symmetric key cryptographic system, maintaining secrecy of a symmetric key from a third party is very important because a leakage of a symmetric key to the third party brings forth a high risk of a ciphertext being broken. Specifically, the viewpoints as noted in the following paragraphs (1) and (2) must be considered:
(1) Before starting an encrypted communication, a transmitter and a recipient of a message (that is, an encrypting party and a decrypting party) need to share a symmetric key. A method for sharing a symmetric key includes a method, for example, for the transmitter of a message to generate a symmetric key and transmit it to the recipient by way of a telecommunication path. In this case, however, arising is a problem of how the symmetric key can be transmitted without a third party every knowing a content of the symmetric key.
(2) A repetition of a number of encrypted communications by using a single symmetric key increases a risk of a third party intercepting cipher texts to guess the symmetric key and resulting in the cipher texts sent there after being broken. It is necessary to devise so as to be difficult to guess the symmetric key even if the cipher texts are intercepted.
Various methods have been proposed for addressing the problems as noted in the above paragraphs (1) and (2), with some being actually put to use.
As an example, a cryptography apparatus noted in a patent document 1 prevents a regular pattern from appearing periodically in a ciphertext in order to reduce the risk as described in the above paragraph (2). Specifically, when encrypting a super frame constituted by a plurality of frames, a frame synchronization pattern is detected, thereby counting a frame number(s) within the super frame and each frame is encrypted by a cryptographic key which is different for each frame number. Then, the entirety of the super frame, except for a super frame synchronization pattern, is encrypted by using yet a different cryptographic key. By the configuration as described above, the cryptography apparatus noted in the patent document 1 prevents a regular pattern from appearing in a ciphertext in a frame cycle otherwise due to the frame synchronization pattern being encrypted by the same cryptographic key.
Alternatively, it is possible to reduce a risk noted in the above paragraph (2) by updating a symmetric key at every passage of a certain time. However, the problem of the above paragraph (1) arises again when sharing a new updated symmetric key between the transmitter and recipient.
If an encrypted communication is carried out between a specific pair of transmitter and recipient, the transmitter generates a symmetric key, writes a content thereof on a piece of paper and hands it to the recipient, thereby possibly solving the problem of the above paragraph (1). The method, however, has a shortfall of not being adequate in the case of carrying out an encrypted communication with many correspondents and of requiring a cumbersome work at every time of updating a symmetric key.
If a subject of encryption is an Internet Protocol (IP) packet, it is possible to solve the problems of both of the above paragraphs (1) and (2) by means of a Security Architecture for Internet protocol (IPsec) as noted in a non-patent document 1. The IPsec is a standard for encrypting an IP packet, adopting the symmetric key cryptographic system. The IPsec is a group of a plurality of protocols and encryption algorithms, one of which is Internet Key Exchange (IKE) of a key exchange protocol.
The IKE enables a transmitter and a recipient to exchange information required for generating a symmetric key safely (that is, without a third party ever knowing a content) by way of a telecommunication path and solve the problem of the above paragraph (1) without a need of a cumbersome manual operation. Updating a symmetric key is called a “rekey”. Carrying out a rekey automatically by using the IKE at every certain time period (or at every time a telecommunication volume exceeds a predefined number of bytes) makes it possible to solve the problem of the above paragraph (2).
However, there are problems with such a system of exchanging keys automatically and dynamically, as noted in the following paragraphs (3) through (5):
(3) An encrypted communication cannot be carried out in the midst of performing a rekey.
(4) The IKE is a relatively complex system, requiring complex implementation of an apparatus such as a router, and therefore a failure tends to occur when exchanging keys.
(5) If a failure occurs in either of the apparatuses of the transmitter or recipient, the step of sharing a symmetric key must be re-performed all over again. A failure may occur in the other apparatus in the course of a key exchange process required for the above step due to the reason noted in the above paragraph (4).
Meanwhile, there is a problem with the symmetric key cryptographic system as noted in the paragraph (6) below:
(6) A different symmetric key is required for each pair of the transmitter and recipient. That is, a symmetric key k AB used between an A and a B must be different from a symmetric key k AC used between the A and a C. If the k AB is the same as the k AC , an encrypted communication between the A and B is broken by the C, thus unable to keep secret. Therefore, in the case of carrying out encrypted communications in the relationship of N to N, the respective apparatuses need to manage a different symmetric key for each correspondent.
Such a configuration for managing a plurality of symmetric keys is found in a patent document 2 for example. The patent document 2 has disclosed a technique for encrypting an Ethernet frame transmitted to a downlink direction in a Passive Optical Network (PON) system.
The downlink direction is one from a parent station to a child station. In the system according to the patent document 2, child stations, that is, a plurality of Optical Network Terminals (ONT), is connected to a parent station, that is, an Optical Line Terminal (OLT), with a plurality of terminals (i.e., personal computers and the like) being connected to each ONT. The OLT retains a different cryptographic key for each ONT. An Ethernet frame of the downlink direction is broadcast from one OLT to a plurality of ONTs connected to the OLT in which event the OLT discerns as to which ONT the terminal of a destination address of the frame is connected to, and encrypts the Ethernet frame by using a cryptographic key corresponding to the discerned ONT. Therefore, even if another ONT receives the Ethernet frame, it cannot decrypt the frame and therefore it cannot know the content.
The problem of the above paragraph (6) is not merely the number of symmetric keys to be managed being large. In order to reduce a risk of the above paragraph (2) for example, it is desirable to perform a rekey at every certain time period for each of the large number of symmetric keys; however, the problems of the above paragraphs (3) through (5) becomes more serious with the number of symmetric keys. That is, there is a limitation in scalability.
Note that the A, B and C in the description for the above paragraph (6) are commonly relay apparatuses in a network, instead of being individual terminals. In the case of encrypting an IP packet by means of the IPsec for example, it is a relay apparatus in the network layer such as a router that carries out encryption. Accurately speaking, therefore, the above paragraph (6) means that a different symmetric key is required for each pair of routers.
In the case of carrying out an encrypted communication by means of the IPsec for example in the network configured as shown in FIG. 1, the routers 8 a and 8 b store respective symmetric keys kd and an IP packet is transmitted in a state of being encrypted by the symmetric key kd in the network 3 b between the routers 8 a and 8 b . Referring to FIG. 1, the personal computers (PCs) 4 a through 4 c are connected to the router 8 a by way of the network 3 a , and the PCs 4 d through 4 f are connected to the router 8 b by way of the network 3 c.
Here, in the case of transmitting an IP packet 250 a from the PC 4 a to PC 4 d , transmitting an IP packet 250 b from the PC 4 b to PC 4 e , and transmitting an IP packet 250 c from the PC 4 c to PC 4 f , all of the three IP packets 250 a through 250 c of which the transmission sources and destinations are all different are respectively changed to encrypted IP packets 260 a through 260 c by being encrypted by using the same symmetric key kd, followed by becoming decrypted IP packets 280 a through 280 c by being decrypted by using the same symmetric key kd. That is, the symmetric key kd is determined uniquely for a pair of the routers 8 a and 8 b and therefore the same symmetric key kd is always used independent of a combination of PCs at the source and destination. In summary, the granularity of encryption is coarse as compared to the case of encrypting by using a different symmetric key for each combination of PCs at the source and destination.
Patent document 1: Laid-Open Japanese Utility Patent Application Publication No. H05-85140
Non-patent document 1: RFC4301 Security Architecture for the Internet Protocol;
http://www.ietf.org/rfc/rfc4301.txt (Confirmed through access on Oct. 6, 2006)
Patent document 2: Laid-Open Japanese Patent Application Publication No. 2003-60633
From the considerations as described above, the following is a summary of general inclination related to the symmetric key cryptographic system. In the case of setting a symmetric key manually and using the same symmetric key for an extended period of time (i.e., a symmetric key is fixedly used), a system is relatively simple and a security of encryption is low. Contrarily, in the case of carrying out a rekey automatically and dynamically, by using the IKE and such, a complex system is required with a possibility of a problem arising due to the complexity, and yet a security of encryption is high.
However, a method for making both of the complexity of system and security of encryption maintained at a middle level is appropriate depending on the purpose of carrying out an encrypted communication and the usage.
Meanwhile, as for the problem of the above paragraph (6), an elimination of a necessity of managing symmetric keys equivalent to the number of correspondents being engaged in the encrypted communications makes it possible to expand the application range of the symmetric key cryptographic system.
A purpose of the present invention is to provide a symmetric key generation apparatus which generates a symmetric key used for a symmetric key cryptographic system and which is capable of maintaining a degree of security of a encryption to an intermediate level by employing a relatively simple configuration of the apparatus while eliminating a need to manage the number of cryptographic keys equivalent to the number of correspondents of encrypted communications. Another purpose is to provide a symmetric key generation method by using such a symmetric key generation apparatus.
A symmetric key generation apparatus according to the present invention is one generating a symmetric key used for a symmetric key cryptographic system, comprising: a reception unit for receiving input data having a header part in a state of a cleartext and a payload part; a key material storage unit for storing a key material; a key material readout unit for reading the key material from the key material storage unit and updating the key material stored in the key material storage unit in a first stage of generating the symmetric key for encrypting the input data, and reading the key material from a predetermined part of the header part in a second stage of generating the symmetric key for decrypting the input data; and a symmetric key generation unit for generating the symmetric key based on the key material read by the key material readout unit.
A symmetric key generation method according to the present invention is a method carried out by the above noted symmetric key generation apparatus.
