Encryption communication system, apparatus and method for allowing direct encryption communication with a plurality of nodes

US 8,356,169 B2
Filed: 01/12/2005
Issued: 01/15/2013
Est. Priority Date: 01/14/2004
Status: Active Grant

First Claim

Patent Images

1. An encryption communication method in which an application in a node apparatus communicates with another node apparatus in a network, the method comprising:

determining, by a processor, on a basis of a domain name contained in one of a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, whether said other node apparatus is an encryption communication target node;

registering, in a first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node;

replacing the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmit the name resolution response to the application;

transmitting by the application a data packet in which the loopback address serving as an IP address for closed communication in a self node is set as a destination address; and

;

receiving, by a communication encryption module operating as an independent process, the data packet having the loopback address set as the destination address and transmitted from the application, read out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from the first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the loopback address, rewrite the destination address of the data packet to the readout communication partner IP address, and encrypt and transmit the data packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

If the communication partner of a client node (A1a) is an encryption communication target node (C1), a DNS Proxy unit (A12a) in the client node rewrites a response to a name resolution request for the communication partner node of an application from the actual IP address of the communication partner node to a loopback address that changes depending on the communication partner. On the basis of the destination loopback address of a data packet transmitted from the application, a communication encryption module (A13a) in the client node identifies the communication partner and the encryption communication path to be used for communication with the communication partner. Hence, encryption communication can simultaneously be executed directly with a plurality of communication partner nodes by using the communication encryption module that operates as an independent process.

Citations

53 Claims

1. An encryption communication method in which an application in a node apparatus communicates with another node apparatus in a network, the method comprising:
- determining, by a processor, on a basis of a domain name contained in one of a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, whether said other node apparatus is an encryption communication target node;
  
  registering, in a first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node;
  
  replacing the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmit the name resolution response to the application;
  
  transmitting by the application a data packet in which the loopback address serving as an IP address for closed communication in a self node is set as a destination address; and
  
  ;
  
  receiving, by a communication encryption module operating as an independent process, the data packet having the loopback address set as the destination address and transmitted from the application, read out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from the first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the loopback address, rewrite the destination address of the data packet to the readout communication partner IP address, and encrypt and transmit the data packet.
- View Dependent Claims (2, 3, 4)
- - 2. An encryption communication method according to claim 1, further comprising:
    - determining on a basis of the IP address of said other node apparatus whether said other node apparatus is an encryption communication target node.
  - 3. An encryption communication method according to claim 1, further comprising:
    - transmitting, by the application, a data packet in which the IP address of said other node apparatus is set as the destination address; and
      
      receiving, by a data transmission/reception unit provided in a kernel unit, the data packet having the IP address of said other node apparatus set as the destination address and transmitted from the application and, if the communication partner IP address set as the destination address of the data packet is registered in a second encryption communication path setting table that holds a communication partner IP address, encrypt and transmit the data packet.
  - 4. An encryption communication method according to claim 3, further comprising:
    - if said other node apparatus is the encryption communication target node, determining which of the communication encryption module and the data transmission/reception unit should encrypt communication;
      
      registering, in the first encryption communication path setting table, the correspondence between the IP address of said other node apparatus and the loopback address that is not used in any other communication session if it is determined that the communication encryption module should encrypt communication, andregistering, in the second encryption communication path setting table, the IP address of said other node apparatus contained in the name resolution response if it is determined that the data transmission/reception unit should encrypt communication; and
      
      replacing the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmit the name resolution response to the application if it is determined that the communication encryption module should encrypt communication, andtransmitting the name resolution response containing the IP address of said other node apparatus to the application, if it is determined that the data transmission/reception unit should encrypt communication.

5. An encryption communication method characterized by comprising:
- determining, by a processor, on a basis of a domain name contained in one of a name resolution query transmitted from an application on a client node apparatus to resolve an IP address of another node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
  
  registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node;
  
  transmitting, to the application as the name resolution response, the first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response;
  
  transmitting, by the application on the client node apparatus, a data packet in which the first intercept address is set as a destination address, the application executing encryption communication with said other node apparatus connected to a network; and
  
  receiving, by a communication encryption module provided in a communication encryption node and operating as an independent process, the data packet having the first intercept address set as the destination address and transmitted from the application, reading out a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet from the first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the first intercept address, and encrypting and transmitting the data packet in which the readout communication partner IP address is set as the destination address of the data packet.
- View Dependent Claims (6, 7, 8)
- - 6. An encryption communication method according to claim 5, further comprising:
    - determining on a basis of an IP address of said other node apparatus whether said other node apparatus is the encryption communication target node.
  - 7. An encryption communication method according to claim 5, further comprising:
    - transmitting, by the application, a data packet in which a second intercept address is set as the destination address; and
      
