Encryption communication system

US 20070160200A1
Filed: 01/12/2005
Published: 07/12/2007
Est. Priority Date: 01/14/2004
Status: Active Grant

First Claim

Patent Images

1. An encryption communication method characterized by comprising:

the step a of causing an application to transmit a data packet in which a loopback address serving as an IP address for closed communication in a self node is set as a destination address, the application executing encryption communication with another node apparatus connected to a network; and

the step b of causing a communication encryption module operating as an independent process to receive the data packet having the loopback address set as the destination address and transmitted from the application, read out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the loopback address, rewrite the destination address of the data packet to the readout communication partner IP address, and encrypt and transmit the data packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

If the communication partner of a client node (A1a) is an encryption communication target node (C1), a DNS Proxy unit (A12a) in the client node rewrites a response to a name resolution request for the communication partner node of an application from the actual IP address of the communication partner node to a loopback address that changes depending on the communication partner. On the basis of the destination loopback address of a data packet transmitted from the application, a communication encryption module (A13a) in the client node identifies the communication partner and the encryption communication path to be used for communication with the communication partner. Hence, encryption communication can simultaneously be executed directly with a plurality of communication partner nodes by using the communication encryption module that operates as an independent process.

86 Citations

View as Search Results

184 Claims

1. An encryption communication method characterized by comprising:
- the step a of causing an application to transmit a data packet in which a loopback address serving as an IP address for closed communication in a self node is set as a destination address, the application executing encryption communication with another node apparatus connected to a network; and
  
  the step b of causing a communication encryption module operating as an independent process to receive the data packet having the loopback address set as the destination address and transmitted from the application, read out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the loopback address, rewrite the destination address of the data packet to the readout communication partner IP address, and encrypt and transmit the data packet.
- View Dependent Claims (2, 6, 9, 10, 14)
- - 2. An encryption communication method according to claim 1, characterized by further comprising:
    - the step c of causing a communication method resolution unit to determine on the basis of a domain name contained in one of a name resolution query transmitted from the application to resolve an IP address of said other node and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
      
      the step d of causing an encryption communication path setting unit to register, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
      
      the step e of causing a name resolution query/response transmission/reception unit to replace the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmit the name resolution response to the application, wherein the step a and the step b are executed after the step c, the step d, and the step e.
  - 6. An encryption communication method according to claim 1, characterized by further comprising:
    - the step c of causing a communication method resolution unit to determine on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node;
      
      the step d of causing an encryption communication path setting unit to register, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
      
      the step e of causing a name resolution query/response transmission/reception unit to replace the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmit the name resolution response to the application, wherein the step a and the step b are executed after the step c, the step d, and the step e.
  - 9. An encryption communication method according to claim 1, characterized by further comprising:
    - the step f of causing the application to transmit a data packet in which an IP address of said other node apparatus is set as the destination address; and
      
      the step g of causing a data transmission/reception unit provided in a kernel unit to receive the data packet having the IP address of said other node apparatus set as the destination address and transmitted from the application and, if the communication partner IP address set as the destination address of the data packet is registered in a second encryption communication path setting table that holds a communication partner IP address, encrypt and transmit the data packet.
  - 10. An encryption communication method according to claim 9, characterized by further comprising:
    - the step c of causing a communication method resolution unit to determine on the basis of a domain name contained in a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node, and if said other node apparatus is the encryption communication target node, determine which of the communication encryption module and the data transmission/reception unit should encrypt communication;
      
      the step d of causing an encryption communication path setting unit to register, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node, and the communication encryption module should encrypt communication, and register, in the second encryption communication path setting table, the IP address of said other node apparatus contained in the name resolution response if it is determined that said other node apparatus is the encryption communication target node, and the data transmission/reception unit should encrypt communication; and
      
      the step e of causing a name resolution query/response transmission/reception unit to replace the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmit the name resolution response to the application if it is determined that said other node apparatus is the encryption communication target node, and the communication encryption module should encrypt communication, and otherwise, transmit the name resolution response containing the IP address of said other node apparatus to the application, wherein the step a and the step b or the step f and the step g are executed after the step c, the step d, and the step e.
  - 14. An encryption communication method according to claim 10, characterized by further comprising:
    - the step c of causing a communication method resolution unit to determine on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node, and if said other node apparatus is the encryption communication target node, determine which of the communication encryption module and the data transmission/reception unit should encrypt communication;
      
      the step d of causing an encryption communication path setting unit to register, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node, and the communication encryption module should encrypt communication, and register, in the second encryption communication path setting table, the IP address of said other node apparatus contained in the name resolution response if it is determined that said other node apparatus is the encryption communication target node, and the data transmission/reception unit should encrypt communication; and
      
      the step e of causing a name resolution query/response transmission/reception unit to replace the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmit the name resolution response to the application if it is determined that said other node apparatus is the encryption communication target node, and the communication encryption module should encrypt communication, and otherwise, transmit the name resolution response containing the IP address of said other node apparatus to the application, wherein the step a and the step b or the step f and the step g are executed after the step c, the step d, and the step e.