A utilization of the symmetric key generation apparatuses by comprising the one on both of an encryption side and of a decryption side of a telecommunication path enables both of the encryption and decryption sides to respectively generate symmetric keys of the same value without exchanging a key by means of a key exchange protocol. That is, if the encryption side generates data including a key material in a predetermined part of a header part, a symmetric key generation apparatus comprised on the decryption side generates a symmetric key of the same value as one used for the encryption by the operation in the above noted second stage. The symmetric key generation apparatus comprised on the encryption side is also configured to generate a symmetric key by the operation in the above noted first stage, thereby generating a symmetric key based on a key material of which a value is updated for each encryption, that is, for each piece of input data.
A configuration of the symmetric key generation unit so appropriately that a value of a symmetric key is practically different for a different value of a key material makes it possible to generate a practically different key for every event of encryption. Also configured is that the symmetric key generation apparatuses respectively comprised on the encryption and decryption sides on a telecommunication path generate the same symmetric key. Therefore, the present invention enables an apparatus on the encryption side and one on the decryption side to respectively carry out encryption and decryption of data by using a different key practically for each piece of input data without carrying out a rekey by exchanging a key in accordance with a key exchange protocol, thereby also making it possible to reduce a risk of a cipher being broken.
FIG. 1 is an illustration diagram showing a conventional encrypted communication by utilizing IPsec;
FIG. 2 is an illustration diagram showing an encrypted communication carried out in a network including a relay apparatus comprising a symmetric key generation apparatus;
FIG. 3 is a diagram exemplifying a combination between a source and a destination;
FIG. 4 is a diagram showing information used for generating a symmetric key;
FIG. 5 is a fundamental functional block diagram of a symmetric key generation apparatus;
FIG. 6 is an illustration diagram showing an encrypted communication carried out in a network including a relay apparatus comprising a symmetric key generation apparatus;
FIG. 7 is a configuration diagram of a Layer 2 relay apparatus applied by the present invention;
FIG. 8 is a functional block diagram describing a relationship between FIGS. 7 and 5;
FIG. 9 is a diagram exemplifying a modification of FIG. 7;
FIG. 10A is a diagram exemplifying a utilization of a Layer 2 relay apparatus including a symmetric key generation apparatus;
FIG. 10B is a diagram showing the apparatus in detail by excerpting a part of FIG. 10A and also a flow of a frame;
FIG. 11 is a diagram describing a format of a frame;
FIG. 12 is a diagram showing a cryptographic header in detail;
FIG. 13 is a diagram exemplifying a configuration of a network by using a Layer 2 relay apparatus equipped with a symmetric key generation apparatus;
FIG. 14 is a diagram exemplifying a configuration of a network by using a Layer 2 relay apparatus equipped with a symmetric key generation apparatus;
FIG. 15 is a diagram exemplifying a configuration of a network by using a Layer 2 relay apparatus equipped with a symmetric key generation apparatus;
FIG. 16 is a diagram showing a more specific example of various pieces of information shown in FIG. 4;
FIG. 17 is a diagram describing a method for generating a symmetric key by utilizing an array;
FIG. 18 is a diagram describing a format of a cryptographic header for implementing a division and reassembly of a frame;
FIG. 19 is a diagram showing an encrypted communication carried out in a network including a relay apparatus comprising a symmetric key generation apparatus and a format of an IP packet;
FIG. 20 is a configuration diagram of a router applied by the present invention;
FIG. 21 is a functional block diagram describing a relationship between FIGS. 20 and 5;
FIG. 22 is a diagram describing an operation of an IPsec process unit when an unencrypted IP packet is received;
FIG. 23 is a diagram describing an operation of an IPsec process unit when an encrypted IP packet is received;
FIG. 24 is a diagram showing a format of an IP header;
FIG. 25 is a diagram showing a format of an ESP packet;
FIG. 26 is a diagram describing a generation of a master key;
FIG. 27A is a diagram describing a correlation of FIGS. 24 through 26 with each piece of information shown in FIG. 4 in a transport mode;
FIG. 27B is a diagram describing a correlation of FIGS. 24 through 26 with each piece of information shown in FIG. 4 in a tunnel mode; and
FIG. 28 is a diagram showing an example of utilizing a router comprising a symmetric key generation apparatus for a multicast.
The following is a detailed description of the preferred embodiment of the present invention by referring to the accompanying drawings. Note that the same component number or number with a different affix character is assigned to the materially same component and its description is omitted herein.
A symmetric key generation apparatus of the present invention is used for generating a symmetric key for both encrypting data and decrypting data. Accordingly, an example of a preferred embodiment is one in which the symmetric key generation apparatus according to the present invention is incorporated as a part of a relay apparatus in a network, and the following is mainly a description of such a preferred embodiment.
The first is a general description on a preferred embodiment in which the symmetric key generation apparatus according to the present invention is incorporated as a part of a relay apparatus in a network, by referring to FIGS. 2 and 3. Then described is information utilized for generating a symmetric key by the symmetric key generation apparatus according to the present invention by referring to FIG. 4, followed by describing a fundamental comprisal of the symmetric key generation apparatus by referring to FIG. 5 and describing a more preferred embodiment of FIG. 2 by referring to FIG. 6. Then, descriptions continue on a preferred embodiment in which the symmetric key generation apparatus according to the present invention is incorporated as a part of a relay apparatus for a data link layer (also named as “Layer 2”) in an OSI (Open Systems Interconnection) reference model by referring to FIGS. 7 through 18. Then, descriptions further continue on preferred embodiments in which the symmetric key generation apparatus according to the present invention is incorporated as a part of a relay apparatus for a network layer (also named as “Layer 3”) in the OSI reference model by referring to FIGS. 19 through 27B.
FIG. 2 is an illustration diagram showing an encrypted communication carried out in a network including a relay apparatus comprising a symmetric key generation apparatus according to the present invention.
Referring to FIG. 2, the relay apparatuses 2 a and 2 b , respectively comprising symmetric key generation apparatuses 1 a and 1 b , are connected to each other by way of a network 3 b . Personal computers (PC) 4 a through 4 c are connected to the relay apparatus 2 a by way of a network 3 a , while PCs 4 d through 4 f are connected to the relay apparatus 2 b by way of the network 3 c . When sending data from the PC 4 a to PC 4 d for example, the data is led through the telecommunication path including the PC 4 a , relay apparatus 2 a , relay apparatus 2 b and PC 4 d.
While leaving a detail to a later description, the relay apparatuses 2 a and 2 b may be Layer 2 relay apparatuses or Layer 3 relay apparatuses. If they are the former, transmitted data (i.e., 5 a through 5 c , 6 a through 6 c , and 7 a through 7 c ) is a MAC (Media Access Control) frame for example; and if they are the latter, transmitted data is an IP packet for example.
In the configuration of FIG. 2, when the data 5 a is transmitted from a PC (either of 4 a through 4 c ) of a transmission origin (named as “source” hereinafter) by way of the relay apparatus 2 a , the symmetric key generation apparatus 1 a comprised thereby generates a symmetric key ka based on a key material k 2 a . Then the data 5 a is changed to encrypted data 6 a by being encrypted by the symmetric key ka. While leaving a detail to a later description, the encrypted data 6 a is constituted by a part encrypted by the symmetric key ka and by a cleartext part which includes the key material k 2 a . The encrypted data 6 a is received at the relay apparatus 2 b by way of the network 3 b . After the reception, the symmetric key generation apparatus 1 b comprised in the relay apparatus 2 b generates a symmetric key ka based on the key material k 2 a . The symmetric key generation apparatuses 1 a and 1 b respectively generate symmetric keys by the same algorithm and therefore respectively generate the same symmetric key ka from the same key material k 2 a . Then the encrypted data 6 a is changed to decrypted data 7 a by being decrypted by the symmetric key ka and is transmitted to a PC (either of 4 d through 4 f ) of a transmission destination (named as “destination” hereinafter).
Likewise, the data 5 b is changed to encrypted data 6 b (including a key material k 2 b ) by being encrypted by a symmetric key kb generated based on the key material k 2 b , and the encrypted data 6 b is then changed to decrypted data 7 b by being decrypted by the symmetric key kb. Also, the data 5 c is likewise changed to encrypted data 6 c (including a key material k 2 c ) by being encrypted by a symmetric key kc generated based on the key material k 2 c , and encrypted data 6 c is then changed to decrypted data 7 c by being decrypted by the symmetric key kc.
Here, the key materials k 2 a through k 2 c have mutually different values. That is, the key materials k 2 a through k 2 c of different values are used for each of the data 5 a through 5 c . And the symmetric key generation apparatuses 1 a and 1 b are so configured as to respectively generate symmetric keys ka through kc of different values from the key materials k 2 a through k 2 c of different values (the detail is described later). Accurately speaking, the configuration may be adequate to lower a ratio of generating a symmetric key of the same value from two key materials of different values to a negligible degree of not ill influencing an actual operation (that is, a theoretical possibility of generating symmetric keys of the same value from two key materials of different values is permissible). Such configuring the symmetric key generation apparatuses 1 a and 1 b practically makes the symmetric keys ka through kc mutually different values.
Note that the symmetric key generation apparatuses 1 a and 1 b respectively generate symmetric keys from a key material by the same algorithm. Provided that the algorithm is kept as secret from a third party, it is impossible for the third party to generate symmetric keys ka through kc from key materials k 2 a through k 2 c included in the encrypted data 6 a through 6 c even if the third party intercepts them. Alternatively, the symmetric key generation apparatuses 1 a and 1 b may share information secret to a third party in advance, followed by generating symmetric keys ka through kc based on both of the information and key materials k 2 a through k 2 c . This configuration prevents the third party from breaking encrypted data 6 a through 6 c by generating symmetric keys ka through kc from the key materials k 2 a through k 2 c.