      receiving, by a data transmission/reception unit provided in a kernel unit of the communication encryption node, the data packet having the second intercept address set as the destination address and transmitted from the application and, read out the communication partner IP address corresponding to the second intercept address set as the destination address of the data packet from a second encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the second intercept address, and encrypt and transmit the data packet in which the readout communication partner IP address is set as the destination address of the data packet.
  - 8. An encryption communication method according to claim 7, further comprising:
    - if the another node apparatus is the encryption communication target node, determining which of the communication encryption module and the data transmission/reception unit should encrypt communication;
      
      registering, in the first encryption communication path setting table, the correspondence between the IP address of said other node apparatus and the first intercept address that is not used in any other communication session if it is determined that communication encryption module should encrypt communication, andregistering, in the second encryption communication path setting table, the correspondence between the IP address of said other node apparatus and the second intercept address that is not used in any other communication session if it is determined that the data transmission/reception unit should encrypt communication; and
      
      replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence and transmit the name resolution response to the application if it is determined that the communication encryption module should encrypt communication, andreplacing the IP address of said other node apparatus contained in the name resolution response with the second intercept address in the correspondence, and transmit the name resolution response to the application if it is determined that the data transmission/reception unit should encrypt communication.

9. An encryption communication method comprising:
- determining, by a processor, on a basis of a domain name contained in one of a name resolution query transmitted from an application on a client node apparatus to resolve an IP address of another node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
  
  registering, in a redirection table, a criterion to determine a data packet to be encrypted and a rewrite rule of a communication partner identification information and registering, in an encryption communication path setting table, a correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of the application when said other node apparatus is the encryption communication target node,transmitting, by the application a data packet in which the IP address of said other node apparatus is set as a destination address, the application executing encryption communication with said other node apparatus connected to a network;
  
  intercepting, by a redirection unit provided in a data transmission/reception unit of a kernel unit, the data packet transmitted from the application to said other node apparatus, looking up the redirection table that holds the criterion to determine a data packet to be encrypted and the rewrite rule of communication partner identification information, determining on a basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewriting predetermined information of the data packet in accordance with the rewrite rule and redirecting the data packet to a communication encryption module; and
  
  rewriting the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up the encryption communication path setting table that stores the correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and the IP address of said other node apparatus of the application, encrypting the data packet in which the destination IP address of said other node apparatus is set, and transmitting the data packet to said other node apparatus.
- View Dependent Claims (10)
- - 10. An encryption communication method according to claim 9, further comprising:
    - determining on a basis of the IP address of said other node apparatus whether said other node apparatus is an encryption communication target node.

11. An encryption communication method characterized by comprising:
- determining, on a basis of a domain name contained in one of a name resolution query transmitted from an application on a client node apparatus to resolve an IP address of another node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node; and
  
  registering, in the redirection table, a criterion to determine a data packet to be encrypted and a rewrite rule of a communication partner identification information, and registering, in an encryption communication path setting table, a correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of the application when said other node apparatus is the encryption communication target node;
  
  transmitting, by the application, the data packet in which an intercept address corresponding to an IP address of said other node apparatus is set as a destination address, the application executing encryption communication with said other node apparatus connected to a network;
  
  intercepting, by a redirection unit provided in a data transmission/reception unit of a kernel unit in a communication encryption node, the data packet transmitted from the application, looking up a redirection table that holds the criterion to determine a data packet to be encrypted and the rewrite rule of communication partner identification information, determining on the basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewriting predetermined information of the data packet in accordance with the rewrite rule and redirecting the data packet to a communication encryption module provided in the communication encryption node; and
  
  rewriting the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up the encryption communication path setting table that stores the correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and the IP address of said other node apparatus of the application, encrypting the data packet in which the destination IP address of said other node apparatus is set, and transmitting the data packet to said other node apparatus.
- View Dependent Claims (12)
- - 12. An encryption communication method according to claim 11, further comprising:
    - determining on a basis of the IP address of said other node apparatus whether said other node apparatus is an encryption communication target node.

