Search

EP-4152690-B1 - COMMUNICATION DEVICE, COMMUNICATION METHOD, AND COMMUNICATION SYSTEM

EP4152690B1EP 4152690 B1EP4152690 B1EP 4152690B1EP-4152690-B1

Inventors

  • TANAKA, YASUYUKI
  • TANIZAWA, YOSHIMICHI

Dates

Publication Date
20260513
Application Date
20220203

Claims (10)

  1. A communication device (100a) comprising: a key sharing unit (101) that shares encryption keys with a plurality of external communication devices (100b, 200); a deciding unit (105) that decides on a route for sending transmission data, based on residual quantities of the encryption keys; an encrypting unit (106) that encrypts, for each external communication device of one or more external communication devices (100b, 200) included in the route, a header in which the external communication device (100b, 200) is set as a destination, using an encryption key shared with the external communication device (100b, 200); a packet generating unit (104) that generates a packet that includes the transmission data and the one or more encrypted headers; and a sending unit (107) that sends the generated packet along the route, wherein the deciding unit (105) decides on the route that includes external communication devices (100b, 200), a number of which is equal to or greater than a prescribed number, from among the plurality of external communication devices (100b, 200).
  2. The communication device (100a) according to claim 1, wherein the deciding unit (105) decides on the route in such a way that a same route is not used again within a predetermined period of time.
  3. The communication device (100a) according to claim 1, wherein the deciding unit (105) decides on the route in such a way that an amount of time from when the packet is transmitted to when the packet arrives at an external communication device that is a receiving device (100b) for receiving the transmission data, is within a stipulated amount of time.
  4. The communication device (100a) according to claim 1, wherein the deciding unit (105) identifies one or more external communication devices (100b, 200) capable of sending the transmission data, based on the residual quantities of the encryption keys, and decides on the route that includes one or more external communication devices (100b, 200) from among the identified external communication devices (100b, 200).
  5. The communication device (100a) according to claim 1, further comprising a key managing unit (102) that manages the encryption keys, which are shared by the key sharing unit (101), in such a way that a length of a first encryption key is different than a length of a second encryption key, the first encryption key being used for encrypting a header in a case in which an external communication device is a receiving device (100b) that receives the transmission data, the second encryption key being used for encrypting a header in a case in which an external communication device is a relay device (200) that relays the transmission data to another external communication device (100b, 200).
  6. The communication device (100a) according to claim 1, wherein the key sharing unit (101) uses a quantum key distribution for sharing the encryption keys with the plurality of external communication devices (100b, 200).
  7. The communication device (100a) according to claim 1, wherein the encrypting unit (106) encrypts the header using the encryption key according to one-time encryption.
  8. The communication device (100a) according to claim 1, wherein at least some of the plurality of external communication devices (100b, 200) are mobile terminals that are used while being moved, and the sending unit (107) sends the packet via a network (400) capable of connecting to the mobile terminals.
  9. A communication method implemented by a communication device, comprising: sharing encryption keys with a plurality of external communication devices (100b, 200); deciding on a route for sending transmission data, based on residual quantities of the encryption keys; encrypting, for each external communication device of one or more external communication devices (100b, 200) included in the route, a header in which the external communication device (100b, 200) is set as a destination, using an encryption key shared with the external communication device (100b, 200); generating a packet that includes the transmission data and the one or more encrypted headers; and sending the generated packet along the route, wherein the deciding includes deciding on the route that includes external communication devices (100b, 200), a number of which is equal to or greater than a prescribed number, from among the plurality of external communication devices (100b, 200).
  10. A communication system comprising: one or more transmission devices (100a); one or more relay devices (200); and one or more receiving devices (100b), wherein the one or more transmission devices (100a) each include: a key sharing unit (101) that shares encryption keys with a plurality of external communication devices (100b, 200) including the one or more relay devices (200) and the one or more receiving devices (100b); a deciding unit (105) that decides on a route for sending transmission data to a receiving device (100b), based on residual quantities of the encryption keys; an encrypting unit (106) that encrypts, for each external communication device of one or more external communication devices (100b, 200) included in the route, a header in which the external communication device (100b, 200) is set as a destination, using an encryption key shared with the external communication device (100b, 200); a packet generating unit (104) that generates a packet that includes the transmission data and the one or more encrypted headers; and a sending unit (107) that sends the generated packet along the route, wherein the deciding unit (105) decides on the route that includes external communication devices (100b, 200), a number of which is equal to or greater than a prescribed number, from among the plurality of external communication devices (100b, 200).