In any event, the symmetric keys ka through kc are practically different values from one another. In other words, a symmetric key used for encryption is changed quite frequently in the telecommunication path between the relay apparatuses 2 a and 2 b . The fact of a high frequency of changing symmetric keys in the symmetric key cryptographic system contributes to an improvement of a security level. The system described above also has an advantage of not requiring an exchange of information by means of a complex protocol such as an Internet Key Exchange (IKE) between the symmetric key generation apparatuses 1 a and 1 b . Moreover, the key materials k 2 a through k 2 c having different values for each piece of data 5 a through 5 c may be a simple counter value for example and it is not necessary to manage a symmetric key for each pair of a source and a destination engaged in an encrypted communication.
FIG. 2 indicates the fact of symmetric keys ka through kc having mutually different values by changing orientations of hatching lines of the symmetric keys ka through kc. It also indicates the fact of the encrypted data 6 a through 6 d being encrypted by mutually different keys by changing orientations of hatching lines of the encrypted data 6 a through 6 c.
Also, the data 5 a through 5 c may be transmitted from either of the PCs 4 a through 4 c and transmitted to either of the PCs 4 d through 4 f . As shown in FIG. 3 for example, the sources and destinations of the data 5 a through 5 c may entirely be different (i.e., the case (A)), or it may be such that all of the sources may be the same and the destination may all be different (i.e., the case (B)); or that all of the sources may be different and all of the destinations are the same (i.e., the case (C)), or that all of the sources and destinations are the same (i.e., the case (D)).
In either of the cases (A) through (D), the symmetric keys ka, kb and kc are of mutually different values and both of the symmetric key generation apparatuses 1 a and 1 b respectively generate symmetric keys of the same value. This is a characteristic of the present invention, which is totally different from the encrypted communication (refer to FIG. 1) by using a conventional IPsec for example. In FIG. 1, asymmetric key kd is fixed for a pair of routers 8 a and 8 b , and therefore a value of the symmetric key kd is not changed unless a rekey is carried out. Then, the same symmetric key kd is used for the encryption and decryption of three different IP packets 250 a through 250 c . This is also indicated in the drawing by hatching with the same pattern for all of the encrypted IP packets 260 a through 260 c.
FIG. 4 is a diagram showing information used by the symmetric key generation apparatus (equivalent to the symmetric key generation apparatuses 1 a and 1 b shown in FIG. 2) according to the present invention for generating a different symmetric key for each piece of data as described above. In the showing of FIG. 4, a solid line indicates a mandatory piece of information, and a dotted line indicates a utilization being not mandatory but preferable.
The symmetric key generation apparatus according to the present invention generates a symmetric key k for encryption and decryption. Mandatory information for generating a symmetric key k is a raw material of a key (noted as “key material” herein) k 2 . A key material generally means information required for generating a key; the key material k 2 here is information meeting a specific condition, that is, “it is practically a different value for each piece of data as a subject of encryption”.
In a preferred embodiment for generating a symmetric key for encrypting a MAC frame for example, a sequence number having a different value for each MAC frame can be utilized as a key material k 2 . In a preferred embodiment for generating a symmetric key for encrypting an IP packet, a sequence number having a different value for each IP packet can be utilized as a key material k 2 . Details of these sequence numbers are described later.
As such, a generation of a symmetric key k based on a key material k 2 of a practically different value for each piece of data as a subject of encryption makes the symmetric key k a practically different value for each piece of data as a subject of encryption.
Note that a bit length of a key material k 2 is finite no matter what information is specifically used as the key material k 2 . Theoretically, therefore, the same key material k 2 can possibly be utilized for different piece of data. A use of a key material k 2 of an appropriate bit length can lower a frequency of a key material k 2 of the same value being used for a different piece of data to a practically negligible degree without causing a problem. The following description regards as “a key material k 2 is practically different value for each piece of data as a subject of encryption”.
A generation of a symmetric key k by using a key material k 2 as described above increases a frequency of symmetric key k changing in great deal as compared to a conventional configuration of performing a rekey for every certain period of time by means of the IKE for example. As a result, a symmetric key k is very difficult to be guessed even if the encrypted data is intercepted by a third party.
In order to further increase cipher strength, a use of a master key k 3 as well as destination/source information k 1 is desirable. Especially desirable is a use of the destination/source information k 1 .
Here, the destination/source information k 1 is information related to a destination and/or source of data (such as a MAC frame and IP packet) as a subject of encryption, and the information is a part or the entirety of addresses of the destination and/or source for example. The master key k 3 is information that is preset within a symmetric key generation apparatus and is recorded within a security chip for example so as not to be leaked out or tampered with. A master key k 3 may be generated in advance of a usage based on a pre-shared key k 0 that is information set by a user of the symmetric key generation apparatus. The pre-shared key k 3 is also recorded in the security chip as in the case of the master key k 3 .
The reason for the use of the destination/source information k 1 and master key k 3 in addition to the key material k 2 being desirable for generating a symmetric key k is as follows:
In the case of utilizing a sequence number for example as a key material k 2 , generating a symmetric key k only from a key material k 2 by certain generation algorithm creates a possibility of a regularity occurring in a plurality of symmetric keys k generated consecutively. Therefore, it is desirable to increase a randomness of the symmetric keys k by utilizing a destination/source information k 1 . A telecommunication in general is characterized to be irregular and difficult to predict as to when it occurs and who is engaged with whom. Therefore, the utilization of the irregularity of the destination/source information k 1 is desirable for generating a symmetric key k. Also the use of the master key k 3 which is information handled as a secret from a third party makes it possible to increase a difficulty of a symmetric key k being guessed.
FIG. 5 is a fundamental functional block diagram of a symmetric key generation apparatus according to the present invention. The symmetric key generation apparatus 1 shown in FIG. 5 comprises a reception unit 11 , a key material storage unit 12 , a key material readout unit 13 and a symmetric key generation unit 14 . The symmetric key generation apparatus 1 generates a symmetric key k upon receiving a piece of input data.
Incidentally, a generation of a symmetric key k takes place in two stages, i.e., a stage (called as “first stage” hereinafter) of encrypting input data that is plain text data and in another stage (called as “second stage” hereinafter) of decrypting input data that is ciphertext data. The input data is premised as data in a prescribed format comprising a header part and a payload part.
A MAC frame or IP packet for example has a header part and a payload part, with the header part including information of a destination and a source, and the payload part including data of a subject of transmission. Note that the input data may have a trailer part. A MAC frame for example includes a Frame Check Sequence (FCS) as a trailer part. Meanwhile, the entirety of input data is not necessarily encrypted in the second stage, and that is, the header part is in a state of a cleartext, i.e., not encrypted.
The reception unit 11 receives input data.
The key material storage unit 12 has a key material k 2 stored. If a key material k 2 is a sequence number for example as described above, hardware implementing the key material storage unit 12 may be a counter.
The key material readout unit 13 operates differently in the first and second stages; the operation is the same, however, in terms of the key material readout unit 13 reading a key material k 2 .
In the first stage, the key material readout unit 13 reads a key material k 2 from the key material storage unit 12 and updates a value of the key material k 2 stored in the key material storage unit 12 . If a key material k 2 is a sequence number and the key material storage unit 12 is a counter for example, the key material readout unit 13 reads a value of the key material k 2 , followed by incrementing the counter.
In the second stage, the key material readout unit 13 reads a key material k 2 from a prescribed part in the header part of the input data received by the reception unit 11 .
The symmetric key generation unit 14 generates a symmetric key k based on the key material k 2 read by the key material readout unit 13 . A symmetric key k may be generated by further utilizing the destination/source information k 1 and master key k 3 shown in FIG. 4 in accordance with a preferred embodiment.
Incidentally, the above description premises that input data in the second stage includes a key material k 2 as a condition. The next is a description of the premise condition by referring to FIGS. 2, 4 and 5 .
The symmetric key generation apparatus 1 shown in FIG. 5 for example can be incorporated as apart of the relay apparatuses 2 a and 2 b as in the case of the symmetric key generation apparatuses 1 a and 1 b shown in FIG. 2. Either of the symmetric keys ka through kc shown in FIG. 2 corresponds to the symmetric key k, and either of the key materials k 2 a through k 2 c shown in FIG. 2 corresponds to the key material k 2 shown in FIG. 4.
Referring to FIG. 2, the input data to the symmetric key generation apparatus 1 a is for example the data 5 a that is plaintext data to be encrypted. A key material readout unit (not shown herein) comprised by the symmetric key generation apparatus 1 a accordingly carries out an operation for the first stage. And a symmetric key generation unit (not shown herein) comprised by the symmetric key generation apparatus 1 a generates a symmetric key ka. Note that the data 5 a is changed to encrypted data 6 a by being encrypted by a symmetric key ka, and so the encrypted data 6 a includes a key material k 2 a as described above.
Meanwhile, the input data to the symmetric key generation apparatus 1 b shown in FIG. 2 is for example the encrypted data 6 a that is the ciphertext data to be decrypted. A key material readout unit (not shown herein) comprised by the symmetric key generation apparatus 1 b accordingly carries out an operation for the second stage, that is, reads the key material k 2 a from the encrypted data 6 a.
As is apparent from the above description, when encrypting by using the symmetric key k generated in the first stage, a generation of encrypted data (i.e., the encrypted data 6 a through 6 c shown in FIG. 2) including the key material k 2 in a prescribed part guarantees that the input data includes the key material k 2 in the second stage. The symmetric key generation apparatus 1 according to the present invention is used in an environment in which a key material k 2 and a symmetric key k are utilized as described above. FIG. 2 shows an example of such an environment.