13. A node apparatus characterized by comprising:
- an application that communicates with another node apparatus connected to a network; and
  
  a communication encryption module which operates as an independent process,said communication encryption module comprisinga first encryption communication path setting table which holds a correspondence between a communication partner IP address and a loopback address serving as an IP address for closed communication in a self node,a first communication encryption unit which receives the data packet having the loopback address set as the destination address and transmitted from said application, reads out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from said first encryption communication path setting table, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet;
  
  a communication method resolution unit which determines on the basis of a domain name contained in one of a name resolution query transmitted from said application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
  
  an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
  
  a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmits the name resolution response to said application.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. A node apparatus according to claim 13, wherein said first encryption communication path setting table holds a plurality of correspondences between the communication partner IP address and the loopback address.
  - 15. A node apparatus according to claim 14, whereinthe communication method resolution unit determines on a basis of the IP address of said other node apparatus whether said other node apparatus is an encryption communication target node.
  - 16. A node apparatus according to claim 13, comprising:
    - a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query,wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the loopback address,said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the loopback address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy unit comprisesa setting table which holds a correspondence between a domain name condition to specify an encryption communication target node and encryption communication path setting information,the communication method resolution unit which determines whether a domain name of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of domain name conditions held in said setting table,the encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched domain name condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session, andthe name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response received from the name resolution server with the loopback address in the correspondence and transmits the name resolution response to said application.
  - 17. A node apparatus according to claim 13, further comprising:
    - a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query,wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the loopback address,said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the loopback address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy unit comprisesa setting table which holds a correspondence between an IP address condition to specify an encryption communication target node and encryption communication path setting information,the communication method resolution unit which determines whether the IP address of said other node apparatus contained in the name resolution response matches any one of IP address conditions held in said setting table,the encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched IP address condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session, andthe name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response received from the name resolution server with the loopback address in the correspondence and transmits the name resolution response to said application.
  - 18. A node apparatus according to claim 13, further comprising a data transmission/reception unit provided in a kernel unit,said data transmission/reception unit comprising:
    - a second encryption communication path setting table which holds a communication partner IP address, anda second communication encryption unit which receives the data packet transmitted from said application and encrypts and transmits the data packet when a communication partner IP address set as the destination address of the data packet is registered in said second encryption communication path setting table.
  - 19. A node apparatus according to claim 13, further comprising:
    - a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query,wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the loopback address,said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the loopback address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy unit comprisesthe name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from said application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session, and transmits the name resolution response to said application if it is determined that said other node apparatus is the encryption communication target node, andthe encryption communication path setting unit which registers, in said first encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the encryption communication path setting information, and the loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node.
  - 20. A node apparatus according to claim 14, further comprising:
    - a data transmission/reception unit provided in a kernel unit; and
      
      a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query,said data transmission/reception unit comprisinga second encryption communication path setting table which holds a communication partner IP address, anda communication encryption unit which receives the data packet transmitted from said application and encrypts and transmits the data packet when a communication partner IP address set as the destination address of the data packet is registered in said second encryption communication path setting table, andsaid name resolution proxy unit comprisinga name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from said application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing the IP address of said other node apparatus and a determination result indicating whether said other node apparatus is an encryption communication target node, and if said other node apparatus is the encryption communication target node, which of said communication encryption module and said data transmission/reception unit should encrypt communication, replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session, and transmits the name resolution response to said application if it is determined that said other node apparatus is the encryption communication target node, and said communication encryption module should encrypt communication, andan encryption communication path setting unit which registers, in said first encryption communication path setting table, the correspondence between the IP address of said other node apparatus and the loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node, and said communication encryption module should encrypt communication, and registers, in said second encryption communication path setting table, the IP address of said other node apparatus contained in the name resolution response if it is determined that said other node apparatus is the encryption communication target node, and said data transmission/reception unit should encrypt communication.
  - 21. A node apparatus according to claim 13, further comprising:
    - a data transmission/reception unit provided in a kernel unit; and
      
      a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query,wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the loopback address,said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the loopback address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet,said data transmission/reception unit comprisesa second encryption communication path setting table which holds a correspondence between a communication partner IP address and encryption communication path setting information, anda second communication encryption unit which receives the data packet transmitted from said application, when a communication partner IP address set as the destination address of the data packet is registered in said second encryption communication path setting table, reads out corresponding encryption communication path setting information from said second encryption communication path setting table, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy unit comprisesthe name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from said application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing encryption communication path setting information, the IP address of said other node apparatus, and a determination result indicating whether said other node apparatus is an encryption communication target node, and if said other node apparatus is the encryption communication target node, which of said communication encryption module and said data transmission/reception unit should encrypt communication, replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session, and transmits the name resolution response to said application if it is determined that said other node apparatus is the encryption communication target node, and said communication encryption module should encrypt communication, andan encryption communication path setting unit which registers, in said first encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the loopback address that is not used in any other communication session, and the encryption communication path setting information if it is determined that said other node apparatus is the encryption communication target node, and said communication encryption module should encrypt communication, and registers, in said second encryption communication path setting table, the correspondence between the IP address of said other node apparatus contained in the name resolution response and the encryption communication path setting information if it is determined that said other node apparatus is the encryption communication target node, and said data transmission/reception unit should encrypt communication.

