1. Field of the Invention
This invention relates to an apparatus for relaying data between a plaintext network and a ciphertext network and in particular to a cryptographic apparatus for encrypting plaintext data and decrypting ciphertext data, an encryptor for encrypting plaintext data, and a decryptor for decrypting ciphertext data.
2. Description of the Related Art
A cryptographic apparatus using an encapsulation encryption technique typified by IPSEC (RFC2401-RFC2410) on a network conventionally takes a router or a terminal as its basic architecture. FIG. 12 is a block diagram showing a general network configuration in the related art. An example in which cryptographic apparatus, each adopting a router or a terminal as a basic architecture, are installed in the network shown in FIG. 12 to construct a cipher communication system will be discussed.
In FIG. 12, S1 denotes a terminal connected to a local network LN1, S2 denotes a terminal connected to a local network LN2, R1 denotes a router for connecting the local network LN1 and the Internet IN, and R2 denotes a router for connecting the local network LN2 and the Internet IN; the terminals S1 and S2 communicate with each other through the Internet IN. Generally, a firewall function such as a packet filter runs in the routers R1 and R2 connected to the Internet IN. Generally, the local networks LN1 and LN2 each contain a plurality of routers forming a part of the local network.
FIG. 13 is a block diagram showing the network configuration wherein cryptographic apparatus each adopting a router as a basic architecture, hereinafter referred to as router-type cryptographic apparatus, are installed in the network shown in FIG. 12. In FIG. 13, ROE1 denotes a router-type cryptographic apparatus in the local network LN1, ROE2 denotes a router-type cryptographic apparatus in the local network LN2, SN1 denotes a newly defined subnet to install the router-type cryptographic apparatus ROE1, SN2 denotes a newly defined subnet to install the router-type cryptographic apparatus ROE2, and internet VPN is a VPN (Virtual Private Network) on the Internet that can be configured by installing the router-type cryptographic apparatus ROE1 and the router-type cryptographic apparatus ROE2. A communication data flow from the local network LN1 to the LN2 is indicated by the heavy line arrow (plaintext is indicated by the solid line part and ciphertext is indicated by the dotted line part).
However, as shown in FIG. 13, to install the router-type cryptographic apparatus ROE1 in the local network LN1, the router of the router-type cryptographic apparatus ROE1 is newly installed in the local network LN1, and thus the network parameter settings of the terminals and the routers in the local network LN1 need to be changed to match the additional installation of the router-type cryptographic apparatus ROE1. A similar change also needs to be made in the local network LN2 in which the router-type cryptographic apparatus ROE2 is installed.
FIG. 14 is a block diagram showing the network configuration wherein cryptographic apparatus each adopting a terminal as a basic architecture, hereinafter referred to as terminal-type cryptographic apparatus, are installed in the network shown in FIG. 12. In FIG. 14, SE1 denotes a terminal-type cryptographic apparatus in the local network LN1, SE2 denotes a terminal-type cryptographic apparatus in the local network LN2, and internet VPN is a VPN on the Internet that can be configured by installing the terminal-type cryptographic apparatus SE1 and the terminal-type cryptographic apparatus SE2. A communication data flow from the local network LN1 to the LN2 is indicated by the heavy line arrow (plaintext is indicated by the solid line part and ciphertext is indicated by the dotted line part).
However, as shown in FIG. 14, to install the terminal-type cryptographic apparatus SE1 in the local network LN1, the network parameter settings of the terminals and the routers in the local network LN1 need to be changed so that communication data from the local network LN1 is destined for the terminal-type cryptographic apparatus SE1. A similar change also needs to be made in the local network LN2 in which the terminal-type cryptographic apparatus SE2 is installed.
Thus, to install a new cryptographic apparatus using the encapsulation encryption technique in a network of the related art, it is necessary to change the network parameter settings of the terminals and the routers in the local network connected to the cryptographic apparatus; this is a problem.
It is therefore an object of the invention to provide a cryptographic apparatus, an encryptor, and a decryptor which eliminate the need for changing the network parameters of other machines on a network when the cryptographic apparatus is installed, and can be easily installed in an existing network system.
According to an aspect of the invention, there is provided a cryptographic apparatus for relaying data between a plaintext network and a ciphertext network, the cryptographic apparatus comprising an encryption/encapsulation processing section for encrypting plaintext data received from the plaintext network, determining a cryptographic apparatus corresponding to the address set in the header of the plaintext data based on the predetermined correspondence between addresses and different cryptographic apparatus, setting a new header based on the determined cryptographic apparatus as encapsulation processing, and transmitting ciphertext data provided thereby to the ciphertext network of the same IP (Internet Protocol) subnet as the plaintext network, and a decryption/decapsulation processing section for decrypting ciphertext data received from the ciphertext network into plaintext data, again setting a header based on the address set in the header of the plaintext data as decapsulation processing, and transmitting plaintext data provided thereby to the plaintext network of the same IP subnet as the ciphertext network.
In the cryptographic apparatus according to the invention, the encryption/encapsulation processing section comprises an encryption/encapsulation processing block for encrypting plaintext data received from the plaintext network and determining the cryptographic apparatus corresponding to the address set in the IP (Internet Protocol) header of the plaintext data based on the predetermined correspondence between addresses and different cryptographic apparatus, and setting a new IP header based on the determined cryptographic apparatus as encapsulation processing, and a ciphertext MAC address resolution block for setting a MAC header based on the IP header set in the encryption/encapsulation processing block, preparing ciphertext data, and transmitting the prepared ciphertext data to the ciphertext network of the same IP subnet as the plaintext network, and the decryption/decapsulation processing section comprises a decryption/decapsulation processing block for decrypting ciphertext data received from the ciphertext network into plaintext data and again setting an IP header based on the address set in the IP header of the plaintext data as decapsulation processing, and a plaintext MAC address resolution block for setting a MAC header based on the IP header again set in the decryption/decapsulation processing block, preparing plaintext data, and transmitting the prepared plaintext data to the plaintext network of the same IP subnet as the ciphertext network.
The cryptographic apparatus according to the invention further includes a plaintext filter for determining the ciphertext data received from the ciphertext network to be transparent relay information, discard information, or plaintext information based on the decryption result of the decryption/decapsulation processing block and allowing the ciphertext data to be transmitted to the plaintext network if the ciphertext data is transparent relay information, discarding the ciphertext data if the ciphertext data is discard information, or outputting plaintext data decrypted by the decryption/decapsulation processing block to the plaintext MAC address resolution block if the ciphertext data is plaintext information, wherein the plaintext MAC address resolution block sets a MAC header in the plaintext data output from the plaintext filter and transmits the plaintext data to the plaintext network.
The cryptographic apparatus according to the invention further includes a ciphertext filter for determining the plaintext data received from the plaintext network to be transparent relay information, discard information, or ciphertext information and allowing the plaintext data to be transmitted to the ciphertext network if the plaintext data is transparent relay information, discarding the plaintext data if the plaintext data is discard information, or outputting the plaintext data to the decryption/decapsulation processing section if the plaintext data is ciphertext information, wherein the encryption/encapsulation processing section prepares ciphertext data from the plaintext data output from the ciphertext filter and transmits the ciphertext data to the ciphertext network.
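The following Python model is an added illustration, not code from the patent, of the behaviour described in the four preceding paragraphs: the predetermined correspondence between protected addresses and peer apparatus, the encryption/encapsulation block that sets a new outer header from this apparatus to the determined peer, the decryption/decapsulation block that sets the header again from the addresses carried inside the decrypted data, and the ciphertext filter and plaintext filter that classify data as transparent relay information, discard information, or ciphertext/plaintext information. All addresses, keys, the `Packet` representation, the `discard_addrs` policy, and the stream cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) are assumptions standing in for the ESP processing a real device would use; the MAC address resolution blocks are omitted.

```python
# Added illustrative model (not the patent's own code) of a transparent, same-subnet
# cryptographic apparatus: address-to-peer mapping, encapsulation, decapsulation and
# the plaintext/ciphertext filters. The keystream cipher is a stand-in (assumption).
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set

TRANSPARENT = "transparent relay information"
DISCARD = "discard information"
CIPHERTEXT = "ciphertext information"   # plaintext-side data that must be encrypted
PLAINTEXT = "plaintext information"     # ciphertext-side data that must be decrypted


@dataclass
class Packet:
    """Minimal IP packet: header addresses plus payload (constructed representation)."""
    src: str
    dst: str
    payload: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (assumption, not ESP)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class CryptoApparatus:
    def __init__(self, own_addr: str, key: bytes, peer_table: Dict[str, str],
                 discard_addrs: Optional[Set[str]] = None):
        self.addr = own_addr                 # the apparatus' own IP on the shared subnet
        self.key = key                       # pre-shared with the peer apparatus (assumption)
        self.peer_table = peer_table         # protected address -> peer apparatus address
        self.discard_addrs = discard_addrs or set()   # constructed discard policy

    # ciphertext filter: data arriving from the plaintext network
    def ciphertext_filter(self, pkt: Packet) -> str:
        if pkt.dst in self.discard_addrs:
            return DISCARD
        if pkt.dst in self.peer_table:
            return CIPHERTEXT
        return TRANSPARENT                   # same subnet: forward untouched

    # encryption/encapsulation block
    def encrypt_encapsulate(self, pkt: Packet) -> Packet:
        peer = self.peer_table[pkt.dst]      # determine the corresponding apparatus
        nonce = os.urandom(8)
        inner = f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload   # whole inner packet
        ct = bytes(x ^ y for x, y in zip(inner, _keystream(self.key, nonce, len(inner))))
        tag = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        # new outer header: from this apparatus to the peer apparatus
        return Packet(src=self.addr, dst=peer, payload=nonce + ct + tag)

    # decryption/decapsulation block; None means the data did not decrypt
    def decrypt_decapsulate(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst != self.addr or len(pkt.payload) < 8 + 32:
            return None
        nonce, ct, tag = pkt.payload[:8], pkt.payload[8:-32], pkt.payload[-32:]
        expected = hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # authentication failure
        inner = bytes(x ^ y for x, y in zip(ct, _keystream(self.key, nonce, len(ct))))
        parts = inner.split(b"|", 2)
        if len(parts) != 3:
            return None
        # header set again from the addresses carried inside the decrypted data
        return Packet(parts[0].decode(), parts[1].decode(), parts[2])

    # plaintext filter: data arriving from the ciphertext network
    def plaintext_filter(self, pkt: Packet) -> str:
        if pkt.dst != self.addr:
            return TRANSPARENT               # not for this apparatus: relay as-is
        return PLAINTEXT if self.decrypt_decapsulate(pkt) is not None else DISCARD


def relay_plain_to_cipher(app: CryptoApparatus, pkt: Packet):
    """Plaintext network -> ciphertext network path: returns (verdict, emitted packet)."""
    verdict = app.ciphertext_filter(pkt)
    if verdict == CIPHERTEXT:
        return verdict, app.encrypt_encapsulate(pkt)
    return verdict, (pkt if verdict == TRANSPARENT else None)


def relay_cipher_to_plain(app: CryptoApparatus, pkt: Packet):
    """Ciphertext network -> plaintext network path: returns (verdict, emitted packet)."""
    verdict = app.plaintext_filter(pkt)
    if verdict == PLAINTEXT:
        return verdict, app.decrypt_decapsulate(pkt)
    return verdict, (pkt if verdict == TRANSPARENT else None)


def build_demo():
    """Apparatus A protecting LN1 and B protecting LN2 (constructed addresses and key)."""
    key = b"constructed-demo-key-not-for-use"
    a = CryptoApparatus("192.168.1.250", key, {"192.168.2.10": "192.168.2.250"},
                        discard_addrs={"192.168.2.66"})
    b = CryptoApparatus("192.168.2.250", key, {"192.168.1.10": "192.168.1.250"})
    return a, b
```

Because the outer header names only the two apparatus while the terminals keep their existing addresses, traffic that is not in the peer table passes through unchanged and nothing on the local network needs reconfiguring; a packet addressed to the apparatus that fails authentication is classified as discard information rather than being forwarded.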
The cryptographic apparatus according to the invention further includes a terminal function block for processing information addressed to the home station, transmitted to the home station, a plaintext home station filter for determining whether the plaintext data received from the plaintext network is information addressed to the home station or discard information and outputting the plaintext data to the terminal function block if the plaintext data is information addressed to the home station or discarding the plaintext data or ciphertext data if the plaintext data is discard information, a ciphertext home station filter for determining whether the ciphertext data received from the ciphertext network is information addressed to the home station or discard information and outputting the ciphertext data to the terminal function block if the ciphertext data is information addressed to the home station or discarding the ciphertext data if the ciphertext data is discard information, a home station plaintext filter for determining whether or not home station output information output from the terminal function block is transparent relay information to the plaintext network and allowing the home station output information to be transmitted to the plaintext network if the home station output information is transparent relay information to the plaintext network, a home station ciphertext filter for determining whether or not the home station output information output from the terminal function block is ciphertext information to the ciphertext network and outputting the home station output information to the decryption/decapsulation processing section if the home station output information is ciphertext information to the ciphertext network, and a home station discard filter for determining whether or not the home station output information output from the terminal function block is discard information and discarding the home station output information if the home station output information is discard information.
According to another aspect of the invention, there is provided an encryptor for relaying data between a plaintext network and a ciphertext network, the encryptor comprising an encryption/encapsulation processing section for encrypting plaintext data received from the plaintext network, determining a cryptographic apparatus corresponding to the address set in the header of the plaintext data based on the predetermined correspondence between addresses and different cryptographic apparatus, setting a new header based on the determined cryptographic apparatus as encapsulation processing, and transmitting ciphertext data provided thereby to the ciphertext network of the same IP subnet as the plaintext network.
According to another aspect of the invention, there is provided a decryptor for relaying data between a plaintext network and a ciphertext network, the decryptor comprising a decryption/decapsulation processing section for decrypting ciphertext data received from the ciphertext network into plaintext data, again setting a header based on the address set in the header of the plaintext data as decapsulation processing, and transmitting plaintext data provided thereby to the plaintext network of the same IP subnet as the ciphertext network.