3. (canceled)

4. (canceled)

5. (canceled)

7. (canceled)

8. (canceled)

11. (canceled)

12. (canceled)

13. (canceled)

15. (canceled)

16. (canceled)

17. An encryption communication method characterized by comprising:
- the step a of causing an application on a client node to transmit a data packet in which a first intercept address is set as a destination address, the application executing encryption communication with another node apparatus connected to a network; and
  
  the step b of causing a communication encryption module provided in a communication encryption node and operating as an independent process to receive the data packet having the first intercept address set as the destination address and transmitted from the application, read out a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the first intercept address, and encrypt and transmit the data packet in which the readout communication partner IP address is set as the destination address of the data packet.
- View Dependent Claims (18, 22, 25, 26)
- - 18. An encryption communication method according to claim 17, characterized by further comprising:
    - the step c of causing a communication method resolution unit to determine on the basis of a domain name contained in one of a name resolution query transmitted from the application to resolve an IP address of said other node and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
      
      the step d of causing an encryption communication path setting unit to register, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
      
      the step e of causing a name resolution query/response transmission/reception unit to transmit, to the application as the name resolution response, the first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response, wherein the step a and the step b are executed after the step c, the step d, and the step e.
  - 22. An encryption communication method according to claim 17, characterized by further comprising:
    - the step c of causing a communication method resolution unit to determine on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node;
      
      the step d of causing an encryption communication path setting unit to register, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
      
      the step e of causing a name resolution query/response transmission/reception unit to transmit, to the application as the name resolution response, the first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response, wherein the step a and the step b are executed after the step c, the step d, and the step e.
  - 25. An encryption communication method according to claim 17, characterized by further comprising:
    - the step f of causing the application to transmit a data packet in which a second intercept address is set as the destination address; and
      
      the step g of causing a data transmission/reception unit provided in a kernel unit of the communication encryption node to receive the data packet having the second intercept address set as the destination address and transmitted from the application and, read out the communication partner IP address corresponding to the second intercept address set as the destination address of the data packet from a second encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the second intercept address, and encrypt and transmit the data packet in which the readout communication partner IP address is set as the destination address of the data packet.
  - 26. An encryption communication method according to claim 25, characterized by further comprising:
    - the step c of causing a communication method resolution unit to determine on the basis of a domain name contained in a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node, and if said other node apparatus is the encryption communication target node, determine which of the communication encryption module and the data transmission/reception unit should encrypt communication;
      
      the step d of causing an encryption communication path setting unit to register, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node, and the communication encryption module should encrypt communication, and register, in the second encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a second intercept address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node, and the data transmission/reception unit should encrypt communication; and
      
      the step e of causing a name resolution query/response transmission/reception unit to replace the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence and transmit the name resolution response to the application if it is determined that said other node apparatus is the encryption communication target node, and the communication encryption module should encrypt communication, replace the IP address of said other node apparatus contained in the name resolution response with the second intercept address in the correspondence, and transmit the name resolution response to the application if it is determined that said other node apparatus is the encryption communication target node, and the data transmission/reception unit should encrypt communication, wherein the step a and the step b or the step f and the step g are executed after the step c, the step d, and the step e.

19. (canceled)

20. (canceled)

21. (canceled)

23. (canceled)

24. (canceled)

27. (canceled)

28. (canceled)

29. (canceled)

30. (canceled)

31. (canceled)

32. (canceled)

33. An encryption communication method characterized by comprising:
- the step a of causing an application to transmit a data packet in which an IP address of another node apparatus is set as a destination address, the application executing encryption communication with said other node apparatus connected to a network;
  
  the step b of causing a redirection unit provided in a data transmission/reception unit of a kernel unit to intercept the data packet transmitted from the application to said other node apparatus, look up a redirection table that holds a criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information, determine on the basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrite predetermined information of the data packet in accordance with the rewrite rule and redirect the data packet to a communication encryption module; and
  
  the step c of causing the communication encryption module to rewrite the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up an encryption communication path setting table that stores a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and an IP address of another node apparatus of the application, encrypt the data packet in which the destination IP address of said other node apparatus is set, and transmit the data packet to said other node apparatus.
- View Dependent Claims (34, 39)
- - 34. An encryption communication method according to claim 33, characterized by further comprising:
    - the step d of causing a communication method resolution unit to determine on the basis of a domain name contained in one of a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node; and
      
      the step e of causing an encryption communication path setting unit to register, in the redirection table, the criterion to determine the data packet to be encrypted and the rewrite rule of the communication partner identification information and register, in the encryption communication path setting table, the correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of the application when said other node apparatus is the encryption communication target node, wherein the step a, the step b, and the step c are executed after the step d and the step e.
  - 39. An encryption communication method according to claim 33, characterized by further comprising:
    - the step d of causing a communication method resolution unit to determine on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node; and
      
      the step e of causing an encryption communication path setting unit to register, in the redirection table, the criterion to determine the data packet to be encrypted and the rewrite rule of the communication partner identification information and register, in the encryption communication path setting table, the correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of the application when said other node apparatus is the encryption communication target node, wherein the step a, the step b, and the step c are executed after the step d and the step e.

