1. Field of the Invention
The present invention relates to a communication device, a communication system, and an algorithm selection method, and more particularly to the selection of an encryption algorithm or the like to be used for performing data communications such as encrypted communications.
2. Description of the Background Art
<Network Appliances>
The prevalence of Internet technology in recent years has led to a trend for connecting mobile terminals, home appliances and the like to the Internet in order to provide various services thereon. Communication devices such as ep stations are being marketed as one of the first instances of home appliances capable of connecting to the Internet. An ep station is a device for realizing an ep service as illustrated in FIG. 42. An ep service has two features. Firstly, through an Internet connection between a broadcasting station and an ep station, services which combine broadcasting and communications, e.g., TV shopping or programs in which viewers can participate, can be realized. Secondly, since an ep station incorporates a hard disk drive, it can store TV programs or advertisement data which are broadcast from satellites, e-mail data received from the Internet, and the like.
A current ep station connects to the Internet by way of telephone circuits. However, high-speed Internet connection environments are becoming available in ordinary households due to the prevalence of high-speed networks such as ADSL, CATV, and optical fibers. Therefore, it is easily conceivable that next-generation machines for the ep station, with high-speed communication abilities, may appear.
Atsuko NOMURA, “Broad-band Kakumei-Mezase! ubiquitous network shakai”, first edition, Chuokeizai-sha, Inc., Apr. 1, 2001, pp. 225-227 (ISBN4-502-57211-X), describes the so-called e-platform project, which is a precursor to the ep service, illustrating forms of services which combine high-quality broadcasting with data broadcasting, stored broadcast services, or high-speed Internet access. Examples of applications utilizing high-speed Internet access include download services such as video or music distribution, monitoring via videophones, or network cameras.
Among other applications, use of network cameras will be discussed. As for consumer use, network cameras may be utilized to monitor one's children at day nurseries, one's parents who are living by themselves, or one's home when one is away from it. In order to prevent such private video from being viewed by others on the Internet, it is necessary to protect the video data by encryption or the like.
Encrypted communications may be required for the transmission of the aforementioned private data, exchange of data concerning E-commerce, transmission of equipment control information from an ISP to each client's system in an Internet service or the like, and transmission of information concerning an operation which is made away from home with a personal terminal such as a cellular phone to a terminal device placed at the home (e.g., preparing a hot bath or turning the air conditioning on).
<Encrypted Communications>
It has been conventional practice to perform data encryption when exchanging confidential data over a public network such as the Internet. Uyless D. Black, translated by H. HATA and N. MATSUMOTO, “Internet Security Guide”, first edition, issued from Pearson Education, Nov. 20, 2001, all pages (ISBN4-89471-455-8), specifically describes dangers existing on the Internet and encryption and authentication techniques as countermeasures thereto. Publications such as “RFC2401”, issued from IETF (Internet Engineering Task Force) specifically describe IPsec (Internet Protocol Security), which is a representative encryption/authentication protocol used on the Internet.
Hereinafter, a general flow of encrypted communication processing will be described. First, the same encryption algorithm is set at both the transmitting end and the receiving end of data. At both ends, an encryption key as well as a decryption key with which to decrypt data that has been encrypted by the other end of the communication are also set. In the case where the encryption key and the decryption key are an identical key, such keys are called a shared key. The setting of the encryption algorithm and the keys may be performed manually, or through an automatic negotiation between both ends. Once such settings are completed, an encrypted communication is carried out in the following manner. First, the data-transmitting end encrypts data to be transmitted by using the encryption algorithm and encryption key which have been set, and sends it out onto the Internet connection network. Then, upon receiving the encrypted packet, the receiving end decrypts the encrypted packet by using the encryption algorithm and decryption key which have been set.
FIG. 43 is a block diagram illustrating a system in which a network camera installed in a day nursery and a digital television device installed at home are connected via an Internet connection network, such that a mother at home can monitor her child's activities at the day nursery, with respect to a portion concerning encrypted communications.
In this case, an encryption/decryption processing section 218 in the digital television device performs communications of various data in packet format with an encryption/decryption processing section 204 of the network camera, via a communication processing section 216 of the digital television device itself, the Internet connection network, and a communication processing section 206 in the network camera. In order for the data-transmitting end and the data-receiving end to use the same encryption algorithm, the aforementioned negotiation is performed between the two ends. In a negotiation of an encryption algorithm, packets for the negotiation are exchanged between the two ends. First, the encryption information determination section 214 of the digital television device generates a negotiation packet for transmission in a predetermined format, and proposes to the network camera an encryption algorithm to be used. At the network camera, the proposed encryption algorithm which has been obtained via the communication processing section 206 and the encryption/decryption processing section 204 is passed to the encryption information determination section 202 as encryption/decryption information, and the encryption information determination section 202 determines whether the proposed encryption algorithm is usable. Then, a reply indicating the usability of the proposed encryption algorithm is given via the encryption/decryption processing section 204 and the communication processing section 206. The encryption information determination section 214 in the digital television device receives this reply via the communication processing section 216 and the encryption/decryption processing section 218, and if the received reply is “usable”, it notifies the network camera, in the form of a negotiation packet, that the proposed usable encryption algorithm is finalized; thus, the negotiation for the encryption algorithm to be used is ended.
Moreover, the encryption information determination section 214 notifies the determined encryption algorithm to the encryption/decryption processing section 218, and instructs this algorithm to be set. Furthermore, the encryption information determination section 202 also notifies the determined encryption algorithm to the encryption/decryption processing section 204, and instructs this algorithm to be set. Next, the encryption information determination sections 214 and 202 and the encryption/decryption processing sections 218 and 204 perform predetermined communications with each other, and, through a procedure which is determined in accordance with the set encryption algorithm, generate and set an encryption key and a decryption key of a predetermined format. Once the encryption key and the decryption key are generated, encrypted communications are enabled. An encrypted communication application 200 passes video data which is imaged by an imaging section (not shown) to the encryption/decryption processing section 204. By using the set encryption algorithm, the encryption/decryption processing section 204 encrypts the video data, and sends it as data packets to the digital television device via the communication processing section 206 and the Internet connection network. At the digital television device, the data packets are received by the communication processing section 216 and thereafter decrypted by the encryption/decryption processing section 218, and the decrypted video data is passed to the encrypted communication application 210. The encrypted communication application 210 performs a process of displaying the video data from the network camera, at a predetermined position and in a predetermined size on a display of the television device.
When proposing an encryption algorithm in such a conventional negotiation, the encryption information determination section 214 selects from among the encryption algorithms held therein one or more encryption algorithms that have been set by the user or preselected in the program, and proposes it or them to the other end. When a proposal from the other end is received, as a response to the proposal, the encryption information determination section 214 selects and notifies the highest-priority encryption algorithm among the encryption algorithms that are held.
In the case where there are a plurality of applications which need to perform encryption/decryption using encryption algorithms, e.g., the encrypted communication applications 210 and 212, such that a plurality of types of data are subjected to encryption/decryption processing in parallel, adopting algorithms having a high encryption strength for both would result in a system failure, because encryption algorithms generally require a large CPU resource, such that the total load associated with the processing of the plurality of encrypted communication applications and a plurality of encryption processes therefor might exceed the CPU performance. In order to prevent such a situation, according to Japanese Patent Laid-Open Publication No. 2002-190798 (page 6, FIG. 6), communication data are split into a plurality of blocks, such that an encryption algorithm having a high encryption strength is used for blocks in which highly important data is stored, whereas an encryption algorithm having a low encryption strength is used for blocks in which less important data is stored, thereby reducing the necessary amount of CPU processing resource.
As described above, encryption processes which are performed in encrypted communications entail complicated processing for the transmitted/received data. Therefore, encrypted communications impose a very high processing load as compared to communications which do not involve any encryption. For example, in the case where a decryption process for network camera data (encrypted communication application 210) concurrently occurs with a recording of TV broadcast video data (application 208), both of which are high-load processes that require real time processing, the aforementioned sort of negotiation will select an encryption algorithm having the highest possible encryption strength, so that it may not be possible to perform both processes simultaneously, given the CPU performance. In other words, problems may occur such that the recording of the TV broadcast may fail, or the video of the network camera may be disturbed or stopped. FIG. 44 shows a relationship between the CPU performance, and the CPU resource necessary for receiving/displaying the network camera video and the CPU resource necessary for the TV recording. Thus, the aforementioned problem occurs only when the total of the CPU resource necessary for receiving/displaying the network camera video and the CPU resource necessary for the TV recording exceeds the CPU performance, as shown in FIG. 44.
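The conventional negotiation and the resulting CPU overload described above can be sketched as follows. This is an added illustration, not part of the patent text; the algorithm table, priorities, and all CPU load figures are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Algorithm:
    name: str
    priority: int  # higher = preferred by the conventional responder
    cpu_load: int  # constructed: % of CPU spent decrypting the camera stream


# Constructed table of algorithms held by an encryption information
# determination section. Cipher names are real; the numbers are illustrative.
HELD = {
    "AES-256-CBC": Algorithm("AES-256-CBC", priority=2, cpu_load=35),
    "AES-128-CBC": Algorithm("AES-128-CBC", priority=1, cpu_load=20),
}

CPU_CAPACITY = 100        # total CPU performance, in percent
TV_RECORDING_LOAD = 50    # constructed load of the TV recording (application 208)
CAMERA_DISPLAY_LOAD = 25  # constructed load of receiving/displaying, excluding crypto


def respond(proposal, held=HELD):
    """Responder: pick the highest-priority held algorithm that appears in
    the proposal, ignoring current CPU load. None if nothing is usable."""
    usable = [held[name] for name in proposal if name in held]
    return max(usable, key=lambda a: a.priority) if usable else None


def negotiate(proposal, held=HELD):
    """Propose -> reply 'usable' -> finalize; returns the finalized algorithm."""
    chosen = respond(proposal, held)
    if chosen is None:
        raise ValueError("no common algorithm; negotiation fails")
    return chosen


def total_load(algorithm, recording=True):
    """CPU demand of camera reception plus decryption, with optional recording."""
    load = CAMERA_DISPLAY_LOAD + algorithm.cpu_load
    return load + (TV_RECORDING_LOAD if recording else 0)


def overloaded(algorithm, recording=True):
    """True when the total demand exceeds the CPU performance."""
    return total_load(algorithm, recording) > CPU_CAPACITY


if __name__ == "__main__":
    alg = negotiate(["AES-128-CBC", "AES-256-CBC", "CAMELLIA-128-CBC"])
    for rec in (False, True):
        print(alg.name, "recording" if rec else "idle", total_load(alg, rec),
              "OVERLOAD" if overloaded(alg, rec) else "ok")
```

With these constructed figures the negotiated algorithm fits the CPU budget on its own and exceeds it only while the recording runs, which is the condition the text attributes to FIG. 44.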