JP2003229849A - Relaying method, repeater, program, and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reduce traffic in a communication network of a narrow band while ensuring security for encryption communication. <P>SOLUTION: A DTE (data terminal equipment) 11 and an LWP 16 perform handshake processing to start an encipherment communication corresponding to an SSL (secure socket layer). If the LWP 16 succeeds in handshake with the DTE 11, the LWP 16 performs handshake processing in order to start the encipherment communication of the SSL with a WWW server 14 designated by the DTE 11. The LWP 16 transmits information related to the certification of the WWW server 14 obtained in the handshake processing to the DTE 11 only at the first time. This reduces traffic in a mobile packet communication network 12. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a technique for relaying encrypted communication between one communication device and another communication device.

[0002]

2. Description of the Related Art WWW (World
In the Wide Web), SSL (Secure Sockets Layer) is generally used when transferring information for which security should be ensured. In encrypted communication using SSL (hereinafter, SSL encrypted communication), first, a handshake process is performed between the client device and the server device.
In this handshake processing, negotiation processing of encryption specifications, mutual authentication (often only server authentication), common key sharing, etc. are performed between the client device and the server device. When the above process is normally completed in the handshake process, encrypted data communication is performed between the client device and the server device.

On the other hand, the WWW is widely used through a mobile communication network, and in recent years, a mobile phone capable of SSL encrypted communication has also appeared. Although access to the Internet by such a mobile phone is performed via a gateway server, there are a method of terminating at the gateway server and a method of not terminating at the encrypted communication.

[0004]

By the way, in SSL, when reconnecting to a server after closing a session to the server, the handshake process needs to be redone. Therefore, HTTP (Hype
If SSL is applied to communication using a communication protocol in which sessions are frequently opened / closed, such as rText Transfer Protocol), the overhead increases. In particular, in a communication network having a narrower band than a fixed network such as a mobile communication network, an increase in traffic due to this increase in overhead becomes a problem.

With the method in which the gateway server does not terminate the encrypted communication, it is difficult to reduce the traffic in the mobile communication network because the gateway server cannot participate in the encrypted communication. If it is a termination method, it is expected to reduce the traffic. However, in view of the current situation, it cannot be said that a method capable of sufficiently reducing traffic in the mobile communication network has been proposed.

The present invention has been made in view of such circumstances, and a relay method and a relay device capable of reducing the traffic in a narrow band communication network while ensuring the security of encrypted communication, and the relay. An object of the present invention is to provide a program for causing a computer to execute the method, and a recording medium recording the program in a computer-readable manner.

[0007]

In order to solve the above-mentioned problems, the present invention provides a relay method in a relay device for relaying a message between one communication device and the other communication device, wherein the one communication A first handshake process for performing a handshake process for starting the first encrypted communication with the device, and a second handshake process with the other communication device.
Second handshake process for performing a handshake process for starting the encrypted communication of the other communication device, and the one communication device holds information relating to the certification of the other communication device acquired in the second handshake process. If it is estimated that the information is not transmitted to the one communication device, in other cases the transmission process of transmitting the information to the one communication device, the one communication device and the The first encrypted communication and the second encrypted communication with the other communication device.
And a relay process for relaying a message using the encrypted communication. According to this method, the second
When it is estimated that the information related to the certification of the other communication device acquired in the handshake process is held in the one communication device, the information is not transmitted to the one communication device.

In order to solve the above-mentioned problems, the present invention provides first communication means for performing a handshake process for starting the first encrypted communication with one communication device, and the other communication device. Second communication means for performing a handshake process for starting the second encrypted communication with the other communication device and acquiring information relating to the certification of the other communication device; and the one communication device. Relay means for relaying a message between the other communication device using the first encrypted communication and the second encrypted communication, wherein the first communication means comprises the second communication means. When it is estimated that the one communication device holds the information related to the certification of the other communication device acquired by the handshake means, the information is not transmitted to the one communication device, and other information is not transmitted. In case of the above information Providing a relay apparatus for transmitting to the square of the communication device. According to this device, when it is estimated that the information related to the certification of the other communication device acquired by the second handshake means is held in the one communication device, the information is transmitted to the one communication device. Not sent to the device.

