Management server, communication apparatus and program implementing key allocation system for encrypted communication

US 8,238,555 B2
Filed: 10/21/2008
Issued: 08/07/2012
Est. Priority Date: 04/08/2004
Status: Expired due to Fees

First Claim

Patent Images

1. An encrypted communication management server for managing encrypted communications among a plurality of communication apparatuses, the server comprising:

a processor; and

a memory device storing a program, the processor executing the program to perform functions of;

receiving encrypted communication-purpose setting information from each of the communication apparatuses, the encrypted communication-purpose setting information including a plurality of setting items required for determining setting values in order to produce encryption keys which are used by the communication apparatuses, candidates for the setting values having been included in the plurality of setting items;

receiving from any one of the communication apparatuses, which constitutes a communication source apparatus, a connection request for performing an encrypted communication with a communication destination apparatus, the connection request containing information for specifying any other one of the communication apparatuses as the communication destination apparatus;

judging whether or not a setting value which is commonly used by the communication source apparatus and the communication destination apparatus for producing an encryption key is present in each of the plurality of setting items as to first encrypted communication-purpose setting information received from the communication source apparatus, and second encrypted communication-purpose setting information received from the communication destination apparatus, the first and second encrypted communication-purpose setting information being contained in previously-received encrypted communication-purpose setting information; and

when the setting value which is commonly used by the communication source apparatus and the communication destination apparatus for producing an encryption key is present in each of the plurality of setting items as to the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, transmitting both the encryption key produced based upon the present setting value, and encrypted communication-purpose setting information constructed of the setting value for producing the encryption key to both the communication source apparatus and the communication destination apparatus.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Both a management server and a validation server are installed. Both a terminal and a terminal register setting information which is usable in an encrypted communication in the management server. When carrying out the encrypted communication, the management server searches the registered setting information for coincident setting information. The management server generates keys for the encrypted communications which can be used by the terminals, and delivers these generated keys in combination with the coincident setting information. The management server authenticates both the terminals in conjunction with the validation server. Since the terminals trust such results that the management server has authenticated the terminals respectively, these terminals need not authenticate the respective communication counter terminals.

42 Citations

32 Claims

1. An encrypted communication management server for managing encrypted communications among a plurality of communication apparatuses, the server comprising:
- a processor; and
  
  a memory device storing a program, the processor executing the program to perform functions of;
  
  receiving encrypted communication-purpose setting information from each of the communication apparatuses, the encrypted communication-purpose setting information including a plurality of setting items required for determining setting values in order to produce encryption keys which are used by the communication apparatuses, candidates for the setting values having been included in the plurality of setting items;
  
  receiving from any one of the communication apparatuses, which constitutes a communication source apparatus, a connection request for performing an encrypted communication with a communication destination apparatus, the connection request containing information for specifying any other one of the communication apparatuses as the communication destination apparatus;
  
  judging whether or not a setting value which is commonly used by the communication source apparatus and the communication destination apparatus for producing an encryption key is present in each of the plurality of setting items as to first encrypted communication-purpose setting information received from the communication source apparatus, and second encrypted communication-purpose setting information received from the communication destination apparatus, the first and second encrypted communication-purpose setting information being contained in previously-received encrypted communication-purpose setting information; and
  
  when the setting value which is commonly used by the communication source apparatus and the communication destination apparatus for producing an encryption key is present in each of the plurality of setting items as to the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, transmitting both the encryption key produced based upon the present setting value, and encrypted communication-purpose setting information constructed of the setting value for producing the encryption key to both the communication source apparatus and the communication destination apparatus.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. An encrypted communication management server as claimed in claim 1, wherein:
    - the first encrypted communication-purpose setting information further contains a setting item required for determining a setting value in order to determine an alteration sensing method of communication data, the setting item containing a candidate of the setting value for determining the alteration sensing method of the communication data which is used by the communication source apparatus; and
      
