1. Field of the Invention
The present invention relates to an encryption communication system in which the respective encrypt apparatuses, which relay communication data among communication terminals installed in a communication network, perform encryption communications after learning their own encrypt keys.
2. Description of the Related Art
Recently, in connection with the popularization of computer networks, there is an increasing demand for techniques that encrypt communication data in order to keep the secrecy of the data carried over such networks. In general, a data encrypting/decrypting method is carried out in accordance with a table containing encrypt keys (will be referred to as an "encrypt key table" hereinafter), as described in, for example, Japanese Unexamined Patent Publication No. Hei 6-209313. This conventional encrypt technique is shown in FIG. 46; the encrypt apparatus selects the encrypt key according to one or both of the destination address and the transmission source address of the communication data.
In FIG. 46, reference numeral 7 indicates the encrypt apparatus, reference numeral 2 denotes the encrypt/decrypt processing unit for encrypting/decrypting the communication data, reference numeral 3 represents the transparent relay processing unit for relaying the communication data unchanged, and reference numeral 4 shows the discard processing unit for discarding the communication data. Also, reference numeral 6 is the transmission/reception processing unit for processing transmitted and received data, and reference numeral 8 shows the encrypt key table, which indicates the processing method of the communication data. As shown in FIG. 48, a communication data processing method is set for each pair of destination terminal and transmission source terminal of the communication data.
There are three sorts of communication data processing method, i.e., encrypt/decrypt processing, transparent relay processing, and discard processing. In the case of the encrypt/decrypt processing method, the identifier (will be referred to as "ID" hereinafter) of the encrypt key used in the encrypting/decrypting operation is set in the encrypt key table 8. In the case of the transparent relay processing method and the discard processing method, the respective process itself is registered in the encrypt key table 8.
When communication data is received by the encrypt apparatus 7, the transmission/reception processing unit 6 retrieves from the encrypt key table 8 the communication data processing method corresponding to the pair of destination terminal and transmission source terminal of the communication data. When the ID of an encrypt key is registered, the received communication data is passed to the encrypt/decrypt processing unit 2, and the processed communication data is then transmitted from the transmission/reception processing unit 6 located opposite to the transmission/reception processing unit 6 which received it. When the transparent relay processing method or the discard processing method is registered, the received communication data is passed to the transparent relay processing unit 3 or the discard processing unit 4, respectively. When the transparent relay processing method is registered, the communication data is transmitted unchanged from the transmission/reception processing unit 6 located opposite to the one which received it. When the discard processing method is registered, the communication data is discarded. Since a pair with no registered processing method cannot be encrypted or relayed, the table also serves as the access control for the apparatus.
One example of encryption communication when the encrypt apparatuses 7 are arranged as shown in FIG. 47 will now be described. It is assumed that an encrypt apparatus 71 owns an encrypt key 1, an encrypt apparatus 72 owns an encrypt key 3, an encrypt apparatus 73 owns encrypt keys 1 and 2, an encrypt apparatus 74 owns the encrypt key 3, and an encrypt apparatus 75 owns the encrypt key 2. Between a terminal A and a terminal B, communication data is encrypted/decrypted using the encrypt key 1 in the encrypt apparatuses 71 and 73, and is transparently relayed by the encrypt apparatus 72 on the relay path. Between the terminal B and a terminal C, the communication data is encrypted/decrypted using the encrypt key 2 in the encrypt apparatuses 73 and 75, and is further encrypted/decrypted using the encrypt key 3 in the encrypt apparatuses 72 and 74, so that the data carries two layers of encryption on the segment between 72 and 74. Between the terminal A and the terminal C, no encrypt key is shared among the encrypt apparatuses 71, 74 and 75 on the communication path, so data communication cannot be executed.
To realize the above-described encryption communication, each of the encrypt apparatuses 7 employs an encrypt key table 8 as shown in FIG. 48. In the encrypt key table 8, the destination terminal addresses and the transmission source terminal addresses of the communication data are set together with the processing method applied to that communication data. For instance, in the encrypt apparatus 71, communication data between the terminal A and the terminal B is encrypted/decrypted using the encrypt key 1, whereas communication data between the terminal A and the terminal C is discarded. Also, in the encrypt apparatus 72, communication data between the terminal A and the terminal B is transparently relayed, whereas communication data between the terminal B and the terminal C is encrypted/decrypted using the encrypt key 3. As explained above, an encrypt key table describing the communication data processing methods is required in each of the encrypt apparatuses 7, and the tables differ from apparatus to apparatus.
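The following is an added illustration of the table lookup of FIG. 46 and the relay example of FIGS. 47 and 48; it is not code from the patent. The hop lists for each terminal pair are taken from the description above, the key values and the assignment of each apparatus to the terminal it fronts (used to decide whether a packet is leaving its protected side, and so must be encrypted, or entering it, and so must be decrypted) are assumptions, and a byte-wise XOR stands in for the real encrypt/decrypt processing unit.

```python
"""Per-apparatus encrypt key table and relay simulation (added example).

Assumptions not stated in the patent: the toy key bytes in KEYS, the
"inside" terminal of each apparatus, and the XOR stand-in cipher.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Method(Enum):
    ENCRYPT = "encrypt/decrypt"      # entry carries an encrypt key ID
    RELAY = "transparent relay"
    DISCARD = "discard"


@dataclass
class Entry:
    method: Method
    key_id: Optional[int] = None     # only meaningful for Method.ENCRYPT


@dataclass
class Packet:
    src: str
    dst: str
    data: bytes
    layers: list = field(default_factory=list)   # key IDs applied, innermost first


# Toy key material for the three key IDs named in the text (assumed values).
KEYS = {1: 0x1F, 2: 0xA3, 3: 0x5C}


def xor(data: bytes, key_id: int) -> bytes:
    """Involutive toy cipher: applying it twice with the same key restores data."""
    return bytes(b ^ KEYS[key_id] for b in data)


class Discarded(Exception):
    """Raised by discard processing unit 4."""


class EncryptApparatus:
    """One encrypt apparatus 7: its key table 8 plus the terminals it fronts."""

    def __init__(self, name: str, inside: set, owned_keys: set):
        self.name, self.inside, self.owned_keys = name, inside, owned_keys
        self.table = {}              # frozenset({src, dst}) -> Entry

    def set_entry(self, a: str, b: str, entry: Entry) -> None:
        if entry.method is Method.ENCRYPT and entry.key_id not in self.owned_keys:
            raise ValueError(f"apparatus {self.name} does not own key {entry.key_id}")
        self.table[frozenset((a, b))] = entry

    def process(self, pkt: Packet) -> Packet:
        # Transmission/reception unit 6: look up the (dst, src) pair.
        # An unregistered pair is treated as discard, i.e. default deny.
        entry = self.table.get(frozenset((pkt.src, pkt.dst)), Entry(Method.DISCARD))
        if entry.method is Method.DISCARD:
            raise Discarded(f"{self.name}: no permitted entry for {pkt.src}<->{pkt.dst}")
        if entry.method is Method.RELAY:
            return pkt                                   # relay unit 3, unchanged
        # Encrypt/decrypt unit 2. Data from a fronted terminal is leaving:
        # add a layer. Data arriving from outside is entering: strip the
        # outermost layer, which must have been made with this entry's key.
        if pkt.src in self.inside:
            return Packet(pkt.src, pkt.dst, xor(pkt.data, entry.key_id),
                          pkt.layers + [entry.key_id])
        if not pkt.layers or pkt.layers[-1] != entry.key_id:
            raise Discarded(f"{self.name}: outer layer is not key {entry.key_id}")
        return Packet(pkt.src, pkt.dst, xor(pkt.data, entry.key_id), pkt.layers[:-1])


# Hop lists as given in the description of FIG. 47 (reversed for the other way).
PATHS = {frozenset("AB"): ["71", "72", "73"],
         frozenset("BC"): ["73", "72", "74", "75"],
         frozenset("AC"): ["71", "74", "75"]}


def build_network() -> dict:
    a71 = EncryptApparatus("71", {"A"}, {1})
    a72 = EncryptApparatus("72", {"B"}, {3})
    a73 = EncryptApparatus("73", {"B"}, {1, 2})
    a74 = EncryptApparatus("74", {"C"}, {3})
    a75 = EncryptApparatus("75", {"C"}, {2})
    # FIG. 48 style entries: one table per apparatus, set by the manager.
    a71.set_entry("A", "B", Entry(Method.ENCRYPT, 1))
    a71.set_entry("A", "C", Entry(Method.DISCARD))
    a72.set_entry("A", "B", Entry(Method.RELAY))
    a72.set_entry("B", "C", Entry(Method.ENCRYPT, 3))
    a73.set_entry("A", "B", Entry(Method.ENCRYPT, 1))
    a73.set_entry("B", "C", Entry(Method.ENCRYPT, 2))
    a74.set_entry("B", "C", Entry(Method.ENCRYPT, 3))
    a75.set_entry("B", "C", Entry(Method.ENCRYPT, 2))
    return {a.name: a for a in (a71, a72, a73, a74, a75)}


def communicate(net: dict, src: str, dst: str, data: bytes):
    """Push one packet along the path; return delivered bytes and the key
    layers present after each hop. Raises Discarded if any apparatus drops it."""
    hops = PATHS[frozenset((src, dst))]
    if hops[0] not in (a.name for a in net.values() if src in a.inside):
        hops = list(reversed(hops))
    pkt, trace = Packet(src, dst, data), []
    for name in hops:
        pkt = net[name].process(pkt)
        trace.append(list(pkt.layers))
    return pkt.data, trace


def demo() -> dict:
    net, out, msg = build_network(), {}, b"constructed sample"
    for src, dst in (("A", "B"), ("B", "C"), ("C", "B"), ("A", "C")):
        try:
            out[(src, dst)] = communicate(net, src, dst, msg)
        except Discarded as e:
            out[(src, dst)] = ("discarded", str(e))
    return out


if __name__ == "__main__":
    for pair, result in demo().items():
        print(pair, result)
```

Running `demo()` shows the B-C packet carrying two layers ([2, 3]) while it sits between apparatuses 72 and 74, and the A-C packet being dropped at apparatus 71 before it reaches the network; a packet whose outermost layer was made with a key other than the one in the receiving table is dropped as well, which is the behaviour a real decrypt unit with integrity checking would give.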
In general, the above-described encrypt key tables are stored in the respective encrypt apparatuses, or stored in a management apparatus capable of managing in a batch mode the encrypt keys arranged on a network. In the latter case, when a data communication is commenced, an interrogation is issued from an encrypt apparatus to the management apparatus so as to acquire an encrypt key.
As represented in FIG. 48, since the encrypt key tables differ for each encrypt apparatus, a network manager is required to prepare a suitable encrypt key table for each encrypt apparatus while taking the structure of the network into account. Also, as the scale of the network grows, the number of communication terminals increases and the contents of the encrypt key tables become very complex, since an entry is needed for every pair of terminals at every apparatus on the path between them. Therefore, there is a problem that these tables can no longer be managed by the network manager. Furthermore, an access control means for preventing unauthorized access from an external network is required.