In order to solve the above-mentioned problems, the present invention provides a computer device which relays a message between one communication device and the other communication device, and a first device between the computer device and the one communication device. And a second handshake process for starting the second encrypted communication with the other communication device. If it is estimated that the one communication device holds the information related to the certification of the other communication device acquired in the handshake procedure and the second handshake procedure, the information is transmitted to the one communication device. A transmission procedure in which the information is not transmitted to the device but otherwise the information is transmitted to the one communication device; and the first encrypted communication between the one communication device and the other communication device. A computer-readable recording medium recording the program and the program for executing a relay instructions to relay messages using a serial second encrypted communication. According to the computer that executes this program, when it is estimated that the information related to the certification of the other communication device acquired in the second handshake procedure is held in one communication device,
The information is not transmitted to the one communication device.

[0010]

DETAILED DESCRIPTION OF THE INVENTION Embodiments of the present invention will be described below with reference to the drawings. However, the present invention is not limited to the embodiment, and includes any aspect within the scope described in the claims.

(1) Overall Configuration FIG. 1 is a diagram showing the overall configuration of a data distribution system according to an embodiment of the present invention. In this figure, one WWW server and one DTE (data terminal equipment) are illustrated in order to prevent the drawing and description from becoming complicated, but in reality, there are many WWW servers and DTEs. . Further, the DTE 11 has a mobile phone function and can make a voice call via a mobile communication network. However, since the part related to the voice call is not directly related to the present invention, in the present embodiment, The description and illustration relating to the voice call are omitted.

In the data distribution system of FIG. 1, as shown in FIG. 2, the request transmitted from the DTE 11 is transmitted through the mobile packet communication network 12, the gateway server 15, and the Internet 13 in this order to a lightweight proxy server (hereafter
LWP) 16 and a request corresponding to the request from the DTE 11 is sent to the LW via the Internet 13.
It is transmitted from P16 to the WWW server 14 and received by the WWW server 14. The WWW server 14, which has received the request from the LWP 16, returns a response to the received request via the Internet 13.
This response is received by the LWP 16, and the response after undergoing the change processing described later is transmitted from the LWP 16 to the DTE 11 as a response corresponding to the request from the DTE 11. The response from the LWP 16 is received by the DTE 11 via the Internet 13, the gateway server 15, and the mobile packet communication network 12 in order.

(2) Configuration and Function of WWW Server 14 The WWW server 14 is a general computer system that constitutes a WWW that is realized by using the Internet 13. The WWW server 14 has the function of an HTTP server and is connected via the Internet 13. When the HTTP-compliant request is received, a response corresponding to the request is basically sent to the Internet 13. For example, the WWW server is H
When files such as TML data and image data are stored and the received request is a request using the GET method, the file corresponding to the URL specified by the GET method is read and the response including the file is returned. . Also, the WWW server has an SSL server function, and the HTT is performed using the SSL server function.
Operates as a PS server.

(3) Configuration and Function of DTE 11 FIG. 3 is a block diagram showing a configuration example of the DTE 11. In this figure, the CPU 31 controls each part of the DTE 11 and performs various data processing. The wireless communication unit 32 is a communication interface including an antenna and the like, and the CPU 3
The data supplied from No. 1 is sent to the mobile packet communication network 12, and the data received via the mobile packet communication network 12 is passed to the CPU 31.

The operation unit 33 is provided with an operator (a ten-key pad, a cursor key, etc.) operated by the user, and passes data indicating the operation content of the operator to the CPU 31. The display unit 34 is, for example, a liquid crystal display, and displays an image according to the image data supplied from the CPU 31. Volatile memory 35
Is, for example, a RAM (Random Access Memory), and CP
Functions as a work area for U31. The non-volatile memory 36 is, for example, a ROM that stores data in a non-rewritable manner.
(Read-Only Memory) 361 and EEPROM (Electrically Erasable Program) for rewritably storing data
mmable ROM) 362, the ROM 361 stores software such as an operating system and a web browser, and the EEPROM 362 stores information set by the user. The software such as a web browser may be stored in the EEPROM 362, or the software such as a web browser may be stored in the volatile memory 35 when the volatile memory 35 is backed up by a battery. Also, the web browser has an SSL client function and can operate as an HTTPS client. The SSL client function is different from the normal SSL client function only in that the client-side handshake process described below is performed instead of the normal client-side handshake process. The CPU 31 has a ROM 361.
By executing the software stored in, the above-mentioned various parts are controlled and various data processing is performed. These software may be acquired by downloading through a network such as the Internet 13, or may be acquired by reading out from a recording medium such as a nonvolatile semiconductor memory by a removable medium reading device (not shown). It may be

Next, the functions given to the DTE 11 by the CPU 31 executing the software stored in the ROM 361 will be described. However, description of functions of a general mobile phone equipped with a web browser is omitted.

