Conventionally, on an open network (e.g., the Internet or a public hot spot) to which many unspecified nodes are connected, various encrypted communication methods are used to encrypt communication between nodes (e.g., client nodes, servers, and gateway apparatuses) and to provide a secure communication path that prevents any third party from eavesdropping on the communication contents, as described in, e.g., RFC2401 or RFC3546.
Encrypted communication protocols that implement an encrypted communication method of this type are roughly classified as follows, depending on the layer that is encrypted.
◯ Layer 4 (transport layer) and upper layers
SSL (Secure Sockets Layer), TLS (Transport Layer Security), SSH (Secure Shell)
◯ Layer 3 (network layer) and lower layers
IPsec, L2TP (Layer 2 Tunneling Protocol) over IPsec, Ethernet® over IPsec
When communicating with another node by using these encrypted communication protocols, the conventional encrypted communication methods can be classified into the following three types according to the form in which communication is encrypted.
(1) A form that encrypts communication within individual applications such as a Web browser or an e-mail application
(2) A form that encrypts communication by using a communication encryption module
(3) A form that encrypts communication by using a function provided by the kernel unit of an OS (Operating System)
The encrypted communication method of form (1) uses the above-described communication encryption protocols for layer 4 and upper layers. For example, to encrypt HTTP (Hyper Text Transfer Protocol) communication with a communication partner having the domain name “example.com”, a URL (Uniform Resource Locator) such as “https://example.com/index.html” is entered in a Web browser, and the browser encrypts the HTTP communication with that partner by SSL. Naturally, this form cannot be used unless the application itself supports the communication encryption protocol.
In communication encryption of form (2), which uses a communication encryption module, the above-described communication encryption protocols for layer 4 and upper layers are mainly used. The communication encryption module runs as an independent process. It intercepts the data packets exchanged between an application and its communication partner, encrypts or decrypts them, and forwards them to the communication partner or to the application, respectively. Examples of such a module are stunnel, which SSL-encrypts an arbitrary TCP (Transmission Control Protocol) connection, and SSH port forwarding, which tunnels an arbitrary TCP connection through an encrypted SSH connection.
Like form (3), form (2) can encrypt the communication of an arbitrary application, because encryption is performed regardless of whether the application itself supports the communication encryption protocol. Unlike form (3), however, form (2) encrypts communication with awareness of the application, so the communication of only a specific application can be encrypted.
FIG. 10 shows the outline of communication encryption processing by the communication encryption method of form (2). A communication encryption module A13x includes a communication encryption unit A131x, which executes the communication encryption processing, and an encrypted communication path setting table A132x, in which only one set consisting of the address of the target node of encrypted communication (hereinafter referred to as the encrypted communication target node) C1 and its encrypted communication path setting information is registered. The communication encryption module A13x runs as an independent process. To have the communication encryption module A13x perform communication encryption processing on a data packet transmitted from an application A11x, the application A11x first hands the data packet to the communication encryption module A13x, which performs the necessary encryption processing and then transmits the data packet to the actual communication partner. For this reason, the application A11x does not designate the IP address of the actual communication partner directly; instead, it designates the loopback address, i.e., “127.0.0.1” (together with the reception port number of the communication encryption module process, as needed), as the destination address so that the communication encryption module A13x receives the data packet. Upon receiving the data packet from the application A11x, the communication encryption module A13x looks up the encrypted communication path setting table A132x and causes an encryption/decryption processing unit A1311x of the communication encryption unit A131x to encrypt the data packet in accordance with the encrypted communication path setting information for the preset communication partner (the node with IP address “1.2.3.4” in FIG. 10), namely protocol: SSL, encryption algorithm: DES, and digital certificate ID: 11 in FIG. 10. The communication encryption module A13x then causes an address conversion unit A1312x to rewrite the destination to IP address “1.2.3.4” and transmits the data packet.
The encrypted communication method of form (2) may use an arrangement in which a client node A1x incorporates the communication encryption module A13x, as shown in FIG. 10, or an arrangement in which the communication encryption module is provided by an external node acting as a communication encryption proxy node. In the latter case, the application transmits a data packet by designating the IP address of the external node as the destination address. The communication encryption module performs the necessary encryption processing on the received data packet and transmits it to the preset communication partner (i.e., to the IP address of the encrypted communication target node).
In the encrypted communication method of form (3), which performs communication encryption by using a function provided by the kernel unit of an OS, the above-described communication encryption protocols for layer 3 and lower layers are mainly used. For example, to encrypt all IP packets to a communication partner having the IP address “1.2.3.4”, an IPsec setting in transport mode or tunnel mode is configured for that communication partner (IP address = 1.2.3.4) in the OS settings.
Like form (2), form (3) can encrypt the communication of an arbitrary application, because encryption is performed regardless of whether the application supports the communication encryption protocol. However, in form (3), communication with a communication partner having a preset IP address is generally encrypted in its entirety, without awareness of the application, unlike form (2). It is therefore impossible to encrypt the communication of only a specific application.
FIG. 11 shows the outline of communication encryption processing by the encrypted communication method of form (3). The data transmission/reception unit A14y in the kernel unit of the OS includes a communication encryption unit A141y, which executes the communication encryption processing, and an encrypted communication path setting table A142y, in which the addresses of the encrypted communication target nodes and their encrypted communication path setting information are registered. All data packets transmitted from the application A11x are passed to the data transmission/reception unit A14y for transmission processing. The communication encryption unit A141y in the data transmission/reception unit A14y looks up the encrypted communication path setting table A142y by the destination address of each data packet. When the destination address is registered as an encrypted communication target node (“1.2.3.4” or “5.6.7.8” in FIG. 11), the data packet is encrypted in accordance with the registered encrypted communication path setting information (protocol: IPsec, encryption algorithm: DES, and digital certificate ID: 11 in FIG. 11) and transmitted to the communication partner.
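As an added illustration (not part of the original document), the following Python model contrasts the two table-driven flows described for FIG. 10 and FIG. 11: the form (2) module only sees packets that an application deliberately addresses to the loopback address and rewrites the destination after encryption, whereas the form (3) kernel unit decides on the destination of every outgoing packet regardless of which application sent it. The table values follow the figures; the cipher step is a labelled placeholder, since the point being shown is where the policy decision is made.

```python
from dataclasses import dataclass, replace

LOOPBACK = "127.0.0.1"

@dataclass(frozen=True)
class Packet:
    app: str            # application that produced the packet
    dst: str            # destination IP address
    payload: bytes
    path: tuple = ()    # (protocol, algorithm, cert_id) once encrypted, else ()

# Encrypted communication path setting tables (values as in FIG. 10 and FIG. 11).
# Form (2): a single preset target node; form (3): one entry per target node.
MODULE_TABLE_A132 = {"1.2.3.4": ("SSL", "DES", 11)}
KERNEL_TABLE_A142 = {"1.2.3.4": ("IPsec", "DES", 11), "5.6.7.8": ("IPsec", "DES", 11)}

def encrypt(pkt: Packet, path: tuple) -> Packet:
    """Placeholder for the encryption/decryption unit: a real implementation
    would apply the protocol/algorithm/certificate in `path` to the payload."""
    return replace(pkt, payload=b"<ciphertext>", path=path)

def module_form2(pkt: Packet) -> Packet:
    """Form (2): user-space module listening on the loopback address.
    It only ever sees packets an application chose to send to 127.0.0.1,
    so one application can be encrypted while others are left alone."""
    if pkt.dst != LOOPBACK:
        return pkt                                  # never reaches the module
    (target, path), = MODULE_TABLE_A132.items()     # exactly one preset partner
    # Address conversion unit: rewrite the destination to the real partner.
    return replace(encrypt(pkt, path), dst=target)

def kernel_form3(pkt: Packet) -> Packet:
    """Form (3): kernel data transmission/reception unit. Every outgoing
    packet passes through, and the decision depends on the destination only;
    the sending application is not consulted."""
    path = KERNEL_TABLE_A142.get(pkt.dst)
    return encrypt(pkt, path) if path else pkt

if __name__ == "__main__":
    # Constructed sample traffic: a browser configured to use the module,
    # and a mail client that sends directly to the partner.
    browser = Packet("browser", LOOPBACK, b"GET / HTTP/1.1")
    mail = Packet("mail", "1.2.3.4", b"EHLO client")
    for pkt in (browser, mail):
        print("form (2):", module_form2(pkt))
        print("form (3):", kernel_form3(pkt))
```

Running it shows the mail client's packet leaving in clear under form (2) but encrypted under form (3), which is exactly the per-application versus per-destination distinction the text draws.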