FIG. 6 is an illustration diagram showing an encrypted communication carried out in a network including a relay apparatus comprising a symmetric key generation apparatus that uses also data other than the key material k 2 . FIG. 6 well resembles FIG. 2 and therefore the description here focuses on the difference.
FIG. 2 is a diagram corresponding to the case of generating a symmetric key k by using only a key material k 2 from among the data shown in FIG. 4. Comparably, FIG. 6 is a diagram corresponding to the case of generating a symmetric key k by using all of the destination/source information k 1 , key material k 2 and master key k 3 of the data shown in FIG. 4. Therefore, FIGS. 2 and 6 are the same in terms of the point where different symmetric keys ka through kc for each of the input data 5 a through 5 c is generated, respectively, and the input data 5 a through 5 c are respectively encrypted by using different symmetric keys ka through kc.
Comparably with FIG. 2, the first characteristic of FIG. 6 lies where the fact that each of the input data 5 a through 5 c , encrypted data 6 a through 6 c and decrypted data 7 a through 7 c includes destination/source information k 1 a through k 1 c , respectively, is exhibited. The second characteristic lies where the symmetric key generation apparatuses 1 a and 1 b respectively store the master keys k 3 of the same value. The third characteristic lies where the symmetric key generation apparatuses 1 a and 1 b respectively generate symmetric keys ka through kc based on the destination/source information k 1 a through k 1 c , key materials k 2 a through k 2 c and master key k 3 .
The data 5 a , encrypted data 6 a and decrypted data 7 a as example respectively includes a destination/source information k 1 a . And the symmetric key generation apparatuses 1 a and 1 b respectively generate a symmetric key ka based on the destination/source information k 1 a , key material k 2 a and master key k 3 . The data 5 a is changed to encrypted data 6 a by being encrypted by using the symmetric key ka, and the encrypted data 6 a is changed to decrypted data 7 a by being decrypted by using the symmetric key ka. The symmetric key generation apparatuses 1 a and 1 b are capable of respectively generating the same symmetric key ka only provided that they respectively pre-store the master keys k 3 of the same value, without exchanging a key in accordance with such as IKE.
Note that, while FIG. 6 shows the master keys k 3 within the symmetric key generation apparatuses 1 a and 1 b , the master key k 3 is generated from the pre-shared key k 0 as shown in FIG. 4. Therefore, what the symmetric key generation apparatuses 1 a and 1 b pre-store respectively may be the master keys k 3 of the same value or pre-shared keys k 0 of the same value. If it is the latter, the symmetric key generation apparatuses 1 a and 1 b may respectively generate master keys k 3 every time they generate symmetric keys ka through kc. Alternatively, they may respectively generate master keys k 3 every time the power is turned on, store the generated master keys k 3 in volatile memory (not shown herein) or a TCG-compliant chip 105 (which is described later) during the power-on state and read the master key k 3 stored therein every time they respectively generate symmetric keys ka through kc. In either case, the symmetric key generation apparatuses 1 a and 1 b respectively store master keys k 3 when generating the symmetric keys ka through kc. This is why FIG. 6 shows the master keys k 3 within the symmetric key generation apparatuses 1 a and 1 b , respectively.
The next is a description on the case of utilizing the present invention for encrypting a Layer 2 communication as more specific example by referring to FIGS. 7 through 18.
FIG. 7 is a configuration diagram of a Layer 2 relay apparatus applied by the present invention. Let it be simply explained on a typical example of a Layer 2 communication before FIG. 7 is described.
A representative layer 2 communication includes an Ethernet communication, and the specification of the Ethernet specifies those of the physical layer (i.e., the Layer 1) and Layer 2 for an OSI reference model. Also, in accordance with the IEEE (Institute of Electrical and Electronics Engineers) 802.3 Standard in which the Ethernet has been standardized, the layer 2 is further divided into two sublayers, with one close to the layer 1 being the MAC (Media Access Control) sublayer and the one close to the layer 3 being the LLC (Logical Link Control) sublayer.
A relay apparatus of the layer 2 (abbreviated as “L2 relay apparatus” hereinafter; “L2” means the Layer 2) used for a layer 2 communication is also called an L2 switch, and a switching hub is its representative example. In the layer 2 communication, data is transmitted and received in a unit of a “frame”. There are plural formats varying in minute parts for a frame, such as a MAC frame of DIX Ethernet and a MAC frame of the IEEE 802.3, for example; such a difference is not important for the present invention. The following description accordingly uses the word “frame” as a generic terminology.
Incidentally, the conventional Ethernet communication is faced with the problems of not only the frame being transmitted and received without encryption, but also interception of the frame itself being easy. While it may be possible to communicate by encrypting a frame by combining a plurality of protocols, such a practice is faced with some problems such as a protocol stack becoming complex. Contrarily, a use of an L2 relay apparatus 101 (shown in FIG. 7) as a result of applying the present invention to a conventional L2 relay apparatus makes it possible to communicate by encrypting a frame by virtue of a simple configuration.
Referring to FIG. 7, the L2 relay apparatus 101 is an L2 relay apparatus for relaying a frame. It is the same as a conventional L2 relay apparatus where the L2 relay apparatus 101 comprises a plurality of physical ports for externally transmitting and receiving a frame (i.e., comprising four ports 103 a through 103 d according to the example shown in FIG. 7), and comprises a frame relay process unit 102 for relaying the frame.
The L2 relay apparatus 101 further comprises cryptographic process modules 104 a through 104 d corresponding to the respective ports 103 a through 103 d . Each of the cryptographic process modules 104 a through 104 d may be produced as a single chip. The cryptographic process modules 104 a through 114 d are respectively connected to the corresponding ports 103 a through 103 d and the frame relay process unit 102 by way of general-purpose interfaces such as GMII (Gigabit Medium Independent Interfaces) and MII (Medium Independent Interfaces). That is, both of the input and output of the cryptographic process modules 104 a through 104 d are frames. The GMII and MII are interfaces between the layer 1 and MAC sublayer, which are commonly used for the Ethernet.
Note that the cryptographic process performed by the cryptographic process modules 104 a through 104 d includes a generation of a symmetric key k, an encryption process and a decryption process while a detail is left to a later description. The following description uses a terminology “cryptographic process” for meaning an “encryption process and decryption process”. The symmetric key k is generated by utilizing the destination/source information k 1 , key material k 2 and master key k 3 in the preferred embodiment shown by FIG. 7. Specifically, MAC header information k 1 _f is utilized as destination/source information k 1 , and a sequence number k 2 _n as key material k 2 . Details of these pieces of information and a correlation of the cryptographic process modules 104 a through 104 d with the symmetric key generation apparatus 1 (shown in FIG. 5) are described later.
The L2 relay apparatus 101 is equipped with a TCG-compliant chip 105 which is a security chip in compliance with the TCG (Trusted Computing Group) specification. The TCG-compliant chip 105 stores the data such as a pre-shared key k 0 (shown in FIG. 4) that is utilized by the cryptographic process modules 104 a through 104 d . Since the data stored in the TCG-compliant chip 105 cannot be taken out by an external fraudulent operation, the use of the TCG-compliant chip 105 enables a secure storage of the data.
The L2 relay apparatus 101 also comprises a Central Processing Unit (CPU) 106 . The CPU 106 operates in accordance with a program stored in Read Only Memory (ROM; not shown herein) for example, and uses Random Access Memory (RAM; not shown herein), as work memory. As described later, the CPU 106 issues such as instructions to the cryptographic process modules 104 a through 104 d to generate data required for the cryptographic process.
The frame relay process unit 102 , cryptographic process modules 104 a through 104 d , TCG-compliant chip 105 , CPU 106 , ROM, and RAM are connected to an internal bus 107 .
In the L2 relay apparatus 101 , the cryptographic process modules 104 a through 104 d are equipped in correspondence with the respective physical ports 103 a through 103 d , and a cryptographic process is performed separately from a frame relay process performed by the frame relay process unit 102 . That is, the frame relay process unit 102 has no need to consider cryptography and therefore a frame relay process unit of a conventional relay apparatus that carries out absolutely no cryptographic process can be utilized as a frame relay process unit 102 without modification.
In order to separate the relay process and cryptographic process as described above, the interface between the frame relay process unit 102 and the cryptographic process modules 104 a through 104 d is an interface such as GMII, MII or the like. In the case of a conventional relay apparatus that performs absolutely no cryptographic process, the frame relay process unit is connected to the port by way of an interface such as GMII or MII, and performs a frame relay process via the interface. In the same manner, the frame relay process unit 102 of FIG. 7 also performs only the frame relay process via an interface such as CMII or MII.
Meanwhile, the L2 relay apparatus 101 comprises the cryptographic process modules 104 a through 104 d corresponding to the respective ports 103 a through 103 d , and therefore is capable of encrypting an Ethernet communication in an N-to-N topology commonly employed in general office environments. Note that the “N-to-N topology” mentioned here does not represent physical cable wiring but represents a situation in which a plurality of relay apparatuses performs encrypted communications respectively with a plurality of relay apparatuses. This aspect is described later by referring to FIGS. 10A, 10B and FIGS. 13 through 15.