      the second encrypted communication-purpose setting information further contains a setting item required for determining a setting value in order to determine an alteration sensing method of communication data, the setting item containing a candidate of the setting value for determining the alteration sensing method of the communication data which is used by the communication destination apparatus,wherein the processor executes the program to further perform functions of;
      
      judging whether or not a setting value for determining an alteration sensing method which is commonly used by the communication source apparatus and the communication destination apparatus is present in the setting items of the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, which are required for determining the setting value in order to determine the alteration sensing methods of the communication data; and
      
      when the setting value for determining the alteration sensing method which is commonly used by the communication source apparatus and the communication destination apparatus is present in the setting items of the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, which are required for determining the setting value in order to determine the alteration sensing methods of the communication data, including the setting value for determining the alteration sensing method in the first and second encrypted communication-purpose setting information which are transmitted to the communication source apparatus and the communication destination apparatus.
  - 3. An encrypted communication management server as claimed in claim 2, wherein:
    - the setting value for determining the alteration sensing method in the encrypted communication is a sort of a hash function.
  - 4. An encrypted communication management server as claimed in claim 1, wherein the processor further performs functions of:
    - performing a first authentication with respect to the communication source apparatus;
      
      when the first authentication with respect to the communication source apparatus succeeds receiving the connection request so as to judge whether or not a setting value for producing an encryption key which is commonly used by the communication source apparatus and the communication destination apparatus is present in the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information;
      
      when the setting value for producing the encryption key which is commonly used by the communication source apparatus and the communication destination apparatus is present in both the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, performing a second authentication with respect to the communication destination apparatus; and
      
      when the second authentication with respect to the communication destination apparatus succeeds, transmitting the encryption key and the encrypted communication-purpose setting information constructed of the setting value for producing the encryption key to the communication source apparatus and the communication destination apparatus.
  - 5. An encrypted communication management server as claimed in claim 4, wherein the processor further performs is functions of:
    - when the setting value for producing the encryption key which is commonly used by the communication source apparatus and the communication destination apparatus is present in both the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, transmitting the connection request for the communication source apparatus in order to perform the encrypted communication to the communication destination apparatus;
      
      receiving a judgment result which judges whether the connection request is permitted, or not permitted from the communication destination apparatus; and
      
      when the judgment result indicates that the connection request is permitted, transmitting the encryption key and the encrypted communication-purpose setting information constructed of the setting value for producing the encryption key to the communication source apparatus and the communication destination apparatus.
  - 6. An encrypted communication management server as claimed in claim 5, wherein the processor performs the function of, when the judgment result shows that the connection request is not permitted, notifying such a fact that the required encrypted communication is not permitted with respect to the communication source apparatus.
  - 7. An encrypted communication management server as claimed in claim 1, wherein the processor performs a function of, as to the setting items including plural pieces of setting values which produce the encryption key to be commonly used by the communication source apparatus and the communication destination apparatus, selecting therefrom one setting value in accordance with a predetermined selection reference.
  - 8. An encrypted communication management server as claimed in claim 7, wherein:
    - the selection reference is made based upon;
      
      an intercommunication apparatus priority order for determining such a communication apparatus having a top priority with respect to the communication source apparatus and the communication destination apparatus; and
      
      a priority order with respect to the plurality of setting values which are determined by the communication apparatus having the top priority as to the setting items in which plural pieces of setting values are present which produce the encryption key which is commonly used by the communication source apparatus and the communication destination apparatus.
  - 9. An encrypted communication management server as claimed in claim 7, wherein:
    - the selection reference is a security level required in the encrypted communication, or a magnitude of loads processed by an encryption algorithm, which are determinedly the encrypted communication server.
  - 10. An encrypted communication management server as claimed in claim 1, wherein the processor further performs functions of:
    - performing a first authentication with respect to the communication source apparatus;
      
      when the first authentication function succeeds in the first authentication with respect to the communication source apparatus, receiving the first encrypted communication-purpose setting information of the communication source apparatus;
      
      performing a second authentication with respect to the communication destination apparatus; and
      
      when the second authentication function succeeds in the second authentication with respect to the communication destination apparatus, receiving the second encrypted communication-purpose setting information of the communication destination apparatus.
  - 11. An encrypted communication management server as claimed in claim 1, wherein:
    - the plurality of setting items of the encrypted communication-purpose setting information are provided so as to set a sort of an encryption algorithm and a length of the encryption key.