22. A node apparatus comprising:
- an application that communicates with another node apparatus connected to a network;
  
  a communication encryption module which operates as an independent process; and
  
  a data transmission/reception unit provided in a kernel unit,said data transmission/reception unit comprisinga redirection table which holds a criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information, anda redirection unit which intercepts a data packet transmitted from said application to said other node apparatus, determines on the basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrites predetermined information of the data packet in accordance with the rewrite rule and redirects the data packet to said communication encryption module, andsaid communication encryption module comprisingan encryption communication path setting table which holds a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from said data transmission/reception unit and an IP address of said other node apparatus of said application;
  
  a communication encryption unit which rewrites the communication partner identification information of the data packet redirected from said data transmission/reception unit by looking up the encryption communication path setting table, encrypts the data packet in which a destination IP address of said other node apparatus is set, and transmits the data packet to said other node apparatus;
  
  a communication method resolution unit which determines on the basis of a domain name contained in one of a name resolution query transmitted from said application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node; and
  
  an encryption communication path setting unit which registers, in said redirection table, the criterion to determine the data packet to be encrypted and the rewrite rule of the communication partner identification information, and registers, in said encryption communication path setting table, a correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of said application when said other node apparatus is the encryption communication target node.
- View Dependent Claims (23, 24)
- - 23. A node apparatus according to claim 22, whereinsaid redirection table holds a correspondence between an IP address of an encryption communication target node and a loopback address serving as an IP address for closed communication in a self node,said redirection unit redirects the data packet to said communication encryption module when a loopback address corresponding to an IP address set as a destination address of the intercepted data packet is held in said redirection table by rewriting the destination address of the data packet to the corresponding loopback address,said encryption communication path setting table holds a correspondence between a communication partner IP address, a loopback address, and encryption communication path setting information to be used for communication with a communication partner, andsaid communication encryption unit reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the loopback address set as the destination address of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet.
  - 24. A node apparatus according to claim 22, further comprising a name resolution proxy unit which relays the name resolution query transmitted from said application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query,wherein said redirection table holds a correspondence between an IP address of an encryption communication target node and the rewrite rule of the communication partner identification information,said redirection unit determines whether the data packet is an encryption target by comparing a destination IP address of the intercepted data packet with the IP address of the encryption communication target node held in said redirection table, and if the data packet is the encryption target, redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of corresponding communication partner identification information on said redirection table and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node,said encryption communication path setting table holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, andsaid communication encryption unit reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy unit comprisesa name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from said application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, and transmits the IP address of said other node apparatus contained in the name resolution response to said application as the name resolution response, andthe encryption communication path setting unit which registers, in said encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the communication partner identification information that is not used in any other communication session, and the encryption communication path setting information, and registers, in said redirection table, the correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information that is not used in any other communication session when said other node apparatus is the encryption communication target node.

25. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, comprising:
- a communication encryption module which operates as an independent process,said communication encryption module comprisinga first encryption communication path setting table which holds a correspondence between a communication partner IP address and a first intercept address, anda first communication encryption unit which receives a data packet having the first intercept address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet;
  
  a communication method resolution unit which determines on the basis of a domain name contained in a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
  