(3-1) Content Acquisition Function and Interpretation / Display Function The content acquisition function is a function for downloading HTML files, image files, etc. from a WWW server, and HTTP (H
It is realized by using the TTPS) client function.
The interpretation / display function is a function of interpreting / displaying the downloaded content, and is realized by using the HTML interpretation function and the user interface providing function of the DTE 11 that executes the software.

FIG. 4 is a flow chart showing the flow of content acquisition processing using the HTTP client function of the DTE 11. As shown in FIG.
When a start instruction of the content acquisition process is input using the operation unit 33 of No. 1, the CPU 31 controls the wireless communication unit 32,
CPU31 and LWP16 (to be exact, CP of LWP16)
U), a TCP connection (hereinafter, client TCP connection) is established (step SA1).
Next, the CPU 31 transmits a request using the HTTP GET method (step SA2). This request is, for example, a request line "GET http: //www.*****.co.jp/". This request line is
The URL (http: //www.*****.co.jp/) based on the start instruction input by the user using the operation unit 33 of the DTE 11 is included.

Thereafter, the CPU 31 waits for reception of a response to the request (step SA3), and when receiving the response, disconnects the TCP connection (step SA4) and interprets and displays the content included in the response (step SA4). Step SA5). If a response is not received even after a lapse of a predetermined time after transmitting the request, a time-out process is performed. However, this type of time-out process is not directly related to the operation example of the present embodiment. Then, the explanation about the timeout process is omitted.

In the interpretation and display processing, the content is interpreted according to the HTML grammar. Content is HTM
In the case of L data, the CPU 31 interprets the HTML data, generates image data of a layout according to the description, and supplies the image data to the display unit 34. In interpreting the HTML data, the CPU 31 performs processing corresponding to various tags described hierarchically. For example, with an IMG tag,
An image frame including the alternative character string represented by the ALT attribute value is displayed on the display unit 34. It should be noted that when the user selects (clicks) the display portion represented by the image frame, the CPU 31 performs the above-described content acquisition process on the image file identified by the URL specified in the IMG tag corresponding to the image frame. I do.

On the other hand, in the case of content acquisition processing using the HTTPS client function of the DTE 11, the request line is, for example, "GET https: //www.*****.
co.jp/ ”. The flow of the content acquisition processing in such a case is shown in FIG. 5. As shown in this figure, when the user inputs an instruction to start the content acquisition processing, the CPU 31
Controls the wireless communication unit 32, establishes a client TCP connection between the CPU 31 and the LWP 16 (step SA1), and communicates with the LWP 16 via this client TCP connection to start encrypted communication. Handshake processing is performed (step SA6).

When the client side handshake process is completed normally (step SA7), the CPU 31 notifies the LWP 16 of the information (host name and port number) of the WWW server of the connection destination via the client TCP connection (step SA8). Wait for the certification information of the WWW server of the connection destination. In the present embodiment, the host name and port number are indispensable information for connection, and hence these information are hereinafter referred to as connection information.

When the certification information of the WWW server of the connection destination is received via the client TCP connection (step SA9), the CPU 31 requests the GET method (for example, "GET" as in the normal HTTP communication).
(https: //www.*****.co.jp/ ”) is transmitted to the LWP 16 via the TCP connection (step SA2), and a response to the request is waited (step SA3).

When the response is received, the CPU 31
Closes the SSL session opened by the handshake process (step SA10), disconnects the TCP connection (step SA4), and interprets and displays the content included in the response (step SA5). If the client-side handshake process is not normally completed in step SA7, the user is notified to that effect (step SA1).
1), the process ends. Normal HT for other flows
This is the same as the flow of the content acquisition processing using the TP client function.

(4) Configuration and Function of LWP 16 FIG. 6 is a block diagram showing a configuration example of the LWP 16. L
The WP 16 has a hardware configuration similar to that of a general proxy server, and the explanation is complicated if all the configurations are explained. Therefore, FIG. 6 is necessary for explaining an operation example of this embodiment. Only the minimal configuration is shown.

In FIG. 6, the CPU 41 controls each part of the LWP 16 and performs various data processing. The communication unit 42 uses TCP / IP (Tran
smission Control Protocol / Internet Protocol), U
This is an interface for performing communication in accordance with DP (User Datagram Protocol) / IP, HTTP, and HTTPS, and sends the data supplied from the CPU 41 to the Internet 13 and passes the data received via the Internet 13 to the CPU 41. .

