WO2017091000A1 - Système et procédé de codage et de décodage de données (System and method for encoding and decoding data) - Google Patents
- Publication number: WO2017091000A1 (PCT application PCT/KR2016/013609)
- Authority: WO (WIPO, PCT)
- Prior art keywords: data, key, packet, encryption, session key
- Prior art date
- Legal status: Ceased (Google notes that the listed status is an assumption and not a legal conclusion; no legal analysis was performed)
Classifications
- H04L9/40: Network security protocols (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication; H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols)
- H04L12/22: Arrangements for preventing the taking of data from a data transmission channel without authorisation (H04L12/00: Data switching networks; H04L12/02: Details)
Definitions
- the present invention relates to a data encryption and decryption system and method that encrypts and decrypts data transmitted and received between terminals over various private and public networks, in order to prevent hacking, eavesdropping and wiretapping and to maintain a high level of security.
- a data encryption and decryption system and method are described.
- various terminals operating in private or public, wired or wireless networks, for example PCs, laptops, VoIP phones, fax terminals and mobile phones, can suffer enormous physical or financial damage from various kinds of hacking.
- users therefore generally rely on data encryption or an encryption device to prevent data leakage, or the disabling of their security devices, through hacking.
- an embodiment of the present invention provides a data encryption and decryption system and method that encrypts data transmitted over various private and public networks so as to prevent hacking, eavesdropping and wiretapping in advance.
- the data encryption and decryption method may include generating the encrypted data in a data encryption unit that transmits encrypted data over a communication network to a second terminal connected to the communication network, the method comprising: a) receiving data from the first terminal in the encryption module; and b) generating the encrypted data using an encryption key in the encryption module, wherein step a) comprises: a1) determining, before the data is received, that at least one of a session key and a packet key is to be used as the encryption level of the data.
- the encryption module acquires and holds a session key generated beforehand, either externally or by the encryption module itself, and the encryption level of the data is thereby increased.
- the encryption module may be configured to use the packet key.
- step b) comprises: b1) checking whether the session key is held; b2) checking whether the packet key is to be used; and b3) encrypting the data to generate the encrypted data.
- in step b3), if step b1) determines that the session key is held, step b2) is performed: if step b2) determines that use of the packet key is set, the encrypted data is generated using both the session key and the packet key, and if step b2) determines that use of the packet key is not set, the encrypted data is generated using only the session key. If step b1) determines that the session key is not held, the encrypted data may be generated using the packet key without performing step b2).
- a data encryption and decryption system includes a data encryption unit, connected between a first terminal and a communication network, that receives data from the first terminal and transmits encrypted data over the communication network to a second terminal connected to the communication network; and an encryption module that generates the encrypted data by encrypting the data using at least one of a session key and a packet key, wherein the encryption module receives from a user, before receiving data from the first terminal, a setting for using at least one of the session key and the packet key.
- when the session key is set to be used, the encryption module acquires and holds, before receiving data from the first terminal, a session key generated beforehand either externally or by the encryption module itself; and when the packet key is set to be used,
- a packet key generated from the packet header information of the packet received from the first terminal may be used.
- the encryption module may check whether the session key is held and whether the packet key is used before encrypting the data.
- when the session key is held and the packet key is set to be used, the encryption module encrypts the data using both the session key and the packet key; when the session key is held but the packet key is not set to be used, the data is encrypted using only the session key; and when the session key is not held, the data may be encrypted using the packet key.
- the encryption module may include a 1-1 input/output unit configured to receive the data from the first terminal; a first security unit, connected to the 1-1 input/output unit, that encrypts the data and receives the setting from the user; and a first input/output unit, connected to the first security unit, that receives the encrypted data and transmits it to the communication network. The encryption module may be a non-address network device that generates the session key without an IP address being set.
- a data encryption and decryption method may further include decrypting the encrypted data in a data decryption unit that receives encrypted data over the communication network from a first terminal connected to the communication network, the method comprising: a) receiving the encrypted data from the communication network in the encryption module; and b) decrypting the encrypted data using a decryption key in the encryption module, wherein step a) may further comprise: a1) checking whether the encryption module holds a session key generated beforehand either externally or in the encryption module.
- in step b), when step a1) determines that the encryption module holds the session key, the session key is used as the decryption key; when it is determined that the session key is not held,
- a packet key is used as the decryption key, and the packet key may be generated using the header information of each packet of the encrypted data.
- the step b) may further include performing decryption using the packet key after performing the decryption using the session key.
- a data encryption and decryption system includes a data decryption unit, connected between a second terminal and the communication network, that receives encrypted data over the communication network from a first terminal connected to the communication network and forwards it; and an encryption module that decrypts the encrypted data using at least one of a session key and a packet key to generate decrypted data, wherein the encryption module checks whether it holds the session key before receiving the encrypted data from the communication network.
- when the encryption module holds the session key, it decrypts the encrypted data using the session key; when it is determined that the encryption module does not hold the session key,
- the encrypted data may be decrypted using a packet key generated from the header information of each packet of the encrypted data.
- the encryption module may first decrypt the encrypted data using the session key and then perform a second decryption of the primarily decrypted data using the packet key.
- the encryption module may include a 2-1 input/output unit configured to receive the encrypted data from the communication network; a second security unit, connected to the 2-1 input/output unit, that decrypts the encrypted data to generate decrypted data and holds the session key; and a 2-2 input/output unit, connected to the second security unit, that receives the decrypted data and transfers it to the second terminal.
- the encryption module may be a non-address network device that generates the session key without an IP address being set.
- the data encryption and decryption system and method according to an embodiment of the present invention, by encrypting and decrypting the data, has the effect of preventing hacking, eavesdropping, wiretapping and the like over a variety of private or public networks.
- because the network device connected to each terminal is a non-address network device for which no IP address or account needs to be set, hackers cannot connect to the terminal; the effect is, for example, that a kind of virtual private network is formed.
- FIG. 1 is a block diagram of a data encryption and decryption system according to an embodiment of the present invention.
- FIG. 2 is a flow chart of a) generating a session key using the system of FIG. 1 according to an embodiment of the present invention, and b) another embodiment of the system of FIG. 1 in which non-address network devices are used to generate the session key.
- FIG. 3 is a flow chart illustrating a) a method of encrypting and decrypting data using an encryption key, b) a detailed flow chart of the step of encrypting data and transmitting it to a communication network, and c) a detail of the step of decrypting and outputting encrypted data.
- FIG. 1 is a block diagram of a data encryption and decryption system according to an embodiment of the present invention.
- a data encryption unit 10 is connected to a data decryption unit 20 through a communication network 30.
- the data encryption unit 10 and the data decryption unit 20 may change roles depending on a terminal to which data is to be transmitted.
- when the first terminal 11 transmits data to the second terminal 21, the first terminal 11 and the first encryption module 13 are set as the data encryption unit 10, and the second terminal 21 and the second encryption module 23 may be set as the data decryption unit 20.
- conversely, when the second terminal 21 intends to transmit data to the first terminal 11, the first terminal 11 and the first encryption module 13 may be set as the data decryption unit 20, and the second terminal 21 and the second encryption module 23 may be set as the data encryption unit 10.
- the communication network 30 may include a dedicated network or a public network, and may include a wired network such as the Internet or PSTN or a wireless network such as Zigbee or Bluetooth.
- the description below assumes that the first terminal 11 and the first encryption module 13 act as the data encryption unit 10 that encrypts the data, and that the second terminal 21 and the second encryption module 23 act as the data decryption unit 20 that decrypts it; it is obvious that this assignment may change according to the transmission direction of the data, as described above.
- the first terminal 11 may transmit data to the second terminal 21 through the communication network 30.
- the data encryption and decryption system 1 may include a first encryption module 13 connected to the first terminal 11 and a second encryption module 23 connected to the second terminal 21, and may exchange the session keys used for encrypting and decrypting data through the first encryption module 13 and the second encryption module 23.
- in FIG. 1 the terminals 11 and 21 and the encryption modules 13 and 23 are shown as externally connected, but the present invention is not limited thereto; the encryption modules 13 and 23 may instead be embedded in the terminals 11 and 21 as software or hardware, respectively.
- FIG. 2 is a flow chart of a) generating a session key using the system of FIG. 1 according to an embodiment of the present invention, and b) another embodiment of the system of FIG. 1 in which non-address network devices are used to generate the session key.
- to encrypt and decrypt data, a session key is required.
- however, the session key may be leaked to the outside through hacking or eavesdropping on the communication network.
- therefore, the data encryption unit 10 and the data decryption unit 20 may generate a session key using a public key exchange algorithm.
- the session key generation method comprises: the first encryption module transmitting a reprocessed call packet to the communication network (S210); the second encryption module generating a session key using the reprocessed call packet (S220); the second encryption module transmitting a reprocessed response packet to the communication network (S230); and the first encryption module generating a session key using the reprocessed response packet (S240).
- first, the first encryption module transmits the reprocessed call packet to the communication network (step S210).
- the first terminal generates a call packet for performing a TCP connection with the second terminal and delivers it to the first encryption module.
- the call packet is a packet provided to generate a session key before transmitting data in earnest, and does not include data that the first terminal wants to transmit by encrypting.
- the first encryption module receives the call packet from the first terminal and generates a first private key.
- the first private key is a random number generated in the first encryption module; it is not transmitted to the second encryption module over the communication network and is used only for generating the session key in the first encryption module.
- the first encryption module generates a specific value k using the first address and the second address included in the header portion of the call packet.
- the first address and the second address are the IP addresses of the first terminal and the second terminal respectively: the IP address of the terminal transmitting the data may be represented by the first address, and the IP address of the terminal to which the data is to be transmitted by the second address.
- after generating the specific value k, the first encryption module generates the first public key by combining the previously stored value y, the first private key, and the specific value k.
- the generated first public key may be included in the payload of the call packet and transferred to the second encryption module.
- the payload of the call packet may be reprocessed in the first encryption module to include information for generating a session key.
- the payload of the call packet includes at least one of an encryption ID, a serial number capable of specifying a first encryption module, and a first public key.
- the encryption ID may be a random number having a specific length indicating that the packet has been reprocessed
- the serial number may be a value generated to distinguish the first encryption module.
- the second encryption module generates a session key using the reprocessed call packet (step S220).
- the second encryption module receives the packet from the communication network. At this time, the second encryption module checks whether the encryption ID is included in the payload of the received packet. If the encryption ID is not included in the payload, the second encryption module may determine that the packet is not a packet transmitted from the first encryption module and drop the packet.
- otherwise, the second encryption module may determine that the packet is a reprocessed call packet transmitted from the first encryption module, and use it to generate a session key.
- upon receipt of the reprocessed call packet, the second encryption module generates a second private key. The second private key is a random value generated in the second encryption module; it is not transmitted to the first encryption module over the communication network and is used to generate the session key in the second encryption module.
- the second encryption module generates a specific value k using the first address and the second address included in the header portion of the packet.
- the second encryption module may further use the port value to generate a specific value k, and the generated specific value k may be the same as the specific value k generated in the first encryption module. This is because the first address, the second address, and the port value used to generate the specific value k, respectively, in the first and second encryption modules are the same.
- the second encryption module may generate a session key by combining the first public key included in the payload, the decimal value y stored in the device, and the second private key.
- after the session key is generated, the payload portion of the call packet is deleted so that the packet is restored to the call packet as generated by the first terminal, and the packet is transmitted to the second terminal.
- next, the second encryption module transmits the reprocessed response packet to the communication network (step S230).
- after receiving the call packet from the second encryption module, the second terminal generates a response packet in reply to the call packet, and the response packet is delivered to the second encryption module.
- the second encryption module may generate a second public key by combining the previously stored value y, the second private key, and the specific value k.
- the second encryption module may reprocess the response packet so that at least one of an encryption ID, a serial number that identifies the second encryption module, and the second public key is included in its payload, and the reprocessed response packet may be transmitted to the communication network.
- the first encryption module generates a session key using the reprocessed response packet (step S240).
- the first encryption module receives the packet from the communication network and checks whether the encryption ID is included in the payload of the packet. When the encryption ID is not included in the payload, the first encryption module may determine that the packet is not a packet transmitted from the second encryption module and drop the packet.
- otherwise, the first encryption module may determine that the packet is a reprocessed response packet and use it to generate a session key.
- the first encryption module may generate a session key by combining the second public key included in the payload of the reprocessed response packet, the previously stored decimal value y, and the first private key.
- the payload portion of the response packet may be deleted and transformed into the same response packet generated by the second terminal, and then the packet may be delivered to the first terminal.
- the session key generation method (S200) for data encryption and decryption described above is performed before data transmission in the case of TCP communication, so that a new session key is generated for each communication and security is increased. In the case of UDP communication, the session key may be set to be regenerated when the communication is disconnected for longer than a preset time, or when the communication status changes relative to the current communication, such as when a new communication is configured or the communication program in use is changed; this increases security against session hijacking.
- as the session key generation algorithm that uses public keys to generate a session key in an embodiment of the present invention, the Diffie-Hellman algorithm is typically used, but this is only one example: any algorithm that can generate a session key for encryption may be used.
- a non-address network device refers to a network device for which the IP address, MAC address or similar required for transmitting and receiving data is not set, or for which no account is required.
- referring to FIG. 2B, in the data encryption and decryption system 2 the first encryption module 13 may be replaced by a first non-address network device 130 comprising a 1-1 input/output unit 131, a first security unit 133 and a 1-2 input/output unit 135, and the second encryption module 23 may be replaced by a second non-address network device 230 comprising a 2-1 input/output unit 231, a second security unit 233 and a 2-2 input/output unit 235. Since the first and second non-address network devices have no IP address, they cannot be reached directly from the outside over the communication network or the like, and are therefore highly resistant to hacking into the device.
- accordingly, data transmitted from the terminals 11 and 21 may be encrypted or decrypted using a session key generated through public key exchange between the non-address network devices 130 and 230, independently of the terminals 11 and 21,
- which produces the same effect as communication over a virtual private network.
- a data encryption and decryption system 2 using non-address network devices may include a first terminal 11, a first non-address network device 130, a communication network 30, a second terminal 21, and a second non-address network device 230.
- the first terminal 11 may have a first address,
- the second terminal 21 may have a second address,
- and the first terminal 11 and the second terminal 21 may each have different accounts.
- the first non-address network device 130 and the second non-address network device 230 must hold the same session key for encrypting and decrypting data. However, when the session key is directly shared, since the session key data is not encrypted, session key information may be leaked through hacking or eavesdropping, and thus encryption information may be attacked. Therefore, the first non-address network device 130 and the second non-address network device 230 may perform a process of generating the same session key in each device through public key exchange before sharing data.
- FIG. 2C illustrates an example of TCP communication using the Diffie-Hellman algorithm in a method for generating a session key by a data encryption and decryption system using non-address network devices according to an embodiment of the present invention.
- the first terminal 11 has a first address represented by 192.168.123.10 and is connected to the first non-address network device 130, and the second terminal 21 has a second address represented by 192.168.456.7
- and is connected to the second non-address network device 230.
- the first terminal 11 generates a call packet for performing a TCP connection with the second terminal 21 and transmits it to the first non-address network device 130.
- the call packet is a packet provided to generate a session key before the data is transmitted in earnest, and preferably does not include the data that the first terminal 11 wants to encrypt and transmit.
- the first non-address network device 130 receives a call packet from the first terminal 11 through the 1-2 input / output unit 135 and generates a first private key in the first security unit 133.
- the first private key is a random number generated by the first security unit 133; it is not transmitted to the second non-address network device 230 over the communication network 30, and is a value required by the first non-address network device 130
- for generating the session key. Thereafter, the first security unit 133 generates a specific value k using the first address and the second address included in the header portion of the call packet; preferably, the first security unit 133 may further use the port value to generate the specific value k.
- after generating the specific value k, the first security unit 133 generates the first public key by combining the previously stored decimal value y, the first private key, and the specific value k.
- the generated first public key may be included in the payload of the call packet and transferred to the second non-address network device 230.
- the payload of the call packet may be reprocessed by the first security unit 133 to include information for generating a session key.
- the payload of the call packet includes at least one of an encryption ID, a serial key value of the first non-address network device 130, and a first public key.
- the encryption ID is a random value of a specific length indicating that the packet is reprocessed
- the serial key value may be generated for each non-address network device and may be generated to distinguish the non-address network device.
- the reprocessed call packet is transmitted to the communication network via the 1-1 input / output unit 131 and is delivered to the second non-address network device 230.
- when the second security unit 233 of the second non-address network device 230 receives the packet through the 2-1 input/output unit 231, it checks whether an encryption ID is included in the payload of the packet. If the encryption ID is not included in the payload, the second security unit 233 may determine that the packet was not transmitted from the first non-address network device 130 and drop it.
- otherwise, the second security unit 233 may determine that the packet was transmitted from the first non-address network device 130 and use it to generate a session key.
- when the second security unit 233 receives the reprocessed call packet, it generates a second private key. The second private key is a random number generated by the second security unit 233; it is not forwarded to the first non-address network device 130 over the communication network 30 and is used to generate the session key at the second non-address network device 230.
- the second security unit 233 generates a specific value k using the first address and the second address included in the header portion of the packet.
- the second security unit 233 may further use the port value to generate a specific value k, and the generated specific value k may be the same value as the specific value k generated by the first security unit 133. This is because the first address, the second address, and the port value used by the first and second security units 133 and 233 to generate the specific value k are the same.
- the second security unit 233 may generate a session key by combining the first public key included in the payload, the decimal value y stored in the device, and the second private key, and may reprocess the call packet after generating the session key:
- the payload portion of the call packet is deleted so that the packet is restored to the call packet generated by the first terminal 11, and the packet is then transferred to the second terminal 21 through the 2-2 input/output unit 235.
- after receiving the call packet, the second terminal 21 generates a response packet in reply to the call packet, and the response packet is passed to the second security unit 233 through the 2-2 input/output unit 235.
- the second security unit 233 generates a second public key by combining the previously stored value y, the second private key, and the specific value k.
- the second security unit 233 may reprocess the response packet so that at least one of the encryption ID, the serial key value of the second non-address network device 230, and the second public key is included in the payload of the response packet.
- the reprocessed response packet is transmitted to the communication network through the 2-1 input/output unit 231 and delivered to the first non-address network device 130.
- the first non-address network device 130 receives the reprocessed response packet through the 1-1 input / output unit 131 and checks whether an encryption ID is included in the payload. In this case, when the encryption ID is not included in the payload, the first security unit 133 may determine that the packet is not a packet transmitted from the second non-address network device 230 and drop the packet.
- otherwise, the first security unit 133 determines that the packet was transmitted from the second non-address network device 230 and uses it to generate a session key.
- the first security unit 133 may generate a session key by combining the second public key included in the payload, the previously stored decimal value y, and the first private key.
- the response packet may be reprocessed after the session key is generated: the payload portion of the packet is deleted so that it is restored to the response packet generated by the second terminal 21, and it is then transmitted to the first terminal 11 through the 1-2 input/output unit 135.
- the session key generation process described above with reference to FIG. 2C is performed before data transmission in the case of TCP communication, so that a new session key is generated for each data exchange and security is increased.
- security can also be increased by generating a new session key when the communication status changes relative to the current communication, such as when a new communication is configured or the communication program in use is changed.
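The call/response exchange of steps S210 to S240, and its FIG. 2C walkthrough on the non-address network devices, as a worked example added here; this is not code from the patent or from any product. It models the specific value k as a Diffie-Hellman generator derived from the call packet's first address, second address and port, the stored decimal value y as the modulus (a toy 31-bit prime so the example runs instantly), each public key as k raised to the private key modulo y, and the session key as a hash of the shared secret. The payload layout (encryption ID, serial number, public key), the marker value and the serial numbers are constructed assumptions; the two IP addresses are the page's own example values used as opaque strings.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# The page's stored "decimal value y", modelled as a Diffie-Hellman modulus.
# 2**31 - 1 is a toy prime (assumption: a real device would hold a large standard prime).
Y_MODULUS = 2 ** 31 - 1
# Constructed 4-byte "encryption ID" marking a reprocessed packet (assumed layout).
ENCRYPTION_ID = b"\x7e\x3a\x19\xc4"
SERIAL_LEN = 16
PUBLIC_LEN = 8


@dataclass
class Packet:
    src_ip: str          # first address (originating terminal)
    dst_ip: str          # second address (destination terminal)
    port: int
    payload: bytes = b""


def specific_value_k(src_ip: str, dst_ip: str, port: int) -> int:
    """k from the call packet header. Both modules see the same header, so they
    obtain the same k. Reduced into [2, y-2] so it can act as the DH generator."""
    digest = hashlib.sha256(f"{src_ip}|{dst_ip}|{port}".encode()).digest()
    return 2 + int.from_bytes(digest, "big") % (Y_MODULUS - 3)


def encode_payload(serial: str, public_key: int) -> bytes:
    """Reprocessed payload: encryption ID | serial number | public key."""
    return (ENCRYPTION_ID
            + serial.encode().ljust(SERIAL_LEN, b"\0")
            + public_key.to_bytes(PUBLIC_LEN, "big"))


def parse_payload(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (serial, public key), or None when the encryption ID is absent,
    which is the page's condition for dropping the packet."""
    if len(payload) != len(ENCRYPTION_ID) + SERIAL_LEN + PUBLIC_LEN:
        return None
    if not payload.startswith(ENCRYPTION_ID):
        return None
    serial = payload[len(ENCRYPTION_ID):len(ENCRYPTION_ID) + SERIAL_LEN].rstrip(b"\0").decode()
    return serial, int.from_bytes(payload[-PUBLIC_LEN:], "big")


class EncryptionModule:
    """One encryption module (or non-address network device) between a terminal and the network."""

    def __init__(self, serial: str) -> None:
        self.serial = serial
        self.private_key: Optional[int] = None   # never leaves the device
        self.k: Optional[int] = None
        self.session_key: Optional[bytes] = None

    def _public_key(self) -> int:
        return pow(self.k, self.private_key, Y_MODULUS)

    def _derive_session_key(self, peer_public: int) -> bytes:
        shared = pow(peer_public, self.private_key, Y_MODULUS)
        return hashlib.sha256(shared.to_bytes(PUBLIC_LEN, "big")).digest()

    def reprocess_call(self, call: Packet) -> Packet:
        """S210: fresh private key, k from the header, own public key into the payload."""
        self.private_key = 1 + secrets.randbelow(Y_MODULUS - 2)
        self.k = specific_value_k(call.src_ip, call.dst_ip, call.port)
        return Packet(call.src_ip, call.dst_ip, call.port,
                      encode_payload(self.serial, self._public_key()))

    def handle_call(self, pkt: Packet) -> Optional[Packet]:
        """S220: drop packets lacking the encryption ID; otherwise derive the session
        key and forward the call packet to the terminal with the payload removed."""
        parsed = parse_payload(pkt.payload)
        if parsed is None:
            return None
        _peer_serial, peer_public = parsed
        self.private_key = 1 + secrets.randbelow(Y_MODULUS - 2)
        self.k = specific_value_k(pkt.src_ip, pkt.dst_ip, pkt.port)
        self.session_key = self._derive_session_key(peer_public)
        return Packet(pkt.src_ip, pkt.dst_ip, pkt.port, b"")

    def reprocess_response(self, response: Packet) -> Packet:
        """S230: the terminal's response packet carries this module's public key back."""
        return Packet(response.src_ip, response.dst_ip, response.port,
                      encode_payload(self.serial, self._public_key()))

    def handle_response(self, pkt: Packet) -> Optional[Packet]:
        """S240: same ID check, then the first module derives its session key."""
        parsed = parse_payload(pkt.payload)
        if parsed is None:
            return None
        _peer_serial, peer_public = parsed
        self.session_key = self._derive_session_key(peer_public)
        return Packet(pkt.src_ip, pkt.dst_ip, pkt.port, b"")


def run_exchange():
    """Full S210-S240 round trip; returns both modules and what each terminal receives."""
    first = EncryptionModule("SN-FIRST-0001")       # constructed serial numbers
    second = EncryptionModule("SN-SECOND-0002")
    call = Packet("192.168.123.10", "192.168.456.7", 8080)   # page's example addresses
    wire_call = first.reprocess_call(call)
    to_second_terminal = second.handle_call(wire_call)
    response = Packet(call.dst_ip, call.src_ip, call.port)   # second terminal answers
    wire_response = second.reprocess_response(response)
    to_first_terminal = first.handle_response(wire_response)
    return first, second, to_second_terminal, to_first_terminal
```

Both modules end with the same session key while neither private key is ever placed in a packet, and the terminals only see the call and response packets with the payload stripped, as the page describes. The encryption ID check merely recognises a reprocessed packet; it does not authenticate the peer's public key, so a deployment would still need the modules to verify each other (for example by checking the serial field against an expected value) before trusting the derived key.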
- the data encryption and decryption system and method may perform data encryption and decryption using a packet key in addition to the above-described session key.
- the above-described session key is a key used to encrypt or decrypt a data bundle
- the packet key is a key used to encrypt or decrypt each data packet.
- since the packet key encrypts or decrypts each data packet individually, even if one packet key is leaked a different packet key is used for the next data packet, which gives higher security against key leakage.
- a packet key for performing data encryption and decryption according to an embodiment of the present invention may be generated by the first encryption module 13 and the second encryption module 23 of FIG. 1 using the header information of each data packet.
- the packet key generated by the first encryption module 13 is used to encrypt the data transmitted from the first terminal 11 packet by packet, and the packet key generated by the second encryption module 23 is used to decrypt the encrypted data received from the communication network 30.
- the first encryption module 13 may use the header information and additional information of the data packet to generate the packet key.
- the header information may be at least one of a first address (originating IP address), which is the IP address of the first terminal, a second address (destination IP address), which is the IP address of the second terminal, and a packet ID; the additional information may be at least one of a serial number and a setting key.
- the serial number is a value generated to distinguish the first encryption module
- the setting key is a specific key that changes according to the user's setting.
- the first encryption module may further use the sequence ID of the TCP packet to generate the packet key.
- the first address, the second address, the serial number of the first encryption module, and the setting key are fixed values that do not change during the communication session.
- the packet ID is an ID generated to distinguish packets, and in the case of TCP communication the sequence ID is a changing value that varies each time the communication session is reconfigured; since the data can therefore be encrypted with a different packet key for each data packet and each communication session, high security can be maintained.
- the second encryption module 23 generates a packet key for decrypting the data.
- the second encryption module 23 may receive the encrypted data from the communication network 30 and generate a packet key for decrypting the data using the received header data and additional information for each data packet.
- the header information may be at least one of a first address (originating IP address), a second address (destination IP address), and a packet ID, and the additional information may be at least one of a serial number or a setting key.
- the serial number is the serial number of the first encryption module.
- the second encryption module 230 may obtain the serial number of the first encryption module before receiving the encrypted data from the communication network 30; in particular, in TCP communication it may be acquired and stored in advance in the step of configuring the communication session.
- the setting key is a specific key that changes according to the user's setting, and may be the same key as the one the user set in the first encryption module.
- the second encryption module may further use the sequence ID of the TCP packet to generate the packet key.
- the first and second encryption modules for generating the packet key may be replaced by the first and second non-address network devices, respectively, as in the example of the session key generation system described above with reference to FIG. 2B.
- the first non-address network device 130 transmits the data to be encrypted, received from the first terminal 11, to the first security unit 133 through the 1-2 input/output unit 135.
- the first security unit 133 may generate a packet key using at least one piece of information among a first address (originating IP address), a second address (destination IP address), and a packet ID taken from the header information of the received data, and at least one of a serial number or a setting key as additional information.
- the first security unit 133 may generate a packet key using all of the first address, the second address, the packet ID, the serial number, and the setting key.
- the serial number is the ID value of the non-address network device that is generated to identify the non-address network device.
- the serial number is generated by combining a time value taken at the moment power is supplied to the first non-address network device 130 with a random number of a specific number of digits. Since the serial number generated in this way is not a fixed value for each device, the first non-address network device 130 may be rebooted as needed to change the serial number of the device irregularly, thereby preventing leakage of the serial number.
- the setting key is a key that can be arbitrarily set by the user.
- the setting key allows an encryption group to be formed by setting the same setting key value on the devices with which the user wants to perform encrypted communication, thereby increasing the security capability.
- the first security unit 133 may further use the sequence ID of the TCP communication session generated for data transmission to generate a packet key.
- the packet key generated by the first non-address network device 130 is used by the first security unit 133 to encrypt the packet. That is, when an a packet key is generated using the header information of an A data packet, the first security unit 133 encrypts the A data packet using the a packet key and transmits the encrypted A data packet to the communication network 30 through the 1-1 input/output unit 131.
- the encrypted data packet is transmitted to the second non-address network device 230 through the communication network 30.
- the second non-address network device 230 receives the encrypted data packet through the 2-1 input / output unit 231 and transmits the encrypted data packet to the second security unit 233.
- the second security unit 233 may generate a packet key for decrypting data using the header information of the encrypted data packet.
- the second security unit 233 may generate a packet key using at least one piece of information among a first address (originating IP address), a second address (destination IP address), and a packet ID taken from the header information of the encrypted data packet, and a serial number or setting key as additional information.
- the second security unit 133 may generate a packet key using all of the first address, the second address, the packet ID, the serial number, and the setting key.
- the serial number among the additional information used to generate the packet key in the second security unit 233 may be the serial number of the first non-address network device 130.
- in TCP communication, the second security unit 233 may obtain and store the serial number of the first non-address network device 130 in the step of configuring the communication session, in order to generate the packet key.
- the first security unit 133 may further use the sequence ID of the TCP communication session generated for data transmission to generate a packet key.
- the header information and additional information used by the second security unit 233 to generate the packet key are the same as the information used by the first security unit 133 to generate the packet key. Therefore, if the encrypted A data packet was generated and transmitted by generating the a packet key, the second security unit 233 generates the same a packet key as the first security unit 133 from the header information of the encrypted A data packet, and as a result can decrypt the encrypted A data packet.
- the data encryption and decryption system may encrypt or decrypt data in the same manner as the flowchart shown in FIG. 3A.
- a data encryption and decryption method will be described based on the first encryption module and the first terminal.
- the present invention is not limited thereto, and the second encryption module and the second terminal may also encrypt and decrypt data in the same manner.
- the first encryption module and the second encryption module may be set to perform only one of encryption and decryption.
- the data encryption and decryption method 300 includes setting a data encryption level (S310), determining whether data is transmitted from a terminal (S320), encrypting the data and transmitting the encrypted data (S330), determining whether encrypted data is received from the communication network (S340), and decrypting and outputting the encrypted data (S350).
- the user sets the data encryption level (step S310).
- the user may set a data encryption level such that the first encryption module uses at least one of a session key and a packet key for data encryption.
- the setting in step S310 may not be applied in the process of decrypting data since the decryption level is determined according to the degree of encryption of the received data when the first encryption module decrypts the data.
- the first encryption module may directly generate the session key as described with reference to FIG. 2 or may receive the previously generated session key from the outside.
- the first encryption module determines whether data is transmitted from the first terminal (step S320).
- if data is transmitted from the terminal, the first encryption module performs step S330 of encrypting the data and transmitting it to the communication network; if no data is received from the terminal, it may determine whether encrypted data is received from the communication network.
- step S330 of encrypting the data and transmitting it to the communication network, as illustrated in FIG. 3B, includes confirming whether a session key is held (S331), checking whether packet key usage is set (S332), encrypting the data using both the session key and the packet key (S333), encrypting the data using the session key (S334), encrypting the data using the packet key (S335), and transmitting the encrypted data to the communication network (S336).
- the first encryption module first checks whether a session key is held (step S331). In this case, if it is determined in step S310 that the session key is held, it checks whether the packet key is set to be used (step S332); if it is determined that the session key is not held, it encrypts the data using only the packet key (step S335).
- the first encryption module checks whether the packet key is set to be used (step S332). If the packet key was not set to be used in step S310, the first encryption module encrypts the data using only the session key (step S334); if the packet key was set to be used, the first encryption module encrypts the data using both the session key and the packet key (step S333).
- the packet key used to encrypt data in the first encryption module may be generated using header information for each data packet to be encrypted in the first encryption module.
- the first encryption module transmits the data encrypted in steps S333 to S335 to the communication network (step S336).
- the first encryption module determines whether it has received encrypted data from the communication network (step S340). In this case, when it is determined that the first encryption module has not received encrypted data from the communication network, it has received data from neither the terminal nor the communication network, and thus repeats step S320.
- the first encryption module decrypts the received encrypted data and transfers it to the first terminal, which outputs the data to the user (step S350).
- step S350 of decrypting and outputting the encrypted data, as shown in FIG. 3C, includes confirming whether a session key is held (S351), decrypting the data using the held session key (S352), checking whether the data packet is encrypted (S353), generating a packet key to decrypt the data packet (S354), and delivering the decrypted data to the terminal (S355).
- upon receiving the encrypted data from the communication network, the first encryption module first checks whether a session key is held (step S351). In this case, when it is determined in step S310 that the session key is held, the first encryption module decrypts the encrypted data received from the communication network using the held session key (step S352). If it is determined that the session key is not held, the first encryption module may determine that no session key was used in encrypting the data received from the communication network, and may skip step S352.
- the first encryption module checks whether the received data packet is encrypted (step S353).
- the first encryption module checks whether the data obtained from step S352, or received from the communication network, is encrypted per packet, and if it is determined that per-packet encryption was performed, it generates a packet key to decrypt the corresponding data packet (step S354).
- otherwise, the first encryption module may skip step S354.
- the data packet checked here is preferably the data obtained by performing step S352, since the first encryption module, having received encrypted data through the communication network, needs to perform at least one decryption process.
- the first encryption module delivers the data on which at least one of the decryption steps S352 and S354 has been performed to the first terminal (step S355), and the first terminal outputs the received data to the user, ending the decryption process.
- the data encryption and decryption method according to an embodiment of the present invention illustrated in FIGS. 3A to 3C described above may be implemented through a data encryption and decryption system including the non-address network device shown in FIG. 2B.
- that is, the first encryption module is replaced by the first non-address network device, and the first security unit may perform each step.
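The packet-key derivation described above (header fields plus the serial number and setting key) and the S330/S350 flow of FIGS. 3B and 3C, as an added worked example that is not part of the patent or of any implementation of it. The patent names the inputs and the steps but fixes neither a derivation function nor a cipher, so the example assumes HMAC-SHA256 keyed with the setting key as the derivation, a toy SHA-256 keystream as the cipher, a one-byte layer marker in front of each packet so the receiver can decide at S351/S353, and constructed sample addresses, keys and payloads.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Bits of the one-byte marker placed in front of each encrypted packet so the
# receiver can tell which layers were applied (the marker is an assumption; the
# patent only says the decryption level follows the received data).
SESSION_LAYER = 0x01
PACKET_LAYER = 0x02


@dataclass(frozen=True)
class Header:
    """Header fields the description names as packet-key inputs."""
    src_ip: str                    # first address (originating IP address)
    dst_ip: str                    # second address (destination IP address)
    packet_id: int                 # packet ID, distinct per packet
    tcp_seq: Optional[int] = None  # TCP sequence ID, used when present


def make_serial(boot_time: Optional[int] = None, digits: int = 6) -> str:
    """Device serial as described: power-on time combined with a random number
    of a fixed number of digits, so it changes on every reboot."""
    if boot_time is None:
        boot_time = int(time.time())
    return f"{boot_time:08x}-{secrets.randbelow(10 ** digits):0{digits}d}"


def derive_packet_key(hdr: Header, serial: str, setting_key: bytes) -> bytes:
    """Per-packet key from header information plus serial number and setting key.
    Assumed construction: HMAC-SHA256 keyed with the setting key over the other
    inputs; the patent names the inputs but does not fix a derivation function."""
    seq = hdr.tcp_seq if hdr.tcp_seq is not None else 0
    info = b"|".join([
        hdr.src_ip.encode(), hdr.dst_ip.encode(),
        hdr.packet_id.to_bytes(8, "big"), seq.to_bytes(4, "big"),
        serial.encode(),
    ])
    return hmac.new(setting_key, info, hashlib.sha256).digest()


def _stream_xor(key: bytes, label: bytes, hdr: Header, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode, nonce = label + packet ID)
    used only to make the key layering visible; not a production cipher.
    XOR is its own inverse, so the same call encrypts and decrypts."""
    nonce = label + hdr.packet_id.to_bytes(8, "big")
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_packet(hdr, plaintext, session_key, use_packet_key, serial, setting_key):
    """Step S330. S331: is a session key held? S332: is packet-key use set?
    Then S333 (both keys), S334 (session key only) or S335 (packet key only).
    The packet layer goes on first so the receiver can strip the session layer
    first (S352) and then the packet layer (S354), in the order of FIG. 3C."""
    applied = 0
    data = plaintext
    if session_key is None or use_packet_key:                     # S335 / S333
        data = _stream_xor(derive_packet_key(hdr, serial, setting_key), b"P", hdr, data)
        applied |= PACKET_LAYER
    if session_key is not None:                                   # S334 / S333
        data = _stream_xor(session_key, b"S", hdr, data)
        applied |= SESSION_LAYER
    return bytes([applied]) + data


def decrypt_packet(hdr, packet, session_key, serial, setting_key):
    """Step S350: S351/S352 strip the session layer if present, then S353/S354
    derive the same packet key from the received header and strip that layer."""
    applied, data = packet[0], packet[1:]
    if applied & SESSION_LAYER:                                    # S351
        if session_key is None:
            raise ValueError("session-encrypted packet but no session key held")
        data = _stream_xor(session_key, b"S", hdr, data)           # S352
    if applied & PACKET_LAYER:                                     # S353
        data = _stream_xor(derive_packet_key(hdr, serial, setting_key), b"P", hdr, data)  # S354
    return data


def roundtrip(use_packet_key: bool, with_session_key: bool):
    """Run one packet through both sides with constructed sample values and
    return (plaintext recovered?, marker byte). The serial is shared because the
    receiving side stores the sender's serial during session setup."""
    serial = make_serial(boot_time=1_448_323_200)     # constructed power-on time
    setting_key = b"constructed-setting-key"          # shared by the encryption group
    session_key = hashlib.sha256(b"constructed session key").digest() if with_session_key else None
    hdr = Header("10.0.0.2", "10.0.0.9", packet_id=41, tcp_seq=100_001)
    msg = b"A data packet payload"
    pkt = encrypt_packet(hdr, msg, session_key, use_packet_key, serial, setting_key)
    return decrypt_packet(hdr, pkt, session_key, serial, setting_key) == msg, pkt[0]
```

Two things the example makes visible that the description leaves implicit: the addresses, packet ID and sequence number are carried in the clear on the wire, so the secrecy of each packet key rests entirely on the setting key and the serial number, which is why the description treats serial-number leakage as the thing to prevent; and neither layer in this construction provides integrity, so a deployment would still need an authentication tag per packet.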
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention relates to a data encoding and decoding method. According to an embodiment of the present invention, a data encoding and decoding method, in a method for generating encoded data in a data encoding unit that transmits the encoded data via a communication network to a second terminal connected to the communication network, comprises the following steps: a) an encoding module receives a data transmission from a first terminal; and b) encoded data is generated by means of an encoding key in the encoding module, step a) comprising a step a1) of determining, before the data transmission is received, an encoding level of the data such that a session key and/or a packet key are used.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| KR10-2015-0164630 | 2015-11-24 | | |
| KR1020150164630 | 2015-11-24 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2017091000A1 (fr) | 2017-06-01 |
Family
ID=58763383
Family Applications (4)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/KR2015/012715 Ceased WO2017090789A1 (fr) | 2015-11-24 | 2015-11-25 | Communication security system and method using address-less network equipment |
| PCT/KR2016/013600 Ceased WO2017090996A1 (fr) | 2015-11-24 | 2016-11-24 | System and method for encoding and decoding data |
| PCT/KR2016/013613 Ceased WO2017091002A1 (fr) | 2015-11-24 | 2016-11-24 | System and method for encoding and decoding data |
| PCT/KR2016/013609 Ceased WO2017091000A1 (fr) | 2015-11-24 | 2016-11-24 | System and method for encoding and decoding data |
Family Applications Before (3)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/KR2015/012715 Ceased WO2017090789A1 (fr) | 2015-11-24 | 2015-11-25 | Communication security system and method using address-less network equipment |
| PCT/KR2016/013600 Ceased WO2017090996A1 (fr) | 2015-11-24 | 2016-11-24 | System and method for encoding and decoding data |
| PCT/KR2016/013613 Ceased WO2017091002A1 (fr) | 2015-11-24 | 2016-11-24 | System and method for encoding and decoding data |
Country Status (1)
| Country | Link |
|---|---|
| WO (4) | WO2017090789A1 (fr) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6067620A (en) * | 1996-07-30 | 2000-05-23 | Holden; James M. | Stand alone security device for computer networks |
| US6430691B1 (en) * | 1999-06-21 | 2002-08-06 | Copytele, Inc. | Stand-alone telecommunications security device |
| US7983419B2 (en) * | 2001-08-09 | 2011-07-19 | Trimble Navigation Limited | Wireless device to network server encryption |
| US8583929B2 (en) * | 2006-05-26 | 2013-11-12 | Alcatel Lucent | Encryption method for secure packet transmission |
| US20140195798A1 (en) * | 2013-01-09 | 2014-07-10 | International Business Machines Corporation | Transparent Encryption/Decryption Gateway for Cloud Storage Services |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6240513B1 (en) * | 1997-01-03 | 2001-05-29 | Fortress Technologies, Inc. | Network security device |
| KR100333530B1 (ko) * | 1999-09-29 | 2002-04-25 | 최명렬 | Method for configuring a virtual private network (VPN) using a network address translation (NAT) function, and computer-readable recording medium storing a program for implementing it |
| US7100048B1 (en) * | 2000-01-25 | 2006-08-29 | Space Micro Inc. | Encrypted internet and intranet communication device |
| US7716725B2 (en) * | 2002-09-20 | 2010-05-11 | Fortinet, Inc. | Firewall interface configuration and processes to enable bi-directional VoIP traversal communications |
| US7711948B2 (en) * | 2003-09-30 | 2010-05-04 | Cisco Technology, Inc. | Method and apparatus of communicating security/encryption information to a physical layer transceiver |
| KR100580844B1 (ko) * | 2003-12-17 | 2006-05-16 | 한국전자통신연구원 | Data security and operation apparatus in a wireless LAN system, and method therefor |
| US8316152B2 (en) * | 2005-02-15 | 2012-11-20 | Qualcomm Incorporated | Methods and apparatus for machine-to-machine communications |
| US9326144B2 (en) * | 2013-02-21 | 2016-04-26 | Fortinet, Inc. | Restricting broadcast and multicast traffic in a wireless network to a VLAN |
- 2015
  - 2015-11-25 WO PCT/KR2015/012715 patent/WO2017090789A1/fr not_active Ceased
- 2016
  - 2016-11-24 WO PCT/KR2016/013600 patent/WO2017090996A1/fr not_active Ceased
  - 2016-11-24 WO PCT/KR2016/013613 patent/WO2017091002A1/fr not_active Ceased
  - 2016-11-24 WO PCT/KR2016/013609 patent/WO2017091000A1/fr not_active Ceased
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6067620A (en) * | 1996-07-30 | 2000-05-23 | Holden; James M. | Stand alone security device for computer networks |
| US6430691B1 (en) * | 1999-06-21 | 2002-08-06 | Copytele, Inc. | Stand-alone telecommunications security device |
| US7983419B2 (en) * | 2001-08-09 | 2011-07-19 | Trimble Navigation Limited | Wireless device to network server encryption |
| US8583929B2 (en) * | 2006-05-26 | 2013-11-12 | Alcatel Lucent | Encryption method for secure packet transmission |
| US20140195798A1 (en) * | 2013-01-09 | 2014-07-10 | International Business Machines Corporation | Transparent Encryption/Decryption Gateway for Cloud Storage Services |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2017090996A1 (fr) | 2017-06-01 |
| WO2017091002A1 (fr) | 2017-06-01 |
| WO2017090789A1 (fr) | 2017-06-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2016137304A1 (fr) | | Trust-zone-based end-to-end security |
| EP3646553B1 (fr) | | Introducing middleboxes into secure communications between a client and a server |
| WO2016021981A1 (fr) | | System and method for counter management and security key update for device-to-device group communication |
| WO2021054693A1 (fr) | | Quantum key distribution method, device and system |
| WO2012093900A2 (fr) | | Method and device for authenticating a personal network entity |
| WO2014069778A1 (fr) | | ID-based encryption and decryption method and apparatus for implementing same |
| JP2005525047A (ja) | | Secure wireless local area network or wireless metropolitan area network, and related methods |
| TW200307423A (en) | | Password device and method, password system |
| US7039190B1 (en) | | Wireless LAN WEP initialization vector partitioning scheme |
| CN101529805A (zh) | | Intermediate device |
| WO2018139910A1 (fr) | | Method for providing end-to-end security over a signaling plane in a mission-critical data communication system |
| CN105656655A (zh) | | Network security management method, apparatus and system |
| WO2020067734A1 (fr) | | Address-less network equipment and communication security system using same |
| CN115801316A (zh) | | Data transmission method and apparatus, device and storage medium |
| CN113225298A (zh) | | Message verification method and apparatus |
| WO2018004114A2 (fr) | | Proxy authentication system and authentication method for providing a proxy service |
| WO2016111407A1 (fr) | | Network communication method with terminal session recovery function |
| CN109347836B (zh) | | IPv6 network node identity security protection method |
| CN110832806A (zh) | | ID-based data plane security for identity-oriented networks |
| WO2023008940A1 (fr) | | Method and system for securely managing reconnection of client devices to a wireless network |
| WO2012165901A2 (fr) | | Method for security channeling between terminals |
| WO2017091000A1 (fr) | | System and method for encoding and decoding data |
| WO2019045424A1 (fr) | | Secure socket layer decryption method for security |
| WO2021025185A1 (fr) | | White-box cryptography encoding apparatus and method using an anti-inversion function |
| WO2019103360A1 (fr) | | Proxy re-encryption-based data management method and system in an IoT lightweight terminal environment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16868896; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 11/10/2018) |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 16868896; Country of ref document: EP; Kind code of ref document: A1 |