35. (canceled)

36. (canceled)

37. (canceled)

38. (canceled)

40. (canceled)

41. (canceled)

42. (canceled)

43. An encryption communication method characterized by comprising:
- the step a of causing an application on a client node to transmit a data packet in which an intercept address corresponding to an IP address of another node apparatus is set as a destination address, the application executing encryption communication with said other node apparatus connected to a network;
  
  the step b of causing a redirection unit provided in a data transmission/reception unit of a kernel unit in a communication encryption node to intercept the data packet transmitted from the application, look up a redirection table that holds a criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information, determine on the basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrite predetermined information of the data packet in accordance with the rewrite rule and redirect the data packet to a communication encryption module provided in the communication encryption node; and
  
  the step c of causing the communication encryption module to rewrite the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up an encryption communication path setting table that stores a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and an IP address of another node apparatus of the application, encrypt the data packet in which the destination IP address of said other node apparatus is set, and transmit the data packet to said other node apparatus.
- View Dependent Claims (44, 49)
- - 44. An encryption communication method according to claim 43, characterized by further comprising:
    - the step d of causing a communication method resolution unit to determine on the basis of a domain name contained in one of a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node; and
      
      the step e of causing an encryption communication path setting unit to register, in the redirection table, the criterion to determine the data packet to be encrypted and the rewrite rule of the communication partner identification information and register, in the encryption communication path setting table, the correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of the application when said other node apparatus is the encryption communication target node, wherein the step a, the step b, and the step c are executed after the step d and the step e.
  - 49. An encryption communication method according to claim 43, characterized by further comprising:
    - the step d of causing a communication method resolution unit to determine on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node; and
      
      the step e of causing an encryption communication path setting unit to register, in the redirection table, the criterion to determine the data packet to be encrypted and the rewrite rule of the communication partner identification information and register, in the encryption communication path setting table, the correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of the application when said other node apparatus is the encryption communication target node, wherein the step a, the step b, and the step c are executed after the step d and the step e.

45. (canceled)

46. (canceled)

47. (canceled)

48. (canceled)

50. (canceled)

51. (canceled)

52. (canceled)

53. A node apparatus characterized by comprising:
- an application that communicates with another node apparatus connected to a network; and
  
  a communication encryption module which operates as an independent process, said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a loopback address serving as an IP address for closed communication in a self node, and a first communication encryption unit which receives the data packet having the loopback address set as the destination address and transmitted from said application, reads out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from said first encryption communication path setting table, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet.
- View Dependent Claims (54, 55, 56, 57, 58, 59, 66, 67, 68)
- - 54. A node apparatus according to claim 53, characterized in that said first encryption communication path setting table holds a plurality of correspondences between the communication partner IP address and the loopback address.
  - 55. A node apparatus according to claim 54, characterized by further comprising:
    - a communication method resolution unit which determines on the basis of a domain name contained in one of a name resolution query transmitted from said application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
      
      an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
      
      a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmits the name resolution response to said application.
  - 56. A node apparatus according to claim 54, characterized by further comprising:
    - a communication method resolution unit which determines on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node;
      
      an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
      
      a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmits the name resolution response to said application.
  - 57. A node apparatus according to claim 53, characterized by further comprising a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the loopback address, said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the loopback address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprises a setting table which holds a correspondence between a domain name condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether a domain name of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of domain name conditions held in said setting table, an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched domain name condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session, and a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response received from the name resolution server with the loopback address in the correspondence and transmits the name resolution response to said application.
  - 58. A node apparatus according to claim 53, characterized by further comprising a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the loopback address, said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the loopback address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprises a setting table which holds a correspondence between an IP address condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether the IP address of said other node apparatus contained in the name resolution response matches any one of IP address conditions held in said setting table, an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched IP address condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session, and a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response received from the name resolution server with the loopback address in the correspondence and transmits the name resolution response to said application.
  - 59. A node apparatus according to claim 53, characterized by further comprising a data transmission/reception unit provided in a kernel unit, said data transmission/reception unit comprising a second encryption communication path setting table which holds a communication partner IP address, and a second communication encryption unit which receives the data packet transmitted from said application and encrypts and transmits the data packet when a communication partner IP address set as the destination address of the data packet is registered in said second encryption communication path setting table.
  - 66. A node apparatus according to claim 53, characterized by further comprising a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the loopback address, said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the loopback address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprises a name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from said application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session, and transmits the name resolution response to said application if it is determined that said other node apparatus is the encryption communication target node, and an encryption communication path setting unit which registers, in said first encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the encryption communication path setting information, and the loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node.
  - 67. A node apparatus according to claim 54, characterized by further comprising:
    - a data transmission/reception unit provided in a kernel unit; and
      
