(1) Field of the Invention
The present invention relates to a security communication packet processing apparatus for secret communication by data packets and a method therefor. More specifically, the present invention relates to a technique for speeding up security ensuring processing and reducing its delay.
(2) Description of the Prior Art
As TCP/IP networks such as the Internet have rapidly become widespread in recent years, various kinds of net businesses such as electronic music distribution and shopping on the Web have come into the spotlight and been developed one after another. Although these kinds of net businesses rest on the major premise that secure and credible business is guaranteed between a service provider and a user, the Internet is generally considered to be an insecure network because it is always at risk of eavesdropping and impersonation by a cracker. Thus, network security techniques such as electronic authentication, the encryption of communication data and firewalls have come into the picture. Although these techniques have been realized mainly by software, demand for high-speed processing by hardware such as a cipher processing chip or a cipher circuit board has increased in preparation for the future broadening of communication channel bandwidth in TCP/IP infrastructures.
In a computer or a network connection device having a security communication function such as IPSec (IP Security Protocol Suite), conventional processing for a packet that requires both encryption processing and authentication processing is performed as shown in the flowchart of FIG. 1. For a packet (such as an IP packet) that requires encryption processing (Step 701), the plaintext packet is first divided into data blocks for the encryption processing (Step 702), the encryption processing of these data blocks is performed (Step 703), and the blocks are then reconstructed as an encrypted packet (Step 704). Next, when the packet requires authentication processing (Step 705), the encrypted packet is divided into data blocks for the authentication processing (Step 706), the authentication processing of these data blocks is performed (Step 707), and the blocks are then reconstructed as an authentication-processed packet (Step 708).
However, according to the above-mentioned method, packet construction processing needs to be performed twice (Step 704 and Step 708 in FIG. 1) for a packet that requires both the encryption processing and the authentication processing. Therefore, when both the encryption processing and the authentication processing are performed, there are problems of slowed (delayed) processing, decreased throughput and ineffective use of the encryption processing unit or the authentication processing unit. Also, according to this method, there is a problem that a plaintext packet that should be processed with priority cannot be given priority while another packet is being processed. Further, when only one encryption processing unit and one authentication processing unit are mounted, there is a problem that it is impossible to realize high-speed throughput by the simultaneous processing of plural packets.
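The conventional flow of FIG. 1 can be traced in code to make the two packet constructions visible. The following Python sketch is an added example, not taken from this document or its apparatus: the 8-byte and 64-byte block sizes, HMAC-SHA-1, zero padding, the keystream-XOR stand-in for the cipher unit and all function names are assumptions. The second function is included only for comparison and shows that the authentication value does not depend on rebuilding the intermediate encrypted packet.

```python
import hashlib
import hmac

ENC_BLOCK = 8    # assumed cipher block size in bytes (64-bit block cipher)
AUTH_BLOCK = 64  # assumed authentication block size in bytes (HMAC-SHA-1)

def split(data, size):
    """Divide packet data into fixed-size data blocks."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def toy_encrypt_block(key, index, block):
    """Stand-in for the encryption unit (keystream XOR); not a real cipher."""
    stream = hashlib.sha256(key + index.to_bytes(4, "big")).digest()
    return bytes(b ^ s for b, s in zip(block, stream))

def pad(payload):
    """Zero-pad to a whole number of cipher blocks (padding scheme assumed)."""
    return payload + bytes(-len(payload) % ENC_BLOCK)

def conventional(payload, enc_key, auth_key):
    """FIG. 1 flow. Returns (packet, number of packet constructions)."""
    constructions = 0
    blocks = split(pad(payload), ENC_BLOCK)                  # Step 702
    enc = [toy_encrypt_block(enc_key, i, b)                  # Step 703
           for i, b in enumerate(blocks)]
    encrypted_packet = b"".join(enc)                         # Step 704
    constructions += 1
    mac = hmac.new(auth_key, digestmod=hashlib.sha1)
    for block in split(encrypted_packet, AUTH_BLOCK):        # Step 706
        mac.update(block)                                    # Step 707
    packet = encrypted_packet + mac.digest()                 # Step 708
    constructions += 1
    return packet, constructions

def block_forwarding(payload, enc_key, auth_key):
    """Comparison: each encrypted block goes straight to the MAC."""
    mac = hmac.new(auth_key, digestmod=hashlib.sha1)
    enc = []
    for i, b in enumerate(split(pad(payload), ENC_BLOCK)):
        c = toy_encrypt_block(enc_key, i, b)
        mac.update(c)  # no intermediate encrypted packet is rebuilt
        enc.append(c)
    return b"".join(enc) + mac.digest(), 1  # single construction at the end

SAMPLE = b"constructed sample payload " * 5  # constructed input, 135 bytes
```

Both functions return byte-identical packets for the same keys, so the receiver's verification is unaffected by which path produced the packet.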