12. An encrypted communication management server for managing encrypted communications among a plurality of communication apparatuses, the server comprising:
- a processor; and
  
  a memory device storing a program, the processor executing the program to perform functions of;
  
  receiving encrypted communication-purpose setting information from each of the communication apparatuses, the encrypted communication-purpose setting information including a plurality of setting items required for determining setting values in order to produce encryption keys which are employed when the one communication apparatus encrypts data to be transmitted/received with respect to other communication apparatuses, candidates of the setting values having been stored in the plurality of setting items;
  
  receiving from any one of the communication apparatuses, which constitutes a communication source apparatus, a connection request for performing an encrypted communication with a communication destination apparatus, the connection request containing information for specifying any other one of the communication apparatuses as the communication destination apparatus;
  
  judging whether or not a plurality of setting items in which ranges of the candidates of the stored setting values overlap with each other are present in the first encrypted communication-purpose setting information under reception from the communication source apparatus and in second encrypted communication-purpose setting information under reception from the communication destination apparatus, the first and second encrypted communication-purpose setting information being contained in previously-received encrypted communication-purpose setting information; and
  
  when the plurality of setting items in which ranges of the candidates of the setting values overlap with each other are present in both the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, transmitting both the encryption key produced based upon one of the setting values within the overlap range, and encrypted communication-purpose setting information constructed of the setting value for producing the encryption key to both the communication source apparatus and the communication destination apparatus.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. An encrypted communication management server as claimed in claim 12, wherein:
    - the first encrypted communication-purpose setting information further contains a setting item required for determining a setting value in order to determine an alteration sensing method in the encrypted communication, while the setting item contains a candidate of the setting value for determining the alteration sensing method of the communication data which is used by the communication source apparatus;
      
      the second encrypted communication-purpose setting information further contains a setting item required for determining a setting value in order to determine an alteration sensing method in the encrypted communication, while the setting item contains a candidate of the setting value for determining the alteration sensing method of the communication data which is used by the communication destination apparatus,wherein the processor performs functions of;
      
      judging whether or not the ranges of the candidates of the stored setting values overlap with each other in the setting items of the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, which are required for determining the setting value in order to determine the alteration sensing methods in the encrypted communication; and
      
      when the ranges of the candidates of the stored setting values overlap with each other in the setting items of the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, which are required for determining the setting value in order to determine the alteration sensing methods in the encrypted communication, including the setting value within the overlap range in the encrypted communication-purpose setting information which is transmitted to the communication source apparatus and the communication destination apparatus.
  - 14. An encrypted communication management server as claimed in claim 13, wherein:
    - the setting value for determining the alteration sensing method in the encrypted communication is a sort of a hash function.
  - 15. An encrypted communication management server as claimed in claim 12, wherein the processor performs functions of:
    - performing a first authentication with respect to the communication source apparatus;
      
      when the first authentication function succeeds in the first authentication with respect to the communication source apparatus, receiving the connection request so as to judge whether or not the plurality of setting items in which the ranges of the candidates of the stored setting values overlap with each other are present in the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information;
      
      when the plurality of setting value in which the ranges of the candidates of the setting values overlap with each other are present in both the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, performing a second authentication with respect to the communication destination apparatus; and
      