      a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, said data transmission/reception unit comprising a second encryption communication path setting table which holds a communication partner IP address, and a communication encryption unit which receives the data packet transmitted from said application and encrypts and transmits the data packet when a communication partner IP address set as the destination address of the data packet is registered in said second encryption communication path setting table, and said name resolution proxy unit comprising a name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from said application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing the IP address of said other node apparatus and a determination result indicating whether said other node apparatus is an encryption communication target node, and if said other node apparatus is the encryption communication target node, which of said communication encryption module and said data transmission/reception unit should encrypt communication, replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session, and transmits the name resolution response to said application if it is determined that said other node apparatus is the encryption communication target node, and said communication encryption module should encrypt communication, and an encryption communication path setting unit which registers, in said first encryption communication path setting table, the correspondence between the IP address of said other node apparatus and the loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node, and said communication encryption module should encrypt communication, and registers, in said second encryption communication path setting table, the IP address of said other node apparatus contained in the name resolution response if it is determined that said other node apparatus is the encryption communication target node, and said data transmission/reception unit should encrypt communication.
  - 68. A node apparatus according to claim 53, characterized by further comprising:
    - a data transmission/reception unit provided in a kernel unit; and
      
      a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the loopback address, said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the loopback address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, said data transmission/reception unit comprises a second encryption communication path setting table which holds a correspondence between a communication partner IP address and encryption communication path setting information, and a second communication encryption unit which receives the data packet transmitted from said application, when a communication partner IP address set as the destination address of the data packet is registered in said second encryption communication path setting table, reads out corresponding encryption communication path setting information from said second encryption communication path setting table, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprises a name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from said application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing encryption communication path setting information, the IP address of said other node apparatus, and a determination result indicating whether said other node apparatus is an encryption communication target node, and if said other node apparatus is the encryption communication target node, which of said communication encryption module and said data transmission/reception unit should encrypt communication, replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session, and transmits the name resolution response to said application if it is determined that said other node apparatus is the encryption communication target node, and said communication encryption module should encrypt communication, and an encryption communication path setting unit which registers, in said first encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the loopback address that is not used in any other communication session, and the encryption communication path setting information if it is determined that said other node apparatus is the encryption communication target node, and said communication encryption module should encrypt communication, and registers, in said second encryption communication path setting table, the correspondence between the IP address of said other node apparatus contained in the name resolution response and the encryption communication path setting information if it is determined that said other node apparatus is the encryption communication target node, and said data transmission/reception unit should encrypt communication.

60. (canceled)

61. (canceled)

62. (canceled)

63. (canceled)

64. (canceled)

65. (canceled)

69. (canceled)

70. (canceled)

71. A node apparatus characterized by comprising:
- an application that communicates with another node apparatus connected to a network;
  
  a communication encryption module which operates as an independent process; and
  
  a data transmission/reception unit provided in a kernel unit, said data transmission/reception unit comprising a redirection table which holds a criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from said application to said other node apparatus, determines on the basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrites predetermined information of the data packet in accordance with the rewrite rule and redirects the data packet to said communication encryption module, and said communication encryption module comprising an encryption communication path setting table which holds a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from said data transmission/reception unit and an IP address of said other node apparatus of said application, and a communication encryption unit which rewrites the communication partner identification information of the data packet redirected from said data transmission/reception unit by looking up the encryption communication path setting table, encrypts the data packet in which a destination IP address of said other node apparatus is set, and transmits the data packet to said other node apparatus.
- View Dependent Claims (72, 73, 77)
- - 72. A node apparatus according to claim 71, characterized in that said redirection table holds a correspondence between an IP address of an encryption communication target node and a loopback address serving as an IP address for closed communication in a self node, said redirection unit redirects the data packet to said communication encryption module when a loopback address corresponding to an IP address set as a destination address of the intercepted data packet is held in said redirection table by rewriting the destination address of the data packet to the corresponding loopback address, said encryption communication path setting table holds a correspondence between a communication partner IP address, a loopback address, and encryption communication path setting information to be used for communication with a communication partner, and said communication encryption unit reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the loopback address set as the destination address of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet.
  - 73. A node apparatus according to claim 71, characterized by further comprising:
    - a communication method resolution unit which determines on the basis of a domain name contained in one of a name resolution query transmitted from said application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node; and
      
