Encryption communication system
Abstract
If the communication partner of a client node (A1a) is an encryption communication target node (C1), a DNS Proxy unit (A12a) in the client node rewrites a response to a name resolution request for the communication partner node of an application from the actual IP address of the communication partner node to a loopback address that changes depending on the communication partner. On the basis of the destination loopback address of a data packet transmitted from the application, a communication encryption module (A13a) in the client node identifies the communication partner and the encryption communication path to be used for communication with the communication partner. Hence, encryption communication can simultaneously be executed directly with a plurality of communication partner nodes by using the communication encryption module that operates as an independent process.
86 Citations
184 Claims
- 1. An encryption communication method characterized by comprising:
  - the step a of causing an application to transmit a data packet in which a loopback address serving as an IP address for closed communication in a self node is set as a destination address, the application executing encryption communication with another node apparatus connected to a network; and
  - the step b of causing a communication encryption module operating as an independent process to receive the data packet having the loopback address set as the destination address and transmitted from the application, read out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the loopback address, rewrite the destination address of the data packet to the readout communication partner IP address, and encrypt and transmit the data packet. (Dependent claims: 2, 6, 9, 10, 14)
- 3. (canceled)
- 4. (canceled)
- 5. (canceled)
- 7. (canceled)
- 8. (canceled)
- 11. (canceled)
- 12. (canceled)
- 13. (canceled)
- 15. (canceled)
- 16. (canceled)
- 17. An encryption communication method characterized by comprising:
  - the step a of causing an application on a client node to transmit a data packet in which a first intercept address is set as a destination address, the application executing encryption communication with another node apparatus connected to a network; and
  - the step b of causing a communication encryption module provided in a communication encryption node and operating as an independent process to receive the data packet having the first intercept address set as the destination address and transmitted from the application, read out a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the first intercept address, and encrypt and transmit the data packet in which the readout communication partner IP address is set as the destination address of the data packet. (Dependent claims: 18, 22, 25, 26)
- 19. (canceled)
- 20. (canceled)
- 21. (canceled)
- 23. (canceled)
- 24. (canceled)
- 27. (canceled)
- 28. (canceled)
- 29. (canceled)
- 30. (canceled)
- 31. (canceled)
- 32. (canceled)
- 33. An encryption communication method characterized by comprising:
  - the step a of causing an application to transmit a data packet in which an IP address of another node apparatus is set as a destination address, the application executing encryption communication with said other node apparatus connected to a network;
  - the step b of causing a redirection unit provided in a data transmission/reception unit of a kernel unit to intercept the data packet transmitted from the application to said other node apparatus, look up a redirection table that holds a criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information, determine on the basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrite predetermined information of the data packet in accordance with the rewrite rule and redirect the data packet to a communication encryption module; and
  - the step c of causing the communication encryption module to rewrite the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up an encryption communication path setting table that stores a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and an IP address of another node apparatus of the application, encrypt the data packet in which the destination IP address of said other node apparatus is set, and transmit the data packet to said other node apparatus. (Dependent claims: 34, 39)
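The kernel-side variant of claim 33, as an added example that is not code from the patent or from any product it describes: here the application keeps sending to the partner's real IP address, a redirection unit in the kernel's data transmission/reception unit matches the packet against the redirection table's criterion (destination IP is a registered encryption target) and applies the rewrite rule (destination port replaced by a session-unique identification port, destination address replaced by the address the module listens on), and the communication encryption module maps that identification information back to the partner and encrypts. The packet layout (a dict), the port range from 40000, the addresses, the key and the HMAC-SHA256 counter keystream standing in for the real cipher are all assumptions of this example.

```python
"""Added example, not code from the patent or any product it describes: a
model of the kernel redirection variant (claim 33). Packet layout, ports,
addresses and key are constructed for this example."""
import hashlib
import hmac
import struct

MODULE_ADDR = "127.0.0.1"  # address the communication encryption module listens on


def _encrypt(key, nonce, data):
    """Demo keystream cipher (HMAC-SHA256 in counter mode, 32-byte blocks) standing
    in for the cipher the encryption path settings would select; XOR twice decrypts."""
    ks = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


class RedirectionUnit:
    """Sits in the kernel's data transmission/reception unit. The redirection table
    holds the criterion (destination IP is an encryption target) together with the
    rewrite rule (the identification port assigned to that partner's session)."""

    def __init__(self):
        self.table = {}  # partner IP -> identification port (the rewrite rule)

    def handle(self, pkt):
        """('redirect', rewritten packet) for packets to be encrypted, else ('pass', pkt)."""
        ident_port = self.table.get(pkt["dst_ip"])
        if ident_port is None:
            return "pass", pkt
        # Rewrite predetermined information: keep the original destination port so the
        # module can restore it, then point the packet at the module.
        rewritten = dict(pkt, orig_dst_port=pkt["dst_port"],
                         dst_ip=MODULE_ADDR, dst_port=ident_port)
        return "redirect", rewritten


class EncryptionModule:
    """Independent process. Its encryption communication path setting table maps the
    rewritten identification information (port) back to the partner IP and settings."""

    def __init__(self):
        self.path_table = {}  # identification port -> (partner IP, key)
        self.seq = 0

    def transmit(self, pkt):
        """Restore the partner's address and port, encrypt, and return the outgoing
        packet; None means the packet was dropped (no registered path)."""
        entry = self.path_table.get(pkt["dst_port"])
        if entry is None:
            return None  # never forward an unmatched packet in the clear
        partner_ip, key = entry
        self.seq += 1
        nonce = struct.pack(">Q", self.seq)
        return {"dst_ip": partner_ip, "dst_port": pkt["orig_dst_port"],
                "nonce": nonce, "payload": _encrypt(key, nonce, pkt["payload"])}


class Node:
    """One node apparatus: kernel redirection unit plus user-space encryption module."""

    def __init__(self):
        self.redir = RedirectionUnit()
        self.module = EncryptionModule()
        self._next_port = 40000

    def register_target(self, partner_ip, key):
        """Role of the encryption communication path setting unit: choose identification
        information not used by any other session and install it in both tables."""
        port = self._next_port
        self._next_port += 1
        self.module.path_table[port] = (partner_ip, key)
        self.redir.table[partner_ip] = port
        return port

    def app_send(self, dst_ip, dst_port, payload):
        """Full path: application -> redirection unit -> module, or straight out."""
        pkt = {"dst_ip": dst_ip, "dst_port": dst_port, "payload": payload}
        verdict, pkt = self.redir.handle(pkt)
        if verdict == "pass":
            return "clear", pkt
        out = self.module.transmit(pkt)
        return ("encrypted", out) if out is not None else ("dropped", None)
```

The difference from the loopback-address variant is where the classification happens: the application never sees a substitute address, so the decision to encrypt cannot be bypassed by an application that resolves names on its own, but it now depends on the redirection table being kept in step with the module's path table.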
- 35. (canceled)
- 36. (canceled)
- 37. (canceled)
- 38. (canceled)
- 40. (canceled)
- 41. (canceled)
- 42. (canceled)
- 43. An encryption communication method characterized by comprising:
  - the step a of causing an application on a client node to transmit a data packet in which an intercept address corresponding to an IP address of another node apparatus is set as a destination address, the application executing encryption communication with said other node apparatus connected to a network;
  - the step b of causing a redirection unit provided in a data transmission/reception unit of a kernel unit in a communication encryption node to intercept the data packet transmitted from the application, look up a redirection table that holds a criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information, determine on the basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrite predetermined information of the data packet in accordance with the rewrite rule and redirect the data packet to a communication encryption module provided in the communication encryption node; and
  - the step c of causing the communication encryption module to rewrite the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up an encryption communication path setting table that stores a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and an IP address of another node apparatus of the application, encrypt the data packet in which the destination IP address of said other node apparatus is set, and transmit the data packet to said other node apparatus. (Dependent claims: 44, 49)
- 45. (canceled)
- 46. (canceled)
- 47. (canceled)
- 48. (canceled)
- 50. (canceled)
- 51. (canceled)
- 52. (canceled)
- 53. A node apparatus characterized by comprising:
  - an application that communicates with another node apparatus connected to a network; and
  - a communication encryption module which operates as an independent process, said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a loopback address serving as an IP address for closed communication in a self node, and a first communication encryption unit which receives the data packet having the loopback address set as the destination address and transmitted from said application, reads out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from said first encryption communication path setting table, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet. (Dependent claims: 54, 55, 56, 57, 58, 59, 66, 67, 68)
- 60. (canceled)
- 61. (canceled)
- 62. (canceled)
- 63. (canceled)
- 64. (canceled)
- 65. (canceled)
- 69. (canceled)
- 70. (canceled)
- 71. A node apparatus characterized by comprising:
  - an application that communicates with another node apparatus connected to a network;
  - a communication encryption module which operates as an independent process; and
  - a data transmission/reception unit provided in a kernel unit, said data transmission/reception unit comprising a redirection table which holds a criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from said application to said other node apparatus, determines on the basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrites predetermined information of the data packet in accordance with the rewrite rule and redirects the data packet to said communication encryption module, and said communication encryption module comprising an encryption communication path setting table which holds a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from said data transmission/reception unit and an IP address of said other node apparatus of said application, and a communication encryption unit which rewrites the communication partner identification information of the data packet redirected from said data transmission/reception unit by looking up the encryption communication path setting table, encrypts the data packet in which a destination IP address of said other node apparatus is set, and transmits the data packet to said other node apparatus. (Dependent claims: 72, 73, 77)
- 74. (canceled)
- 75. (canceled)
- 76. (canceled)
- 78. (canceled)
- 79. (canceled)
- 80. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, characterized by comprising:
  - a communication encryption module which operates as an independent process, said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a first intercept address, and a first communication encryption unit which receives a data packet having the first intercept address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet. (Dependent claims: 81, 82, 83, 84, 85, 86)
- 87. (canceled)
- 88. (canceled)
- 89. (canceled)
- 90. (canceled)
- 91. (canceled)
- 92. (canceled)
- 93. (canceled)
- 94. (canceled)
- 95. (canceled)
- 96. (canceled)
- 97. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, characterized by comprising:
  - a communication encryption module which operates as an independent process;
  - a data transmission/reception unit provided in a kernel unit; and
  - a name resolution proxy unit which relays a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, said data transmission/reception unit comprising a redirection table which holds a correspondence between an intercept address and a loopback address serving as an IP address for closed communication in a self node, and a redirection unit which receives a data packet having the intercept address set as a destination address and transmitted from the application, reads out, from said redirection table, a loopback address corresponding to the intercept address set as the destination address of the data packet, and redirects the data packet to said communication encryption module by rewriting the destination address of the data packet to the readout loopback address, said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, a loopback address, and encryption communication path setting information to be used for communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the loopback address set as the destination address of the data packet redirected from said data transmission/reception unit, encrypts the data packet in which the readout communication partner IP address is set as the destination address of the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprising a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched specifying condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session, and registers, in said redirection table, a correspondence between the loopback address in the correspondence and an intercept address that is not used in any other communication session, and a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, an intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response received from the name resolution server. (Dependent claims: 98, 99)
- 100. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, characterized by comprising:
  - a communication encryption module which operates as an independent process;
  - a data transmission/reception unit provided in a kernel unit; and
  - a name resolution proxy unit which relays a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, said data transmission/reception unit comprising a redirection table which holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the communication partner identification information corresponding to an intercept address designated as a destination address of the data packet upon looking up said redirection table and by rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy unit comprising a name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, replaces the IP address of said other node apparatus contained in the name resolution response with the intercept address in the correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and an intercept address that is not used in any other communication session, and transmits the name resolution response to the client node apparatus if said other node apparatus is an encryption communication target node, and an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between a rewrite rule to the communication partner identification information that is not used in any other communication session and the intercept address that is not used in any other communication session if said other node apparatus is the encryption communication target node.
- 101. (canceled)
- 102. A name resolution server characterized in that, for a name resolution query to resolve an IP address corresponding to a domain name, whether communication to be executed in a query source of the name resolution query by using a response result to the name resolution query is a target to be encrypted is identified on the basis of the domain name, and if it is determined that the communication is an encryption communication target, a name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name is returned.
- 104. (canceled)
- 105. (canceled)
- 106. An encryption communication system characterized by comprising:
  - a node apparatus in which an application that communicates with another node apparatus connected to a network operates; and
  - a name resolution server to cause the application to resolve an IP address of said other node apparatus, said node apparatus comprising a communication encryption module which operates as an independent process, and said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a loopback address serving as an IP address for closed communication in a self node, and a first communication encryption unit which receives a data packet having the loopback address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the loopback address set as the destination address of the data packet, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet. (Dependent claims: 108, 109)
- 107. (canceled)
- 110. (canceled)
- 111. (canceled)
- 112. (canceled)
- 113. (canceled)
- 114. (canceled)
- 115. (canceled)
- 116. (canceled)
- 117. (canceled)
- 118. An encryption communication system characterized by comprising:
  - a client node apparatus in which an application that communicates with another node apparatus connected to a network operates;
  - a communication encryption node apparatus connected to said client node apparatus through the network; and
  - a name resolution server to cause the application to resolve an IP address of said other node apparatus, said communication encryption node apparatus comprising a communication encryption module which operates as an independent process, and a name resolution proxy unit which relays the name resolution query transmitted from the application to said name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, and said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a first intercept address, and a first communication encryption unit which receives a data packet having the first intercept address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet. (Dependent claims: 121)
- 119. (canceled)
- 120. (canceled)
- 122. (canceled)
- 123. (canceled)
- 124. (canceled)
- 125. (canceled)
- 126. (canceled)
- 127. (canceled)
- 128. (canceled)
- 129. (canceled)
- 130. An encryption communication system characterized by comprising:
  - a node apparatus in which an application that communicates with another node apparatus connected to a network operates; and
  - a name resolution server to cause the application to resolve an IP address of said other node apparatus, said node apparatus comprising a communication encryption module which operates as an independent process, a data transmission/reception unit provided in a kernel unit, and a name resolution proxy unit which relays a name resolution query transmitted from the application to said name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, said data transmission/reception unit comprising a redirection table which holds a correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from the application to said other node apparatus, determines whether the data packet is an encryption target by comparing a destination IP address of the data packet with the IP address of the encryption communication target node registered in said redirection table, and if the data packet is the encryption target, redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the corresponding communication partner identification information on the redirection table and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution server comprising, in addition to a function related to name resolution, a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, and a name resolution response/query transmission/reception unit which adds encryption communication path setting information corresponding to the matched specifying condition to the name resolution response and transmits the name resolution response, and said name resolution proxy unit comprising an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between the IP address of the encryption communication target node and a rewrite rule of communication partner identification information that is not used in any other communication session upon receiving, from said name resolution server, the name resolution response to which the encryption communication path setting information has been added, and a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, the IP address of said other node apparatus contained in the name resolution response received from said name resolution server.
- 131. (canceled)
- 132. (canceled)
- 133. (canceled)
- 134. An encryption communication system characterized by comprising:
  - a client node apparatus in which an application that communicates with another node apparatus connected to a network operates;
  - a communication encryption node apparatus connected to said client node apparatus through the network; and
  - a name resolution server to cause the application to resolve an IP address of said other node apparatus, said communication encryption node apparatus comprising a communication encryption module which operates as an independent process, a data transmission/reception unit provided in a kernel unit, and a name resolution proxy unit which relays a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, said data transmission/reception unit comprising a redirection table which holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the communication partner identification information corresponding to an intercept address designated as a destination address of the data packet upon looking up said redirection table and by rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, said name resolution server comprising, in addition to a function related to name resolution, a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, and a name resolution response/query transmission/reception unit which adds encryption communication path setting information corresponding to the matched specifying condition to the name resolution response and transmits the name resolution response, and said name resolution proxy unit comprising an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between a rewrite rule of communication partner identification information that is not used in any other communication session and an intercept address that is not used in any other communication session upon receiving, from said name resolution server, the name resolution response to which the encryption communication path setting information has been added, and a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response received from said name resolution server with the intercept address in the correspondence and transmits the name resolution response to said client node apparatus.
135. (canceled)
136. (canceled)
137. (canceled)
138. A program which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates to function as
communication encryption means provided in a communication encryption module which operates as an independent process, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, characterized in that said communication encryption means receives a data packet transmitted from the application, in which a loopback address serving as an IP address for closed communication in a self node is set as a destination address, reads out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the loopback address, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet.
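The client-node arrangement recited in claim 138, as an added worked example in Python (this is not code from the patent or from any implementation of it). A name resolution proxy answers the application with a per-partner loopback address whenever the resolved node is an encryption communication target, registering the loopback/partner correspondence in the first encryption communication path setting table; the communication encryption module then receives packets addressed to those loopback addresses, recovers the partner IP address from the table, rewrites the destination and encrypts. The resolver records, the set of target nodes, the per-partner key derivation and the keystream transform are all constructed stand-ins, not anything the patent specifies; in practice the path setting would carry real IPsec or TLS parameters.

```python
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed sample data (not from the patent): a static stand-in for the
# name resolution server and for the set of encryption communication target nodes.
RESOLVER_RECORDS = {
    "c1.example.test": "198.51.100.10",
    "c2.example.test": "198.51.100.11",
    "plain.example.test": "203.0.113.5",
}
ENCRYPTION_TARGETS = {"198.51.100.10", "198.51.100.11"}


@dataclass(frozen=True)
class Packet:
    dst: str
    payload: bytes


@dataclass(frozen=True)
class PathSetting:
    # Encryption communication path setting information; the fields are assumed.
    path_id: str
    key: bytes


class EncryptionPathSettingTable:
    """First encryption communication path setting table: loopback -> (partner IP, setting)."""

    def __init__(self, pool: str = "127.0.0.0/8") -> None:
        # 127.0.0.1 stays reserved for ordinary local traffic; every other
        # address in the pool may stand for exactly one communication partner.
        self._free = (str(a) for a in ipaddress.ip_network(pool).hosts() if str(a) != "127.0.0.1")
        self._by_loopback: dict[str, tuple[str, PathSetting]] = {}
        self._by_partner: dict[str, str] = {}

    def register(self, partner_ip: str, setting: PathSetting) -> str:
        """Bind partner_ip to a loopback address that no other session is using."""
        if partner_ip in self._by_partner:
            return self._by_partner[partner_ip]
        loopback = next(self._free)
        self._by_loopback[loopback] = (partner_ip, setting)
        self._by_partner[partner_ip] = loopback
        return loopback

    def lookup(self, loopback: str) -> tuple[str, PathSetting] | None:
        return self._by_loopback.get(loopback)


class DnsProxy:
    """Name resolution proxy: answers the application with a loopback address
    when the resolved node is an encryption communication target."""

    def __init__(self, table: EncryptionPathSettingTable) -> None:
        self.table = table

    def resolve(self, name: str) -> str | None:
        real_ip = RESOLVER_RECORDS.get(name)
        if real_ip is None:
            return None
        if real_ip not in ENCRYPTION_TARGETS:
            return real_ip  # not a target: the real address is passed through unchanged
        # Hypothetical per-partner key; the patent has the setting arrive with the response.
        setting = PathSetting(path_id=f"path-{real_ip}", key=hashlib.sha256(real_ip.encode()).digest())
        return self.table.register(real_ip, setting)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric transform (assumed, not the patent's cipher): XOR with a
    SHA-256(key || counter) keystream. Applying it twice restores the data."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class CommunicationEncryptionModule:
    """Independent process that receives the packets sent to the loopback addresses."""

    def __init__(self, table: EncryptionPathSettingTable) -> None:
        self.table = table

    def transmit(self, pkt: Packet) -> Packet | None:
        entry = self.table.lookup(pkt.dst)
        if entry is None:
            # A loopback destination with no registered partner is dropped, not
            # forwarded: nothing is known about where it should go or how to protect it.
            return None
        partner_ip, setting = entry
        return Packet(dst=partner_ip, payload=keystream_xor(setting.key, pkt.payload))
```

Resolving the same target twice returns the same loopback address, so one partner occupies one table entry for the life of the session; a packet whose loopback destination has no entry is dropped rather than sent in the clear.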
141. (canceled)
142. (canceled)
143. (canceled)
144. (canceled)
145. (canceled)
146. (canceled)
148. (canceled)
149. (canceled)
150. (canceled)
151. A program which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates to function as
communication encryption means provided in a communication encryption module which operates as an independent process, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, characterized in that said communication encryption means receives a data packet having a first intercept address set as a destination address and transmitted from the application, reads out a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the first intercept address, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet.
154. (canceled)
155. (canceled)
156. (canceled)
157. (canceled)
158. (canceled)
159. (canceled)
162. (canceled)
163. (canceled)
164. A program which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates to function as
communication encryption means provided in a communication encryption module which operates as an independent process, and a redirection means provided in a data transmission/reception unit of a kernel unit, characterized in that said redirection means intercepts a data packet transmitted from the application to said other node apparatus, determines on the basis of a criterion held in a redirection table that holds the criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrites predetermined information of the data packet in accordance with the rewrite rule and redirects the data packet to the communication encryption module, and said communication encryption means rewrites the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up an encryption communication path setting table that holds a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and an IP address of said other node apparatus of the application, encrypts the data packet in which a destination IP address of said other node apparatus is set, and transmits the data packet to said other node apparatus.
165. (canceled)
166. (canceled)
167. (canceled)
168. (canceled)
169. (canceled)
170. A program which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates to function as
communication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, characterized in that said redirection means receives a data packet having an intercept address set as a destination address and transmitted from the application, reads out, from a redirection table that holds a correspondence between an intercept address and a loopback address, a loopback address corresponding to the intercept address set as the destination address of the data packet, and redirects the data packet to the communication encryption module by rewriting the destination address of the data packet to the readout loopback address, and said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, a loopback address, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the loopback address set as the destination address of the data packet redirected from the data transmission/reception unit, encrypts the data packet in which the readout communication partner IP address is set as the destination address of the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet.
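The two-stage lookup recited in claim 170 for a communication encryption node apparatus placed between the client and the network, as an added worked example in Python (not code from the patent or any implementation of it). The name resolution proxy on that node hands the client an intercept address; the kernel-side redirection table maps intercept address to loopback address, and the module's encryption communication path setting table maps loopback address to partner IP address and path setting information. The intercept and loopback pools, the resolver records and the repeating-key XOR standing in for the path cipher are constructed assumptions.

```python
from __future__ import annotations

import ipaddress
import itertools
from dataclasses import dataclass

# Constructed sample data (not from the patent): resolved IP and, for encryption
# communication target nodes, the path setting information returned with it.
RESOLVER_RECORDS = {
    "c1.example.test": ("198.51.100.10", "path-c1"),
    "plain.example.test": ("203.0.113.5", None),
}


@dataclass(frozen=True)
class Packet:
    dst: str
    payload: bytes


class RedirectionTable:
    """Kernel-side redirection table: intercept address -> loopback address."""

    def __init__(self, intercept_pool: str = "10.255.0.0/24", loopback_pool: str = "127.0.0.0/8") -> None:
        # Both pools are assumptions; the claim only requires addresses not used in any other session.
        self._free_intercept = (str(a) for a in ipaddress.ip_network(intercept_pool).hosts())
        self._free_loopback = (str(a) for a in ipaddress.ip_network(loopback_pool).hosts() if str(a) != "127.0.0.1")
        self._map: dict[str, str] = {}

    def allocate(self) -> tuple[str, str]:
        intercept, loopback = next(self._free_intercept), next(self._free_loopback)
        self._map[intercept] = loopback
        return intercept, loopback

    def redirect(self, pkt: Packet) -> Packet | None:
        """Return the packet rewritten to its loopback address, or None if pkt.dst is not intercepted."""
        loopback = self._map.get(pkt.dst)
        return None if loopback is None else Packet(dst=loopback, payload=pkt.payload)


class EncryptionPathSettingTable:
    """Module-side table: loopback address -> (partner IP, path setting information)."""

    def __init__(self) -> None:
        self._map: dict[str, tuple[str, str]] = {}

    def register(self, loopback: str, partner_ip: str, path_setting: str) -> None:
        self._map[loopback] = (partner_ip, path_setting)

    def lookup(self, loopback: str) -> tuple[str, str] | None:
        return self._map.get(loopback)


class GatewayNameResolutionProxy:
    """Registers both tables when a target is resolved and answers the client with the intercept address."""

    def __init__(self, redirection: RedirectionTable, paths: EncryptionPathSettingTable) -> None:
        self.redirection, self.paths = redirection, paths
        self._by_partner: dict[str, str] = {}

    def resolve(self, name: str) -> str | None:
        record = RESOLVER_RECORDS.get(name)
        if record is None:
            return None
        partner_ip, path_setting = record
        if path_setting is None:
            return partner_ip  # not a target: the real address goes back to the client
        if partner_ip not in self._by_partner:
            intercept, loopback = self.redirection.allocate()
            self.paths.register(loopback, partner_ip, path_setting)
            self._by_partner[partner_ip] = intercept
        return self._by_partner[partner_ip]


class CommunicationEncryptionModule:
    def __init__(self, paths: EncryptionPathSettingTable) -> None:
        self.paths = paths

    def transmit(self, pkt: Packet) -> tuple[str, Packet] | None:
        entry = self.paths.lookup(pkt.dst)
        if entry is None:
            return None  # unregistered loopback destination: drop
        partner_ip, path_setting = entry
        # Stand-in for the path cipher (assumed): repeating-key XOR keyed by the setting id.
        key = path_setting.encode()
        protected = bytes(b ^ k for b, k in zip(pkt.payload, itertools.cycle(key)))
        return path_setting, Packet(dst=partner_ip, payload=protected)


def gateway_send(redirection: RedirectionTable, module: CommunicationEncryptionModule, pkt: Packet):
    """Whole path on the node: kernel redirection first, then the module."""
    redirected = redirection.redirect(pkt)
    if redirected is None:
        return "forwarded", pkt  # not an intercept address: ordinary routing, untouched
    result = module.transmit(redirected)
    if result is None:
        return "dropped", None
    return "encrypted", result[1]
```

Packets to non-intercept addresses bypass the module entirely, which is what keeps the independent process from becoming a bottleneck for traffic that was never marked for encryption.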
171. (canceled)
172. (canceled)
173. A program which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates to function as
communication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, characterized in that said redirection means intercepts a data packet transmitted from the application to said other node apparatus, determines whether the data packet is an encryption target by comparing a destination IP address of the intercepted data packet with an IP address of an encryption communication target node held in a redirection table that holds a correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information, and if the data packet is the encryption target, redirects the data packet to the communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of corresponding communication partner identification information on the redirection table and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from the data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy means comprises name resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, and transmitting, to the application as the name resolution response, the IP address of said other node apparatus contained in the name resolution response, and encryption communication path setting means for registering, in the encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the communication partner identification information that is not used in any other communication session, and the encryption communication path setting information, and registering, in the redirection table, the correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information that is not used in any other communication session when said other node apparatus is the encryption communication target node.
174. A program which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates to function as
communication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, characterized in that said redirection means intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to the communication encryption module by rewriting communication partner identification information of the data packet in accordance with a rewrite rule of communication partner identification information corresponding to an intercept address designated as a destination address of the data packet while looking up a redirection table that holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from the data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy means comprises name resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, and if said other node apparatus is the encryption communication target node, replacing the IP address of said other node apparatus contained in the name resolution response with the intercept address in a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and an intercept address that is not used in any other communication session, and transmitting the name resolution response to the client node apparatus, and encryption communication path setting means for registering, in the encryption communication path setting table, the correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and the communication partner identification information that is not used in any other communication session, and registering, in the redirection table, the correspondence between a rewrite rule of communication partner identification information that is not used in any other communication session and the intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node.
175. (canceled)
176. (canceled)
177. (canceled)
178. (canceled)
179. (canceled)
180. (canceled)
181. (canceled)
182. A program characterized by causing a computer included in a name resolution server to function as:
name resolution query/response transmission/reception means for transmitting/receiving a name resolution query to resolve an IP address corresponding to a domain name and a name resolution response as a response to the name resolution query; and
communication method resolution means for identifying for the name resolution query on the basis of the domain name whether communication to be executed in a query source of the name resolution query by using a response result to the name resolution query is a target to be encrypted, for the name resolution query received by said name resolution query/response transmission/reception means, said communication method resolution means identifying on the basis of information contained in one of the name resolution query and the response to the name resolution query whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the encryption communication target, and if it is determined that the communication is the encryption communication target, returning, through said name resolution query/response transmission/reception unit, the name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name.
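The server-side decision recited in claim 182, as an added worked example in Python (not code from the patent or any implementation of it). The setting table holds specifying conditions paired with encryption communication path setting information; one condition kind is evaluated on the query (domain suffix), the other on the response (resolved IP prefix), and when either matches the response carries the path setting information alongside the IP address. The zone data, the condition kinds, the matching order (first match wins) and the protocol/profile strings are constructed assumptions.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed zone data (not from the patent).
ZONE = {
    "www.secure.example.test": "198.51.100.10",
    "db.example.test": "192.0.2.20",
    "plain.example.test": "203.0.113.5",
}


@dataclass(frozen=True)
class PathSettingInfo:
    """Encryption communication path setting information returned with the response (assumed fields)."""
    protocol: str
    profile: str


@dataclass(frozen=True)
class DomainSuffix:
    """Specifying condition evaluated on the query: the queried name ends with the suffix."""
    suffix: str

    def matches(self, name: str, ip: str) -> bool:
        return name == self.suffix.lstrip(".") or name.endswith(self.suffix)


@dataclass(frozen=True)
class IpPrefix:
    """Specifying condition evaluated on the response: the resolved IP lies in the prefix."""
    prefix: str

    def matches(self, name: str, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.prefix)


# Setting table: specifying condition -> path setting information (constructed entries).
SETTING_TABLE = [
    (DomainSuffix(".secure.example.test"), PathSettingInfo("ipsec", "esp-aes-gcm")),
    (IpPrefix("192.0.2.0/24"), PathSettingInfo("ssl", "tls1.3")),
]


def resolve_communication_method(name: str, ip: str) -> PathSettingInfo | None:
    """Communication method resolution: path setting of the first matching condition, else None."""
    for condition, setting in SETTING_TABLE:
        if condition.matches(name, ip):
            return setting
    return None


def handle_query(name: str) -> dict | None:
    """Build the name resolution response, adding path setting information for encryption targets."""
    ip = ZONE.get(name)
    if ip is None:
        return None  # name does not exist: nothing to decide, no setting information leaks
    response = {"name": name, "ip": ip}
    setting = resolve_communication_method(name, ip)
    if setting is not None:
        response["path_setting"] = setting
    return response
```

A query source that is not an encryption target receives an ordinary response with only the IP address, so the presence of path setting information in the response is itself the determination result the proxy acts on.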
184. (canceled)
Specification