      when the second authentication function succeeds in the second authentication with respect to the communication destination apparatus, the encrypted communication management server transmits the encryption key and the encrypted communication-purpose setting information constructed of the setting value for producing the encryption key to the communication source apparatus and the communication destination apparatus.
  - 16. An encrypted communication management server as claimed in claim 12, wherein the processor further performs functions of:
    - when the setting items in which the ranges of the candidates of the stored setting values overlap with each other are present in both the first encrypted communication-purpose setting information and the second encrypted communication-purpose setting information, transmitting the connection request for the communication source apparatus in order to perform the encrypted communication to the communication destination apparatus;
      
      receiving a judgment result which judges whether the connection request is permitted, or not permitted from the communication destination apparatus; and
      
      when the judgment result indicates that the connection request is permitted, transmitting the encryption key and the encrypted communication-purpose setting information constructed of the setting value for producing the encryption key to both the communication source apparatus and the communication destination apparatus.
  - 17. An encrypted communication management server as claimed in claim 16, wherein the processor performs a function of, when the judgment result shows that the connection request is not permitted, notifying such a fact that the required encrypted communication is not permitted with respect to the communication source apparatus.
  - 18. An encrypted communication management server as claimed in claim 12, wherein the processor further performs a function of, as to the setting items in which plural pieces of setting values are present within the overlap ranges of the candidates of the setting values, selecting therefrom one setting value in accordance with a predetermined selection reference.
  - 19. An encrypted communication management server as claimed in claim 18, wherein:
    - the selection reference is made based upon;
      
      an intercommunication apparatus priority order for determining such a communication apparatus having a top priority with respect to the communication source apparatus and the communication destination apparatus; and
      
      a priority order with respect to the plurality of setting values which are determined by the communication apparatus having the top priority as to the setting items in which plural pieces of setting values are present within the overlap ranges of the candidates of the setting values.
  - 20. An encrypted communication management server as claimed in claim 18, wherein:
    - the selection reference is a security level required in the encrypted communication, or a magnitude of loads processed by an encryption algorithm, which are determinedly the encrypted communication server.
  - 21. An encrypted communication management server as claimed in claim 12, wherein the processor further performs functions of:
    - performing a first authentication with respect to the communication source apparatus;
      
      when the first authentication function succeeds in the first authentication with respect to the communication source apparatus, receiving the first encrypted communication-purpose setting information of the communication source apparatus;
      
      performing a second authentication with respect to the communication destination apparatus; and
      
      when the second authentication function succeeds in the second authentication with respect to the communication destination apparatus, receiving the second encrypted communication-purpose setting information of the communication destination apparatus.
  - 22. An encrypted communication management server as claimed in claim 12, wherein:
    - the plurality of setting items of the encrypted communication-purpose setting information are provided so as to set a sort of an encryption algorithm and a length of the encryption key.

23. A communication apparatus connected via a network to a management server for managing a communication session, the apparatus comprising:
- a processor; and
  
  a memory having a program, the processor executing the program to perform functions of;
  
  transmitting first encrypted communication-purpose setting information to the management server in order to encrypt a communication with another communication apparatus, wherein the first encrypted communication-purpose setting information includes a plurality of setting items required for determining a plurality of setting values, and candidates of the setting values have been included in the plurality of setting items;
  
  receiving from the management server, both an encryption key produced based upon such a setting value selected from the candidates of the setting values, which is used in the another communication apparatus, and second encrypted communication-purpose setting information which contains the setting value for producing the encryption key; and
  
  performing an encrypted communication with the another communication apparatus without via the management server by employing the encryption key and the second encrypted communication-purpose setting information.
- View Dependent Claims (24, 25, 26, 27)
- - 24. A communication apparatus as claimed in claim 23, wherein:
    - the first encrypted communication-purpose setting information further contains a setting item required for determining a setting value in order to determine an alteration sensing method of communication data, while the setting item contains a candidate of the setting value for determining the alteration sensing method of the communication data which is used by the communication apparatus; and
      
