WO2017091002A1 - System and method for encoding and decoding data (Système et procédé de codage et décodage de données) - Google Patents
System and method for encoding and decoding data
- Publication number
- WO2017091002A1 (PCT application PCT/KR2016/013613)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- packet
- key
- data
- encryption module
- encryption
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/22—Arrangements for preventing the taking of data from a data transmission channel without authorisation
Definitions
- the present invention relates to a data encryption and decryption system and method that encrypts and decrypts data transmitted and received between terminals over various private and public networks, in order to prevent hacking, wiretapping and interception and to maintain a high level of security.
- a data encryption and decryption system and method are described.
- various terminals operating in private or public networks, wired or wireless, for example PCs, laptops, VoIP phones, fax terminals and mobile phones, may suffer enormous physical or financial damage from various forms of hacking.
- the user therefore generally relies on data encryption or an encryption device to prevent data leakage or the disabling of security equipment through hacking.
- an embodiment of the present invention provides a data encryption and decryption system and method that encrypts data transmitted over various private and public networks so that hacking, wiretapping and interception are prevented in advance.
- the data encryption and decryption system comprises a data encryption unit that transmits encrypted data over a communication network to a second terminal connected to that network. The data encryption unit includes an encryption module connected between a first terminal and the communication network; the encryption module receives data from the first terminal and generates the packet key needed to encrypt that data, and it generates the packet key using packet information of each packet received from the first terminal.
- the packet information is header information that includes at least one of the IP address of the first terminal, the IP address of the second terminal, and a packet ID for each packet.
- the packet key may further be generated using at least one of a serial number of the encryption module and a key preset by the user; the serial number is a unique value distinguishing one encryption module from another.
- in the case of TCP communication, the packet key may also be generated using a sequence ID, a value representing the sequence of the TCP communication.
- to generate the encrypted data, the encryption module generates a first public key and transmits it to the communication network, then receives from the communication network a second public key sent in response to the first public key.
- a session key generated with a public key algorithm, that is, a method of generating the session key from the exchanged public keys, may further be used.
- when the encryption module receives a call packet from the first terminal, it transmits a reprocessed call packet that includes the first public key to the communication network, then receives a reprocessed response packet that includes the second public key and uses the reprocessed response packet to generate the session key.
- the reprocessed call packet further includes at least one of an encryption ID, a random value of a specific length placed in the payload, and the serial number of the encryption module, the serial number being a unique value distinguishing the encryption module.
- the encryption module may generate a first private key together with the first public key and, after receiving the second public key, generate the session key from the first private key and the second public key.
- in the case of TCP communication, the session key may be generated while the TCP connection is being set up, before the data transmission begins.
- the encryption module may include a 1-1 input/output unit that receives the data from the first terminal; a first security unit connected to the 1-1 input/output unit that generates the encrypted data and the packet key or session key; and a 1-2 input/output unit connected to the first security unit that receives the encrypted data and transmits it to the communication network. The packet key or session key is generated without any IP address being set on the module, which may therefore be a non-address network device.
- a data encryption and decryption system is provided.
- the data encryption and decryption system comprises a data decryption unit that receives encrypted data over a communication network from a first terminal connected to that network. The data decryption unit includes an encryption module connected between a second terminal and the communication network;
- this encryption module receives the encrypted data from the communication network and generates the packet key needed to decrypt it into decrypted data, generating the packet key from the packet information of each packet of encrypted data received from the communication network.
- the packet information is header information that includes at least one of the IP address of the first terminal, the IP address of the second terminal, and a packet ID for each packet.
- the packet key is generated using at least one of the serial number of the encryption module that produced the encrypted data and a key preset by the user; the serial number is a unique value distinguishing one encryption module from another.
- in the case of TCP communication, the packet key may also be generated using a sequence ID, a value representing the sequence of the TCP communication.
- to generate the decrypted data, the encryption module receives a first public key from the communication network, generates a second public key in response to the first public key, and transmits the second public key to the communication network.
- a session key generated with a public key algorithm, that is, a method of generating the session key from the exchanged public keys, may further be used.
- when the encryption module receives from the communication network a reprocessed call packet that includes the first public key, it generates the session key using the reprocessed call packet, receives a response packet from the second terminal, and transmits to the communication network a reprocessed response packet that includes the second public key.
- the reprocessed response packet may include at least one of an encryption ID, a random value of a specific length placed in the payload, and the serial number of the encryption module, the serial number being a unique value distinguishing the encryption module.
- the encryption module may generate a second private key together with the second public key and, after receiving the first public key, generate the session key from the second private key and the first public key.
- in the case of TCP communication, the session key may be generated while the TCP connection is being set up, before the data transmission begins.
- the encryption module may include a 2-1 input/output unit that receives the encrypted data from the communication network; a second security unit connected to the 2-1 input/output unit that generates the decrypted data and the packet key or session key; and a 2-2 input/output unit connected to the second security unit that transfers the decrypted data to the second terminal. The packet key or session key is generated without any IP address being set on the module, which may therefore be a non-address network device.
- a data encryption and decryption system includes a data encryption unit that transmits encrypted data over a communication network and a data decryption unit that receives the encrypted data over that network. The data encryption unit includes
- a first encryption module connected between a first terminal and the communication network, which receives data from the first terminal and generates the packet key needed to encrypt that data into the encrypted data; the data decryption unit includes
- a second encryption module connected between a second terminal and the communication network, which receives the encrypted data from the communication network and generates the packet key needed to decrypt it into decrypted data.
- the first encryption module generates the packet key using the packet information of each packet received from the first terminal, and the second encryption module generates the packet key using the packet information of each packet of encrypted data received from the communication network.
- the packet information is header information that includes at least one of the IP address of the first terminal, the IP address of the second terminal, and a packet ID for each packet.
- the packet key may further be generated using at least one of the serial number of the first encryption module and a user-set key.
- the serial number is a unique value distinguishing one encryption module from another.
- in the case of TCP communication, the packet key may also be generated using a sequence ID, a value representing the sequence of the TCP communication.
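The per-packet key described in the bullets above (and in the matching bullets for the data encryption unit and the data decryption unit earlier in this section) derives a key for every packet from header fields plus the module serial number and the user-set key. The following is an added example, not code from the patent: it parses the first address, second address, packet ID and TCP sequence number out of a raw IPv4/TCP header and feeds them, with the serial number and the user key, into an HMAC-SHA256 derivation. The HMAC construction, the field encoding, the serial and key values and the sample packets are all assumptions constructed for the example; the patent does not specify how the fields are combined.

```python
"""Per-packet key derivation in the style of the packet key described above.
Added example, not the patent's own code; the HMAC-SHA256 construction,
the field layout and the sample packets are assumptions."""
import hashlib
import hmac
import ipaddress
import struct


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Extract the header fields the packet key is built from (IPv4 + TCP)."""
    if len(packet) < 40 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", packet[4:6])[0]
    if packet[9] != 6:
        raise ValueError("not TCP")
    src = str(ipaddress.IPv4Address(packet[12:16]))   # first address
    dst = str(ipaddress.IPv4Address(packet[16:20]))   # second address
    sport, dport, seq = struct.unpack("!HHI", packet[ihl:ihl + 8])
    return {"src": src, "dst": dst, "ip_id": ip_id,
            "sport": sport, "dport": dport, "seq": seq}


def packet_key(hdr: dict, serial: bytes, user_key: bytes) -> bytes:
    """Key for one packet: HMAC(user_key, first addr | second addr | packet ID | seq | serial)."""
    material = b"|".join([
        hdr["src"].encode(),
        hdr["dst"].encode(),
        struct.pack("!H", hdr["ip_id"]),   # packet ID (IPv4 identification field)
        struct.pack("!I", hdr["seq"]),     # sequence ID for TCP
        serial,                            # module serial number
    ])
    return hmac.new(user_key, material, hashlib.sha256).digest()


def build_packet(src, dst, ip_id, sport, dport, seq) -> bytes:
    """Constructed IPv4/TCP header (no options, checksums left zero) used as sample input."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0)
    return ip + tcp


def keys_match(packet: bytes, serial: bytes, sender_key: bytes, receiver_key: bytes) -> bool:
    """Sender and receiver derive the packet key independently from the same packet."""
    hdr = parse_ipv4_tcp(packet)
    return hmac.compare_digest(packet_key(hdr, serial, sender_key),
                               packet_key(hdr, serial, receiver_key))


if __name__ == "__main__":
    SERIAL = b"EM-000001"          # constructed module serial number
    USER_KEY = b"user-preset-key"  # constructed user-set key
    p1 = build_packet("192.168.123.10", "192.168.45.7", 1, 50000, 443, 1000)
    p2 = build_packet("192.168.123.10", "192.168.45.7", 2, 50000, 443, 1460)
    k1 = packet_key(parse_ipv4_tcp(p1), SERIAL, USER_KEY)
    k2 = packet_key(parse_ipv4_tcp(p2), SERIAL, USER_KEY)
    print("both ends agree:", keys_match(p1, SERIAL, USER_KEY, USER_KEY))
    print("per-packet keys differ:", k1 != k2)
```

Because the packet ID and the TCP sequence number enter the derivation, every packet gets a different key even when the addresses, serial number and user key stay fixed; the receiving module can only reproduce the key if it knows the sending module's serial number and the same user-set key, which is why the decryption-side bullets refer to the serial number of the module that produced the encrypted data.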
- to generate the encrypted data, the first encryption module generates a first public key and transmits it to the communication network; after receiving the first public key, the second encryption module generates the session key and a second public key sent in response to the first public key, and transmits the second public key to the communication network; the first encryption module then receives the second public key and uses it to generate the session key.
- the session key generated with this public key algorithm may further be used.
- when the first encryption module receives a call packet from the first terminal, it transmits a reprocessed call packet that includes the first public key to the communication network, then receives a reprocessed response packet that includes the second public key and generates the session key using that reprocessed response packet. When the second encryption module receives the reprocessed call packet including the first public key from the communication network, it generates the session key using the reprocessed call packet, receives the response packet from the second terminal, and transmits the reprocessed response packet including the second public key to the communication network.
- the reprocessed call packet further includes at least one of an encryption ID, a random value of a specific length placed in the payload, and the serial number of the first encryption module; the reprocessed response packet includes at least one of an encryption ID, a random value of a specific length placed in the payload, and the serial number of the second encryption module. The serial number is a unique value distinguishing one encryption module from another.
- the first encryption module generates a first private key together with the first public key and, after receiving the second public key, generates the session key from the first private key and the second public key.
- the second encryption module generates a second private key together with the second public key and, after receiving the first public key, generates the session key from the second private key and the first public key.
- in the case of TCP communication, the session key may be generated while the TCP connection is being set up, before the data transmission begins.
- the first encryption module may include a 1-1 input/output unit that receives the data from the first terminal; a first security unit connected to the 1-1 input/output unit that generates the encrypted data and the packet key or session key; and a 1-2 input/output unit connected to the first security unit that receives the encrypted data and transmits it to the communication network, the packet key or session key being generated without any IP address being set. The first encryption module may therefore be
- a first non-address network device. The second encryption module may include a 2-1 input/output unit that receives the encrypted data from the communication network; a second security unit connected to the 2-1 input/output unit that generates the decrypted data and the packet key or session key; and a 2-2 input/output unit connected to the second security unit that transfers the decrypted data to the second terminal, the packet key or session key being generated without any IP address being set. The second encryption module may therefore be a second non-address network device.
- by encrypting and decrypting data in this way, the data encryption and decryption system and method according to an embodiment of the present invention prevent hacking, wiretapping, interception and the like over a variety of private or public networks.
- because the network device connected to each terminal is a non-address network device that needs neither an IP address nor an account, a hacker cannot connect to that device, and the effect is that of a kind of virtual private network between the terminals.
- FIG. 1 is a block diagram of a data encryption and decryption system according to an embodiment of the present invention.
- FIG. 2 is a flow chart for a) generating a session key using the system of FIG. 1 in accordance with an embodiment of the present invention, and b) a non-address, another embodiment of the system of FIG. 1 used to generate a session key.
- FIG. 3 is a flow chart illustrating a) a method of encrypting and decrypting data using an encryption key, b) a detailed flow chart of the step of encrypting data and transmitting it to a communication network, and c) a detail of the step of decrypting and outputting encrypted data.
- FIG. 1 is a block diagram of a data encryption and decryption system according to an embodiment of the present invention.
- a data encryption unit 10 is connected to a data decryption unit 20 through a communication network 30.
- the data encryption unit 10 and the data decryption unit 20 may change roles depending on a terminal to which data is to be transmitted.
- when the first terminal 11 is to transmit data to the second terminal 21, the first terminal 11 and the first encryption module 13 are set as the data encryption unit 10 and the second terminal 21 and the second encryption module 23 are set as the data decryption unit 20.
- when the second terminal 21 is to transmit data to the first terminal 11, the first terminal 11 and the first encryption module 13 are set as the data decryption unit 20 and the second terminal 21 and the second encryption module 23 are set as the data encryption unit 10.
- the communication network 30 may include a dedicated network or a public network, and may include a wired network such as the Internet or the PSTN or a wireless network such as Zigbee or Bluetooth.
- in the description that follows, the first terminal 11 and the first encryption module 13 are taken as the data encryption unit 10 that encrypts the data and the second terminal 21 and the second encryption module 23 as the data decryption unit 20 that decrypts it; as explained above, these roles are reversed when the data flows in the other direction.
- the first terminal 11 transmits data to the second terminal 21 through the communication network 30.
- the data encryption and decryption system 1 includes the first encryption module 13 connected to the first terminal 11 and the second encryption module 23 connected to the second terminal 21, and the session key used to encrypt and decrypt the data is exchanged using the first encryption module 13 and the second encryption module 23.
- the terminals 11 and 21 and the encryption modules 13 and 23 are shown as externally connected, but the present invention is not limited to this: the encryption modules 13 and 23 may instead be embedded in the terminals 11 and 21 as software or hardware.
- FIG. 2 is a flow chart for a) generating a session key using the system of FIG. 1 in accordance with an embodiment of the present invention, and b) a non-address, another embodiment of the system of FIG. 1 used to generate a session key.
- a session key is required to encrypt the data.
- if the session key itself were transmitted, it could be leaked through hacking or eavesdropping on the communication network.
- the data encryption unit 10 and the data decryption unit 20 therefore generate the session key using a public key exchange algorithm.
- the first encryption module transmits a reprocessed call packet to the communication network (S210),
- the second encryption module generates a session key using the reprocessed call packet (S220), the second encryption module transmits a reprocessed response packet to the communication network (S230), and the first encryption module generates the session key using the reprocessed response packet (S240).
- the first encryption module transmits the reprocessed call packet to the communication network (step S210).
- the first terminal generates a call packet for establishing a TCP connection with the second terminal and delivers it to the first encryption module.
- the call packet is provided so that the session key can be generated before the actual data transfer begins, and it does not carry the data that the first terminal wants to encrypt and transmit.
- the first encryption module receives the call packet from the first terminal and generates a first private key.
- the first private key is a random value generated in the first encryption module; it is never transmitted to the second encryption module over the communication network and is used only inside the first encryption module to generate the session key.
- the first encryption module then generates a specific value k from the first address and the second address contained in the header of the call packet (preferably also using the port value, as in step S220).
- the first address and the second address are the IP addresses of the first terminal and the second terminal respectively: the IP address of the terminal transmitting the data is the first address and the IP address of the terminal receiving it is the second address.
- after generating the specific value k, the first encryption module generates the first public key by combining the previously stored prime y (rendered "decimal value y" by the machine translation; in the Diffie-Hellman exchange named below it is the prime modulus), the first private key and the specific value k.
- the generated first public key may be placed in the payload of the call packet and transferred to the second encryption module.
- the payload of the call packet is thus reprocessed in the first encryption module to carry the information needed to generate the session key.
- the payload of the call packet includes at least one of an encryption ID, a serial number identifying the first encryption module, and the first public key.
- the encryption ID is a random value of a specific length indicating that the packet has been reprocessed,
- and the serial number is a value generated to distinguish the first encryption module.
- the second encryption module generates a session key using the reprocessed call packet (step S220).
- the second encryption module receives the packet from the communication network and checks whether the encryption ID is present in the payload of the received packet. If the encryption ID is absent, the second encryption module determines that the packet was not transmitted by the first encryption module and may drop it.
- if the encryption ID is present, the second encryption module determines that the packet is a reprocessed call packet transmitted by the first encryption module and uses it to generate a session key.
- on receiving the reprocessed call packet, the second encryption module generates a second private key, a random value generated in the second encryption module that is never transmitted to the first encryption module over the communication network and is used only inside the second encryption module to generate the session key.
- the second encryption module generates the specific value k from the first address and the second address contained in the header of the packet.
- the second encryption module may additionally use the port value to generate the specific value k; the resulting k is the same as the specific value k generated in the first encryption module, because the first address, the second address and the port value used by the two modules are identical.
- the second encryption module then generates the session key by combining the first public key taken from the payload, the prime y stored in the device, and the second private key.
- after the session key has been generated, the payload of the call packet is deleted so that the packet is restored to the call packet as generated by the first terminal, and it is forwarded to the second terminal.
- the second encryption module transmits the reprocessed response packet to the communication network (step S230).
- after receiving the call packet from the second encryption module, the second terminal generates a response packet answering the call packet, and the response packet is delivered to the second encryption module.
- the second encryption module generates a second public key by combining the previously stored prime y, the second private key and the specific value k.
- the second encryption module reprocesses the response packet so that its payload carries at least one of an encryption ID, a serial number identifying the second encryption module, and the second public key, and transmits the reprocessed response packet to the communication network.
- the first encryption module generates the session key using the reprocessed response packet (step S240).
- the first encryption module receives the packet from the communication network and checks whether the encryption ID is present in the payload. If the encryption ID is absent, the first encryption module determines that the packet was not transmitted by the second encryption module and may drop it.
- if the encryption ID is present, the first encryption module determines that the packet is the reprocessed response packet and uses it to generate the session key.
- the first encryption module generates the session key by combining the second public key taken from the payload of the reprocessed response packet, the previously stored prime y, and the first private key.
- the payload of the response packet is then deleted so that the packet is restored to the response packet as generated by the second terminal, and it is delivered to the first terminal.
- the session key generation method (S200) described above is performed before data transmission in the case of TCP communication, so that a new session key is generated for each connection, which increases security. In the case of UDP communication, the session key is regenerated when the communication has been interrupted for longer than a preset time or when the communication state changes relative to the current communication, for example when a new communication is configured or the communication program in use changes; this raises the resistance to session hijacking.
- the Diffie-Hellman algorithm is the typical session key generation algorithm that derives a session key from exchanged public keys, as in this embodiment, but it is only one example; any algorithm that can generate a session key for encryption may be used.
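The key agreement of steps S210 to S240, as an added example that is not part of the patent: both modules derive the same specific value k from the first address, second address and port of the call packet, each draws a random private key, the public keys cross the network in the reprocessed packets, and both arrive at the same session key. The example reads the stored value y as a prime modulus and uses k as the Diffie-Hellman base, hashes the shared secret with SHA-256 to obtain the session key, and uses a 127-bit prime so the numbers stay readable; all of these are assumptions, and a real deployment would use a standardised group of adequate size. A check the patent text does not mention but a practitioner would add is the rejection of degenerate peer public keys (0, 1 and y-1), which would otherwise fix the shared secret to a known value. Note also that nothing in the exchange as described authenticates the peer: the encryption ID only marks a packet as reprocessed, and the example does the same.

```python
"""Session key agreement of steps S210-S240.  Added example, not the patent's
code.  Assumptions: the stored value y is a prime modulus, k is used as the
Diffie-Hellman base, the session key is SHA-256 of the shared secret, and the
prime below is a toy size chosen for readability."""
import hashlib
import secrets

# Assumption: prime y shared by both modules.  2**127 - 1 is prime but far too
# small for real use; a deployment would use a standardised group such as RFC 3526.
Y = 2**127 - 1


def specific_value_k(first_addr: str, second_addr: str, port: int) -> int:
    """k from fields both modules read identically from the call packet header."""
    material = f"{first_addr}|{second_addr}|{port}".encode()
    h = int.from_bytes(hashlib.sha256(material).digest(), "big")
    return 2 + h % (Y - 3)          # keep k inside [2, Y-2]


def generate_private_key() -> int:
    """Random private key; never leaves the module."""
    return secrets.randbelow(Y - 3) + 2


def generate_public_key(private_key: int, k: int) -> int:
    """Public key = k^private mod y (the combination of y, private key and k)."""
    return pow(k, private_key, Y)


def generate_session_key(peer_public: int, private_key: int) -> bytes:
    """Session key from the peer's public key, y and the own private key.
    Degenerate public keys (0, 1, y-1) would fix the shared secret, so reject them."""
    if not 1 < peer_public < Y - 1:
        raise ValueError("invalid peer public key")
    shared = pow(peer_public, private_key, Y)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def run_exchange(first_addr: str, second_addr: str, port: int) -> bool:
    """Simulate S210-S240 with both modules reading the same call packet header."""
    k1 = specific_value_k(first_addr, second_addr, port)   # first module, S210
    a = generate_private_key()
    pub1 = generate_public_key(a, k1)                      # carried in the call packet payload
    k2 = specific_value_k(first_addr, second_addr, port)   # second module, S220
    b = generate_private_key()
    sk2 = generate_session_key(pub1, b)
    pub2 = generate_public_key(b, k2)                      # carried in the response packet, S230
    sk1 = generate_session_key(pub2, a)                    # S240
    return sk1 == sk2


if __name__ == "__main__":
    # Constructed addresses; the second address in the patent's figure is not a valid IPv4 address.
    print("session keys agree:", run_exchange("192.168.123.10", "192.168.45.7", 443))
```

Deriving k from the connection's addresses and port means a packet belonging to a different connection cannot reuse a public key computed for this one, but k is public information; the secrecy of the session key rests entirely on the private keys, exactly as in ordinary Diffie-Hellman.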
- a non-address network device is a network device on which no IP address, MAC address or other identifier required for communication is set and for which no account is needed.
- in the data encryption and decryption system 2, the first encryption module 13 may be replaced by a first non-address network device 130 comprising a 1-1 input/output unit 131, a first security unit 133 and a 1-2 input/output unit 135, and the second encryption module 23 by a second non-address network device 230 comprising a 2-1 input/output unit 231, a second security unit 233 and a 2-2 input/output unit 235. Because the first and second non-address network devices have no IP address, they cannot be reached directly from outside over the communication network, and so they are devices with a high degree of safety against intrusion into the device itself (this concerns reachability of the device, not the traffic it forwards, which it still receives and processes).
- data transmitted from the terminals 11 and 21 may be encrypted or decrypted with a session key generated through a public key exchange between the non-address network devices 130 and 230, independently of the terminals 11 and 21.
- the effect is the same as that of communication over a virtual private network.
- a data encryption and decryption system 2 using non-address network devices may include a first terminal 11, a first non-address network device 130, a communication network 30, a second terminal 21 and a second non-address network device 230.
- the first terminal 11 may have a first address, the second terminal 21 a second address, and the first terminal 11 and the second terminal 21 may each have different accounts.
- the first non-address network device 130 and the second non-address network device 230 must hold the same session key for encrypting and decrypting data. If the session key were shared directly, the session key data itself would travel unencrypted and could be leaked by hacking or eavesdropping, exposing the encrypted traffic to attack. The first non-address network device 130 and the second non-address network device 230 therefore each generate the same session key locally through a public key exchange before any data is shared.
- FIG. 2C illustrates an example of TCP communication using the Diffie-Hellman algorithm in a method for generating a session key by a data encryption and decryption system using non-address network devices according to an embodiment of the present invention.
- the first terminal 11 has the first address 192.168.123.10 and is connected to the first non-address network device 130; the second terminal 21 has the second address, printed as 192.168.456.7 in the figure (not a valid IPv4 address, since an octet cannot exceed 255, so the value is illustrative only), and is connected to the second non-address network device 230.
- the first terminal 11 generates a call packet for establishing a TCP connection with the second terminal 21 and transmits it to the first non-address network device 130.
- the call packet is provided so that the session key can be generated before the actual data transfer begins, and preferably it does not carry the data that the first terminal 11 wants to encrypt and transmit.
- the first non-address network device 130 receives the call packet from the first terminal 11 through the 1-2 input/output unit 135, and the first security unit 133 generates a first private key.
- the first private key is a random value generated by the first security unit 133; it is never transmitted to the second non-address network device 230 over the communication network 30 and is a value the first non-address network device 130 needs only to generate the session key.
- the first security unit 133 then generates a specific value k from the first address and the second address contained in the header of the call packet, preferably also using the port value.
- after generating the specific value k, the first security unit 133 generates the first public key by combining the previously stored prime y, the first private key and the specific value k.
- the generated first public key may be placed in the payload of the call packet and transferred to the second non-address network device 230.
- the payload of the call packet is thus reprocessed by the first security unit 133 to carry the information needed to generate the session key.
- the payload of the call packet includes at least one of an encryption ID, a serial key value of the first non-address network device 130, and the first public key.
- the encryption ID is a random value of a specific length indicating that the packet has been reprocessed,
- and the serial key value is generated per non-address network device so as to distinguish one device from another.
- the reprocessed call packet is transmitted to the communication network through the 1-1 input/output unit 131 and delivered to the second non-address network device 230.
- when the second security unit 233 of the second non-address network device 230 receives the packet through the 2-1 input/output unit 231, it checks whether the encryption ID is present in the payload of that packet. If the encryption ID is absent, the second security unit 233 determines that the packet was not transmitted by the first non-address network device 130 and may drop it.
- if the encryption ID is present, the second security unit 233 determines that the packet was transmitted by the first non-address network device 130 and uses it to generate a session key.
- on receiving the reprocessed call packet, the second security unit 233 generates a second private key, a random value generated by the second security unit 233 that is never forwarded to the first non-address network device 130 over the communication network 30 and is used only at the second non-address network device 230 to generate the session key.
- the second security unit 233 generates the specific value k from the first address and the second address contained in the header of the packet.
- the second security unit 233 may additionally use the port value to generate the specific value k; the resulting k is the same as the specific value k generated by the first security unit 133, because the first address, the second address and the port value used by the first and second security units 133 and 233 are identical.
- the second security unit 233 generates the session key by combining the first public key taken from the payload, the prime y stored in the device, and the second private key, and reprocesses the packet after the session key has been generated:
- the payload of the call packet is deleted, restoring the call packet as generated by the first terminal 11, and the packet is forwarded to the second terminal 21 through the 2-2 input/output unit 235.
- after receiving the call packet, the second terminal 21 generates a response packet answering the call packet, and the response packet is passed back to the second security unit 233 through the 2-2 input/output unit 235.
- the second security unit 233 generates a second public key by combining the previously stored prime y, the second private key and the specific value k.
- the second security unit 233 may reprocess the response packet so that its payload carries at least one of the encryption ID, the serial key value of the second non-address network device 230, and the second public key.
- the reprocessed response packet is transmitted to the communication network through the 2-1 input/output unit 231 and delivered to the first non-address network device 130.
- the first non-address network device 130 receives the reprocessed response packet through the 1-1 input/output unit 131 and checks whether the encryption ID is present in the payload. If the encryption ID is absent, the first security unit 133 determines that the packet was not transmitted by the second non-address network device 230 and may drop it.
- if the encryption ID is present, the first security unit 133 determines that the packet was transmitted by the second non-address network device 230 and uses it to generate the session key.
- the first security unit 133 generates the session key by combining the second public key taken from the payload, the previously stored prime y, and the first private key.
- the response packet is reprocessed after the session key has been generated: its payload is deleted, restoring the response packet as generated by the second terminal 21, and the packet is transmitted to the first terminal 11 through the 1-2 input/output unit 135.
- the session key generation process described above using FIG. 2C is performed before performing data transmission in the case of TCP communication, thereby increasing security by generating a new session key for each data.
- a new communication key is generated when the communication status changes compared to the current communication, such as when a new communication is configured or when the communication program to be used is changed. It can also increase security.
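The call/response exchange described above, as an added example that is not part of the patent. It reads the page's "combining" of y, a private key and k as Diffie-Hellman modular exponentiation with y as the prime modulus and k as the generator, which fits the description (k enters only the public keys, y enters both the public keys and the session key); that reading, the RFC 3526 prime used for y, the SHA-256 derivation of k and of the final session key, the payload layout and the constructed addresses, serials and encryption ID are all assumptions. Because the addresses and ports are visible on the wire, k is public, as a Diffie-Hellman generator normally is; the secrecy of the session key rests on the two random private keys that never leave their devices. The only acceptance check the page describes for the call and response packets is the presence of the encryption ID, and the example implements exactly that check.

```python
import hashlib
import secrets
import socket
import struct

# y: the prime both devices store in advance. The page gives no value; this example
# uses the 2048-bit MODP prime of RFC 3526 group 14 (assumption).
Y = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
Y_BYTES = (Y.bit_length() + 7) // 8
# Marker the security units look for in the payload. Constructed: the page does not
# give the encryption ID's format, only that a packet without it is dropped.
ENCRYPTION_ID = b"ENCID:"
SERIAL_LEN = 8


def specific_value_k(src_ip, dst_ip, src_port, dst_port):
    """k from the addresses and port in the packet header. Both units hash the same
    fields in the same order and so obtain the same k. SHA-256 reduced into [2, y-2]
    is this example's combining function; the page does not specify one."""
    material = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
                + struct.pack("!HH", src_port, dst_port))
    return 2 + int.from_bytes(hashlib.sha256(material).digest(), "big") % (Y - 3)


class SecurityUnit:
    """A security unit (133 or 233): stores y and its serial, and keeps the private
    key it draws for the exchange and the session key it ends up with."""

    def __init__(self, serial):
        self.serial = serial
        self.priv = self.k = self.session_key = None

    def _payload(self):
        # Public key k^priv mod y (assumption: 'combining y, the private key and k'
        # read as modular exponentiation). Serialised as ID | serial | public key.
        pub = pow(self.k, self.priv, Y)
        return ENCRYPTION_ID + self.serial + pub.to_bytes(Y_BYTES, "big")

    def _parse(self, payload):
        if not payload.startswith(ENCRYPTION_ID):
            return None  # no encryption ID: not from the peer unit, drop
        body = payload[len(ENCRYPTION_ID):]
        pub = int.from_bytes(body[SERIAL_LEN:SERIAL_LEN + Y_BYTES], "big")
        return body[:SERIAL_LEN], pub

    def _derive(self, peer_pub):
        if not 1 < peer_pub < Y - 1:
            raise ValueError("peer public key outside (1, y-1)")  # added check
        shared = pow(peer_pub, self.priv, Y)
        return hashlib.sha256(shared.to_bytes(Y_BYTES, "big")).digest()

    def start_call(self, header):
        """Unit 133: draw the first private key and add ID, serial, first public key."""
        self.priv = 1 + secrets.randbelow(Y - 2)
        self.k = specific_value_k(*header)
        return self._payload()

    def handle_call(self, header, payload):
        """Unit 233: check the ID, draw the second private key, compute the session
        key and return the response payload (None means the packet was dropped)."""
        parsed = self._parse(payload)
        if parsed is None:
            return None
        self.priv = 1 + secrets.randbelow(Y - 2)
        self.k = specific_value_k(*header)  # same header fields, same k
        self.session_key = self._derive(parsed[1])
        return self._payload()

    def handle_response(self, payload):
        """Unit 133: check the ID and compute the session key from the second public key."""
        parsed = self._parse(payload)
        if parsed is None:
            return False
        self.session_key = self._derive(parsed[1])
        return True


def run_exchange():
    """Call/response exchange over constructed addresses (terminal 11 -> terminal 21)."""
    header = ("10.0.0.11", "10.0.0.21", 40000, 5060)
    unit1, unit2 = SecurityUnit(b"SER-0001"), SecurityUnit(b"SER-0002")
    call_payload = unit1.start_call(header)                 # out through unit 131
    resp_payload = unit2.handle_call(header, call_payload)  # in through unit 231
    if resp_payload is None or not unit1.handle_response(resp_payload):
        return None
    return unit1, unit2
```

`run_exchange()` returns both units holding identical `session_key` values and identical `k`; feeding `handle_call` a payload without the encryption ID returns `None`, which is the drop the page describes. The range check in `_derive` rejects the trivial public keys 0, 1 and y-1; the page does not mention it, but without it a peer could force a predictable shared secret.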
- Beyond the session key described above, the data encryption and decryption system and method may also encrypt and decrypt data with a packet key.
- The session key described above is a key used to encrypt or decrypt a bundle of data; the packet key is a key used to encrypt or decrypt each individual data packet.
- Because the packet key encrypts or decrypts each data packet separately, the leak of one packet key exposes only that packet: the next data packet uses a different packet key, which gives higher resistance to key leakage.
- In an embodiment of the present invention, the packet key is generated by the first encryption module 13 and the second encryption module 23 of FIG. 1 from the header information of each data packet.
- The packet key generated by the first encryption module 13 encrypts, packet by packet, the data sent by the first terminal 11; the packet key generated by the second encryption module 23 decrypts the encrypted data received from the communication network 30.
- The first encryption module 13 may use both the header information and additional information of the data packet to generate the packet key.
- The header information is at least one of the first address (the originating IP address, i.e. the IP address of the first terminal), the second address (the destination IP address, i.e. the IP address of the second terminal), and the packet ID. The additional information is at least one of a serial number or a setting key.
- The serial number is a value generated to identify the first encryption module.
- The setting key is a specific key that changes according to the user's settings.
- The first encryption module may additionally use the sequence ID of the TCP packet to generate the packet key.
- The first address, the second address, the serial number of the first encryption module, and the setting key are fixed values that do not change during a communication session.
- The packet ID is an ID generated to distinguish packets, and in TCP communication the sequence ID is a changing value that differs each time the communication session is set up again; together they allow data to be encrypted with a different packet key for each data packet and each communication session, which maintains a high level of security.
- The second encryption module 23 generates a packet key for decrypting the data.
- The second encryption module 23 receives the encrypted data from the communication network 30 and generates, for each data packet, a packet key for decrypting it from the received header information and the additional information.
- The header information is at least one of the first address (originating IP address), the second address (destination IP address), and the packet ID; the additional information is at least one of a serial number or a setting key.
- The serial number here is the serial number of the first encryption module.
- The second encryption module 23 obtains the serial number of the first encryption module before receiving the encrypted data from the communication network 30; in TCP communication in particular it may be obtained and stored in advance during the step that sets up the communication session.
- The setting key is the specific key set by the user, which changes according to the user's settings, and is the same key as the one set in the first encryption module.
- The second encryption module may additionally use the sequence ID of the TCP packet to generate the packet key.
- As in the session key system described above with reference to FIG. 2B, the first and second encryption modules that generate the packet key may be replaced by the first and second non-address network devices, respectively.
- The first non-address network device 130 passes the data to be encrypted, received from the first terminal 11 through the 1-2 input/output unit 135, to the first security unit 133.
- The first security unit 133 generates a packet key using at least one of the first address (originating IP address), the second address (destination IP address), and the packet ID from the header information of the received data, and at least one of the serial number or the setting key as additional information.
- The first security unit 133 may generate the packet key using all of the first address, the second address, the packet ID, the serial number, and the setting key.
- The serial number is the ID value generated to identify the non-address network device.
- The serial number is generated by combining the time at the moment power is supplied to the first non-address network device 130 with a random number of a specific number of digits. Because the serial number generated this way is not a fixed per-device value, the first non-address network device 130 can be rebooted as needed to change its serial number irregularly, so that a serial number that has leaked does not stay valid.
- The setting key is a key that the user can set arbitrarily.
- By setting the same setting key value on the devices the user wants to communicate with in encrypted form, the setting key forms an encryption group, which strengthens the security capability.
- The first security unit 133 may additionally use the sequence ID of the TCP communication session set up for the data transmission to generate the packet key.
- The packet key generated by the first non-address network device 130 is used by the first security unit 133 to encrypt the packet. That is, when packet key a is generated from the header information of data packet A, the first security unit 133 encrypts data packet A with packet key a and transmits the encrypted data packet A to the communication network 30 through the 1-1 input/output unit 131.
- The encrypted data packet is transmitted to the second non-address network device 230 through the communication network 30.
- The second non-address network device 230 receives the encrypted data packet through the 2-1 input/output unit 231 and passes it to the second security unit 233.
- The second security unit 233 generates a packet key for decrypting the data from the header information of the encrypted data packet.
- The second security unit 233 generates the packet key using at least one of the first address (originating IP address), the second address (destination IP address), and the packet ID from the header information of the encrypted data packet, and the serial number or the setting key as additional information.
- The second security unit 233 may generate the packet key using all of the first address, the second address, the packet ID, the serial number, and the setting key.
- The serial number used as additional information by the second security unit 233 is the serial number of the first non-address network device 130; in TCP communication the second security unit 233 may obtain and store the serial number of the first non-address network device 130 while the communication session is set up, and use it to generate the packet key.
- The second security unit 233 may additionally use the sequence ID of the TCP communication session set up for the data transmission to generate the packet key.
- The header information and additional information used by the second security unit 233 to generate the packet key are the same as the information used by the first security unit 133. So when data packet A was encrypted and transmitted with packet key a, the second security unit 233 regenerates the same packet key a from the header information of the encrypted data packet A and can decrypt it.
- The data encryption and decryption system may encrypt or decrypt data following the flowchart shown in FIG. 3A.
- The data encryption and decryption method is described below with reference to the first encryption module and the first terminal; the present invention is not limited to this, and the second encryption module and the second terminal can encrypt and decrypt data in the same way.
- The first encryption module and the second encryption module may also be set to perform only one of encryption and decryption.
- The data encryption and decryption method 300 comprises setting the data encryption level (S310), determining whether data is transmitted from the terminal (S320), encrypting the data and transmitting the encrypted data (S330), determining whether encrypted data is received from the communication network (S340), and decrypting and outputting the encrypted data (S350).
- First, the user sets the data encryption level (step S310).
- The user may set the data encryption level so that the first encryption module uses at least one of the session key and the packet key for data encryption.
- The setting made in step S310 need not apply when decrypting, because when the first encryption module decrypts data the level of decryption is determined by how the received data was encrypted.
- The first encryption module may generate the session key itself as described with reference to FIG. 2, or receive a previously generated session key from outside.
- The first encryption module then determines whether data is transmitted from the first terminal (step S320).
- If data is received from the terminal, the first encryption module performs step S330, encrypting the data and transmitting it to the communication network; if no data is received from the terminal, it proceeds to determine whether encrypted data is received from the communication network (step S340).
- As illustrated in FIG. 3B, encrypting the data and transmitting it to the communication network (S330) comprises checking whether a session key is held (S331), checking whether packet key use is set (S332), encrypting the data with both the session key and the packet key (S333), encrypting the data with the session key only (S334), encrypting the data with the packet key only (S335), and transmitting the encrypted data to the communication network (S336).
- The first encryption module first checks whether it holds a session key (step S331). If a session key is held, it checks whether packet key use is set (step S332); if no session key is held, it encrypts the data with the packet key only (step S335).
- The first encryption module checks whether packet key use is set (step S332). If packet key use was not set in step S310, the first encryption module encrypts the data with the session key only (step S334); if packet key use was set, it encrypts the data with both the session key and the packet key (step S333).
- The packet key used by the first encryption module to encrypt the data may be generated from the header information of each data packet to be encrypted.
- The first encryption module transmits the data encrypted in step S333, S334 or S335 to the communication network (step S336).
- The first encryption module determines whether it receives encrypted data from the communication network (step S340). If it does not, it has received data from neither the terminal nor the communication network, and it returns to step S320.
- If encrypted data is received, the first encryption module decrypts it and passes the result to the first terminal, which outputs the data to the user (step S350).
- As shown in FIG. 3C, decrypting and outputting the encrypted data (S350) comprises checking whether a session key is held (S351), decrypting the data with the held session key (S352), checking whether the data packet is encrypted per packet (S353), generating a packet key and decrypting the data packet with it (S354), and delivering the decrypted data to the terminal (S355).
- On receiving encrypted data from the communication network, the first encryption module first checks whether it holds a session key (step S351). If a session key is held, the first encryption module decrypts the encrypted data received from the communication network with that session key (step S352). If no session key is held, the first encryption module may conclude that no session key was used when the received data was encrypted, and skip step S352.
- The first encryption module checks whether the received data packet is encrypted per packet (step S353).
- The first encryption module checks whether the data output by step S352, or the encrypted data received from the communication network, is encrypted packet by packet; if it is, the first encryption module generates a packet key and decrypts the corresponding data packet with it (step S354). If it is not, the first encryption module may skip step S354.
- Since the first encryption module must perform at least one decryption step on data received through the communication network, the data packet handled in step S354 is preferably the data obtained from step S352.
- The first encryption module delivers the data that has passed through at least one of the decryption steps S352 and S354 to the first terminal (step S355), and the first terminal outputs the received data to the user, ending the decryption process.
- The data encryption and decryption method illustrated in FIGS. 3A to 3C may also be implemented with a data encryption and decryption system that includes the non-address network device shown in FIG. 2B; in that case the first non-address network device takes the place of the first encryption module and the first security unit performs each step.
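The packet key derivation described above and the FIG. 3A to 3C encryption-level flow, as one added example that is not part of the patent. The page says only that the header fields (first address, second address, packet ID, TCP sequence number) and the additional information (serial number, setting key) are "used" to generate the packet key and does not name the cipher; this example combines them with HMAC-SHA256 keyed by the setting key, encrypts with an HMAC counter keystream to stay within the standard library, carries a level byte so the receiver can tell which keys were applied (S353), and applies the packet key before the session key so that the receiver's order, S352 then S354, undoes it. All of those choices, and the constructed addresses, serial, setting key and sample data, are assumptions. Of the inputs to the packet key, only the setting key is never carried on the wire (the page has the serial number exchanged at session setup), which is why it is the HMAC key here.

```python
import hashlib
import hmac
import socket
import struct

LEVEL_SESSION, LEVEL_PACKET = 0x01, 0x02   # bits of the level byte (constructed)


def packet_key(src_ip, dst_ip, packet_id, seq, serial, setting_key):
    """Packet key from the header fields the page names (first address, second
    address, packet ID, TCP sequence number) plus the sender's serial number and the
    setting key. HMAC-SHA256 keyed with the setting key is this example's combining
    function (assumption). A leaked packet key reveals neither the setting key nor
    any other packet key, which is the property the page claims for packet keys."""
    msg = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
           + struct.pack("!HI", packet_id, seq) + serial)
    return hmac.new(setting_key, msg, hashlib.sha256).digest()


def keystream_xor(key, data, label):
    """Stdlib-only stand-in for the page's unnamed cipher: XOR with an HMAC-SHA256
    counter keystream; the same call encrypts and decrypts. This is only sound
    because every packet gets its own key, so no keystream is ever reused."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_out(data, header, session_key, use_packet_key, serial, setting_key):
    """Steps S331-S336. Returns level byte | ciphertext."""
    # S331: without a session key the data is encrypted with the packet key only (S335);
    # S332: with a session key the packet key is added only if its use was set (S333/S334).
    use_pkt = use_packet_key or session_key is None
    level = 0
    if use_pkt:
        data = keystream_xor(packet_key(*header, serial, setting_key), data, b"pkt")
        level |= LEVEL_PACKET
    if session_key is not None:
        data = keystream_xor(session_key, data, b"ses")
        level |= LEVEL_SESSION
    return bytes([level]) + data                            # S336


def decrypt_in(packet, header, session_key, serial, setting_key):
    """Steps S351-S355 on the receiving side."""
    level, data = packet[0], packet[1:]
    if level & LEVEL_SESSION:                               # S351
        if session_key is None:   # added check: the page assumes no session key was used
            raise ValueError("session-encrypted packet but no session key held")
        data = keystream_xor(session_key, data, b"ses")     # S352
    if level & LEVEL_PACKET:                                # S353
        data = keystream_xor(packet_key(*header, serial, setting_key), data, b"pkt")  # S354
    return data                                             # S355


def round_trip(plaintext, session_key, use_packet_key, seq=1000):
    """Encrypt on device 130 and decrypt on device 230 from the shared inputs.
    All values are constructed: terminal addresses, IP ID, sequence number,
    device 130's serial (learned by 230 at session setup) and the group setting key."""
    header = ("10.0.0.11", "10.0.0.21", 0x1A2B, seq)
    serial, setting_key = b"SER-0001", b"group-setting-key"
    wire = encrypt_out(plaintext, header, session_key, use_packet_key, serial, setting_key)
    return wire, decrypt_in(wire, header, session_key, serial, setting_key)
```

`round_trip(b"...", session_key, True)` produces a level byte of 3 (both keys) and recovers the plaintext on the receiving side; two packets with the same payload but different sequence numbers produce different ciphertext because their packet keys differ. The page describes confidentiality only; a deployment of this design would also want an authentication tag over header and ciphertext, since nothing here detects a modified packet.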
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention relates to a data encryption and decryption system and method. According to an embodiment of the present invention, a data encryption and decryption system, in which a data encryption unit transmits encrypted data through a communication network to a second terminal connected to that network, comprises an encryption module connected between a first terminal and the communication network, which receives data from the first terminal, encrypts it, and generates the packet key required to produce the encrypted data. The encryption module generates the packet key from header information for each data packet received from the first terminal. The header information comprises one or more of the IP address of the first terminal, the IP address of the second terminal, and a packet ID for each packet.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| KR10-2015-0164630 | 2015-11-24 | ||
| KR1020150164630 | 2015-11-24 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2017091002A1 true WO2017091002A1 (fr) | 2017-06-01 |
Family
ID=58763383
Family Applications (4)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/KR2015/012715 Ceased WO2017090789A1 (fr) | 2015-11-24 | 2015-11-25 | Communication security system and method using non-addressed network equipment |
| PCT/KR2016/013600 Ceased WO2017090996A1 (fr) | 2015-11-24 | 2016-11-24 | Data encryption and decryption system and method |
| PCT/KR2016/013613 Ceased WO2017091002A1 (fr) | 2015-11-24 | 2016-11-24 | Data encryption and decryption system and method |
| PCT/KR2016/013609 Ceased WO2017091000A1 (fr) | 2015-11-24 | 2016-11-24 | Data encryption and decryption system and method |
Country Status (1)
| Country | Link |
|---|---|
| WO (4) | WO2017090789A1 (fr) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6240513B1 (en) * | 1997-01-03 | 2001-05-29 | Fortress Technologies, Inc. | Network security device |
| US7100048B1 (en) * | 2000-01-25 | 2006-08-29 | Space Micro Inc. | Encrypted internet and intranet communication device |
| US20140223540A1 (en) * | 2002-09-20 | 2014-08-07 | Fortinet, Inc. | Firewall interface configuration to enable bi-directional voip traversal communications |
| US20140233734A1 (en) * | 2013-02-21 | 2014-08-21 | Meru Networks | Restricting broadcast and multicast traffic in a wireless network to a vlan |
| US20140362988A1 (en) * | 2003-09-30 | 2014-12-11 | Cisco Technology, Inc. | Method and apparatus of communicating security/encryption information to a physical layer transceiver |
Family Cites Families (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6067620A (en) * | 1996-07-30 | 2000-05-23 | Holden; James M. | Stand alone security device for computer networks |
| US6430691B1 (en) * | 1999-06-21 | 2002-08-06 | Copytele, Inc. | Stand-alone telecommunications security device |
| KR100333530B1 (ko) * | 1999-09-29 | 2002-04-25 | 최명렬 | Method for configuring a virtual private network (VPN) using network address translation (NAT) and computer-readable recording medium storing a program for implementing it |
| US7983419B2 (en) * | 2001-08-09 | 2011-07-19 | Trimble Navigation Limited | Wireless device to network server encryption |
| KR100580844B1 (ko) * | 2003-12-17 | 2006-05-16 | 한국전자통신연구원 | Data security and operation apparatus and method in a wireless LAN system |
| US8316152B2 (en) * | 2005-02-15 | 2012-11-20 | Qualcomm Incorporated | Methods and apparatus for machine-to-machine communications |
| US8583929B2 (en) * | 2006-05-26 | 2013-11-12 | Alcatel Lucent | Encryption method for secure packet transmission |
| GB2509709A (en) * | 2013-01-09 | 2014-07-16 | Ibm | Transparent encryption/decryption gateway for cloud storage services |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2017091000A1 (fr) | 2017-06-01 |
| WO2017090996A1 (fr) | 2017-06-01 |
| WO2017090789A1 (fr) | 2017-06-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2016137304A1 (fr) | Trust-zone-based end-to-end security | |
| EP1508222B1 (fr) | Secure wireless local or metropolitan area network and related methods | |
| WO2016021981A1 (fr) | System and method for counter management and security key update for device-to-device group communication | |
| WO2021054693A1 (fr) | Quantum key distribution method, device and system | |
| WO2012093900A2 (fr) | Method and device for authenticating a personal network entity | |
| WO2014069778A1 (fr) | ID-based encryption and decryption method and apparatus for implementing it | |
| WO2018151390A1 (fr) | Internet of things device | |
| TW200307423A (en) | Password device and method, password system | |
| WO2014063455A1 (fr) | Instant messaging method and system | |
| WO2018139910A1 (fr) | Method for providing end-to-end security on a signaling plane in a mission-critical data communication system | |
| CN101529805A (zh) | Intermediate device | |
| CN105656655A (zh) | Network security management method, apparatus and system | |
| WO2020067734A1 (fr) | Address-less network equipment and communication security system using it | |
| WO2019182377A1 (fr) | Method, electronic device and computer-readable recording medium for generating address information used for a blockchain-based cryptocurrency transaction | |
| CN115801316A (zh) | Data transmission method and apparatus, device and storage medium | |
| CN113225298A (zh) | Message verification method and apparatus | |
| CN109347836B (zh) | IPv6 network node identity security protection method | |
| WO2018004114A2 (fr) | Proxy authentication system and authentication method for providing a proxy service | |
| WO2023008940A1 (fr) | Method and system for securely managing reconnection of client devices to a wireless network | |
| JP2005244379A (ja) | VPN system, VPN device and encryption key distribution method used therein | |
| JP3789098B2 (ja) | Network system, network access device, network server and network access control method | |
| CN110832806A (zh) | ID-based data plane security for identity-oriented networks | |
| JP2007039166A (ja) | Elevator remote monitoring system | |
| WO2017091002A1 (fr) | Data encryption and decryption system and method | |
| WO2012165901A2 (fr) | Method for security tunneling between terminals | |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16868898; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 32PN | Ep: public notification in the ep bulletin as address of the addressee cannot be established | Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 15/10/2018) |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 16868898; Country of ref document: EP; Kind code of ref document: A1 |