Description

FIELD The present disclosure relates to a communication device, a communication method, and a communication system. BACKGROUND In the communication performed using a public network such as the Internet, there are times when encryption is performed in order to keep the packets confidential. For example, the transmission node shares an encryption key in advance with the receiving node; and encrypts a transmission packet using that encryption key according to one-time encryption. Then, the receiving node decrypts the received packet using the same encryption key. Sometimes the packets are transferred via one or more relay nodes. For example, in a configuration in which a plurality of relay nodes is present in between the transmission node and the receiving node, a plurality of pairs of neighboring nodes present on the relay route for the packet share an encryption key in advance. The transmission node or a relay node encrypts a transmission packet according to one-time encryption. Then, either the next relay node or the receiving node decrypts the received packet using the concerned encryption key. US 2011/075845 relates to communication nodes that act as intermediate routers for communication packets transmitted between a source node and a destination node and are provided with different access rights to the fields of the routed communication packets. Routes of intermediate routers between the source node and the destination node are discovered and the identities of intermediate routers on the discovered routes are collected. The aggregate trust levels of the intermediate routers are computed allowing the most trusted route to be selected. Encryption keys are securely distributed to intermediate routers on the most trusted route based on the trust level of the intermediate routers and fields of the communication packets are encrypted with encryption keys corresponding to the assigned trust level. Intermediated nodes are thereby prevented from accessing selected fields of the communication packets. US 2020/304477 relates to a point-to-point Virtual Private Network (VPN) tunnel which is established for facilitating fully cloaked transmission of a data packet from a source endpoint device to a destination endpoint device. The data packet includes a payload portion, an inner header, and an outer header. An 'end-to-end key', a 'next-hop-destination key' and a plurality of 'next-hop' keys are calculated. The end-to-end key is used at the source endpoint device and the destination endpoint device respectively to encrypt and decrypt the payload portion. The next-hop keys are used to encrypt the inner header during the hop-to-hop communication from one intermediary node to another, along the incrementally constructed path connecting the source endpoint device with the destination endpoint device. The encryption of the payload portion is maintained throughout the hop-to-hop communication regardless of the number of intermediary nodes traversed by the data packet en route to the destination endpoint device. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a block diagram illustrating an exemplary configuration of a communication system that includes communication devices according to an arrangement;FIG. 2 is a functional block diagram of a transmission node;FIGS. 3 and 4 are diagrams illustrating examples of a method implemented by a key managing unit for managing encryption keys;FIG. 5 is a diagram illustrating an example of a relay header;FIG. 6 is a diagram illustrating an example of the relationship between the regions to be encrypted and the encryption keys;FIG. 7 is a functional block diagram of a relay node;FIG. 8 is a diagram illustrating an example of the result of updating the header of a packet;FIG. 9 is a diagram illustrating an example of a packet that is sent from a relay node to a receiving node;FIG. 10 is a functional block diagram of a receiving node;FIG. 11 is a flowchart for explaining an example of a transmission operation performed according to the present arrangement;FIG. 12 is a flowchart for explaining an example of a relay operation performed according to the present arrangement;FIG. 13 is a flowchart for explaining an example of a receiving operation according to the present arrangement;FIG. 14 is a block diagram illustrating a communication system according to a first modification example; andFIG. 15 is a diagram illustrating an exemplary hardware configuration of the communication devices. DETAILED DESCRIPTION The present invention is defined in the independent claims. Preferred embodiments are defined in the dependent claims. In a first aspect, a communication device is provided as recited in claim 1. In a second aspect, a communication method is provided as recited in claim 9. In a third aspect, a communication system is provided as recited in claim 10. An exemplary arrangement of a communication device according to the present invention is described below in detail with reference to the accompa