FIG. 8 is a functional block diagram describing a relationship between FIGS. 7 and 5. Note that an arrow attached with a sign indicates that the following information is sent in the arrow direction, i.e., “f”: frame, “k 0 ”: pre-shared key k 0 , “k 1 ”: MAC header information k 1 _f as a destination/source information k 1 , “k 2 ”: sequence number k 2 _n as a key material k 2 , “k 3 ”: master key k 3 and “k”: symmetric key k. An arrow without a sign represents a control flow. The specific contents of the signs “k 1 _f” and “k 2 _n” are described later.
Each of the cryptographic process modules 104 a through 104 d shown in FIG. 7 approximately corresponds to the symmetric key generation apparatus 1 shown in FIG. 5. That is, the L2 relay apparatus 101 includes four of the symmetric key generation apparatus. Accurately speaking, however, these four symmetric key generation apparatuses share a single TCG-compliant chip 105 , utilizing it as a part of each symmetric key generation apparatus. FIG. 8 is a diagram describing the correlation. Incidentally, the configuration of the cryptographic process modules 104 a through 104 d is the same in the example of FIG. 7, and therefore FIG. 8 simply uses “ 104 ”. And the ports corresponding to the cryptographic process modules 104 are simply indicated by the sign “ 103 ”.
The symmetric key generation apparatus 1 c shown in FIG. 8 comprises a reception unit 11 , a key material storage unit 12 , a key material readout unit 13 and a symmetric key generation unit 14 as in the case of the symmetric key generation apparatus 1 shown in FIG. 5. Specifically, these four constituent components are incorporated in the cryptographic process module 104 .
As described above, the cryptographic process module 104 is connected to the corresponding port 103 and frame relay process unit 102 by way of the interface such as GMII and MII. The reception unit 11 carries out an interface process and buffers a frame. That is, the reception unit 11 comprises buffer memory. Incidentally, the reception unit 11 comprises, physically speaking, a plurality of interfaces (i.e., an interface with the port 103 and one with the frame relay process unit 102 ) in the configuration shown in FIG. 8.
The cryptographic process module 104 also performs a cryptographic process by using a generated symmetric key k in addition to generating it as described above, and therefore further comprises a judgment unit 15 , an encryption unit 16 , a decryption unit 17 and an output unit 19 . These four constituent components are also included in the symmetric key generation apparatus 1 c in the configuration shown in FIG. 8.
The judgment unit 15 judges whether the first stage (i.e., the stage in which a symmetric key k is to be generated for encryption) or the second stage (i.e., the stage in which a symmetric key k is to be generated for decryption). The judgment unit 15 may be configured to judge as a third stage (i.e., a stage in which there is no necessity of generating a symmetric key k because there is no need to perform encryption or decryption) depending on a preferred embodiment. Then the judgment unit 15 notifies the key material readout unit 13 , symmetric key generation unit 14 , encryption unit 16 , decryption unit 17 and output unit 19 properly of the judgment result.
If the judgment unit 15 judges as the first stage, the encryption unit 16 performs an encryption process of a frame received by the reception unit 11 by using the symmetric key k generated by the symmetric key generation unit 14 and output the encrypted frame to the output unit 19 . If the judgment unit 15 judges as the second stage, the decryption unit 17 performs a decryption process of a frame received by the reception unit 11 by using the symmetric key k generated by the symmetric key generation unit 14 and outputs the decrypted frame to the output unit 19 .
Having received an input of either of the frame encrypted by the encryption unit 16 in the first stage, one decrypted by the decryption unit 17 in the second stage or one without being applied to a process after the reception unit 11 has received it in the third stage, then the output unit 19 has the function of outputting the input frame to an outside of the symmetric key generation apparatus 1 c (i.e. external to the cryptographic process module 104 ). Specifically, it outputs either of the above frames to the port 103 or frame relay process unit 102 by way of an interface such as the GMII and MII. FIG. 8, being a functional block configuration diagram, shows the reception unit 11 and output unit 19 by separate blocks; the hardware such as a wiring between them and the port 103 , however, may be shared between the reception unit 11 and output unit 19 .
The symmetric key generation apparatus 1 c shown in FIG. 8 generates a symmetric key k by utilizing also the destination/source information k 1 and master key k 3 shown in FIG. 4. That is, the symmetric key generation unit 14 extracts the destination/source information k 1 from the frame received by the reception unit 11 , reads the master key k 3 from a master key storage unit 21 and utilizes them. As described above, the L2 relay apparatus 101 includes four of the symmetric key generation apparatus. In the present embodiment, each of the four symmetric key generation apparatus is one with a sign “ 1 c ” shown in FIG. 8. The present embodiment is also configured in a manner that a master key generation unit 20 in each of the four symmetric key generation apparatuses 1 c generates a master key k 3 from the pre-shared key k 0 stored in a pre-shared key storage unit 18 every time the power to the L2 relay apparatus 101 is turned on and stores it in the master key storage unit 21 . A pre-shared key k 0 must be pre-stored within the symmetric key generation apparatus 1 c safely (that is, so as not to be read fraudulently). A part of the TCG-compliant chip 105 is utilized as the pre-shared key storage unit 18 according to the configuration shown in FIG. 8.
That is, the symmetric key generation apparatus 1 c shown in FIG. 8 comprises the single cryptographic process module 104 and the pre-shared key storage unit 18 as a part of the TCG-compliant chip 105 . Note that, if there are four cryptographic process modules 104 a through 104 d as in the case of FIG. 7, the TCG-compliant chip 105 is shared by four of the symmetric key generation apparatuses 1 c , four different zones of the TCG-compliant chip 105 may be respectively used as constituent components of the four of the symmetric key generation apparatuses 1 c , or a certain zone of the TCG-compliant chip 105 may be shared as a constituent component of the four of the symmetric key generation apparatuses 1 c.
FIG. 9 is a diagram exemplifying a modification of the L2 relay apparatus 101 shown in FIG. 7. The difference between FIGS. 9 and 7 lies where only a part of the ports (i.e., 103 a and 103 b ) are equipped with the cryptographic process modules 104 a and 104 b for the configuration of FIG. 9. The other ports (i.e., 103 c through 103 j ) are directly connected to the frame relay process unit 102 by way of the interfaces such as GMII and MII, without equipped with a cryptographic process module. That is, the L2 relay apparatus 101 may comprise a cryptographic process module(s) on a part of ports or the entirety thereof based on a necessity of an encrypted communication.
In the frame relay process unit 102 , the interface with the cryptographic process modules 104 a and 104 b , and the one with the ports 103 c through 103 j not equipped with a cryptographic process module, are all the same interfaces (e.g., GMII and MII). Therefore, the frame relay process unit 102 can concentrate on relaying a frame without distinguishing between a port equipped with a cryptographic process module and one not equipped with it.
Note that the cryptographic process modules 104 a and 104 b of FIG. 9 are also configured as one shown in FIG. 8.
FIG. 10A is a diagram exemplifying a utilization of a Layer 2 relay apparatus including a symmetric key generation apparatus, indicating a network configuration including three virtual local area networks (VLANs), i.e., VLANs 110 , 120 and 130 .
Referring to FIG. 10A, L2 relay apparatuses 101 a and 101 b are similar to the L2 relay apparatus 101 shown in FIG. 7 or FIG. 9. The L2 relay apparatus 101 according to the present invention, being a switch apparatus having the function of relaying a Layer 2 frame, may be sometimes noted as “L2SW” in FIG. 10A and thereafter. Terminals (i.e., computers) belonging to VLANs 110 , 120 and 130 are respectively connected to the L2 relay apparatuses 101 a and 101 b . That is, the L2 relay apparatuses 101 a and 101 b are edge switches connected to the terminals.
The L2 relay apparatuses 101 a and 101 b , and a firewall 143 are connected to a core L2/L3 switch 141 (i.e., a conventional switch apparatus having a layer 2 or layer 3 relay function, but no function related to a cryptographic process) that is a conventional relay apparatus. That is, the core L2/L3 switch 141 is a core switch relaying between switches. The firewall 143 is connected to a router 144 which is then connected to the Internet 145 .
Incidentally, one usage of a VLAN is to overlap a plurality of systems in the same physical network. For example, the apparatuses, i.e., the L2 relay apparatus 101 a , core L2/L3 switch 141 and L2 relay apparatus 101 b , and cables connecting these components are physical existence. And a physical network connecting these physical existences is shared by three different VLANS, i.e., VLANs 110 , 120 and 130 . That is, a plurality of systems is overlapped on the same physical network.
These plural systems may possibly include a system for primarily handling classified information and one for primarily handling Web browsing requiring no security protection. Requirements for secrecy of communication are naturally different between the former and latter. Therefore, if a VLAN is utilized, performing a cryptographic process in the unit of a physical port (e.g., a practice of the cryptographic process module 104 a encrypting all frames transmitted from the L2 relay apparatus 101 a to the core L2/L3 switch 141 ) is not preferable because an extraneous process is carried out such as encrypting even a communication including no secret data.
There are sections A, B and C in a business entity as an example. The sections A and B handle classified data, hence requiring an encrypted communication and also prohibiting a communication by way of the Internet 145 for maintaining a security. The section C on the other hand handles no classified data and primarily carries out e-mail exchanges and Web browsing (requiring a communication with the Internet 145 ). In this case, the individual sections are sometimes divided into separate VLANs to configure as shown in FIG. 11A. That is, the sections A, B and C respectively correspond to the VLANs 110 , 120 and 130 .
The present invention enables a selection of whether or not encrypting for each VLAN and an avoidance of an unnecessary cryptographic process. That is, it makes it possible to select the VLANs 110 and 120 as subject of encryption and the VLAN 130 as the outside of a subject thereof. Also enabled is to configure a network by the L2 relay apparatuses 101 a and 101 b according to the present invention intermingling with the core L2/L3 switch 141 that is a conventional relay apparatus as shown in FIG. 10A. This practice is described in the following.