  an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
  
  a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, the first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. A communication encryption node apparatus according to claim 25, wherein said first encryption communication path setting table holds a plurality of correspondences between the communication partner IP address and the first intercept address.
  - 27. A communication encryption node apparatus according to claim 26, wherein:
    - the communication method resolution unit further determines on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node.
  - 28. A communication encryption node apparatus according to claim 25, further comprising a name resolution proxy unit which relays the name resolution query transmitted from the application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query,wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the first intercept address,said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the first intercept address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy unit comprisesa setting table which holds a correspondence between a domain name condition to specify an encryption communication target node and encryption communication path setting information,the communication method resolution unit which further determines whether a domain name of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of domain name conditions held in said setting table,the encryption communication path setting unit which further registers, in said first encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched domain name condition, the IP address of said other node apparatus resolved by the name resolution response, and a first intercept address that is not used in any other communication session, andthe name resolution query/response transmission/reception unit which further transmits, to the application as the name resolution response, a first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response received from the name resolution server.
  - 29. A communication encryption node apparatus according to claim 25, further comprising:
    - a name resolution proxy unit which relays the name resolution query transmitted from the application to a name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query,wherein said first encryption communication path setting table holds encryption communication path setting information to be used for communication with a communication partner in correspondence with the communication partner IP address and the first intercept address,said first communication encryption unit reads out, from said first encryption communication path setting table, encryption communication path setting information corresponding to the first intercept address set as the destination address of the received data packet, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy unit comprisesa setting table which holds a correspondence between an IP address condition to specify an encryption communication target node and encryption communication path setting information,the communication method resolution unit which further determines whether an IP address of said other node apparatus contained in the name resolution response matches any one of IP address conditions held in said setting table,the encryption communication path setting unit which further registers, in said first encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched IP address condition, the IP address of said other node apparatus resolved by the name resolution response, and a first intercept address that is not used in any other communication session, andthe name resolution query/response transmission/reception unit which further transmits, to the application as the name resolution response, a first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response received from the name resolution server.
  - 30. A communication encryption node apparatus according to claim 25, further comprising:
    - a data transmission/reception unit provided in a kernel unit,said data transmission/reception unit comprising;
      
      a second encryption communication path setting table which holds a correspondence between a communication partner IP address and a second intercept address, anda communication encryption unit which receives the data packet having a second intercept address set as a destination address and transmitted from the application, reads out, from said second encryption communication path setting table, a communication partner IP address corresponding to the second intercept address set as the destination address of the data packet, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet.

31. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, comprising:
- a communication encryption module which operates as an independent process;
  
  a data transmission/reception unit provided in a kernel unit; and
  
  a name resolution proxy unit which relays a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query,said data transmission/reception unit comprisinga redirection table which holds a correspondence between an intercept address and a loopback address serving as an IP address for closed communication in a self node, anda redirection unit which receives a data packet having the intercept address set as a destination address and transmitted from the application, reads out, from said redirection table, a loopback address corresponding to the intercept address set as the destination address of the data packet, and redirects the data packet to said communication encryption module by rewriting the destination address of the data packet to the readout loopback address,said communication encryption module comprisingan encryption communication path setting table which holds a correspondence between a communication partner IP address, a loopback address, and encryption communication path setting information to be used for communication with a communication partner, anda communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the loopback address set as the destination address of the data packet redirected from said data transmission/reception unit, encrypts the data packet in which the readout communication partner IP address is set as the destination address of the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy unit comprisinga setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information,a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table,an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched specifying condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session, and registers, in said redirection table, a correspondence between the loopback address in the correspondence and an intercept address that is not used in any other communication session, anda name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, an intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response received from the name resolution server.
- View Dependent Claims (32, 33)
- - 32. A communication encryption node apparatus according to claim 31, whereinsaid setting table holds a domain name condition as the specifying condition,said communication method resolution unit determines whether a domain name of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of domain name conditions held in said setting table, andsaid encryption communication path setting unit registers, in said encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched domain name condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session.
  - 33. A communication encryption node apparatus according to claim 31, whereinsaid setting table holds an IP address condition as the specifying condition,said communication method resolution unit determines whether an IP address of said other node apparatus contained in the name resolution response matches any one of IP address conditions held in said setting table, andsaid encryption communication path setting unit registers, in said encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched IP address condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session.

34. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, comprising:
- a communication encryption module which operates as an independent process;
  
  a data transmission/reception unit provided in a kernel unit; and
  
  a name resolution proxy unit which relays a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query,said data transmission/reception unit comprisinga redirection table which holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, anda redirection unit which intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the communication partner identification information corresponding to an intercept address designated as a destination address of the data packet upon looking up said redirection table and by rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node,said communication encryption module comprisingan encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, anda communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy unit comprisinga name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, replaces the IP address of said other node apparatus contained in the name resolution response with the intercept address in the correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and an intercept address that is not used in any other communication session, and transmits the name resolution response to the client node apparatus if said other node apparatus is an encryption communication target node, andan encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between a rewrite rule to the communication partner identification information that is not used in any other communication session and the intercept address that is not used in any other communication session if said other node apparatus is the encryption communication target node.