      an encryption communication path setting unit which registers, in said redirection table, the criterion to determine the data packet to be encrypted and the rewrite rule of the communication partner identification information, and registers, in said encryption communication path setting table, a correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of said application when said other node apparatus is the encryption communication target node.
  - 77. A node apparatus according to claim 71, characterized by further comprising a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, wherein said redirection table holds a correspondence between an IP address of an encryption communication target node and the rewrite rule of the communication partner identification information, said redirection unit determines whether the data packet is an encryption target by comparing a destination IP address of the intercepted data packet with the IP address of the encryption communication target node held in said redirection table, and if the data packet is the encryption target, redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of corresponding communication partner identification information on said redirection table and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said encryption communication path setting table holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, and said communication encryption unit reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprises a name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from said application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, and transmits the IP address of said other node apparatus contained in the name resolution response to said application as the name resolution response, and an encryption communication path setting unit which registers, in said encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the communication partner identification information that is not used in any other communication session, and the encryption communication path setting information, and registers, in said redirection table, the correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information that is not used in any other communication session when said other node apparatus is the encryption communication target node.

74. (canceled)

75. (canceled)

76. (canceled)

78. (canceled)

79. (canceled)

80. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, characterized by comprising:
- a communication encryption module which operates as an independent process, said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a first intercept address, and a first communication encryption unit which receives a data packet having the first intercept address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet.
- View Dependent Claims (81, 82, 83, 84, 85, 86)
- - 81. A communication encryption node apparatus according to claim 80, characterized in that said first encryption communication path setting table holds a plurality of correspondences between the communication partner IP address and the first intercept address.
  - 82. A communication encryption node apparatus according to claim 81, characterized by further comprising:
    - a communication method resolution unit which determines on the basis of a domain name contained in a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
      
      an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
      
      a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, a first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response.
  - 83. A communication encryption node apparatus according to claim 81, characterized by further comprising:
    - a communication method resolution unit which determines on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node;
      
      an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
      
      a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, a first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response.
  - 84. A communication encryption node apparatus according to claim 80, characterized by further comprising a name resolution proxy unit which relays the name resolution query transmitted from the application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the first intercept address, said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the first intercept address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprises a setting table which holds a correspondence between a domain name condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether a domain name of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of domain name conditions held in said setting table, an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched domain name condition, the IP address of said other node apparatus resolved by the name resolution response, and a first intercept address that is not used in any other communication session, and a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, a first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response received from the name resolution server.
  - 85. A communication encryption node apparatus according to claim 80, characterized by further comprising a name resolution proxy unit which relays the name resolution query transmitted from the application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the first intercept address, said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the first intercept address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprises a setting table which holds a correspondence between an IP address condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether an IP address of said other node apparatus contained in the name resolution response matches any one of IP address conditions held in said setting table, an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched IP address condition, the IP address of said other node apparatus resolved by the name resolution response, and a first intercept address that is not used in any other communication session, and a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, a first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response received from the name resolution server.
  - 86. A communication encryption node apparatus according to claim 80, characterized by further comprising a data transmission/reception unit provided in a kernel unit, said data transmission/reception unit comprising a second encryption communication path setting table which holds a correspondence between a communication partner IP address and a second intercept address, and a communication encryption unit which receives the data packet having a second intercept address set as a destination address and transmitted from the application, reads out, from said second encryption communication path setting table, a communication partner IP address corresponding to the second intercept address set as the destination address of the data packet, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet.

87. (canceled)

88. (canceled)

89. (canceled)

90. (canceled)

91. (canceled)

92. (canceled)

93. (canceled)

94. (canceled)

95. (canceled)

96. (canceled)

97. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, characterized by comprising:
- a communication encryption module which operates as an independent process;
  
  a data transmission/reception unit provided in a kernel unit; and
  
  a name resolution proxy unit which relays a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, said data transmission/reception unit comprising a redirection table which holds a correspondence between an intercept address and a loopback address serving as an IP address for closed communication in a self node, and a redirection unit which receives a data packet having the intercept address set as a destination address and transmitted from the application, reads out, from said redirection table, a loopback address corresponding to the intercept address set as the destination address of the data packet, and redirects the data packet to said communication encryption module by rewriting the destination address of the data packet to the readout loopback address, said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, a loopback address, and encryption communication path setting information to be used for communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the loopback address set as the destination address of the data packet redirected from said data transmission/reception unit, encrypts the data packet in which the readout communication partner IP address is set as the destination address of the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprising a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched specifying condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session, and registers, in said redirection table, a correspondence between the loopback address in the correspondence and an intercept address that is not used in any other communication session, and a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, an intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response received from the name resolution server.
- View Dependent Claims (98, 99)
- - 98. A communication encryption node apparatus according to claim 97, characterized in that said setting table holds a domain name condition as the specifying condition, said communication method resolution unit determines whether a domain name of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of domain name conditions held in said setting table, and said encryption communication path setting unit registers, in said encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched domain name condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session.
  - 99. A communication encryption node apparatus according to claim 97, characterized in that said setting table holds an IP address condition as the specifying condition, said communication method resolution unit determines whether an IP address of said other node apparatus contained in the name resolution response matches any one of IP address conditions held in said setting table, and said encryption communication path setting unit registers, in said encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched IP address condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session.

100. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, characterized by comprising:
- a communication encryption module which operates as an independent process;
  
  a data transmission/reception unit provided in a kernel unit; and
  
  a name resolution proxy unit which relays a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, said data transmission/reception unit comprising a redirection table which holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the communication partner identification information corresponding to an intercept address designated as a destination address of the data packet upon looking up said redirection table and by rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprising a name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, replaces the IP address of said other node apparatus contained in the name resolution response with the intercept address in the correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and an intercept address that is not used in any other communication session, and transmits the name resolution response to the client node apparatus if said other node apparatus is an encryption communication target node, and an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between a rewrite rule to the communication partner identification information that is not used in any other communication session and the intercept address that is not used in any other communication session if said other node apparatus is the encryption communication target node.

101. (canceled)

102. A name resolution server characterized in that, for a name resolution query to resolve an IP address corresponding to a domain name, whether communication to be executed in a query source of the name resolution query by using a response result to the name resolution query is a target to be encrypted is identified on the basis of the domain name, and if it is determined that the communication is an encryption communication target, a name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name is returned.
- View Dependent Claims (103)
- - 103. A name resolution server according to claim 102, characterized by further comprising a name resolution query/response transmission/reception unit which transmits/receives the name resolution query and the name resolution response as a response to the name resolution query, and a communication method resolution unit which identifies for the name resolution query on the basis of the domain name whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the target to be encrypted, wherein for the name resolution query received by said name resolution query/response transmission/reception unit, said communication method resolution unit identifies on the basis of information contained in one of the name resolution query and the response to the name resolution query whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the encryption communication target, and if it is determined that the communication is the encryption communication target, said name resolution query/response transmission/reception unit returns the name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name.

104. (canceled)

105. (canceled)

106. An encryption communication system characterized by comprising:
- a node apparatus in which an application that communicates with another node apparatus connected to a network operates; and
  
  a name resolution server to cause the application to resolve an IP address of said other node apparatus, said node apparatus comprising a communication encryption module which operates as an independent process, and said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a loopback address serving as an IP address for closed communication in a self node, and a first communication encryption unit which receives a data packet having the loopback address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the loopback address set as the destination address of the data packet, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet.
- View Dependent Claims (108, 109)
- - 108. An encryption communication system according to claim 106, characterized in that said name resolution server comprises a communication method resolution unit which determines on the basis of a domain name contained in one of a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node, and said node apparatus further comprises an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node, and a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmits the name resolution response to the application.
  - 109. An encryption communication system according to claim 106, characterized in that said name resolution server comprises a communication method resolution unit which determines on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node, and said node apparatus further comprises an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node, and a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmits the name resolution response to the application.

107. (canceled)

110. (canceled)

111. (canceled)

112. (canceled)

113. (canceled)

114. (canceled)

115. (canceled)

116. (canceled)

117. (canceled)

118. An encryption communication system characterized by comprising:
- a client node apparatus in which an application that communicates with another node apparatus connected to a network operates;
  
  a communication encryption node apparatus connected to said client node apparatus through the network; and
  
  a name resolution server to cause the application to resolve an IP address of said other node apparatus, said communication encryption node apparatus comprising a communication encryption module which operates as an independent process, and a name resolution proxy unit which relays the name resolution query transmitted from the application to said name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, and said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a first intercept address, and a first communication encryption unit which receives a data packet having the first intercept address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet.
- View Dependent Claims (121)
- - 121. An encryption communication system according to claim 118, characterized in that said name resolution server comprises a communication method resolution unit which determines on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node, and said name resolution proxy unit of said communication encryption node apparatus comprises an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node;
    - and a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, a first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response.

119. (canceled)

120. (canceled)

122. (canceled)

123. (canceled)

124. (canceled)

125. (canceled)

126. (canceled)

127. (canceled)

128. (canceled)

129. (canceled)

130. An encryption communication system characterized by comprising:
- a node apparatus in which an application that communicates with another node apparatus connected to a network operates; and
  
  a name resolution server to cause the application to resolve an IP address of said other node apparatus, said node apparatus comprising a communication encryption module which operates as an independent process, a data transmission/reception unit provided in a kernel unit, and a name resolution proxy unit which relays a name resolution query transmitted from the application to said name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, said data transmission/reception unit comprising a redirection table which holds a correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from the application to said other node apparatus, determines whether the data packet is an encryption target by comparing a destination IP address of the data packet with the IP address of the encryption communication target node registered in said redirection table, and if the data packet is the encryption target, redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the corresponding communication partner identification information on the redirection table and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution server comprising, in addition to a function related to name resolution, a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, and a name resolution response/query transmission/reception unit which adds encryption communication path setting information corresponding to the matched specifying condition to the name resolution response and transmits the name resolution response, and said name resolution proxy unit comprising an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between IP address of the encryption communication target node and a rewrite rule of communication partner identification information that is not used in any other communication session upon receiving the name resolution response added the encryption communication path setting information from said name resolution server, and a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, the IP address of said other node apparatus contained in the name resolution response received from said name resolution server.

