Encryption communication system, apparatus and method for allowing direct encryption communication with a plurality of nodes
Abstract
If the communication partner of a client node (A1a) is an encryption communication target node (C1), a DNS Proxy unit (A12a) in the client node rewrites a response to a name resolution request for the communication partner node of an application from the actual IP address of the communication partner node to a loopback address that changes depending on the communication partner. On the basis of the destination loopback address of a data packet transmitted from the application, a communication encryption module (A13a) in the client node identifies the communication partner and the encryption communication path to be used for communication with the communication partner. Hence, encryption communication can simultaneously be executed directly with a plurality of communication partner nodes by using the communication encryption module that operates as an independent process.
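The mechanism the abstract describes, as an added Python model that is not code from the patent or its assignee: a DNS proxy that answers the application with a per-partner loopback address, the path setting table that ties each loopback address to the partner's real IP address and its path settings, and the encryption module that tells sessions apart purely by destination address. The domain names, IP addresses, loopback pool (127.1.0.0/16) and the HMAC-based keystream standing in for the unspecified cipher are all constructed assumptions.

```python
import hmac
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed upstream resolver data; a real DNS proxy forwards the query to the
# configured name server and inspects the response it gets back.
UPSTREAM_DNS: Dict[str, str] = {
    "secure.example.test": "203.0.113.10",
    "vault.example.test": "203.0.113.20",
    "plain.example.test": "198.51.100.5",
}
# Constructed rule set: domain name -> encryption path setting information
# (modelled as a per-path key). Domains not listed are plain traffic.
ENCRYPTION_TARGETS: Dict[str, bytes] = {
    "secure.example.test": b"path-key-secure",
    "vault.example.test": b"path-key-vault",
}


class EncryptionPathTable:
    """First encryption communication path setting table: loopback -> (partner IP, settings)."""

    def __init__(self, pool: str = "127.1.0.0/16") -> None:
        # Pool excludes 127.0.0.1 so rewritten sessions never collide with
        # ordinary local traffic; each address is handed out at most once.
        self._free = (str(a) for a in ipaddress.ip_network(pool).hosts())
        self._by_loopback: Dict[str, Tuple[str, bytes]] = {}
        self._by_partner: Dict[str, str] = {}

    def register(self, partner_ip: str, settings: bytes) -> str:
        # Assumption: a partner already in the table keeps its loopback address.
        if partner_ip in self._by_partner:
            return self._by_partner[partner_ip]
        loopback = next(self._free, None)  # one no other session is using
        if loopback is None:
            raise RuntimeError("loopback address pool exhausted")
        self._by_loopback[loopback] = (partner_ip, settings)
        self._by_partner[partner_ip] = loopback
        return loopback

    def lookup(self, loopback: str) -> Optional[Tuple[str, bytes]]:
        return self._by_loopback.get(loopback)


class DnsProxy:
    """DNS Proxy unit (A12a in the abstract): decides from the domain name whether
    the partner is an encryption target and, if so, answers with a loopback address."""

    def __init__(self, table: EncryptionPathTable) -> None:
        self.table = table

    def resolve(self, domain: str) -> str:
        real_ip = UPSTREAM_DNS[domain]             # name resolution response
        settings = ENCRYPTION_TARGETS.get(domain)  # decided by the domain name
        if settings is None:
            return real_ip                         # plain traffic: untouched
        return self.table.register(real_ip, settings)


class CommunicationEncryptionModule:
    """Communication encryption module (A13a): one process demultiplexing by destination."""

    def __init__(self, table: EncryptionPathTable) -> None:
        self.table = table

    def handle(self, dst_ip: str, payload: bytes) -> Optional[Tuple[str, bytes]]:
        entry = self.table.lookup(dst_ip)
        if entry is None:
            return None  # no registered path: drop, never forward in clear
        partner_ip, settings = entry
        # Destination rewritten to the partner's real address and the payload
        # encrypted under that partner's path settings before transmission.
        return partner_ip, self.keystream_xor(payload, settings)

    @staticmethod
    def keystream_xor(data: bytes, key: bytes) -> bytes:
        # Illustrative symmetric stand-in (HMAC-SHA256 in counter mode) for the
        # per-path cipher, which the patent leaves unspecified.
        blocks = (len(data) + 31) // 32
        stream = b"".join(
            hmac.new(key, i.to_bytes(4, "big"), "sha256").digest()
            for i in range(blocks)
        )
        return bytes(d ^ s for d, s in zip(data, stream))


def demo() -> dict:
    """One application talking to two encryption targets and one plain host."""
    table = EncryptionPathTable()
    proxy = DnsProxy(table)
    module = CommunicationEncryptionModule(table)
    lb_secure = proxy.resolve("secure.example.test")
    lb_vault = proxy.resolve("vault.example.test")
    return {
        "lb_secure": lb_secure,                       # 127.1.0.1
        "lb_vault": lb_vault,                         # 127.1.0.2, distinct partner
        "lb_secure_again": proxy.resolve("secure.example.test"),
        "plain_ip": proxy.resolve("plain.example.test"),      # 198.51.100.5
        "sent": module.handle(lb_secure, b"GET / HTTP/1.1"),  # to 203.0.113.10
        "dropped": module.handle("127.1.0.9", b"x"),  # None: unknown loopback
    }
```

Because the application only ever sees loopback destinations, a packet arriving at an address with no table entry is the failure mode to watch for: the module drops it instead of forwarding plaintext to the network.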
53 Claims
1. An encryption communication method in which an application in a node apparatus communicates with another node apparatus in a network, the method comprising:
- determining, by a processor, on a basis of a domain name contained in one of a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, whether said other node apparatus is an encryption communication target node;
- registering, in a first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node;
- replacing the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmit the name resolution response to the application;
- transmitting by the application a data packet in which the loopback address serving as an IP address for closed communication in a self node is set as a destination address; and
- receiving, by a communication encryption module operating as an independent process, the data packet having the loopback address set as the destination address and transmitted from the application, read out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from the first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the loopback address, rewrite the destination address of the data packet to the readout communication partner IP address, and encrypt and transmit the data packet.
5. An encryption communication method characterized by comprising:
- determining, by a processor, on a basis of a domain name contained in one of a name resolution query transmitted from an application on a client node apparatus to resolve an IP address of another node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
- registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node;
- transmitting, to the application as the name resolution response, the first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response;
- transmitting, by the application on the client node apparatus, a data packet in which the first intercept address is set as a destination address, the application executing encryption communication with said other node apparatus connected to a network; and
- receiving, by a communication encryption module provided in a communication encryption node and operating as an independent process, the data packet having the first intercept address set as the destination address and transmitted from the application, reading out a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet from the first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the first intercept address, and encrypting and transmitting the data packet in which the readout communication partner IP address is set as the destination address of the data packet.
9. An encryption communication method comprising:
- determining, by a processor, on a basis of a domain name contained in one of a name resolution query transmitted from an application on a client node apparatus to resolve an IP address of another node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
- registering, in a redirection table, a criterion to determine a data packet to be encrypted and a rewrite rule of a communication partner identification information and registering, in an encryption communication path setting table, a correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of the application when said other node apparatus is the encryption communication target node;
- transmitting, by the application a data packet in which the IP address of said other node apparatus is set as a destination address, the application executing encryption communication with said other node apparatus connected to a network;
- intercepting, by a redirection unit provided in a data transmission/reception unit of a kernel unit, the data packet transmitted from the application to said other node apparatus, looking up the redirection table that holds the criterion to determine a data packet to be encrypted and the rewrite rule of communication partner identification information, determining on a basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewriting predetermined information of the data packet in accordance with the rewrite rule and redirecting the data packet to a communication encryption module; and
- rewriting the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up the encryption communication path setting table that stores the correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and the IP address of said other node apparatus of the application, encrypting the data packet in which the destination IP address of said other node apparatus is set, and transmitting the data packet to said other node apparatus.
11. An encryption communication method characterized by comprising:
- determining, on a basis of a domain name contained in one of a name resolution query transmitted from an application on a client node apparatus to resolve an IP address of another node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node; and
- registering, in the redirection table, a criterion to determine a data packet to be encrypted and a rewrite rule of a communication partner identification information, and registering, in an encryption communication path setting table, a correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of the application when said other node apparatus is the encryption communication target node;
- transmitting, by the application, the data packet in which an intercept address corresponding to an IP address of said other node apparatus is set as a destination address, the application executing encryption communication with said other node apparatus connected to a network;
- intercepting, by a redirection unit provided in a data transmission/reception unit of a kernel unit in a communication encryption node, the data packet transmitted from the application, looking up a redirection table that holds the criterion to determine a data packet to be encrypted and the rewrite rule of communication partner identification information, determining on the basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewriting predetermined information of the data packet in accordance with the rewrite rule and redirecting the data packet to a communication encryption module provided in the communication encryption node; and
- rewriting the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up the encryption communication path setting table that stores the correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and the IP address of said other node apparatus of the application, encrypting the data packet in which the destination IP address of said other node apparatus is set, and transmitting the data packet to said other node apparatus.
13. A node apparatus characterized by comprising:
- an application that communicates with another node apparatus connected to a network; and
- a communication encryption module which operates as an independent process, said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a loopback address serving as an IP address for closed communication in a self node, a first communication encryption unit which receives the data packet having the loopback address set as the destination address and transmitted from said application, reads out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from said first encryption communication path setting table, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet;
- a communication method resolution unit which determines on the basis of a domain name contained in one of a name resolution query transmitted from said application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
- an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
- a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmits the name resolution response to said application.
22. A node apparatus comprising:
- an application that communicates with another node apparatus connected to a network;
- a communication encryption module which operates as an independent process; and
- a data transmission/reception unit provided in a kernel unit, said data transmission/reception unit comprising a redirection table which holds a criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from said application to said other node apparatus, determines on the basis of the criterion held in the redirection table whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrites predetermined information of the data packet in accordance with the rewrite rule and redirects the data packet to said communication encryption module, and said communication encryption module comprising an encryption communication path setting table which holds a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from said data transmission/reception unit and an IP address of said other node apparatus of said application;
- a communication encryption unit which rewrites the communication partner identification information of the data packet redirected from said data transmission/reception unit by looking up the encryption communication path setting table, encrypts the data packet in which a destination IP address of said other node apparatus is set, and transmits the data packet to said other node apparatus;
- a communication method resolution unit which determines on the basis of a domain name contained in one of a name resolution query transmitted from said application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node; and
- an encryption communication path setting unit which registers, in said redirection table, the criterion to determine the data packet to be encrypted and the rewrite rule of the communication partner identification information, and registers, in said encryption communication path setting table, a correspondence between the rewrite rule of the communication partner identification information of the data packet and the IP address of said other node apparatus of said application when said other node apparatus is the encryption communication target node.
25. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, comprising:
- a communication encryption module which operates as an independent process, said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a first intercept address, and a first communication encryption unit which receives a data packet having the first intercept address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet;
- a communication method resolution unit which determines on the basis of a domain name contained in a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node;
- an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and
- a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, the first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response.
31. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, comprising:
- a communication encryption module which operates as an independent process;
- a data transmission/reception unit provided in a kernel unit; and
- a name resolution proxy unit which relays a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query,
- said data transmission/reception unit comprising a redirection table which holds a correspondence between an intercept address and a loopback address serving as an IP address for closed communication in a self node, and a redirection unit which receives a data packet having the intercept address set as a destination address and transmitted from the application, reads out, from said redirection table, a loopback address corresponding to the intercept address set as the destination address of the data packet, and redirects the data packet to said communication encryption module by rewriting the destination address of the data packet to the readout loopback address,
- said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, a loopback address, and encryption communication path setting information to be used for communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the loopback address set as the destination address of the data packet redirected from said data transmission/reception unit, encrypts the data packet in which the readout communication partner IP address is set as the destination address of the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and
- said name resolution proxy unit comprising a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between encryption communication path setting information corresponding to the matched specifying condition, the IP address of said other node apparatus resolved by the name resolution response, and a loopback address that is not used in any other communication session, and registers, in said redirection table, a correspondence between the loopback address in the correspondence and an intercept address that is not used in any other communication session, and a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, an intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response received from the name resolution server.
34. A communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, comprising:
- a communication encryption module which operates as an independent process;
- a data transmission/reception unit provided in a kernel unit; and
- a name resolution proxy unit which relays a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query,
- said data transmission/reception unit comprising a redirection table which holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the communication partner identification information corresponding to an intercept address designated as a destination address of the data packet upon looking up said redirection table and by rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node,
- said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and
- said name resolution proxy unit comprising a name resolution query/response transmission/reception unit which transmits, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receives, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, replaces the IP address of said other node apparatus contained in the name resolution response with the intercept address in the correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and an intercept address that is not used in any other communication session, and transmits the name resolution response to the client node apparatus if said other node apparatus is an encryption communication target node, and an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between a rewrite rule to the communication partner identification information that is not used in any other communication session and the intercept address that is not used in any other communication session if said other node apparatus is the encryption communication target node.
35. A name resolution server, for a name resolution query to resolve an IP address corresponding to a domain name, whether communication to be executed in a query source of the name resolution query by using a response result to the name resolution query is a target to be encrypted is identified on a basis of the domain name, and if it is determined that the communication is an encryption communication target, a name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name is returned, wherein the name resolution server comprises:
- a name resolution query/response transmission/reception unit which transmits/receives the name resolution query and the name resolution response as a response to the name resolution query, and
- a communication method resolution unit which identifies for the name resolution query on the basis of the domain name whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the target to be encrypted,
- wherein for the name resolution query received by said name resolution query/response transmission/reception unit, said communication method resolution unit identifies on the basis of information contained in one of the name resolution query and the response to the name resolution query whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the encryption communication target, and if it is determined that the communication is the encryption communication target, said name resolution query/response transmission/reception unit returns the name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name.
36. An encryption communication system comprising:
- a node apparatus in which an application that communicates with another node apparatus connected to a network operates; and
- a name resolution server to cause the application to resolve an IP address of said other node apparatus,
- said node apparatus comprising a communication encryption module which operates as an independent process, and said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a loopback address serving as an IP address for closed communication in a self node, and a first communication encryption unit which receives a data packet having the loopback address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the loopback address set as the destination address of the data packet, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet,
- wherein said name resolution server comprises a communication method resolution unit which determines on the basis of a domain name contained in one of a name resolution query transmitted from the application to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query whether said other node apparatus is an encryption communication target node, and said node apparatus further comprises an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session if it is determined that said other node apparatus is the encryption communication target node, and a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmits the name resolution response to the application.
38. An encryption communication system characterized by comprising:
-
a client node apparatus in which an application that communicates with another node apparatus connected to a network operates; a communication encryption node apparatus connected to said client node apparatus through the network; and a name resolution server to cause the application to resolve an IP address of said other node apparatus, said communication encryption node apparatus comprising a communication encryption module which operates as an independent process, and a name resolution proxy unit which relays the name resolution query transmitted from the application to said name resolution server to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query, and said communication encryption module comprising a first encryption communication path setting table which holds a correspondence between a communication partner IP address and a first intercept address, and a first communication encryption unit which receives a data packet having the first intercept address set as a destination address and transmitted from the application, reads out, from said first encryption communication path setting table, a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet, wherein said name resolution server comprises a communication method resolution unit which determines on the basis of an IP address of said other node apparatus whether said other node apparatus is an encryption communication target node, and said name resolution proxy unit of said communication encryption node apparatus comprises an encryption communication path setting unit which registers, in said first encryption communication path setting table, a correspondence between the IP address of said other node apparatus 
and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node; and a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, the first intercept address corresponding to the IP address of said other node apparatus contained in the name resolution response.
39. An encryption communication system comprising:
a node apparatus in which an application that communicates with another node apparatus connected to a network operates; and a name resolution server to cause the application to resolve an IP address of said other node apparatus, said node apparatus comprising a communication encryption module which operates as an independent process, a data transmission/reception unit provided in a kernel unit, and a name resolution proxy unit which relays a name resolution query transmitted from the application to said name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, said data transmission/reception unit comprising a redirection table which holds a correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from the application to said other node apparatus, determines whether the data packet is an encryption target by comparing a destination IP address of the data packet with the IP address of the encryption communication target node registered in said redirection table, and if the data packet is the encryption target, redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the corresponding communication partner identification information on the redirection table and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for 
communication with a communication partner, and a communication encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution server comprising, in addition to a function related to name resolution, a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, and a name resolution response/query transmission/reception unit which adds encryption communication path setting information corresponding to the matched specifying condition to the name resolution response and transmits the name resolution response, and said name resolution proxy unit comprising an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between IP address of the encryption communication target node and a rewrite rule of 
communication partner identification information that is not used in any other communication session upon receiving the name resolution response added the encryption communication path setting information from said name resolution server, and a name resolution query/response transmission/reception unit which transmits, to the application as the name resolution response, the IP address of said other node apparatus contained in the name resolution response received from said name resolution server.
40. An encryption communication system comprising:
a client node apparatus in which an application that communicates with another node apparatus connected to a network operates; a communication encryption node apparatus connected to said client node apparatus through the network; and a name resolution server to cause the application to resolve an IP address of said other node apparatus, said communication encryption node apparatus comprising a communication encryption module which operates as an independent process, a data transmission/reception unit provided in a kernel unit, and a name resolution proxy unit which relays a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, said data transmission/reception unit comprising a redirection table which holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, and a redirection unit which intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to said communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of the communication partner identification information corresponding to an intercept address designated as a destination address of the data packet upon looking up said redirection table and by rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption module comprising an encryption communication path setting table which holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information to be used for communication with a communication partner, and a communication 
encryption unit which reads out, from said encryption communication path setting table, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from said data transmission/reception unit, rewrites the destination address of the other node apparatus to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, said name resolution server comprising, in addition to a function related to name resolution, a setting table which holds a correspondence between a specifying condition to specify an encryption communication target node and encryption communication path setting information, a communication method resolution unit which determines whether information of said other node apparatus contained in one of the name resolution query and the name resolution response matches any one of specifying conditions held in said setting table, and a name resolution response/query transmission/reception unit which adds encryption communication path setting information corresponding to the matched specifying condition to the name resolution response and transmits the name resolution response, and said name resolution proxy unit comprising an encryption communication path setting unit which registers, in said encryption communication path setting table, a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and communication partner identification information that is not used in any other communication session, and registers, in said redirection table, a correspondence between a rewrite rule of communication partner identification information that is not used in any other communication session and an intercept address 
that is not used in any other communication session upon receiving the name resolution response added the encryption communication path setting information from said name resolution server, and a name resolution query/response transmission/reception unit which replaces the IP address of said other node apparatus contained in the name resolution response received from said name resolution server with the intercept address in the correspondence and transmits the name resolution response to said client node apparatus.
41. A non-transitory computer readable storage medium which stores a program, which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates, to function as
communication encryption means provided in a communication encryption module which operates as an independent process, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, wherein said communication encryption means receives a data packet transmitted from the application, in which a loopback address serving as an IP address for closed communication in a self node is set as a destination address, reads out a communication partner IP address corresponding to the loopback address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the loopback address, rewrites the destination address of the data packet to the readout communication partner IP address, and encrypts and transmits the data packet wherein said name resolution proxy means comprises:
communication method resolution means for determining on the basis of a domain name contained in one of the name resolution query transmitted from the application to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query whether said other node apparatus is an encryption communication target node, encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a loopback address that is not used in any other communication session when said other node apparatus is the encryption communication target node, and name resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the loopback address in the correspondence and transmitting the name resolution response to the application. (Dependent claims: 42, 43)
44. A non-transitory computer-readable storage medium which stores a program, which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, to function as
communication encryption means provided in a communication encryption module which operates as an independent process, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, wherein said communication encryption means receives a data packet having a first intercept address set as a destination address and transmitted from the application, reads out a communication partner IP address corresponding to the first intercept address set as the destination address of the data packet from a first encryption communication path setting table that holds a plurality of correspondences between the communication partner IP address and the first intercept address, and encrypts and transmits the data packet in which the readout communication partner IP address is set as the destination address of the data packet, wherein said name resolution proxy means comprises:
communication method resolution means for determining on the basis of a domain name contained in the name resolution query transmitted from the application to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query whether said other node apparatus is an encryption communication target node, encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node, and name resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence and transmitting the name resolution response to the application. (Dependent claims: 45, 46, 47)
48. A non-transitory computer-readable storage medium which stores a program, which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates, to function as
communication encryption means provided in a communication encryption module which operates as an independent process, a redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, wherein said redirection means intercepts a data packet transmitted from the application to said other node apparatus, determines on the basis of a criterion held in a redirection table that holds the criterion to determine a data packet to be encrypted and a rewrite rule of communication partner identification information whether the data packet is the data packet to be encrypted, and if the data packet is the data packet to be encrypted, rewrites predetermined information of the data packet in accordance with the rewrite rule and redirects the data packet to the communication encryption module, and said communication encryption means rewrites the communication partner identification information of the data packet redirected from the data transmission/reception unit by looking up an encryption communication path setting table that holds a correspondence between the rewrite rule of the communication partner identification information of the data packet redirected from the data transmission/reception unit and an IP address of said other node apparatus of the application, encrypts the data packet in which a destination IP address of said other node apparatus is set, and transmits the data packet to said other node apparatus, wherein said name resolution proxy means comprises:
communication method resolution means for determining on the basis of a domain name contained in the name resolution query transmitted from the application to resolve the IP address of said other node apparatus and the name resolution response as the response to the name resolution query whether said other node apparatus is an encryption communication target node, encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node, and name resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence and transmitting the name resolution response to the application.
49. A non-transitory computer-readable storage medium which stores a program, which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, to function as:
communication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, wherein said redirection means receives a data packet having an intercept address set as a destination address and transmitted from the application, reads out, from a redirection table that holds a correspondence between an intercept address and a loopback address, a loopback address corresponding to the intercept address set as the destination address of the data packet, and redirects the data packet to the communication encryption module by rewriting the destination address of the data packet to the readout loopback address, and said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, a loopback address, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the loopback address set as the destination address of the data packet redirected from the data transmission/reception unit, encrypts the data packet in which the readout communication partner IP address is set as the destination address of the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet wherein said name resolution proxy means comprises: communication method resolution means for determining on the basis of a domain name contained in the name resolution query transmitted from the application to resolve the IP address of said other node apparatus and the name 
resolution response as the response to the name resolution query whether said other node apparatus is an encryption communication target node, encryption communication path setting means for registering, in the first encryption communication path setting table, a correspondence between the IP address of said other node apparatus and a first intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node, and name resolution query/response transmission/reception means for replacing the IP address of said other node apparatus contained in the name resolution response with the first intercept address in the correspondence and transmitting the name resolution response to the application.
50. A non-transitory computer-readable storage medium which stores a program which causes a computer included in a node apparatus in which an application that communicates with another node apparatus connected to a network operates, to function as
communication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the application to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, wherein said redirection means intercepts a data packet transmitted from the application to said other node apparatus, determines whether the data packet is an encryption target by comparing a destination IP address of the intercepted data packet with an IP address of an encryption communication target node held in a redirection table that holds a correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information, and if the data packet is the encryption target, redirects the data packet to the communication encryption module by rewriting the communication partner identification information of the data packet in accordance with the rewrite rule of corresponding communication partner identification information on the redirection table and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from the data transmission/reception unit, rewrites the destination address of the data packet to 
the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name resolution proxy means comprises name resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, and transmitting, to the application as the name resolution response, the IP address of said other node apparatus contained in the name resolution response, and encryption communication path setting means for registering, in the encryption communication path setting table, the correspondence between the IP address of said other node apparatus, the communication partner identification information that is not used in any other communication session, and the encryption communication path setting information, and registering, in the redirection table, the correspondence between an IP address of an encryption communication target node and a rewrite rule of communication partner identification information that is not used in any other communication session when said other node apparatus is the encryption communication target node.
51. A non-transitory computer-readable storage medium which stores a program which causes a computer included in a communication encryption node apparatus connected, through a network, to a client node apparatus in which an application that communicates with another node apparatus connected to the network operates, to function as
communication encryption means provided in a communication encryption module which operates as an independent process, redirection means provided in a data transmission/reception unit of a kernel unit, and name resolution proxy means for relaying a name resolution query transmitted from the client node to a name resolution server to resolve an IP address of said other node apparatus and a name resolution response as a response to the name resolution query, wherein said redirection means intercepts a data packet transmitted from the client node apparatus to said other node apparatus, and redirects the data packet to the communication encryption module by rewriting communication partner identification information of the data packet in accordance with a rewrite rule of communication partner identification information corresponding to an intercept address designated as a destination address of the data packet while looking up a redirection table that holds a correspondence between an intercept address and a rewrite rule of communication partner identification information, and rewriting the destination address of the data packet to a loopback address serving as an IP address for closed communication in a self node, said communication encryption means reads out, from an encryption communication path setting table that holds a correspondence between a communication partner IP address, communication partner identification information, and encryption communication path setting information, encryption communication path setting information and a communication partner IP address corresponding to the communication partner identification information of the data packet redirected from the data transmission/reception unit, rewrites the destination address of the data packet to the readout communication partner IP address, encrypts the data packet in accordance with the readout encryption communication path setting information, and transmits the data packet, and said name 
resolution proxy means comprises name resolution query/response transmission/reception means for transmitting, to the name resolution server, the name resolution query transmitted from the application to resolve the IP address of said other node apparatus, receiving, from the name resolution server, the name resolution response containing a determination result indicating whether said other node apparatus is an encryption communication target node, encryption communication path setting information, and the IP address of said other node apparatus, and if said other node apparatus is the encryption communication target node, replacing the IP address of said other node apparatus contained in the name resolution response to the intercept address in a correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and an intercept address that is not used in any other communication session, and transmitting the name resolution response to the client node apparatus, and encryption communication path setting means for registering, in the encryption communication path setting table, the correspondence between the encryption communication path setting information, the IP address of said other node apparatus resolved by the name resolution response, and the communication partner identification information that is not used in any other communication session, and registering, in the redirection table, the correspondence between a rewrite rule of communication partner identification information that is not used in any other communication session and the intercept address that is not used in any other communication session when said other node apparatus is the encryption communication target node.
52. A non-transitory computer-readable storage medium which stores a program which causes a computer included in a name resolution server to function as:
name resolution query/response transmission/reception means for transmitting/receiving a name resolution query to resolve an IP address corresponding to a domain name and a name resolution response as a response to the name resolution query; and communication method resolution means for identifying for the name resolution query on the basis of the domain name whether communication to be executed in a query source of the name resolution query by using a response result to the name resolution query is a target to be encrypted, for the name resolution query received by said name resolution query/response transmission/reception means, said communication method resolution means identifying on the basis of information contained in one of the name resolution query and the response to the name resolution query whether the communication to be executed in the query source of the name resolution query by using the response result to the name resolution query is the encryption communication target, and if it is determined that the communication is the encryption communication target, returning, through said name resolution query/response transmission/reception unit, the name resolution response containing information necessary for the encryption communication in addition to the IP address corresponding to the domain name. (Dependent claims: 53)
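The mechanism shared by claims 41 through 52 (a name resolution proxy that answers queries for encryption target domains with an unused loopback address, an encryption communication path setting table keyed by that address, and a communication encryption module that maps the loopback destination back to the partner IP before encrypting) is illustrated below as an added, self-contained Python simulation; it is not code from the patent or its assignee. The stub resolver table, the target domain suffix, the path setting information, the packet dictionaries and the payload tagging used in place of a real cipher are all constructed placeholders.

```python
"""Simulation of the loopback-address name resolution proxy in the claims.

Constructed example: STUB_DNS stands in for the name resolution server,
SETTING_TABLE for the server's specifying-condition table, and dicts for
IP packets. The "encryption" step only tags the payload with the path
setting information; a real module would apply IPsec or similar.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the name resolution server: domain -> IP address.
STUB_DNS = {
    "intra.secure.example.test": "192.0.2.10",
    "files.secure.example.test": "192.0.2.20",
    "www.example.test": "198.51.100.5",
}

# Constructed specifying conditions: domain suffix -> encryption communication
# path setting information returned with the name resolution response.
SETTING_TABLE = [
    (".secure.example.test", {"protocol": "IPsec-ESP", "policy": "placeholder-policy-1"}),
]


def communication_method_resolution(domain: str):
    """Decide from the domain name whether the partner is an encryption target.

    Returns the matching path setting information, or None for plain traffic.
    """
    for suffix, setting in SETTING_TABLE:
        if domain == suffix.lstrip(".") or domain.endswith(suffix):
            return setting
    return None


@dataclass
class PathEntry:
    partner_ip: str   # communication partner IP address
    setting: dict     # encryption communication path setting information


class CommunicationEncryptionModule:
    """The independent process holding the encryption communication path setting table."""

    def __init__(self, pool_size: int = 2**24 - 3):
        # loopback address -> PathEntry. 127.0.0.1 is never handed out, so the
        # pool starts at 127.0.0.2 and by default ends at 127.255.255.254.
        self.path_table: dict[str, PathEntry] = {}
        self._base = int(ipaddress.IPv4Address("127.0.0.2"))
        self._pool_size = pool_size

    def allocate_loopback(self, partner_ip: str, setting: dict) -> str:
        """Register a loopback address that is not used in any other session."""
        for n in range(self._pool_size):
            addr = str(ipaddress.IPv4Address(self._base + n))
            if addr not in self.path_table:
                self.path_table[addr] = PathEntry(partner_ip, setting)
                return addr
        # Every loopback address is bound to a live session: refuse rather
        # than silently reuse one and cross two sessions' traffic.
        raise RuntimeError("no unused loopback address left")

    def release(self, loopback: str) -> None:
        """Free the correspondence once the application's session ends."""
        self.path_table.pop(loopback, None)

    def transmit(self, packet: dict) -> dict:
        """Receive a packet addressed to a loopback address, rewrite and 'encrypt' it."""
        entry = self.path_table.get(packet["dst"])
        if entry is None:
            # A loopback destination with no registered path is a programming
            # error or stale session, never something to forward in the clear.
            raise KeyError(f"no encryption path registered for {packet['dst']}")
        tag = f"{entry.setting['protocol']}:{entry.setting['policy']}".encode()
        return {
            "src": packet["src"],
            "dst": entry.partner_ip,          # destination rewritten to partner IP
            "protocol": entry.setting["protocol"],
            "payload": tag + b"|" + packet["payload"],  # placeholder for ciphertext
        }


class NameResolutionProxy:
    """Relays name resolution between the application and the stub server."""

    def __init__(self, module: CommunicationEncryptionModule):
        self.module = module

    def resolve(self, domain: str):
        """Return the address the application should use, or None for NXDOMAIN."""
        ip = STUB_DNS.get(domain)
        if ip is None:
            return None
        setting = communication_method_resolution(domain)
        if setting is None:
            return ip  # not an encryption target: response passes through unchanged
        # Encryption target: register the correspondence and answer with the loopback.
        return self.module.allocate_loopback(ip, setting)
```

Because each target gets its own loopback address, the application sees nothing but ordinary resolved addresses, while the module can tell sessions apart purely by destination address.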
Specification