35. A name resolution server, for a name resolution query to resolve an IP address corresponding to a domain name, whether communication to be executed in a query source of the name resolution query by using a response result to the name resolution query is a target to be encrypted is identified on a basis of the domain name, and if it is determined that the communication is an encryption communication target, a name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name is returned,wherein the name resolution server comprises:
- a name resolution query/response transmission/reception unit which transmits/receives the name resolution query and the name resolution response as a response to the name resolution query, anda communication method resolution unit which identifies for the name resolution query on the basis of the domain name whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the target to be encrypted,wherein for the name resolution query received by said name resolution query/response transmission/reception unit, said communication method resolution unit identifies on the basis of information contained in one of the name resolution query and the response to the name resolution query whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the encryption communication target, and if it is determined that the communication is the encryption communication target, said name resolution query/response transmission/reception unit returns the name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name.

36. An encryption communication system comprising:
- a node apparatus in which an application that communicates with another node apparatus connected to a network operates; and
  
  a name resolution server to cause the application to resolve an IP address of said other node apparatus,said node apparatus comprising a communication encryption module which operates as an independent process, andsaid communication encryption module comprisinga first encryption communication path setting table which holds a correspondence between a communication partner IP address and a loopback address serving as an IP address for closed communication in a self node, anda first communication encryption unit which receives a data packet having the loopback address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the loopback address set as the destination address of the data packet, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet,wherein said name resolution server comprises a communication method resolution unit which determines on the basis of a domain name contained in one of a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node, andsaid node apparatus further comprisesan encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said another other node apparatus and a loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node, anda name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmits the name resolution response to the application.
- View Dependent Claims (37)
- - 37. An encryption communication system according to claim 36, whereinsaid name resolution server comprises a communication method resolution unit which determines on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node.

38. An encryption communication system characterized by comprising:
- a client node apparatus in which an application that communicates with another node apparatus connected to a network operates;
  
  a communication encryption node apparatus connected to said client node apparatus through the network; and
  
  a name resolution server to cause the application to resolve an IP address of said other node apparatus,said communication encryption node apparatus comprisinga communication encryption module which operates as an independent process, anda name resolution proxy unit which relays the name resolution query transmitted from the application to said name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, andsaid communication encryption module comprisinga first encryption communication path setting table which holds a correspondence between a communication partner IP address and a first intercept address, anda first communication encryption unit which receives a data packet having the first intercept address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet,wherein said name resolution server comprises a communication method resolution unit which determines on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node, andsaid name resolution proxy unit of said communication encryption node apparatus comprisesan encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
  
  a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, the first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response.

39. An encryption communication system comprising:
- a node apparatus in which an application that communicates with another node apparatus connected to a network operates; and
  
  a name resolution server to cause the application to resolve an IP address of said other node apparatus,said node apparatus comprisinga communication encryption module which operates as an independent process,a data transmission/reception unit provided in a kernel unit, anda name resolution proxy unit which relays a name resolution query transmitted from the application to said name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query,said data transmission/reception unit comprisinga redirection table which holds a correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information, anda redirection unit which intercepts a data packet transmitted from the application to said other node apparatus, determines whether the data packet is an encryption target by comparing a destination IP address of the data packet with the IP address of the encryption communication target node registered in said redirection table, and if the data packet is the encryption target, redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the corresponding communication partner identification information on the redirection table and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node,said communication encryption module comprisingan encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, anda communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution server comprising, in addition to a function related to name resolution,a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information,a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, anda name resolution response/query transmission/reception unit which adds encryption communication path setting information corresponding to the matched specifying condition to the name resolution response and transmits the name resolution response, andsaid name resolution proxy unit comprisingan encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between IP address of the encryption communication target node and a rewrite rule of communication partner identification information that is not used in any other communication session upon receiving the name resolution response added the encryption communication path setting information from said name resolution server, anda name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, the IP address of said other node apparatus contained in the name resolution response received from said name resolution server.