      the second encrypted communication purpose setting information contains a setting item which is used by the another communication apparatus among the candidates of the setting values.
  - 25. A communication apparatus as claimed in claim 23, wherein:
    - the communication apparatus is authenticated by the management server prior to the transmission of the first encrypted communication-purpose setting information; and
      
      the processor further performs a function of, when the communication apparatus succeeds in the authentication, transmitting the first encrypted communication-purpose setting information.
  - 26. A communication apparatus as claimed in claim 23, wherein:
    - since the communication apparatus transmits a connection request to the management server, while the connection request contains information for specifying the another communication apparatus and is employed in order to be communicated with the another communication apparatus, the communication apparatus receives both the encryption key and the second encrypted communication-purpose setting information from the management server.
  - 27. A communication apparatus as claimed in claim 23, wherein the processor performs a function of, when the communication apparatus receives from the management server, a connection request for requiring a communication by the another communication apparatus, which contains the information for specifying the another communication apparatus, the encryption key, and the second encrypted communication-purpose setting information, executing an encrypted communication with the another communication apparatus without communication via the management server.

28. A non-transitory tangible computer-readable medium having a program, for a processor of a communication apparatus to be connected via a network to a management server for managing a communication session, the program, when executed, causing the processor to perform functions of:
- transmitting first encrypted communication-purpose setting information to the management server in order to encrypt a communication with another communication apparatus, wherein the first encrypted communication-purpose setting information includes a plurality of setting items required for determining setting values, and candidates of the setting values have been included in the plurality of setting items;
  
  receiving both an encryption key produced based upon such a setting value selected from the candidates of the setting values, which is used in the another communication apparatus, and second encrypted communication-purpose setting information which contains the setting value for producing the encryption key from the management server; and
  
  performing an encrypted communication with the another communication apparatus by employing the encryption key and the second encrypted communication-purpose setting information, without the management server relaying data of the encrypted communication with the another communication apparatus.
- View Dependent Claims (29, 30, 31, 32)
- - 29. The non-transitory tangible computer-readable medium as claimed in claim 28, wherein:
    - the first encrypted communication-purpose setting information further contains a setting item required for determining a setting value in order to determine an alteration sensing method of communication data, while the setting item contains a candidate of the setting value for determining the alteration sensing method of the communication data which is used by the program; and
      
      the second encrypted communication-purpose setting information contains a setting item which is used by the another communication apparatus among the candidates of the setting values.
  - 30. The non-transitory tangible computer-readable medium as claimed in claim 28, wherein:
    - the program is authenticated by the management server prior to the transmission of the first encrypted communication-purpose setting information; and
      
      when the program succeeds in the authentication, the first encrypted communication-purpose setting information is transmitted.
  - 31. The non-transitory tangible computer-readable medium as claimed in claim 28, wherein:
    - since a connection request is transmitted to the management server, while the connection request contains information for specifying the another communication apparatus and is employed in order to be communicated with the another communication apparatus, both the encryption key and the second encrypted communication-purpose setting information are received from the management server.
  - 32. The non-transitory tangible computer-readable medium as claimed in claim 28, wherein:
    - when a connection request for requiring a communication by the another communication apparatus, which contains the information for specifying the another communication apparatus, the encryption key, and the second encrypted communication-purpose setting information are received from the management server, an encrypted communication is carried out with the another communication apparatus without communication via the management server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Takata, Osamu, Fujishiro, Takahiro, Kaji, Tadashi, Hoshino, Kazuyoshi
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US12/255,200
Publication Number

US 20090055649A1
Time in Patent Office

1,386 Days
Field of Search

713/153, 713/155, 380/259, 380/279
US Class Current

380/259
CPC Class Codes

H04L 63/0428 wherein the data content is...

H04L 63/062 for key distribution, e.g. ...

Management server, communication apparatus and program implementing key allocation system for encrypted communication

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Management server, communication apparatus and program implementing key allocation system for encrypted communication

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links