As shown by an excerpt in FIG. 10B, the L2 relay apparatus 101 a has ports 103 a through 103 d , with the ports 103 a , 103 b and 103 c being assigned to the VLANs 110 , 120 and 130 , respectively. This assignment is preset by a network administrator. The port 103 d is one connected to the core L2/L3 switch 141 . On the inside of the L2 relay apparatus 101 a , the port 103 d is connected to the cryptographic process module 104 a by way of the interface such as the GMII and MII. The ports 103 a through 103 c and cryptographic process module 104 a are respectively connected to the frame relay process unit 102 a by way of the interface such as the GMII and MII.
Likewise, the L2 relay apparatus 101 b comprises ports 103 e through 103 h , with the ports 103 e , 103 f and 103 g being assigned to the VLANs 110 , 120 and 130 , respectively. And the port 103 h is one connected to the core L2/L3 switch 141 .
Note that FIG. 10A shows cryptographic process modules 104 a and 104 b on the outside of rectangles indicating the L2 relay apparatuses 101 a and 101 b for convenience of display; the cryptographic process modules, however, are respectively on the inside of the relay apparatuses in the actual configuration as shown in FIGS. 7, 9 and 10 B. The drawings hereafter may represent in the similar manner. Also note that FIG. 10B omits such as TCG-compliant chip among the constituent components of the L2 relay apparatuses 101 a and 101 b.
When transmitting a frame within the same VLAN from the left to right in the delineation of FIG. 10A, the frame travels by way of the L2 relay apparatus 101 a , core L2/L3 switch 141 and L2 relay apparatus 101 b in any VLAN. Describing in more detail by referring to FIG. 10B, the frame travels by way of the frame relay process unit 102 a , cryptographic process module 104 a , port 103 d , core L2/L3 switch 141 , port 103 h , cryptographic process module 104 b and frame relay process unit 102 b in any VLAN. Of the path in which the frame travels, the parts which differ for each VLAN are a part on the left side of the frame relay process unit 102 a and a part on the right side of the frame relay process unit 102 b in the delineation of FIG. 10B.
In FIGS. 10A and 10B, the terminals belonging to the VLAN 130 are assumed to communicate with the Internet 145 as described above. The communication with the Internet 145 is indicated by two bold line arrows (i.e., one arrow starting at the L2 relay apparatus 101 a , traveling by way of the core L2/L3 switch 141 , firewall 143 and router 144 , and reaching the Internet 145 ; and the other starting at the L2 relay apparatus 101 b , traveling by way of the core L2/L3 switch 141 , firewall 143 and router 144 , and reaching the Internet 145 ) in the delineation of FIG. 10A.
As such, in the case of communicating within any VLAN or with an external network such as the Internet 145 , a frame travels between the port 103 d and core L2/L3 switch 141 , and/or between the port 103 h and core L2/L3 switch 141 . That is, the physical communication paths (i.e., a cable) between the port 103 d and core L2/L3 switch 141 , and between the port 103 h and core L2/L3 switch 141 are shared among a plurality of VLANs. Such communication paths ( 142 a and 142 b ) are called “0.1Q trunk” named after the IEEE 802.1Q that is a standard for VLAN.
The port 103 a and such are fixedly assigned to a single VLAN, while the ports 103 d and 103 h are shared among a plurality of VLANs. The port 103 d or 103 h is called a “tagged VLAN port”. The administrator presets the ports 103 d and 103 h as the tagged VLAN ports. A corresponding VLAN cannot be uniquely determined for the tagged VLAN port, and therefore a frame transmitted and received between the ports 103 d and 103 h (more accurately describing, between the frame relay process units 102 a and 102 b ) is attached with a VLAN-ID that is information for identifying a VLAN (which is described later in association with FIG. 11).
As described above, the VLAN 110 and VLAN 120 are subjects of encryption and the VLAN 130 is not in the example shown in FIG. 10A. The administrator inputs, in the L2 relay apparatus 101 a , a setup as to which VLAN is to be a subject of encryption. Then, a CPU (corresponding to the CPU 106 shown in FIG. 7) (not shown in FIG. 10B) instructs the cryptographic process module 104 a to set the input content. The same process is performed on the L2 relay apparatus 101 b . As a result, the cryptographic process modules 104 a and 104 b apply a cryptographic process only to a frame requiring the cryptographic process based on the setup input by the administrator.
When transmitting a frame within the VLAN 110 from the left to right in the delineation of FIG. 10B for example, a frame received at the port 103 a (i.e., the frame transmitted from a terminal connected to the port 103 a ) is transmitted to the cryptographic process module 104 a by way of the frame relay process unit 102 a . This prompts the respective constituent components, which are shown in FIG. 8, of the cryptographic process module 104 a to operate as follows:
First, the reception unit 11 receives the frame.
The judgment unit 15 judges as the first stage (i.e., the stage in which a symmetric key k is to be generated for encrypting the frame) based on the fact of receiving the frame from the frame relay process unit 102 a in place of the port 103 d , the VLAN-ID included in the frame and the above described setup content.
Then, in accordance with the judgment of the judgment unit 15 , the key material readout unit 13 reads a sequence number k 2 _s as a key material k 2 from the key material storage unit 12 and updates a value stored in the key material storage unit 12 .
The symmetric key generation unit 14 obtains MAC header information k 1 _f, the sequence number k 2 _s and a master key k 3 for generating a symmetric key k based on the judgment of the judgment unit 15 . The MAC header information k 1 _f is extracted from the frame received by the reception unit 11 . The sequence number k 2 _s is the value read by the key material readout unit 13 . The master key k 3 is stored in the master key storage unit 21 . The symmetric key generation unit 14 generates a symmetric key k based on the obtained three pieces of data.
The encryption unit 16 receives the symmetric key k from the symmetric key generation unit 14 based on the judgment of the judgment unit 15 , reads the frame buffered at the reception unit 11 and encrypts the frame by using the symmetric key k.
The encrypted frame is output to the port 103 d shown in FIG. 10B by way of the output unit 19 . Returning to FIG. 10B here, the encrypted frame is transmitted to the cryptographic process module 104 b by way of the port 103 d , core L2/L3 switch 141 and port 103 h . This prompts the respective constituent components, which are shown in FIG. 8, of the cryptographic process module 104 b to operate as follows:
First, the reception unit 11 receives the frame.
The judgment unit 15 judges as the second stage (i.e., the stage in which a symmetric key k is to be generated for decrypting the frame) based on the fact of receiving the frame from the port 103 h in place of frame relay process unit 102 b , the VLAN-ID included in the frame and the above described setup content. Or it judges as the frame being a subject of decryption based on the fact of the frame including a cryptographic header 171 that is described later.
Then, in accordance with the judgment of the judgment unit 15 , the key material readout unit 13 reads a sequence number k 2 _r as a key material k 2 from the received frame. The operation of the symmetric key generation unit 14 is a similar to that of the symmetric key generation unit 14 of the cryptographic process module 104 a.
The decryption unit 17 receives the symmetric key k from the symmetric key generation unit 14 based on the judgment of the judgment unit 15 , reads the frame buffered at the reception unit 11 and decrypts the frame by using the symmetric key k.
The decrypted frame is transmitted to the frame relay process unit 102 b shown in FIG. 10B by way of the output unit 19 and relayed to the port 103 e , followed by being transmitted therefrom to a terminal connected to the port 103 e.
That is, the frame is transmitted in a state of plaintext (i.e., the state of not being encrypted) in the paths from the terminal to the cryptographic process module 104 a by way of the port 103 a and from the cryptographic process module 104 b to the terminal by way of the port 103 e . Contrarily, the frame is transmitted in a state of being encrypted between the cryptographic process module 104 a and cryptographic process module 104 b . It is the same when transmitting a frame within the VLAN 120 .
A frame in the state of a plaintext is named as “plaintext frame” and one in the state of being encrypted is named as “encrypted frame” hereinafter. A transmission of a plaintext frame is indicated by a solid line arrow and that of an encrypted frame is indicated by a dotted line arrow according to the delineation of FIG. 10B.
When transmitting a frame within the VLAN 130 from the left to right according to the delineation of FIG. 10B, the cryptographic process module 104 a judges that the frame is other than a subject of encryption based on the VLAN-ID included in the frame and the above-described setup content and that an encryption process is unnecessary, followed by transmitting the frame to the port 103 d in the same state of the plaintext. That is, the judgment unit 15 (of FIG. 8) judges as the third stage (i.e., an encryption process is unnecessary, not requiring a generation of a symmetric key k) within the cryptographic process module 104 a , and the cryptographic process module 104 a outputs the frame, as is, buffered at the reception unit 11 to the port 103 d by way of the output unit 19 in accordance with the judgment.
Meanwhile, in the cryptographic process module 104 b the judgment is that the frame is other than a subject of encryption and therefore decryption process is unnecessary based on the VLAN-ID included in the frame and the above-described setup content (or, a cryptographic header 171 is not included in the received frame and therefore a decryption process is unnecessary), followed by transmitting the received plaintext frame, as is, to the frame relay process unit 102 b . That is, the judgment unit 15 (shown in FIG. 8) judges as the third stage within the cryptographic process module 104 b , and the cryptographic process module 104 b outputs the frame, as is, buffered at the reception unit 11 to the frame relay process unit 102 b by way of the output unit 19 in accordance with the judgment.