40. An encryption communication system comprising:
- a client node apparatus in which an application that communicates with another node apparatus connected to a network operates;
  
  a communication encryption node apparatus connected to said client node apparatus through the network; and
  
  a name resolution server to cause the application to resolve an IP address of said other node apparatus,said communication encryption node apparatus comprisinga communication encryption module which operates as an independent process,a data transmission/reception unit provided in a kernel unit, anda name resolution proxy unit which relays a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query,said data transmission/reception unit comprisinga redirection table which holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, anda redirection unit which intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the communication partner identification information corresponding to an intercept address designated as a destination address of the data packet upon looking up said redirection table and by rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node,said communication encryption module comprisingan encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, anda communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet,said name resolution server comprising, in addition to a function related to name resolution,a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information,a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, anda name resolution response/query transmission/reception unit which adds encryption communication path setting information corresponding to the matched specifying condition to the name resolution response and transmits the name resolution response, andsaid name resolution proxy unit comprisingan encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between a rewrite rule of communication partner identification information that is not used in any other communication session and an intercept address that is not used in any other communication session upon receiving the name resolution response added the encryption communication path setting information from said name resolution server, anda name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response received from said name resolution server with the intercept address in the correspondence and transmits the name resolution response to said client node apparatus.

41. A non-transitory computer readable storage medium which stores a program, which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates, to function ascommunication encryption means provided in a communication encryption module which operates as an independent process, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, whereinsaid communication encryption means receives a data packet transmitted from the application, in which a loopback address serving as an IP address for closed communication in a self node is set as a destination address, reads out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the loopback address, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packetwherein said name resolution proxy means comprises:
- communication method resolution means for determining on the basis of a domain name contained in one of the name resolution query transmitted from the application to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query whether said other node apparatus is an encryption communication target node,encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node, andname resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmitting the name resolution response to the application.
- View Dependent Claims (42, 43)
- - 42. The computer readable storage medium according to claim 41,wherein the communication method resolution means further determining on the basis of the IP address of said other node apparatus whether said other node apparatus is an encryption communication target node.
  - 43. The computer readable storage medium according to claim 41, wherein said name resolution proxy means comprisesname resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node and the IP address of said other node apparatus, replacing the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session, and transmitting the name resolution response to the application if it is determined that said other node apparatus is the encryption communication target node, andencryption communication path setting means for registering, in the first encryption communication path setting table, the correspondence between the IP address of said other node apparatus and the loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node.

44. A non-transitory computer-readable storage medium which stores a program, which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, to function ascommunication encryption means provided in a communication encryption module which operates as an independent process, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, whereinsaid communication encryption means receives a data packet having a first intercept address set as a destination address and transmitted from the application, reads out a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the first intercept address, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet,wherein said name resolution proxy means comprises:
- communication method resolution means for determining on the basis of a domain name contained in the name resolution query transmitted from the application to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query whether said other node apparatus is an encryption communication target node,encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node, andname resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence and transmitting the name resolution response to the application.
- View Dependent Claims (45, 46, 47)
- - 45. The computer readable storage medium according to claim 44, whereinsaid name resolution proxy means comprises:
    - communication method resolution means for determining on the basis of the IP address of said other node apparatus whether said other node apparatus is an encryption communication target node.
  - 46. The computer readable storage medium according to claim 44, wherein said name resolution proxy means comprises:
    - the name resolution query/response transmission/reception means further transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node and the IP address of said other node apparatus, replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session, and transmitting the name resolution response to the application if it is determined that said other node apparatus is the encryption communication target node, andthe encryption communication path setting means for further registering, in the first encryption communication path setting table, the correspondence between the IP address of said other node apparatus and the first intercept address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node.
  - 47. The computer readable storage medium according to claim 44, whereinsaid communication encryption means receives the data packet having the first intercept address set as the destination address and transmitted from the application, reads out encryption communication path setting information and a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet from the first encryption communication path setting table that holds the correspondence between a communication partner IP address, a first intercept address, and encryption communication path setting information, encrypts the data packet in which the readout communication partner IP address is set as the destination address of the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy means comprisesthe name resolution query/response transmission/reception means for further transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence between the IP address of said other node apparatus, the encryption communication path setting information, and a first intercept address that is not used in any other communication session, and transmitting the name resolution response to the application if it is determined that said other node apparatus is the encryption communication target node, andthe encryption communication path setting means for further registering, in the first encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the first intercept address that is not used in any other communication session, and the encryption communication path setting information if said other node apparatus is the encryption communication target node.

48. A non-transitory computer-readable storage medium which stores a program, which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates, to function ascommunication encryption means provided in a communication encryption module which operates as an independent process, a redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, whereinsaid redirection means intercepts a data packet transmitted from the application to said other node apparatus, determines on the basis of a criterion held in a redirection table that holds the criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrites predetermined information of the data packet in accordance with the rewrite rule and redirects the data packet to the communication encryption module, andsaid communication encryption means rewrites the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up an encryption communication path setting table that holds a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and an IP address of said other node apparatus of the application, encrypts the data packet in which a destination IP address of said other node apparatus is set, and transmits the data packet to said other node apparatus,wherein said name resolution proxy means comprises:
- communication method resolution means for determining on the basis of a domain name contained in the name resolution query transmitted from the application to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query whether said other node apparatus is an encryption communication target node,encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node, andname resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence and transmitting the name resolution response to the application.

