The present invention relates to a communication technology, and more particularly to an encrypted communication technology for encrypting and transmitting data that is sent out from an information processing terminal.
Nowadays, incidents in which secret information leaks out through wiretapping, for example data transmitted or received over networks such as the Internet or a LAN (Local Area Network) being intercepted by an unauthorized third party, occur frequently and have become a matter of public concern.
A technique that is effective in preventing such wiretapping of data is to "encrypt" the data that is sent out from a PC (Personal Computer). Encrypting the data allows its secrecy to be maintained.
Preserving the secrecy of data requires that every item of secret data sent out from the PC be encrypted. Conventionally, however, in order for data sent out from the PC to be encrypted, the user has to instruct the encryption software to encrypt the transmission data.
For example, electronic mail is generally encrypted by transmitting it with the SMTP over SSL protocol, so the user has to explicitly instruct the mail software to encrypt the mail by using this protocol. Many kinds of software require that this setting be changed manually, which imposes a burden on the user and carries the risk that unencrypted electronic mail is sent out because of an erroneous setting.
A solution to these problems is proposed in Patent document 1. The technique described in Patent document 1 comprises an encryption application, an encryption driver, and an encryption LSI, for the purpose of preventing unencrypted packets from being sent out from the PC. In
The encryption application is software that manages the encryption algorithm together with a password.
The encryption driver is software incorporated into the data-link layer, a lower layer of the TCP/IP protocol stack. The encryption driver receives the password from the encryption application and, by referring to that password, instructs the encryption LSI which encryption algorithm to use.
The encryption LSI is hardware incorporated into the physical layer, the lowest layer of the TCP/IP protocol stack. The encryption LSI refers to the encryption algorithm designated by the encryption driver and encrypts data as necessary. This makes it possible to encrypt data sent out from the PC and to eliminate the risk that unencrypted data is sent out onto the network.
The details of Patent document 1 will be explained with reference to
First, as an initial setting, the encryption driver is installed on both the PC 1 and the server 2, and a network interface card (NIC) containing the encryption LSI is attached to both the PC and the server. Further, the encryption algorithm and the password used for encryption are pre-set in the encryption drivers of the PC 1 and the server 2. Once these initial settings are complete, encrypted data can be exchanged.
To explain the encrypting process concretely, the case in which data is transmitted from the PC 1 to the server 2 is described.
When an application such as mail or Web on the PC 1 side starts data communication, it first conveys a data communication start request, indicating that data transmission is about to start, to the encryption application, and delivers the plaintext data to be transmitted to the NIC through TCP, IP routing, the IP stack, and the driver. On receiving the data communication start request from the application, the encryption application notifies the encryption driver that communication is starting and provides it with the password set by the user. The encryption driver instructs the encryption LSI to encrypt the plaintext data with the algorithm corresponding to the password received from the encryption application. The encryption LSI encrypts the plaintext data awaiting transmission in the NIC according to the algorithm designated by the encryption driver, and the NIC sends the data encrypted by the encryption LSI out to the network.

On the server side, when the NIC receives this encrypted data, it first notifies the driver of the incoming data. On receiving the incoming notification from the NIC, the driver in turn passes the notification to the encryption driver and the encryption application. On receiving the notification from the driver, the encryption driver asks the encryption application for the registered password for confirmation, and instructs the encryption LSI to decrypt the received data with the decryption algorithm that matches the registered password. The encryption LSI decrypts the received encrypted data held in the NIC with the decryption algorithm designated by the encryption driver, and the NIC delivers the plaintext data decrypted by the encryption LSI to the application through the driver, the IP stack, IP routing, and TCP.
Performing this series of processes allows secret information transmitted and received between the PC and the server to be encrypted and reliably prevented from leaking out to a third party.
[Patent document 1] JP-P1998-190704A
The first problem with the above-mentioned prior art is that encrypting data transmitted and received between the PC 1 and the server 2 requires not only installing each of the encryption application, the encryption driver, and the encryption LSI on both the PC 1 and the server 2, but also pre-setting the encryption algorithm or the password key used for encryption in the encryption applications of the PC 1 and the server 2, which imposes an installation and configuration burden.
The second problem with the above-mentioned prior art is that encrypting data transmitted and received between the PC 1 and the server 2 requires an encryption function such as the encryption LSI to be built into the NIC, which places an enormous load on the hardware developer and the software developer and imposes a development burden.
The third problem is that, even when the first problem is solved by the first invention of the present invention so that encrypted communication between the PC 1 and the server 2 is possible without installing a special encryption apparatus on the server, the application on the server 2 side must itself support the encryption; depending on the application in use, the data may therefore not be encryptable, and a burden for configuring the encryption remains.
The fourth problem with the above-mentioned prior art is that, in order to change the setting that starts or stops the encryption function in response to, for example, the PC moving to a different location, the user has to change the setting manually through a GUI (Graphical User Interface). This carries a risk of information leakage due to an erroneous setting and imposes a configuration burden.
The fifth problem with the above-mentioned prior art is that, where a plurality of PCs that could each cause information leakage exist on the network, encrypting data requires the encryption application, the encryption driver, and the encryption LSI to be installed on every PC, which imposes an installation and configuration burden.
The present invention has been made in view of the above-mentioned problems, and an object thereof is to provide an encryption system that reliably encrypts all data transmitted and received between the PC and the server without imposing a burden on the user.
A further object is to reduce the load imposed on the hardware developer and the software developer.
The first invention for solving the above-mentioned problem, which is a communication system including a transmission node and a reception node, is characterized in including:
a first session establishing means for establishing a first session with the transmission node responding to a session establishment request from the transmission node;
a second session establishing means for establishing a second session with the reception node for transmitting/receiving encrypted transmission data; and
an encrypting means for exchanging information necessary for encryption through the second session, and encrypting the transmission data received through the first session based upon this information.
The second invention for solving the above-mentioned problem is characterized in that, in the above-mentioned first invention, one of the first session establishing means and the second session establishing means is a means for establishing a session with a transport layer.
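Read together, the first and second inventions describe a relay placed below the application: the connection request coming from the local transport layer is answered locally (the first session), an encrypted session is opened to the reception node (the second session), and the information needed for encryption is negotiated over that second session, so neither the application nor the user ever handles a key. The Go program below is an added example written for this page; it is not code from the patent or from any product it describes. It uses TLS for the second session (what the page calls the SSL of the server side) and assumes a host name `server.example`, a loopback echo server standing in for the reception node, and a self-signed certificate generated in memory; a real deployment would verify a CA-issued certificate against the system trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const serverName = "server.example" // assumed name of the reception node; the page gives none

// selfSignedCert builds an in-memory certificate for the reception node. It stands in for the
// server-side certificate; a real deployment uses a CA-issued one verified against system roots.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// serve runs an accept loop in the background; every connection is closed when handle returns.
func serve(ln net.Listener, handle func(net.Conn)) {
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { defer c.Close(); handle(c) }()
		}
	}()
}

// startEchoServer is the reception node: it accepts TLS only and echoes what it receives.
func startEchoServer(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	serve(ln, func(c net.Conn) { io.Copy(c, c) })
	return ln.Addr().String(), nil
}

// startRelay plays the intermediate driver: each plaintext TCP connection it accepts is a first
// session, for which it opens a verified TLS second session and forwards the bytes encrypted.
func startRelay(serverAddr string, roots *x509.CertPool) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	serve(ln, func(first net.Conn) {
		cfg := &tls.Config{ServerName: serverName, RootCAs: roots, MinVersion: tls.VersionTLS12}
		second, err := tls.Dial("tcp", serverAddr, cfg)
		if err != nil {
			return // fail closed: the first session is dropped, nothing goes out in the clear
		}
		defer second.Close()
		go func() { io.Copy(second, first); second.CloseWrite() }() // plaintext in, ciphertext out
		io.Copy(first, second)                                       // ciphertext in, plaintext back
	})
	return ln.Addr().String(), nil
}

// roundTrip is the unmodified application: a plain TCP client with no TLS configuration at all.
func roundTrip(relayAddr, msg string) (string, error) {
	c, err := net.DialTimeout("tcp", relayAddr, 2*time.Second)
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(2 * time.Second))
	buf := make([]byte, len(msg))
	if _, err = c.Write([]byte(msg)); err == nil {
		_, err = io.ReadFull(c, buf)
	}
	return string(buf), err
}

func main() {
	cert, roots, _ := selfSignedCert()
	srv, _ := startEchoServer(cert)
	relay, _ := startRelay(srv, roots)
	fmt.Println(roundTrip(relay, "secret report"))
}
```

The application in `roundTrip` never sees a certificate or a key; the relay obtains them over the second session, which is the point the page makes about removing the key-setting burden from the PC side. The two settings that carry the "no unencrypted data leaves the PC" guarantee are `RootCAs` together with `ServerName`, which authenticate the reception node, and the fail-closed branch after `tls.Dial`: setting `InsecureSkipVerify` instead would keep the bytes encrypted on the wire but let any interposer with its own certificate read them.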
The third invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned first and second inventions, including a determining means for determining the transmission data, and as a result of the determination, sending the transmission data that has not been encrypted to the first session establishing means.
The fourth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned third invention, the determining means is a means for making a reference to a header of the transmission data, thereby to determine whether or not the transmission data has been encrypted.
The fifth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned first to fourth inventions, the first session establishing means is a means for establishing a first session with the transmission node responding to the session establishment request from the transport layer of the transmission node, and commanding the second session establishing means to establish a session with the transport layer of the reception node.
The sixth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned first to fourth inventions, in a case where the transmission data is transmitted/received between the transmission node and the reception node through a relay apparatus, the first session establishing means is a means for establishing a first session with the transmission node responding to the session establishment request from the transport layer of the transmission node, and commanding the second session establishing means to establish a second session with the transport layer of the relay apparatus.
The seventh invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned first to sixth inventions, each of the first session establishing means, the second session establishing means, the encrypting means, and the determining means is configured between a network layer and a data-link layer.
The eighth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned first to sixth inventions, Operating System (OS) includes the second session establishing means and the encrypting means.
The ninth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned eighth invention, the Operating System (OS) further includes the first session establishing means.
The tenth invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned first to ninth inventions, including a controlling means for conducting a communication test, and responding to a result of this test, deciding whether or not the transmission data is encrypted.
The eleventh invention for solving the above-mentioned problem is characterized in that, in the above-mentioned tenth invention, the timing at which the controlling means conducts the communication test is one of the time the transmission node is started, the time of transmitting or receiving data, every time a fixed period elapses, and a designated time, or a combination thereof.
The twelfth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned tenth and eleventh inventions, the communication test is one of a test for checking whether a response of an ICMP echo request is returned, a test for checking whether a response of an echo request employing a special frame is returned, and a test for checking whether a value of an IP address allotted to the transmission node is a specified value, or a combination thereof.
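The determining means of the third and fourth inventions (route unencrypted transmission data into the first session, pass the rest through) and the communication test of the tenth to twelfth inventions (decide from the node's surroundings whether encryption is switched on) are both decisions a practitioner can write down. The Go example below is added for this page and is not from the patent. It assumes concrete signals that the page leaves open: a packet is treated as already encrypted when its TCP destination port is 443 or its segment begins with a TLS record header, and the node is treated as being at its trusted location when its assigned IPv4 address lies in an assumed prefix and an injected echo test (an ICMP echo or the page's "special frame") succeeds. The sample packets are constructed inline for offline use, with checksums left at zero.

```go
package main

import (
	"encoding/binary"
	"errors"
	"net"
)

// Route is the verdict of the determining means for one outgoing IPv4 packet.
type Route int

const (
	RouteToFirstSession Route = iota // plaintext TCP: hand to the first session to be encrypted
	RoutePassThrough                 // already encrypted, or not TCP: send out unchanged
)

// classifyPacket inspects the IPv4 header, the TCP header and the first payload bytes. The page
// only says the determination "refers to a header"; the two signals used here are assumptions.
func classifyPacket(pkt []byte) (Route, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return RoutePassThrough, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return RoutePassThrough, errors.New("bad IPv4 header length")
	}
	if pkt[9] != 6 { // protocol is not TCP: the relay has no session to place it in
		return RoutePassThrough, nil
	}
	tcp := pkt[ihl:]
	if len(tcp) < 20 {
		return RoutePassThrough, errors.New("truncated TCP header")
	}
	dataOff := int(tcp[12]>>4) * 4
	if dataOff < 20 || len(tcp) < dataOff {
		return RoutePassThrough, errors.New("bad TCP data offset")
	}
	dstPort := binary.BigEndian.Uint16(tcp[2:4])
	if dstPort == 443 || looksLikeTLSRecord(tcp[dataOff:]) {
		return RoutePassThrough, nil
	}
	return RouteToFirstSession, nil
}

// looksLikeTLSRecord matches a TLS record header: content type 20..23 and version 3.x.
func looksLikeTLSRecord(p []byte) bool {
	return len(p) >= 5 && p[0] >= 20 && p[0] <= 23 && p[1] == 3 && p[2] <= 4
}

// buildTCPPacket is a constructed IPv4/TCP packet for offline use (checksums left zero).
func buildTCPPacket(dstPort uint16, payload []byte) []byte {
	ip := make([]byte, 20)
	ip[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(ip[2:4], uint16(40+len(payload)))
	ip[8], ip[9] = 64, 6 // TTL, protocol TCP
	copy(ip[12:16], net.IPv4(10, 1, 2, 3).To4())
	copy(ip[16:20], net.IPv4(203, 0, 113, 10).To4())
	tcp := make([]byte, 20)
	binary.BigEndian.PutUint16(tcp[0:2], 51000)
	binary.BigEndian.PutUint16(tcp[2:4], dstPort)
	tcp[12], tcp[13] = 5<<4, 0x18 // data offset 5 words, PSH|ACK
	return append(append(ip, tcp...), payload...)
}

// EchoFunc performs one echo test (ICMP echo request, or the page's "special frame") and
// reports whether a reply arrived. It is injected so the policy can be exercised offline.
type EchoFunc func() bool

// LocationPolicy is the controlling means' view of where the node is. The page does not say
// which result turns encryption on; this example fails closed: encrypt unless the assigned
// address lies in a trusted prefix and the echo test, when configured, succeeds.
type LocationPolicy struct {
	TrustedNets []*net.IPNet
	Echo        EchoFunc
}

// NeedsEncryption is what the controlling means evaluates at each of the page's test timings.
func (p LocationPolicy) NeedsEncryption(local net.IP) bool {
	inside := false
	for _, n := range p.TrustedNets {
		if n.Contains(local) {
			inside = true
			break
		}
	}
	if !inside {
		return true
	}
	return p.Echo != nil && !p.Echo()
}
```

Two caveats a practitioner should keep in mind. A header check can show that traffic is probably TLS, not that it is encrypted: any process can write plaintext to port 443, so passing such packets through unchanged is a convenience for traffic that is already protected, not a guarantee, and it should sit behind the fail-closed relay rather than replace it. The location tests, in turn, are only as current as their last run; the page lists start-up, each transmission or reception, fixed intervals and designated times as moments to re-run them, and it is the re-run, not the initial verdict, that stops a PC that has moved off the trusted network from continuing under a stale "do not encrypt" decision.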
The thirteenth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned first to twelfth inventions, the encrypting means includes a decrypting means for decrypting the received data based upon the information.
The fourteenth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned thirteenth invention, the decrypting means is a means for decrypting the received data that has been determined by the determining means to be data sent through the second session established by the second session establishing means.
The fifteenth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned fourteenth invention, the determining means is a means for making a reference to a header of the received data, thereby to determine that the received data has been sent through the second session established by the second session establishing means.
The sixteenth invention for solving the above-mentioned problem, which is a communication system in which communication is made between a transmission node and a reception node through a relay apparatus, is characterized in including:
a communication establishing means for establishing a session for making communication between the transmission node and the reception node;
a session establishing means for establishing an encryption session for transmitting/receiving transmission data encrypted between the transmission node and the relay apparatus; and
an encrypting means for exchanging information necessary for encryption through the encryption session, and encrypting the transmission data based upon this information.
The seventeenth invention for solving the above-mentioned problem, which is a communication system including a transmission node and a reception node, is characterized in including:
a first session establishing means for establishing a first session with the transmission node responding to a session establishment request from the transmission node; and
a second session establishing means for establishing a second session for transmitting/receiving encrypted transmission data to/from the reception node.
The eighteenth invention for solving the above-mentioned problem, which is a communication apparatus, is characterized in including:
a first session establishing means for establishing a first session responding to a session establishment request;
a second session establishing means for establishing a second session for transmitting/receiving encrypted transmission data; and
an encrypting means for exchanging information necessary for encryption through the second session, and encrypting the transmission data received through the first session based upon this information.
The nineteenth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned eighteenth invention, one of the first session establishing means and the second session establishing means is a means for establishing a session with a transport layer.
The twentieth invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned eighteenth and nineteenth inventions, including a determining means for determining the transmission data, and as a result of the determination, sending the transmission data that has not been encrypted to the first session establishing means.
The twenty-first invention for solving the above-mentioned problem is characterized in that, in the above-mentioned twentieth invention, the determining means is a means for making a reference to a header of the transmission data, thereby to determine whether or not the transmission data has been encrypted.
The twenty-second invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned eighteenth to twenty-first inventions, the first session establishing means is a means for establishing a first session responding to the session establishment request from the transport layer of its own apparatus, and commanding the second session establishing means to establish a second session with the transport layer of a transmission destination.
The twenty-third invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned eighteenth to twenty-first inventions, in a case where the transmission data is transmitted through a relay apparatus, the first session establishing means is a means for establishing a first session responding to the session establishment request from the transport layer of its own apparatus, and commanding the second session establishing means to establish a second session with the transport layer of the relay apparatus.
The twenty-fourth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned eighteenth to twenty-third inventions, each of the first session establishing means, the second session establishing means, the encrypting means, and the determining means is configured between a network layer and a data-link layer.
The twenty-fifth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned eighteenth to twenty-fourth inventions, Operating System (OS) includes the second session establishing means and the encrypting means.
The twenty-sixth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned twenty-fifth invention, the Operating System (OS) further includes the first session establishing means.
The twenty-seventh invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned eighteenth to twenty-sixth inventions, including a controlling means for conducting a communication test, and responding to a result of this test, deciding whether or not the transmission data is encrypted.
The twenty-eighth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned twenty-seventh invention, the timing at which the controlling means conducts the communication test is one of the time its own apparatus is started, the time of transmitting or receiving data, every time a fixed period elapses, and a designated time, or a combination thereof.
The twenty-ninth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned twenty-seventh and twenty-eighth inventions, the communication test is one of a test for checking whether a response of an ICMP echo request is returned, a test for checking whether a response of an echo request employing a special frame is returned, and a test for checking whether a value of an IP address allotted to the transmission node is a specified value, or a combination thereof.
The thirtieth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned eighteenth to twenty-ninth inventions, the encrypting means includes a decrypting means for decrypting the received data based upon the information.
The thirty-first invention for solving the above-mentioned problem is characterized in that, in the above-mentioned thirtieth invention, the decrypting means is a means for decrypting the received data that has been determined by the determining means to be data sent through the second session established by the second session establishing means.
The thirty-second invention for solving the above-mentioned problem is characterized in that, in the above-mentioned thirty-first invention, the determining means is a means for making a reference to a header of the received data, thereby to determine that the received data has been sent through the second session established by the second session establishing means.
The thirty-third invention for solving the above-mentioned problem, which is a communication apparatus for making communication through a relay apparatus, is characterized in including:
a communication establishing means for establishing a session for making communication with a transmission destination;
a session establishing means for establishing an encryption session for transmitting/receiving transmission data encrypted with the relay apparatus; and
an encrypting means for exchanging information necessary for encryption through the encryption session, and encrypting the transmission data based upon this information.
The thirty-fourth invention for solving the above-mentioned problem, which is a communication apparatus, is characterized in including:
a first session establishing means for establishing a first session responding to a session establishment request; and
a second session establishing means for establishing a second session with a transmission destination for transmitting/receiving encrypted transmission data.
The thirty-fifth invention for solving the above-mentioned problem, which is a communication method, is characterized in including:
a first session establishment step of establishing a first session responding to a session establishment request from a transmission source;
a second session establishment step of establishing a second session for transmitting encrypted transmission data; and
an encryption step of exchanging information necessary for encryption through the second session, and encrypting the transmission data received through the first session based upon this information.
The thirty-sixth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned thirty-fifth invention, one of the first session establishment step and the second session establishment step is a step of establishing a session with a transport layer.
The thirty-seventh invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned thirty-fifth and thirty-sixth inventions, the encryption step is a step of determining the transmission data, and as a result of the determination, encrypting the transmission data that has not been encrypted.
The thirty-eighth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned thirty-seventh invention, the encryption step is a step of making a reference to a header of the transmission data, thereby to determine whether or not the transmission data has been encrypted.
The thirty-ninth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned thirty-fifth to thirty-eighth inventions, the first session establishment step is a step of establishing a first session responding to the session establishment request from the transport layer of the transmission source, and giving a command for establishing a second session with the transport layer of a transmission destination in the second session establishment step.
The fortieth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned thirty-fifth to thirty-eighth inventions, in a case where the transmission data is transmitted through a relay apparatus, the first session establishment step is a step of establishing a first session responding to the session establishment request from the transport layer of the transmission source, and giving a command for establishing a second session with the transport layer of the relay apparatus in the second session establishment step.
The forty-first invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned thirty-fifth to fortieth inventions, including a control step of conducting a communication test, and responding to a result of this test, deciding whether or not the transmission data is encrypted.
The forty-second invention for solving the above-mentioned problem is characterized in that, in the above-mentioned forty-first invention, the timing at which the communication test is conducted is one of the time the apparatus of the transmission source is started, the time of transmitting or receiving data, every time a fixed period elapses, and a designated time, or a combination thereof.
The forty-third invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned forty-first and forty-second inventions, the communication test is one of a test for checking whether a response of an ICMP echo request is returned, a test for checking whether a response of an echo request employing a special frame is returned, and a test for checking whether a value of an IP address allotted to the transmission source is a specified value, or a combination thereof.
The forty-fourth invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned thirty-fifth to forty-third inventions, including a decryption step of decrypting the received data based upon the information.
The forty-fifth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned forty-fourth invention, the decryption step is a step of decrypting the received data that has been determined to be data sent through the second session established in the second session establishment step.
The forty-sixth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned forty-fifth invention, the decryption step is a step of making a reference to a header of the received data, thereby to make that determination.
The forty-seventh invention for solving the above-mentioned problem, which is a communication method for making communication through a relay apparatus, is characterized in including:
a communication establishment step of establishing a session through which communication is made between a transmission source and a transmission destination;
a session establishment step of establishing an encryption session for transmitting/receiving transmission data encrypted between the transmission source and the relay apparatus; and
an encryption step of exchanging information necessary for encryption through the encryption session, and encrypting the transmission data based upon this information.
The forty-eighth invention for solving the above-mentioned problem, which is a communication method, is characterized in including:
a first session establishment step of, responding to a session establishment request from a transmission source, establishing a first session with the transmission source; and
a second session establishment step of establishing a second session for transmitting/receiving encrypted transmission data.
The forty-ninth invention for solving the above-mentioned problem, which is a program of an information processing apparatus, is characterized in causing the information processing apparatus to function as:
a first session establishing means for, responding to a session establishment request from a transmission node, establishing a first session with the transmission node;
a second session establishing means for establishing a second session with the reception node for transmitting/receiving encrypted transmission data; and
an encrypting means for exchanging information necessary for encryption through the second session, and encrypting the transmission data received through the first session based upon this information.
The fiftieth invention for solving the above-mentioned problem is characterized in, in the above-mentioned forty-ninth invention, causing one of the first session establishing means and the second session establishing means to function as a means for establishing a session with a transport layer.
The fifty-first invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned forty-ninth and fiftieth inventions, including a determining means for determining the transmission data, and as a result of the determination, sending the transmission data that has not been encrypted to the first session establishing means.
The fifty-second invention for solving the above-mentioned problem is characterized in, in the above-mentioned fifty-first invention, causing the determining means to function as a means for making a reference to a header of the transmission data, thereby to determine whether or not the transmission data has been encrypted.
The fifty-third invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned forty-ninth to fifty-second inventions, causing the first session establishing means to function as a means for establishing a first session with the transmission node responding to the session establishment request from the transport layer of the transmission node, and commanding the second session establishing means to establish a session with the transport layer of the reception node.
The fifty-fourth invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned forty-ninth to fifty-second inventions, in a case where the transmission data is transmitted/received between the transmission node and the reception node through a relay apparatus, causing the first session establishing means to function as a means for establishing a first session with the transmission node responding to the session establishment request from the transport layer of the transmission node, and commanding the second session establishing means to establish a second session with the transport layer of the relay apparatus.
The fifty-fifth invention for solving the above-mentioned problem is characterized in, in one of the above-mentioned forty-ninth to fifty-fourth inventions, including a controlling means for conducting a communication test, and responding to a result of this test, deciding whether or not the transmission data is encrypted.
The fifty-sixth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned fifty-fifth invention, the timing at which the controlling means conducts the communication test is one of the time the transmission node is started, the time of transmitting or receiving data, every time a fixed period elapses, and a designated time, or a combination thereof.
The fifty-seventh invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned fifty-fifth and fifty-sixth inventions, the communication test is one of a test for checking whether a response of an ICMP echo request is returned, a test for checking whether a response of an echo request employing a special frame is returned, and a test for checking whether a value of an IP address allotted to the transmission node is a specified value, or a combination thereof.
The fifty-eighth invention for solving the above-mentioned problem is characterized in that, in one of the above-mentioned forty-ninth to fifty-seventh inventions, the encrypting means includes a decrypting means for decrypting the received data based upon the information.
The fifty-ninth invention for solving the above-mentioned problem is characterized in that, in the above-mentioned fifty-eighth invention, the decrypting means is a means for decrypting the received data that has been determined by the determining means to be data sent through the second session established by the second session establishing means.
The sixtieth invention for solving the above-mentioned problem is characterized in, in the above-mentioned fifty-ninth invention, causing the determining means to function as a means for making a reference to a header of the received data, thereby to determine that the received data has been sent through the second session established by the second session establishing means.
The sixty-first invention for solving the above-mentioned problem, which is a program of an information processing apparatus for making communication through a relay apparatus, is characterized in causing the information processing apparatus to function as:
a communication establishing means for establishing a session through which communication is made between a transmission source and a transmission destination;
a session establishing means for establishing an encryption session for transmitting/receiving transmission data encrypted between the transmission source and the relay apparatus; and
an encrypting means for exchanging information necessary for encryption through the encryption session, and encrypting the transmission data based upon this information.
The sixty-second invention for solving the above-mentioned problem, which is a program of an information processing apparatus, is characterized in causing the information processing apparatus to function as:
a first session establishing means for, responding to a session establishment request from a transmission node, establishing a first session with the transmission node; and
a second session establishing means for establishing a second session for transmitting/receiving encrypted transmission data to/from the reception node.
The first effect of the foregoing present invention lies in a point that utilizing the TCP relaying means enables certificate information or an encryption key to be exchanged between the intermediate driver of the PC side and the SSL of the server side, whereby not only a burden of setting the encryption key to the intermediate driver of the PC side, but also a burden of installing the intermediate driver onto the server is eliminated. Further, a risk as well that data is wiretapped by the third party, and resultantly, secret information leaks out can be excluded.
The second effect lies in a point that utilizing a loopback connection enables the encrypting means incorporated inside the intermediate driver to be replaced with the existing module in the OS, whereby a burden that the software developer bears for developing the encrypting means and the decoding means is eliminated.
The third effect lies in a point that utilizing a TCP tunneling means enables the PC to encrypt data being sent out also in a case where the application of the server is not in a correspondence with the SSL, whereby a burden of installing the application in correspondence with SSL onto the server is eliminated.
The fourth effect lies in a point that utilizing an encryption setting means enables the encryption setting of the intermediate driver to be automatically switched over responding to a network environment, whereby a burden that a user bears for manually changing the encryption setting is eliminated. Further, a risk as well that the not-encrypted packet is sent out due to the erroneous setting by a user, and resultantly, secret information leaks out can be excluded.
The fifth effect lies in a point that incorporating each function of the intermediate driver into the gateway enables the encryption of the frames from all PCs to be collectively executed in the gateway also in a case where a plurality of the PCs each having a potential for causing secret information to leak out exist in the network, whereby a burden of installing the intermediate driver onto each PC is eliminated.
The first encryption system of the present invention includes the PC and the server. And, as shown in
And, as shown in
Employing such a configuration to perform a TCP relaying process in the intermediate driver of the PC makes it possible to match the TCP/IP hierarchy of the encrypting means of the intermediate driver of the PC side with that of the SSL of the server side. This enables communication by the SSL protocol to be made between the encrypting means of the intermediate driver of the PC side and the SSL of the server side, and the certificate information or the encryption key necessary for starting the encryption session to be exchanged. For this, the PC can download the certificate information or the encryption key from the server side, and simply can start the encrypted communication if the certificate or the encryption key are pre-set to the SSL module of the server side even though the certificate or the encryption key are not pre-set to the encrypting means of the intermediate driver of the PC side. From the foregoing, employing this configuration eliminates not only a burden of installing a special module onto the server side but also a burden of setting the encryption key or the certificate password to the PC, whereby a first object of the present invention can be accomplished.
Further, the second encryption system of the present invention, as shown in
Employing such a configuration to loop back the frame, of which the encryption has been determined to be necessary, from the intermediate driver into the OS in the intermediate driver of the PC by employing the loopbacking means makes it possible to encrypt the frame with the SSL module existing in the OS. In almost all cases, the SSL is installed as standard on the OS (Operating System) of the computers currently available on the market, so the software developer does not have to develop the SSL anew. As a result, packaging the encrypting means into the intermediate driver is not necessitated, whereby a second object of the present invention can be accomplished.
Further, the third encryption system of the present invention includes a gateway in addition to the configuration of the first encryption system. This third encryption system is an encryption system that is characterized in that the PC and the gateway have a TCP tunneling means for establishing an encryption TCP tunnel mounted therebetween as shown in
By employing such a configuration, encrypting the frame of which the encryption has been determined to be necessary in the intermediate driver of the PC, thereafter transferring it from the PC to the gateway by employing the TCP tunneling means, decoding this frame in the gateway, and then re-transferring it to the server, the PC can encrypt data being sent out even in a case where the application software of the server side is not in a correspondence with the SSL. For this, the encrypted communication can be made between the PC and the server without depending upon the application, whereby a third object of the present invention can be accomplished.
Further, the fourth encryption system of the present invention includes a management server in addition to the configuration of the first encryption system. And, this fourth encryption system is an encryption system that is characterized in that the PC includes an encryption setting means for automatically switching the setting of the encryption function of the intermediate driver over as shown in
Employing such a configuration to automatically change the setting of the encryption function of the intermediate driver of the PC over enables a fourth object of the present invention to be accomplished.
Further, the fifth encryption system of the present invention is an encryption system that is characterized in including a gateway in addition to the configuration of the first encryption system and in incorporating the function of the intermediate driver incorporated into the PC in the first encryption system into the gateway.
Installation of the intermediate driver onto the PC is unnecessitated by employing such a configuration to encrypt the frame of which the encryption has been determined to be necessary in the intermediate driver of the gateway, and to then send it out, whereby a fifth object of the present invention can be accomplished.
Next, so as to explain the aspect that enables the foregoing advantages and characteristics of the present invention to be obtained, a more specific description of the present invention briefed below will be made by making a reference to specific embodiments shown in the accompanying drawings. Upon understanding that these drawings illustrate only typified embodiments, and the invention is not intended to be limited to the embodiments described therein, the present invention will be described and explained more clearly and in detail by employing the drawings attached hereinafter.
[Explanation of a Configuration]
A first embodiment for carrying out the first invention of the present invention will be explained in detail by making a reference to the accompanying drawings.
The PC 1, which is connected to the hub 3, receives the frame from the hub 3, and performs a desired process for the received frame. Further, the PC 1 transmits the frame generated in the internal process of the PC1 to the hub 3.
The server 2, which is connected to the hub 3, receives the frame from the hub 3, and performs a desired process for the received frame. Further, the server 2 transmits the frame generated in the internal process of the server 2 to the hub 3.
The hub 3 is connected to the PC 1 and the server 2. Upon receipt of the frame from the PC 1, the hub 3 analyzes the received frame, and transfers the frame to an appropriate port based upon its analysis result. Further, upon receipt of the frame from the server 2, the hub 3 analyzes the received frame, and transfers the frame to an appropriate port based upon its analysis result.
The CPU 100, which is referred to as a central processing unit, is hardware for loading software (program) recorded in the HDD 103, and executing the process described in a program by employing the memory 102. In performing this process, the CPU 100 receives a command by a user from the keyboard 104 and the mouse 105, and in addition hereto, also can output a result to the monitor 106. Further, in performing this process, it sometimes receives data from the NIC 101, or outputs data to the NIC 101.
The NIC 101, which is referred to as a network interface card, is hardware that is inserted into a computer for a purpose of connecting a cable for a network such as Ethernet. It converts data received from the cable into an appropriate electric signal to send it to the CPU 100, and contrarily, converts data received from the CPU 100 into an appropriate signal to send it to the cable.
The memory 102, which is a memory device that is used at the moment that the CPU 100 processes/executes the software, preserves data sent together with a write command from the CPU 100 in a designated address, and further, upon receipt of a read command transmitted from the CPU 100, reads out data from the designated address to forward it to the CPU.
The HDD 103, which is referred to as a hard disc drive, is a memory device for storing the software (program). It preserves data sent together with the write command from the CPU 100 in the designated address, and further, upon receipt of the read command transmitted from the CPU 100, reads out data from the designated address to forward it to the CPU.
The keyboard 104 is an input apparatus for converting a command input by pressing a key by a user into an electric signal, and conveying it to the CPU 100.
The mouse 105 is an input apparatus for converting a command input by moving the mouse by a user into an electric signal, and conveying it to the CPU 100.
The monitor 106 is an output apparatus for receiving a depiction command transmitted by the CPU 100, and displaying it on a Braun tube, a liquid crystal screen, etc.
Many items of the software other than the software shown in
Next, a function of each component of the PC 1 will be explained in detail. At first, out of the software operating within the CPU of the PC 1, the software that is positioned at the higher layer that is not included in the OS will be explained. The PC 1 includes a client application A1 as software that corresponds hereto. The client application A1 is an application for making communication with a server application B1 of the server 2. The client application A1 has a function of transferring data generated in a predetermined process to a TCP A2. Further, the client application A1 has a function of, upon receipt of data from the TCP A2, performing a predetermined process for the received data.
Next, a function of the software that is included in the OS of the PC 1 will be explained. The PC 1 includes a TCP A2, an IP routing A3, and an IP stack A4 as software that is included in the OS.
The TCP A2 has a function of arranging data into formatted data having a constant form and packetizing it in the processes of (1) to (4) described below, or recovering the data from the packet.
(1) The TCP A2 receives data from the client application A1, adds to the data a TCP header and a destination IP address for detecting a missing of the packet or a reversal of the sequence, and sends it to the IP routing A3. Herein, the data, of which size is large, is division-processed (also referred to as “is fragmented”).
(2) The TCP A2 receives the packet from the IP routing A3, and makes a reference to the TCP header, thereby to detect a missing of the packet or a reversal of the sequence, and in a case where not only a reversal of the sequence but also a missing has not occurred, removes the header from the packet, and sends the data to the client application A1. At this moment, it gives an ACK packet for notifying arrival of the packet as a reply to a transmission source of the packet.
(3) In the above-mentioned (2), in a case where a missing of the packet has occurred, the TCP A2 transmits a re-sending request packet to the transmission source. Further, in a case where a reversal of the sequence or a fragmentation has occurred, it waits for the packet that is to arrive later, and recovers the data.
(4) Upon receipt of the ACK packet, the TCP A2 regulates a transmission speed of the packet in (1).
The IP routing A3 has a function of receiving the packet from the TCP A2, and making a reference to the destination IP address to transfer the received packet to the IP stack A4. Further, the IP routing A3 has a function of receiving the packet from the IP stack A4, and making a reference to a destination port number to transfer the received packet to the TCP A2.
The IP stack A4 has a function of receiving the packet from the IP routing A3, adding the IP header and the MAC header to the received packet, thereby to generate a frame, and transferring this frame to an intermediate driver A11.
Next, the software that is positioned in the lower layer that is not included in the OS of the PC 1 will be explained. The PC 1 includes the intermediate driver A11 and a driver A5 as software that corresponds hereto.
The intermediate driver A11 is a module that is inserted between a network layer and a data-link layer that are mentioned in a tabulation of a TCP/IP hierarchy model. And, the intermediate driver A11, which is connected to the IP stack A4 and the driver A5, has functions listed below.
The intermediate driver A11 makes a reference to a header of the frame that arrives from the IP stack A4, thereby to determine whether the frame needs to be encrypted. If, as a result of the determination, the received frame needs to be encrypted, the intermediate driver A11 terminates a TCP session with the TCP A2 for the time being, and thereafter, encrypts the data. Herein, the encryption key exchanged with the SSL B2 is employed for an encryption key that is used for encryption. And, the intermediate driver A11 has a function of, after adding to the encrypted data the header that corresponds to the TCP session with the TCP B3, transferring it to the driver A5. On the other hand, the intermediate driver A11 has a function of, if the received frame does not need to be encrypted, transferring the received frame to the driver A5. Herein, as a frame that does not need to be encrypted, the frame already encrypted in the higher TCP/IP hierarchy, a DHCP packet, an ARP packet, etc. are listed.
Further, the intermediate driver A11 makes a reference to a header of the frame that arrives from the driver A5, thereby to determine whether the frame needs to be decoded. If, as a result of the determination, the received frame needs to be decoded, the intermediate driver A11 terminates a TCP session with the TCP B3 for the time being, and thereafter, decodes the data. Herein, the decoding key exchanged with the SSL B2 is employed for a decoding key that is used for decoding. And, the intermediate driver A11 has a function of, after adding to the decoded data the header that corresponds to the TCP session with the TCP A2, transferring it to the IP stack A4. On the other hand, the intermediate driver A11 has a function of, if the received frame does not need to be decoded, transferring it to the IP stack A4. As a frame that does not need to be decoded, the frame that should be decoded in the TCP/IP hierarchy higher than the intermediate driver A11, the DHCP packet, the ARP packet, etc. are listed.
The intermediate driver A11, as shown in
However, each of a function and a configuration of each component described below is only an example. In particular, it will be appreciated by those skilled in the relevant field that the function and configuration of the frame analyzer A12 and the header converter A13 can be realized with a variety of methods.
Further, the frame analyzer A12 to be described below will be explained by employing a configuration having a function of determining whether the received frame needs to be encrypted and decoded; however it is not limited hereto. For example, the frame analyzer A12 may assume a configuration having a function of determining whether to cancel the frame in addition to this function. This cancellation function makes it possible to prevent CPU resources of the PC 1 from being wasted due to the unnecessary processing of packets, and to prevent the PC 1 from being attacked unauthorizedly from the external network.
At first, a function of the frame analyzer A12 will be explained. The frame analyzer A12 is connected to the IP stack A4, the header converter A13, and the driver A5. Each of
As mentioned above, it can be determined whether the received frame has been encrypted in the higher TCP/IP hierarchy, and whether the received frame is one of the DHCP frame and the DNS frame, for example, by making a reference to the TCP header of its frame. Specifically, it follows that numbers, for example, no. 443, no. 465, and no. 995 are employed for the destination port number of the encrypted frame with WWW (World Wide Web) access, mail transmission, and mail reception, respectively. On the other hand, numbers, for example, no. 80, no. 25, and no. 110 are employed for the destination port number of the not-encrypted frame with WWW (World Wide Web) access, mail transmission, and mail reception, respectively. Further, no. 68 is employed for the destination port number of the DHCP frame, and no. 53 for the destination port number of the DNS frame.
In such a manner, it is determinable from the header of the frame whether its frame needs to be encrypted. So as to cause the frame analyzer A12 to execute such a process, it is enough that the frame analyzer A12 is allowed to have a list having port number information described of the encrypted frame and the not-encrypted frame.
The frame analyzer A12 employs the above-mentioned method, thereby to determine in the step S3 of
On the other hand,
The frame of which the decoding is determined to be necessary in this step S13 is a frame that has been encrypted. Contrarily, the frame of which the decoding is determined to be unnecessary in this step S13 is a frame that has not been encrypted.
As mentioned above, whether the received frame has been encrypted is determinable, for example, by making a reference to the TCP header of its frame.
Specifically, it follows that the numbers, for example, no. 443, no. 465, and no. 995 are employed for the transmission source port number of the encrypted frame with WWW (World Wide Web) access, mail transmission, and mail reception, respectively. On the other hand, no. 80, no. 25, and no. 110 are employed for the transmission source port number of the not-encrypted frame with WWW (World Wide Web) access, mail transmission, and mail reception, respectively.
In such a manner, it is determinable from the header of the frame whether its frame needs to be decoded. So as to cause the frame analyzer A12 to execute such a process, it is enough that the frame analyzer A12 is allowed to have a list having port number information described of the encrypted frame and the not-encrypted frame.
Further, the frame analyzer A12 also makes a reference to the table T1 to check whether the acquired frame header has been registered into the table T1 in addition to the above-mentioned process. Herein, in checking whether the frame header has been registered into the table T1, attention should be paid to the fact that, with both of the frame header and the table T1, a relation of the transmission source address and the destination address has been reversed.
As a result of the determination, if the frame does not need to be decoded, or the acquired header has been registered into the table T1, the frame analyzer A12 transfers the frame to the IP stack A4 (step S14). Further, if the frame needs to be decoded, and yet the acquired header has not been registered into the table T1, the frame analyzer A12 transfers the frame to the header converter A13 (step S15).
Herein, the reason why the registered information of the table T1 is checked will be explained. The reason is that it is determined whether the received frame is decoded in the intermediate driver A11, or in the TCP/IP hierarchy higher than the intermediate driver A11. So as to explain the necessity of making a reference to this table T1 in detail, envisage the case that the PC 1 includes a plurality of the SSL modules. For example, in a case where the PC 1 includes not only an SSL A16 that exists in the intermediate driver A11, but also another SSL module in the TCP/IP hierarchy higher than the intermediate driver A11, the packet of some TCP session is encrypted and decoded in the SSL A16 of the intermediate driver A11, and further, the packet of another TCP session is encrypted and decoded in the SSL module of the TCP/IP hierarchy higher than the intermediate driver A11. In such a case, it is the table T1 that is used for determining which SSL module is employed for decoding the received packet. The table T1 has the header of the packet encrypted in the TCP/IP hierarchy higher than the intermediate driver A11 registered in the step S4 of
On the other hand,
If, as a result of the investigation, the destination of the frame is the PC 1, the frame analyzer A12 transfers the frame to the IP stack A4 (step S24). Further, if the destination of the frame is a destination other than the PC 1, it transfers the frame to the driver A5 (step S25).
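The port-list and table T1 decisions of the frame analyzer A12 described above (steps S3/S4 for outbound frames, steps S13 to S15 for inbound frames), as an added example in Python that is not the patent's own code. The port numbers are the ones named in the text; the DHCP server port 67, the treatment of ports on neither list, the header fields and the sample addresses are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Set, Tuple

# Port lists named in the text: destination ports of frames already encrypted
# above the intermediate driver (WWW access, mail transmission, mail reception)
# and of the corresponding plaintext protocols.
ENCRYPTED_PORTS = {443, 465, 995}
PLAINTEXT_PORTS = {80, 25, 110}
# DNS (53) and DHCP (68) frames are passed through untouched.  Port 67 is the
# DHCP server port (an assumption; the text names only 68).
PASSTHROUGH_PORTS = {53, 67, 68}


@dataclass(frozen=True)
class FrameHeader:
    """Header fields the analyzer consults (constructed for this example)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    ethertype: str = "ip"  # "arp" frames carry no TCP header and always pass through


# Table T1: headers of outbound frames encrypted in a layer above the
# intermediate driver, keyed as (src_ip, src_port, dst_ip, dst_port).
TableT1 = Set[Tuple[str, int, str, int]]


def outbound_decision(h: FrameHeader, t1: TableT1) -> str:
    """Step S3: classify a frame arriving from the IP stack A4.

    Returns "pass" (hand to the driver A5 unchanged) or "encrypt" (hand to
    the header converter A13).  As a side effect, step S4 registers the
    header of an already-encrypted frame in table T1.
    """
    if h.ethertype == "arp" or h.dst_port in PASSTHROUGH_PORTS:
        return "pass"
    if h.dst_port in ENCRYPTED_PORTS:
        t1.add((h.src_ip, h.src_port, h.dst_ip, h.dst_port))
        return "pass"
    if h.dst_port in PLAINTEXT_PORTS:
        return "encrypt"
    # Assumption (not stated on the page): a port on neither list is treated
    # as plaintext, so an incomplete list never lets a frame out in the clear.
    return "encrypt"


def inbound_decision(h: FrameHeader, t1: TableT1) -> str:
    """Steps S13 to S15: classify a frame arriving from the driver A5.

    Returns "pass" (hand to the IP stack A4) or "decrypt" (hand to the
    header converter A13).  The T1 lookup swaps source and destination,
    because T1 holds the header as it was seen on the outbound frame.
    """
    if h.ethertype == "arp" or h.src_port in PASSTHROUGH_PORTS:
        return "pass"
    if h.src_port not in ENCRYPTED_PORTS:
        return "pass"  # not encrypted, nothing to decode (step S14)
    reversed_key = (h.dst_ip, h.dst_port, h.src_ip, h.src_port)
    if reversed_key in t1:
        return "pass"  # a higher SSL module owns this session (step S14)
    return "decrypt"  # session belongs to the SSL A16 in the driver (step S15)


def run_sample() -> dict:
    """Walk constructed frames through both decisions and return the verdicts."""
    t1: TableT1 = set()
    pc, srv = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses
    out_http = outbound_decision(FrameHeader(pc, srv, 50000, 80), t1)
    out_https = outbound_decision(FrameHeader(pc, srv, 50001, 443), t1)
    out_dhcp = outbound_decision(FrameHeader("0.0.0.0", "255.255.255.255", 68, 67), t1)
    # Replies: the higher-layer HTTPS session is in T1 (reversed), the other is not.
    in_higher = inbound_decision(FrameHeader(srv, pc, 443, 50001), t1)
    in_driver = inbound_decision(FrameHeader(srv, pc, 443, 50002), t1)
    in_plain = inbound_decision(FrameHeader(srv, pc, 80, 50000), t1)
    return {
        "out_http": out_http, "out_https": out_https, "out_dhcp": out_dhcp,
        "in_higher": in_higher, "in_driver": in_driver, "in_plain": in_plain,
        "t1_size": len(t1),
    }


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name}: {verdict}")
```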
Next, a function of the header converter A13 will be explained. The header converter A13 is connected to the frame analyzer A12, the TCP A14, and the TCP A17. Each of
On the other hand,
Next, functions of the TCP A14 and the TCP A17 will be explained. Each of the TCP A14 and the TCP A17 has a function of arranging data into formatted data having a constant form and packetizing it in the processes of (1) to (4) described below, or recovering the data from the packet.
(1) Each of the TCP A14 and the TCP A17 receives data from the SSL A16 or the relay application A15, adds to the data the TCP header and the destination IP address for detecting a missing of the packet and a reversal of the sequence, and sends it to the header converter A13. Herein, the data, of which size is large, is division-processed (also referred to as “is fragmented”).
(2) Each of the TCP A14 and the TCP A17 receives the packet from the header converter A13, and makes a reference to the TCP header, thereby to detect a reversal of the sequence and a missing of the packet, and in a case where not only a reversal of the sequence but also a missing has not occurred, removes the header from the packet to send the data to the relay application A15. At this moment, it gives an ACK packet for notifying arrival of the packet as a reply to a transmission source of the packet.
(3) In the above-mentioned (2), in a case where a missing of the packet has occurred, the TCP A14 and the TCP A17 transmit a re-sending request packet to the transmission source of the packet. Further, in a case where a reversal of the sequence or a fragmentation has occurred, they wait for the packet that is to arrive later, and recover the data.
(4) Upon receipt of the ACK packet, each of the TCP A14 and the TCP A17 regulates a transmission speed of the packet in (1).
Next, a function of the SSL A16 will be explained. The SSL A16 has a function of, after encrypting the data received from the relay application A15, transferring it to the TCP A17. Further, the SSL A16 has a function of, after decoding the data received from the TCP A17, transferring it to the relay application A15. In addition hereto, the SSL A16 has a function of exchanging information of the certificate or the secret key/the public key that are employed for encryption with the SSL B2 according to an SSL protocol. It is decided according to the setting from the relay application A15 whether to use the SSL, and in a case where the SSL is not used, the data received from the relay application A15, which is not encrypted, is transferred to the TCP A17, and further the data received from the TCP A17, which is not decoded, is transferred to the relay application A15.
Next, a function of the relay application A15 will be explained. The relay application A15 has a function of transferring the data arriving from the TCP A14 to the SSL A16 for a purpose of allowing it to get into communication by the TCP session between the TCP A16 and a TCP B3.
Above, the explanation of each functional block that is included in the intermediate driver A11 is finished.
Continuously, a function of the driver A5 will be explained. The driver A5, which is software for mediating between an NIC A6 and the OS, has a function of receiving the frame from the NIC A6 and sending it to the OS, and further has a function of receiving the frame from the OS and sending it to the NIC A6.
Next, a function of hardware of the PC 1 will be explained. The PC 1 includes the NIC A6 as hardware. The NIC A6, which is referred to as a network interface card, is hardware that is inserted into a computer for a purpose of connecting a cable for a network such as Ethernet. It has a function of converting data received from the cable into an appropriate electric signal to send it to the driver, and further converting data received from the driver into an appropriate electric signal to transmit it to the cable.
Next, a function of each component of the server 2 will be explained. At first, out of software that operates within the CPU of the server 2, software that is positioned in the higher layer that is not included in the OS will be stated. The server 2 includes the server application B1 as software that corresponds hereto. The server application B1 is an application for making communication with the client application A1. The server application B1 has a function of transferring data generated in a predetermined process to the TCP B2. Further, the server application B1 has a function of, upon receipt of data from the TCP B2, performing a predetermined process for the received data.
Next, a function of the software that is included in the OS of the server 2 will be explained. The server 2 includes the SSL B2, the TCP B3, a TCP B6, an IP routing B4, and an IP stack B5 as software that is included in the OS. The function of the software other than the IP stack B5 out of these modules is entirely identical to that of the software of the PC 1, so its explanation is omitted.
The IP stack B5 has a function of receiving the packet from the IP routing B4, adding the IP header and the MAC header to the packet, and then transferring the packet to a driver B7.
Next, a function of the software that is positioned in the lower layer that is not included in the OS of the server 2 will be explained. The server 2 includes the driver B7 as software that corresponds hereto; however a function of the driver B7 is entirely identical to that of the driver A5 of the PC 1, so its explanation is omitted.
Next, a function of the hardware of the server 2 will be explained. The server 2 includes an NIC B8 as hardware; however a function of the NIC B8 is entirely identical to that of the NIC A6 of the PC 1, so its explanation is omitted.
Next, a function of each component of the hub 3 will be explained. At first, a function of the software that is included in the OS of the hub 3 will be explained. The hub 3 includes a bridge C1 as software that is included in the OS. The bridge C1 has a function of receiving the frame from a driver C2 or a driver C4, making a reference to the destination MAC address, and transferring the frame to the driver C2 or the driver C4. Further, it has a function of, at the time of receiving the frame, making a reference to the transmission source MAC address, learning the MAC address, and recording which MAC address the terminal has, and which NIC the above terminal has been connected to.
Next, a function of the software of the lower layer that is not included in the OS of the hub 3 will be explained. The hub 3 includes the driver C2 and the driver C4 as software that corresponds hereto; however a function of the driver C2 and the driver C4 is entirely identical to that of the driver A5 of the PC 1, so its explanation is omitted.
Next, a function of the hardware of the hub 3 will be explained. The hub 3 includes an NIC C3 and an NIC C5 as hardware; however a function of the NIC C3 and the NIC C5 is entirely identical to that of the NIC A6 of the PC 1, so its explanation is omitted.
[Explanation of an Operation]
At first, an operation in the case that data is transmitted from the client application A1 of the PC 1 to the server application B1 of the server 2 will be explained.
In a case where the client application A1 of the PC 1 transmits data to the server application B1 of the server 2, it firstly delivers data to the TCP A2 through a connection P1.
Upon receipt of the data from the client application A1 through the connection P1, the TCP A2 adds the TCP header and the destination IP address to the data, thereby to packetize it. A port number t2 of the TCP B6 of the server 2 is employed for the destination TCP port number of the TCP header, and a port number t1 of the TCP A2 for the transmission source TCP port number. Further, an IP address i2 of the server 2 is set to the destination IP address. After adding the TCP header and the destination IP address, the TCP A2 delivers the packet to the IP routing A3 through a connection P2.
Upon receipt of the packet from the TCP A2 through the connection P2, the IP routing A3 makes a reference to the destination IP address, and transmits the packet to the IP stack A4 through a connection P3.
Upon receipt of the packet from the IP routing A3 through the connection P3, the IP stack A4 adds the IP header and the MAC header to the packet. An IP address i2 of the server 2 is employed for the destination IP address of the IP header, and an IP address i1 of the PC 1 for the transmission source IP address. Further, an MAC address m2 of the server 2 is employed for the destination MAC address of the MAC header, and an MAC address m1 of the PC 1 for the transmission source MAC address. After inserting such an IP header and MAC header into the packet, thereby to generate a frame, the IP stack A4 delivers the frame to the frame analyzer A12 through a connection P4.
Upon receipt of the frame from the IP stack A4 through the connection P4 as shown in
For example, whether the frame has been encrypted can be checked from the destination TCP port number t2 of the frame. The frame analyzer A12 makes a reference to a list in which the port numbers of encrypted frames and of non-encrypted frames are described, and thereby recognizes that the port number t2 is a destination TCP port number of a non-encrypted frame.
After performing such a process, the frame analyzer A12 determines that the frame delivered in the connection P4 has not been encrypted, and delivers this frame to the header converter A13 through a connection P5 according to
Upon receipt of the frame from the frame analyzer A12 through the connection P5 as shown in
Upon receipt of the packet from the header converter A13 through a connection P6, the TCP A14 makes a reference to the TCP header, thereby to detect a reversal of the sequence and a missing of the packet, and in a case where neither a reversal of the sequence nor a missing has occurred, removes the header from the packet to deliver the packet to the relay application A15 through a connection P7. At this moment, it gives an ACK packet for notifying arrival of the packet as a reply to the TCP A2, thereby to terminate the TCP session from the TCP A2. Viewed from the TCP A2, the TCP session looks as if it were established between the TCP A2 and the TCP B6, because the port number of the TCP A14 has been caused to coincide with the port number t2 of the TCP B6; however, the actual TCP session is established between the TCP A2 and the TCP A14. In
The above-mentioned explanation of the operation of the TCP A14 was made on the assumption that the TCP session 1 was already established between the TCP A2 and the TCP A14. Herein, upon making a digression a little, an operation until the TCP session 1 is established between the TCP A2 and the TCP A14 will be briefed.
Upon receipt of the data from the client application A1 through the connection P1, the TCP A2 transmits a TCP session establishment request frame for the purpose of establishing the TCP session with the TCP B6 of the server 2 prior to transmitting its data. The TCP A14, however, waits for this TCP session establishment request frame on all port numbers so that it can take over the request, that is, so that all such frames are drawn into the TCP A14. Port numbers that TCP modules other than the intermediate driver A11 occupy are excluded from the wait-state port numbers, so as to prevent a port number conflict from occurring.
Performing such a process enables the TCP A14 to receive the TCP session establishment request frame via the header converter A13. Upon receipt of this TCP session establishment request frame, the TCP A14 occupies the destination port number t2 described in its frame header as a wait-state port number of the TCP A14, and releases the other port numbers. Thereafter, the TCP A14 performs the 3-way handshake process necessary for establishing the TCP session with the TCP A2, and establishes a TCP session 1. Performing the process described above thus enables the TCP session 1 to be established between the TCP A2 and the TCP A14.
Above, a digression was made a little, and now returning to the subject matter, the explanation of the operation of each module is continued.
Upon receipt of the packet from the TCP A14 through the connection P7, the relay application A15 delivers it as it stands to the SSL A16 through a connection P8 for the purpose of encrypting the packet to prevent wiretapping.
Upon receipt of the packet from the relay application A15 through the connection P8, the SSL A16 uses an encryption technique pre-settled with the SSL B2 of the server 2, thereby to encrypt the packet. After completing the encryption, the SSL A16 delivers the encrypted data to the TCP A17 through a connection P9.
Upon receipt of the encrypted data from the SSL A16 through the connection P9, the TCP A17 adds the TCP header and the destination IP address to this data, thereby to packetize it. A port number t4 of the TCP B3 of the server 2 is employed for the destination TCP port number of the TCP header, and a port number t3 of the TCP A17 for the transmission source TCP port number. Herein, the port number t4 of the TCP B3 is a port number that is explicitly used in transmitting the encrypted data. For example, in a case of transmitting the encrypted mail, the protocol of SMTP over SSL is used, and no. 465 is employed as its destination TCP port number. Further, an IP address i2 of the server 2 is set to the destination IP address. After adding the TCP header and the destination IP address, the TCP A17 delivers the packet to the header converter A13 through a connection P10. The TCP A17 establishes the TCP session with the TCP B3 by use of these processes, and realizes the stabilized data transfer to/from the TCP B3. In
The above-mentioned explanation of the operation of the TCP A17 was made on the assumption that the TCP session 2 was already established between the TCP A17 and the TCP B3. Herein, upon making a digression a little again, an operation until the TCP session 2 is established between the TCP A17 and the TCP B3 will be briefed.
Previously, the operation until the TCP A14 established the TCP session 1 with the TCP A2 was described, and after the TCP A14 establishes the TCP session 1 with the TCP A2, it sends the relay application A15 a command for establishing the encryption TCP session 2 with the server 2. At this moment, the TCP A14 delivers information as well of the IP address i2 of the server 2 and the port number t2 of the TCP B6 to the relay application A15.
Upon receipt of the command from the TCP A14, the relay application A15 derives a port number for encryption from the port number t2 for not-encryption that is delivered from the TCP A14. This process of deriving the port number for encryption is executable by making a reference to a list that, application by application, has its port number for encryption and port number for not-encryption described.
Specifically, the relay application A15 makes a reference to a list having the numbers described in such a manner that the encryption/not-encryption port number of WWW (World Wide Web) is no. 443/no. 80, the encryption/not-encryption port number of the mail transmission is no. 465/no. 25, and the encryption/not-encryption port number of the mail reception is no. 995/no. 110.
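As an added illustration (not code from the patent), the frame analyzer's check and the relay application's port derivation described above can be carried out as follows. The example assumes Ethernet II / IPv4 / TCP frames without IP options, models the "list" as a dictionary holding the three port pairs given in the text, and reports destination ports that are on neither side of the list as "unknown", a case the text does not specify; the test frame is constructed inline.

```python
import struct

# The list the frame analyzer and the relay application consult: non-encryption port -> encryption
# port, application by application (WWW, mail transmission, mail reception), as given in the text.
PORT_MAP = {80: 443, 25: 465, 110: 995}
ENCRYPTED_PORTS = frozenset(PORT_MAP.values())
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def parse_frame(frame):
    """Extract the addressing fields the frame analyzer needs from an Ethernet II / IPv4 / TCP frame.

    Raises ValueError for anything it cannot classify (non-IPv4, non-TCP, truncated), so the
    caller decides what to do with such frames instead of silently treating them as encrypted.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("malformed IPv4 header")
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP: IP protocol %d" % ip[9])
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
        "src_port": src_port, "dst_port": dst_port,
    }


def classify(dst_port):
    """Frame analyzer decision on the destination TCP port (t2 in the text).

    "encrypted": already bound for an encryption port, send out as it stands;
    "plaintext": bound for a non-encryption port with a listed encrypted counterpart,
                 divert to the header converter and the relay;
    "unknown":   on neither side of the list (assumption here: the text leaves this to policy).
    """
    if dst_port in ENCRYPTED_PORTS:
        return "encrypted"
    if dst_port in PORT_MAP:
        return "plaintext"
    return "unknown"


def derive_encryption_port(plain_port):
    """Relay application step: non-encryption port t2 -> encryption port t4."""
    if plain_port not in PORT_MAP:
        raise ValueError("no encryption port listed for port %d" % plain_port)
    return PORT_MAP[plain_port]


def build_frame(dst_mac, src_mac, src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Constructed test input: a minimal Ethernet II / IPv4 / TCP frame (PSH+ACK, no options).

    Checksums are left at zero; the analyzer never checks them, and a real frame would have them
    filled in by the IP stack.
    """
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp
```

A frame toward port 25 parses as "plaintext" and derives 465; one toward 443 or 465 is "encrypted" and passes through; anything that is not IPv4/TCP raises rather than being passed as if it were encrypted, which is the fail-closed behaviour a driver at this position should default to.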
After the relay application A15 derives the encryption port number t4 that corresponds to the not-encryption port number t2 in the above-mentioned process, it delivers information of the IP address i2 of the server 2 and the encryption port number t4 to the TCP A17 via the SSL A16.
Upon receipt of the IP address i2 and the encryption port number t4 from the relay application A15 via the SSL A16, the TCP A17 transmits a TCP session establishment request frame for encryption to the TCP B3 of the server 2.
If the server application B1 that supports the SSL has been installed onto the server 2, it follows that the TCP B3 has been mounted onto the server 2, whereby the 3-Way Handshake process can be executed between the TCP B3 and the TCP A17, and the TCP session 2 can be established. After this TCP session 2 is established, the certificate information or the secret key necessary for starting the encryption session is exchanged between the SSL A16 and the SSL B2 by utilizing the TCP session 2. Performing the process described above thus enables the TCP session 2 to be established between the TCP A17 and the TCP B3. That is, it follows that the TCP A17 has established the session with the transport layer of the TCP B3.
On the other hand, unless the server application B1 that supports the SSL has been installed onto the server 2, it follows that the TCP B3 has not been mounted onto the server 2, whereby the TCP A17 cannot execute the 3-Way Handshake process with the TCP B3, and resultantly cannot establish the TCP session 2. As a countermeasure in such a case, for example, the following two methods are conceivable.
(1) Such application data is discarded in the intermediate driver A11, because it is impossible to encrypt it for transmission/reception between the PC 1 and the server 2, and there is a risk of its being wiretapped.
(2) The data is deliberately transmitted without encryption to the TCP B6 of the server 2, without using the encryption function of the SSL A16, accepting the risk that the data is wiretapped. In this case, it is necessary not only to change the setting of the frame analyzer A12 but also to establish a TCP session 3 between the TCP A17 and the TCP B6, so that the frame transmitted from the TCP B6 is transferred to the TCP A17.
The operational policy of security governs which method out of the above-mentioned two methods is employed.
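As an added example (not the patent's code) of the two-session relay and the two countermeasures above: the relay accepts the client's plaintext connection (TCP session 1), tries to open TLS to the derived encryption port (TCP session 2), and, when the server has no TLS listener, either discards the client's data (countermeasure (1)) or deliberately falls back to the plaintext port (countermeasure (2)). It assumes everything runs on 127.0.0.1, that the relay listens on a local port of its own instead of capturing the client's session establishment request at the driver layer, that the policy is chosen by a constructor argument, and that the server's plaintext listener is a constructed echo server. The TLS leg uses the standard library's ssl module with certificate verification on; the demo never reaches it, because it needs no server certificate. Python 3.8 or later.

```python
import socket
import ssl
import threading
from contextlib import suppress

PORT_MAP = {80: 443, 25: 465, 110: 995}  # non-encryption port -> encryption port (the list in the text)
DROP = "drop"                      # countermeasure (1): discard, never send plaintext
PASS_PLAINTEXT = "pass_plaintext"  # countermeasure (2): fall back to the server's plaintext port


def pump(src, dst):
    """Copy bytes src -> dst until src signals EOF, then half-close dst (one relay direction)."""
    with suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)


def open_session2(server_host, plain_port, policy, tls_context, tls_port=None):
    """Open the relay -> server leg (TCP session 2): a TLS socket if the server listens on the
    derived encryption port, a plaintext socket under PASS_PLAINTEXT if it does not, else None."""
    tls_port = PORT_MAP.get(plain_port) if tls_port is None else tls_port
    if tls_port is not None:
        with suppress(OSError):  # refused (no "TCP B3") or ssl.SSLError: both count as "no TLS listener"
            raw = socket.create_connection((server_host, tls_port), timeout=2)
            try:  # handshake: certificate / key exchange between "SSL A16" and "SSL B2"
                return tls_context.wrap_socket(raw, server_hostname=server_host)
            except OSError:
                raw.close()
                raise
    if policy == PASS_PLAINTEXT:
        return socket.create_connection((server_host, plain_port), timeout=2)
    return None


class Relay:
    """Session 1 (client -> relay, plaintext) spliced onto session 2 (relay -> server)."""

    def __init__(self, server_host, plain_port, policy=DROP, tls_port=None, tls_context=None):
        self.server_host, self.plain_port, self.policy, self.tls_port = server_host, plain_port, policy, tls_port
        self.tls_context = tls_context or ssl.create_default_context()  # verifies the server certificate
        self.listener = socket.create_server(("127.0.0.1", 0))
        self.port = self.listener.getsockname()[1]  # the port the client connects to (its "t2")
        self.outcome = None                          # "tls", "plaintext" or "dropped"

    def serve_one(self):
        client, _ = self.listener.accept()           # session 1 established (3-way handshake done by the OS)
        upstream = open_session2(self.server_host, self.plain_port, self.policy, self.tls_context, self.tls_port)
        if upstream is None:
            self.outcome = "dropped"
            client.close()                           # nothing was forwarded
            return
        upstream.settimeout(None)
        self.outcome = "tls" if isinstance(upstream, ssl.SSLSocket) else "plaintext"
        forward = threading.Thread(target=pump, args=(client, upstream), daemon=True)
        forward.start()
        pump(upstream, client)                       # server -> client direction
        forward.join()
        client.close()
        upstream.close()


def start_echo_server():
    """Constructed stand-in for the server's plaintext listener ("TCP B6" / server application B1)."""
    srv = socket.create_server(("127.0.0.1", 0))

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            while data := conn.recv(4096):
                conn.sendall(data)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def run_demo(policy):
    """Push one plaintext request through the relay toward a server that has no TLS listener.
    Returns (relay outcome, bytes the client received back)."""
    with socket.socket() as probe:                   # a bound-then-closed port: nothing listens there
        probe.bind(("127.0.0.1", 0))
        no_tls_port = probe.getsockname()[1]
    relay = Relay("127.0.0.1", start_echo_server(), policy=policy, tls_port=no_tls_port)
    worker = threading.Thread(target=relay.serve_one, daemon=True)
    worker.start()
    got = b""
    with suppress(OSError):  # under DROP the relay closes (or resets) session 1 without forwarding
        with socket.create_connection(("127.0.0.1", relay.port), timeout=5) as c:
            c.sendall(b"MAIL FROM:<user@example.test>\r\n")
            c.shutdown(socket.SHUT_WR)
            while chunk := c.recv(4096):
                got += chunk
    worker.join(5)
    relay.listener.close()
    return relay.outcome, got
```

run_demo(DROP) returns ('dropped', b''): the client's bytes never leave the relay. run_demo(PASS_PLAINTEXT) returns ('plaintext', b'MAIL FROM:<user@example.test>\r\n'): the request went to the plaintext port and was echoed back. DROP is the fail-closed choice and should be the default; PASS_PLAINTEXT is the policy the text calls accepting the risk of wiretapping.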
Above, the operation in the case that the server application B1 that supports the SSL was not installed onto the server 2 was explained; in the following explanation, however, without particular mention of these operations, it is assumed throughout that the server application B1 that supports the SSL has been installed onto the server 2.
Above, a digression was made a little, and now upon returning to the subject matter, the explanation of the operation of each module is continued.
From the above explanation, it can be seen that the data transfer between the client application A1 and the server application B1 is relayed with a total of two TCP sessions, consisting of the TCP session 1 between the TCP A2 and the TCP A14, and the TCP session 2 between the TCP A17 and the TCP B3. Relaying the TCP session by use of the intermediate driver A11 in such a manner makes it possible to achieve a coincidence of the TCP/IP protocol hierarchy between the SSL A16 of the PC 1 side and the SSL B2 of the server 2 side. This enables communication by the SSL protocol to be made, and the certificate information, the encryption algorithm, etc. necessary for starting the SSL session to be exchanged between the SSL A16 of the PC 1 side and the SSL B2 of the server 2 side.
Upon receipt of the packet from the TCP A17 through the connection P10 as shown in
Upon receipt of the frame from the header converter A13 through the connection P11 as shown in
Upon receipt of the frame from the frame analyzer A12 through the connection P12, the driver A5 delivers the frame to the NIC A6 through a connection P13.
Upon receipt of the frame from the driver A5 through the connection P13, the NIC A6 delivers the frame to the NIC C3 through a connection P14.
Upon receipt of the frame from the NIC A6 through the connection P14, the NIC C3 delivers the frame to the driver C2 through a connection P15.
Upon receipt of the frame from the NIC C3 through the connection P15, the driver C2 delivers the frame to the bridge C1 through a connection P16.
Upon receipt of the frame from the driver C2 through the connection P16, the bridge C1 makes a reference to the destination MAC address of the received frame. When the bridge C1 recognizes that the terminal having the destination MAC address has been connected to the NIC C5, it delivers the frame to the driver C4 through a connection P17.
Upon receipt of the frame from the bridge C1 through the connection P17, the driver C4 delivers the frame to the NIC C5 through a connection P18.
Upon receipt of the frame from the driver C4 through the connection P18, the NIC C5 delivers the frame to the NIC B8 through a connection P19.
Upon receipt of the frame from the NIC C5 through the connection P19, the NIC B8 delivers the frame to the driver B7 through a connection P20.
Upon receipt of the frame from the NIC B8 through the connection P20, the driver B7 delivers the frame to the IP stack B5 through a connection P21.
Upon receipt of the frame from the driver B7 through the connection P21, the IP stack B5 removes the MAC header and the IP header from the frame, thereby to generate a packet, and thereafter, delivers the packet to the IP routing B4 through a connection P22.
Upon receipt of the packet from the IP stack B5 through the connection P22, the IP routing B4 makes a reference to the TCP header of the packet. When IP routing B4 recognizes that the destination of the packet is the TCP B3 from the destination TCP port number, it delivers the received packet to the TCP B3 through a connection P23.
The TCP B3 receives the packet from the IP routing B4 through the connection P23, and makes a reference to the TCP header, thereby to investigate a reversal of the sequence and a missing of the packet. In a case where neither a reversal of the sequence nor a missing has occurred, it removes the TCP header from the packet, and delivers the data to the SSL B2 through a connection P24. At this moment, the TCP B3 gives the TCP A17 an ACK packet for notifying arrival of the packet as a reply.
Upon receipt of the data from the TCP B3 through the connection P24, the SSL B2 uses the decryption technique agreed upon with the SSL A16 of the PC 1, thereby to decrypt the data. The SSL B2 delivers the decrypted data to the server application B1 through a connection P25.
Above, it was confirmed that the data transmitted from the client application A1 was encrypted and surely arrived at the server application B1.
Next, after completing the above-mentioned process, this time, an operation will be explained of the case that the data is transmitted from the server application B1 to the client application A1.
In a case where the server application B1 of the server 2 transmits the data to the client application A1 of the PC 1, it firstly delivers the data to the SSL B2 through a connection P27.
Upon receipt of the data from the server application B1 through the connection P27, the SSL B2 encrypts the data, and thereafter, delivers the data to the TCP B3 through a connection P28.
Upon receipt of the data from the SSL B2 through the connection P28, the TCP B3 adds the TCP header and the destination IP address to the data, thereby to packetize it. A port number t3 of the TCP A17 of the PC 1 is employed for the destination TCP port number of the TCP header, and a port number t4 of the TCP B3 for the transmission source TCP port number. Further, an IP address i1 of the PC 1 is set to the destination IP address. After adding the TCP header, the TCP B3 delivers the packet to the IP routing B4 through a connection P29.
Upon receipt of the packet from the TCP B3 through the connection P29, the IP routing B4 makes a reference to the destination IP address, and transmits the packet to the IP stack B5 through a connection P30.
Upon receipt of the packet from the IP routing B4 through the connection P30, the IP stack B5 adds the IP header and the MAC header to the packet, thereby to generate a frame. An IP address i1 of the PC 1 is employed for the destination IP address of the IP header, and an IP address i2 of the server 2 for the transmission source IP address. Further, an MAC address m1 of the PC 1 is employed for the destination MAC address of the MAC header, and an MAC address m2 of the server 2 for the transmission source MAC address. After inserting such a IP header and MAC header into the packet, thereby to generate a frame, the IP stack B5 delivers the frame to the driver B7 through a connection P31.
Upon receipt of the frame from the IP stack B5 through the connection P31, the driver B7 delivers the frame to the NIC B8 through a connection P32.
Upon receipt of the frame from the driver B7 through the connection P32, the NIC B8 delivers the frame to the NIC C5 through a connection P33.
Upon receipt of the frame from the NIC B8 through the connection P33, the NIC C5 delivers the frame to the driver C4 through a connection P34.
Upon receipt of the frame from the NIC C5 through the connection P34, the driver C4 delivers the frame to the bridge C1 through a connection P35.
Upon receipt of the frame from the driver C4 through the connection P35, the bridge C1 makes a reference to the destination MAC address of the received frame. When the bridge C1 recognizes that the terminal having the destination MAC address has been connected to the NIC C3, it delivers the frame to the driver C2 through a connection P36.
Upon receipt of the frame from the bridge C1 through the connection P36, the driver C2 delivers the frame to the NIC C3 through a connection P37.
Upon receipt of the frame from the driver C2 through the connection P37, the NIC C3 delivers the frame to the NIC A6 through a connection P38.
Upon receipt of the frame from the NIC C3 through the connection P38, the NIC A6 delivers the frame to the driver A5 through a connection P39.
Upon receipt of the frame from the NIC A6 through the connection P39, the driver A5 delivers the frame to the frame analyzer A12 through a connection P40.
Upon receipt of the frame from the driver A5 through the connection P40 as shown in
Upon receipt of the frame from the frame analyzer A12 through the connection P41 as shown in
The TCP A17 receives the packet from the header converter A13 through a connection P42, and makes a reference to the TCP header, thereby to investigate a reversal of the sequence and a missing of the packet. In a case where not only a reversal of the sequence but also a missing have not occurred, it removes the TCP header from the packet, and delivers the data to the SSL A16 through a connection P43. At this moment, it gives the TCP B3 an ACK packet for notifying arrival of the packet as a reply.
Upon receipt of the data from the TCP A17 through the connection P43, the SSL A16 uses the decryption technique agreed upon with the SSL B2, thereby to decrypt the data. The SSL A16 delivers the decrypted data to the relay application A15 through a connection P44.
Upon receipt of the data from the SSL A16 through the connection P44, the relay application A15 delivers the data to the TCP A14 through a connection P45 for the purpose of sending the data to the client application A1.
Upon receipt of the data from the relay application A15 through the connection P45, the TCP A14 adds the TCP header and the destination IP address to the data, thereby to packetize it. A port number t1 of the TCP A2 is employed for the destination TCP port number of the TCP header, and a port number t2 of the TCP B6 for the transmission source TCP port number. Further, an IP address i1 of the PC 1 is set to the destination IP address. After adding the TCP header, the TCP A14 delivers the packet to the header converter A13 through a connection P46.
Upon receipt of the packet from the TCP A14 through the connection P46 as shown in
Upon receipt of the frame from the header converter A13 through the connection P47 as shown in
Upon receipt of the frame from the frame analyzer A12 through the connection P48, the IP stack A4 removes the MAC header and the IP header from the frame, thereby to packetize it, and thereafter, delivers the packet to the IP routing A3 through a connection P49.
Upon receipt of the packet from the IP stack A4 through the connection P49, the IP routing A3 makes a reference to the TCP header of the packet. When the IP routing A3 recognizes that the destination of the packet is the TCP A2 from the destination TCP port number, it delivers the received packet to the TCP A2 through a connection P50.
The TCP A2 receives the packet from the IP routing A3 through the connection P50, and makes a reference to the TCP header, thereby to investigate a reversal of the sequence and a missing of the packet. In a case where not only a reversal of the sequence but also a missing have not occurred, it removes the TCP header from the packet, and delivers the data to the client application A1 through a connection P51. At this moment, it gives the TCP A14 an ACK packet for notifying arrival of the packet as a reply. As mentioned above, it was confirmed that the data transmitted from the server application B1 was encrypted and surely arrived at the client application A1.
From the above explanation, it was confirmed that bi-directional communication between the client application A1 and the server application B1 was encrypted without fail.
Further, in the above explanation, the configuration in which encrypted data was exchanged between the PC 1 and the server 2 was explained, and in a case where the PC 1 exchanges encrypted data with a plurality of the servers in addition to the server 2, the intermediate driver A11 of the PC 1 assumes a configuration described below.
The intermediate driver A11 includes a set consisting of the header converter A13, the TCP A14, the relay application A15, the SSL A16, and the TCP A17 for each server that becomes a communication partner, and establishes a different TCP session 2 for each such server. Data that is transmitted/received between the PC 1 and each server is encrypted, and exchanged through the corresponding TCP session 2. This enables the PC 1 to exchange the encrypted data with a plurality of the servers.
[Effects]
Next, effects of this embodiment will be explained.
In this embodiment, incorporating the TCP relay function into the intermediate driver A11 makes it possible to achieve a coincidence of the TCP/IP protocol hierarchy between the SSL A16 of the PC 1 side and the SSL B2 of the server 2 side, thereby enabling the communication by the SSL protocol between the SSL A16 of the PC 1 side and the SSL B2 of the server 2 side. With this, the certificate information or the encryption algorithm necessary for starting the SSL session is automatically exchanged between the server 2 and the PC 1, which can eliminate a burden of manually setting the encryption key to the intermediate driver of the PC 1 side.
Further, with the server 2, a configuration of its software does not need to be changed, differently from the conventional case, whereby a burden of installing the intermediate driver into the server 2 can be eliminated.
In addition hereto, the frame analyzer A12 is configured to determine whether or not the transmission data has been encrypted, and to encrypt it in a case where it has not been encrypted, whereby the transmission data can be transmitted in a state of having been encrypted surely.
[Explanation of a Configuration]
Next, a second embodiment for carrying out the second invention of the present invention will be explained in details by making a reference to the accompanied drawings. A network configuration of the second embodiment is identical to that of the first embodiment of
A function of the driver A19 is identical to that of the driver A5 shown in
The virtual NIC A20 is software for mediating between the driver A19 and the relay application A22. The virtual NIC A20 has a function of receiving the frame from the driver A19 and delivering it to the relay application A22. Further, it has a function of receiving the frame from the relay application A22 and sending it to the driver A19. Normally, an NIC is configured with hardware; the virtual NIC, however, is configured with software. The virtual NIC is recognized as if it were hardware from the view of the OS.
Further, upon making a reference to
An outline of a function of a TCP A21 is almost similar to that of the TCP A14 of the first embodiment shown in
An outline of a function of the relay application A22 is almost similar to that of the relay application A15 of the first embodiment shown in
An outline of a function of a TCP A24 is almost similar to that of the TCP A17 of the first embodiment shown in
An outline of a function of a SSL A23 is almost similar to that of the SSL A16 of the first embodiment shown in
Next, a function of a frame analyzer A18 will be explained. Each of
On the other hand,
Further, an operational flowchart of the frame analyzer A18 in the case that the frame has arrived from the header converter A13 is entirely identical to that of the frame analyzer A12 of the first embodiment, which was already explained by employing
The function of the block other than the foregoing components, out of the components shown in
[Explanation of an Operation]
An operation of this embodiment will be explained below by making a reference to
At first, an operation in the case that data is transmitted from the client application A1 of the PC 1 to the server application B1 of the server 2 will be explained. However, the operation until a connection P3 is identical to that of the first embodiment, so the explanation of the operation is started at time point of a connection P4.
Upon receipt of the frame from the IP stack A4 through the connection P4 as shown in
Upon receipt of the frame from the frame analyzer A18 through the connection P5 as shown in
Upon receipt of the packet from the header converter A13 through a connection P6, the TCP A21 makes a reference to the TCP header, thereby to investigate a reversal of the sequence and a missing of the packet, and in a case where not only a reversal of the sequence but also a missing have not occurred, removes the header from the packet, and delivers the data to the driver A19 through a connection P55. At this moment, it gives the TCP A2 an ACK packet for notifying arrival of the packet as a reply, thereby to terminate the TCP session from the TCP A2. Upon viewing from the TCP A2, the TCP session looks as if it had been established between the TCP A2 and the TCP B6 because the TCP port number of the TCP A21 has been caused to correspond to the TCP port number t2 of the TCP B6; however the actual TCP session is established between the TCP A2 and the TCP A21. In
Upon receipt of the packet from the TCP A21 through the connection P55, the driver A19 delivers the packet to the virtual NIC A20 through a connection P56.
Upon receipt of the packet from the driver A19 through the connection P56, the virtual NIC A20 delivers the packet to the relay application A22 through a connection P57.
Upon receipt of the data from the virtual NIC A20 through the connection P57, the relay application A22 delivers the data to the SSL A23 through a connection P58 for a purpose of encrypting the data to realize prevention of the wiretapping.
Upon receipt of the data from the relay application A22 through the connection P58, the SSL A23 uses an encryption technique pre-settled with the SSL B2 of the server 2, thereby to encrypt the data. After completing the encryption, the SSL A23 delivers the encrypted data to the TCP A24 through a connection P59.
Upon receipt of the data from the SSL A23 through the connection P59, the TCP A24 adds the TCP header and the destination IP address to the data, thereby to packetize it. A port number t4 of the TCP B3 of the server 2 is employed for the destination TCP port number of the TCP header, and a port number t3 of the TCP A24 for the transmission source TCP port number. Herein, the port number t4 of the TCP B3 is a port number that is explicitly used in transmitting the encrypted data. For example, in a case of transmitting the encrypted mail, the protocol of SMTP over SSL is used, and no. 465 is employed as its destination TCP port number. Further, an IP address i2 of the server 2 is set to the destination IP address. After adding the TCP header and the destination IP address, the TCP A24 delivers the packet to the IP routing A3 through a connection P60. The TCP A24 establishes the TCP session with the TCP B3 by use of these processes, and realizes the stabilized data transfer to/from the TCP B3. In
From the above explanation, it can be seen that the data transfer between the client application A1 and the server application B1 is relayed with a total of two TCP sessions, consisting of the TCP session 1 between the TCP A2 and the TCP A21, and the TCP session 2 between the TCP A24 and the TCP B3. Relaying the TCP session by use of the intermediate driver A11 in such a manner makes it possible to achieve a coincidence of the TCP/IP protocol hierarchy between the SSL A23 of the PC 1 side and the SSL B2 of the server 2 side. This enables communication by the SSL protocol to be made, and the certificate information, the encryption algorithm, etc. necessary for starting the SSL session to be exchanged between the SSL A23 of the PC 1 side and the SSL B2 of the server 2 side.
Upon receipt of the packet from the TCP A24 through the connection P60, the IP routing A3 makes a reference to the destination IP address to deliver the packet to the IP stack A4 through a connection P61.
Upon receipt of the packet from the IP routing A3 through the connection P61, the IP stack A4 adds the IP header and the MAC header to the packet, thereby to generate a frame. An IP address i2 of the server 2 is employed for the destination IP address of the IP header, and an IP address i1 of the PC 1 for the transmission source IP address. Further, an MAC address m2 of the server 2 is employed for the destination MAC address of the MAC header, and an MAC address m1 of the PC 1 for the transmission source MAC address. After inserting such an IP header and MAC header into the packet, thereby to generate a frame, the IP stack A4 delivers the frame to the frame analyzer A18 through a connection P62.
Upon receipt of the frame from the IP stack A4 through the connection P62 as shown in
The operation after it is entirely identical to that of the first embodiment of
Next, after completing the above-mentioned process, this time, an operation will be explained of the case that the data is transmitted from the server application B1 to the client application A1. However, a point in which this embodiment differs from the first embodiment shown in
Upon receipt of the frame from the NIC A6 through the connection P39, the driver A5 delivers the frame to the frame analyzer A18 through a connection P40.
Upon receipt of the frame from the driver A5 through the connection P40, as shown in
Upon receipt of the frame from the frame analyzer A18 through the connection P63, the IP stack A4 removes the MAC header and the IP header from the frame, thereby to convert it into a packet, and thereafter, delivers the packet to the IP routing A3 through a connection P64.
Upon receipt of the packet from the IP stack A4 through the connection P64, the IP routing A3 makes a reference to the TCP header of the packet. When the IP routing A3 recognizes that the destination of the packet is the TCP A24 from the destination TCP port number, it delivers the received packet to the TCP A24 through a connection P65.
The TCP A24 receives the packet from the IP routing A3 through the connection P65, and makes a reference to the TCP header, thereby to investigate a reversal of the sequence and a missing of the packet. In a case where not only a reversal of the sequence but also a missing have not occurred, it removes the TCP header from the packet, and delivers the data to the SSL A23 through a connection P66. At this moment, it gives the TCP B3 an ACK packet for notifying arrival of the packet as a reply (TCP session 2).
Upon receipt of the data from the TCP A24 through the connection P66, the SSL A23 uses the decryption technique agreed upon with the SSL B2 of the server 2, thereby to decrypt the data. The SSL A23 delivers the decrypted data to the relay application A22 through a connection P67.
Upon receipt of the data from the SSL A23 through the connection P67, the relay application A22 delivers the data to the virtual NIC A20 through a connection P68 for the purpose of sending the data to the client application A1.
Upon receipt of the packet from the relay application A22 through the connection P68, the virtual NIC A20 delivers the packet to the driver A19 through a connection P69.
Upon receipt of the packet from the virtual NIC A20 through the connection P69, the driver A19 delivers the packet to the TCP A21 through a connection P70.
Upon receipt of the data from the driver A19 through the connection P70, the TCP A21 adds the TCP header and the destination IP address to the data, thereby to packetize it. A port number t1 of the TCP A2 is employed for the destination TCP port number of the TCP header, and a port number t2 of the TCP B6 for the transmission source TCP port number. Further, an IP address i1 of the PC 1 is set to the destination IP address. After adding the TCP header, the TCP A21 delivers the packet to the header converter A13 through a connection P46 (TCP session 1).
Upon receipt of the packet from the TCP A21 through the connection P46 as shown in
The operation after it is entirely identical to that of the first embodiment of
As mentioned above, it was confirmed that the data transmitted from the server application B1 was encrypted and surely arrived at the client application A1.
Next, effects of this embodiment will be explained.
This embodiment has the following effect in addition to the effects of the first embodiment.
In this embodiment, the frame that needs to be encrypted is looped back from the intermediate driver A11 into the OS, so that the function of the SSL A16 incorporated inside the intermediate driver A11 in the first embodiment can be replaced by the function of the SSL A23 already incorporated into the OS. This eliminates the burden the software developer bears for packaging the SSL A16 into the intermediate driver, and thus reduces the load imposed upon the software developer and the burden of development.
[Explanation of a Configuration]
Next, a third embodiment for carrying out the second invention of the present invention will be explained in detail with reference to the accompanying drawings. A network configuration of the third embodiment is identical to that of the first embodiment of
An outline of a function of the TCP A25 is almost similar to that of the TCP A21 of the second embodiment shown in
An outline of a function of the relay application A26 is almost similar to that of the relay application A22 of the second embodiment shown in
The function of the blocks other than the foregoing components out of the components shown in
[Explanation of an Operation]
An operation of this embodiment will be explained below by making a reference to
At first, the operation in the case where data is transmitted from the client application A1 of the PC 1 to the server application B1 of the server 2 will be explained. However, the operation up to a connection P5 is identical to that of the second embodiment, so the explanation starts from a connection P6.
Upon receipt of the packet from the header converter A13 through the connection P6, the TCP A25 checks the TCP header for a reversal of the sequence or a missing packet, and if neither has occurred, it removes the header from the packet and delivers the data to the relay application A26 through a connection P71. At this moment, it replies to the TCP A2 with an ACK packet notifying arrival of the packet, thereby terminating the TCP session from the TCP A2. Viewed from the TCP A2, the TCP session appears to have been established between the TCP A2 and the TCP B6, because the TCP port number of the TCP A25 has been made to correspond to the TCP port number t2 of the TCP B6; the actual TCP session, however, has been established between the TCP A2 and the TCP A25. In
Upon receipt of the data from the TCP A25 through the connection P71, the relay application A26 delivers the data to the SSL A23 through a connection P58 so that it is encrypted to prevent wiretapping.
The operation after it is entirely identical to that of the second embodiment of
As mentioned above, it was confirmed that the data transmitted from the client application A1 was encrypted and surely arrived at the server application B1.
Next, the operation in the case where data is transmitted from the server application B1 to the client application A1 after the above process is completed will be explained. However, the point in which this embodiment differs from the second embodiment shown in
Upon receipt of the data from the SSL A23 through the connection P67, the relay application A26 delivers the data to the TCP A25 through a connection P72 for a purpose of sending it to the client application A1.
Upon receipt of the data from the relay application A26 through the connection P72, the TCP A25 adds the TCP header and the destination IP address to the data, thereby to packetize it. A port number t1 of the TCP A2 is employed for the destination TCP port number of the TCP header, and a port number t2 of the TCP B6 for the transmission source TCP port number. Further, the IP address i1 of the PC 1 is set to the destination IP address. After adding the TCP header, the TCP A25 delivers the packet to the header converter A13 through a connection P46 (TCP session 1).
The operation after it is entirely identical to that of the second embodiment of
As mentioned above, it was confirmed that the data transmitted from the server application B1 was encrypted and surely arrived at the client application A1.
[Effects]
Next, effects of this embodiment will be explained.
This embodiment has the following effect in addition to the effects of the second embodiment.
In this embodiment, the loopback process is performed between the TCP A25 and the relay application A26, so that the driver A19 and the virtual NIC A20 incorporated into the PC 1 in the second embodiment can be omitted. This eliminates the burden the software developer bears for developing these modules, and thus reduces the load imposed upon the software developer and the burden of development.
Further, in the second embodiment there is a risk that the security level of the PC 1 declines when the virtual NIC A20 and the NIC A6 are bridge-connected; in this embodiment, however, such a bridge connection is impossible because the virtual NIC A20 itself has been omitted, so the burden of taking a security countermeasure is also reduced.
[Explanation of a Configuration]
Next, a fourth embodiment for carrying out the second invention of the present invention will be explained in detail with reference to the accompanying drawings. A network configuration of the fourth embodiment is identical to that of the first embodiment of
An outline of a function of a TCP A29 is almost similar to that of the TCP A25 of the third embodiment shown in
Next, a function of a header converter A27 will be explained. The header converter A27 is connected to the frame analyzer A18.
Functions of the blocks other than the foregoing components, out of the components shown in
[Explanation of an Operation]
An operation of this embodiment will be explained below by making a reference to
At first, the operation in the case where data is transmitted from the client application A1 of the PC 1 to the server application B1 of the server 2 will be explained. However, the operation up to a connection P4 is identical to that of the third embodiment, so the explanation starts from a connection P5.
Upon receipt of the packet from the frame analyzer A18 through the connection P5 as shown in
Upon receipt of the frame from the header converter A27 through the connection P73 as shown in
Upon receipt of the frame from the frame analyzer A18 through the connection P74, the IP stack A4 removes the MAC header and the IP header from the frame, thereby converting it into a packet, and thereafter delivers the packet to the IP routing A3 through a connection P75.
Upon receipt of the packet from the IP stack A4 through the connection P75, the IP routing A3 makes a reference to the TCP header of the packet. When the IP routing A3 recognizes that the destination of the packet is the TCP A29 from the destination TCP port number, it delivers the received packet to the TCP A29 through a connection P76.
The TCP A29 receives the packet from the IP routing A3 through the connection P76 and checks the TCP header for a reversal of the sequence or a missing packet. If neither has occurred, it removes the TCP header from the packet and delivers the data to the relay application A26 through a connection P71. At this moment, it replies to the TCP A2 with an ACK packet notifying arrival of the packet, thereby terminating the TCP session from the TCP A2. Viewed from the TCP A2, the TCP session appears to have been established between the TCP A2 and the TCP B6, because the TCP port number of the TCP A29 has been made to correspond to the TCP port number t2 of the TCP B6; the actual TCP session, however, is established between the TCP A2 and the TCP A29. In
The operation after it is entirely identical to that of the third embodiment of
As mentioned above, it was confirmed that the data transmitted from the client application A1 was encrypted and surely arrived at the server application B1.
Next, the operation in the case where data is transmitted from the server application B1 to the client application A1 after the above process is completed will be explained. However, the point in which this embodiment differs from the third embodiment shown in
Upon receipt of the data from the SSL A23 through the connection P67, the relay application A26 delivers the data to the TCP A29 through the connection P72 for a purpose of sending it to the client application A1.
Upon receipt of the data from the relay application A26 through the connection P72, the TCP A29 adds the TCP header and the destination IP address to the data, thereby to packetize it. A port number t1 of the TCP A2 is employed for the destination TCP port number of the TCP header, and a port number t2 of the TCP B6 for the transmission source TCP port number. Further, an IP address i2 of the server 2 is set to the destination IP address. After adding the TCP header, the TCP A29 delivers the packet to the IP routing A3 through a connection P79 (TCP session 1).
Upon receipt of the packet from the TCP A29 through the connection P79, the IP routing A3 makes a reference to the destination IP address to transmit the packet to the IP stack A4 through a connection P80.
Upon receipt of the packet from the IP routing A3 through the connection P80, the IP stack A4 adds the IP header and the MAC header to the packet, thereby generating a frame. An IP address i2 of the server 2 is employed for the destination IP address of the IP header, and an IP address i1 of the PC 1 for the transmission source IP address. Further, a MAC address m2 of the server 2 is employed for the destination MAC address of the MAC header, and a MAC address m1 of the PC 1 for the transmission source MAC address. After inserting such an IP header and MAC header into the packet, the IP stack A4 delivers the frame to the frame analyzer A18 through a connection P81.
Upon receipt of the frame from the IP stack A4 through the connection P81 as shown in
Upon receipt of the frame from the frame analyzer A18 through the connection P82 as shown in
The operation after it is entirely identical to that of the third embodiment of
As mentioned above, it was confirmed that the data transmitted from the server application B1 was encrypted and surely arrived at the client application A1.
[Effects]
Next, effects of this embodiment will be explained.
This embodiment has the following effect in addition to the effects of the third embodiment.
In this embodiment, the transmission source address and the destination address of the frame that needs to be encrypted are exchanged with each other in the intermediate driver, so that the function of the TCP A14 incorporated inside the intermediate driver A11 in the third embodiment can be replaced by the function of the TCP A29 already incorporated into the OS. This eliminates the burden the software developer bears for packaging the TCP A14 into the intermediate driver, and thus reduces the load imposed upon the software developer and the burden of development.
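As an added illustration of the address exchange described above (example code, not the patent's own), the following Python models the intermediate driver's conversion on a constructed Ethernet II / IPv4 / TCP frame: the source and destination MAC and IP addresses are exchanged, the TCP ports t1 and t2 are left untouched so that the local TCP listening on t2 receives what the client addressed to the server, and the IPv4 header checksum is shown to remain valid. The MAC addresses, IP addresses and port numbers standing in for m1, m2, i1, i2, t1 and t2 are constructed placeholders.

```python
import struct

# Constructed placeholder values standing in for the patent's m1/m2, i1/i2, t1/t2.
PC_MAC = bytes.fromhex("020000000001")       # m1: MAC address of the PC 1
SERVER_MAC = bytes.fromhex("020000000002")   # m2: MAC address of the server 2
PC_IP = bytes([192, 0, 2, 1])                # i1: IP address of the PC 1
SERVER_IP = bytes([192, 0, 2, 2])            # i2: IP address of the server 2
T1 = 40000                                   # t1: port of the client TCP A2
T2 = 8080                                    # t2: port of the server TCP B6 (and of TCP A29)

ETHERTYPE_IPV4 = b"\x08\x00"


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum of an IPv4 header.

    With the checksum field zeroed this returns the value to store; with the
    field filled in it returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Construct a minimal Ethernet II / IPv4 / TCP frame (no options) as sample input."""
    # seq 1, ack 0, data offset 5 words, flags PSH|ACK, window 65535, TCP checksum left 0
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18,
                          65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    return dst_mac + src_mac + ETHERTYPE_IPV4 + ip_hdr + tcp_hdr + payload


def parse_endpoints(frame: bytes) -> dict:
    """Return the addressing fields the header converter and the OS stack look at."""
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    src_port, dst_port = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return {
        "dst_mac": frame[0:6], "src_mac": frame[6:12],
        "src_ip": ip_hdr[12:16], "dst_ip": ip_hdr[16:20],
        "src_port": src_port, "dst_port": dst_port,
        "ip_checksum_ok": ip_checksum(ip_hdr) == 0,
    }


def swap_endpoints(frame: bytes) -> bytes:
    """Model of the header converter A27 (hypothetical implementation): exchange the
    source and destination MAC and IP addresses so that the frame, once looped back
    into the OS, is delivered locally.

    The TCP ports stay as they are: the local TCP A29 listens on t2 and therefore
    receives what the client addressed to the server. The same exchange serves the
    return path, where it turns the reply of the TCP A29 into a frame addressed to the PC 1."""
    if frame[12:14] != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are converted")
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = bytearray(frame[14:14 + ihl])
    if ip_checksum(bytes(ip_hdr)) != 0:
        raise ValueError("IPv4 header checksum invalid; frame not converted")
    src_ip, dst_ip = bytes(ip_hdr[12:16]), bytes(ip_hdr[16:20])
    ip_hdr[12:16], ip_hdr[16:20] = dst_ip, src_ip
    # The one's-complement sum is commutative, so exchanging two header fields leaves
    # the IPv4 checksum (and the TCP pseudo-header checksum) valid. It is recomputed
    # here only to make that invariant explicit.
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ip_checksum(bytes(ip_hdr)))
    return src_mac + dst_mac + ETHERTYPE_IPV4 + bytes(ip_hdr) + frame[14 + ihl:]
```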
[Explanation of a Configuration]
Next, a fifth embodiment for carrying out the third invention of the present invention will be explained in detail with reference to the accompanying drawings.
The PC 1 is connected to the hub 3 via a network 5. Herein, it is assumed that the so-called network 5 is what those skilled in the relevant field can imagine from the network, for example, LAN (Local Area Network), WAN (Wide Area Network), and Internet. The PC 1 receives the frame from the network 5, and performs a desired process for the received frame. Further, the PC 1 transmits the frame generated in the internal process of the PC 1 to the network 5.
Each of the server 2 and the gateway 4, which are connected to the hub 3, receives the frame from the hub 3 and performs a desired process on the received frame. Further, each of the server 2 and the gateway 4 transmits the frame generated in its own internal process to the hub 3.
The hub 3 is connected to the network 5, the gateway 4 and the server 2. Upon receipt of the frame from the network 5, the gateway 4 and the server 2, the hub 3 analyzes the received frame, and transfers the frame to an appropriate port based upon its analysis result.
An outline of a function of a relay application A31 is almost similar to that of the relay application A15 of the first embodiment shown in
Next, a function of the frame analyzer A30 will be explained. The frame analyzer A30 is connected to the IP stack A4, a header converter A33, and the relay application A31. Each of
On the other hand,
On the other hand,
On the other hand,
Next, a function of the header converter A33 will be explained. The header converter A33 is connected to the frame analyzer A30 and the TCP A14. Each of
On the other hand,
Next, a function of each component of the gateway 4 shown in
The relay server application D1 has a function of transferring the data that arrives from an SSL D2 to a virtual NIC D10 as a frame. Further, the relay server application D1 has a function of transferring the data that arrives from the virtual NIC D10 to the SSL D2, so that it is carried over the TCP session between the TCP A14 and a TCP D3.
Next, a function of the software that is included in the OS of the gateway 4 will be explained. As software that is included in the OS, the gateway 4 includes the SSL D2, the TCP D3, an IP routing D4, an IP stack D5, and a bridge D6. The functions of these items of the software are entirely identical to that of the modules of the server 2 of
Next, a function of software that is positioned in the lower layer that is not included in the OS of the gateway 4 will be explained. As software that corresponds hereto, the gateway 4 includes a driver D7 and a driver D9; however a function of these items of the software is entirely identical to the driver B7 of the server 2 of
Next, a function of the hardware of the gateway 4 will be explained. As hardware, the gateway 4 includes a NIC D8 and a virtual NIC D10; however, the functions of these modules are entirely identical to those of the corresponding modules of the PC 1 of FIG. 12, so their explanation is omitted.
[Explanation of an Operation]
At first, the operation in the case where data is transmitted from the client application A1 of the PC 1 to the server application B1 of the server 2 will be explained. However, the operation up to a connection P3 is identical to that of the first embodiment, so the explanation starts from a connection P4.
Upon receipt of the frame from the IP stack A4 through the connection P4 as shown in
Upon receipt of the data from the frame analyzer A30 through the connection P83, the relay application A31 delivers the data to the SSL A16 through a connection P84 so that it is encrypted to prevent wiretapping.
Upon receipt of the data from the relay application A31 through the connection P84, the SSL A16 encrypts the data using the encryption method pre-negotiated with the SSL D2 of the gateway 4. After completing the encryption, the SSL A16 delivers the encrypted data to the TCP A14 through a connection P85.
Upon receipt of the data from the SSL A16 through the connection P85, the TCP A14 adds the TCP header and the destination IP address to the data, thereby packetizing it. A port number t6 of the TCP D3 of the gateway 4 is employed for the destination TCP port number of the TCP header, and a port number t5 of the TCP A14 for the transmission source TCP port number. Further, an IP address i3 of the gateway 4 is set as the destination IP address. After adding the TCP header and the destination IP address, the TCP A14 delivers the packet to the header converter A33 through a connection P86. Through these processes the TCP A14 establishes the TCP session with the TCP D3 and achieves reliable data transfer to/from the TCP D3. In
Upon receipt of the packet from the TCP A14 through the connection P86 as shown in
Herein, judging from a comparison of the data format of
Upon receipt of the frame from the header converter A33 through the connection P87 as shown in
Upon receipt of the frame from the frame analyzer A12 through the connection P12, the driver A5 delivers the frame to the NIC A6 through a connection P89.
Upon receipt of the frame from the driver A5 through the connection P89, the NIC A6 delivers the frame to the NIC C3 through a connection P90 while allowing it to go through the network 5.
Upon receipt of the frame from the NIC A6 through the connection P90 while allowing it to go through the network 5, the NIC C3 delivers the frame to the driver C2 through a connection P91.
Upon receipt of the frame from the NIC C3 through the connection P91, the driver C2 delivers the frame to the bridge C1 through a connection P92.
Upon receipt of the frame from the driver C2 through the connection P92, the bridge C1 makes a reference to the destination MAC address of the received frame. When the bridge C1 recognizes that the terminal having the destination MAC address has been connected to the NIC C5, it delivers the frame to the driver C4 through a connection P93.
Upon receipt of the frame from the bridge C1 through the connection P93, the driver C4 delivers the frame to the NIC C5 through a connection P94.
Upon receipt of the frame from the driver C4 through the connection P94, the NIC C5 delivers the frame to the NIC D8 through a connection P95.
Upon receipt of the frame from the NIC C5 through the connection P95, the NIC D8 delivers the frame to the driver D7 through a connection P96.
Upon receipt of the frame from the NIC D8 through the connection P96, the driver D7 delivers the frame to the bridge D6 through a connection P97.
Upon receipt of the frame from the driver D7 through the connection P97, the bridge D6 makes a reference to the destination MAC address of the received frame. When the bridge D6 recognizes that the terminal having the destination MAC address is the gateway 4, it delivers the frame to the IP stack D5 through a connection P98.
Upon receipt of the frame from the bridge D6 through the connection P98, the IP stack D5 removes the MAC header and the IP header from the frame, thereby to convert it into a packet, and thereafter, delivers the packet to the IP routing D4 through a connection P99.
Upon receipt of the packet from the IP stack D5 through the connection P99, the IP routing D4 makes a reference to the TCP header of the packet. When the IP routing D4 recognizes that the destination of the packet is the TCP D3 from the destination TCP port number, it delivers the received packet to the TCP D3 through a connection P100.
The TCP D3 receives the packet from the IP routing D4 through the connection P100 and checks the TCP header for a reversal of the sequence or a missing packet. If neither has occurred, it removes the TCP header from the packet and delivers the data to the SSL D2 through a connection P101. At this moment, it replies to the TCP A14 with an ACK packet notifying arrival of the packet (TCP session 2).
Upon receipt of the data from the TCP D3 through the connection P101, the SSL D2 decrypts the data using the decryption method negotiated with the SSL A16 of the PC 1. The SSL D2 delivers the decrypted data to the relay application D1 through a connection P102.
Upon receipt of the frame from the SSL D2 through the connection P102, the relay server application D1 delivers the frame to the virtual NIC D10 through a connection P103.
Upon receipt of the frame from the relay server application D1 through the connection P103, the virtual NIC D10 delivers the frame to the driver D9 through a connection P104.
Upon receipt of the frame from the virtual NIC D10 through the connection P104, the driver D9 delivers the frame to the bridge D6 through a connection P105.
Upon receipt of the frame from the driver D9 through the connection P105, the bridge D6 makes a reference to the destination MAC address of the received frame. When the bridge D6 recognizes that the terminal having the destination MAC address has been linked to the upstream side of NIC D8, it delivers the frame to the driver D7 through a connection P106.
Upon receipt of the frame from bridge D6 through the connection P106, the driver D7 delivers the frame to the NIC D8 through a connection P107.
Upon receipt of the frame from the driver D7 through the connection P107, the NIC D8 delivers the frame to the NIC C5 through a connection P108.
Upon receipt of the frame from the NIC D8 through the connection P108, the NIC C5 delivers the frame to the driver C4 through a connection P109.
Upon receipt of the frame from the NIC C5 through the connection P109, the driver C4 delivers the frame to the bridge C1 through a connection P110.
Upon receipt of the frame from the driver C4 through the connection P110, the bridge C1 makes a reference to the destination MAC address of the received frame. When the bridge C1 recognizes that the terminal having the destination MAC address has been linked to the upstream side of the NIC C7, it delivers the frame to the driver C6 through a connection P111.
Upon receipt of the frame from the bridge C1 through the connection P111, the driver C6 delivers the frame to the NIC C7 through a connection P112.
Upon receipt of the frame from the driver C6 through the connection P112, the NIC C7 delivers the frame to the NIC B8 through a connection P113.
Upon receipt of the frame from the NIC C7 through the connection P113, the NIC B8 delivers the frame to the driver B7 through a connection P114.
Upon receipt of the frame from the NIC B8 through the connection P114, the driver B7 delivers the frame to the IP stack B5 through a connection P115.
Upon receipt of the frame from the driver B7 through the connection P115, the IP stack B5 removes the MAC header and the IP header from the frame, thereby to convert it into a packet, and thereafter, delivers the packet to the IP routing B4 through a connection P116.
Upon receipt of the packet from the IP stack B5 through the connection P116, the IP routing B4 makes a reference to the TCP header of the packet. When the IP routing B4 recognizes that the destination of the packet is the TCP B3 from the destination TCP port number, it delivers the received packet to the TCP B3 through a connection P117.
The TCP B3 receives the packet from the IP routing B4 through the connection P117 and checks the TCP header for a reversal of the sequence or a missing packet. If neither has occurred, it removes the TCP header from the packet and delivers the data to the server application B1 through a connection P118. At this moment, it replies to the TCP A2 with an ACK packet notifying arrival of the packet (TCP session 1).
As mentioned above, it was confirmed that the data transmitted from the client application A1 was encrypted and surely arrived at the server application B1.
Note that the data transmitted from the client application A1 is encrypted only on the section from the PC 1 to the gateway 4. Where this section is the only one in which a risk of wiretapping exists, the technique provides a sufficient security benefit. That is, it is sufficient when the network 5 spanning this section is a network such as the Internet, in which wiretapping is a risk, because the data is encrypted on that section.
Further, the explanation of the operation in the case where data is transmitted from the server application B1 to the client application A1 after the above process is completed is omitted, because the data simply travels the foregoing path in the opposite direction.
In the above explanation, the operation in which the TCP session 1 between the TCP A2 of the PC 1 and the TCP B3 of the server 2 is tunneled through the secure TCP session 2 between the PC 1 and the gateway 4 was explained. As a result, the data takes a TCP-over-TCP format.
On the other hand, it is also possible to allow the UDP frame that is exchanged between the PC 1 and the server 2 to tunnel through the secure TCP session 2 between the PC 1 and the gateway 4. The system configuration in this case is a configuration in which the TCP A2 of the PC 1 side and the TCP B3 of the server 2 side shown in
[Effects]
Next, effects of this embodiment will be explained.
This embodiment has the following effect in addition to the effects of the first embodiment.
In this embodiment, tunneling the TCP session 1 between the PC 1 and the server 2 through the secure TCP session 2 between the PC 1 and the gateway 4 makes it possible to encrypt the data sent out from the PC 1 without fail before transmitting it, even when the server application B1 of the server 2 does not support SSL. This eliminates the burden on the user of searching for a server application B1 that supports SSL and of installing that server application B1 on the server 2.
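As an added example (not code from the patent) of the pairing of the relay application A31 on the PC 1 with the relay server application D1 on the gateway 4, the Python below shows one way to carry whole frames over the byte stream of the secure TCP session 2 and to rebuild them on the gateway side regardless of how the stream is chunked by the underlying reads. The length-prefixed record format, the 1518-byte frame cap and all helper names are assumptions, since the patent does not specify a tunnel framing.

```python
import struct

# Assumed tunnel record format (the patent specifies none): a 2-byte big-endian length
# prefix followed by one complete Ethernet frame. The cap rejects records that could not
# be a frame, so a peer cannot make the reassembler buffer without bound.
MAX_FRAME = 1518
MIN_FRAME = 14          # at least an Ethernet header
HDR = struct.Struct("!H")


def encapsulate(frame: bytes) -> bytes:
    """Relay application A31 side: wrap one frame so it can ride the SSL byte stream."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError("frame length %d outside %d..%d" % (len(frame), MIN_FRAME, MAX_FRAME))
    return HDR.pack(len(frame)) + frame


class FrameReassembler:
    """Relay server application D1 side: rebuild frames from whatever chunk sizes the
    stream delivers.

    A TCP or SSL read may return part of a record or several records at once, so the
    decoder keeps state across reads rather than assuming one read equals one frame."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        """Append a received chunk and return every complete frame now available."""
        self._buf += chunk
        frames = []
        while len(self._buf) >= HDR.size:
            (length,) = HDR.unpack_from(self._buf, 0)
            if not MIN_FRAME <= length <= MAX_FRAME:
                # A desynchronised or misbehaving peer: abandon the session rather
                # than trying to resynchronise inside attacker-influenced bytes.
                raise ValueError("bad tunnel record length %d" % length)
            if len(self._buf) < HDR.size + length:
                break
            frames.append(bytes(self._buf[HDR.size:HDR.size + length]))
            del self._buf[:HDR.size + length]
        return frames

    def pending(self) -> int:
        """Bytes buffered while waiting for the rest of a record."""
        return len(self._buf)


def split_stream(data: bytes, sizes) -> list:
    """Cut a byte string into chunks of the given sizes, then the remainder
    (simulates the arbitrary read boundaries of a stream socket)."""
    chunks, pos = [], 0
    for n in sizes:
        chunks.append(data[pos:pos + n])
        pos += n
    chunks.append(data[pos:])
    return chunks


def relay_roundtrip(frames, read_sizes) -> list:
    """Encapsulate frames on the PC 1 side, deliver the stream in arbitrary chunks, and
    return the frames the gateway side would hand to the virtual NIC D10."""
    stream = b"".join(encapsulate(f) for f in frames)
    rx = FrameReassembler()
    out = []
    for chunk in split_stream(stream, read_sizes):
        out.extend(rx.feed(chunk))
    return out
```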
[Explanation of a Configuration]
Next, a sixth embodiment for carrying out the third invention of the present invention will be explained in detail with reference to the accompanying drawings. A network configuration of the sixth embodiment is identical to that of the fifth embodiment of
A function of the driver A34 is identical to that of the driver A19 shown in
A function of the virtual NIC A20 is identical to that of the virtual NIC A20 shown in
Further, upon making a reference to
A frame analyzer A36 is connected to the IP stack A4, the driver A5, and the driver A34.
On the other hand, an operational flowchart of the frame analyzer A36 in the case that the frame has arrived from the driver A5 is entirely identical to that of
Further, an operational flowchart of the frame analyzer A36 in the case that the frame has arrived from the driver A34 is entirely identical to that of
Functions of a relay application A22, a TCP A24, and an SSL A23 that are shown in
Functions of the blocks other than the foregoing components out of the components shown in
[Explanation of an Operation]
An operation of this embodiment will be explained below by making a reference to
At first, the operation in the case where data is transmitted from the client application A1 of the PC 1 to the server application B1 of the server 2 will be explained. However, the operation up to a connection P3 is identical to that of the fifth embodiment, so the explanation starts from a connection P4.
Upon receipt of the frame from the IP stack A4 through the connection P4 as shown in
Upon receipt of the frame from the frame analyzer A36 through the connection P120, the driver A34 transmits the frame to the virtual NIC A20 through a connection P121.
Upon receipt of the frame from the driver A34 through the connection P121, the virtual NIC A20 transmits the frame to the relay application A22 through a connection P123.
Upon receipt of the data from the virtual NIC A20 through the connection P123, the relay application A22 delivers the data to the SSL A23 through a connection P124 so that it is encrypted to prevent wiretapping.
Upon receipt of the data from the relay application A22 through the connection P124, the SSL A23 encrypts the data using the encryption method pre-negotiated with the SSL D2. After completing the encryption, the SSL A23 delivers the encrypted data to the TCP A24 through a connection P125.
Upon receipt of the data from the SSL A23 through the connection P125, the TCP A24 adds the TCP header and the destination IP address to the data, thereby packetizing it. A port number t6 of the TCP D3 of the gateway 4 is employed for the destination TCP port number of the TCP header, and a port number t5 of the TCP A24 for the transmission source TCP port number. Further, an IP address i3 of the gateway 4 is set as the destination IP address. After adding the TCP header and the destination IP address, the TCP A24 delivers the packet to the IP routing A3 through a connection P126. Through these processes the TCP A24 establishes the TCP session with the TCP D3 and achieves reliable data transfer to/from the TCP D3. In
Upon receipt of the packet from the TCP A24 through the connection P126, the IP routing A3 makes a reference to the destination IP address to transmit the packet to the IP stack A4 through a connection P127.
Upon receipt of the packet from the IP routing A3 through the connection P127, the IP stack A4 adds the IP header and the MAC header to the packet, thereby generating a frame. An IP address i3 of the gateway 4 is employed for the destination IP address of the IP header, and an IP address i1 of the PC 1 for the transmission source IP address. Further, a MAC address m3 of the gateway 4 is employed for the destination MAC address of the MAC header, and a MAC address m1 of the PC 1 for the transmission source MAC address. After inserting such an IP header and MAC header into the packet, the IP stack A4 delivers the frame to the frame analyzer A36 through a connection P128.
Upon receipt of the frame from the IP stack A4 through the connection P128 as shown in
The operation after it is entirely identical to that of the fifth embodiment of
As mentioned above, it was confirmed that the data transmitted from the client application A1 was encrypted and surely arrived at the server application B1.
Further, the explanation of the operation in the case where data is transmitted from the server application B1 to the client application A1 after the above process is completed is omitted, because the data simply travels the foregoing path in the opposite direction.
[Effects]
Next, effects of this embodiment will be explained. This embodiment has the following effect in addition to the effects of the fifth embodiment.
In this embodiment, the frame that needs to be encrypted is looped back from the intermediate driver A11 into the OS, so that the function of the SSL A16 incorporated inside the intermediate driver A11 in the fifth embodiment can be replaced by the function of the SSL A23 already incorporated into the OS. This eliminates the burden the software developer bears for packaging the SSL A16 into the intermediate driver, and thus reduces the load imposed upon the software developer and the burden of development.
[Explanation of a Configuration]
Next, a seventh embodiment for carrying out the third invention of the present invention will be explained in detail with reference to the accompanying drawings. A network configuration of the seventh embodiment is identical to that of the fifth embodiment of
An outline of the function of the frame analyzer A37 is largely the same as that of the frame analyzer A36 of the sixth embodiment shown in
An outline of the function of the relay application A26 is largely the same as that of the relay application A22 of the sixth embodiment shown in
Functions of the blocks other than the foregoing components out of the components shown in
[Explanation of an Operation]
An operation of this embodiment will be explained below by making a reference to
At first, the operation in the case that data is transmitted from the client application A1 of the PC 1 to the server application B1 of the server 2 will be explained. However, the operation up to the connection P3 is identical to that of the sixth embodiment, so the explanation starts from the connection P4.
Upon receipt of the frame from the IP stack A4 through the connection P4 as shown in
Upon receipt of the frame from the frame analyzer A37 through the connection P129, the relay application A38 delivers the data to the SSL A23 through a connection P124 so that it is encrypted to prevent wiretapping.
The operation after it is entirely identical to that of the sixth embodiment of
Further, the explanation of the operation in the case that data is transmitted from the server application B1 to the client application A1 after completing the above-mentioned process is omitted, because the data only travels in the direction opposite to that of the foregoing path.
[Effects]
Next, effects of this embodiment will be explained. This embodiment has the following effect in addition to the effects of the sixth embodiment.
In this embodiment, the loopback process is performed between the frame analyzer A37 and the relay application A38, so that the driver A34 and the virtual NIC A20 incorporated into the PC 1 in the sixth embodiment can be excluded. This eliminates the burden that the software developer bears for developing these modules, and thereby reduces the load imposed upon the software developer and the burden of development.
Further, in the sixth embodiment there is a risk that the security level of the PC 1 declines when the virtual NIC A20 and the NIC A6 are bridge-connected; in this embodiment, however, such a bridge connection is impossible because the virtual NIC A20 itself has been excluded, and the burden of taking a security countermeasure is reduced.
[Explanation of a Configuration]
Next, an eighth embodiment for carrying out the fourth invention of the present invention will be explained in detail with reference to the accompanying drawings.
The encryption setting application A40 is software positioned in the upper layer that is not included in the OS. The encryption setting application A40 has, among others, a function of determining whether the frame is to be encrypted in the intermediate driver A11 according to the network environment, and of changing the setting of a frame analyzer A41 based upon the result of that determination. The encryption setting application A40 can perform various processes in determining whether to encrypt the frame, and can decide based upon the result of their analysis. These processes include the following: sending an ICMP echo request to the management server 6 and checking whether a response is returned; sending a special frame to the management server 6 and checking whether a response is returned; and investigating the IP address currently set on the PC 1 and checking whether the IP address is a predetermined value.
The encryption setting application A40 determines whether to encrypt the frame according to the result of any one of the above-mentioned processes or a combination thereof.
Further, various timings at which the encryption setting application A40 performs the above-mentioned processes are conceivable, for example, every time a packet is transmitted or received, periodically at a fixed interval, when the PC is started, at a time designated by the user, or a combination thereof.
With the addition of the encryption setting application A40 to the PC 1 in this manner, the frame analyzer is changed as described below. The frame analyzer A41 is connected to the IP stack A4, the driver A5, and a header converter A13. Each of
On the other hand,
Further, an operational flowchart of the frame analyzer A41 in the case that the frame has arrived from the header converter A13 is entirely identical to that of
[Explanation of an Operation]
An operation of this embodiment will be explained below by making a reference to
The encryption setting module A40 executes the process of determining whether to encrypt the frame in the intermediate driver A11 at a pre-set timing.
The process performed here is one of the following, or a combination thereof: sending an ICMP echo request to the management server 6 and checking whether a response is returned; sending a special frame to the management server 6 and checking whether a response is returned; and investigating the IP address set on the PC 1 and checking whether the IP address is a predetermined value.
If, as a result of these processes, one of the following conditions, or a combination thereof, holds, namely that the ICMP echo response is returned from the management server 6, that the special frame is returned from the management server 6, or that the IP address currently set in the PC 1 is a predetermined value, the encryption setting module A40 changes the setting of the frame analyzer A41 and enables the encryption setting of step S8 and step S18. If the above-mentioned condition does not hold, the encryption setting module A40 changes the setting of the frame analyzer A41 and disables the encryption setting of step S8 and step S18.
It was confirmed that performing the above operation enabled the encryption function of the intermediate driver to be set automatically according to the network environment of the PC.
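The following Python code is an added example, not code from the patent, of the decision the text describes for the encryption setting application A40: each of the three checks (ICMP echo response returned from the management server 6, special frame returned, and whether the PC's current IP address is a predetermined value) is evaluated, the results are combined either as "any condition holds" or as "all conditions hold", and the outcome enables or disables the encryption setting that the frame analyzer A41 consults at steps S8 and S18. The probe results are supplied as inputs so that the policy itself can be exercised offline; the predetermined network 192.0.2.0/24 and all class and function names are assumptions of this example. A probe that could not be completed is counted as "no response returned", which is how the condition reads above.

```python
"""Encryption-setting policy modelled on the encryption setting application A40.

Added example; names, the predetermined network and the probe inputs are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence


class Condition(Enum):
    """The three checks the text lists for deciding whether to encrypt."""
    ICMP_ECHO_ANSWERED = "ICMP echo response returned from the management server"
    SPECIAL_FRAME_ANSWERED = "special frame returned from the management server"
    LOCAL_IP_PREDETERMINED = "IP address set on the PC is a predetermined value"


@dataclass
class ProbeResults:
    """Outcome of one round of probes.  None means the probe could not be completed
    (for example it timed out) and is treated as 'no response returned'."""
    icmp_echo_answered: Optional[bool] = None
    special_frame_answered: Optional[bool] = None
    local_ip: Optional[str] = None


@dataclass
class Policy:
    conditions: Sequence[Condition]
    require_all: bool = False  # False: any listed condition suffices; True: all must hold
    predetermined_networks: Sequence[str] = ("192.0.2.0/24",)  # assumed value, constructed


def condition_holds(cond: Condition, results: ProbeResults, policy: Policy) -> bool:
    """Evaluate a single condition against the probe results."""
    if cond is Condition.ICMP_ECHO_ANSWERED:
        return results.icmp_echo_answered is True
    if cond is Condition.SPECIAL_FRAME_ANSWERED:
        return results.special_frame_answered is True
    if cond is Condition.LOCAL_IP_PREDETERMINED:
        if results.local_ip is None:
            return False
        try:
            addr = ip_address(results.local_ip)
        except ValueError:  # a garbage address never matches the predetermined value
            return False
        return any(addr in ip_network(net) for net in policy.predetermined_networks)
    raise ValueError(f"unknown condition {cond!r}")


def decide_encryption(results: ProbeResults, policy: Policy) -> bool:
    """True when the policy's conditions (any, or all) hold, i.e. encryption is to be enabled."""
    outcomes: List[bool] = [condition_holds(c, results, policy) for c in policy.conditions]
    if not outcomes:
        raise ValueError("a policy must name at least one condition")
    return all(outcomes) if policy.require_all else any(outcomes)


class FrameAnalyzerSetting:
    """Stands in for the setting of the frame analyzer A41 consulted at steps S8 and S18."""

    def __init__(self) -> None:
        self.encrypt_enabled = False
        self.history: List[bool] = []

    def apply(self, enabled: bool) -> bool:
        """Store the new setting; returns True if it actually changed."""
        changed = enabled != self.encrypt_enabled
        self.encrypt_enabled = enabled
        self.history.append(enabled)
        return changed


def run_cycle(results: ProbeResults, policy: Policy, setting: FrameAnalyzerSetting) -> bool:
    """One evaluation at a pre-set timing; returns the resulting encryption state."""
    setting.apply(decide_encryption(results, policy))
    return setting.encrypt_enabled


if __name__ == "__main__":
    policy = Policy([Condition.ICMP_ECHO_ANSWERED, Condition.LOCAL_IP_PREDETERMINED])
    setting = FrameAnalyzerSetting()
    # Constructed probe outcomes: management server answered, PC holds a non-office address.
    print(run_cycle(ProbeResults(icmp_echo_answered=True, local_ip="203.0.113.7"), policy, setting))
```

The combination rule is kept explicit (`require_all`) because the text allows either a single condition or a combination to decide; the IP check uses prefix matching so that "a predetermined value" can be a network as well as a single address.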
[Effects]
Next, effects of this embodiment will be explained.
In this embodiment, as mentioned above, incorporating the encryption setting module A40 into the PC 1 enables the encryption function of the intermediate driver to be set automatically according to the network environment, whereby the burden on the user of manually changing the encryption function whenever the PC 1 changes location is eliminated.
For example, by employing this encryption setting module A40, the encryption setting is automatically switched off when the PC is used in an office LAN, where there is no risk of wiretapping, and switched on when the PC is used in a net-café, where the risk of wiretapping is high. The user does not have to change the setting manually at all.
Further, since the user has no occasion to change the encryption setting manually, there is no risk of an erroneous setting, and the risk of information leakage due to an erroneous setting is excluded as well.
[Explanation of a Configuration]
Next, a ninth embodiment for carrying out the fifth invention of the present invention will be explained in detail with reference to the accompanying drawings.
Herein, the network 5 was already explained in the configuration of the fifth embodiment shown in
The gateway 7 is connected to the hub 3 and the network 5. Upon receipt of the frame from the hub 3 and the network 5, the gateway 7 analyzes the received frame, performs a desired process for the frame, and thereafter, transfers the frame to an appropriate port.
Accompanied thereby, the function of the intermediate driver A11 mounted onto the PC 1 of
A function of each component of the gateway 7 will be explained. The gateway 7 includes an intermediate driver E1, a driver E7, and a driver E9 as software that is positioned in the lower layer that is not included in the OS.
The intermediate driver E1, which is connected to the driver E7 and the driver E9, has the functions described below. The intermediate driver E1 refers to the header of a frame that arrives from the driver E7 and investigates whether the frame needs to be encrypted. If the received frame needs to be encrypted, the intermediate driver E1 first terminates the TCP session with the TCP A2 of the PC 1, being the transmission source of the frame, and then encrypts the data. Here, the encryption key exchanged with the SSL B2 of the server 2, being the destination of the frame, is employed as the encryption key. After encrypting the frame, the intermediate driver E1 adds to the encrypted data the header that corresponds to the TCP session with the TCP B3 of the server 2, being the destination of the frame, and then transfers the encrypted data to the driver E9. On the other hand, if the frame received from the driver E7 does not need to be encrypted, the intermediate driver E1 transfers the frame to the driver E9 as it stands. Frames that do not need to be encrypted include a frame already encrypted in the PC 1, a DHCP packet, an ARP packet, and the like.
Further, the intermediate driver E1 refers to the header of a frame that arrives from the driver E9 and investigates whether the frame needs to be decrypted. If the received frame needs to be decrypted, the intermediate driver E1 first terminates the TCP session with the TCP B3 of the server 2, being the transmission source of the frame, and then decrypts the data. Here, the decryption key exchanged with the SSL B2 of the server 2, being the transmission source, is employed as the decryption key. After decrypting the frame, the intermediate driver E1 adds to the decrypted data the header that corresponds to the TCP session with the TCP A2 of the PC 1, being the destination of the frame, and then transfers the decrypted data to the driver E7. On the other hand, if the received frame does not need to be decrypted, the intermediate driver E1 transfers the frame to the driver E7 as it stands. Frames that do not need to be decrypted include a frame that is to be decrypted in the PC 1, a DHCP packet, an ARP packet, and the like.
The intermediate driver E1 is configured of a plurality of functional blocks as shown in
Next, the function of the frame analyzer E11 will be explained. It will be understood, however, that the function and configuration of the frame analyzer described below are only an example.
Further, as described below, the frame analyzer E11 has a function of determining whether the received frame needs to be encrypted or decrypted, and a function of determining whether to cancel (discard) the frame can be added besides this. With this cancellation function, it is possible to prevent a not-encrypted frame from leaking out of the PC 1, and to prevent the PC 1 from being attacked without authorization from an external network.
The frame analyzer E11 is connected to the driver E7, the driver E9, and a header converter E12. Each of
On the other hand,
Further,
The reason why the frame analyzer E11 is equipped with a bridge function, as in the process of step S95, is that frame transfer is not obstructed even when a plurality of terminals are connected upstream of the driver E7 and the driver E9.
In the above explanation of the gateway 7, which of the driver E7 and the driver E9 the destination terminal is connected to is identified by referring to the destination MAC address of the frame header; however, the destination IP address may be referred to instead of the destination MAC address.
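As an added example, not the patent's own implementation, the following Python code shows how the classification performed by the frame analyzer E11 can be realised on raw Ethernet frames: ARP and DHCP are transferred as they stand, a TCP segment addressed to the port on which the server expects encrypted data (t4) is treated as already encrypted in the PC, a segment addressed to the server's plaintext port (t2) is marked for termination and encryption, and, with the optional cancellation function described above, any other plaintext frame is discarded. It also picks the egress driver from the destination MAC address, falling back to bridging for unknown or broadcast addresses. The concrete port numbers (8080 standing in for t2, 443 for t4), the MAC and IP addresses, and the sample frames are constructed for this example and are not taken from the page.

```python
"""Frame classification modelled on the frame analyzer E11 of the gateway's intermediate driver.
Added example; ports, addresses and frames below are constructed, not from the patent."""
import struct
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Address

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
DHCP_PORTS = {67, 68}
PLAINTEXT_PORT_T2 = 8080  # assumed: port t2 of the server's plaintext TCP B6
ENCRYPTED_PORT_T4 = 443   # assumed: port t4 of TCP B3, used only for encrypted data


class Action(Enum):
    PASS = "pass"        # transfer as it stands (ARP, DHCP, frame already encrypted in the PC)
    ENCRYPT = "encrypt"  # terminate the TCP session and hand the data to the relay / SSL
    DROP = "drop"        # cancellation function: plaintext that is not on the allow list


@dataclass
class Verdict:
    action: Action
    reason: str


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header; yields 0 when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_eth(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_tcp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    # Minimal 20-byte header (seq/ack 0, PSH|ACK); TCP checksum left 0, the classifier only reads ports.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def build_udp(sport: int, dport: int, payload: bytes = b"") -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(frame: bytes) -> Verdict:
    """Decide what the gateway does with a frame arriving from the PC side (driver E7)."""
    if len(frame) < 14:
        return Verdict(Action.DROP, "runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        return Verdict(Action.PASS, "ARP is transferred as it stands")
    if ethertype != ETH_IPV4:
        return Verdict(Action.DROP, "unsupported ethertype")
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return Verdict(Action.DROP, "not an IPv4 header")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl or ipv4_checksum(ip[:ihl]) != 0:
        return Verdict(Action.DROP, "malformed IPv4 header")
    proto, l4 = ip[9], ip[ihl:]
    if len(l4) < 4:
        return Verdict(Action.DROP, "truncated transport header")
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == PROTO_UDP and (sport in DHCP_PORTS or dport in DHCP_PORTS):
        return Verdict(Action.PASS, "DHCP is transferred as it stands")
    if proto == PROTO_TCP and dport == ENCRYPTED_PORT_T4:
        return Verdict(Action.PASS, "already encrypted in the PC")
    if proto == PROTO_TCP and dport == PLAINTEXT_PORT_T2:
        return Verdict(Action.ENCRYPT, "plaintext session to the server: terminate and encrypt")
    return Verdict(Action.DROP, "unencrypted frame outside the allow list")


def select_egress(frame: bytes, mac_table: dict) -> str:
    """Pick the egress driver from the destination MAC; unknown or broadcast MACs are bridged."""
    return mac_table.get(frame[:6].hex(":"), "bridge")


# Constructed sample addresses (documentation ranges) and frames; not captured traffic.
PC_MAC, SERVER_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
PC_IP, SERVER_IP = "192.0.2.10", "198.51.100.20"
MAC_TABLE = {PC_MAC: "E7", SERVER_MAC: "E9"}
SAMPLE_FRAMES = {
    "plaintext_tcp": build_eth(SERVER_MAC, PC_MAC, ETH_IPV4, build_ipv4(
        PC_IP, SERVER_IP, PROTO_TCP, build_tcp(40000, PLAINTEXT_PORT_T2, b"GET / HTTP/1.0\r\n"))),
    "encrypted_tcp": build_eth(SERVER_MAC, PC_MAC, ETH_IPV4, build_ipv4(
        PC_IP, SERVER_IP, PROTO_TCP, build_tcp(40001, ENCRYPTED_PORT_T4, b"\x16\x03\x01"))),
    "dhcp_discover": build_eth("ff:ff:ff:ff:ff:ff", PC_MAC, ETH_IPV4, build_ipv4(
        "0.0.0.0", "255.255.255.255", PROTO_UDP, build_udp(68, 67, b"\x01"))),
    "arp_request": build_eth("ff:ff:ff:ff:ff:ff", PC_MAC, ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    "plaintext_telnet": build_eth(SERVER_MAC, PC_MAC, ETH_IPV4, build_ipv4(
        PC_IP, SERVER_IP, PROTO_TCP, build_tcp(40002, 23, b"login"))),
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        v = classify(frame)
        print(f"{name:16s} -> {v.action.value:7s} via {select_egress(frame, MAC_TABLE):6s} ({v.reason})")
```

The classifier validates the IPv4 header (version, length, checksum) before trusting the port fields, so a malformed frame falls into the discard path rather than being forwarded; whether the gateway should discard or merely pass unrecognised plaintext is the policy choice the text leaves open.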
Functions of the blocks other than the foregoing components out of the components shown in
[Explanation of an Operation]
An operation of this embodiment will be explained below by making a reference to
At first, the operation in the case that data is transmitted from the client application A1 of the PC 1 to the server application B1 of the server 2 will be explained. However, the operation up to the connection P3 is identical to that of the first embodiment, so the explanation starts from the connection P150.
Upon receipt of the frame from the IP stack A4 through the connection P150, the driver A5 delivers the received frame to the NIC A6 through a connection P151.
Upon receipt of the frame from the driver A5 through the connection P151, the NIC A6 transfers the received frame to the NIC E8 of the gateway 7 via the hub 3.
Upon receipt of the frame from the hub 3 through a connection P156, the NIC E8 delivers the received frame to the driver E7 through a connection P157.
Upon receipt of the frame from the NIC E8 through the connection P157, the driver E7 delivers the received frame to the frame analyzer E11 through a connection P158.
Upon receipt of the frame from the driver E7 through the connection P158 as shown in
Upon receipt of the frame from the frame analyzer E11 through the connection P159 as shown in
Upon receipt of the packet from the header converter E12 through the connection P160, the TCP E13 refers to the TCP header to check for reordering and loss of packets, and if neither reordering nor loss has occurred, removes the header from the packet and delivers the data to the relay application E14 through a connection P161. At this moment, it returns to the TCP A2 an ACK packet notifying the arrival of the packet, thereby terminating the TCP session from the TCP A2. Viewed from the TCP A2, the TCP session appears to be established between the TCP A2 and the TCP B6, because the port number of the TCP E13 has been made to coincide with the port number t2 of the TCP B6; however, the actual TCP session is established between the TCP A2 and the TCP E13. In
Upon receipt of the data from the TCP E13 through the connection P161, the relay application E14 delivers the data to the SSL E16 through a connection P162-1 so that it is encrypted to prevent wiretapping.
Upon receipt of the data from the relay application E14 through the connection P162-1, the SSL E16 encrypts the data using the encryption technique agreed upon beforehand with the SSL B2 of the server 2. After completing the encryption, the SSL E16 delivers the encrypted data to the TCP E15 through a connection P162-2.
Upon receipt of the data from the SSL E16 through the connection P162-2, the TCP E15 adds the TCP header and the destination IP address to the data, thereby packetizing it. A port number t4 of the TCP B3 of the server 2 is employed for the destination TCP port number of the TCP header, and a port number t3 of the TCP E15 for the transmission source TCP port number. Here, the port number t4 of the TCP B3 is the port number explicitly used for transmitting encrypted data. Further, an IP address i2 of the server 2 is set as the destination IP address. After adding such a TCP header and destination IP address, the TCP E15 delivers the packet to the header converter E12 through a connection P163. By these processes the TCP E15 establishes the TCP session with the TCP B3 of the server 2, and realizes stable data transfer to and from the TCP B3. In
Upon receipt of the packet from the TCP E15 through the connection P163 as shown in
Upon receipt of the frame from the frame analyzer E11 through the connection P165, the driver E9 delivers the frame to the NIC E10 through a connection P166.
Upon receipt of the frame from the driver E9 through the connection P166, the NIC E10 delivers the frame to the NIC B8 via the network 5.
Upon receipt of the frame from the NIC E10 via the network 5, the NIC B8 delivers the frame to the driver B7 through a connection P168.
The operation after it is entirely identical to that of the first embodiment, so its explanation is omitted.
As mentioned above, it was confirmed that the data transmitted from the client application A1 was encrypted in the gateway 7 and surely arrived at the server application B1.
Further, the explanation of the operation in the case that data is transmitted from the server application B1 to the client application A1 after completing the above-mentioned process is omitted, because the data only travels in the direction opposite to that of the foregoing path.
From the above explanation, it was confirmed that the bi-directional communication between the client application A1 and the server application B1 was encrypted without fail by routing it through the gateway 7.
Further, in the above explanation, the operation in the case of encrypting the communication between the PC 1 and the server 2 in the gateway 7 was explained, and the gateway 7 in the case that the gateway 7 mediates communication between each of a plurality of the PCs and the server in addition to the communication between the PC 1 and the server 2 as shown in
The intermediate driver E1 of the gateway 7, which includes the TCP E13, the relay application E14, the SSL E16, and the TCP E15 for each communication session between the PC and the server, performs a relaying process of the TCP session between the PC and the server. This enables data that is transmitted/received between each PC and each server to be encrypted.
Further, loopback-connecting the intermediate driver and the OS in addition to this configuration, as already described in the second and third embodiments, makes it possible to reduce the burden that the software developer bears. Incorporating the loopback process described above into the intermediate driver of this embodiment allows the system configuration shown in
[Effects]
Next, effects of this embodiment will be explained. In this embodiment, mounting the function of the intermediate driver incorporated in the PC in the first embodiment onto the gateway apparatus makes it possible to encrypt the communication data between each of a plurality of PCs and the server collectively in the gateway apparatus, without installing the intermediate driver into each PC, even where a plurality of PCs each carrying a risk of information leakage exist. Thus, the burden of installing the intermediate driver into all PCs that carry a risk of information leakage is eliminated.
The present invention has been described with reference to the preferred embodiments; however, the present invention is not necessarily limited to the above-mentioned embodiments, and can be carried out with alterations thereto within the scope of the technical spirit of the present invention. For example, in the case of transmitting data from a PC 1 to the PC 2 via the server, as when transmitting electronic mail, a frame analyzer for determining whether the transmission data has been encrypted, and an SSL for encrypting the transmission data when this frame analyzer has determined that it has not been encrypted, may be mounted onto the server.
Number | Date | Country | Kind
---|---|---|---
2005-054954 | Feb 2005 | JP | national

Filing Document | Filing Date | Country | Kind | 371c Date
---|---|---|---|---
PCT/JP2006/303578 | 2/27/2006 | WO | 00 | 8/24/2007