131. (canceled)

132. (canceled)

133. (canceled)

134. An encryption communication system characterized by comprising:
- a client node apparatus in which an application that communicates with another node apparatus connected to a network operates;
  
  a communication encryption node apparatus connected to said client node apparatus through the network; and
  
  a name resolution server to cause the application to resolve an IP address of said other node apparatus, said communication encryption node apparatus comprising a communication encryption module which operates as an independent process, a data transmission/reception unit provided in a kernel unit, and a name resolution proxy unit which relays a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, said data transmission/reception unit comprising a redirection table which holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the communication partner identification information corresponding to an intercept address designated as a destination address of the data packet upon looking up said redirection table and by rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, said name resolution server comprising, in addition to a function related to name resolution, a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, and a name resolution response/query transmission/reception unit which adds encryption communication path setting information corresponding to the matched specifying condition to the name resolution response and transmits the name resolution response, and said name resolution proxy unit comprising an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between a rewrite rule of communication partner identification information that is not used in any other communication session and an intercept address that is not used in any other communication session upon receiving the name resolution response added the encryption communication path setting information from said name resolution server, and a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response received from said name resolution server with the intercept address in the correspondence and transmits the name resolution response to said client node apparatus.

135. (canceled)

136. (canceled)

137. (canceled)

138. A program which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates to function as communication encryption means provided in a communication encryption module which operates as an independent process, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, characterized in that said communication encryption means receives a data packet transmitted from the application, in which a loopback address serving as an IP address for closed communication in a self node is set as a destination address, reads out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the loopback address, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet.
- View Dependent Claims (139, 140, 147)
- - 139. A program according to claim 138, characterized in that said name resolution proxy means comprises communication method resolution means for determining on the basis of a domain name contained in one of the name resolution query transmitted from the application to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query whether said other node apparatus is an encryption communication target node, encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node, and name resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmitting the name resolution response to the application.
  - 140. A program according to claim 138, characterized in that said name resolution proxy means comprises communication method resolution means for determining on the basis of the IP address of said other node apparatus whether said other node apparatus is an encryption communication target node, encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node, and name resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmitting the name resolution response to the application.
  - 147. A program according to claim 138, characterized in that said name resolution proxy means comprises name resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node and the IP address of said other node apparatus, replacing the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session, and transmitting the name resolution response to the application if it is determined that said other node apparatus is the encryption communication target node, and encryption communication path setting means for registering, in the first encryption communication path setting table, the correspondence between the IP address of said other node apparatus and the loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node.

141. (canceled)

142. (canceled)

143. (canceled)

144. (canceled)

145. (canceled)

146. (canceled)

148. (canceled)

149. (canceled)

150. (canceled)

151. A program which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates to function as communication encryption means provided in a communication encryption module which operates as an independent process, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, characterized in that said communication encryption means receives a data packet having a first intercept address set as a destination address and transmitted from the application, reads out a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the first intercept address, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet.
- View Dependent Claims (152, 153, 160, 161)
- - 152. A program according to claim 151, characterized in that said name resolution proxy means comprises communication method resolution means for determining on the basis of a domain name contained in the name resolution query transmitted from the application to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query whether said other node apparatus is an encryption communication target node, encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node, and name resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence and transmitting the name resolution response to the application.
  - 153. A program according to claim 151, characterized in that said name resolution proxy means comprises communication method resolution means for determining on the basis of the IP address of said other node apparatus whether said other node apparatus is an encryption communication target node, encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node, and name resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence and transmitting the name resolution response to the application.
  - 160. A program according to claim 151, characterized in that said name resolution proxy means comprises name resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node and the IP address of said other node apparatus, replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session, and transmitting the name resolution response to the application if it is determined that said other node apparatus is the encryption communication target node, and encryption communication path setting means for registering, in the first encryption communication path setting table, the correspondence between the IP address of said other node apparatus and the first intercept address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node.
  - 161. A program according to claim 151, characterized in that said communication encryption means receives the data packet having the first intercept address set as the destination address and transmitted from the application, reads out encryption communication path setting information and a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet from the first encryption communication path setting table that holds the correspondence between a communication partner IP address, a first intercept address, and encryption communication path setting information, encrypts the data packet in which the readout communication partner IP address is set as the destination address of the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy means comprises name resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence between the IP address of said other node apparatus, the encryption communication path setting information, and a first intercept address that is not used in any other communication session, and transmitting the name resolution response to the application if it is determined that said other node apparatus is the encryption communication target node, and encryption communication path setting means for registering, in the first encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the first intercept address that is not used in any other communication session, and the encryption communication path setting information if said other node apparatus is the encryption communication target node.

