HK1117295B - Client-server distributed system, client apparatus, server apparatus, and message encryption method used therefor - Google Patents
Description
Technical Field
The present invention relates to a client/server type distributed system, a client apparatus, a server apparatus, and a message encryption method and program used for the same, and more particularly to a method for encrypting SIP messages between the clients and servers of a client/server type distributed system that supports SIP (Session Initiation Protocol).
Background
A client/server type distributed system that supports SIP is connected to a LAN (Local Area Network), so security must be ensured; as a countermeasure, methods are defined for encrypting the SIP messages used for control between a client and a server. Generally, SSL/TLS (Secure Sockets Layer/Transport Layer Security) and the like are defined as SIP message encryption systems.
In the SSL/TLS system, certificates are required by both parties (see, for example, non-patent document 1), so when the SSL/TLS system is applied to the client/server type distributed system, certificates need to be distributed to the client and server apparatuses in advance. The client/server type distributed system must also be provided with an authentication server and must authenticate certificates in order to distribute a key.
Further, in the client/server type distributed system, the entire SIP message is encrypted when a SIP message is encrypted, so communication via a SIP-NAT (Network Address Translator) cannot be performed in a network that contains a network device such as a SIP-NAT.
Moreover, since TCP (Transmission Control Protocol) is used as the fourth-layer protocol, the system is not suited to VoIP (Voice over Internet Protocol) communication, in which real-time performance is important and for which UDP (User Datagram Protocol) is generally used.
As a method for transferring a key used for network authentication or the like, the following methods disclosed in patent documents 1 to 5 have been proposed.
Patent document 1: Japanese Patent Laid-Open No. 2004-302846
Patent document 2: Japanese Patent Laid-Open No. 2004-343782
Patent document 3: Japanese Patent Laid-Open No. 2005-045473
Patent document 4: Japanese Patent Laid-Open No. 2005-051680
Patent document 5: Japanese Patent Laid-Open No. 2005-216188
Non-patent document 1: Hiroshi Yuki, "暗号技術入門 秘密の国のアリス" (Introduction to Cryptographic Technology: Alice in the Land of Secrets), Chapter 14 "SSL/TLS" (SoftBank Publishing, September 27, 2003, pp. 346-367)
The existing SIP-compliant client/server type distributed system described above has the following problem: when a SIP message between a client and a server is encrypted, certificates must be authenticated in order to notify a key, so certificates need to be distributed to the client and server apparatuses, a certificate management function is required, and the workload of maintenance personnel increases.
The existing client/server type distributed system also has the following problem: when a SIP message is encrypted, the whole SIP message is encrypted, so in a network that contains network devices such as a SIP-NAT, communication via the SIP-NAT cannot be performed and network expandability is low.
Further, the existing client/server type distributed system has the following problem: since TCP is used as the fourth-layer protocol, it is difficult to ensure real-time performance in VoIP communication.
Therefore, with the related art it is difficult to ensure real-time performance when it is applied as security for VoIP communication. Further, the conventional technique has a function of updating a key when communication increases, but it cannot change the other encryption information (presence or absence of encryption, encryption rule, and encryption range), so its level of cryptographic security is low compared with a case where SIP messages are transmitted and received while all of the encryption information is changed. These problems are difficult to solve even with the methods of transferring a key used for authentication or the like described in patent documents 1 to 5.
Disclosure of Invention
Therefore, an object of the present invention is to solve the above-described problems and provide a client/server type distributed system, a client apparatus, a server apparatus, and a message encryption method and program used for the same, which do not require a certificate authentication function for distributing a key, holding or managing certificates, installing an authentication server in the system, and the like, and which can realize a low-cost cryptographic security function.
A client/server type distributed system according to the present invention is configured by connecting a client device supporting SIP (Session Initiation Protocol) and a server device supporting SIP to a network, with SIP operating over UDP (User Datagram Protocol), wherein the server device includes: a unit that sets encryption information used for SIP message transmission and reception with the client device; a unit that notifies the client device of the encryption information for the SIP message; a unit that encrypts and transmits the SIP message based on the encryption information when transmitting the SIP message to the client device; a unit that, when receiving an encrypted SIP message from the client device, decrypts the SIP message based on the encryption information; and a unit that performs control corresponding to the decrypted content, and the client device includes: a unit that sets the encryption information for the SIP message received from the server device; a unit that encrypts the SIP message based on the encryption information when the SIP message is transmitted to the server device; a unit that, when receiving an encrypted SIP message from the server device, decrypts the SIP message based on the encryption information; and a unit that performs control corresponding to the decrypted content.
The client apparatus of the present invention includes the means described for the client/server type distributed system.
The server apparatus of the present invention includes the means described for the client/server type distributed system.
The message encryption method of the present invention is used in a client/server type distributed system in which a client apparatus supporting SIP (Session Initiation Protocol) and a server apparatus supporting SIP are connected to a network and SIP operates over UDP (User Datagram Protocol), wherein the server apparatus executes the following processing: setting encryption information used when transmitting SIP messages to and receiving them from the client apparatus; notifying the client apparatus of the encryption information for the SIP message; encrypting and transmitting the SIP message based on the encryption information when transmitting the SIP message to the client apparatus; decrypting the SIP message based on the encryption information when an encrypted SIP message is received from the client apparatus; and performing control corresponding to the decrypted content, and the client apparatus executes the following processing: setting the encryption information for the SIP message received from the server apparatus; encrypting the SIP message based on the encryption information when the SIP message is transmitted to the server apparatus; decrypting the SIP message based on the encryption information when an encrypted SIP message is received from the server apparatus; and performing control corresponding to the decrypted content.
The program of the present invention is a program to be executed by the server apparatus in a client/server type distributed system in which a client apparatus supporting SIP (Session Initiation Protocol) and a server apparatus supporting SIP are connected to a network and SIP operates over UDP (User Datagram Protocol), wherein the following processing is performed in a central processing unit of the server apparatus: setting encryption information used when transmitting SIP messages to and receiving them from the client apparatus; notifying the client apparatus of the encryption information for the SIP message; encrypting and transmitting the SIP message based on the encryption information when transmitting the SIP message to the client apparatus; decrypting the SIP message based on the encryption information when an encrypted SIP message is received from the client apparatus; and performing control corresponding to the decrypted content.
Another program according to the present invention is a program to be executed by the client apparatus in a client/server type distributed system in which a client apparatus supporting SIP (Session Initiation Protocol) and a server apparatus supporting SIP are connected to a network and SIP operates over UDP (User Datagram Protocol), wherein the following processing is executed in a central processing unit of the client apparatus: setting the encryption information for the SIP message received from the server apparatus; encrypting the SIP message based on the encryption information when the SIP message is transmitted to the server apparatus; decrypting the SIP message based on the encryption information when an encrypted SIP message is received from the server apparatus; and performing control corresponding to the decrypted content.
That is, the client/server type distributed system according to the present invention is a system supporting SIP (Session Initiation Protocol) that is connected to the Internet, an intranet, or a LAN (Local Area Network), and it communicates using UDP (User Datagram Protocol) as the fourth-layer protocol.
In the client/server type distributed system according to the present invention, a SIP-compliant server device has a maintenance interface connected via a LAN or a serial interface, and the encryption information (presence or absence of encryption, encryption rule, and encryption range) for realizing the SIP message encryption function when SIP messages are transmitted to and received from SIP-compliant client devices is input from the maintenance interface and set.
When transmitting and receiving SIP messages to and from a client device, the server device sets the presence or absence of encryption, the encryption rule, the encryption range, and the key of the SIP message for the connected client device by using the SIP protocol, without performing authentication such as certificate authentication; encrypts and decrypts SIP messages based on the set presence or absence of encryption, encryption rule, encryption range, and key; updates the presence or absence of encryption, the encryption rule, the encryption range, and the key arbitrarily or periodically; and operates with different encryption information settings for each connected client device.
When the client device receives from the server device an instruction containing the encryption information (presence or absence of encryption, encryption rule, encryption range, and key) for realizing the SIP message encryption function in SIP message transmission and reception, the client device sets that encryption information. When transmitting and receiving SIP messages to and from the server device, the client device sets the presence or absence of encryption, the encryption rule, the encryption range, and the key of the SIP message using the SIP protocol, without performing authentication such as certificate authentication with the connected server device; encrypts and decrypts SIP messages based on the set presence or absence of encryption, encryption rule, encryption range, and key; and updates the presence or absence of encryption, the encryption rule, the encryption range, and the key.
Thus, in the client/server type distributed system of the present invention, a certificate authentication function for key distribution is not required, maintenance or management of a certificate is not required, and an authentication server does not need to be provided in the system, thereby realizing a low-cost cryptographic security function.
In the client/server type distributed system according to the present invention, the encryption range of the SIP message is variable, so that encryption can be performed even in a network configuration in which a SIP-NAT (Network Address Translator) or the like exists in the network, and the encryption security function can be enhanced.
Further, in the client/server type distributed system according to the present invention, UDP is used as the fourth-layer protocol, so that the encryption security function can be realized without impairing the real-time performance that is important in VoIP (Voice over Internet Protocol) communication.
Further, in the client/server type distributed system according to the present invention, it is possible to update the encryption information (the presence or absence of the encryption, the encryption rule, and the encryption range) other than the key, to set the encryption information for each device, and to automatically update the encryption information arbitrarily or periodically, thereby preventing the encryption state from being estimated and enhancing the encryption security function.
Effects of the invention
With the above configuration and operation, the present invention obtains the following effect: a certificate authentication function for distributing a key, holding or managing certificates, installing an authentication server in the system, and the like are not required, and a low-cost cryptographic security function can be realized.
Drawings
Fig. 1 is a block diagram showing a configuration of a client/server type distributed system corresponding to the SIP protocol according to the first embodiment of the present invention.
Fig. 2 is a sequence diagram showing the operation of the client/server type distributed system according to the first embodiment of the present invention.
Fig. 3 is a sequence diagram showing the operation of the client/server type distributed system according to the first embodiment of the present invention.
Fig. 4 is a sequence diagram showing the operation of the client/server type distributed system according to the first embodiment of the present invention.
Fig. 5 is a sequence diagram showing the operation of the client/server type distributed system according to the second embodiment of the present invention.
Fig. 6 is a sequence diagram showing the operation of the client/server type distributed system according to the second embodiment of the present invention.
Fig. 7 is a sequence diagram showing the operation of the client/server type distributed system according to the second embodiment of the present invention.
Fig. 8 is a block diagram showing the configuration of a client/server type distributed system of a third embodiment of the present invention.
Fig. 9 is a sequence diagram showing the operation of the client/server type distributed system according to the third embodiment of the present invention.
Fig. 10 is a sequence diagram showing the operation of the client/server type distributed system according to the third embodiment of the present invention.
Fig. 11 is a diagram showing an example of the encryption range in the third embodiment of the present invention.
Fig. 12 is a diagram showing an example of the encryption range in the third embodiment of the present invention.
Fig. 13 is a block diagram showing the configuration of a client/server type distributed system according to a fourth embodiment of the present invention.
Fig. 14 is a sequence diagram showing the operation of the client/server type distributed system according to the fourth embodiment of the present invention.
Fig. 15 is a sequence diagram showing the operation of the client/server type distributed system according to the fourth embodiment of the present invention.
Fig. 16 is a sequence diagram showing the operation of the client/server type distributed system according to the fourth embodiment of the present invention.
Fig. 17 is a sequence diagram showing an operation of a client/server type distributed system according to a fifth embodiment of the present invention.
Fig. 18 is a sequence diagram showing an operation of a client/server type distributed system according to a fifth embodiment of the present invention.
Fig. 19 is a sequence diagram showing an operation of a client/server type distributed system according to a fifth embodiment of the present invention.
Fig. 20 is a sequence diagram showing an operation of a client/server type distributed system according to a sixth embodiment of the present invention.
Fig. 21 is a sequence diagram showing the operation of a client/server type distributed system according to a sixth embodiment of the present invention.
Fig. 22 is a sequence diagram showing an operation of a client/server type distributed system according to a sixth embodiment of the present invention.
Fig. 23 is a sequence diagram showing the operation of the client/server type distributed system according to the seventh embodiment of the present invention.
Fig. 24 is a sequence diagram showing the operation of the client/server type distributed system according to the seventh embodiment of the present invention.
Fig. 25 is a sequence diagram showing the operation of the client/server type distributed system according to the seventh embodiment of the present invention.
Fig. 26 is a sequence diagram showing an operation of the client/server type distributed system according to the eighth embodiment of the present invention.
Fig. 27 is a sequence diagram showing an operation of a client/server type distributed system according to the eighth embodiment of the present invention.
Fig. 28 is a sequence diagram showing an operation of the client/server type distributed system according to the eighth embodiment of the present invention.
Fig. 29 is a sequence diagram showing the operation of the client/server type distributed system according to the ninth embodiment of the present invention.
Fig. 30 is a sequence diagram showing the operation of the client/server type distributed system according to the ninth embodiment of the present invention.
Fig. 31 is a sequence diagram showing the operation of the client/server type distributed system according to the ninth embodiment of the present invention.
Fig. 32 is a sequence diagram showing an operation of a client/server type distributed system according to a tenth embodiment of the present invention.
Fig. 33 is a sequence diagram showing an operation of a client/server type distributed system according to a tenth embodiment of the present invention.
Fig. 34 is a sequence diagram showing an operation of a client/server type distributed system according to a tenth embodiment of the present invention.
Fig. 35 is a block diagram showing the configuration of a client/server type distributed system of the eleventh embodiment of the present invention.
Fig. 36 is a sequence diagram showing an operation of the client/server type distributed system according to the eleventh embodiment of the present invention.
Fig. 37 is a sequence diagram showing the operation of the client/server type distributed system according to the eleventh embodiment of the present invention.
Fig. 38 is a sequence diagram showing the operation of the client/server type distributed system according to the eleventh embodiment of the present invention.
Fig. 39 is a sequence diagram showing the operation of the client/server type distributed system according to the eleventh embodiment of the present invention.
Fig. 40 is a block diagram showing the configuration of a client/server type distributed system according to a twelfth embodiment of the present invention.
Fig. 41 is a sequence diagram showing the operation of the client/server type distributed system according to the twelfth embodiment of the present invention.
Fig. 42 is a sequence diagram showing an operation of a client/server type distributed system according to a twelfth embodiment of the present invention.
Fig. 43 is a sequence diagram showing an operation of a client/server type distributed system according to a twelfth embodiment of the present invention.
Fig. 44 is a sequence diagram showing an operation of the client/server type distributed system according to the twelfth embodiment of the present invention.
Fig. 45 is a flowchart showing operations of a server apparatus and a client apparatus according to a thirteenth embodiment of the present invention.
Fig. 46 is a sequence diagram showing an operation of a client/server type distributed system according to a fourteenth embodiment of the present invention.
Fig. 47 is a sequence diagram showing an operation of a client/server type distributed system according to the fourteenth embodiment of the present invention.
Fig. 48 is a sequence diagram showing the operation of the client/server type distributed system according to the fifteenth embodiment of the present invention.
Fig. 49 is a sequence diagram showing an operation of a client/server type distributed system according to a fifteenth embodiment of the present invention.
Fig. 50 is a sequence diagram showing the operation of the client/server type distributed system according to the sixteenth embodiment of the present invention.
Fig. 51 is a sequence diagram showing the operation of the client/server type distributed system according to the sixteenth embodiment of the present invention.
Fig. 52 is a sequence diagram showing the operation of the client/server type distributed system according to the sixteenth embodiment of the present invention.
Fig. 53 is a sequence diagram showing an operation of the client/server type distributed system according to the sixteenth embodiment of the present invention.
Fig. 54 is a sequence diagram showing the operation of the client/server type distributed system according to the sixteenth embodiment of the present invention.
Fig. 55 is a sequence diagram showing the operation of a client/server type distributed system according to the seventeenth embodiment of the present invention.
Fig. 56 is a sequence diagram showing the operation of a client/server type distributed system according to the seventeenth embodiment of the present invention.
Fig. 57 is a sequence diagram showing the operation of a client/server type distributed system according to the seventeenth embodiment of the present invention.
Fig. 58 is a sequence diagram showing the operation of a client/server type distributed system according to the seventeenth embodiment of the present invention.
Fig. 59 is a sequence diagram showing the operation of a client/server type distributed system according to the seventeenth embodiment of the present invention.
Fig. 60 is a sequence diagram showing the operation of a client/server type distributed system according to a seventeenth embodiment of the present invention.
Fig. 61 is a block diagram showing the configuration of a client/server type distributed system of an eighteenth embodiment of the present invention.
Fig. 62 is a sequence diagram showing an operation of a client/server type distributed system according to an eighteenth embodiment of the present invention.
Fig. 63 is a sequence diagram showing the operation of a client/server type distributed system according to the eighteenth embodiment of the present invention.
Fig. 64 is a block diagram showing a configuration of a server apparatus according to a nineteenth embodiment of the present invention.
Fig. 65 is a sequence diagram showing an operation of the server apparatus according to the nineteenth embodiment of the present invention.
Fig. 66 is a block diagram showing the configuration of a client/server type distributed system of a twentieth embodiment of the present invention.
Fig. 67 is a sequence diagram showing the operation of the client/server type distributed system according to the twentieth embodiment of the present invention.
Fig. 68 is a diagram showing a configuration example of the encryption information table of Fig. 66.
Fig. 69 is a block diagram showing the configuration of a client/server type distributed system of a twenty-first embodiment of the present invention.
Fig. 70 is a sequence diagram showing the operation of a client/server type distributed system according to a twenty-first embodiment of the present invention.
Fig. 71 is a sequence diagram showing the operation of a client/server type distributed system according to a twenty-first embodiment of the present invention.
Fig. 72 is a block diagram showing the configuration of a client/server type distributed system of a twenty-second embodiment of the present invention.
Fig. 73 is a sequence diagram showing the operation of the client/server type distributed system according to the twenty-second embodiment of the present invention.
Fig. 74 is a sequence diagram showing the operation of the client/server type distributed system according to the twenty-second embodiment of the present invention.
Fig. 75 is a block diagram showing the configuration of a client/server type distributed system of a twenty-third embodiment of the present invention.
Fig. 76 is a sequence diagram showing the operation of the client/server type distributed system according to the twenty-third embodiment of the present invention.
Fig. 77 is a sequence diagram showing the operation of the client/server type distributed system according to the twenty-third embodiment of the present invention.
Fig. 78 is a sequence diagram showing the operation of the client/server type distributed system according to the twenty-fourth embodiment of the present invention.
Detailed Description
Next, an embodiment of the present invention will be described with reference to the drawings.
First embodiment
Fig. 1 is a block diagram showing a configuration of a client/server type distributed system supporting SIP (Session Initiation Protocol) according to the first embodiment of the present invention. In Fig. 1, the client/server type distributed system of the first embodiment of the present invention is constituted by: a SIP-compliant server device (hereinafter referred to as a server device) 1, a local maintenance console 2, SIP-compliant client devices (hereinafter referred to as client devices) 3-1 to 3-3, and a maintenance console 4. Further, the server apparatus 1, the client apparatuses 3-1 to 3-3, and the maintenance console 4 are each connected to a LAN (Local Area Network) 100.
The server apparatus 1 includes at least an encryption information setting unit 11, an encryption information input interface unit 12, an SIP interface unit 13, an SIP message creation unit 14, an SIP message analysis unit 15, an SIP message encryption/decryption unit 16, and a call control unit 17, and the local maintenance console 2 is connected to the server apparatus 1 via a serial cable or the like. The local maintenance console 2 is a device temporarily installed during a process of the server device 1 or the like, and may not be connected during operation.
In the server apparatus 1, the encryption information setting unit 11, the encryption information input interface unit 12, the SIP interface unit 13, the SIP message creation unit 14, the SIP message analysis unit 15, the SIP message encryption/decryption unit 16, and the call control unit 17 may be realized by executing programs by a CPU (central processing unit) (not shown).
The client apparatus 3-1 includes at least an encryption information setting unit 31, an SIP interface unit 33, an SIP message creation unit 34, an SIP message analysis unit 35, an SIP message encryption/decryption unit 36, and a call control unit 37. In the client apparatus 3-1, the encryption information setting unit 31, the SIP interface unit 33, the SIP message creating unit 34, the SIP message analyzing unit 35, the SIP message encrypting/decrypting unit 36, and the call control unit 37 may be realized by executing programs by a CPU (not shown). Further, the client apparatuses 3-2 and 3-3 have the same configuration as the client apparatus 3-1.
With the above-described configuration of the server device 1 and the client devices 3-1 to 3-3, the security of SIP message control on an IP (Internet Protocol) network can be enhanced by encrypting the SIP messages exchanged between the server device 1 and the client devices 3-1 to 3-3.
Figs. 2 to 4 are sequence diagrams showing the operation of the client/server type distributed system according to the first embodiment of the present invention. The operation of the client/server type distributed system according to the first embodiment of the present invention will be described with reference to Figs. 1 to 4. The processing of the server apparatus 1 and the processing of the client apparatus 3-1 shown in Figs. 2 to 4 can be realized by the CPU of each of the server apparatus 1 and the client apparatus 3-1 executing a program.
When the presence or absence of SIP message encryption and, where encryption is used, the encryption rule and encryption range to be applied to SIP message transmission/reception with the client apparatus 3-1 are input in advance from the local maintenance console 2 connected to the server apparatus 1 (a11 in Fig. 2), the encryption information input interface unit 12 receives a setting request including this information and, when the normality of the setting request can be confirmed, passes the information to the encryption information setting unit 11. The encryption information setting unit 11 stores the information including the key (hereinafter, the information group including the key is referred to as encryption information) (a21 in Fig. 2).
The encryption information setting unit 11 of the server apparatus 1 instructs the SIP message creation unit 14 to create a SIP request message including the encryption information (a22 in Fig. 2). The SIP message creation unit 14 creates a SIP request message in accordance with the instruction, and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (a23 in Fig. 2).
The SIP interface unit 33 of the client apparatus 3-1 receives the SIP request message including the encryption information and transfers it to the SIP message analysis unit 35; when the SIP message analysis unit 35 can confirm the normality of the encryption information, the encryption information is passed to the encryption information setting unit 31. The encryption information setting unit 31 stores the encryption information, sets it in the SIP message encryption/decryption unit 36 (a41 in Fig. 2), and, after the setting is completed, instructs the SIP message creation unit 34 to create a SIP response message notifying that the encryption information setting is completed (a42 in Fig. 2). The SIP message creation unit 34 creates the SIP response message based on the instruction, and transmits the created SIP response message to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (a43 in Fig. 2).
When receiving the SIP response message notifying the completion of the setting of the password information, the SIP interface unit 13 of the server apparatus 1 transmits the received SIP response message to the SIP message analyzing unit 15. The SIP message analyzer 15 transmits a notification of the completion of the setting of the password information on the client device 3-1 side to the password information setting unit 11, and the password information setting unit 11 recognizes the completion of the setting of the password information, instructs the SIP message encryption/decryption unit 16 to set the password information (a 24 in fig. 2), and transmits the completion of the setting from the password information input interface unit 12 to the local maintenance console 2 (a 25 in fig. 2). The local maintenance console 2 displays that password information setting is completed (a 13 of fig. 2).
When a transmission request for transmitting a SIP request message to the client device 3-1 is generated in the server device 1 after the encryption information is set in the SIP message encryption/decryption unit 16 (a 27 in fig. 2), the SIP message creation unit 14 creates a SIP request message and encrypts the created SIP request message in the SIP message encryption/decryption unit 16 using the encryption information (a 28 and a29 in fig. 2). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (a 30 in fig. 3).
When the SIP interface unit 33 receives the encrypted SIP request message from the server apparatus 1 after the encryption information is set in the SIP message encryption/decryption unit 36, the SIP interface unit 33 transfers the received SIP message to the SIP message encryption/decryption unit 36. The SIP message encrypting/decrypting section 36 decrypts the SIP request message using the currently set encryption information (a 44 in fig. 3).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (a 45 in fig. 3). Based on the call control result, the call controller 37 instructs the SIP message generator 34 to generate an SIP response message (a 46 in fig. 3). The SIP response message generated by the SIP message generator 34 is encrypted by the SIP message encryptor/decryptor 36 using the currently set encryption information (a 47 in fig. 3), and is transmitted to the SIP interface 13 of the server apparatus 1 via the SIP interface 33 (a 48 in fig. 3).
When receiving the encrypted SIP response message, the SIP interface 13 of the server apparatus 1 transfers the received SIP response message to the SIP message encryption/decryption unit 16, and the SIP message encryption/decryption unit 16 decrypts the SIP response message using the currently set encryption information (a 31 in fig. 3), analyzes the decrypted SIP response message in the SIP message analysis unit 15, and performs call control by the call control unit 17 based on the content of the message (a 32 in fig. 3).
Conversely, when a transmission request to transmit the SIP request message to the server apparatus 1 occurs in the client apparatus 3-1 (a 49 in fig. 3), the SIP message creating unit 34 creates the SIP request message and encrypts the created SIP request message by the SIP message encrypting/decrypting unit 36 using the encryption information (a 50 and a51 in fig. 3). The encrypted SIP request message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (a 52 in fig. 3).
When the SIP interface unit 13 receives the encrypted SIP request message from the client device 3-1, the SIP interface unit 13 transfers the received SIP message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 decrypts the SIP request message using the currently set encryption information (a 33 in fig. 3).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (a 34 in fig. 3). Based on the call control result, the call controller 17 instructs the SIP message generator 14 to generate an SIP response message (a 35 in fig. 4). The SIP message creating unit 14 creates a SIP response message, and encrypts the created SIP response message by the SIP message encrypting/decrypting unit 16 using the currently set encryption information (a 36 in fig. 4). The encrypted SIP response message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (a 37 in fig. 4).
When receiving the encrypted SIP response message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP response message to the SIP message encrypting/decrypting section 36. The SIP message encrypting/decrypting section 36 decrypts the SIP response message using the currently set encryption information (a 53 in fig. 4). The decrypted SIP response message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (a 54 in fig. 4).
In this way, in the present embodiment, the SIP message is encrypted based on encryption information set arbitrarily by the system maintainer, so that security on the IP network can be enhanced. In addition, the system maintainer can distribute the encryption information used for encrypting and decrypting SIP messages to the client devices 3-1 to 3-3 via the maintenance interface of the server device 1, so that the encryption settings for the entire system can be made collectively from one place, which simplifies maintenance work and reduces maintenance steps.
As a security system in conventional SIP, SSL/TLS (Secure Sockets Layer/Transport Layer Security) is generally used. In the present embodiment, however, neither distribution of a certificate to each device, nor a certificate management function, nor certificate authentication by an authentication server is necessary, so the cryptographic function can be realized in a simpler flow than with the SSL/TLS method. Because UDP (User Datagram Protocol) is used as the layer-4 protocol, real-time performance can be secured while security is improved. The operation of the client devices 3-2 and 3-3 is not described, but the same effect as that obtained when the client device 3-1 is used can be obtained.
Second embodiment
Fig. 5 to 7 are sequence diagrams showing the operation of the client/server type distributed system according to the second embodiment of the present invention. The client/server type distributed system according to the second embodiment of the present invention has the same configuration as the client/server type distributed system according to the first embodiment of the present invention shown in fig. 1, and therefore, the description of the configuration thereof will be omitted. The operation of the client/server type distributed system according to the second embodiment of the present invention will be described below with reference to fig. 1 and 5 to 7. The processing of the server apparatus 1 and the processing of the client apparatus 3-1 shown in fig. 5 to 7 can be realized by the respective CPUs of the server apparatus 1 and the client apparatus 3-1 executing programs.
When the presence or absence of SIP message encryption and, where encryption is present, the encryption rule and the encryption range to be used for SIP messaging with the client apparatus 3-1 are input in advance from the maintenance console 4 connected to the server apparatus 1 via the LAN 100 (b 11 in fig. 5), the encryption information input interface section 12 receives a setting request including the information (b 12 in fig. 5) and, when the normality of the information can be confirmed, transmits the information to the encryption information setting section 11. The password information setting section 11 stores the information including the key (hereinafter, the information group including the key is referred to as password information) (b 21 of fig. 5).
The encryption information setting unit 11 of the server apparatus 1 instructs the SIP message generation unit 14 to generate an SIP request message including the encryption information (b 22 in fig. 5). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (b 23 in fig. 5).
When the SIP interface unit 33 of the client device 3-1 receives the SIP request message including the password information, the received SIP request message is transferred to the SIP message analyzer 35. When the SIP message analysis unit 35 can confirm the normality of the encryption information, it passes the encryption information to the encryption information setting unit 31. The cipher information setting unit 31 stores the cipher information, sets the cipher information in the SIP message encryption/decryption unit 36 (b 41 in fig. 5), and instructs the SIP message generation unit 34 to generate a SIP response message notifying that the cipher information setting is completed (b 42 in fig. 5) after the setting is completed. The SIP message creation unit 34 creates a SIP response message and transmits the created SIP response message to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (b 43 in fig. 5).
When receiving the SIP response message notifying the completion of the setting of the password information, the SIP interface unit 13 of the server apparatus 1 transmits the received SIP response message to the SIP message analyzing unit 15. The SIP message analyzer 15 transmits a notification of the completion of the setting of the password information on the client device 3-1 side to the password information setting unit 11, and the password information setting unit 11 recognizes the completion of the setting of the password information, instructs the SIP message encryptor/decryptor 16 to set the password information (b 24 in fig. 5), and transmits the completion of the setting from the password information input interface unit 12 to the maintenance console 4 (b 25 in fig. 5). The maintenance console 4 displays that password information setting is completed (b 13 of fig. 5).
In fig. 5 to 7, the operations after the end of the setting of the password information to the server apparatus 1 and the client apparatus 3-1, that is, the processing operations of b26 to b29 in fig. 5, b30 to b34, b44 to b52 in fig. 6, and b35 to b37, b53, and b54 in fig. 7 are the same as those in the first embodiment of the present invention shown in fig. 2 to 4, and therefore, the description thereof will be omitted.
Therefore, in the present embodiment, the server apparatus 1 can be set using both the local maintenance console 2 connected thereto by a serial cable or the like through the password information input interface section 12 and the maintenance console 4 connected thereto by a LAN interface, and can ensure simplicity of maintenance. Although the operation of the client devices 3-2 and 3-3 is not described, the same effect as that obtained when the client device 3-1 is used can be obtained.
Third embodiment
Fig. 8 is a block diagram showing the configuration of a client/server type distributed system of a third embodiment of the present invention. In fig. 8, the client/server type distributed system according to the third embodiment of the present invention is the same as the client/server type distributed system according to the first embodiment of the present invention shown in fig. 1 except for the password information input interface section 12a of the server apparatus 1a, the local maintenance console 2 connected to the server apparatus 1a, and the maintenance console 4 connected to the LAN 100, and the same components are denoted by the same reference numerals.
In the client/server type distributed system according to the third embodiment of the present invention, the encryption information has already been set in the SIP message encrypting/decrypting section 16 of the server apparatus 1a and in the SIP message encrypting/decrypting section 36 of the client apparatus 3-1.
By implementing the above configuration, in the present embodiment, when communication is performed between the server apparatus 1a and the client apparatus 3-1, an arbitrary range of the SIP message is encrypted, and security of SIP message control on the IP network can be enhanced.
Fig. 9 and 10 are sequence diagrams showing the operation of the client/server type distributed system according to the third embodiment of the present invention. The operation of the client/server type distributed system according to the third embodiment of the present invention will be described with reference to fig. 8 to 10. The processing of the server device 1a and the processing of the client device 3-1 shown in fig. 9 and 10 can be realized by the CPU of each of the server device 1a and the client device 3-1 executing a program.
When a transmission request for transmitting a SIP request message to the client device 3-1 occurs in the server device 1a (c 11 in fig. 9) in a state where the encryption information is set in the SIP message encryption/decryption unit 16 in the server device 1a and the SIP message encryption/decryption unit 36 in the client device 3-1 (c 10 in fig. 9), the SIP message creation unit 14 creates a SIP request message and encrypts the created SIP request message by the SIP message encryption/decryption unit 16 using the encryption information in accordance with the designation of the encryption range (c 12 and c13 in fig. 9). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (c 14 in fig. 9).
When receiving the SIP request message in which the set encryption range is encrypted from the server apparatus 1a, the SIP interface 33 transfers the received SIP message to the SIP message encrypting/decrypting unit 36. The SIP message encrypting/decrypting section 36 decrypts the SIP request message according to the designation of the encryption range, using the encryption information currently set (c 31 in fig. 9).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (c 32 in fig. 9). Based on the call control result, the call controller 37 instructs the SIP message generator 34 to generate an SIP response message (c 33 in fig. 9). The SIP message creation unit 34 creates a SIP response message, and the SIP message encryption/decryption unit 36 encrypts the created SIP response message with the currently set encryption information according to the specification of the encryption range (c 34 in fig. 9). The encrypted SIP response message is transmitted to the SIP interface 13 of the server apparatus 1a via the SIP interface 33 (c 35 in fig. 9).
When receiving the encrypted SIP response message, the SIP interface unit 13 of the server apparatus 1a passes the received SIP response message to the SIP message encrypting/decrypting unit 16. The SIP message encrypting/decrypting section 16 decrypts the SIP response message in accordance with the designation of the encryption range, using the encryption information currently set (c 15 in fig. 9). The decrypted SIP response message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (c 16 in fig. 9).
Conversely, when a transmission request to transmit the SIP request message to the server device 1a occurs in the client device 3-1 (c 36 in fig. 10), the SIP message creation unit 34 creates the SIP request message, and encrypts the created SIP request message by the SIP message encryption/decryption unit 36 using the encryption information in accordance with the specification of the encryption range (c 37, c38 in fig. 10). The encrypted SIP request message is transmitted to the SIP interface 13 of the server apparatus 1a via the SIP interface 33 (c 39 in fig. 10).
When receiving the SIP request message in which the set encryption range is encrypted from the client apparatus 3-1, the SIP interface unit 13 transfers the received SIP message to the SIP message encrypting/decrypting unit 16. The SIP message encrypting/decrypting section 16 decrypts the SIP request message according to the designation of the encryption range, using the encryption information set at present (c 17 in fig. 10).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (c 18 in fig. 10). Based on the call control result, the call controller 17 instructs the SIP message generator 14 to generate an SIP response message (c 19 in fig. 10). The SIP message creating unit 14 creates a SIP response message, and the SIP message encrypting/decrypting unit 16 encrypts the created SIP response message according to the designation of the encryption range by using the currently set encryption information (c 20 in fig. 10). The encrypted SIP response message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (c 21 in fig. 10).
When receiving the encrypted SIP response message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP response message to the SIP message encrypting/decrypting section 36. The SIP message encrypting/decrypting section 36 decrypts the SIP response message according to the designation of the encryption range, using the currently set encryption information. The decrypted SIP response message is analyzed by the SIP message analyzer 35 (c 40 in fig. 10), and the call controller 37 performs call control based on the content of the message (c 41 in fig. 10).
In the present embodiment, by the above-described operation, when the server apparatus 1a and the client apparatus 3-1 communicate with each other, an arbitrary range of the SIP message is encrypted, thereby enhancing the security of SIP message control on the IP network. An example of the set password range will be described below.
Fig. 11 and 12 are diagrams showing examples of the password range in the third embodiment of the present invention. Fig. 11 shows an example of a cipher range for encrypting the whole SIP message. In fig. 11, the hatched portion is the encrypted data range. With this cipher range, both the SIP header A2 and the SDP (Session Description Protocol) data A3 of the SIP message are encrypted, so that security against eavesdropping or data tampering when the SIP message flows over the IP network can be enhanced.
Fig. 12 is an example of a cipher range for encrypting any portion of a SIP message. The shaded portion in fig. 12 is the encrypted data range. With this encryption range, only an arbitrary range of the SIP message (only the SDP data B4) is encrypted, while the SIP header B2 and the SDP data B3 and B5 are left unencrypted so that the message remains operable via a network device such as an SIP-NAT. Depending on the selection state of the encryption range, the important data portions that need to be encrypted can be encrypted and transmitted and received, so that both encryption security and network functionality can be enhanced.
As described above, in the present embodiment, when the entire SIP message, including the SIP header and the SDP data, is encrypted, it is possible to achieve strong cryptographic security against eavesdropping and data falsification during communication over an IP network. When only part of the SIP message is encrypted, the SIP header or SDP data is left unencrypted according to the selection state of the encryption range so that the message remains operable via a network device such as SIP-NAT, while the important data to be encrypted can be partially encrypted and transmitted and received, so that both encryption security and network functionality can be enhanced.
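The two encryption ranges of fig. 11 and fig. 12, as an added Python example that is not code from the patent. Assumptions: the patent names no cipher, so an encrypt-then-MAC construction built from HMAC-SHA256 stands in for it; the `ENC:` wire marker, the choice of the SDP `k=` line as the partial range, the `sip_nat` model, the sample message and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

CRLF = "\r\n"
MARK = "ENC:"  # constructed marker for an encrypted span; not defined by the patent
NAT_FIELDS = ("Via:", "Contact:", "o=", "c=")  # fields the modelled SIP-NAT rewrites

# Constructed sample INVITE (private inside address, no Content-Length header).
SAMPLE = CRLF.join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bKconstructed",
    "From: <sip:alice@example.com>;tag=1",
    "To: <sip:bob@example.com>",
    "Call-ID: constructed-1@192.168.1.10",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.1.10:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.168.1.10",
    "s=-",
    "c=IN IP4 192.168.1.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "k=clear:constructed-media-key",
])

def _subkey(key, label):
    # Separate encryption and MAC keys derived from the one shared key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as the keystream (stand-in for a real cipher).
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (off // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(d ^ p for d, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    """Encrypt-then-MAC; returns base64(nonce || ciphertext || tag)."""
    nonce = os.urandom(16)
    body = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return base64.b64encode(nonce + body + tag).decode("ascii")

def unseal(key, token):
    """Verify the tag before decrypting; raises ValueError on any mismatch."""
    raw = base64.b64decode(token, validate=True)
    if len(raw) < 48:
        raise ValueError("token too short")
    nonce, body, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor_stream(_subkey(key, b"enc"), nonce, body)

def protect(message, key, cipher_range):
    """cipher_range is "whole" (fig. 11) or a set of SDP line types (fig. 12)."""
    if cipher_range == "whole":
        return MARK + seal(key, message.encode())
    header, sep, sdp = message.partition(CRLF + CRLF)
    out = []
    for line in sdp.split(CRLF):
        if line[1:2] == "=" and line[0] in cipher_range:
            line = line[:2] + MARK + seal(key, line[2:].encode())
        out.append(line)
    return header + sep + CRLF.join(out)

def unprotect(wire, key, cipher_range):
    """Receiver side: anything inside the configured range must arrive encrypted."""
    if cipher_range == "whole":
        if not wire.startswith(MARK):
            raise ValueError("message arrived unencrypted")
        return unseal(key, wire[len(MARK):]).decode()
    header, sep, sdp = wire.partition(CRLF + CRLF)
    out = []
    for line in sdp.split(CRLF):
        if line[1:2] == "=" and line[0] in cipher_range:
            if not line[2:].startswith(MARK):
                raise ValueError("line in the encryption range arrived unencrypted")
            line = line[:2] + unseal(key, line[2 + len(MARK):]).decode()
        out.append(line)
    return header + sep + CRLF.join(out)

def sip_nat(wire, inside, outside):
    """Model of a SIP-NAT: returns None when it cannot read the start line."""
    lines = wire.split(CRLF)
    if "SIP/2.0" not in lines[0]:
        return None
    return CRLF.join(l.replace(inside, outside) if l.startswith(NAT_FIELDS) else l
                     for l in lines)
```

With the range set to the `k=` line, the modelled SIP-NAT still rewrites the `Via`, `Contact`, `o=` and `c=` fields and the receiver recovers the key line; with the range set to `"whole"`, the same device gets an opaque blob and returns `None`.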
Further, the effect of the SIP message encryption function of the present embodiment is the same as that of the first and second embodiments of the present invention described above. Although the operation of the client devices 3-2 and 3-3 is not described, the same effect as that obtained when the client device 3-1 is used can be obtained.
Fourth embodiment
Fig. 13 is a block diagram showing the configuration of a client/server type distributed system according to a fourth embodiment of the present invention. In fig. 13, the client/server type distributed system according to the fourth embodiment of the present invention has the same configuration as the client/server type distributed system according to the first embodiment of the present invention shown in fig. 1 except for the maintenance console 4 connected to the LAN 100, and the same constituent elements are denoted by the same reference numerals.
In the present embodiment, by implementing the above configuration, the security of SIP message control on the IP network can be enhanced by encrypting the SIP message at the time of communication between the server apparatus 1 and the client apparatus 3-1.
Fig. 14 to 16 are sequence diagrams showing the operation of the client/server type distributed system according to the fourth embodiment of the present invention. The operation of the client/server type distributed system according to the fourth embodiment of the present invention will be described with reference to fig. 13 to 16. The processing of the server apparatus 1 and the processing of the client apparatus 3-1 shown in fig. 14 to 16 can be realized by the respective CPUs of the server apparatus 1 and the client apparatus 3-1 executing programs.
When the password range of the SIP message is input in advance from the local maintenance console 2 connected to the server apparatus 1 when the SIP message is transmitted and received to and from the client apparatus 3-1 (d 11 in fig. 14), the password information input interface section 12 receives a setting request including the password range (d 12 in fig. 14), and when the normality of the setting request can be confirmed, transmits the password range to the password information setting section 11. The password information setting unit 11 stores the password range (d 21 in fig. 14).
The encryption information setting unit 11 of the server apparatus 1 instructs the SIP message generating unit 14 to generate an SIP request message including the encryption range (d 22 in fig. 14). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (d 23 in fig. 14).
When the SIP interface unit 33 of the client apparatus 3-1 receives the SIP request message including the password range, the received SIP request message is transferred to the SIP message analyzer 35. When the SIP message analysis unit 35 can confirm the normality of the encryption range, it passes the encryption range to the encryption information setting unit 31. The encryption information setting unit 31 stores the encryption range, sets the encryption range in the SIP message encryption/decryption unit 36 (d 41 in fig. 14), and instructs the SIP message generation unit 34 to generate a SIP response message notifying that the encryption range is set (d 42 in fig. 14) after the setting is completed. The SIP message creation unit 34 creates a SIP response message and transmits the created SIP response message to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (d 43 in fig. 14).
When receiving the SIP response message notifying the completion of the setting of the encryption range, the SIP interface 13 of the server apparatus 1 transmits the received SIP response message to the SIP message analyzer 15. The SIP message analyzer 15 transmits a notification of completion of setting of the password range on the client device 3-1 side to the password information setting unit 11, and the password information setting unit 11 recognizes completion of setting of the password range, instructs the SIP message encryptor/decryptor 16 to set the password range (d 24 in fig. 14), and transmits the completion of setting from the password information input interface unit 12 to the local maintenance console 2 (d 25 in fig. 14). The local maintenance console 2 displays that password range setting is completed (d 13 of fig. 14).
When a transmission request for transmitting the SIP request message to the client apparatus 3 is generated in the server apparatus 1 after the encryption range is set in the SIP message encryption/decryption unit 16 (d 27 in fig. 14), the SIP message generation unit 14 generates the SIP request message and passes the generated SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 encrypts the encryption range of the SIP request message according to the current encryption range setting (d 28, d29 in fig. 14). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3 via the SIP interface 13 (d 30 in fig. 15).
When the SIP interface unit 33 receives the encrypted SIP request message from the server apparatus 1 after the encryption range is set in the SIP message encryption/decryption unit 36, the received SIP request message is transferred to the SIP message encryption/decryption unit 36. The SIP message encrypting/decrypting unit 36 decrypts the encryption range of the SIP request message based on the current encryption range setting (d 44 in fig. 15).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (d 45 in fig. 15). In response to the call control result, the call controller 37 instructs the SIP message generator 34 to generate an SIP response message (d 46 in fig. 15). The SIP message creation unit 34 creates a SIP response message, and encrypts the created SIP response message by the SIP message encryption/decryption unit 36 according to the current encryption range setting, with respect to the encryption range of the SIP response message (d 47 in fig. 15). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (d 48 in fig. 15).
When receiving the encrypted SIP response message, the SIP interface section 13 of the server apparatus 1 transfers the received SIP response message to the SIP message encrypting/decrypting section 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP response message based on the currently set encryption range setting (d 31 in fig. 15). The decrypted SIP response message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (d 32 in fig. 15).
Conversely, when a transmission request to transmit the SIP request message to the server apparatus 1 occurs in the client apparatus 3 (d 49 in fig. 15), the SIP message creating unit 34 creates the SIP request message, and encrypts the created SIP request message by the SIP message encrypting/decrypting unit 36 in accordance with the current encryption range setting, with respect to the encryption range of the SIP request message (d 50 and d51 in fig. 15). The encrypted SIP request message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (d 52 in fig. 15).
When receiving the encrypted SIP request message from the client apparatus 3, the SIP interface unit 13 transfers the received SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP request message based on the current encryption range setting (d 33 in fig. 15).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (d 34 in fig. 15). In response to the call control result, the call controller 17 instructs the SIP message generator 14 to generate an SIP response message (d 35 in fig. 16). The SIP message creation unit 14 creates a SIP response message, and encrypts the created SIP response message by the SIP message encryption/decryption unit 16 according to the current encryption range setting, with respect to the encryption range of the SIP response message (d 36 in fig. 16). The encrypted SIP response message is transmitted to the SIP interface 33 of the client apparatus 3 via the SIP interface 13 (d 37 in fig. 16).
When receiving the encrypted SIP response message, the SIP interface section 33 of the client apparatus 3 transfers the received SIP response message to the SIP message encrypting/decrypting section 36. The SIP message encrypting/decrypting unit 36 decrypts the encryption range of the SIP response message based on the current encryption range setting (d 53 in fig. 16). The decrypted SIP response message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (d 54 in fig. 16).
As described above, in the present embodiment, in the system supporting both the system of encrypting the entire SIP message and the system of encrypting any part of the SIP message with respect to the encryption range of the SIP message, the local maintenance console 2 can arbitrarily select the encryption range, and therefore, it is possible to satisfy both the encryption security and the network functionality in the system in which the network device such as the SIP-NAT exists, and to select and realize the security level most suitable for the current network configuration.
In the present embodiment, since the server device 1 sets the password information for the client devices 3-1 to 3-3, system uniformity and ease of management by the maintainer can be achieved. Further, in this embodiment, the effect of the SIP encryption function using the set encryption range information is the same as that in the first to third embodiments of the present invention described above. Although the operation of the client devices 3-2 and 3-3 is not described, the same effect as that obtained when the client device 3-1 is used can be obtained.
Fifth embodiment
Fig. 17 to 19 are sequence diagrams showing operations of a client/server type distributed system according to a fifth embodiment of the present invention. The client/server type distributed system according to the fifth embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the fourth embodiment of the present invention shown in fig. 13, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distributed system according to the fifth embodiment of the present invention will be described below with reference to fig. 13 and 17 to 19. The processing of the server apparatus 1 and the processing of the client apparatus 3-1 shown in fig. 17 to 19 can be realized by the CPU of each of the server apparatus 1 and the client apparatus 3-1 executing a program.
When the presence or absence of the password of the SIP message is input in advance from the local maintenance console 2 connected to the server apparatus 1 when the SIP message is transmitted and received to and from the client apparatus 3-1 (e 11 in fig. 17), the password information input interface section 12 receives a setting request including the presence or absence of the password (e 12 in fig. 17), and when the normality of the setting request can be confirmed, the presence or absence of the password is transmitted to the password information setting section 11. The password information setting unit 11 stores the presence or absence of the password (e 21 in fig. 17).
The encryption information setting unit 11 of the server apparatus 1 instructs the SIP message generation unit 14 to generate an SIP request message including the presence or absence of encryption (e 22 in fig. 17). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3 via the SIP interface unit 13 (e 23 in fig. 17).
When the SIP interface unit 33 of the client apparatus 3 receives the SIP request message including the presence or absence of encryption, it transfers the received SIP request message to the SIP message analysis unit 35. When the SIP message analysis unit 35 can confirm the normality of the presence or absence of encryption, it passes the presence or absence of encryption to the encryption information setting unit 31. The encryption information setting unit 31 stores the presence or absence of encryption, sets it in the SIP message encrypting/decrypting unit 36 (e 41 in fig. 17), and, after the setting is completed, instructs the SIP message creation unit 34 to generate a SIP response message notifying the completion of the setting (e 42 in fig. 17). The SIP message creation unit 34 creates a SIP response message and transmits the created SIP response message to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (e 43 in fig. 17).
When receiving the SIP response message notifying the completion of the setting, the SIP interface unit 13 of the server apparatus 1 transfers the received SIP response message to the SIP message analysis unit 15. The SIP message analysis unit 15 passes a notification that the presence or absence of encryption has been set on the client apparatus 3 side to the encryption information setting unit 11. The encryption information setting unit 11 recognizes the completion of the setting, instructs the SIP message encrypting/decrypting unit 16 to set the presence or absence of encryption (e 24 in fig. 17), and, after the setting is completed, reports the completion to the local maintenance console 2 through the encryption information input interface unit 12 (e 25 in fig. 17). The local maintenance console 2 displays that the setting of the presence or absence of encryption is completed (e 13 in fig. 17).
When a transmission request for transmitting an SIP request message to the client apparatus 3 is generated in the server apparatus 1 after the presence or absence of encryption is set in the SIP message encrypting/decrypting unit 16 (e 27 in fig. 17), the SIP message creation unit 14 creates an SIP request message and passes it to the SIP message encrypting/decrypting unit 16 (e 28 in fig. 17). According to the current presence-or-absence setting, when encryption is present (e 29 in fig. 17), the SIP message encrypting/decrypting unit 16 encrypts the SIP request message (e 30 in fig. 17). The encrypted SIP request message is transmitted to the SIP interface unit 33 of the client apparatus 3 via the SIP interface unit 13 (e 31 in fig. 18).
When the SIP interface unit 33 receives the encrypted SIP request message from the server apparatus 1 after the presence or absence of encryption is set in the SIP message encrypting/decrypting unit 36, it transfers the received SIP request message to the SIP message encrypting/decrypting unit 36. Based on the current presence-or-absence setting (e 44 in fig. 18), the SIP message encrypting/decrypting unit 36 decrypts the SIP request message when encryption is present (e 45 in fig. 18).
The decrypted SIP request message is analyzed by the SIP message analysis unit 35, and the call control unit 37 performs call control based on the content of the message (e 46 in fig. 18). In response to the call control result, the call control unit 37 instructs the SIP message creation unit 34 to generate an SIP response message (e 47 in fig. 18). The SIP message creation unit 34 creates a SIP response message and passes it to the SIP message encrypting/decrypting unit 36. Based on the current presence-or-absence setting (e 48 in fig. 18), the SIP message encrypting/decrypting unit 36 encrypts the SIP response message when encryption is present (e 49 in fig. 18). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (e 50 in fig. 18).
When receiving the encrypted SIP response message, the SIP interface unit 13 of the server apparatus 1 transfers the received SIP response message to the SIP message encrypting/decrypting unit 16. According to the current presence-or-absence setting, when encryption is present (e 32 in fig. 18), the SIP message encrypting/decrypting unit 16 decrypts the SIP response message (e 33 in fig. 18). The decrypted SIP response message is analyzed by the SIP message analysis unit 15, and the call control unit 17 performs call control based on the content of the message (e 34 in fig. 18).
Conversely, when a transmission request to transmit the SIP request message to the server apparatus 1 is generated in the client apparatus 3 (e 51 in fig. 18), the SIP message creation unit 34 creates the SIP request message and passes it to the SIP message encrypting/decrypting unit 36. Based on the current presence-or-absence setting (e 52 in fig. 18, e 53 in fig. 19), the SIP message encrypting/decrypting unit 36 encrypts the SIP request message when encryption is present (e 54 in fig. 19). The encrypted SIP request message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (e 55 in fig. 19).
When receiving the encrypted SIP request message from the client apparatus 3, the SIP interface unit 13 transfers the received SIP request message to the SIP message encrypting/decrypting unit 16. According to the current presence-or-absence setting, when encryption is present (e 35 in fig. 19), the SIP message encrypting/decrypting unit 16 decrypts the SIP request message (e 36 in fig. 19).
The decrypted SIP request message is analyzed by the SIP message analysis unit 15, and the call control unit 17 performs call control based on the content of the message (e 37 in fig. 19). Based on the call control result, the call control unit 17 instructs the SIP message creation unit 14 to generate an SIP response message (e 38 in fig. 19). The SIP message creation unit 14 creates a SIP response message and passes it to the SIP message encrypting/decrypting unit 16. According to the current presence-or-absence setting, when encryption is present (e 39 in fig. 19), the SIP message encrypting/decrypting unit 16 encrypts the SIP response message (e 3a in fig. 19). The encrypted SIP response message is transmitted to the SIP interface unit 33 of the client apparatus 3 via the SIP interface unit 13 (e 3b in fig. 19).
When receiving the encrypted SIP response message, the SIP interface unit 33 of the client apparatus 3 transfers the received SIP response message to the SIP message encrypting/decrypting unit 36. According to the current presence-or-absence setting, when encryption is present (e 56 in fig. 19), the SIP message encrypting/decrypting unit 36 decrypts the SIP response message (e 57 in fig. 19). The decrypted SIP response message is analyzed by the SIP message analysis unit 35, and the call control unit 37 performs call control based on the content of the message (e 58 in fig. 19).
As described above, in the present embodiment, the maintainer can freely set the presence or absence of encryption of SIP messages via the server apparatus 1. When encryption is set, the encryption security function on the network is realized; encryption can be turned on where it is required and off where it is unnecessary, depending on the network configuration; and encryption can easily be turned off for maintenance work such as capturing an SIP message log, which simplifies management by the maintainer.
In the present embodiment, since the server apparatus 1 sets the encryption information for the client apparatus 3-1, system integrity can be achieved. Further, in the present embodiment, because the presence or absence of encryption can be selected, compatibility with a client apparatus 3-1 that has no encryption function can be ensured.
In this embodiment, the effect of the SIP encryption function using the set presence-or-absence information is the same as that of the first and second embodiments of the present invention described above. The operation of the client devices 3-2 and 3-3 is not described, but the same effect as that obtained when the client device 3-1 is used can be obtained.
Sixth embodiment
Fig. 20 to 22 are sequence diagrams showing the operation of the client/server type distribution system according to the sixth embodiment of the present invention. The client/server type distributed system according to the sixth embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the fourth embodiment of the present invention shown in fig. 13, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distribution system according to the sixth embodiment of the present invention will be described below with reference to fig. 13 and fig. 20 to 22. The processing of the server apparatus 1 and the processing of the client apparatus 3-1 shown in fig. 20 to 22 can be realized by the respective CPUs of the server apparatus 1 and the client apparatus 3-1 executing programs.
When an encryption rule of an SIP message is input in advance from the local maintenance console 2 connected to the server apparatus 1 when an SIP message is transmitted and received to and from the client apparatus 3-1 (f 11 in fig. 20), the encryption information input interface unit 12 receives a setting request including the encryption rule (f 12 in fig. 20), and when normality of the setting request can be confirmed, transmits the encryption rule to the encryption information setting unit 11. The encryption information setting unit 11 stores the encryption rule (f 21 in fig. 20).
The encryption information setting unit 11 of the server apparatus 1 instructs the SIP message generating unit 14 to generate an SIP request message including an encryption rule (f 22 in fig. 20). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (f 23 in fig. 20).
When the SIP interface unit 33 of the client device 3-1 receives the SIP request message including the encryption rule, the received SIP request message is transferred to the SIP message analyzer 35. When the SIP message analysis unit 35 can confirm the normality of the encryption rule, it passes the encryption rule to the encryption information setting unit 31. The encryption information setting unit 31 stores the encryption rule, sets the encryption rule in the SIP message encryption/decryption unit 36 (f 41 in fig. 20), and instructs the SIP message generation unit 34 to generate a SIP response message notifying that the encryption rule setting is completed (f 42 in fig. 20) after the setting is completed. The SIP message creation unit 34 creates a SIP response message and transmits the created SIP response message to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (f 43 in fig. 20).
When receiving the SIP response message notifying the completion of the setting of the encryption rule, the SIP interface unit 13 of the server apparatus 1 transfers the received SIP response message to the SIP message analysis unit 15. The SIP message analysis unit 15 passes a notification that the encryption rule has been set on the client device 3-1 side to the encryption information setting unit 11. The encryption information setting unit 11 recognizes the completion of the setting of the encryption rule, instructs the SIP message encryption/decryption unit 16 to set the encryption rule (f 24 in fig. 20), and reports the completion of the setting to the local maintenance console 2 through the encryption information input interface unit 12 (f 25 in fig. 20). The local maintenance console 2 displays that the encryption rule setting is completed (f 13 in fig. 20).
When a transmission request for transmitting the SIP request message to the client apparatus 3 is generated in the server apparatus 1 after the encryption rule is set in the SIP message encryption/decryption unit 16 (f 27 in fig. 20), the SIP message creation unit 14 creates the SIP request message and passes the created SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 encrypts the SIP request message according to the current encryption rule setting (f 28, f29 in fig. 20). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (f 30 in fig. 21).
When the SIP interface unit 33 receives the encrypted SIP request message from the server apparatus 1 after the encryption rule is set in the SIP message encrypting/decrypting unit 36, the received SIP request message is transferred to the SIP message encrypting/decrypting unit 36. The SIP message encrypting/decrypting unit 36 decrypts the SIP request message according to the current encryption rule setting (f 44 in fig. 21).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (f 45 in fig. 21). Based on the call control result, the call controller 37 instructs the SIP message generator 34 to generate an SIP response message (f 46 in fig. 21). The SIP message creation unit 34 creates a SIP response message, and encrypts the created SIP response message by the SIP message encryption/decryption unit 36 according to the current encryption rule setting (f 47 in fig. 21). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (f 48 in fig. 21).
When receiving the encrypted SIP response message, the SIP interface section 13 of the server apparatus 1 transfers the received SIP response message to the SIP message encrypting/decrypting section 16. The SIP message encrypting/decrypting unit 16 decrypts the SIP response message according to the currently set encryption rule setting (f 31 in fig. 21). The decrypted SIP response message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (f 32 in fig. 21).
Conversely, when a transmission request to transmit the SIP request message to the server apparatus 1 occurs in the client apparatus 3-1 (f 49 in fig. 21), the SIP message creating unit 34 creates the SIP request message and encrypts the created SIP request message in the SIP message encrypting/decrypting unit 36 according to the current encryption rule setting (f 50, f51 in fig. 21). The encrypted SIP request message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (f 52 in fig. 21).
When receiving the encrypted SIP request message from the client apparatus 3-1, the SIP interface unit 13 transfers the received SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 decrypts the SIP request message based on the current encryption rule setting (f 33 in fig. 21).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (f 34 in fig. 21). Based on the call control result, the call controller 17 instructs the SIP message generator 14 to generate an SIP response message (f 35 in fig. 22). The SIP message creation unit 14 creates a SIP response message, and encrypts the created SIP response message by the SIP message encryption/decryption unit 16 according to the current encryption rule setting (f 36 in fig. 22). The encrypted SIP response message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (f 37 in fig. 22).
When the SIP interface unit 33 of the SIP protocol compliant client apparatus 3-1 receives the encrypted SIP response message, it passes the received SIP response message to the SIP message encrypting/decrypting unit 36. The SIP message encrypting/decrypting unit 36 decrypts the SIP response message according to the current encryption rule setting (f 53 in fig. 22). The decrypted SIP response message is analyzed by the SIP message analysis unit 35, and the call control unit 37 performs call control based on the content of the message (f 54 in fig. 22).
In this way, in this embodiment, encrypting the SIP message realizes the encryption security function on the network, and the encryption rule can be set differently for different network configurations, thereby enhancing encryption security. In the present embodiment, the server apparatus 1 sets the encryption rule for the client apparatus 3-1, thereby achieving system integrity.
Further, in the present embodiment, when an encryption rule operable in the system is added in the future, the new encryption rule can be used without developing an additional interface for selecting the encryption rule, so changes to the local interface are minimized and development is simplified. Further, in the present embodiment, the effect of the SIP encryption function using the set encryption rule information is the same as that in the first and second embodiments of the present invention described above. The operation of the client devices 3-2 and 3-3 is not described, but the same effect as that obtained when the client device 3-1 is used can be obtained.
Seventh embodiment
Fig. 23 to 25 are sequence diagrams showing operations of a client/server type distributed system according to a seventh embodiment of the present invention. The client/server type distributed system according to the seventh embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the fourth embodiment of the present invention shown in fig. 13, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distribution system according to the seventh embodiment of the present invention will be described below with reference to fig. 13 and 23 to 25. The processing of the server apparatus 1 and the processing of the client apparatus 3-1 shown in fig. 23 to 25 can be realized by the respective CPUs of the server apparatus 1 and the client apparatus 3-1 executing programs.
The presence or absence of encryption and the encryption range for SIP messages exchanged with the client apparatus 3-1 are input in advance from the local maintenance console 2 connected to the server apparatus 1 (g 11 in fig. 23). The encryption information input interface unit 12 receives the setting request including the presence or absence of encryption and the encryption range (g 12 in fig. 23) and, when the normality of the setting request can be confirmed, passes them to the encryption information setting unit 11. The encryption information setting unit 11 stores the presence or absence of encryption and the encryption range (g 21 in fig. 23).
The encryption information setting unit 11 of the server apparatus 1 instructs the SIP message generating unit 14 to generate an SIP request message including the presence/absence of encryption and the encryption range (g 22 in fig. 23). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (g 23 in fig. 23).
When the SIP interface unit 33 of the client apparatus 3-1 receives the SIP request message including the presence or absence of encryption and the encryption range, it transfers the received SIP request message to the SIP message analysis unit 35. When the SIP message analysis unit 35 can confirm the normality of the presence or absence of encryption and the encryption range, it passes them to the encryption information setting unit 31. The encryption information setting unit 31 stores the presence or absence of encryption and the encryption range, sets them in the SIP message encrypting/decrypting unit 36 (g 41 in fig. 23), and, after the setting is completed, instructs the SIP message creation unit 34 to generate a SIP response message notifying the completion of the setting of the presence or absence of encryption and the encryption range (g 42 in fig. 23). The SIP message creation unit 34 creates a SIP response message and transmits the created SIP response message to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (g 43 in fig. 23).
When receiving the SIP response message notifying the completion of the setting of the presence or absence of encryption and the encryption range, the SIP interface unit 13 of the server apparatus 1 transfers the received SIP response message to the SIP message analysis unit 15. The SIP message analysis unit 15 passes a notification that the presence or absence of encryption and the encryption range have been set on the client apparatus 3-1 side to the encryption information setting unit 11. The encryption information setting unit 11 recognizes the completion of the setting, instructs the SIP message encrypting/decrypting unit 16 to set the presence or absence of encryption and the encryption range (g 24 in fig. 23), and reports the completion of the setting to the local maintenance console 2 through the encryption information input interface unit 12 (g 25 in fig. 23). The local maintenance console 2 displays that the setting of the presence or absence of encryption and the encryption range is completed (g 13 in fig. 23).
When a transmission request for transmitting an SIP request message to the client device 3-1 is generated in the server device 1 after the presence or absence of encryption and the encryption range are set in the SIP message encrypting/decrypting unit 16 (g 27 in fig. 23), the SIP message creation unit 14 creates an SIP request message and passes it to the SIP message encrypting/decrypting unit 16. According to the current presence-or-absence and encryption range settings, when encryption is present (g 28, g 29 in fig. 23), the SIP message encrypting/decrypting unit 16 encrypts the encryption range of the SIP request message (g 30 in fig. 23). The encrypted SIP request message is transmitted to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (g 31 in fig. 24).
When the SIP interface unit 33 receives the encrypted SIP request message from the server apparatus 1 after the presence or absence of encryption is set in the SIP message encrypting/decrypting unit 36, it transfers the received SIP request message to the SIP message encrypting/decrypting unit 36. According to the current presence-or-absence and encryption range settings, when encryption is present (g 44 in fig. 24), the SIP message encrypting/decrypting unit 36 decrypts the encryption range of the SIP request message (g 45 in fig. 24).
The decrypted SIP request message is analyzed by the SIP message analysis unit 35, and the call control unit 37 performs call control based on the content of the message (g 46 in fig. 24). Based on the call control result, the call control unit 37 instructs the SIP message creation unit 34 to generate an SIP response message (g 47 in fig. 24). The SIP message creation unit 34 creates a SIP response message and passes it to the SIP message encrypting/decrypting unit 36. Based on the current presence-or-absence and encryption range settings (g 48 in fig. 24), the SIP message encrypting/decrypting unit 36 encrypts the encryption range of the SIP response message when encryption is present (g 49 in fig. 24). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (g 50 in fig. 24).
When receiving the encrypted SIP response message, the SIP interface section 13 of the server apparatus 1 transfers the received SIP response message to the SIP message encrypting/decrypting section 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP response message (g 33 in fig. 24) in accordance with the presence or absence of the currently set encryption and the encryption range setting, if the encryption is present (g 32 in fig. 24). The decrypted SIP response message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (g 34 in fig. 24).
Conversely, when a transmission request to transmit the SIP request message to the server apparatus 1 occurs in the client apparatus 3-1 (g 51 in fig. 24), the SIP message creation unit 34 creates the SIP request message and passes it to the SIP message encrypting/decrypting unit 36. Based on the current presence-or-absence and encryption range settings (g 52 in fig. 24, g 53 in fig. 25), the SIP message encrypting/decrypting unit 36 encrypts the encryption range of the SIP request message when encryption is present (g 54 in fig. 25). The encrypted SIP request message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (g 55 in fig. 25).
When receiving the encrypted SIP request message from the client apparatus 3-1, the SIP interface unit 13 transfers the received SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP request message (g 36 in fig. 25) in accordance with the presence/absence of the current encryption and the setting of the encryption range in the case where the encryption is present (g 35 in fig. 25).
The decrypted SIP request message is analyzed by the SIP message analysis unit 15, and the call control unit 17 performs call control based on the content of the message (g 37 in fig. 25). Based on the call control result, the call control unit 17 instructs the SIP message creation unit 14 to generate an SIP response message (g 38 in fig. 25). The SIP message creation unit 14 creates a SIP response message and passes it to the SIP message encrypting/decrypting unit 16. According to the current presence-or-absence and encryption range settings, when encryption is present (g 39 in fig. 25), the SIP message encrypting/decrypting unit 16 encrypts the encryption range of the SIP response message (g 3a in fig. 25). The encrypted SIP response message is transmitted to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (g 3b in fig. 25).
When receiving the encrypted SIP response message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP response message to the SIP message encrypting/decrypting section 36. The SIP message encrypting/decrypting unit 36 decrypts the encryption range of the SIP response message (g 57 in fig. 25) in accordance with the presence or absence of the current encryption and the setting of the encryption range, if the encryption is present (g 56 in fig. 25). The decrypted SIP response message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (g 58 in fig. 25).
As described above, in the present embodiment, in a system that supports both encrypting the entire SIP message and encrypting an arbitrary part of the SIP message, the range to be encrypted can be selected freely from the local maintenance console 2. It is therefore possible to satisfy both encryption security and network functionality in a system in which a network device such as the SIP-NAT exists, and to select and realize the security level best suited to the current network configuration.
Further, in the present embodiment, the maintainer can freely set the presence or absence of encryption of SIP messages via the server apparatus 1. When encryption is set, the encryption security function on the network is realized; encryption can be turned on where it is required and off where it is unnecessary, depending on the network configuration; and encryption can easily be turned off for maintenance work such as capturing an SIP message log, which simplifies management by the maintainer.
In the present embodiment, since the server apparatus 1 sets the encryption information for the client apparatus 3-1, system integrity can be achieved. Further, in the present embodiment, because the presence or absence of encryption can be selected, compatibility with a client apparatus 3-1 that has no encryption function can be ensured.
In this embodiment, the effect of the SIP encryption function using the set presence or absence of encryption and encryption range information is the same as that of the first to fifth embodiments of the present invention. The operation of the client devices 3-2 and 3-3 is not described, but the same effect as that obtained when the client device 3-1 is used can be obtained.
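The seventh embodiment's flow, as an added Python sketch that is not part of the patent text: the server pushes the on/off flag and encryption range to the client, applies them itself only after the client acknowledges, and a stand-in SIP-NAT shows why a body-only range survives header translation while whole-message encryption does not. The class and function names, the pre-shared key, the "all"/"body" range values and the HMAC-SHA256 keystream cipher are assumptions made for this example; the text above does not specify them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

KEY = b"constructed-demo-key"   # assumption: both ends already share a key
SEP = b"\r\n\r\n"               # blank line between SIP headers and body

# Constructed sample request; addresses come from documentation ranges.
SAMPLE_INVITE = (
    b"INVITE sip:client3-1@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-demo\r\n"
    b"Contact: <sip:server1@192.0.2.10:5060>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"
)

@dataclass(frozen=True)
class CipherSetting:
    enabled: bool = False   # presence or absence of encryption
    scope: str = "all"      # encryption range (hypothetical values): "all" or "body"

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _stream(key, nonce, n):
    """Demo keystream: HMAC-SHA256 in counter mode (stand-in cipher only)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, data):
    """Encrypt-then-MAC with separate subkeys; hex output stays text-safe."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(_subkey(key, b"enc"), nonce, len(data))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex().encode()

def unseal(key, blob):
    """Verify the tag before decrypting; ValueError on a malformed or altered blob."""
    raw = bytes.fromhex(blob.decode("ascii"))   # ValueError if not hex text
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(_subkey(key, b"enc"), nonce, len(ct))))

class Endpoint:
    """One apparatus: stores the setting and applies it to each message."""
    def __init__(self, key):
        self.key = key
        self.setting = CipherSetting()

    def apply(self, setting):
        """Accept a setting only if it is well formed; the return value is the ack."""
        if setting.scope not in ("all", "body"):
            return False
        self.setting = setting
        return True

    def _transform(self, msg, fn):
        if not self.setting.enabled:
            return msg
        if self.setting.scope == "all":
            return fn(self.key, msg)
        head, sep, body = msg.partition(SEP)
        if not sep:
            raise ValueError("no header/body separator")
        return head + sep + fn(self.key, body)   # headers stay cleartext

    def protect(self, msg):
        return self._transform(msg, seal)

    def unprotect(self, wire):
        return self._transform(wire, unseal)

def push_setting(server, client, setting):
    """Server sends the setting and applies it locally only after the client acks."""
    if client.apply(setting):
        server.apply(setting)
    return server.setting == client.setting == setting

def sip_nat_rewrite(wire, inside=b"192.0.2.10", outside=b"198.51.100.7"):
    """Stand-in SIP-NAT: translates header addresses, or None if it cannot parse."""
    head, sep, body = wire.partition(SEP)
    if not sep or b"SIP/2.0" not in head.split(b"\r\n", 1)[0]:
        return None
    return head.replace(inside, outside) + sep + body

def run_through_nat(scope):
    """Server -> SIP-NAT -> client with the given range; None if the NAT drops it."""
    server, client = Endpoint(KEY), Endpoint(KEY)
    push_setting(server, client, CipherSetting(True, scope))
    translated = sip_nat_rewrite(server.protect(SAMPLE_INVITE))
    return None if translated is None else client.unprotect(translated)
```

With the `body` range the request reaches the client with translated Via and Contact headers and an intact SDP body; with `all`, the stand-in SIP-NAT has nothing it can parse. Headers left outside the range are neither confidential nor integrity-protected in this sketch.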
Eighth embodiment
Fig. 26 to 28 are sequence diagrams showing the operation of the client/server type distribution system according to the eighth embodiment of the present invention. The client/server type distributed system according to the eighth embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the fourth embodiment of the present invention shown in fig. 13, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distribution system according to the eighth embodiment of the present invention will be described below with reference to fig. 13 and fig. 26 to 28. The processing of the server apparatus 1 and the processing of the client apparatus 3-1 shown in fig. 26 to 28 can be realized by the CPU of each of the server apparatus 1 and the client apparatus 3-1 executing a program.
The presence or absence of encryption and the encryption rule for SIP messages exchanged with the client apparatus 3-1 are input in advance from the local maintenance console 2 connected to the server apparatus 1 (h 11 in fig. 26). The encryption information input interface unit 12 receives the setting request including the presence or absence of encryption and the encryption rule (h 12 in fig. 26) and, when the normality of the setting request can be confirmed, passes them to the encryption information setting unit 11. The encryption information setting unit 11 stores the presence or absence of encryption and the encryption rule (h 21 in fig. 26).
The encryption information setting unit 11 of the server apparatus 1 instructs the SIP message generating unit 14 to generate an SIP request message including the presence or absence of encryption and the encryption rule (h 22 in fig. 26). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (h 23 in fig. 26).
When the SIP interface unit 33 of the client apparatus 3-1 receives the SIP request message including the encryption presence/absence and the encryption rule, it transfers the received SIP request message to the SIP message analyzing unit 35. When the SIP message analyzing unit 35 can confirm the normality of the encryption presence/absence and the encryption rule, it passes them to the encryption information setting unit 31. The encryption information setting unit 31 stores the encryption presence/absence and the encryption rule, sets them in the SIP message encrypting/decrypting unit 36 (h 41 in fig. 26), and, after the setting is completed, instructs the SIP message generating unit 34 to generate a SIP response message notifying that the setting of the encryption presence/absence and the encryption rule is complete (h 42 in fig. 26). The SIP message generating unit 34 generates the SIP response message and transmits it to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (h 43 in fig. 26).
When the SIP interface unit 13 of the server apparatus 1 receives the SIP response message notifying that the setting of the encryption presence/absence and the encryption rule is complete, it transfers the received SIP response message to the SIP message analyzing unit 15. The SIP message analyzing unit 15 notifies the encryption information setting unit 11 that the setting of the encryption presence/absence and the encryption rule on the client apparatus 3-1 side is complete. On recognizing this, the encryption information setting unit 11 instructs the SIP message encrypting/decrypting unit 16 to set the encryption presence/absence and the encryption rule (h 24 in fig. 26), and reports the completion of the setting to the local maintenance console 2 through the encryption information input interface unit 12 (h 25 in fig. 26). The local maintenance console 2 displays that the setting of the encryption presence/absence and the encryption rule is complete (h 13 in fig. 26).
When a request to transmit a SIP request message to the client apparatus 3-1 arises in the server apparatus 1 after the encryption presence/absence and the encryption rule have been set in the SIP message encrypting/decrypting unit 16 (h 27 in fig. 26), the SIP message generating unit 14 passes the generated SIP request message to the SIP message encrypting/decrypting unit 16. In accordance with the current encryption presence/absence and encryption rule settings, the SIP message encrypting/decrypting unit 16 encrypts the SIP request message with the encryption rule (h 30 in fig. 26) when encryption is enabled (h 28, h 29 in fig. 26). The encrypted SIP request message is transmitted to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (h 31 in fig. 27).
When the SIP interface 33 receives the encrypted SIP request message from the server apparatus 1 after the encryption presence/absence/encryption rule is set in the SIP message encryption/decryption unit 36, the received SIP request message is transferred to the SIP message encryption/decryption unit 36. The SIP message encrypting/decrypting unit 36 decrypts the SIP request message with the encryption rule (h 45 in fig. 27) in accordance with the presence or absence of the current encryption and the encryption rule setting, when the encryption is present (h 44 in fig. 24).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (h 46 in fig. 27). Based on the call control result, the call controller 37 instructs the SIP message generator 34 to generate an SIP response message (h 47 in fig. 27). The SIP message creating unit 34 creates a SIP response message, and passes the created SIP response message to the SIP message encrypting/decrypting unit 36. The SIP message encrypting/decrypting unit 36 encrypts the SIP response message with the encryption rule (h 49 in fig. 27) in accordance with the presence or absence of the current encryption and the encryption rule setting, when the encryption is present (h 48 in fig. 27). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (h 50 in fig. 27).
When receiving the encrypted SIP response message, the SIP interface section 13 of the server apparatus 1 transfers the received SIP response message to the SIP message encrypting/decrypting section 16. The SIP message encrypting/decrypting unit 16 decrypts the SIP response message with the encryption rule (h 33 in fig. 27) in accordance with the presence or absence of the currently set encryption and the encryption rule setting, when the encryption is present (h 32 in fig. 27). The decrypted SIP response message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (h 34 in fig. 27).
Conversely, when a request to transmit a SIP request message to the server apparatus 1 arises in the client apparatus 3-1 (h 51 in fig. 27), the SIP message generating unit 34 generates the SIP request message and passes it to the SIP message encrypting/decrypting unit 36. In accordance with the current encryption presence/absence and encryption rule settings, the SIP message encrypting/decrypting unit 36 encrypts the SIP request message with the encryption rule (h 54 in fig. 28) when encryption is enabled (h 52 in fig. 27, h 53 in fig. 28). The encrypted SIP request message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (h 55 in fig. 28).
When receiving the encrypted SIP request message from the client apparatus 3-1, the SIP interface unit 13 transfers the received SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 decrypts the SIP request message with the encryption rule (h 36 in fig. 28) in accordance with the presence or absence of the current encryption and the encryption rule setting, when the encryption is present (h 35 in fig. 28).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (h 37 in fig. 28). Based on the call control result, the call controller 17 instructs the SIP message generator 14 to generate an SIP response message (h 38 in fig. 28). The SIP message creating unit 14 creates a SIP response message, and passes the created SIP response message to the SIP message encrypting/decrypting unit 16. The SIP message encrypting/decrypting unit 16 encrypts the SIP response message with the encryption rule (h 3a in fig. 28) in accordance with the presence or absence of the current encryption and the encryption rule setting, when the encryption is present (h 39 in fig. 28). The encrypted SIP response message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (h 3b in fig. 28).
When receiving the encrypted SIP response message, the SIP interface unit 33 of the client apparatus 3-1 transfers the received SIP response message to the SIP message encrypting/decrypting unit 36. When encryption is enabled according to the current encryption presence/absence and encryption rule settings, the SIP message encrypting/decrypting unit 36 decrypts the SIP response message with the encryption rule (h 56, h 57 in fig. 28). The decrypted SIP response message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (h 58 in fig. 28).
As described above, in the present embodiment, the maintainer can freely set the encryption presence/absence of SIP messages via the server apparatus 1. When encryption is set, an encryption security function on the network is realized, and encryption can be enabled where it is required and disabled where it is not, depending on the network configuration. Disabling encryption is therefore easy during maintenance work such as collecting SIP message logs, and the maintainer's management is simplified.
Further, in the present embodiment, the function of selecting the encryption presence/absence ensures compatibility with a client apparatus 3-1 that has no encryption function. Further, in the present embodiment, encrypting the SIP message realizes an encryption security function on the network, and different encryption rules can be set for different network configurations, thereby further enhancing encryption security.
Further, in the present embodiment, when an encryption rule operable in the system is added in the future, the new encryption rule can be used without additionally developing an interface for selecting the encryption rule, so changes to the local interface are minimized and development is simplified.
On the other hand, in the present embodiment, since the server apparatus 1 sets the encryption information for the client apparatus 3-1, system uniformity can be achieved. The effects of the SIP message encryption function using the set encryption presence/absence and encryption rule information are the same as those of the first, second, fifth, and sixth embodiments of the present invention described in detail above, respectively. The operation of the client apparatuses 3-2 and 3-3 is not described, but the same effect as that obtained with the client apparatus 3-1 can be obtained.
Ninth embodiment
Fig. 29 to 31 are sequence diagrams showing operations of a client/server type distributed system according to a ninth embodiment of the present invention. The client/server type distributed system according to the ninth embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the fourth embodiment of the present invention shown in fig. 13, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distributed system according to the ninth embodiment of the present invention will be described below with reference to fig. 13 and 29 to 31. The processing of the server apparatus 1 and the processing of the client apparatus 3-1 shown in fig. 29 to 31 can be realized by the CPU of each of the server apparatus 1 and the client apparatus 3-1 executing a program.
When an encryption rule/encryption range of an SIP message is input in advance from the local maintenance console 2 connected to the server apparatus 1 when the SIP message is transmitted and received to and from the client apparatus 3-1 (i 11 in fig. 29), the encryption information input interface section 12 receives a setting request including the encryption rule/encryption range (i 12 in fig. 29), and when the normality of the setting request can be confirmed, transmits the encryption rule/encryption range to the encryption information setting section 11. The encryption information setting unit 11 stores the encryption rule/encryption range (i 21 in fig. 29).
The encryption information setting unit 11 of the server apparatus 1 instructs the SIP message generating unit 14 to generate an SIP request message including the encryption rule and the encryption range (i 22 in fig. 29). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (i 23 in fig. 29).
When the SIP interface unit 33 of the client apparatus 3-1 receives the SIP request message including the encryption rule and the encryption range, the received SIP request message is transferred to the SIP message analyzer 35. When the SIP message analysis unit 35 can confirm the normality of the encryption rule/encryption range, the encryption rule/encryption range is passed to the encryption information setting unit 31. The encryption information setting unit 31 stores the encryption rule/encryption range, sets the encryption rule/encryption range in the SIP message encryption/decryption unit 36 (i 41 in fig. 29), and instructs the SIP message generation unit 34 to generate a SIP response message (i 42 in fig. 29) notifying that the encryption rule/encryption range is set. The SIP message creation unit 34 creates a SIP response message and transmits the created SIP response message to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (i 43 in fig. 29).
When receiving the SIP response message notifying the completion of the setting of the encryption rule and the encryption range, the SIP interface unit 13 of the server apparatus 1 transfers the received SIP response message to the SIP message analyzing unit 15. The SIP message analyzing unit 15 notifies the encryption information setting unit 11 that the setting of the encryption rule and the encryption range on the SIP protocol-compliant client apparatus 3 side is complete. On receiving this notification, the encryption information setting unit 11 instructs the SIP message encrypting/decrypting unit 16 to set the encryption rule/encryption range (i 24 in fig. 29), and reports the completion of the setting to the local maintenance console 2 through the encryption information input interface unit 12 (i 25 in fig. 29). The local maintenance console 2 displays that the encryption rule/encryption range setting is complete (i 13 of fig. 29).
When a transmission request for transmitting an SIP request message to the client device 3-1 is generated in the server device 1 after the encryption rule/encryption range is set in the SIP message encryption/decryption unit 16 (i 27 in fig. 29), the SIP message creation unit 14 creates an SIP request message and passes the created SIP request message to the SIP message encryption/decryption unit 16 (i 28 in fig. 29). The SIP message encrypting/decrypting unit 16 encrypts the encryption range of the SIP request message with the encryption rule according to the current encryption rule/encryption range setting (i 29 in fig. 29). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (i 30 in fig. 30).
When the SIP interface 33 receives the encrypted SIP request message from the server apparatus 1 after the encryption rule/encryption range is set in the SIP message encryption/decryption unit 36, the received SIP message is transferred to the SIP message encryption/decryption unit 36. The SIP message encrypting/decrypting unit 36 decrypts the encryption range of the SIP request message by the encryption rule according to the current encryption rule/encryption range setting (i 44 in fig. 30).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (i 45 in fig. 30). Based on the call control result, the call controller 37 instructs the SIP message generator 34 to generate an SIP response message (i 46 in fig. 30). The SIP message creating unit 34 creates a SIP response message, and passes the created SIP response message to the SIP message encrypting/decrypting unit 36. The SIP message encrypting/decrypting unit 36 encrypts the encryption range of the SIP response message with the encryption rule according to the current encryption rule/encryption range setting (i 47 in fig. 30). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (i 48 in fig. 30).
When receiving the encrypted SIP response message, the SIP interface section 13 of the server apparatus 1 transfers the received SIP response message to the SIP message encrypting/decrypting section 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP response message by the encryption rule according to the currently set encryption rule/encryption range setting (i 31 in fig. 30). The decrypted SIP response message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (i 32 in fig. 30).
Conversely, when a transmission request to transmit the SIP request message to the server apparatus 1 occurs in the client apparatus 3-1 (i 49 in fig. 30), the SIP message creating unit 34 creates the SIP request message and passes the created SIP request message to the SIP message encrypting/decrypting unit 36. The SIP message encrypting/decrypting unit 36 encrypts the encryption range of the SIP request message with the encryption rule according to the current encryption rule/encryption range setting (i 50, i51 in fig. 30). The encrypted SIP request message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (i 52 in fig. 30).
When receiving the encrypted SIP request message from the client apparatus 3-1, the SIP interface unit 13 transfers the received SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP request message by the encryption rule according to the current encryption rule/encryption range setting (i 33 in fig. 30).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (i 34 in fig. 30). Based on the call control result, the call controller 17 instructs the SIP message generator 14 to generate an SIP response message (i 38 in fig. 31). The SIP message creating unit 14 creates a SIP response message, and passes the created SIP response message to the SIP message encrypting/decrypting unit 16. The SIP message encrypting/decrypting section 16 encrypts the encryption range of the SIP response message with the encryption rule according to the current encryption rule/encryption range setting (i 36 in fig. 31). The encrypted SIP response message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (i 37 in fig. 31).
When receiving the encrypted SIP response message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP response message to the SIP message encrypting/decrypting section 36. The SIP message encrypting/decrypting unit 36 decrypts the encryption range of the SIP response message by the encryption rule according to the current encryption rule/encryption range setting (i 53 in fig. 31). The decrypted SIP response message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (i 54 in fig. 31).
As described above, in the present embodiment, in a system that supports both encrypting the entire SIP message and encrypting an arbitrary part of it, the range to be encrypted can be selected freely from the local maintenance console 2. It is therefore possible to satisfy both encryption security and network functionality in a system in which a network device such as a SIP-NAT exists, and to select and realize the security level most suitable for the current network configuration.
In addition, in this embodiment, encrypting the SIP message realizes an encryption security function on the network, and different encryption rules/encryption ranges can be set for different network configurations, thereby enhancing encryption security. Further, in the present embodiment, the encryption rule and the encryption range of the client apparatus 3-1 can be set via the server apparatus 1, which achieves system uniformity and simplifies the maintainer's management.
Further, in the present embodiment, when an encryption rule operable in the system is added in the future, the new encryption rule can be used without additionally developing an interface for selecting the encryption rule, so changes to the local interface are minimized and development is simplified. In this embodiment, the effect of the SIP message encryption function using the set encryption rule/encryption range information is the same as that of the first to fourth and sixth embodiments of the present invention described above. The operation of the client apparatuses 3-2 and 3-3 is not described, but the same effect as that obtained with the client apparatus 3-1 can be obtained.
Tenth embodiment
Fig. 32 to 34 are sequence diagrams showing operations of a client/server type distributed system according to a tenth embodiment of the present invention. The client/server type distributed system according to the tenth embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the fourth embodiment of the present invention shown in fig. 13, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distributed system according to the tenth embodiment of the present invention will be described below with reference to fig. 13 and 32 to 34. The processing of the server apparatus 1 and the processing of the client apparatus 3-1 shown in fig. 32 to 34 can be realized by the CPU of each of the server apparatus 1 and the client apparatus 3-1 executing a program.
When the encryption presence/absence, the encryption rule, and the encryption range to be applied to SIP messages exchanged with the client apparatus 3-1 are input in advance from the local maintenance console 2 connected to the server apparatus 1 (j 11 in fig. 32), the encryption information input interface unit 12 receives a setting request including the encryption presence/absence, the encryption rule, and the encryption range (j 12 in fig. 32) and, when the normality of the setting request can be confirmed, passes the encryption presence/absence, the encryption rule, and the encryption range to the encryption information setting unit 11. The encryption information setting unit 11 stores the encryption presence/absence, the encryption rule, and the encryption range (j 21 in fig. 32).
The encryption information setting unit 11 of the server apparatus 1 instructs the SIP message generating unit 14 to generate a SIP request message including the presence or absence of an encryption, an encryption rule, and an encryption range (j 22 in fig. 32). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (j 23 in fig. 32).
When the SIP interface unit 33 of the client apparatus 3-1 receives the SIP request message including the encryption presence/absence, the encryption rule, and the encryption range, it transfers the received SIP request message to the SIP message analyzing unit 35. When the SIP message analyzing unit 35 can confirm the normality of the encryption presence/absence, the encryption rule, and the encryption range, it passes them to the encryption information setting unit 31. The encryption information setting unit 31 stores the encryption presence/absence, the encryption rule, and the encryption range, sets them in the SIP message encrypting/decrypting unit 36 (j 41 in fig. 32), and, after the setting is completed, instructs the SIP message generating unit 34 to generate a SIP response message notifying that the encryption presence/absence, the encryption rule, and the encryption range have been set (j 42 in fig. 32). The SIP message generating unit 34 generates the SIP response message and transmits it to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (j 43 in fig. 32).
When the SIP interface unit 13 of the server apparatus 1 receives the SIP response message notifying that the setting of the encryption presence/absence, the encryption rule, and the encryption range is complete, it transfers the received SIP response message to the SIP message analyzing unit 15. The SIP message analyzing unit 15 notifies the encryption information setting unit 11 that the setting of the encryption presence/absence, the encryption rule, and the encryption range on the client apparatus 3-1 side is complete. On recognizing this, the encryption information setting unit 11 instructs the SIP message encrypting/decrypting unit 16 to set the encryption presence/absence, the encryption rule, and the encryption range (j 24 in fig. 32), and reports the completion of the setting to the local maintenance console 2 through the encryption information input interface unit 12 (j 25 in fig. 32). The local maintenance console 2 displays that the setting of the encryption presence/absence, the encryption rule, and the encryption range is complete (j 13 in fig. 32).
When a request to transmit a SIP request message to the client apparatus 3-1 arises in the server apparatus 1 after the encryption presence/absence, the encryption rule, and the encryption range have been set in the SIP message encrypting/decrypting unit 16 (j 27 in fig. 32), the SIP message generating unit 14 generates the SIP request message and passes it to the SIP message encrypting/decrypting unit 16 (j 28 in fig. 32). In accordance with the current encryption presence/absence, encryption rule, and encryption range settings, the SIP message encrypting/decrypting unit 16 encrypts the encryption range of the SIP request message with the encryption rule (j 30 in fig. 32) when encryption is enabled (j 29 in fig. 32). The encrypted SIP request message is transmitted to the SIP interface unit 33 of the client apparatus 3-1 via the SIP interface unit 13 (j 31 in fig. 33).
When the SIP interface 33 receives the encrypted SIP request message from the server apparatus 1 after the presence/absence of the encryption, the encryption rule, and the encryption range are set in the SIP message encryption/decryption unit 36, the received SIP request message is transferred to the SIP message encryption/decryption unit 36. The SIP message encrypting/decrypting unit 36 decrypts the encryption range of the SIP request message by the encryption rule (j 45 in fig. 33) in the case where the encryption is present (j 44 in fig. 33) according to the presence/absence of the current encryption, the encryption rule, and the encryption range setting.
The decrypted SIP request message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (j 46 in fig. 33). Based on the call control result, the call control unit 37 instructs the SIP message generating unit 34 to generate a SIP response message (j 47 in fig. 33). The SIP message generating unit 34 generates the SIP response message and passes it to the SIP message encrypting/decrypting unit 36. In accordance with the current encryption presence/absence, encryption rule, and encryption range settings, the SIP message encrypting/decrypting unit 36 encrypts the encryption range of the SIP response message with the encryption rule (j 49 in fig. 33) when encryption is enabled (j 48 in fig. 33). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (j 50 in fig. 33).
The SIP interface section 13 of the server apparatus 1 that has received the encrypted SIP response message passes the received SIP response message to the SIP message encrypting/decrypting section 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP response message by the encryption rule (j 33 in fig. 33) in the case where the encryption is present (j 32 in fig. 33) according to the presence/absence of the currently set encryption, the encryption rule, and the encryption range. The decrypted SIP response message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (j 34 in fig. 33).
Conversely, when a request to transmit a SIP request message to the server apparatus 1 arises in the client apparatus 3-1 (j 51 in fig. 33), the SIP message generating unit 34 generates the SIP request message and passes it to the SIP message encrypting/decrypting unit 36. In accordance with the current encryption presence/absence, encryption rule, and encryption range settings, the SIP message encrypting/decrypting unit 36 encrypts the encryption range of the SIP request message with the encryption rule (j 54 in fig. 34) when encryption is enabled (j 52 in fig. 33 and j 53 in fig. 34). The encrypted SIP request message is transmitted to the SIP interface unit 13 of the server apparatus 1 via the SIP interface unit 33 (j 55 in fig. 34).
When receiving the encrypted SIP request message from the client apparatus 3-1, the SIP interface unit 13 transfers the received SIP message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP request message by the encryption rule (j 36 in fig. 34) in the case where the encryption is present (j 35 in fig. 34) according to the presence/absence of the current encryption, the encryption rule, and the encryption range setting.
The decrypted SIP request message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (j 37 in fig. 34). Based on the call control result, the call controller 17 instructs the SIP message generator 14 to generate an SIP response message (j 38 in fig. 34). The SIP message creating unit 14 creates a SIP response message, and passes the created SIP response message to the SIP message encrypting/decrypting unit 16. The SIP message encrypting/decrypting unit 16 encrypts the encryption range of the SIP response message with the encryption rule (j 3a in fig. 34) in accordance with the current encryption presence/absence, encryption rule, and encryption range setting, when the encryption is present (j 39 in fig. 34). The encrypted SIP response message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (j 3b in fig. 34).
When receiving the encrypted SIP response message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP response message to the SIP message encrypting/decrypting section 36. The SIP message encrypting/decrypting unit 36 decrypts the encryption range of the SIP response message by the encryption rule (j 57 in fig. 34) in the case where the encryption is present (j 56 in fig. 34) according to the presence/absence of the current encryption, the encryption rule, and the encryption range setting. The decrypted SIP response message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (j 58 in fig. 34).
As described above, in the present embodiment the maintainer can arbitrarily set, via the server apparatus 1, whether SIP messages are encrypted. When encryption is enabled, the encryption security function on the network is realized. Because encryption can be enabled or disabled to suit the network configuration, it is easy to switch to the non-encrypted setting for maintenance work in which an SIP message log is taken, and management by the maintainer is simplified.
Further, in the present embodiment, the function of selecting the presence or absence of encryption ensures compatibility with a client apparatus 3-1 that has no encryption function. In addition, in a system that supports both encrypting the entire SIP message and encrypting only a part of it, the encryption range can be selected arbitrarily from the local maintenance console 2. It is therefore possible to satisfy both encryption security and network functionality in a system in which a network device such as SIP-NAT exists, and to select and realize the security level best suited to the current network configuration.
Further, in the present embodiment, by encrypting the SIP message, it is possible to realize the encryption security function on the network, and it is possible to set different encryption rules and encryption ranges for different network configurations, thereby further enhancing the encryption security.
On the other hand, in the present embodiment, since the server apparatus 1 sets the encryption information for the client apparatus 3-1, system uniformity and ease of management by the maintainer can be achieved. Further, when an encryption rule operable in the system is added in the future, the new encryption rule can be used without developing an additional interface for selecting it, so changes to the local interface are minimized and development is simplified.
In this embodiment, the effects of the SIP message encryption function using the set encryption presence/absence, encryption rule, and encryption range information are the same as those in the first to ninth embodiments of the present invention described in detail above, respectively. The operation of the client devices 3-2 and 3-3 is not described, but the same effect as that obtained when the client device 3-1 is used can be obtained.
Eleventh embodiment
Fig. 35 is a block diagram showing the configuration of a client/server type distributed system of the eleventh embodiment of the present invention. In fig. 35, a client/server type distributed system according to an eleventh embodiment of the present invention has the same configuration as the client/server type distributed system according to the fourth embodiment of the present invention shown in fig. 13 except that key generation units 18 and 38 are provided in a server device 1b and client devices 3a-1 to 3a-3 (the key generation unit 38 of the client devices 3a-1 to 3a-3 is not shown), and the same components are denoted by the same reference numerals. The operation of the same components is the same as that of the fourth embodiment of the present invention.
In the present embodiment, by implementing the above configuration, the security of SIP message control on the IP network can be enhanced by encrypting the SIP message when the server device 1b communicates with the client devices 3a-1 to 3a-3.
Fig. 36 to 39 are sequence diagrams showing the operation of the client/server type distributed system according to the eleventh embodiment of the present invention. The operation of the client/server type distributed system according to the eleventh embodiment of the present invention will be described with reference to fig. 35 to 39. The processing of the server device 1b and the processing of the client device 3a-1 shown in fig. 36 to 39 can be realized by the execution of a program by the CPU of each of the server device 1b and the client device 3a-1.
When the initial server access request to the server apparatus 1b is generated from the client apparatus 3a-1 (k 41 in fig. 36), the SIP message generation unit 34 generates an SIP request message and transmits the generated SIP request message to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (k 42 in fig. 36).
The SIP interface 13 of the server apparatus 1b, on receiving the SIP request message, accepts the initial access from the client apparatus 3a-1 and passes it to the encryption information setting unit 11. The encryption information setting unit 11 creates and stores a random parameter for key generation (k 21 in fig. 36), to be used for encrypting SIP messages between the server device 1b and the client device 3a-1, and instructs the SIP message creating unit 14 to create a SIP response message to which the random parameter for key generation is added. The SIP message creation unit 14 creates an SIP response message and transmits the created SIP response message to the SIP interface unit 33 of the client apparatus 3a-1 via the SIP interface unit 13 (k 22 in fig. 36).
When the SIP interface unit 33 of the client apparatus 3a-1 receives the SIP response message to which the random parameter for key generation is added, the received random parameter for key generation is passed to the encryption information setting unit 31. The encryption information setting unit 31 stores the key generation random parameter (k 43 in fig. 36).
While the server apparatus 1b and the client apparatus 3a-1 are in the no-encryption setting state (k 23 in fig. 36), the encryption presence/absence, the encryption rule, and the encryption range to be applied to SIP messages exchanged with the client apparatus 3a-1 are input from the local maintenance console 2 connected to the server apparatus 1b (k 11 in fig. 36). The encryption information input interface unit 12 receives a setting request including the encryption presence/absence, the encryption rule, and the encryption range (k 12 in fig. 36) and, when the normality of the setting request can be determined, passes them to the encryption information setting unit 11. The encryption information setting unit 11 stores the encryption presence/absence, the encryption rule, and the encryption range (k 24 in fig. 36).
The encryption information setting unit 11 of the server apparatus 1b instructs the SIP message generating unit 14 to generate an SIP request message including the presence or absence of an encryption, the encryption rule, and the encryption range (k 25 in fig. 36). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3a-1 via the SIP interface unit 13 (k 26 in fig. 36).
When the SIP interface unit 33 of the client apparatus 3a-1 receives the SIP request message including the encryption presence/absence, the encryption rule, and the encryption range, it transfers the received SIP request message to the SIP message analyzing unit 35. When the SIP message analyzing unit 35 can confirm the normality of the encryption presence/absence, the encryption rule, and the encryption range, it passes them to the encryption information setting unit 31. The encryption information setting unit 31 stores them, has the key generation unit 38 generate a key based on the stored random parameter for key generation (k 44 in fig. 36), and sets the encryption presence/absence, the encryption rule, the encryption range, and the key in the SIP message encryption/decryption unit 36 (k 45 in fig. 36).
After the completion of the setting, the encryption information setting unit 31 instructs the SIP message generation unit 34 to generate a SIP response message (k 46 in fig. 36) notifying the presence or absence of the encryption, the encryption rule, and the completion of the setting of the encryption range. The SIP message creation unit 34 creates a SIP response message and transmits the created SIP response message to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (k 47 in fig. 36).
When the SIP interface unit 13 of the server apparatus 1b receives the SIP response message notifying that the setting of the encryption presence/absence, the encryption rule, and the encryption range is complete, it transfers the received SIP response message to the SIP message analyzing unit 15. The SIP message analyzing unit 15 notifies the encryption information setting unit 11 that the setting of the encryption presence/absence, the encryption rule, and the encryption range has been completed on the client device 3a-1 side. The encryption information setting unit 11 recognizes that the setting is complete, has the key generation unit 18 generate the key based on the stored random parameter for key generation (k 27 in fig. 37), and instructs the SIP message encryption/decryption unit 16 to set the encryption presence/absence, the encryption rule, the encryption range, and the key (k 28 in fig. 37).
After the setting is completed, the encryption information setting unit 11 reports the completion of the setting to the local maintenance console 2 via the encryption information input interface unit 12 (k 29 in fig. 37). The local maintenance console 2 displays that the setting of the encryption presence/absence, the encryption rule, and the encryption range is complete (k 13 in fig. 37).
When the server device 1b generates a transmission request for transmitting the SIP request message to the client device 3a-1 after the SIP message encryption/decryption unit 16 sets the encryption presence/absence, the encryption rule, the encryption range, and the encryption key (k 31 in fig. 37), the SIP message creation unit 14 creates the SIP request message and transmits the created SIP request message to the SIP message encryption/decryption unit 16 (k 32 in fig. 37).
The SIP message encrypting/decrypting unit 16 encrypts the encryption range of the SIP request message with the encryption rule and the key (k 34 in fig. 37) in accordance with the presence or absence of the current encryption, the encryption rule, the encryption range, and the key setting (k 33 in fig. 37) when the encryption is present. The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3a-1 via the SIP interface 13 (k 35 in fig. 37).
When the SIP interface unit 33 receives the encrypted SIP request message from the server apparatus 1b after the presence/absence of the encryption, the encryption rule, and the encryption range are set in the SIP message encryption/decryption unit 36, the received SIP request message is transferred to the SIP message encryption/decryption unit 36. The SIP message encrypting/decrypting unit 36 decrypts the encryption range of the SIP request message by the encryption rule (k 49 in fig. 37) in the case where the encryption is present (k 48 in fig. 37) according to the presence/absence of the current encryption, the encryption rule, and the encryption range setting.
The decrypted SIP request message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (k 50 in fig. 37). Based on the call control result, the call controller 37 instructs the SIP message generator 34 to generate an SIP response message (k 51 in fig. 38). The SIP message creating unit 34 creates a SIP response message, and passes the created SIP response message to the SIP message encrypting/decrypting unit 36. The SIP message encrypting/decrypting unit 36 encrypts the encryption range of the SIP response message with the encryption rule (k 53 in fig. 38) in the case where the encryption is present (k 52 in fig. 38) according to the presence/absence of the current encryption, the encryption rule, and the encryption range setting. The encrypted SIP response message is transmitted to the SIP interface 13 of the server apparatus 1b via the SIP interface 33 (k 54 in fig. 38).
When receiving the encrypted SIP response message, the SIP interface unit 13 of the server apparatus 1b passes the received SIP response message to the SIP message encrypting/decrypting unit 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP response message by the encryption rule (k 37 in fig. 38) in the case where the encryption is present (k 36 in fig. 38) according to the presence/absence of the currently set encryption, the encryption rule, and the encryption range. The decrypted SIP response message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (k 38 in fig. 38).
Conversely, when a transmission request to transmit the SIP request message to the server device 1b occurs in the client device 3a-1 (k 55 in fig. 38), the SIP message creating unit 34 creates the SIP request message and passes the created SIP request message to the SIP message encrypting/decrypting unit 36. The SIP message encrypting/decrypting unit 36 encrypts the encryption range of the SIP request message with the encryption rule (k 58 in fig. 38) in accordance with the encryption rule and the encryption range setting of the current encryption, if the encryption exists (k 56 and k57 in fig. 38). The encrypted SIP request message is transmitted to the SIP interface 13 of the server apparatus 1b via the SIP interface 33 (k 59 in fig. 38).
When receiving the encrypted SIP request message from the client apparatus 3a-1, the SIP interface unit 13 transfers the received SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP request message by the encryption rule (k 3a in fig. 39) in the case where the encryption is present (k 39 in fig. 39) according to the presence/absence of the current encryption, the encryption rule, and the encryption range setting.
The decrypted SIP request message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (k 3b in fig. 39). Based on the call control result, the call controller 17 instructs the SIP message generator 14 to generate an SIP response message (k 3c in fig. 39). The SIP message creating unit 14 creates a SIP response message, and passes the created SIP response message to the SIP message encrypting/decrypting unit 16. The SIP message encrypting/decrypting unit 16 encrypts the encryption range of the SIP response message with the encryption rule (k 3e in fig. 39) in the case where the encryption is present (k 3d in fig. 39) according to the presence/absence of the current encryption, the encryption rule, and the encryption range setting. The encrypted SIP response message is transmitted to the SIP interface 33 of the client apparatus 3a-1 via the SIP interface 13 (k 3f in fig. 39).
When receiving the encrypted SIP response message, the SIP interface section 33 of the client apparatus 3a-1 transfers the received SIP response message to the SIP message encrypting/decrypting section 36. The SIP message encrypting/decrypting unit 36 decrypts the encryption range of the SIP response message by the encryption rule (k 5b in fig. 39) in the case where the encryption is present (k 5a in fig. 39) according to the presence/absence of the current encryption, the encryption rule, and the encryption range setting. The decrypted SIP response message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (k 5c in fig. 39).
As described above, in the present embodiment, when the encryption function is activated in a system that has been exchanging SIP messages without encryption, the encryption information other than the key is transmitted from the server apparatus to the client apparatus unencrypted, while the key itself is generated in synchronization by a key generation function provided in both the server apparatus and the client apparatus. Common encryption information can therefore be set between the server apparatus and the client apparatus without notifying the key via the IP network, and the encryption security function after the encryption information is set can be enhanced.
In this embodiment, the effect as the SIP message encryption function using the set encryption information is the same as that of the first to tenth embodiments of the present invention described above. Further, in the present embodiment, since the key is generated using the random parameter determined when the client apparatus makes initial access to the server apparatus, the regularity of the generated key can be eliminated, and the key security function can be enhanced.
Although the operation of the client devices 3a-2 and 3a-3 is not described, the same effect as that obtained when the client device 3a-1 is used can be obtained.
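The synchronized key generation of this embodiment, as an added sketch that is not taken from the patent: the page does not say how key generation units 18 and 38 compute the key, so the HKDF construction (RFC 5869), the pre-provisioned `device_secret`, and the use of the client reference as a context label are assumptions. Because the random parameter travels in an unencrypted SIP response (k 22), the derivation here mixes in a secret that never crosses the network.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size
MIN_PARAM_LEN = 16  # assumed minimum size of the random parameter, in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, input keying material)."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: stretch PRK into `length` bytes bound to `info`."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested key is too long for HKDF")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_random_parameter() -> bytes:
    """Server side, step k 21: create the random parameter for key generation."""
    return secrets.token_bytes(MIN_PARAM_LEN)


def generate_key(device_secret: bytes, random_parameter: bytes,
                 client_id: str, length: int = 32) -> bytes:
    """Stand-in for key generation units 18 and 38 (hypothetical derivation).

    Both ends call this with the same inputs, so the key itself is never sent.
    """
    if len(random_parameter) < MIN_PARAM_LEN:
        raise ValueError("random parameter too short")
    prk = hkdf_extract(random_parameter, device_secret)
    return hkdf_expand(prk, b"sip-message-key|" + client_id.encode(), length)


def demo():
    """Constructed values only; nothing here comes from a real deployment."""
    device_secret = secrets.token_bytes(32)   # assumed: provisioned out of band
    parameter = new_random_parameter()        # sent in the clear in k 22
    server_key = generate_key(device_secret, parameter, "3a-1")   # k 27
    client_key = generate_key(device_secret, parameter, "3a-1")   # k 44
    # A party that saw only the parameter on the wire lacks device_secret.
    wire_only = generate_key(b"\x00" * 32, parameter, "3a-1")
    # A fresh parameter at the next initial access gives an unrelated key.
    next_access = generate_key(device_secret, new_random_parameter(), "3a-1")
    return (server_key == client_key,
            server_key != wire_only,
            server_key != next_access)


if __name__ == "__main__":
    print(demo())
```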
Twelfth embodiment
Fig. 40 is a block diagram showing the configuration of a client/server type distributed system according to a twelfth embodiment of the present invention. In fig. 40, a client/server type distributed system according to a twelfth embodiment of the present invention has the same configuration as the client/server type distributed system according to the fourth embodiment of the present invention shown in fig. 13 except that a key generation unit 18 is provided in a server device 1b, and the same components are denoted by the same reference numerals. The operation of the same components is the same as that of the fourth embodiment of the present invention.
In addition, the server device 1b and the client devices 3-1 to 3-3 perform encryption/decryption processing during SIP message transmission and reception in a state where the encryption information has already been set. The encryption information already set is hereinafter referred to as the old encryption information.
In the present embodiment, by implementing the above configuration, the security of SIP message control on the IP network can be enhanced by encrypting the SIP message when the server device 1b communicates with the client devices 3-1 to 3-3.
Fig. 41 to 44 are sequence diagrams showing operations of a client/server type distributed system according to a twelfth embodiment of the present invention. The operation of the client/server type distributed system according to the twelfth embodiment of the present invention will be described with reference to fig. 40 to 44. The processing of the server device 1b and the processing of the client device 3-1 shown in fig. 41 to 44 can be realized by the CPU of each of the server device 1b and the client device 3-1 executing a program.
When, in a state where the encryption presence/absence, the encryption rule, and the encryption range have been set between the server apparatus 1b and the client apparatus 3-1 (120 in fig. 41), the encryption presence/absence, the encryption rule, and the encryption range to be applied to SIP messages exchanged with the client apparatus 3-1 are input from the local maintenance console 2 connected to the server apparatus 1b (111 in fig. 41), the encryption information input interface section 12 receives a setting request including the encryption presence/absence, the encryption rule, and the encryption range (112 in fig. 41) and, when the normality of the setting request can be determined, passes them to the encryption information setting section 11.
The encryption information setting unit 11 instructs the key generation unit 18 to generate a key (121 in fig. 41) to be used for SIP messaging with the client apparatus 3-1. When the key generation unit 18 generates the key, the encryption information setting unit 11 stores the key generated by the key generation unit 18 together with the encryption presence/absence, the encryption rule, and the encryption range input from the local maintenance console 2 (122 in fig. 41).
The encryption information setting unit 11 instructs the SIP message generation unit 14 to generate a SIP request message (123 in fig. 41) including the new encryption presence/absence, encryption rule, encryption range, and key (hereinafter referred to as new encryption information). The SIP message creation unit 14 creates a SIP request message, and passes the created SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting section 16 encrypts the SIP request message with the old encryption information (124 of fig. 41). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (125 in fig. 41).
When receiving the SIP request message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP request message to the SIP message encryption/decryption section 36. The SIP message encrypting/decrypting section 36 decrypts the SIP request message (141 in fig. 41). The decrypted SIP request message is passed to the SIP message analyzer 35. When the normality of the new cryptographic information can be confirmed, the SIP message analysis unit 35 passes the new cryptographic information to the cryptographic information setting unit 31.
The encryption information setting unit 31 stores the new encryption information, sets the new encryption information in the SIP message encryption/decryption unit 36 (142 in fig. 41), and, after the setting is completed, instructs the SIP message generation unit 34 to generate a SIP response message (143 in fig. 41) notifying that the setting of the new encryption information is complete. The SIP message creating unit 34 creates a SIP response message, and the SIP message encrypting/decrypting unit 36 encrypts the created SIP response message with the old encryption information (144 in fig. 41). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (145 in fig. 41).
When receiving the SIP response message notifying the completion of setting the new encryption information, the SIP interface 13 of the server 1b instructs the SIP message encrypting/decrypting unit 16 to decrypt the SIP response message (126 in fig. 42). The SIP message encrypting/decrypting section 16 decrypts the SIP response message, and passes the decrypted SIP response message to the SIP message analyzing section 15. The SIP message analysis unit 15 transmits a new encryption information setting completion notification on the client device 3-1 side to the encryption information setting unit 11. The encryption information setting unit 11 receives the completion of the setting of the new encryption information, instructs the SIP message encryption/decryption unit 16 to set the new encryption information (127 in fig. 42), and, after the setting is completed, reports the completion of the setting to the local maintenance console 2 via the encryption information input interface unit 12 (128 in fig. 42). The local maintenance console 2 displays that the setting of the encryption presence/absence, the encryption rule, and the encryption range is complete (113 in fig. 42).
When a transmission request for transmitting an SIP request message to the client device 3-1 is generated in the server device 1b after the new encryption information is set in the SIP message encryption/decryption unit 16 (130 in fig. 42), the SIP message creation unit 14 creates an SIP request message and passes the created SIP request message to the SIP message encryption/decryption unit 16 (131 in fig. 42). The SIP message encrypting/decrypting unit 16, in accordance with the current new encryption information setting (encryption presence/absence, encryption rule, encryption range, and key), encrypts the encryption range of the SIP request message with the encryption rule and the key (133 of fig. 42) when the encryption is present (132 of fig. 42). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (134 in fig. 42).
When the SIP interface 33 receives the encrypted SIP request message from the server apparatus 1b after the new encryption information is set in the SIP message encryption/decryption unit 36, the received SIP request message is transferred to the SIP message encryption/decryption unit 36. The SIP message encrypting/decrypting unit 36, in accordance with the new encryption information setting (encryption presence/absence, encryption rule, encryption range, and key), decrypts the encryption range of the SIP request message with the encryption rule and the key (147 in fig. 42) when the encryption is present (146 in fig. 42).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (148 in fig. 42). Based on the call control result, the call controller 37 instructs the SIP message generator 34 to generate an SIP response message (149 in fig. 42). The SIP message creating unit 34 creates a SIP response message, and passes the created SIP response message to the SIP message encrypting/decrypting unit 36. The SIP message encrypting/decrypting unit 36, in accordance with the new encryption information setting, encrypts the encryption range of the SIP response message with the encryption rule and the key (151 in fig. 43) when the encryption is present (150 in fig. 43). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (152 in fig. 43).
When receiving the encrypted SIP response message, the SIP interface unit 13 of the server apparatus 1b passes the received SIP response message to the SIP message encrypting/decrypting unit 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP response message with the encryption rule and the key (136 of fig. 43) when the encryption exists, based on the new encryption information setting (135 of fig. 43). The decrypted SIP response message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (137 in fig. 43).
Conversely, when a transmission request to transmit the SIP request message to the server device 1b is generated in the client device 3-1 (153 in fig. 43), the SIP message generating unit 34 generates the SIP request message and passes the generated SIP request message to the SIP message encrypting/decrypting unit 36. The SIP message encrypting/decrypting unit 36 encrypts the encryption range of the SIP request message with the encryption rule and the key (156 in fig. 43) when the encryption exists, based on the new encryption information setting (154, 155 in fig. 43). The encrypted SIP request message is transmitted to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (157 in fig. 43).
When receiving the encrypted SIP request message from the client apparatus 3-1, the SIP interface unit 13 transfers the received SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting unit 16 decrypts the encryption range of the SIP request message by the encryption rule and the key (139 in fig. 44) when the encryption exists, based on the new encryption information setting (138 in fig. 44).
The decrypted SIP request message is analyzed by the SIP message analyzing unit 15, and the call control unit 17 performs call control based on the content of the message (13 a in fig. 44). Based on the call control result, the call controller 17 instructs the SIP message generator 14 to generate an SIP response message (13 b in fig. 44). The SIP message creating unit 14 creates a SIP response message, and passes the created SIP response message to the SIP message encrypting/decrypting unit 16. The SIP message encrypting/decrypting unit 16, in accordance with the new encryption information setting, encrypts the encryption range of the SIP response message with the encryption rule and the key (13 d in fig. 44) when the encryption is present (13 c in fig. 44). The encrypted SIP response message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (13 e in fig. 44).
When receiving the encrypted SIP response message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP response message to the SIP message encrypting/decrypting section 36. The SIP message encrypting/decrypting unit 36, in accordance with the new encryption information setting, decrypts the encryption range of the SIP response message with the encryption rule and the key (159 in fig. 44) when the encryption is present (158 in fig. 44). The decrypted SIP response message is analyzed by the SIP message analyzing unit 35, and the call control unit 37 performs call control based on the content of the message (15 a in fig. 44).
As described above, in the present embodiment, in a system that transmits and receives SIP messages with encryption already set, when the encryption information is changed, the new encryption information is transmitted between the server apparatus and the client apparatus encrypted with the encryption information already set, and therefore the encryption security can be enhanced.
In the present embodiment, the maintainer can arbitrarily set, from the local maintenance console 2, the newly set encryption information other than the key, so the system configuration is uniform, and the maintainer can change the setting to no encryption when the SIP message communication state is to be recorded, so that the simplicity of maintenance can be ensured. Further, in the present embodiment, since the same key is not used for a long period of time and the maintainer can change the key at an arbitrary timing, security against theft of the encryption information can be enhanced.
In addition, in the present embodiment, since the server apparatus 1 randomly generates a key and distributes the key to the client apparatus 3-1, no third party, including the maintainer, can learn the key that has been set. This prevents human error and leakage of the key, and further enhances the encryption security.
In this embodiment, the effect as the SIP message encryption function set using the new encryption information is the same as in the first to tenth embodiments of the present invention described above. Although the operation of the client devices 3-2 and 3-3 is not described, the same effect as that obtained when the client device 3-1 is used can be obtained.
Thirteenth embodiment
Fig. 45 is a flowchart showing the operation of the client/server type distributed system according to the thirteenth embodiment of the present invention. The client/server type distributed system according to the thirteenth embodiment of the present invention has the same configuration as the client/server type distributed system according to the twelfth embodiment of the present invention shown in fig. 40, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distributed system according to the thirteenth embodiment of the present invention will be described below with reference to fig. 40 and 45.
The processing of the server apparatus 1b or the client apparatus 3-1 shown in fig. 45 can be realized by the CPU of the server apparatus 1b or the client apparatus 3-1 executing a program. The processing shown in fig. 45 indicates an operation triggered by reception of an encrypted SIP message in the password information setting state, and the server apparatus 1b and the client apparatus 3-1 perform the same operation. In the following description, the operation of the server apparatus 1b will be described.
In a state where the password has been set by the old password information (m 1 in fig. 45), when receiving the SIP message encrypted by the opposite device using the old password information, the server device 1b decrypts the received SIP message based on the old password information and performs control based on the content of the message (m 2 in fig. 45). When transmitting the SIP message, the server device 1b creates the SIP message, encrypts the message based on the old password information, and transmits the encrypted message to the partner device (m 3 in fig. 45).
When the setting of the new password information is completed between the own device and the opposite device (m 4 in fig. 45), the server device 1b sets and starts the old password information validity timer (m 5 in fig. 45) in order to limit the period during which SIP messages encrypted with the old password information can still be received.
Upon receiving the SIP message encrypted with the old cryptographic information (m 6 in fig. 45), the server apparatus 1b checks the timeout of the old cryptographic information validity timer (m 7 in fig. 45), and if the timeout does not occur, decrypts and controls the SIP message based on the held old cryptographic information (m 8 in fig. 45). When the old encryption information validity timer times out, the server apparatus 1b discards the received SIP message without decrypting it (m 9 in fig. 45).
When transmitting the SIP message, the server device 1b creates the SIP message (m 10 in fig. 45), encrypts the message based on the new password information, and transmits the encrypted message to the opposite device (m 11 in fig. 45). When receiving the SIP message encrypted with the new encryption information from the opposite device (m 12 in fig. 45), the server device 1b decrypts the received SIP message based on the new encryption information and performs control based on the content of the message (m 13 in fig. 45). When transmitting the SIP message, the server apparatus 1b creates the SIP message, encrypts the message based on the new password information, and transmits the encrypted message to the counterpart apparatus.
As described above, in the present embodiment, since the reception and decryption of the SIP message encrypted with the old cryptographic information can be performed for a certain period after the change to the new cryptographic information, the cryptographic information can be changed without impairing the validity of the SIP message being transmitted and received in the cryptographic information changing process, and the cryptographic information can be changed at any time. In this embodiment, the effect of the SIP message encryption function using the set password information is the same as that of the first to eleventh embodiments of the present invention.
Fourteenth embodiment
Fig. 46 and 47 are sequence diagrams showing operations of a client/server type distributed system according to a fourteenth embodiment of the present invention. The client/server type distributed system according to the fourteenth embodiment of the present invention has the same configuration as the client/server type distributed system according to the twelfth embodiment of the present invention shown in fig. 40, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distributed system according to the fourteenth embodiment of the present invention will be described below with reference to fig. 40, 46, and 47.
The processing of the server apparatus 1b and the client apparatus 3-1 shown in fig. 46 and 47 can be realized by the CPU of each of the server apparatus 1b and the client apparatus 3-1 executing a program. In addition, the server apparatus 1b and the client apparatus 3-1 have already set the password information, and when there is a password, encryption/decryption processing is performed at the time of SIP messaging. The set password information is hereinafter referred to as old password information.
When the server apparatus 1b and the client apparatus 3-1 are in a state in which the password is set by the set password information (n 20 in fig. 46), and the presence or absence of a password, the password rule, and the password range of the SIP message used in SIP messaging with the client apparatus 3-1 are input from the local maintenance console 2 connected to the server apparatus 1b (n 11 in fig. 46), the password information input interface section 12 receives the setting request including the presence or absence of a password, the password rule, and the password range, and when the normality of the setting request can be determined, passes the presence or absence of a password, the password rule, and the password range to the password information setting section 11.
The encryption information setting unit 11 instructs the key generation unit 18 to generate a key (n 21 in fig. 46) to be used for SIP messaging with the client apparatus 3-1, and stores the key generated by the key generation unit 18 and the presence or absence of an encryption, the encryption rule, and the encryption range input from the local maintenance console 2 (n 22 in fig. 46). The encryption information setting unit 11 instructs the SIP message generation unit 14 to generate a SIP request message including new encryption presence/absence, encryption rule, encryption range, and key (hereinafter, referred to as new encryption information) (n 23 in fig. 46). In this case, the key generated by the key generation unit 18 is encrypted based on the old encryption information. The SIP message generation unit 14 generates a SIP request message including the new encryption information, and passes the generated SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting section 16 encrypts the SIP request message based on the old password information (n 24 in fig. 46). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (n 25 in fig. 46).
When receiving the SIP request message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP request message to the SIP message encryption/decryption section 36. The SIP message encrypting/decrypting section 36 decrypts the SIP request message (n 41 of fig. 46). The decrypted SIP request message is passed to the SIP message analyzer 35. When the normality of the new cryptographic information can be confirmed, the SIP message analysis unit 35 passes the new cryptographic information to the cryptographic information setting unit 31. The encryption information setting unit 31 stores the new encryption information, and sets the new encryption information in the SIP message encryption/decryption unit 36 (n 42 in fig. 46).
After the completion of the setting, the encryption information setting unit 31 instructs the SIP message generating unit 34 to generate a SIP response message notifying that the setting of the new encryption information is completed (n 43 in fig. 46). The SIP message creation unit 34 creates a SIP response message, and encrypts the created SIP response message with the old password information in the SIP message encryption/decryption unit 36 (n 44 in fig. 46). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (n 45 in fig. 46).
When receiving the SIP response message notifying the completion of setting the new encryption information, the SIP interface 13 of the server 1b instructs the SIP message encrypting/decrypting unit 16 to decrypt the SIP response message (n 26 in fig. 47). The SIP message encrypting/decrypting section 16 decrypts the SIP response message, and passes the decrypted SIP response message to the SIP message analyzing section 15. The SIP message analysis unit 15 transmits a new encryption information setting completion notification on the client device 3-1 side to the encryption information setting unit 11. The encryption information setting unit 11 recognizes the completion of the setting of the new encryption information, and instructs the SIP message encrypting/decrypting unit 16 to set the new encryption information (n 27 in fig. 47).
After the setting is completed, the password information setting unit 11 transmits the setting completion from the password information input interface unit 12 to the local maintenance console 2 (n 28 in fig. 47). The local maintenance console 2 displays the presence or absence of the password/the password rule/the completion of the setting of the password range (n 29 in fig. 47).
In this embodiment, the encryption/decryption operations after setting the new password information of the server apparatus 1b and the client apparatus 3-1 are the same as those in the twelfth embodiment of the present invention, and therefore, the illustration and description thereof are omitted.
As described above, in the present embodiment, in the system for transmitting and receiving SIP messages in the state where the encryption is set, when the key to be used is distributed from the server apparatus 1b to the client apparatus 3-1, the key is always communicated over the IP network in an encrypted state. It is therefore possible to prevent leakage of the key and to enhance the encryption security function in encrypting the SIP messages.
In this embodiment, the effect of the SIP message encryption function using the set password information is the same as that of the twelfth embodiment of the present invention described above. Although the operation of the client devices 3-2 and 3-3 is not described, the same effect as that obtained when the client device 3-1 is used can be obtained.
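The key change described in the thirteenth and fourteenth embodiments, as an added sketch that is not code from the patent: the server wraps a freshly generated key under the old key, the client answers under the old key, and each side then accepts old-key traffic only until its validity timer expires. The HMAC-based stand-in cipher, the JSON body, the acknowledgement string, and the names `Endpoint`, `seal`, `unseal` and `demo` are assumptions made for this illustration; the patent's cipher rule and SIP message layout are not reproduced.

```python
import hashlib
import hmac
import json
import os
import time

ACK = b"new-cipher-info-set"   # constructed acknowledgement body (assumption)


def _stream(key, nonce, n):
    """HMAC-SHA256 in counter mode as a keystream (stand-in for the cipher rule)."""
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Encrypt then MAC; the output is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Return the plaintext, or None if the blob was not sealed under this key."""
    if key is None or len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


class Endpoint:
    """One side of the link; server and client share the same receive logic."""

    def __init__(self, key, grace_seconds, clock=time.monotonic):
        self.current, self.old, self.pending = key, None, None
        self.old_deadline = 0.0
        self.grace, self.clock = grace_seconds, clock

    def _install(self, new_key):
        # m4/m5: switch to the new key and start the old-key validity timer.
        self.old, self.current = self.current, new_key
        self.old_deadline = self.clock() + self.grace

    def send(self, sip_text):
        # m10/m11: after the change, every message is sent under the new key.
        return seal(self.current, sip_text.encode())

    def receive(self, blob):
        plain = unseal(self.current, blob)            # m12/m13
        if plain is None and self.old is not None:
            if self.clock() < self.old_deadline:      # m7: timer still running
                plain = unseal(self.old, blob)        # m8
            else:
                self.old = None                       # m9: discard; this sketch also forgets the key
        return None if plain is None else plain.decode()

    def start_rollover(self, settings):               # server, n21 to n25
        self.pending = os.urandom(32)                 # random key, never shown to a person
        body = dict(settings, key=self.pending.hex())
        return seal(self.current, json.dumps(body).encode())   # n24: under the old key

    def handle_rollover_request(self, blob):          # client, n41 to n45
        plain = unseal(self.current, blob)            # n41
        if plain is None:
            return None
        self._install(bytes.fromhex(json.loads(plain)["key"]))  # n42
        return seal(self.old, ACK)                    # n44: reply still under the old key

    def finish_rollover(self, response_blob):         # server, n26 and n27
        if self.pending is None or unseal(self.current, response_blob) != ACK:
            return False
        self._install(self.pending)
        self.pending = None
        return True


def demo():
    now = [0.0]                                       # fake clock so the timer is testable
    k_old = os.urandom(32)
    server = Endpoint(k_old, 5.0, lambda: now[0])
    client = Endpoint(k_old, 5.0, lambda: now[0])
    in_flight = client.send("INVITE sip:200@pbx.example SIP/2.0")   # constructed sample
    request = server.start_rollover({"cipher": True, "rule": "demo", "range": "body"})
    rolled = server.finish_rollover(client.handle_rollover_request(request))
    now[0] = 3.0
    within = server.receive(in_flight)                # old key, timer running
    fresh = client.receive(server.send("BYE sip:201@pbx.example SIP/2.0"))
    now[0] = 6.0
    after = server.receive(in_flight)                 # old key, timer expired
    return rolled, within, fresh, after


if __name__ == "__main__":
    print(demo())
```

Trying the current key first and the old key second only works because the stand-in cipher is authenticated; with an unauthenticated cipher the receiver would need an explicit key indicator to tell the two apart.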
Fifteenth embodiment
Fig. 48 and 49 are sequence diagrams showing the operation of the client/server type distributed system according to the fifteenth embodiment of the present invention. The client/server type distributed system according to the fifteenth embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the twelfth embodiment of the present invention shown in fig. 40, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distributed system according to the fifteenth embodiment of the present invention will be described below with reference to fig. 40, 48, and 49.
The processing of the server apparatus 1b and the client apparatus 3-1 shown in fig. 48 and 49 can be realized by the CPU of each of the server apparatus 1b and the client apparatus 3-1 executing a program. In the present embodiment, the server apparatus 1b and the client apparatus 3-1 have already set the encryption information, and when there is an encryption, encryption/decryption processing is performed at the time of SIP messaging. The set password information is hereinafter referred to as old password information.
When the server apparatus 1b and the client apparatus 3-1 are in a state of setting a password by the set password information (o 20 in fig. 48), when the presence or absence of a password, the password rule, and the password range of an SIP message at the time of SIP messaging with the client apparatus 3-1 are input from the local maintenance console 2 connected to the server apparatus 1b (o 11 in fig. 48), the password information input interface section 12 receives a setting request including the presence or absence of a password, the password rule, and the password range (o 12 in fig. 48), and when the normality of the setting request can be determined, the presence or absence of a password, the password rule, and the password range are transferred to the password information setting section 11.
The encryption information setting unit 11 instructs the key generation unit 18 to generate a key (o 21 in fig. 48) to be used for SIP messaging with the client apparatus 3-1, and stores the key generated by the key generation unit 18 and the presence or absence of an encryption, the encryption rule, and the encryption range input from the local maintenance console 2 (o 22 in fig. 48).
The encryption information setting unit 11 instructs the SIP message generation unit 14 to generate a SIP request message including new encryption presence/absence, encryption rule, encryption range, and key (hereinafter, referred to as new encryption information) (o 23 in fig. 48). The SIP message creation unit 14 creates a SIP request message and passes the created request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting section 16 encrypts the SIP request message based on the old password information (o 24 of fig. 48). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3-1 via the SIP interface 13 (o 25 in fig. 48).
When receiving the SIP request message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP request message to the SIP message encryption/decryption section 36. The SIP message encrypting/decrypting section 36 decrypts the SIP request message (o 41 of fig. 48). The decrypted SIP request message is passed to the SIP message analyzer 35. When the normality of the new cryptographic information can be confirmed, the SIP message analysis unit 35 passes the new cryptographic information to the cryptographic information setting unit 31. The encryption information setting unit 31 stores the new encryption information, and sets the new encryption information in the SIP message encryption/decryption unit 36 (o 42 in fig. 48).
After the setting is completed, the cryptographic information setting unit 31 instructs the SIP message generating unit 34 to generate a SIP response message (o 43 in fig. 48) notifying that the setting of the new cryptographic information is completed. The SIP message creation unit 34 creates a SIP response message, and encrypts the created SIP response message with the old password information in the SIP message encryption/decryption unit 36 (o 44 in fig. 48). The encrypted SIP response message is transmitted to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (o 45 in fig. 48).
When receiving the SIP response message notifying the completion of setting the new encryption information, the SIP interface 13 of the server 1b instructs the SIP message encrypting/decrypting unit 16 to decrypt the SIP response message (o 26 in fig. 49). The SIP message encrypting/decrypting section 16 decrypts the SIP response message. The decrypted SIP response message is delivered to the SIP message analyzer 15. The SIP message analyzer 15 transmits a new password information setting completion notification on the client device 3-1 side to the password information setting unit 11, and the password information setting unit 11 recognizes the completion of the new password information setting and instructs the SIP message encryptor/decryptor 16 to set the new password information (o 27 in fig. 49).
After the setting is completed, the password information setting unit 11 transmits the setting completion from the password information input interface unit 12 to the local maintenance console 2 (o 28 in fig. 49). The local maintenance console 2 displays the presence or absence of the password/the password rule/the completion of the setting of the password range (o 13 of fig. 49).
In this embodiment, the encryption/decryption operations after setting the new password information of the server apparatus 1b and the client apparatus 3-1 are the same as those in the twelfth embodiment of the present invention, and therefore, the illustration and description thereof are omitted.
As described above, in the present embodiment, in the system for transmitting and receiving SIP messages in the state where the encryption is set, when the key to be used is distributed from the server apparatus 1b to the client apparatus 3-1, the key is without fail communicated over the IP network in an encrypted state, so that it is possible to prevent leakage of the key and to enhance the encryption security function in encrypting the SIP message.
In this embodiment, the effect of the SIP message encryption function using the set encryption information is the same as that of the eleventh and twelfth embodiments of the present invention described above. Although the operation of the client devices 3-2 and 3-3 is not described, the same effect as that obtained when the client device 3-1 is used can be obtained.
Sixteenth embodiment
Fig. 50 to 54 are sequence diagrams showing operations of the client/server type distributed system according to the sixteenth embodiment of the present invention. The client/server type distributed system according to the sixteenth embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the eleventh embodiment of the present invention shown in fig. 35, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distributed system according to the sixteenth embodiment of the present invention will be described below with reference to fig. 35 and fig. 50 to 54. The processing of the server device 1b and the processing of the client device 3a-1 shown in fig. 50 to 54 can be realized by executing programs by the CPU of each of the server device 1b and the client device 3a-1.
When an initial server access request to the server apparatus 1b is generated from the client apparatus 3a-1 (p 41 in fig. 50), the SIP message generation unit 34 generates an SIP request message and transmits the generated SIP request message to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (p 42 in fig. 50).
When receiving the SIP request message, the SIP interface 13 of the server 1b recognizes the initial access from the client apparatus 3a-1 and passes it to the encryption information setting unit 11. The encryption information setting unit 11 creates and stores a random parameter for key generation (p 21 in fig. 50) used for encrypting the SIP message between the server device 1b and the client device 3a-1, and instructs the SIP message creating unit 14 to create a SIP response message to which the random parameter for key generation is added. The SIP message creation unit 14 creates a SIP response message and transmits the created SIP response message to the SIP interface unit 33 of the client apparatus 3a-1 via the SIP interface unit 13 (p 22 in fig. 50).
When the SIP interface unit 33 of the client apparatus 3a-1 receives the SIP response message to which the random parameter for key generation is added, the received random parameter for key generation is passed to the encryption information setting unit 31. The encryption information setting unit 31 stores the key generation random parameter (p 43 in fig. 50). This causes the server apparatus 1b and the client apparatus 3a-1 to enter a state of password setting completion (absence or presence) (p 23 in fig. 50).
When the presence/absence of a password, the password rule, and the password range of an SIP message at the time of transmitting and receiving an SIP message to and from the client apparatus 3a-1 are inputted from the local maintenance console 2 connected to the server apparatus 1b (p 11 in fig. 50), the password information input interface section 12 receives a setting request including the presence/absence of a password, the password rule, and the password range (p 12 in fig. 50), and when the normality of the setting request can be specified, transmits the presence/absence of a password, the password rule, and the password range to the password information setting section 11. The password information setting unit 11 stores the password presence/absence, the password rule, and the password range (p 24 in fig. 50).
The encryption information setting unit 11 of the server apparatus 1b instructs the SIP message generating unit 14 to generate a SIP request message including the presence or absence of an encryption, the encryption rule, and the encryption range (p 25 in fig. 50). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3a-1 via the SIP interface unit 13 (p 26 in fig. 50).
When the SIP interface unit 33 of the client apparatus 3a-1 receives the SIP request message including the presence/absence of the password, the password rule, and the password range, the received SIP request message is transferred to the SIP message analyzing unit 35. When the SIP message analysis unit 35 can confirm the normality of the password presence/password rule/password range, the password presence/password rule/password range is transmitted to the password information setting unit 31. The encryption information setting unit 31 stores the presence or absence of encryption, the encryption rule, and the encryption range, generates a key from the key generation unit 38 based on the stored random parameter for key generation (p 44 in fig. 50), and sets the presence or absence of encryption, the encryption rule, and the encryption range in the SIP message encryption/decryption unit 36 (p 45 in fig. 50).
After the completion of the setting, the encryption information setting unit 31 instructs the SIP message generation unit 34 to generate a SIP response message (p 46 in fig. 50) notifying the presence or absence of the encryption, the encryption rule, and the completion of the setting of the encryption range. The SIP message creation unit 34 creates a SIP response message and transmits the created SIP response message to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (p 47 in fig. 50).
When the SIP interface unit 13 of the server apparatus 1b receives the SIP response message notifying the completion of the setting of the presence or absence of the password, the password rule, and the password range, the received SIP response message is transmitted to the SIP message analyzing unit 15. The SIP message analysis unit 15 transmits, to the password information setting unit 11, a notification of the completion of the setting of the presence or absence of the password, the password rule, and the password range on the side of the SIP protocol compliant client apparatus 3. The encryption information setting unit 11 recognizes the completion of the setting of the presence or absence of the encryption, the encryption rule, and the encryption range, generates the key from the key generation unit 18 based on the stored random parameter for key generation (p 27 in fig. 51), and instructs the SIP message encryption/decryption unit 16 to set the presence or absence of the encryption, the encryption rule, and the encryption range (p 28 in fig. 51). As a result, the server device 1b and the client device 3a-1 enter a state in which the password is set by the set password information (old password information) (p 29 in fig. 51).
In the following flow, the password information that has been set, that is, the information in effect after the presence/absence of a password, the password rule, and the password range are set in the SIP message encryption/decryption unit 16, is referred to as the old password information.
The encryption information setting unit 11 instructs the key generation unit 18 to generate a key (p 30 in fig. 51) used for SIP messaging with the SIP protocol compliant client apparatus 3, and stores the key generated by the key generation unit 18 and the encryption presence/encryption rule/encryption range of the old encryption information (p 31 in fig. 51).
The encryption information setting unit 11 instructs the SIP message generation unit 14 to generate a SIP request message including new encryption presence/absence, encryption rule, encryption range, and key (hereinafter, referred to as new encryption information) (p 32 in fig. 51). The SIP message creation unit 14 creates a SIP request message, and passes the created SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting section 16 encrypts the SIP request message with the old password information (p 33 of fig. 51). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3a-1 via the SIP interface 13 (p 34 in fig. 51).
When receiving the SIP request message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP request message to the SIP message encryption/decryption section 36. The SIP message encrypting/decrypting section 36 decrypts the SIP request message (p 48 of fig. 51). The decrypted SIP request message is passed to the SIP message analyzer 35. When the normality of the new cryptographic information can be confirmed, the SIP message analysis unit 35 passes the new cryptographic information to the cryptographic information setting unit 31.
The cipher information setting unit 31 stores the new cipher information, sets the new cipher information in the SIP message encryption/decryption unit 36 (p 49 in fig. 51), and instructs the SIP message generation unit 34 to generate a SIP response message (p 50 in fig. 51) notifying that the setting of the new cipher information is completed after the setting is completed. The SIP message creating unit 34 creates a SIP response message, and encrypts the created SIP response message with the old encryption information in the SIP message encrypting/decrypting unit 36 (p 51 in fig. 51). The encrypted SIP response message is transmitted to the SIP interface 13 of the server apparatus 1b via the SIP interface 33 (p 52 in fig. 51).
When receiving the SIP response message notifying the completion of setting the new encryption information, the SIP interface 13 of the server 1b instructs the SIP message encrypting/decrypting unit 16 to decrypt the SIP response message (p 35 in fig. 52). The SIP message encrypting/decrypting section 16 decrypts the SIP response message, and passes the decrypted SIP response message to the SIP message analyzing section 15. The SIP message analyzing unit 15 transmits a notification of completion of setting of new encryption information on the side of the SIP protocol-compliant client device 3-1 to the encryption information setting unit 11.
The password information setting unit 11 receives the completion of setting of the new password information, instructs the SIP message encryption/decryption unit 16 to set the new password information (p 36 in fig. 52), and transmits the completion of setting from the password information input interface unit 12 to the local maintenance console 2 (p 37 in fig. 52) after the completion of setting. The local maintenance console 2 displays the presence or absence of the password/the password rule/the completion of the setting of the password range (p 13 in fig. 52).
The transmission and reception operations of the SIP message with the new cipher information set in the SIP message encryption/decryption unit 16 (the operations of p39 to p3d and p53 to p55 in fig. 52, p3e to p3g and p56 to p5e in fig. 53, and p3h to p3n and p5f to p5h in fig. 54) are the same as those in the eleventh embodiment of the present invention, and therefore, the description thereof is omitted.
In this way, in the present embodiment, when changing from the password-free state to the password state, the password information is set in two stages: first, encryption information is set using a key created synchronously at both the client apparatus 3a-1 and the server apparatus 1b; thereafter, encryption information is set using the key automatically generated by the server device 1b. The actual SIP messages are therefore encrypted/decrypted using a key that is automatically generated by the server device 1b and unknown to a third party including the maintenance person, which enhances the cryptographic security function. In addition, in the present embodiment, since the key used for encrypting SIP messaging is always notified in an encrypted state, the security of the cryptographic function can be enhanced.
Further, in this embodiment, the effect as the SIP message encryption function using the set cipher information is the same as that in the eleventh to fifteenth embodiments of the present invention described above. Although the operation of the client devices 3a-2 and 3a-3 is not described, the same effect as that obtained when the client device 3a-1 is used can be obtained.
Seventeenth embodiment
Fig. 55 to 60 are sequence diagrams showing operations of a client/server type distributed system according to a seventeenth embodiment of the present invention. The client/server type distributed system according to the seventeenth embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the eleventh embodiment of the present invention shown in fig. 35, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distributed system according to the seventeenth embodiment of the present invention will be described below with reference to fig. 35 and 55 to 60. The processing of the server device 1b and the processing of the client device 3a-1 shown in fig. 55 to 60 can be realized by executing programs by the CPU of each of the server device 1b and the client device 3a-1.
When an initial server access request to the server apparatus 1b is generated from the client apparatus 3a-1 (q 41 in fig. 55), the SIP message generation unit 34 generates an SIP request message and transmits the generated SIP request message to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (q 42 in fig. 55).
When receiving the SIP request message, the SIP interface 13 of the server 1b recognizes the initial access from the client apparatus 3a-1 and passes it to the encryption information setting unit 11. The encryption information setting unit 11 creates and stores a random parameter for key generation (q 21 in fig. 55) used for encrypting the SIP message between the server device 1b and the client device 3a-1, and instructs the SIP message creating unit 14 to create a SIP response message to which the random parameter for key generation is added. The SIP message creation unit 14 creates an SIP response message and transmits the created SIP response message to the SIP interface unit 33 of the client apparatus 3a-1 via the SIP interface unit 13 (q 22 in fig. 55).
When the SIP interface unit 33 of the client apparatus 3a-1 receives the SIP response message to which the random parameter for key generation is added, the received random parameter for key generation is passed to the encryption information setting unit 31. The encryption information setting unit 31 stores the key generation random parameter (q 43 in fig. 55). This causes the server apparatus 1b and the client apparatus 3a-1 to enter a state of password setting completion (absence or presence) (q 23 in fig. 55).
Thereafter, the password information setting between the server apparatus 1a and the client apparatus 3a-1 is executed. Since this password information setting operation is the same as in the eleventh embodiment of the present invention, the description of the password information setting operation is omitted, and the password information setting is completed.
When the encryption presence/absence, encryption rule, and encryption range to be applied to SIP messages exchanged with the client apparatus 3a-1 are input from the local maintenance console 2 connected to the server apparatus 1b (q 11 in fig. 55), the encryption information input interface section 12 receives a setting request containing the encryption presence/absence, encryption rule, and encryption range (q 12 in fig. 55) and, when the normality of the setting request can be confirmed, passes the encryption presence/absence, encryption rule, and encryption range to the encryption information setting section 11.
The encryption information setting unit 11 checks, from the encryption information at the present time, whether encryption is present or absent (q 24 in fig. 55). When there is no encryption, it first executes a step of encrypting/decrypting SIP messages using a key generated from the random parameter for key generation stored in the storage unit, and then executes the following step: with the encryption information whose key was created from the stored random parameter for key generation treated as the old encryption information, the encryption information whose key is automatically generated at random by the server apparatus 1 (new encryption information) is set.
The encryption information setting unit 11 stores the presence or absence of encryption, the encryption rule, and the encryption range (q 25 in fig. 55), and instructs the SIP message generation unit 14 to generate a SIP request message including the presence or absence of encryption, the encryption rule, and the encryption range (q 26 in fig. 55). The SIP message creation unit 14 creates an SIP request message and transmits the created SIP request message to the SIP interface unit 33 of the client apparatus 3a-1 via the SIP interface unit 13 (q 27 in fig. 55).
When the SIP interface unit 33 of the client apparatus 3a-1 receives the SIP request message including the presence/absence of the password, the password rule, and the password range, the received SIP request message is transferred to the SIP message analyzing unit 35. When the SIP message analysis unit 35 can confirm the normality of the password presence/password rule/password range, the password presence/password rule/password range is transmitted to the password information setting unit 31.
The encryption information setting unit 31 stores the encryption presence/absence, the encryption rule, and the encryption range, generates a key from the key generation unit 38 based on the stored random parameter for key generation (q 44 in fig. 55), and sets the encryption presence/absence, the encryption rule, the encryption range, and the key in the SIP message encryption/decryption unit 36 (q 45 in fig. 55). After the setting is completed, the encryption information setting unit 31 instructs the SIP message generating unit 34 to generate a SIP response message (q 46 in fig. 56) notifying the presence or absence of the encryption, the encryption rule, and the completion of the setting of the encryption range. The SIP message creation unit 34 creates a SIP response message and transmits the created SIP response message to the SIP interface unit 13 of the server apparatus 1b via the SIP interface unit 33 (q 47 in fig. 56).
When the SIP interface unit 13 of the server apparatus 1b receives the SIP response message notifying completion of the setting of the encryption presence/absence, encryption rule, and encryption range, it passes the received SIP response message to the SIP message analyzing unit 15. The SIP message analysis unit 15 notifies the encryption information setting unit 11 that setting of the encryption presence/absence, encryption rule, and encryption range on the client device 3a-1 side is complete.
The encryption information setting unit 11 recognizes that setting of the encryption presence/absence, encryption rule, and encryption range is complete, generates the key from the key generation unit 18 based on the stored random parameter for key generation (q 28 in fig. 56), and instructs the SIP message encryption/decryption unit 16 to set the encryption presence/absence, encryption rule, encryption range, and key (q 29 in fig. 56). Thus, encryption setting using this encryption information (the old encryption information) is completed between the server apparatus 1b and the client apparatus 3a-1 (q 30 in fig. 56).
In the flow described below, the encryption presence/absence, encryption rule, encryption range, and key set in the SIP message encryption/decryption unit 16 are treated as the old encryption information.
When the server device 1a and the client device 3a-1 are in a state of being set with a password by the old password information (q 31 in fig. 56), the password information setting unit 11 instructs the key generation unit 18 to generate a key (q 32 in fig. 56) to be used when SIP messages are transmitted to and received from the SIP protocol-compliant client device 3, and stores the key generated by the key generation unit 18 and the password presence/absence/password rule/password range of the old password information (q 33 in fig. 56).
The encryption information setting unit 11 instructs the SIP message generation unit 14 to generate a SIP request message including new encryption presence/absence, encryption rule, encryption range, and key (hereinafter, referred to as new encryption information) (q 34 in fig. 56). The SIP message creation unit 14 creates a SIP request message, and passes the created SIP request message to the SIP message encryption/decryption unit 16. The SIP message encrypting/decrypting section 16 encrypts the SIP request message with the old password information (q 35 of fig. 56). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3a-1 via the SIP interface 13 (q 36 in fig. 56).
When the SIP interface section 33 of the client apparatus 3a-1 receives the SIP request message, it transfers the received SIP request message to the SIP message encryption/decryption section 36. The SIP message encrypting/decrypting section 36 decrypts the SIP request message (q 48 in fig. 56), and passes the decrypted SIP request message to the SIP message analyzing section 35. When the normality of the new cryptographic information can be confirmed, the SIP message analysis unit 35 passes the new cryptographic information to the cryptographic information setting unit 31.
The encryption information setting unit 31 stores the new encryption information, and sets the new encryption information in the SIP message encryption/decryption unit 36 (q 49 in fig. 57). After the setting is completed, the encryption information setting unit 31 instructs the SIP message generating unit 34 to generate a SIP response message (q 50 in fig. 57) notifying that the setting of the new encryption information is completed. The SIP message creating unit 34 creates a SIP response message, and encrypts the created SIP response message with the old encryption information in the SIP message encrypting/decrypting unit 36 (q 51 in fig. 57). The encrypted SIP response message is transmitted to the SIP interface 13 of the server apparatus 1b via the SIP interface 33 (q 52 in fig. 57).
When receiving the SIP response message notifying the completion of setting the new encryption information, the SIP interface 13 of the server 1b instructs the SIP message encrypting/decrypting unit 16 to decrypt the SIP response message (q 37 in fig. 57). The SIP message encrypting/decrypting section 16 decrypts the SIP response message, and passes the decrypted SIP response message to the SIP message analyzing section 15. The SIP message analysis unit 15 notifies the encryption information setting unit 11 that setting of the new encryption information on the client device 3a-1 side is complete.
The password information setting unit 11 receives the completion of the setting of the new password information, instructs the SIP message encryption/decryption unit 16 to set the new password information (q 38 in fig. 57), and transmits the completion of the setting from the password information input interface unit 12 to the local maintenance console 2 (q 39 in fig. 57). The local maintenance console 2 displays the presence or absence of the password/the password rule/the completion of the password range setting (q 13 in fig. 57).
When the encryption presence/absence, encryption rule, and encryption range to be applied to SIP messages exchanged with the SIP protocol-compliant client apparatus 3 are input from the local maintenance console 2 connected to the server apparatus 1b, and the encryption information setting unit 11 finds that encryption is present in the encryption information at the present time (q 24 in fig. 55), the following step is executed: with the encryption information at the present time treated as the old encryption information, the encryption information whose key is automatically generated at random by the server apparatus 1b (new encryption information) is set.
The encryption information setting unit 11 instructs the key generation unit 18 to generate a key (q 32 in fig. 56) to be used for SIP messaging with the client apparatus 3a-1, and stores the key generated by the key generation unit 18 and the encryption presence/absence, encryption rule, and encryption range of the old encryption information (q 33 in fig. 56). The encryption information setting unit 11 instructs the SIP message generating unit 14 to generate a SIP request message including new encryption information (q 34 in fig. 56). The SIP message creating unit 14 creates a SIP request message, and passes the created SIP request message to the SIP message encrypting/decrypting unit 16. The SIP message encrypting/decrypting section 16 encrypts the SIP request message based on the old password information (q 35 of fig. 56). The encrypted SIP request message is transmitted to the SIP interface 33 of the client apparatus 3a-1 via the SIP interface 13 (q 36 in fig. 56).
When receiving the SIP request message, the SIP interface section 33 of the client apparatus 3-1 transfers the received SIP request message to the SIP message encryption/decryption section 36. The SIP message encrypting/decrypting section 36 decrypts the SIP request message (q 48 in fig. 56), and passes the decrypted SIP request message to the SIP message analyzing section 35. When the normality of the new cryptographic information can be confirmed, the SIP message analysis unit 35 passes the new cryptographic information to the cryptographic information setting unit 31.
The encryption information setting unit 31 stores the new encryption information, and sets the new encryption information in the SIP message encryption/decryption unit 36 (q 49 in fig. 57). After the setting is completed, the encryption information setting unit 31 instructs the SIP message generating unit 34 to generate a SIP response message (q 50 in fig. 57) notifying that the setting of the new encryption information is completed. The SIP message creating unit 34 creates a SIP response message, and encrypts the created SIP response message with the old encryption information in the SIP message encrypting/decrypting unit 36 (q 51 in fig. 57). The encrypted SIP response message is transmitted to the SIP interface 13 of the server apparatus 1b via the SIP interface 33 (q 52 in fig. 57).
When receiving the SIP response message notifying the completion of setting the new encryption information, the SIP interface 13 of the server 1b instructs the SIP message encrypting/decrypting unit 16 to decrypt the SIP response message (q 37 in fig. 57). The SIP message encrypting/decrypting section 16 decrypts the SIP response message, and passes the decrypted SIP response message to the SIP message analyzing section 15. The SIP message analysis unit 15 notifies the encryption information setting unit 11 that setting of the new encryption information on the client device 3a-1 side is complete.
The password information setting unit 11 receives the completion of the setting of the new password information, instructs the SIP message encryption/decryption unit 16 to set the new password information (q 38 in fig. 57), and transmits the completion of the setting from the password information input interface unit 12 to the local maintenance console 2 (q 39 in fig. 57). The local maintenance console 2 displays the presence or absence of the password/the password rule/the completion of the password range setting (q 13 in fig. 57).
The transmission/reception operation of the SIP message with the new cipher information set in the SIP message encryption/decryption unit 16 (the operations of q3b to q3f in fig. 57, q3g to q3i, q53 to q5b in fig. 58, q3j to q3p in fig. 59, p5c to p5g, and q5h in fig. 60) is the same as the eleventh embodiment of the present invention described above, and therefore, the description thereof is omitted.
As described above, in the present embodiment, the maintainer can change the password information at any time from the local maintenance console 2 via the server device 1b, and perform the SIP message transmission and reception using the new password information, thereby enhancing the password security function of the SIP message.
In addition, in the present embodiment, the maintainer can arbitrarily set the presence or absence of encryption of the SIP message to the server apparatus via the SIP protocol. When encryption is set, a cryptographic security function on the network can be realized; encryption can be set where it is required and left unset where it is unnecessary, depending on the network configuration; and setting no encryption is easy during maintenance work in which an SIP message log is taken, so that management by the maintainer can be simplified.
Further, in the present embodiment, the optimum procedure for changing the encryption information, including the key generation method, is selected automatically according to the content of the change, and therefore the encryption information can be changed safely. In this embodiment, the effect of encrypting SIP messaging is the same as in the first to sixteenth embodiments of the present invention described above. Although the operation of the client devices 3a-2 and 3a-3 is not described, the same effect as that obtained when the client device 3a-1 is used can be obtained.
Eighteenth embodiment
Fig. 61 is a block diagram showing the configuration of a client/server type distributed system of an eighteenth embodiment of the present invention. In fig. 61, a client/server type distributed system according to an eighteenth embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the eleventh embodiment of the present invention shown in fig. 35 except that a password information update timer control unit 19 is provided in a server device 1c, and the same components are denoted by the same reference numerals. The operation of the same constituent elements is the same as that in the eleventh embodiment of the present invention.
In the present embodiment, the server device 1c and the client devices 3a-1 to 3a-3 have already set the encryption information, and when there is an encryption, encryption/decryption processing is performed at the time of SIP messaging. The set password information is hereinafter referred to as old password information.
In the present embodiment, by implementing the above configuration, it is possible to periodically update the encryption information used for encrypting the SIP message when the server device 1c and the client devices 3a-1 to 3a-3 communicate with each other, and it is possible to enhance the security of the SIP message control on the IP network.
Fig. 62 and 63 are sequence diagrams showing operations of a client/server type distributed system according to an eighteenth embodiment of the present invention. The operation of the client/server type distributed system according to the eighteenth embodiment of the present invention will be described with reference to fig. 61 to 63. The processing of the server apparatus 1c and the client apparatus 3a-1 shown in fig. 62 and 63 can be realized by the CPU of each of the server apparatus 1c and the client apparatus 3a-1 executing a program.
When the password information is set by the password information setting unit 11 of the server device 1c, the password information update timer control unit 19 is instructed to perform the update timer control of the password information, and the password information update timer control unit 19 starts the password information update timer (r 10 and r11 in fig. 62).
The encryption information update timer control unit 19 periodically updates the encryption information update timer (r 12 in fig. 62) and checks for a timeout (r 13 in fig. 62). When the encryption information update timer times out, the server apparatus 1c executes the encryption information update step. The update step differs depending on whether encryption is present or absent in the currently set encryption information; in the present embodiment, the step for the case where encryption is set will be described.
The encryption information setting unit 11 instructs the key generation unit 18 to generate a key (r 14 in fig. 62) to be used for SIP messaging with the client apparatus 3a-1, and stores the key generated by the key generation unit 18 and the encryption presence/encryption rule/encryption range of the old encryption information as new encryption information (r 15 in fig. 62).
The encryption information setting unit 11 instructs the SIP message generating unit 14 to generate a SIP request message including new encryption presence/absence, encryption rule, encryption range, and key (hereinafter, referred to as new encryption information) (r 16 in fig. 62). The SIP message creation unit 14 creates a SIP request message, and encrypts the created SIP request message based on the old encryption information in the SIP message encryption/decryption unit 16 (r 17 in fig. 62). The encrypted SIP response message is transmitted to the SIP interface 33 of the client apparatus 3a-1 via the SIP interface 13 (r 17 in fig. 62).
When the SIP interface section 33 of the client apparatus 3a-1 receives the SIP request message, it transfers the received SIP request message to the SIP message encryption/decryption section 36. The SIP message encrypting/decrypting section 36 decrypts the SIP request message (r 31 in fig. 62), and the decrypted SIP request message is passed to the SIP message analyzing section 35. When the normality of the new cryptographic information can be confirmed, the SIP message analysis unit 35 passes the new cryptographic information to the cryptographic information setting unit 31.
The cipher information setting unit 31 stores the new cipher information, sets the new cipher information in the SIP message encryption/decryption unit 36 (r 32 in fig. 62), and instructs the SIP message generation unit 34 to generate a SIP response message (r 33 in fig. 62) notifying that the setting of the new cipher information is completed after the setting is completed. The SIP message creation unit 34 creates a SIP response message, and encrypts the created SIP response message with the old password information in the SIP message encryption/decryption unit 36 (r 34 in fig. 62). The encrypted SIP response message is transmitted to the SIP interface 13 of the server apparatus 1c via the SIP interface 33 (r 35 in fig. 63).
When receiving the SIP response message notifying the completion of setting the new encryption information, the SIP interface 13 of the server 1c instructs the SIP message encrypting/decrypting unit 16 to decrypt the SIP response message (r 19 in fig. 63). The SIP message encrypting/decrypting section 16 decrypts the SIP response message, and passes the decrypted SIP response message to the SIP message analyzing section 15. The SIP message analysis unit 15 notifies the encryption information setting unit 11 that setting of the new encryption information on the client device 3a-1 side is complete. The encryption information setting unit 11 receives the completion of the setting of the new encryption information, and instructs the SIP message encryption/decryption unit 16 to set the new encryption information (r 20 in fig. 63).
After the new cipher information is set, the SIP message encrypting/decrypting unit 16 instructs the cipher information updating timer control unit 19 to control the cipher information updating timer, and the cipher information updating timer control unit 19 restarts the cipher information updating timer (r 21 in fig. 63 and r11 in fig. 62). The operation then returns to the first processing operation of the present embodiment, and the above-described processing operations are repeated.
As described above, in the present embodiment, the password information is changed periodically, the SIP message can be transmitted and received using the new password information, and the password security function of the SIP message can be enhanced. In this embodiment, the effect of encrypting SIP messages is the same as that of the first to sixteenth embodiments of the present invention. Although the operation of the client devices 3a-2 and 3a-3 is not described, the same effect as that obtained when the client device 3a-1 is used can be obtained.
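The rollover described in the seventeenth and eighteenth embodiments (new encryption information sent under the old key, completion notice returned under the old key, server switching only after that notice, timer restarted) can be sketched as follows. This is an added Python example, not code from the patent: the cipher is a stand-in built from HMAC-SHA256 because the passage names no algorithm, and the JSON encoding, the class and field names, the rule and range values, and the numeric `now` clock are all assumptions. Only the protected message content is modelled, not the SIP envelope.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, replace


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (_mac(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher (assumption): HMAC-SHA256 keystream, then a MAC over nonce + ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(_mac(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _mac(_mac(key, b"mac"), nonce + ct)


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _mac(_mac(key, b"mac"), nonce + ct)):
        raise ValueError("wrong key or modified message")
    return bytes(c ^ s for c, s in zip(ct, _stream(_mac(key, b"enc"), nonce, len(ct))))


@dataclass(frozen=True)
class CipherInfo:
    enabled: bool  # encryption presence/absence
    rule: str      # encryption rule (value constructed for this example)
    scope: str     # encryption range (value constructed for this example)
    key: bytes

    def encode(self) -> bytes:
        fields = {"enabled": self.enabled, "rule": self.rule,
                  "scope": self.scope, "key": self.key.hex()}
        return json.dumps(fields).encode()

    @staticmethod
    def decode(raw: bytes) -> "CipherInfo":
        d = json.loads(raw)
        info = CipherInfo(d["enabled"], d["rule"], d["scope"], bytes.fromhex(d["key"]))
        # "Normality" check before the new information is accepted.
        if info.enabled is not True or len(info.key) != 32:
            raise ValueError("rejected encryption information")
        return info


ACK = b"new-encryption-information-set"


class Client:
    def __init__(self, info: CipherInfo):
        self.active = info

    def handle_update(self, wire: bytes) -> bytes:
        old = self.active
        # Decrypt with the old information, validate, then install the new information.
        self.active = CipherInfo.decode(unseal(old.key, wire))
        # The completion notice still goes out under the OLD key.
        return seal(old.key, ACK)


class Server:
    def __init__(self, info: CipherInfo, interval: float, now: float = 0.0):
        self.active, self.pending = info, None
        self.interval, self.deadline = interval, now + interval

    def tick(self, now: float):
        """Timer check: on timeout, build new information and send it under the old key."""
        if self.pending is not None or now < self.deadline:
            return None
        # New key, same presence/rule/range as the old information.
        self.pending = replace(self.active, key=os.urandom(32))
        return seal(self.active.key, self.pending.encode())

    def handle_ack(self, wire: bytes, now: float) -> None:
        if self.pending is None or unseal(self.active.key, wire) != ACK:
            raise ValueError("unexpected completion notice")
        self.active, self.pending = self.pending, None  # switch only after the notice
        self.deadline = now + self.interval             # restart the update timer


def rotate_once():
    """One full update cycle; returns the old information and both endpoints."""
    old = CipherInfo(True, "constructed-rule", "constructed-range", os.urandom(32))
    server, client = Server(old, interval=3600), Client(old)
    update = server.tick(now=3600)
    server.handle_ack(client.handle_update(update), now=3601)
    return old, server, client


if __name__ == "__main__":
    old, server, client = rotate_once()
    print("keys agree:", server.active == client.active, "rotated:", server.active.key != old.key)
```

The passage does not describe recovery when the completion notice is lost; in this sketch the server would then stay on the old information with the update still pending while the client has already installed the new one.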
Nineteenth embodiment
Fig. 64 is a block diagram showing a configuration of a server apparatus according to a nineteenth embodiment of the present invention. In fig. 64, the server apparatus 1d includes at least the password information setting unit 11, the password information input interface unit 12, and the password information update timer control unit 19, and is connected to the local maintenance console 2 via a serial cable or the like. The local maintenance console 2 is temporarily installed during construction of the server apparatus 1d, and therefore may not be connected during operation.
In the present embodiment, with the above configuration, the timer for periodically updating the cipher information used to encrypt SIP messages exchanged between the server apparatus 1d and a client apparatus (not shown) is made variable, and the security of SIP message control on the IP network can be enhanced.
Fig. 65 is a sequence diagram showing the operation of the server apparatus 1d according to the nineteenth embodiment of the present invention. The operation of the server apparatus 1d according to the nineteenth embodiment of the present invention will be described with reference to fig. 64 and 65. The processing of the server apparatus 1d shown in fig. 65 is realized by the CPU of the server apparatus 1d executing a program.
When the password information update timer value is input from the local maintenance console 2 connected to the server apparatus 1d (s 1 in fig. 65), the password information input interface unit 12 receives a setting request including the password information update timer value (s 2 in fig. 65), and when the normality of the setting request can be confirmed, transmits the password information update timer value to the password information setting unit 11.
The password information setting unit 11 stores the password information update timer value, instructs the password information update timer control unit 19 to notify the password information update timer value, and starts the password information update timer (s 3 to s6 in fig. 65). The control operation of the password information update timer is the same as that of the eighteenth embodiment of the present invention, and therefore, the description thereof is omitted.
As described above, in the present embodiment, the periodic update timer can be set to any value from the local maintenance console 2, which changes the interval of the periodic update. When the periodic update is performed at a short interval, the security of the encryption can be further enhanced, and an optimum periodic update timer value can also be selected in consideration of the load state of the network.
Twentieth embodiment
Fig. 66 is a block diagram showing the configuration of a client/server type distributed system of a twentieth embodiment of the present invention. In fig. 66, a client/server type distributed system according to a twentieth embodiment of the present invention is configured such that a server apparatus 1e and client apparatuses 3b-n to 3b-n+2 are connected to each other via a LAN 100.
The server apparatus 1e includes at least an encryption information setting unit 11, an encryption information input interface unit 12, an SIP interface unit 13, an SIP message encryption/decryption unit 16, and an encryption information table 20, and the local maintenance console 2 is connected by a serial cable or the like. Further, the local maintenance console 2 is temporarily installed during construction of the server apparatus 1e, and therefore may not be connected during operation.
The client devices 3b-n are constituted by at least an encryption information setting unit 31, an SIP interface unit 33, and an SIP message encrypting/decrypting unit 36. Although not shown, the client devices 3b-n+1 and 3b-n+2 also have the same configuration as the client devices 3b-n.
In the present embodiment, with the above configuration, the cryptographic information for encrypting the SIP message at the time of communication between the server apparatus 1e and the plurality of client apparatuses 3-n to 3b-n+2 is set for each of the client apparatuses 3-n to 3b-n+2, and the security of SIP message control on the IP network can thereby be enhanced.
Fig. 67 is a sequence diagram showing the operation of the client/server type distributed system according to the twentieth embodiment of the present invention. Fig. 68 is a diagram showing a configuration example of the encryption information table 20 in fig. 66. The operation of the client/server type distributed system according to the twentieth embodiment of the present invention will be described with reference to fig. 66 to 68. The processing of the server apparatus 1e and the client apparatuses 3b-n shown in fig. 67 is realized by the respective CPUs of the server apparatus 1e and the client apparatuses 3b-n executing programs. In addition, x (x is a positive integer) client apparatuses can be registered in the server apparatus 1e.
The operation of setting the encryption information between the server apparatus 1e and the client apparatuses 3b-n is the same as the operation of setting the encryption information in the twelfth embodiment of the present invention, and therefore, the detailed description of that operation is omitted.
When encryption information to be used for SIP messaging with the client apparatuses 3b-n is set from the local maintenance console 2 via the encryption information input interface unit 12 (t 11 in fig. 67), and the encryption information is encryption information that can be set in the server apparatus 1e, the encryption information setting unit 11 stores the encryption information in the area for the client apparatuses 3b-n in the encryption information table 20 (t 21 in fig. 67), and notifies the client apparatuses 3b-n of the encryption information (t 22, t23 in fig. 67).
The client devices 3b-n store the encryption information in the encryption information setting unit 31, set the encryption information in the SIP message encrypting/decrypting unit 36 (t 31 in fig. 67), and notify the server device 1e of completion of the encryption information setting (t 32, t33 in fig. 67).
When the server apparatus 1e receives the notification of completion of setting of the password information, the SIP message encrypting/decrypting unit 16 sets the password information (t 24 in fig. 67) and completes setting of the password information of the client apparatuses 3b-n (t 25 and t13 in fig. 67).
In the same manner as the above-described setting operation, when encryption information for the client devices 3b-n+1 and 3b-n+2 is input from the local maintenance console 2, the encryption information setting unit 11 of the server device 1e stores the encryption information in the areas for the SIP protocol-compliant client devices 3b-n+1 and 3b-n+2 in the encryption information table 20, and executes the same encryption information setting procedure as described above.
As described above, in the present embodiment, the server apparatus 1e can set different encryption information for each of the client apparatuses 3b-n to 3b-n+2 and can use a separate encryption rule, encryption range, and encryption key for each of them, so that it is difficult to infer the encryption information used between other apparatuses from the encryption state of the client apparatuses 3b-n to 3b-n+2, and the encryption security function can be enhanced.
In this embodiment, the cryptographic functions of the client devices 3b-n to 3b-n+2 do not need to be matched in the system, and the cryptographic functions in the system can be realized as long as the cryptographic functions of the server device 1e and the client devices 3b-n to 3b-n+2 are matched. In the present embodiment, the effect of encrypting SIP messaging is the same as in the first to nineteenth embodiments of the present invention.
Twenty-first embodiment
Fig. 69 is a block diagram showing the configuration of a client/server type distributed system of a twenty-first embodiment of the present invention. In fig. 69, a client/server type distribution system according to a twenty-first embodiment of the present invention is configured such that a server device 1f and client devices 3c-1, 3c-2, 3d-1, and 3d-2 are connected to each other via a LAN 100.
The server device 1f is configured by at least an encryption information setting unit 11, an encryption information input interface unit 12, an SIP interface unit 13, an SIP message encryption/decryption unit 16, a key creation unit 18, and an encryption capability management unit 21, and is connected to the local maintenance console 2 via a serial cable or the like. Further, the local maintenance console 2 is temporarily installed during construction of the server apparatus 1e, and therefore may not be connected during operation.
The client devices 3c-1 and 3c-2 are constituted by at least an encryption information setting unit 31, an SIP interface unit 33, an SIP message encrypting/decrypting unit 36, a key creating unit 38, and an encryption capability managing unit 41, and the client devices 3d-1 and 3d-2 have at least the SIP interface unit 33.
In the present embodiment, by implementing the above configuration, the cryptographic information used for the SIP message encryption when the server apparatus 1f communicates with the plurality of client apparatuses 3c-1, 3c-2, 3d-1, and 3d-2 is provided for each of the client apparatuses 3c-1 and 3c-2, and the optimum security state can be maintained regardless of the difference in cryptographic capability of the client apparatuses.
Fig. 70 and 71 are sequence diagrams showing the operation of a client/server type distribution system according to a twenty-first embodiment of the present invention. The operation of the client/server type distributed system according to the twenty-first embodiment of the present invention will be described with reference to fig. 69 to 71 described above. The processing of the server device 1f and the client devices 3c-1, 3c-2, 3d-1, and 3d-2 shown in fig. 70 and 71 can be realized by executing a program by the respective CPUs of the server device 1f and the client devices 3c-1, 3c-2, 3d-1, and 3d-2.
When the initial server access request to the server apparatus 1f is generated from the client apparatus 3c-1 (u 41 in fig. 70), the cryptographic capability management unit 41 adds the cryptographic capability data held by the client apparatus 3c-1 to the transmitted SIP request message (u 42 in fig. 70), and transmits the result to the SIP interface unit 13 of the server apparatus 1f via the SIP interface unit 33 (u 43 in fig. 70).
When receiving the SIP request message, the SIP interface 13 of the server 1f acquires the initial access from the client apparatus 3c-1 and passes it to the encryption information setting unit 11. The cryptographic information setting unit 11 notifies the cryptographic capability management unit 21 of the cryptographic capability held by the client apparatus 3c-1, and the cryptographic capability management unit 21 stores the cryptographic capability (u 21 in fig. 70).
The cryptographic information setting unit 11 creates and stores a random parameter for key generation (u 22 in fig. 70) used for encrypting the SIP message between the server apparatus 1f and the client apparatus 3c-1, and transmits the SIP response message to which the random parameter for key generation is added to the SIP interface unit 33 in the client apparatus 3c-1 via the SIP interface unit 13 (u 23 in fig. 70).
When the SIP interface unit 33 of the client apparatus 3c-1 receives the SIP response message to which the random parameter for key generation is added, the received random parameter for key generation is passed to the encryption information setting unit 31. The encryption information setting unit 31 stores the key generation random parameter (u 44 in fig. 70).
On the other hand, when the client apparatus 3d-1 makes a request for initial server access to the server apparatus 1f (u 61 in fig. 70), the cryptographic capability data is not added to the SIP request message, but is transmitted to the SIP interface unit 13 of the server apparatus 1f via the SIP interface unit 33 (u 62 in fig. 70).
When receiving the SIP request message, the SIP interface 13 of the server 1f acquires the initial access from the client apparatus 3d-1 and passes it to the encryption information setting unit 11. Because no cryptographic capability data is added to the SIP request message, the cryptographic information setting unit 11 notifies the cryptographic capability management unit 21 that the client device 3d-1 has no cryptographic capability, and the cryptographic capability management unit 20 stores the fact that the client device 3d-1 has no cryptographic capability (u 24 in fig. 70). The cryptographic information setting unit 11 transmits the SIP response message to the SIP interface unit 33 of the client apparatus 3d-1 via the SIP interface unit 13 without adding the key generation random parameter (u 25 in fig. 70).
When password information of an SIP message for SIP messaging with the client apparatus 3c-1 is input from the local maintenance console 2 connected to the server apparatus 1f (u 11 in fig. 70), the password information input interface section 12 receives a setting request including the password information (u 12 in fig. 70), and when the normality of the setting request can be confirmed, transmits the password message to the password information setting section 11. The encryption information setting unit 11 instructs the encryption capability management unit 21 to confirm whether or not the client apparatus 3c-1 has the encryption capability and, since the client apparatus 3c-1 holds the encryption capability (u 26 in fig. 70), stores the encryption information (u 27 in fig. 71). The server apparatus 1f transmits the SIP request message including the password information to the SIP interface section 33 of the client apparatus 3c-1 via the SIP interface section 13.
The SIP interface section 33 of the client apparatus 3c-1 receives the SIP request message including the password information and passes the password information to the password information setting section 31. The encryption information setting unit 31 stores the encryption information, generates a key from the stored random parameter for key generation, sets the encryption information in the SIP message encrypting/decrypting unit 36, and transmits a SIP response message notifying that the encryption information setting is completed to the SIP interface unit 13 of the server apparatus 1f via the SIP interface unit 33 after the setting is completed.
When the SIP interface unit 13 of the server 1f receives the SIP response message notifying the presence or absence of the password, the password rule, and the completion of the setting of the password range, the received SIP response message is transmitted to the password information setting unit 11. The password information setting unit 11 receives the notification of completion of setting of the password information on the client apparatus 3c-1 side, generates a key based on the stored random parameter for key generation, instructs the SIP message encryption/decryption unit 16 to set the password information, and transmits the completion of setting from the password information input interface unit 12 to the local maintenance console 2 (u 28 in fig. 71). The local maintenance console 2 displays that password information setting is completed (u 13 of fig. 71). Thereafter, at the time of SIP message transmission/reception, the set encryption information is used to encrypt/decrypt the message (u 29 in fig. 71).
When password information of an SIP message for SIP messaging with the client apparatus 3d-1 is input from the local maintenance console 2 connected to the server apparatus 1f (u 14 in fig. 71), the password information input interface section 12 receives a setting request including the password information (u 15 in fig. 71), and when the normality of the setting request can be confirmed, transmits the password message to the password information setting section 11. The cryptographic information setting unit 11 instructs the cryptographic capability management unit 21 to confirm whether or not the client apparatus 3d-1 has the cryptographic capability (u 30 in fig. 71) and, since the client apparatus 3d-1 does not have the cryptographic capability, determines that the cryptographic information cannot be set (u 31 in fig. 71).
The password information setting unit 11, which knows that the password information cannot be set to the client apparatus 3d-1, transmits a setting failure from the password information input interface unit 12 to the local maintenance console 2 (u 32 in fig. 71). The local maintenance console 2 displays that the password information setting has failed (u 16 of fig. 71). Thereafter, when SIP messaging is performed, transmission and reception of a message are performed without encryption (u 33 in fig. 71).
As described above, in the present embodiment, when the server apparatus 1f holds the SIP message encryption/decryption function and the system contains a mix of client apparatuses 3c-1 and 3c-2 that hold the SIP message encryption/decryption function and client apparatuses 3d-1 and 3d-2 that do not, the encryption/decryption function can be enabled only for the client apparatuses 3c-1 and 3c-2 that hold it. It is therefore not necessary to match the function levels held by the client apparatuses, and the encryption/decryption function can be enabled only between apparatuses capable of encryption/decryption, thereby enhancing the cryptographic security function of the system.
Further, in the present embodiment, the effect of performing SIP messaging encryption is the same as in the first and second embodiments of the present invention described above. Although the operation of the client devices 3c-2 and 3d-2 is not described, the same effect as that obtained when the client devices 3c-1 and 3d-1 are used can be obtained.
Twenty-second embodiment
Fig. 72 is a block diagram showing the configuration of a client/server type distributed system of a twenty-second embodiment of the present invention. In fig. 72, a client/server type distribution system according to a twenty-second embodiment of the present invention is configured such that a server apparatus 1g and client apparatuses 3c-1, 3c-2, 3d-1, and 3d-2 are connected to each other via a LAN 100.
The server apparatus 1g has at least a maintenance console interface section 12 and an SIP interface section 13, and is connected to the local maintenance console 2 via a serial cable or the like. Further, the local maintenance console 2 is temporarily installed during construction of the server apparatus 1e, and therefore may not be connected during operation.
The client devices 3c-1 and 3c-2 include at least an encryption information setting unit 31, an SIP interface unit 33, an SIP message encrypting/decrypting unit 36, a key creating unit 38, and an encryption capability managing unit 41. The client devices 3d-1 and 3d-2 have at least an SIP interface 33.
In the present embodiment, by implementing the above configuration, it is possible to perform SIP messaging between the server apparatus 1g having no encryption function and a client apparatus group in which a plurality of client apparatuses 3c-1 and 3c-2 having encryption functions and client apparatuses 3d-1 and 3d-3 having no encryption functions are mixedly present.
Fig. 73 and 74 are sequence diagrams showing the operation of the client/server type distribution system according to the twenty-second embodiment of the present invention. The operation of the client/server type distribution system according to the twenty-second embodiment of the present invention will be described with reference to fig. 72 to 74 described above. The processing of the server apparatus 1g and the client apparatuses 3c-1, 3c-2, 3d-1, and 3d-2 shown in fig. 73 and 74 can be realized by the respective CPUs of the server apparatus 1g and the client apparatuses 3c-1, 3c-2, 3d-1, and 3d-2 executing programs.
When the initial server access request to the server apparatus 1g is generated from the client apparatus 3c-1 (v 41 in fig. 73), the cryptographic capability management unit 41 adds the cryptographic capability data held by the client apparatus 3c-1 to the transmitted SIP request message (v 42 in fig. 73) and transmits the result to the SIP interface unit 13 of the server apparatus 1g via the SIP interface unit 33 (v 43 in fig. 73).
When the SIP interface unit 13 of the server apparatus 1g receives the SIP request message, the cryptographic capability data added to the SIP request message (v 42 in fig. 73) is sent to the SIP interface unit 33 of the client apparatus 3c-1 via the SIP interface unit 13 (v 22 in fig. 73).
When the SIP interface unit 33 of the client apparatus 3c-1 receives the SIP response message to which the random parameter for key generation is not added, it notifies the encryption information setting unit 31 that the random parameter for key generation is not added to the received SIP response message. The password information setting unit 31 recognizes that there is no password for SIP messaging between the server device 1g and the client device 3c-1 (v 44 in fig. 73), and stores the absence of the password (v 45 in fig. 73).
When the client apparatus 3d-1 makes a request for initial server access to the server apparatus 1g (v 61 in fig. 73), it transmits the request to the SIP interface unit 13 of the server apparatus 1g via the SIP interface unit 33 without adding cryptographic capability data to the SIP request message (v 62 in fig. 73).
When receiving the SIP request message, the SIP interface 13 of the server apparatus 1g transmits a SIP response message to the SIP interface 33 of the client apparatus 3d-1 via the SIP interface 13 (v 23 in fig. 73).
When password information of a SIP message for SIP messaging with the client device 3c-1 is input from the local maintenance console 2 connected to the server device 1g (v 11 in fig. 73), the maintenance console interface section 12 receives a setting request including the password information (v 12 in fig. 73), and fails to set the password, and transmits the setting failure to the local maintenance console 2 (v 24 in fig. 73, v25 in fig. 74). The local maintenance console 2 displays that the password information setting has failed (v 13 of fig. 74). When the SIP message is transmitted and received between the server device 1g and the client device 3d-1, the message is transmitted and received without encryption (v 29 in fig. 73).
As described above, in the present embodiment, when the client apparatus 3c-1 holds the SIP message encryption/decryption function and the server apparatus 1g that transmits and receives SIP messages in the system does not hold the SIP message encryption/decryption function, the client apparatus can operate with its encryption/decryption function disabled. SIP messages can therefore be transmitted and received without matching the function levels held by the client apparatus and the server apparatus. In the present embodiment, the effect of performing SIP messaging encryption is the same as in the first and second embodiments of the present invention described above. Although the operation of the client devices 3c-2 and 3d-2 is not described, the same effect as that obtained when the client devices 3c-1 and 3d-1 are used can be obtained.
Twenty-third embodiment
Fig. 75 is a block diagram showing the configuration of a client/server type distributed system of a twenty-third embodiment of the present invention. In fig. 75, a client/server type distributed system according to a twenty-third embodiment of the present invention is configured such that a server device 1f and client devices 3d-1 to 3d-4 are connected to each other via a LAN 100.
The server device 1f is configured by at least an encryption information setting unit 11, an encryption information input interface unit 12, an SIP interface unit 13, an SIP message encryption/decryption unit 16, a key creation unit 18, and an encryption capability management unit 21, and is connected to the local maintenance console 2 via a serial cable or the like. Further, the local maintenance console 2 is temporarily installed during construction of the server apparatus 1e, and therefore may not be connected during operation. The client devices 3d-1 to 3d-4 have at least SIP interfaces 33-1 to 33-4.
In the present embodiment, by implementing the above configuration, when the server device 1f communicates with the plurality of client devices 3d-1 to 3d-4 that do not have the SIP message encryption/decryption function, the server device 1f can transmit and receive SIP messages without encryption even if the server device 1f has the SIP message encryption/decryption function.
Fig. 76 and 77 are sequence diagrams showing the operation of the client/server type distribution system according to the twenty-third embodiment of the present invention. The operation of the client/server type distribution system according to the twenty-third embodiment of the present invention will be described with reference to fig. 75 to 77. The processing of the server device 1f and the client devices 3d-1 to 3d-4 shown in fig. 76 and 77 can be realized by the execution of a program by the CPU of each of the server device 1f and the client devices 3d-1 to 3d-4.
When the client apparatus 3d-1 makes a request for initial server access to the server apparatus 1f (w 31 in fig. 76), it transmits the request to the SIP interface unit 13 of the server apparatus 1f via the SIP interface unit 33-1 without adding cryptographic capability data to the SIP request message (w 32 in fig. 76).
When receiving the SIP request message, the SIP interface 13 of the server 1f acquires the initial access from the client apparatus 3d-1 and passes it to the encryption information setting unit 11. Because no cryptographic capability data is added to the SIP request message, the cryptographic information setting unit 11 notifies the cryptographic capability management unit 21 that the client device 3d-1 has no cryptographic capability, and the cryptographic capability management unit 21 stores the fact that the client device 3d-1 has no cryptographic capability (w 21 in fig. 76). The encryption information setting unit 11 transmits the SIP response message to the SIP interface unit 33-1 of the client apparatus 3d-1 via the SIP interface unit 13 without adding the key generation random parameter (w 22 in fig. 76).
When the client apparatus 3d-2 makes a request for initial server access to the server apparatus 1f (u 61 in fig. 70), it transmits the request to the SIP interface unit 13 of the server apparatus 1f via the SIP interface unit 33-2 without adding cryptographic capability data to the SIP request message (w 42 in fig. 76) in the same manner as described above.
When receiving the SIP request message, the SIP interface 13 of the server 1f acquires the initial access from the client apparatus 3d-2 and passes it to the encryption information setting unit 11. Because no cryptographic capability data is added to the SIP request message, the cryptographic information setting unit 11 notifies the cryptographic capability management unit 21 that the client device 3d-2 has no cryptographic capability, and the cryptographic capability management unit 21 stores the fact that the client device 3d-2 has no cryptographic capability (w 23 in fig. 76). The encryption information setting unit 11 transmits the SIP response message to the SIP interface unit 33-2 of the client apparatus 3d-2 via the SIP interface unit 13 without adding the key generation random parameter (w 24 in fig. 76).
When password information of an SIP message for SIP messaging with the client apparatus 3d-1 is input from the local maintenance console 2 connected to the server apparatus 1f (w 11 in fig. 76), the password information input interface unit 12 receives a setting request including the password information (w 12 in fig. 76), and when the normality of the setting request can be confirmed, transmits the password message to the password information setting unit 11. The encryption information setting unit 11 instructs the encryption capability management unit 21 to confirm whether or not the client apparatus 3d-1 has the encryption capability (w 25 in fig. 76) and, since the client apparatus 3d-1 does not have the encryption capability, determines that the encryption information cannot be set (w 26 in fig. 76).
The password information setting unit 11, which knows that the password information cannot be set to the client apparatus 3d-1, transmits a setting failure from the password information input interface unit 12 to the local maintenance console 2 (w 27 in fig. 76). The local maintenance console 2 displays that password information setting has failed (w 13 of fig. 76). Thereafter, at the time of SIP messaging, transmission and reception of a message are performed without encryption (w 33 of fig. 76).
When password information of an SIP message for SIP messaging with the client apparatus 3d-2 is input from the local maintenance console 2 connected to the server apparatus 1f (w 14 in fig. 77), the password information input interface unit 12 receives a setting request including the password information (w 15 in fig. 77), and when the normality of the setting request can be confirmed, transmits the password message to the password information setting unit 11. The cryptographic information setting unit 11 instructs the cryptographic capability management unit 21 to confirm whether or not the client apparatus 3d-2 has the cryptographic capability (w 28 in fig. 77) and, since the client apparatus 3d-2 does not have the cryptographic capability, determines that the cryptographic information cannot be set (w 29 in fig. 77).
The password information setting unit 11, which knows that the password information cannot be set to the client apparatus 3d-2, transmits a setting failure from the password information input interface unit 12 to the local maintenance console 2 (w 16 in fig. 77). The local maintenance console 2 displays that the password information setting has failed (w 16 of fig. 77). Thereafter, at the time of SIP messaging, transmission and reception of a message are performed without encryption (w 43 of fig. 77).
As described above, in the present embodiment, when the server device 1f holds the SIP message encryption/decryption function, and only the client devices 3d-1 to 3d-4 not holding the SIP message encryption/decryption function exist in the system, the SIP message can be transmitted and received without encryption between the client devices 3d-1 to 3d-4 not holding the encryption/decryption function, and therefore the SIP message can be transmitted and received without making the holding function levels of the client devices uniform. Although the operation of the client devices 3d-3 and 3d-4 is not described, the same effect as that obtained when the client devices 3d-1 and 3d-2 are used can be obtained.
Twenty-fourth embodiment
Fig. 78 is a sequence diagram showing the operation of the client/server type distributed system according to the twenty-fourth embodiment of the present invention. The client/server type distributed system according to the twenty-fourth embodiment of the present invention has the same configuration as that of the client/server type distributed system according to the twenty-first embodiment shown in fig. 69, and therefore, description of the configuration thereof is omitted. The operation of the client/server type distribution system according to the twenty-fourth embodiment of the present invention will be described below with reference to fig. 69 and 78. The processing of the server device 1f and the client device 3c-1 shown in fig. 78 can be realized by the CPU of each of the server device 1f and the client device 3c-1 executing a program.
The cryptographic capability management unit 41 of the client apparatus 3c-1 identifies the one or more types of cryptographic rules that the client apparatus 3c-1 holds and can use for encryption/decryption, and stores the identified cryptographic rules as a cryptographic rule list.
By implementing the above configuration, in a client/server type distributed system including a client apparatus 3c-1 holding one or more types of encryption rules usable as encryption capabilities, the server apparatus 1c can select the encryption rule to use, and encrypted SIP messaging between the server apparatus 1f and the client apparatus 3c-1 can be performed.
When an initial server access request to the server apparatus 1f is generated from the client apparatus 3c-1 (x 11 in fig. 78), the cryptographic capability management unit 41 adds a list of cryptographic rules held by the client apparatus 3c-1 to the transmitted SIP request message (x 12 in fig. 78), and transmits the result to the SIP interface unit 13 of the server apparatus 1f via the SIP interface unit 33 (x 13 in fig. 78).
When receiving the SIP request message, the SIP interface 13 of the server 1f reads the encryption rule list from the client apparatus 3c-1 and transmits the encryption rule list to the encryption information setting unit 11. The encryption information setting unit 11 notifies the encryption capability management unit 21 of the encryption rule list held by the client apparatus 3c-1. The password capability management unit 21 stores the password rule list (x 1 in fig. 78). The cryptographic information setting unit 11 then transmits the SIP response message to the SIP interface unit 33 of the client apparatus 3c-1 via the SIP interface unit 13 (x 2 in fig. 78).
When the cryptographic capability management unit 21 of the server device 1 determines the cryptographic information to be used for encrypting and decrypting an SIP message during SIP messaging with the client device 3c-1, if the password presence/absence setting is "password present", the cryptographic capability management unit selects a cryptographic rule to be used from the stored cryptographic rule list, determines cryptographic information including the cryptographic rule, and passes the cryptographic information to the cryptographic information setting unit 11 (x 3 in fig. 78). The password information setting unit 11 stores the password information.
The subsequent processing is the same operation as the password information setting procedure from the server apparatus 1 to the client apparatus 3-1 according to the first embodiment of the present invention, and therefore, the description thereof is omitted.
As described above, in the present embodiment, when the server device 1f and the client device 3c-1 hold the encryption/decryption function using a plurality of encryption rules, the encryption/decryption function can be automatically determined without giving an instruction to set an encryption rule that cannot be used by the client device 3c-1 from the server device 1 f. In this embodiment, the effect of encrypting SIP messaging is the same as that of the first and second embodiments of the present invention. Although the operation of the client apparatus 3c-2 is not described, the same effect as that obtained when the client apparatus 3c-1 is used can be obtained.
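The capability bookkeeping of the twenty-first to twenty-fourth embodiments, as an added Python example that is not code from the patent: the server records each client's rule list at initial access, issues a key-generation random parameter only when both sides can encrypt, and selects a rule that both sides hold. The rule names, class name and method names are assumptions made for this illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed rule names in server preference order; the page names no concrete rules.
SERVER_RULES = ["rule-B", "rule-A", "rule-C"]


@dataclass
class ClientRecord:
    rules: List[str]                   # rule list from initial access; empty = no capability
    key_param: Optional[bytes] = None  # random parameter for key generation
    active_rule: Optional[str] = None  # None means SIP messages go unencrypted


class CapabilityManager:
    """Hypothetical model of units 11 and 21 on the server side."""

    def __init__(self, server_rules: List[str]):
        # An empty list models a server without the encryption function (1g).
        self.server_rules = list(server_rules)
        self.clients: Dict[str, ClientRecord] = {}

    def initial_access(self, client_id: str,
                       capability: Optional[List[str]] = None) -> Optional[bytes]:
        """Record the capability data carried by the first SIP request.

        Returns the random parameter to add to the SIP response, or None when
        the response carries none (client or server cannot encrypt).
        """
        record = ClientRecord(rules=list(capability or []))
        if record.rules and self.server_rules:
            record.key_param = secrets.token_bytes(16)
        self.clients[client_id] = record
        return record.key_param

    def select_rule(self, client_id: str) -> Optional[str]:
        """Pick the first server-preferred rule that the client also listed."""
        record = self.clients.get(client_id)
        if record is None:
            return None
        for rule in self.server_rules:
            if rule in record.rules:
                return rule
        return None

    def set_encryption(self, client_id: str,
                       requested_rule: Optional[str] = None) -> Tuple[str, str]:
        """Handle a setting request from the maintenance console."""
        record = self.clients.get(client_id)
        if record is None:
            return ("failed", "no initial access recorded")
        if not record.rules or record.key_param is None:
            return ("failed", "encryption not available for this client")
        rule = requested_rule or self.select_rule(client_id)
        if rule is None or rule not in record.rules or rule not in self.server_rules:
            return ("failed", "no rule usable by both sides")
        record.active_rule = rule
        return ("ok", rule)

    def plaintext_clients(self) -> List[str]:
        """Clients whose SIP messages are still exchanged without encryption."""
        return sorted(cid for cid, rec in self.clients.items()
                      if rec.active_rule is None)
```

`plaintext_clients()` gives the maintainer the list of endpoints that remain unencrypted in a mixed deployment, which is the state to review after every setting failure reported to the console.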
As described above, in the present invention, in the client/server type distributed system corresponding to the SIP protocol, the security on the IP network can be enhanced by the maintenance person encrypting the SIP message based on the arbitrarily set encryption information, and the encryption information used for encrypting and decrypting the SIP message set by the system maintenance person can be distributed to the client apparatus via the maintenance console interface of the server apparatus, so that the encryption capability setting in view of the entire system can be performed from one place, and the simplification of the maintenance operation and the reduction of the maintenance operation amount can be achieved.
Furthermore, SSL/TLS is generally used as a security method in existing SIP. However, in the present invention, it is not necessary to distribute a certificate to each device, or to perform certificate authentication by a certificate management function and an authentication server, and the cryptographic function can be realized by a simpler flow than the SSL/TLS method.
The invention has the following effects: the server apparatus 1 can use both a local maintenance console connected by a serial cable or the like and a maintenance console connected by a LAN interface, and can ensure simplicity of maintenance.
In the present invention, when the whole of the SIP message, including the SIP header and the SDP data, is encrypted, it is possible to realize strong cryptographic security for preventing eavesdropping or data falsification at the time of communication over an IP network. When only a part of the SIP message is encrypted, the SIP header or the SDP data can be left unencrypted, according to the selected encryption range, so that the message remains operable via a network device such as SIP-NAT, while the important data to be protected is partially encrypted and transmitted and received.
In the present invention, since the maintainer can arbitrarily set the presence or absence of the password of the SIP message via the server device, the password security function on the network can be realized when the password is set, and the password can be set as required or not required depending on the network configuration.
In the present invention, the function of selecting the presence or absence of a password is provided, so that it is possible to ensure compatibility with a client apparatus having no password function. Further, in the present invention, in a system supporting both a method of encrypting the entire SIP message and a method of encrypting any part of the SIP message with respect to the encryption range of the SIP message, the local maintenance console can select the range to be encrypted arbitrarily, and therefore, it is possible to satisfy both the encryption security and the network functionality in a system in which a network device such as SIP-NAT exists, and to have an effect of selecting and realizing the most appropriate security level for the current network configuration.
In the present invention, the SIP message is encrypted, so that the password security function on the network can be realized, and the password presence/absence, password rule, and password range can be set for different network structures, thereby further enhancing the password security.
In the present invention, by setting the password information of the client device from the server device, system uniformity and simplification of the management of the maintainer can be achieved.
In the present invention, when a cryptographic rule operable in a system is added in the future, a new cryptographic rule can be used without additionally developing an interface selected by the cryptographic rule, and therefore, the present invention has an effect of minimizing the change of a local interface and simplifying the development.
In the present invention, in a system for performing SIP messaging without encryption, when the encryption function is activated, the encryption information other than the key is transmitted from the server apparatus to the client apparatus without being encrypted, whereas the key is generated synchronously in both the server apparatus and the client apparatus. Because the key is thus set as common encryption information between the server apparatus and the client apparatus without being notified via the IP network, the encryption security function after the setting of the encryption information can be enhanced.
In the present invention, since the key is generated using the determined random parameter at the time of initial access from the client apparatus to the server apparatus, the regularity of the generated key can be eliminated, and the key security function can be enhanced.
In the present invention, in a system that transmits and receives SIP messages with a password set, when password information is changed, the password information is transmitted between the client apparatus and the server apparatus in a state in which the password information is encrypted using the set password information, and therefore, there is an effect that password security can be enhanced.
In the present invention, since the maintenance operator can arbitrarily set the encryption information other than the key among the newly set encryption information from the maintenance console, the system construction is uniform, and the maintenance operator can change the communication state of the SIP message to the non-encryption state when the maintenance operator wants to record the communication state, thereby ensuring the simplicity of maintenance. In addition, in the present invention, since the same key is not used for a long time and the maintenance person can change the key at any time, it is possible to enhance the security against the theft of the password information.
In the present invention, since the server apparatus randomly generates the key and distributes it to the client apparatus, the key that is set is not known to any third party, including the maintainer, so that human error or key outflow can be prevented, and the security of the password can be further enhanced.
In the present invention, since the reception and decryption of the SIP message encrypted with the old cryptographic information can be performed for a certain period of time after the change to the new cryptographic information, the cryptographic information can be changed without impairing the validity of the SIP message being transmitted and received during the cryptographic information change process, and the cryptographic information can be changed at any time.
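The synchronized key generation and the change-over period described in the effects above, as an added Python example that is not code from the patent. It assumes a pre-provisioned `device_secret` (the page does not say how the key is computed from the random parameter), uses a SHA-256 keystream with an HMAC tag as a stand-in for the configured encryption rule, and takes the length of the grace period as a parameter; all names are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

TAG_LEN, NONCE_LEN = 32, 12


def derive_key(device_secret: bytes, key_param: bytes) -> bytes:
    """Computed independently on both ends; only key_param crosses the network.

    device_secret is an assumed pre-provisioned value, not defined by the page.
    """
    return hmac.new(device_secret, b"sip-msg-key" + key_param, hashlib.sha256).digest()


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for the keystream and for the integrity tag.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the configured encryption rule: keystream XOR plus HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify under this key."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class KeyRing:
    """Current key plus the previous key, which stays valid for a grace period."""

    def __init__(self, key: bytes, grace_seconds: float = 30.0):
        self.current = key
        self.previous: Optional[bytes] = None
        self.previous_expires = 0.0
        self.grace = grace_seconds

    def rotate(self, new_key: bytes, now: float) -> None:
        self.previous, self.previous_expires = self.current, now + self.grace
        self.current = new_key

    def decrypt(self, blob: bytes, now: float) -> Tuple[Optional[bytes], str]:
        plaintext = unseal(self.current, blob)
        if plaintext is not None:
            return plaintext, "current"
        if self.previous is not None and now >= self.previous_expires:
            self.previous = None          # grace period over: forget the old key
        if self.previous is not None:
            plaintext = unseal(self.previous, blob)
            if plaintext is not None:
                return plaintext, "previous"
        return None, "rejected"
```

Logging every `"previous"` result shows which peers are still sending under the old encryption information before the grace period closes.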
In the present invention, in a system for transmitting and receiving SIP messages in a state in which a password is set, when a key to be used is distributed from the server apparatus to the client apparatus, the key is required to be communicated over the IP network in an encrypted state.
In the present invention, in a system for transmitting and receiving SIP messages in a state in which a password is set, when a key to be used is distributed from the server apparatus to the client apparatus, the key is required to be communicated over the IP network in an encrypted state; therefore, it is possible to prevent leakage of the key and enhance the password security function in encrypting the SIP message. Moreover, the other password information (password presence/absence, password rule, password range) can also be encrypted and distributed, which makes it difficult to estimate the key and further enhances the password security.
In the present invention, when the password state is changed from the non-password state to the password state, the password information is set in the following two levels: first, the encryption information is set using a key created synchronously at both the client apparatus 3a-1 and the server apparatus 1b; then, the encryption information is set using the key automatically generated by the server device 1b. Because the actual SIP messages are encrypted and decrypted using the key that is automatically generated by the server device 1b and is unknown to any third party, including the maintenance person, the cryptographic security function can be enhanced. In addition, in the present embodiment, since the key used for encrypting SIP messages is always notified in an encrypted state, there is an effect that the security of the cryptographic function can be enhanced.
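The key handling described in the paragraphs above, as an added example that is not part of the patent text: a first key derived on both sides from the shared random parameter, a server-generated random key delivered only under the key in use, and the old key still accepted for a fixed period after the change. The HMAC-SHA256 keystream-and-tag construction stands in for the cipher rule, which this section does not specify; the names, the key derivation, the 5-second grace period and the choice of "everything after the SIP header" as the cipher range are assumptions.

```python
import hashlib
import hmac
import secrets

GRACE_SECONDS = 5.0  # assumed length of the period in which the old key still works


def derive_bootstrap_key(random_param: bytes) -> bytes:
    """First key, computed identically on both sides from the shared parameter."""
    return hmac.new(random_param, b"sip-bootstrap-key", hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher rule: XOR with an HMAC keystream, then append an HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify under this key."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class Endpoint:
    """Key state kept by the client or by the server (hypothetical class)."""
    def __init__(self, random_param: bytes):
        self.current = derive_bootstrap_key(random_param)
        self.previous, self.previous_expires = None, 0.0

    def install(self, new_key: bytes, now: float) -> None:
        self.previous, self.previous_expires = self.current, now + GRACE_SECONDS
        self.current = new_key

    def protect(self, sip: bytes) -> bytes:
        """Encrypt only what follows the SIP header (assumed cipher range)."""
        header, sep, body = sip.partition(b"\r\n\r\n")
        return header + sep + seal(self.current, body)

    def recover(self, wire: bytes, now: float):
        header, sep, blob = wire.partition(b"\r\n\r\n")
        body = unseal(self.current, blob)
        if body is None and self.previous is not None and now < self.previous_expires:
            body = unseal(self.previous, blob)  # old key, still inside the grace period
        return None if body is None else header + sep + body

    def wrap_new_key(self, now: float) -> bytes:
        """Server side: random key, sent only encrypted under the key in use."""
        new_key = secrets.token_bytes(32)
        wrapped = seal(self.current, new_key)
        self.install(new_key, now)
        return wrapped

    def accept_new_key(self, wrapped: bytes, now: float) -> bool:
        new_key = unseal(self.current, wrapped)
        if new_key is None or len(new_key) != 32:
            return False  # not protected by the key in use: keep current settings
        self.install(new_key, now)
        return True


# Constructed sample message; addresses are documentation values.
SAMPLE = (b"INVITE sip:200@pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\n"
          b"Content-Type: application/sdp\r\n\r\nv=0\r\nc=IN IP4 192.0.2.10\r\n")


def run_demo() -> dict:
    server, client = Endpoint(b"constructed-parameter"), Endpoint(b"constructed-parameter")
    in_flight = client.protect(SAMPLE)           # sent under the bootstrap key
    wrapped = server.wrap_new_key(now=100.0)     # server has already switched keys
    forged = bytes([wrapped[0] ^ 1]) + wrapped[1:]
    forged_accepted = client.accept_new_key(forged, now=100.5)
    rekey_accepted = client.accept_new_key(wrapped, now=100.5)
    return {
        "header_in_clear": in_flight.startswith(b"INVITE sip:200@pbx.example SIP/2.0\r\n"),
        "body_hidden": b"c=IN IP4" not in in_flight,
        "forged_accepted": forged_accepted,
        "rekey_accepted": rekey_accepted,
        "old_key_in_grace": server.recover(in_flight, now=102.0) == SAMPLE,
        "old_key_after_grace": server.recover(in_flight, now=106.0),
        "new_key_round_trip": server.recover(client.protect(SAMPLE), now=106.0) == SAMPLE,
    }


if __name__ == "__main__":
    print(run_demo())
```

The grace period is also the time during which a superseded key can still decrypt traffic, so it should be no longer than the worst-case delay of a message already in transit.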
In the present invention, the maintenance person changes the password information at any time from the maintenance console via the server device, and performs SIP message transmission and reception using the new password information, which has an effect of enhancing the password security function of the SIP message.
In the present invention, since the maintainer can arbitrarily set the presence or absence of the password of the SIP message via the server device, when the password is set, the password security function on the network can be realized, and different settings can be made for the required password and the unnecessary password depending on the network configuration.
In the present invention, the optimum flow of the password information change flow including the key generation method can be automatically selected according to the change contents of the password, and therefore, the password information can be safely changed.
In the present invention, the password information is changed periodically and SIP messages are transmitted and received using the new password information, which has the effect of enhancing the password security function of the SIP message.
In the present invention, the timer value for the periodic update can be set arbitrarily from the maintenance console, which provides the following effects: the periodic update interval can be changed; when the periodic update is performed at a short interval, the password security can be further enhanced; and the optimal periodic update timer value can be selected in consideration of the load state of the network.
In the present invention, the server device can set different encryption information for each client device, and can use the encryption rule, encryption range, and encryption key for each client device, so that it is difficult to estimate the encryption information between other devices from the encryption state between each client device, and the effect of enhancing the encryption security function can be obtained.
In the present invention, the cryptographic function of the client device does not need to be matched in the system, and the cryptographic function in the system can be realized as long as the cryptographic functions of the server device and the client device are matched.
In the present invention, when the server device has the SIP message encryption/decryption function and client devices with and without that function are mixed in the system, the encryption/decryption function can be enabled only for the client devices that have it. Therefore, it is not necessary to match the level of the encryption/decryption function across the client devices, the function can be enabled only between devices capable of encryption/decryption, and the effect of enhancing the cryptographic security function of the system as a whole is obtained.
In the present invention, when the client apparatus has the SIP message encryption/decryption function and the server apparatus that transmits and receives SIP messages in the system does not, the encryption/decryption function can be disabled, and therefore there is an effect that SIP messages can be transmitted and received without the function levels of the client apparatus and the server apparatus having to coincide.
Claims (40)
1. A client/server type distributed system configured by connecting a client device corresponding to an SIP protocol and a server device corresponding to the SIP protocol, respectively, to a network, the SIP protocol operating on a UDP protocol,
the server device includes: a unit for setting password information used for SIP message transmission and reception with the client device; means for notifying the client device of the password information of the SIP message; a unit that encrypts and transmits the SIP message based on the password information when transmitting the SIP message to the client apparatus; a unit that decrypts, when receiving an encrypted SIP message from the client apparatus, the SIP message based on the cryptographic information; and a unit that performs control corresponding to the decrypted content,
the client apparatus has: a unit configured to set password information of the SIP message received from the server apparatus; a unit that encrypts the SIP message based on the password information when the SIP message is transmitted to the server apparatus; a unit that decrypts, when receiving an encrypted SIP message from the server apparatus, the SIP message based on the cryptographic information; and a unit that performs control corresponding to the decrypted content,
The password information includes at least the password existence, the password rule, the password range of the SIP message that can be input from the outside, and the key of the SIP message that cannot be input from the outside.
2. The client/server type distributed system according to claim 1,
the server apparatus encrypts and decrypts at least one of: a SIP message whole including a SIP header portion of the SIP message; and removing the SIP header portion of the SIP message and the SIP message outside the range arbitrarily set in the data following the SIP header,
the client device encrypts and decrypts at least one of: a SIP message whole including a SIP header portion of the SIP message; and removing the SIP header portion of the SIP message and the SIP message outside the range arbitrarily set in the data after the SIP header.
3. The client/server type distributed system according to claim 1,
the server device includes: a unit for setting a password range of the SIP message inputted from the outside; a unit that notifies the client apparatus of the password range of the SIP message; and a unit that decides whether to encrypt and decrypt at least any one of the following two based on the password range: the whole SIP message and the SIP message except the SIP header part of the SIP message and the SIP message outside the range arbitrarily set in the data after the SIP header,
The client apparatus has: a unit that sets a password range of the SIP message received from the server apparatus; and a unit that decides whether to encrypt and decrypt at least any one of the following two based on the password range: the whole SIP message and the SIP message except the SIP header part of the SIP message and the SIP message outside the range arbitrarily set in the data after the SIP header.
4. The client/server type distributed system according to claim 1,
the server device includes: a unit for setting the existence of the password of the SIP message input from the outside; a unit that notifies the client device of the presence or absence of the password of the SIP message; means for encrypting the SIP message and transmitting the encrypted SIP message to the client apparatus during password transmission/reception of the SIP message; and a unit which decrypts the encrypted SIP message received from the client device in the encrypted transmission/reception of the SIP message,
the client apparatus has: means for setting the presence or absence of a password of the SIP message received from the server device; means for encrypting and transmitting the SIP message to the server apparatus during the transmission/reception of the SIP message with the password; and a unit configured to decrypt the encrypted SIP message received from the server device during transmission and reception of the SIP message with the password.
5. The client/server type distributed system according to claim 1,
the server device includes: a unit configured to set a cryptographic rule used for encryption of the SIP message inputted from outside; means for notifying the client device of the cryptographic rule; means for encrypting the SIP message using the encryption rule and transmitting the encrypted SIP message to the client apparatus during encrypted transmission/reception of the SIP message; and a unit that decrypts a SIP message that has been received from the client device and that has been encrypted using the cryptographic rule,
the client apparatus has: a unit that sets a cryptographic rule of the SIP message received from the server apparatus; means for encrypting the SIP message using the encryption rule and transmitting the encrypted SIP message to the server apparatus during transmission and reception of the SIP message with the encryption; and a unit configured to decrypt the SIP message that is received from the server device and encrypted by the encryption rule, during transmission and reception of the SIP message with the encryption.
6. The client/server type distributed system according to claim 1,
the server device includes: a unit configured to set a password range of the SIP message and the presence or absence of a password of the SIP message input from outside; a unit configured to notify the client device of the presence or absence of the password and the password range of the SIP message; means for encrypting a password range of the SIP message and transmitting the encrypted SIP message to the client apparatus during password transmission/reception of the SIP message; and a unit decrypting a SIP message received from the client device and the password range having been encrypted,
The client apparatus has: a unit configured to set a password range and the presence/absence of a password of the SIP message received from the server device; means for encrypting a password range of the SIP message and transmitting the encrypted SIP message to the server apparatus during transmission and reception of the SIP message with a password; and a unit configured to decrypt the SIP message received from the server device and having the encrypted encryption range, in the encrypted SIP message transmission/reception.
7. The client/server type distributed system according to claim 1,
the server device includes: a unit configured to set a password rule used for encryption of the SIP message and whether or not a password of the SIP message is inputted from outside; a unit configured to notify the client device of the presence or absence of the password of the SIP message and a password rule; means for encrypting the SIP message using the encryption rule and transmitting the encrypted SIP message to the client apparatus during password transmission and reception of the SIP message; and a unit which decrypts a SIP message which is received from the client apparatus and has been encrypted by the encryption rule, in the password-mediated transmission/reception of the SIP message,
the client apparatus has: a unit configured to set a password rule and the presence or absence of a password of the SIP message received from the server device; means for encrypting the SIP message using the encryption rule and transmitting the encrypted SIP message to the server apparatus during the transmission/reception of the SIP message with the encryption; and a unit configured to decrypt the SIP message received from the server device and encrypted by the encryption rule during the encrypted transmission/reception of the SIP message.
8. The client/server type distributed system according to claim 1,
the server device includes: a unit configured to set a cipher rule used for encrypting the SIP message inputted from the outside and a cipher range of the SIP message; a unit configured to notify the client apparatus of a password rule and a password range of the SIP message; means for encrypting and transmitting a cryptographic range of the SIP message to the client device using the cryptographic rule; and a unit for decrypting a SIP message received from the client device and the cryptographic range having been encrypted with the cryptographic rule,
the client apparatus has: a unit that sets a cipher rule and a cipher range of the SIP message received from the server device; a unit that encrypts and transmits a cipher range of a SIP message to the server apparatus using the cipher rule; and means for decrypting a SIP message received from the server device and the cryptographic range having been encrypted with the cryptographic rule.
9. The client/server type distributed system according to claim 1,
the server device includes: a unit configured to set a password of the SIP message input from outside, a password rule used for encrypting the SIP message, and a password range of the SIP message; a unit configured to notify the client apparatus of the presence or absence of a password, a password rule, and a password range of the SIP message; means for encrypting a password range of the SIP message by using the password rule and transmitting the encrypted SIP message to the client apparatus during the transmission/reception of the SIP message with a password; and a unit configured to decrypt a SIP message which is received from the client apparatus and has the encryption range encrypted by the encryption rule, in the encrypted transmission/reception of the SIP message,
The client apparatus has: a unit configured to set a password rule, a password range, and the presence or absence of a password of the SIP message received from the server device; means for encrypting a cipher range of the SIP message by using the cipher rule and transmitting the encrypted range to the server apparatus during transmission and reception of the SIP message with a cipher; and a unit configured to decrypt the SIP message, which is received from the server device and has the encryption range encrypted by the encryption rule, during transmission and reception of the SIP message with the encryption.
10. The client/server type distributed system according to claim 1,
the server device includes: a unit configured to set, when a password is set to be absent with the client apparatus, whether or not a password of the SIP message is externally input, a password rule used for encrypting the SIP message, and a password range of the SIP message; a unit configured to notify the client apparatus of the presence or absence of a password, a password rule, and a password range of the SIP message; a unit that generates a key for encrypting the SIP message; means for encrypting a cipher range of the SIP message by using the cipher rule and the key and transmitting the encrypted range to the client apparatus during the encrypted transmission/reception of the SIP message; and a unit configured to decrypt, in the cryptographical transmission/reception of the SIP message, the SIP message which is received from the client apparatus and the cryptographical range of which has been encrypted using the cryptographical rule and the key,
The client apparatus has: a unit configured to set a password rule, a password range, and the presence or absence of a password of the SIP message received from the server device; a unit that generates a key for encrypting the SIP message; means for encrypting a cipher range of the SIP message by using the cipher rule and the key and transmitting the encrypted range to the server apparatus during transmission and reception of the SIP message with a cipher; and a unit configured to decrypt, in the encrypted transmission/reception of the SIP message, the SIP message that is received from the server device and that has the encryption range encrypted by the encryption rule and the key.
11. The client/server type distributed system according to claim 10,
the keys generated in the server device and the client device are synchronized with each other, and are generated based on random parameters determined in a unified manner when the client device initially accesses the server device.
12. The client/server type distributed system according to claim 1,
When the encryption information is set in both the client apparatus and the server apparatus and the encryption and decryption of the SIP message are performed based on the encryption information,
the server apparatus includes: a unit for setting password information inputted from outside for use in SIP message transmission and reception with the client device; a unit that randomly generates a key for encrypting the SIP message; a unit that encrypts new cryptographic information including the key using the cryptographic information currently in use and notifies the client apparatus of the new cryptographic information; means for encrypting and transmitting the SIP message using the new password information when transmitting the SIP message to the client apparatus during the transmission and reception of the SIP message; and a unit for decrypting the SIP message which has been received from the client apparatus and has been encrypted, using the new cryptographic information,
and receives and decrypts, during a certain period after the change of the cryptographic information, data encrypted with the previously used cryptographic information,
and, the client apparatus includes: a unit that decrypts and sets new password information that is received from the server device and that has been encrypted with password information currently in use; means for encrypting and transmitting the SIP message using the new password information when transmitting the SIP message to the server apparatus during transmission and reception of the SIP message; and a unit that decrypts with the new cryptographic information a SIP message that has been received from the server apparatus and that has been encrypted with the new cryptographic information,
and receives and decrypts, within a certain period after the cryptographic information is changed, data encrypted with the previously used cryptographic information.
13. The client/server type distributed system according to claim 12,
in distributing the key generated by the server apparatus, the key is necessarily encrypted in the SIP messaging between the server apparatus and the client apparatus.
14. The client/server type distributed system according to claim 12,
in distributing the key generated by the server apparatus, new cryptographic information including cryptographic information other than the key is encrypted in its entirety in the SIP messaging between the server apparatus and the client apparatus.
15. The client/server type distributed system according to claim 12,
when the client device and the server device change from a non-encryption state to an encryption state in the SIP message transmission/reception between the client device and the server device, after the setting of encryption information using keys generated in synchronization in both the client device and the server device is completed, a new key automatically generated by the server device is encrypted and distributed, and the encryption setting of the transmission/reception of the SIP message is completed using the new encryption information.
16. The client/server type distributed system according to claim 1,
the client apparatus and the server apparatus are both provided with the encryption information, and in a state where the encryption and decryption of the SIP message are performed based on the set encryption information,
the server device includes: a unit for setting password information inputted from outside; a unit for determining a key information change flow including a key generation method according to whether the password of the new password information is set and whether the currently set password is set when the new password information is input from the outside; means for notifying the client device of the new password information; and a unit that updates settings to encrypt and decrypt based on the new cryptographic information,
the client apparatus has: a unit that sets new password information received from the server apparatus; a unit for deciding any mode of the key generation and setting modes according to the received new password information and the current password existence state; and a unit that updates settings to encrypt and decrypt based on the new cryptographic information,
after the update of the setting is completed, the password information is changed and set in synchronization between the client apparatus and the server apparatus, and the encryption and decryption of the SIP message are started with the new password information.
17. The client/server type distributed system according to claim 1,
the client apparatus and the server apparatus are both provided with the encryption information, and in a state where the encryption and decryption of the SIP message are performed based on the set encryption information,
the server device has a periodic update timer function for counting an update cycle of the password information, and includes: means for initializing the periodic update timer function when the password information is set, and automatically updating the password information when the timer times out; means for notifying the client device of the updated new password information; and a unit for resetting the periodic update timer function of the password information after the update and notification of the new password information,
the client apparatus has a unit that sets new password information received from the server apparatus,
after the notification of the new password information is completed, the client apparatus and the server apparatus synchronously change and set the password information, and start the encryption and decryption of the SIP message with the new password information.
18. The client/server type distributed system according to claim 17,
the client device and the server device are both provided with the encryption information, and in a state where the encryption and decryption of the SIP message are performed based on the set encryption information and the encryption information is periodically updated,
the server device includes a unit that sets a timer value for periodically updating the password information inputted from the outside.
19. The client/server type distributed system according to claim 1,
the server device includes a unit for setting the password information of the SIP message for each of a plurality of client devices existing in the system.
20. The client/server type distributed system according to claim 1,
the client apparatus has: a function of storing one or more cipher rules usable in the SIP message encryption/decryption process; and a function of notifying the server apparatus of a list of password rules that can be used as password capability information in advance,
the server device has a function of selecting one rule from the notified list of password rules according to an instruction from the outside and determining the password information.
21. A message encryption method for a client/server type distributed system of: a client device corresponding to an SIP protocol and a server device corresponding to the SIP protocol, which are respectively connected to a network, the SIP protocol operating over a UDP protocol, the message encryption method being characterized in that,
the server apparatus executes the following processing: setting password information used when the client device receives and transmits SIP messages; notifying the client device of cryptographic information of the SIP message; encrypting and transmitting the SIP message based on the password information when transmitting the SIP message to the client apparatus; decrypting the SIP message based on the cryptographic information when the SIP message that has been encrypted is received from the client device; and performing control corresponding to the decrypted content,
the client apparatus performs the following processing: setting password information of the SIP message received from the server apparatus; encrypting the SIP message based on the password information when the SIP message is transmitted to the server apparatus; decrypting the SIP message based on the cryptographic information upon receiving the SIP message that has been encrypted from the server apparatus; and performing control corresponding to the decrypted content,
The password information includes at least the password existence, the password rule, the password range of the SIP message that can be input from the outside, and the key of the SIP message that cannot be input from the outside.
22. The message encryption method according to claim 21,
the server apparatus encrypts and decrypts at least one of: a SIP message whole including a SIP header portion of the SIP message; and removing the SIP header portion of the SIP message and the SIP message outside the range arbitrarily set in the data following the SIP header,
the client device encrypts and decrypts at least one of: a SIP message whole including a SIP header portion of the SIP message; and removing the SIP header portion of the SIP message and the SIP message outside the range arbitrarily set in the data after the SIP header.
23. The message encryption method according to claim 21,
the server apparatus executes the following processing: setting a password range of the SIP message input from the outside; notifying the client device of the password range of the SIP message; and deciding whether to encrypt and decrypt at least any one of the following two based on the password range: the whole SIP message and the SIP message except the SIP header part of the SIP message and the SIP message outside the range arbitrarily set in the data after the SIP header,
The client apparatus performs the following processing: setting a password range of the SIP message received from the server apparatus; and deciding whether to encrypt and decrypt at least any one of the following two based on the password range: the whole SIP message and the SIP message except the SIP header part of the SIP message and the SIP message outside the range arbitrarily set in the data after the SIP header.
24. The message encryption method according to claim 21,
the server apparatus executes the following processing: setting the existence of the password of the SIP message input from the outside; notifying the client device of the presence or absence of the password of the SIP message; encrypting and transmitting the SIP message to the client apparatus in the password-mediated transmission and reception of the SIP message; and decrypting the encrypted SIP message received from the client device in the cryptographical transceiving of the SIP message,
the client apparatus performs the following processing: setting the presence or absence of a password of the SIP message received from the server apparatus; encrypting and transmitting the SIP message to the server apparatus during the password-mediated transmission and reception of the SIP message; and decrypting the encrypted SIP message received from the server device during the password-mediated transmission and reception of the SIP message.
25. The message encryption method according to claim 21,
the server apparatus executes the following processing: setting a cryptographic rule used for encryption of the SIP message inputted from the outside; notifying the client device of the cryptographic rule; encrypting the SIP message by using the encryption rule in the encrypted transmission and reception of the SIP message, and transmitting the SIP message to the client device; and decrypting a SIP message received from the client device and having been encrypted using the cryptographic rule,
the client apparatus performs the following processing: setting a cryptographic rule of the SIP message received from the server apparatus; encrypting the SIP message by using the encryption rule and transmitting the encrypted SIP message to the server apparatus during the transmission and reception of the SIP message with the encryption; and decrypting the SIP message which is received from the server device and encrypted by the encryption rule during the password-based transmission and reception of the SIP message.
26. The message encryption method according to claim 21,
the server apparatus executes the following processing: setting the existence of the password of the SIP message input from the outside and the password range of the SIP message; notifying the client device of the presence or absence of a password and a password range of the SIP message; encrypting and transmitting a password range of the SIP message to the client apparatus during password-mediated transmission and reception of the SIP message; and decrypting a SIP message received from the client device and the cryptographic range having been encrypted,
the client apparatus performs the following processing: setting the presence or absence of a password and a password range of the SIP message received from the server device; encrypting a password range of the SIP message and transmitting the encrypted SIP message to the server apparatus during the transmission and reception of the SIP message with the password; and decrypting, during the transmission and reception of the SIP message with the password, the SIP message that is received from the server device and the password range of which has been encrypted.
27. The message encryption method according to claim 21,
the server apparatus executes the following processing: setting the existence of a password of the SIP message input from the outside and a password rule used for encrypting the SIP message; notifying the client device of the presence or absence of a password and a password rule of the SIP message; encrypting the SIP message by using the encryption rule during the transmission and reception of the SIP message with the password and transmitting the SIP message to the client device; and decrypting, during the transmission and reception of the SIP message with the password, the SIP message received from the client device and encrypted by the encryption rule,
the client apparatus performs the following processing: setting a password rule and the presence or absence of a password of the SIP message received from the server apparatus; encrypting the SIP message by using the cipher rule during the transmission and reception of the SIP message with the password and sending the SIP message to the server device; and decrypting, during the transmission and reception of the SIP message with the password, the SIP message that is received from the server device and that has been encrypted with the password rule.
28. The message encryption method according to claim 21,
the server apparatus executes the following processing: setting a password rule used for encrypting the SIP message input from the outside and a password range of the SIP message; notifying the client device of the cryptographic rules and cryptographic ranges of the SIP message; encrypting and sending a cryptographic range of the SIP message to the client device using the cryptographic rule; and decrypting a SIP message received from the client device and the cryptographic range having been encrypted with the cryptographic rule,
the client apparatus performs the following processing: setting a password rule and a password range of the SIP message received from the server device; encrypting and transmitting a cipher range of a SIP message to the server device using the cipher rule; and decrypting a SIP message received from the server device and the cryptographic range having been encrypted with the cryptographic rule.
29. The message encryption method according to claim 21,
the server apparatus executes the following processing: setting the existence of a password of the SIP message input from the outside, a password rule used for encrypting the SIP message and a password range of the SIP message; notifying the client device of the presence or absence of a password, a password rule, and a password range of the SIP message; encrypting the encryption range of the SIP message by using the encryption rule in the password-free transmission and reception of the SIP message and transmitting the encrypted encryption range to the client device; and decrypting the SIP message received from the client device and the cryptographic range having been encrypted using the cryptographic rule in the cryptographical transceiving of the SIP message,
the client apparatus performs the following processing: setting the presence or absence of a password, a password rule, and a password range of the SIP message received from the server apparatus; encrypting a password range of the SIP message by using the password rule and transmitting the encrypted SIP message to the server apparatus during the transmission and reception of the SIP message with the password; and decrypting the SIP message which is received from the server device and the encryption range is encrypted by the encryption rule in the password-time transmission and reception of the SIP message.
30. The message encryption method according to claim 21,
the server apparatus executes the following processing: setting, when a password is set to be absent with the client apparatus, whether or not a password of the SIP message input from outside, a password rule used for encrypting the SIP message, and a password range of the SIP message; notifying the client device of the presence or absence of a password, a password rule, and a password range of the SIP message; generating a key for encrypting the SIP message; encrypting a cipher range of the SIP message by using the cipher rule and the key and transmitting the encrypted range to the client apparatus in the encrypted transmission/reception of the SIP message; and decrypting the SIP message received from the client device and the cryptographic range having been encrypted using the cryptographic rule and the key in the cryptographically timed transceiving of the SIP message,
the client apparatus performs the following processing: setting the presence or absence of a password, a password rule, and a password range of the SIP message received from the server apparatus; generating a key for encrypting the SIP message; encrypting a cipher range of the SIP message by using the cipher rule and the key and transmitting the encrypted range to the server apparatus in the transmission and reception of the SIP message with the cipher; and decrypting the SIP message, which is received from the server device and the encryption range of which has been encrypted using the encryption rule and the key, in the crypto-temporal transceiving of the SIP message.
31. The message encryption method of claim 30,
the keys generated in the server device and the client device are synchronized with each other, and are generated based on random parameters determined in a unified manner when the client device initially accesses the server device.
32. The message encryption method according to claim 21,
when the encryption information is set in both the client apparatus and the server apparatus and the encryption and decryption of the SIP message are performed based on the encryption information,
the server apparatus executes the following processing: setting password information inputted from the outside for use in the SIP message transmission/reception with the client apparatus; randomly generating a key for encrypting the SIP message; encrypting new cryptographic information including the key using the cryptographic information currently in use and notifying the client device; encrypting and transmitting the SIP message using the new password information when transmitting the SIP message to the client apparatus in the transmission and reception of the SIP message; and decrypting the SIP message received from the client device and encrypted using the new cryptographic information,
receiving and decrypting data encrypted by the cryptographic information used last time during a certain period after the change of the cryptographic information,
and, the client apparatus executes the following processing: decrypting and setting new password information which is received from the server apparatus and has been encrypted with the password information currently in use; encrypting and transmitting the SIP message by using the new password information when the SIP message is transmitted to the server device during the transmission and reception of the SIP message; and decrypting the SIP message received from the server device and encrypted with the new cryptographic information,
and receiving and decrypting data encrypted by the last used cryptographic information within a certain period after the cryptographic information is changed.
33. The message encryption method of claim 32,
in distributing the key generated by the server apparatus, the key is necessarily encrypted in the SIP messaging between the server apparatus and the client apparatus.
34. The message encryption method of claim 32,
in distributing the key generated by the server apparatus, new cryptographic information including cryptographic information other than the key is encrypted in its entirety in the SIP messaging between the server apparatus and the client apparatus.
35. The message encryption method of claim 32,
when the client device and the server device change from a non-encryption state to an encryption state in the SIP message transmission/reception between the client device and the server device, after the setting of encryption information using keys generated in synchronization in both the client device and the server device is completed, a new key automatically generated by the server device is encrypted and distributed, and the encryption setting of the transmission/reception of the SIP message is completed using the new encryption information.
36. The message encryption method according to claim 21,
the client apparatus and the server apparatus are both provided with the encryption information, and in a state where the encryption and decryption of the SIP message are performed based on the set encryption information,
the server apparatus executes the following processing: setting password information input from the outside; when inputting new password information from outside, determining a key information change flow including a key generation mode according to the existence of the password of the new password information and the existence of the current set password; notifying the client device of the new password information; and updating settings to encrypt and decrypt based on the new cryptographic information,
the client apparatus performs the following processing: setting new password information received from the server apparatus; determining any mode of key generation and setting modes according to the received new password information and the current password state; and updating settings to encrypt and decrypt based on the new cryptographic information,
after the update of the setting is completed, the password information is changed and set in synchronization between the client apparatus and the server apparatus, and the encryption and decryption of the SIP message are started with the new password information.
37. The message encryption method according to claim 21,
the client apparatus and the server apparatus are both provided with the encryption information, and in a state where the encryption and decryption of the SIP message are performed based on the set encryption information,
the server device has a periodic update timer function for counting an update cycle of the password information, and executes: initializing and setting the periodic updating timer function when the password information is set, and automatically updating the password information when the password information is overtime; notifying the client device of the updated new password information; and resetting the periodic update timer function of the password information after the update and notification of the new password information,
the client apparatus performs a process of setting new password information received from the server apparatus,
after the notification of the new password information is completed, the client apparatus and the server apparatus synchronously change and set the password information, and start the encryption and decryption of the SIP message with the new password information.
38. The message encryption method of claim 37,
the client device and the server device are both provided with the encryption information, and in a state where the encryption and decryption of the SIP message are performed based on the set encryption information and the encryption information is periodically updated,
the server device executes a process of setting a timer value for periodically updating the password information inputted from the outside.
39. The message encryption method according to claim 21,
the server apparatus executes the following processing: for a plurality of client devices existing in the system, password information of the SIP message is set for each of the client devices.
40. The message encryption method according to claim 21,
the client device holds one or more cryptographic rules that can be used in the SIP message encryption/decryption process, and notifies the server device in advance of a list of cryptographic rules that can be used as cryptographic capability information,
the server device determines the password information by selecting one from the notified list of the password rules according to an instruction from the outside.
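The key change of claim 32 (a randomly generated key notified under the cryptographic information currently in use, with data under the last-used information still accepted for a certain period) can be shown in code. This is an added example, not code from the patent: the `Endpoint` class, the 30-second window, the pre-shared starting key and the HMAC-SHA256 stand-in for the cipher rule are all assumptions.

```python
import hashlib
import hmac
import os
import time
# Stand-in cipher rule (assumption, not from the patent): HMAC-SHA256 keystream, encrypt-then-MAC.
def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(_prf(key, b"enc" + nonce + i.to_bytes(4, "big")) for i in blocks)
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = nonce + _xor(key, nonce, plaintext)  # 16-byte nonce, then ciphertext
    return body + _prf(key, b"mac" + body)

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, _prf(key, b"mac" + body)):
        return None                             # not sealed under this key
    return _xor(key, body[:16], body[16:])

class Endpoint:
    def __init__(self, key, grace=30.0, clock=time.monotonic):
        self.current, self.previous, self.expiry = key, None, 0.0
        self.grace, self.clock = grace, clock

    def _install(self, new_key):
        self.previous, self.expiry = self.current, self.clock() + self.grace
        self.current = new_key                  # old key stays usable for `grace` seconds

    def rotate(self):
        new_key = os.urandom(32)                # server: randomly generated key
        notice = seal(self.current, new_key)    # notified under the key in use
        self._install(new_key)
        return notice

    def accept_rotation(self, notice):
        new_key = unseal(self.current, notice)  # client: must verify under the key in use
        if new_key is None:
            raise ValueError("key-change notice rejected")
        self._install(new_key)

    def receive(self, blob):
        msg = unseal(self.current, blob)
        if msg is None and self.previous is not None and self.clock() < self.expiry:
            msg = unseal(self.previous, blob)   # last-used key, only inside the window
        return msg
```

A message sealed just before the change still decrypts until the window closes; after that, only the new key is accepted, which bounds how long a retired key remains useful.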
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2006-206687 | 2006-07-28 | | |
| JP2006206687A JP4299846B2 (en) | 2006-07-28 | 2006-07-28 | Client / server distributed system, client device, server device, and message encryption method used therefor |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1117295A1 (en) | 2009-01-09 |
| HK1117295B (en) | 2013-11-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8166293B2 (en) | | Client server distributed system, client apparatus, server apparatus, and message encryption method used therefor |
| US5812671A (en) | | Cryptographic communication system |
| JP4603043B2 (en) | | Method for transmitting sync ML synchronization data |
| KR101394730B1 (en) | | Identity based authenticated key agreement protocol |
| JP4814339B2 (en) | | Constrained encryption key |
| US20070271606A1 (en) | | Apparatus and method for establishing a VPN tunnel between a wireless device and a LAN |
| JP2013502782A (en) | | Method, device, and network system for negotiating encryption information |
| US20080025516A1 (en) | | Client server distributed system, server apparatus, client apparatus, and inter-client rtp encrypting method used for them |
| CN108847938A (en) | | A kind of connection method for building up and device |
| US8793494B2 (en) | | Method and apparatus for recovering sessions |
| WO2016134631A1 (en) | | Processing method for openflow message, and network element |
| Elemam et al. | | A secure MQTT protocol, telemedicine IoT case study |
| US10848471B2 (en) | | Communication apparatus, communication method, and program |
| HK1117295B (en) | | Client-server distributed system, client apparatus, server apparatus, and message encryption method used therefor |
| CA2561644C (en) | | A method to leverage a secure device to grant trust and identity to a second device |
| JP2023138927A (en) | | System and method for managing data-file transmission and access right to data file |
| CN111130796B (en) | | Secure online cloud storage method in instant messaging |
| WO2000038392A2 (en) | | Apparatus and method for distributing authentication keys to network devices in a multicast |
| JP2009071481A (en) | | Communication control system, terminal, and program |
| CN115941177B (en) | | A virtual server-side distributed key authentication system and method |
| KR100545628B1 (en) | | Security association negotiation and key exchange system and method |
| HK1116954B (en) | | Client-server distributed system and inter-client rtp encrypting method |
| Bonachea et al. | | SafeTP: Transparently securing FTP network services |
| Cvrk et al. | | H. 323 client-independent security approach |
| HK40012131A (en) | | Method and system for accessing to-be-distributed network equipment to netwokr hotspot equipment |