When a computer belonging to the VLAN 130 transmits an IP packet to the Internet 145 , a frame corresponding to the IP packet is transmitted by way of the port 103 d or port 103 h . In the L2 relay apparatus 101 a for example, the port 103 c assigned to the VLAN 130 is connected to the frame relay process unit 102 a that is connected to the cryptographic process module 104 a that is then connected to the port 103 d , and therefore a frame not requiring a cryptographic process is also transmitted via the cryptographic process module 104 a without an exception.
When relaying, to the port 103 d , a frame received at the port 103 c assigned to the VLAN 130 , the cryptographic process module 104 a judges as a cryptographic process being unnecessary and accordingly transmits the plaintext frame as is to the port 103 d likewise the case of transmitting a frame within the VLAN 130 . This practice corresponds to the fact of the solid line arrow (indicating a transmission of a plaintext frame) heading from the L2 relay apparatus 101 a toward the firewall 143 by way of the core L2/L3 switch 141 in FIG. 10B.
As described above, the configuration shown in FIG. 10A sets whether or not a subject of encryption for each VLAN. That is, FIG. 10A makes the granularity of encryption finer than the case of encrypting all frames being transmitted along the 0.1Q trunk 142 a between the port 103 d and core L2/L3 switch 141 for example. Fine granularity is advantageous in avoiding an extraneous encryption of a communication not including classified data.
Such capability of setting for the cryptographic process modules 104 a and 104 b as to whether or not to make a subject of encryption selectively for each VLAN makes it possible to have the core L2/L3 switch 141 that is a conventional relay apparatus intervene between the L2 relay apparatuses 101 a and 101 b so as to connect the core L2/L3 switch 141 directly to the firewall 143 .
Assuming an incapability of setting for each VLAN in FIG. 10A, a frame will be encrypted by the cryptographic process module 104 a even when a terminal belonging to the VLAN 130 communicates with the Internet 145 . Therefore, it is necessary to make the L2 relay apparatus 101 that comprises a cryptographic process module intervene between the core L2/L3 switch 141 and firewall 143 in order to decrypt the encrypted frame and transmit the decrypted frame to the outside of the firewall 143 .
That is, enabling a setup for each VLAN makes it possible to reduce the number of required apparatuses. In other words, a limitation can be reduced when configuring a network. In brief, the present invention is applicable to various configurations.
FIG. 11 is a diagram describing a format of a frame utilized for the present invention. The present invention is contrived to encrypt only the data part of a frame.
A frame 150 shown in the upper row of FIG. 11 is a common frame transmitted and received in the Layer 2. The frame 150 is constituted by a 6-byte of a destination MAC address 151 , a 6-byte of source MAC address 152 , a data part 153 and a 4-byte of error detection-use FCS 154 .
In the case of a MAC frame of DIX Ethernet, the head of the data part 153 is a type expressed by 2 bytes followed by data of between 46 and 1500 bytes. Therefore, a frame is a maximum of 1518 bytes (i.e., 6+6+2+1500+4=1518). In the case of the MAC frame according to the IEEE 802.3 Standard, the head of a data part 153 is a length/type expressed by 2 bytes. It is followed, although different for a specific frame format, by a 3-byte of LLC header and/or a 5-byte of SNAP (Sub NetworkAccess Protocol) header and further followed by data. The length of the data part 153 is between 46 and 1500 bytes including the LLC header and/or SNAP header. The maximum length of one frame is therefore 1518 bytes.
As described before, while the premise is that a piece of input data to the symmetric key generation apparatus 1 is constituted by the header part and payload part, if input data is a frame 150 , the header part is constituted by the destination MAC address 151 and source MAC address 152 , and the payload part is the data part 153 .
A tagged frame 160 shown in the middle row of FIG. 11 is a result of inserting a VLAN tag into a frame 150 . The tagged frame 160 is similar to the frame 150 except for a 2-byte of TPID (Tag Protocol Identifier) 161 and a 2-byte of TCI (Tag Control Information) 162 being inserted between the source MAC address 152 and data part 153 . In the case of the Ethernet, a value of the TPID 161 indicating a VLAN is a 0x8100 (meaning 8100 in a hexadecimal notation). The TCI 162 includes a 12-bit of VLAN-ID for identifying a VLAN. The TPID 161 and TCI 162 are sometimes added at a source terminal of a frame; they are more commonly added at a relay apparatus, however. In the latter case, a recalculation of an FCS 154 is also performed at the relay apparatus.
In the case of setting whether or not to perform a cryptographic process for each VLAN as in FIG. 10A, the cryptographic process module 104 judges a necessity or not of the cryptographic process based on a value of the VLAN-ID included in the TCI 162 .
If input data to the symmetric key generation apparatus 1 is a tagged frame 160 , the header part is a part between the destination MAC address 151 and TCI 162 , the payload part is the data part 153 and the trailer part is the FCS 154 .
An encrypted frame 170 shown in the lower row of FIG. 11 is one obtained by encrypting a tagged frame 160 and contains a field unique to the present invention. Comparing the encrypted frame 170 with the tagged frame 160 , the difference lies where a cryptographic header 171 is inserted immediately after the TCI 162 , the data part 153 is encrypted to be an encrypted data part 172 , and an ICV (Integrity Check Value) 173 is inserted immediately after the encrypted data part 172 . The cryptographic header 171 includes a key material k 2 necessary for decryption. The ICV 173 is a type of a check sum calculated based on a range between the destination MAC address 151 and the encrypted data part 172 . In addition, the cryptographic process module 104 also performs a recalculation of the FCS 154 when encrypting a frame.
If input data to the symmetric key generation apparatus 1 is an encrypted frame 170 , the header part is a part between the destination MAC address 151 and the cryptographic header 171 , the payload part is the encrypted data part 172 , and the trailer part is the ICV 173 and FCS 154 .
The first characteristic of the encrypted frame 170 lies where only the data part 153 is encrypted, whereas the MAC header (i.e., the part constituted by the destination MAC address 151 and source MAC address 152 ) is not encrypted. The second characteristic lies where the cryptographic header 171 is placed posterior to the TCI 162 .
The first characteristic leads to an advantage that an increase in size of the frame or in a complexity of the process can be avoided as described below.
The method of encrypting a frame including the MAC header provides a higher degree of security because the information as to which terminals are engaged in a communication can also be concealed. When transmitting a frame from a terminal Xt connected to a switch Xs (that is a relay apparatus) to a terminal Yt connected to a switch Ys for example, the MAC address of the terminal Yt is written on the destination MAC address 151 of the frame and the MAC address of the terminal Xt is written on the source MAC address 152 . In the case of encrypting the frame including the MAC header, the post-encryption frame is an encapsulated frame prefixed with another MAC header. That is, the MAC address of the switch Ys is written as the destination MAC address 151 for an outer frame, and the MAC address of the switch Xs is written as the source MAC address 152 for an outer frame.
In the encapsulated frame, the information of the terminal Xt and the terminal Yt being engaged in a communication is encrypted, thereby providing a high level of security. However, the size of the frame is increased by the size of the added MAC header, which leads to an occurrence of an overhead. In addition, for the encapsulation as described above, the frame relay process unit of the switch must determine a switch as a relay destination for each frame and add the MAC header based on the determination (in the present example, the switch Xs needs to identify the MAC address of the switch Ys from the MAC address of the destination terminal Yt). Thus, the relay process is complicated.
By contrast, in the encrypted frame 170 , neither the destination MAC address 151 nor source MAC address 152 is encrypted, providing a slightly lower level of security than the above described method. However, since there is no need to add another MAC header to the frame, the size of the frame can be suppressed to be smaller than the above described method.
Also, the frame relay process unit 102 is only required to perform the normal relay process (e.g., there is not need to identify the MAC address of the switch Ys from the MAC address of the destination terminal Yt). Therefore, the present invention can utilize a frame relay process unit 102 similar to one in a conventional switch apparatus that does not perform a cryptographic process as shown in FIGS. 7 and 9. And, the function related to encryption/decryption can be off-loaded onto a cryptographic process modules ( 104 a and such) equipped corresponding to the respective ports equipped on an as required basis.
The next is a description on the second characteristic of the cryptographic header 171 being placed posterior to the TCI 162 . The second characteristic leads to an advantage that the L2 relay apparatus 101 of the present invention and a normal Layer 2 relay apparatus without a cryptographic process function can be intermingled for configuring a network.
Assuming an adoption of a method for encryption including the TPID 161 and TCI 162 , it is natural to insert a cryptographic header 171 immediately after the MAC header (that is, immediately after the source MAC address 152 ) and continue with the encrypted TPID 161 and TCI 162 thereafter. This method, however, negates a discernment of a VLAN to which a pre-encryption original tagged frame 160 belongs unless the encrypted frame is decrypted. Consequently, making a normal Layer 2 relay apparatus not comprising a cryptographic process function mingle in the middle of a telecommunication path of a network, the aforementioned relay apparatus is unable to judge as for which VLAN the frame corresponds to, thus unable to relay the frame appropriately. Therefore, if this method is adopted, it is not possible to make the normal Layer 2 relay apparatus not comprising a cryptographic process function mingle.
Contrarily, in the encrypted frame 170 of FIG. 11, the cryptographic header 171 and encrypted data part 172 are placed following the TPID 161 and TCI 162 which are in a cleartext state. Therefore, the normal Layer 2 relay apparatus without the cryptographic process function can also judge as for which VLAN the frame corresponds to, and relay the frame appropriately. In this case, the normal Layer 2 relay apparatus recognizes the encrypted frame 170 simply as a tagged frame. Therefore, according to the present invention, the normal Layer 2 relay apparatus can be mingled in configuring a network, enabling an efficient utilization of the existing apparatus. In addition, the L2 relay apparatus 101 comprising the symmetric key generation apparatus 1 can be utilized in various network configurations.