154. (canceled)

155. (canceled)

156. (canceled)

157. (canceled)

158. (canceled)

159. (canceled)

162. (canceled)

163. (canceled)

164. A program which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates to function as communication encryption means provided in a communication encryption module which operates as an independent process, and a redirection means provided in a data transmission/reception unit of a kernel unit, characterized in that said redirection means intercepts a data packet transmitted from the application to said other node apparatus, determines on the basis of a criterion held in a redirection table that holds the criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrites predetermined information of the data packet in accordance with the rewrite rule and redirects the data packet to the communication encryption module, and said communication encryption means rewrites the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up an encryption communication path setting table that holds a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and an IP address of said other node apparatus of the application, encrypts the data packet in which a destination IP address of said other node apparatus is set, and transmits the data packet to said other node apparatus.

165. (canceled)

166. (canceled)

167. (canceled)

168. (canceled)

169. (canceled)

170. A program which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates to function as communication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, characterized in that said redirection means receives a data packet having an intercept address set as a destination address and transmitted from the application, reads out, from a redirection table that holds a correspondence between an intercept address and a loopback address, a loopback address corresponding to the intercept address set as the destination address of the data packet, and redirects the data packet to the communication encryption module by rewriting the destination address of the data packet to the readout loopback address, and said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, a loopback address, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the loopback address set as the destination address of the data packet redirected from the data transmission/reception unit, encrypts the data packet in which the readout communication partner IP address is set as the destination address of the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet.

171. (canceled)

172. (canceled)

173. A program which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates to function as communication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, characterized in that said redirection means intercepts a data packet transmitted from the application to said other node apparatus, determines whether the data packet is an encryption target by comparing a destination IP address of the intercepted data packet with an IP address of an encryption communication target node held in a redirection table that holds a correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information, and if the data packet is the encryption target, redirects the data packet to the communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of corresponding communication partner identification information on the redirection table and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from the data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy means comprises name resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, and transmitting, to the application as the name resolution response, the IP address of said other node apparatus contained in the name resolution response, and encryption communication path setting means for registering, in the encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the communication partner identification information that is not used in any other communication session, and the encryption communication path setting information, and registering, in the redirection table, the correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information that is not used in any other communication session when said other node apparatus is the encryption communication target node.

174. A program which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates to function as communication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, characterized in that said redirection means intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to the communication encryption module by rewriting communication partner identification information of the data packet in accordance with a rewrite rule of communication partner identification information corresponding to an intercept address designated as a destination address of the data packet while looking up a redirection table that holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from the data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy means comprises name resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, and if said other node apparatus is the encryption communication target node, replacing the IP address of said other node apparatus contained in the name resolution response to the intercept address in a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and an intercept address that is not used in any other communication session, and transmitting the name resolution response to the client node apparatus, and encryption communication path setting means for registering, in the encryption communication path setting table, the correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and the communication partner identification information that is not used in any other communication session, and registering, in the redirection table, the correspondence between a rewrite rule of communication partner identification information that is not used in any other communication session and the intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node.

175. (canceled)

176. (canceled)

177. (canceled)

178. (canceled)

179. (canceled)

180. (canceled)

181. (canceled)

182. A program characterized by causing a computer included in a name resolution server to function as:
- name resolution query/response transmission/reception means for transmitting/receiving a name resolution query to resolve an IP address corresponding to a domain name and a name resolution response as a response to the name resolution query; and
  
  communication method resolution means for identifying for the name resolution query on the basis of the domain name whether communication to be executed in a query source of the name resolution query by using a response result to the name resolution query is a target to be encrypted, for the name resolution query received by said name resolution query/response transmission/reception means, said communication method resolution means identifying on the basis of information contained in one of the name resolution query and the response to the name resolution query whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the encryption communication target, and if it is determined that the communication is the encryption communication target, returning, through said name resolution query/response transmission/reception unit, the name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name.
- View Dependent Claims (183)
- - 183. A name resolution server according to claim 182, characterized in that said communication method resolution means identifies whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the encryption communication target by checking whether the domain name for name resolution matches the domain name set on a database in which at least part of the domain name as the encryption communication target is set.

184. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Iwata, Atsushi, Ishikawa, Yuichi, Fujita, Norihito, Iijima, Akio

Granted Patent

US 8,356,169 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/30
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/59   using proxies for addressing

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

Encryption communication system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

86 Citations

184 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption communication system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

184 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links