49. A non-transitory computer-readable storage medium which stores a program, which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, to function as:
- communication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, whereinsaid redirection means receives a data packet having an intercept address set as a destination address and transmitted from the application, reads out, from a redirection table that holds a correspondence between an intercept address and a loopback address, a loopback address corresponding to the intercept address set as the destination address of the data packet, and redirects the data packet to the communication encryption module by rewriting the destination address of the data packet to the readout loopback address, andsaid communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, a loopback address, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the loopback address set as the destination address of the data packet redirected from the data transmission/reception unit, encrypts the data packet in which the readout communication partner IP address is set as the destination address of the data packet in accordance with the readout encryption communication path setting information, and transmits the data packetwherein said name resolution proxy means comprises;
  
  communication method resolution means for determining on the basis of a domain name contained in the name resolution query transmitted from the application to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query whether said other node apparatus is an encryption communication target node,encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node, andname resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence and transmitting the name resolution response to the application.

50. A non-transitory computer-readable storage medium which stores a program which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates, to function ascommunication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, whereinsaid redirection means intercepts a data packet transmitted from the application to said other node apparatus, determines whether the data packet is an encryption target by comparing a destination IP address of the intercepted data packet with an IP address of an encryption communication target node held in a redirection table that holds a correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information, and if the data packet is the encryption target, redirects the data packet to the communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of corresponding communication partner identification information on the redirection table and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node,said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from the data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy means comprisesname resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, and transmitting, to the application as the name resolution response, the IP address of said other node apparatus contained in the name resolution response, andencryption communication path setting means for registering, in the encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the communication partner identification information that is not used in any other communication session, and the encryption communication path setting information, and registering, in the redirection table, the correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information that is not used in any other communication session when said other node apparatus is the encryption communication target node.

51. A non-transitory computer-readable storage medium which stores a program which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, to function ascommunication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, whereinsaid redirection means intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to the communication encryption module by rewriting communication partner identification information of the data packet in accordance with a rewrite rule of communication partner identification information corresponding to an intercept address designated as a destination address of the data packet while looking up a redirection table that holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node,said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from the data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, andsaid name resolution proxy means comprisesname resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, and if said other node apparatus is the encryption communication target node, replacing the IP address of said other node apparatus contained in the name resolution response to the intercept address in a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and an intercept address that is not used in any other communication session, and transmitting the name resolution response to the client node apparatus, andencryption communication path setting means for registering, in the encryption communication path setting table, the correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and the communication partner identification information that is not used in any other communication session, and registering, in the redirection table, the correspondence between a rewrite rule of communication partner identification information that is not used in any other communication session and the intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node.

52. A non-transitory computer-readable storage medium which stores a program which causes a computer included in a name resolution server to function as:
- name resolution query/response transmission/reception means for transmitting/receiving a name resolution query to resolve an IP address corresponding to a domain name and a name resolution response as a response to the name resolution query; and
  
  communication method resolution means for identifying for the name resolution query on the basis of the domain name whether communication to be executed in a query source of the name resolution query by using a response result to the name resolution query is a target to be encrypted, for the name resolution query received by said name resolution query/response transmission/reception means, said communication method resolution means identifying on the basis of information contained in one of the name resolution query and the response to the name resolution query whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the encryption communication target, and if it is determined that the communication is the encryption communication target, returning, through said name resolution query/response transmission/reception unit, the name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name.
- View Dependent Claims (53)
- - 53. A name resolution server according to claim 52, wherein said communication method resolution means identifies whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the encryption communication target by checking whether the domain name for name resolution matches the domain name set on a database in which at least part of the domain name as the encryption communication target is set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Ishikawa, Yuichi, Fujita, Norihito, Iijima, Akio, Iwata, Atsushi
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US10/585,997
Publication Number

US 20070160200A1
Time in Patent Office

2,925 Days
Field of Search

380/30
US Class Current

713/150
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/59   using proxies for addressing

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

Encryption communication system, apparatus and method for allowing direct encryption communication with a plurality of nodes

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption communication system, apparatus and method for allowing direct encryption communication with a plurality of nodes

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links