Meanwhile, focusing attention on the fact that also the frame relay process unit 102 comprised by the L2 relay apparatus 101 shown in FIGS. 7 and 9 does not have a cryptographic process function, the second characteristic leads to the following advantage. That is, the frame relay process unit 102 simply recognizes the encrypted frame 170 of FIG. 11 similar to the tagged frame 160 and can perform a relay process without any consideration of encryption. That is, the frame relay process unit 102 is required to merely perform the identical process to the frame relay process unit comprised by a conventional Layer 2 relay apparatus without a cryptographic process function. Also, as shown in FIG. 9, there is no need to equip all ports with the cryptographic process modules.
Meanwhile, in an environment not using a VLAN, encryption is performed not for a tagged frame 160 but for a frame 150 . Therefore, an encrypted frame in such a case is in the form of the encrypted frame 170 of FIG. 11 with the TPID 161 and TCI 162 being removed.
FIG. 12 shows details of the cryptographic header 171 . The length of the cryptographic header 171 is 12 bytes as shown in FIG. 12. The cryptographic header 171 is constituted by a 2-byte of type 1711 , a 1-byte of subtype 1712 , a 1-byte of reserved field 1713 , and an 8-byte of sequence number 1714 as shown in FIG. 12 in the described order.
The type 1711 is the field storing a global unique value representing the type of the frame. In order to make the type 1711 a global unique value, a request for the assignment of a value to the IEEE and the assignment of the value by the IEEE are necessary. The reason that the type 1711 must be a global unique value is as follows.
As is apparent from FIG. 11 and FIG. 12, the type 1711 is placed immediately following the TCI 162 in an environment using a VLAN; and the type 1711 is placed immediately following the source MAC address 152 in an environment not using a VLAN. Therefore, the type (placed at the head of the data part 153 ) in the frame 150 or in the tagged frame 160 is in the same position as the type 1711 in the encrypted frame 170 . Accordingly, it is necessary to discern a presence or absence of the cryptographic header 171 based on a value of the type 1711 .
The type placed at the head of the data part 153 in the frame 150 and the tagged frame 160 is a global unique value for identifying a protocol used by the upper layer, that is, Layer 3. For example, 0x0800 represents the IP. If the value of the type is 0x0800, the data part 153 is data in accordance with the IP format.
Therefore, the assignment of a specific global unique value (assumed as Z) to the type 1711 enables a discernment of a presence or absence of the cryptographic header 171 . That is, if the value of 2 bytes immediately following the TCI 162 is Z, the presence of the cryptographic header 171 can be determined in the environment using a VLAN; and, if the value of 2 bytes immediately following the source MAC address 152 is Z, the presence of the cryptographic header 171 can be determined in the environment not using a VLAN.
Thus enabling the determination of the presence or absence of the cryptographic header 171 enables the cryptographic process module 104 b for example, having received a frame from the port 103 h shown in FIG. 10B, to judge whether the received frame is an encrypted frame or a plaintext frame on the basis of the presence or absence of the cryptographic header 171 .
The subtype 1712 is the field for utilizing the single value (i.e., the Z mentioned above) assigned by the IEEE for various purposes. The type 1711 and subtype 1712 are required to merely indicate what the data in the upper layer represents, and their numerical values per se are meaning less. It is possible to define such as “if the type 1711 is a Z and the value of the subtype 1712 is 0x01, it represents that an encrypted Ethernet communication is performed and the fact that the cryptographic header 171 is followed by the encrypted data part 172 ”, for example.
The reserved field 1713 consists of 1 byte reserved for a future use. A usage example is described later in association with FIG. 18.
The sequence number 1714 is the field for storing a sequence number k 2 _r as a key material. Since the field length of the sequence number 1714 is 8 bytes, i.e., 64 bits, 2 64 sequence numbers are available. Therefore, even with high-speed lines such as 1 Gbps or 10 Gbps, it takes a tremendously long time for the same sequence number is to be used.
For example, when a cryptographic process module encrypts 1 G pieces of frames per second, it takes,
2 64 /10 9 =1.84×10 10 seconds≅585 years
to return to the same sequence number. Therefore, the sequence number 1714 can be regarded to be essentially unique.
However, it is possible for two or more cryptographic process modules 104 to accidentally use the same value. Given this possibility, it is desirable to set a start value (i.e., an initial value of the key material storage unit 12 ) of the sequence number randomly in each cryptographic process module 104 to reduce a possibility of two or more cryptographic process modules 104 using the same value accidentally.
FIGS. 13 through 15 each is a diagram exemplifying a configuration of a network by using the L2 relay apparatus 101 equipped with the symmetric key generation apparatus 1 . The L2 relay apparatus 101 is variously different depending on an embodiment where with which port a cryptographic process module (such as 104 a ) is to be equipped, as shown in FIGS. 7 and 9. Moreover, each cryptographic process module is different depending on a preferred embodiment where the module performs either of encryption or decryption in accordance with the direction of transmitting a frame.
A price of the L2 relay apparatus 101 and a method for configuring a network to accomplish an encrypted communication in Layer 2 differ with a combination of the above variations. That is, the present invention is contrived to enable preferred embodiments in various configurations suitable to a convenience of the user, and therefore is highly flexible.
Note that FIGS. 13 through 15 each omits some constituent components such as a TCG-compliant chip. Also, a plaintext frame and an encrypted frame respectively correspond to the solid line arrow and dotted line arrow. And the range of carrying out an encrypted communication is indicated by mesh shading.
The network configuration shown in FIG. 13 only employs a conventional L2 switch 141 b and a low cost L2 relay apparatuses 101 a through 101 e comprising a cryptographic process module at only one port.
Four PCs 4 a through 4 d are respectively connected to L2 relay apparatuses 101 a through 101 d in the configuration shown in FIG. 13. All of the L2 relay apparatuses 101 a through 101 d are connected to a conventional L2 switch 141 b not performing a cryptographic process. And the L2 switch 141 b is connected to the L2 relay apparatus 101 e . That is, the topology of FIG. 13 is very similar to a one-to-N star switch topology in a physical sense, i.e., the wiring of cables; it is, however, a topology of N-to-N relationship in a logical sense, i.e., a pair carrying out an encrypted communication. That is, since the encrypted communications are carried out in combinations such as a pair of L2 relay apparatuses 101 a and 101 b a pair of L2 relay apparatuses 101 a and 101 c , a pair of L2 relay apparatuses 101 a and 101 d , a pair of L2 relay apparatuses 101 b and 110 c , a pair of L2 relay apparatuses 101 b and 101 d and so on, and therefore the relationship is N-to-N.
The L2 relay apparatuses 101 a through 101 d are respectively equipped with cryptographic process modules 104 a through 104 d corresponding to the ports connected to the L2 switch 141 b . The other ports are not equipped with a cryptographic process module. The L2 relay apparatus 101 e is equipped with a cryptographic process module 104 e corresponding to the port connected to the L2 switch 141 b , and the other ports of the L2 relay apparatus 101 e are not equipped with a cryptographic process module. The L2 relay apparatus 101 e is also connected to the firewall 143 , and the firewall 143 is connected to a router 144 . A communication with an external network such as the Internet 145 is carried out via the router 144 .
The L2 relay apparatuses 101 a through 101 e shown in FIG. 13 can be produced inexpensively since the cryptographic process module is provided only for one port in each of them. In addition, the cryptographic process modules 104 a through 104 e each encrypts a frame when transmitting it to the corresponding port and decrypts a frame when receiving it from the corresponding port.
Describing it in relation with FIG. 8, if the reception unit 11 receives a frame from the frame relay process unit 102 , the judgment unit 15 judges as the first stage (i.e., a stage for encryption), the symmetric key generation unit 14 generates a symmetric key k and the encryption unit 16 encrypts the frame. On the other hand, if the reception unit 11 receives a frame from the corresponding port 103 , the judgment unit 15 judges as the second stage (i.e., a stage for decryption), the symmetric key generation unit 14 generates a symmetric key k and the decryption unit 17 decrypts the frame.
The next is a description of an example of communication in the case of configuring as described above. Referring to FIG. 13 r when transmitting a frame 150 shown in FIG. 11 from the PC 4 a to PC 4 b , the frame 150 is encrypted when it is transmitted via the cryptographic process module 104 a . The example shown in FIG. 13 does not utilize a VLAN and therefore an encrypted frame is in the form of the TPID 161 and TCI 162 having been deleted from the encrypted frame 170 shown in FIG. 11.
The encrypted frame is transmitted from the L2 relay apparatus 101 a to the L2 switch 141 b and relayed to the L2 relay apparatus 101 b connected to the PC 4 b . The MAC header of the encrypted frame is not encrypted, and therefore the L2 switch 141 b can relay it in the same manner as a normal frame 150 without carrying out a process related to cryptography.
The encrypted frame is received at the L2 relay apparatus 101 b and decrypted when the encrypted frame is transmitted via the cryptographic process module 104 b comprised by the L2 relay apparatus 101 b . The decrypted frame is relayed by a frame relay process unit comprised by the L2 relay apparatus 101 b to a port that is connected to the PC 4 b , followed by being transmitted to the PC 4 b from the port.
The next is a description of an example of transmitting an IP packet from the PC 4 a to the Internet 145 in the configuration of FIG. 13. A frame corresponding to the IP packet is transmitted from the PC 4 a to the L2 relay apparatus 101 e by way of the L2 relay apparatus 101 a and L2 switch 141 b.
The path from the PC 4