The operation unit 43 is operated by the administrator of the LWP 16, and is equipped with devices such as a keyboard and a mouse.
The data input by the administrator using these devices is stored in the CPU.
Pass to 41. The display unit 44 is, for example, a CRT (Cathode Ray).
Tube) and its control device, and displays an image according to the image data supplied from the CPU 41. The volatile memory 45 is, for example, a RAM and functions as a work memory for the CPU 41. The non-volatile memory 46 is composed of, for example, a ROM and a hard disk, and stores a boot program, an operating system, software for performing relay processing, and the like. The CPU 41 is a nonvolatile memory 4
By executing the software (program) stored in 6, the above-mentioned respective parts are controlled and various data processing is performed. These software may be acquired by downloading via a network such as the Internet 13, or may be acquired by reading from a recording medium such as a CD-ROM by a removable media reading device (not shown). May be

Next, the function given to the LWP 16 by the CPU 41 executing the software stored in the non-volatile memory 46 will be described. However, regarding the functions of a general proxy server, only the functions directly related to the operation example of the present embodiment will be described.

(4-1) HTTP Processing Function The HTTP processing function is a function of relaying HTTP-compliant communication using the HTTP client function and the HTTP server function. In this relay, the CPU 41 recognizes the fields that make up the request and response according to HTTP and performs appropriate processing. For example, H
"Via" in the general header field of the TTP request header is not set in DTE11 and is L
It is set at WP16. Also, "Host" in the request header field is DTE11 and L
It is set in WP16 respectively. In addition, “Proxy-Authorizatio in the request header field
“N” is set in DTE 11 and deleted in LWP 16. “Cont in entity header field
"ent-Length" is set in DTE11 and cannot be changed in LWP 16. Also, "Conten in the entity header field of the HTTP response header
"t-Length" and "Content-Type" are set in the WWW server and cannot be changed in LWP 16. In the communication between the DTE 11 and the WWW server,
Such conversion is always performed when the LWP 16 relays the HTTP request and response.

(4-2) HTTPS processing function The HTTPS processing function includes an SSL server function and an SSL server function.
It is a function of relaying communication according to HTTPS using a client function. This function is a function for realizing processing in which the target communication protocol of the HTTP processing function described above is replaced with HTTPS. The SSL server function is a function for performing encrypted communication with the SSL client. The difference between the SSL server function and the normal SSL server function is the same as the difference between the normal SSL client function and the SSL client function. That is, it differs from the normal SSL server function in that the server-side handshake process corresponding to the client-side handshake process is performed.

(4-3) Content Proxy Acquisition Function by HTTP The content proxy acquisition function by HTTP downloads the content from the WWW server in response to the request from the DTE, processes it as necessary, and then sends it to the DTE as a response to the request. This is a transfer function and is premised on the use of the HTTP processing function.

FIG. 7 is a flow chart showing the flow of the content proxy acquisition process using the HTTP function of the LWP 16. As shown in FIG.
Client TC with DTE upon request from E
A P connection is established (step SB1). Then, the HT is sent via the client TCP connection.
Upon receiving the request using the TP GET method, the CPU 41 determines the U specified in the received request.
A TCP connection (hereinafter, server TCP connection) is established with the WWW server corresponding to the RL, and the ID of the server TCP connection is set to the client T.
Volatile memory 45 in association with the ID of the CP connection
(Step SB3). Further CPU41
Processes the request and sends the processed request via the server TCP connection (step SB4). At this time, the source of the request transmitted via the server TCP connection is LWP16.

Thereafter, the CPU 41 waits for reception of a response to the request (step SB5), and when receiving the response, disconnects the server TCP connection (step SB6) and analyzes (and changes) the content included in the response. I do. That is,
The CPU 41 sequentially extracts tags to be analyzed (hereinafter, target tags) from the content, and if the target tag is an IMG tag, performs a process of changing the ALT attribute value set in the IMG tag until the target tag disappears. The above process is repeated (steps SB7 to SB10). The process of changing the ALT attribute value is a process for increasing convenience by notifying the user of the DTE 11 of the data size of the image file before the start of downloading the image file, and its specific content will be described later. . The ALT attribute value is an alternative character string displayed when the corresponding image is hidden.

When the above analysis (and modification) is completed, C
The PU 41 transmits a response including the analyzed (and changed) content as a response to the request from the DTE via the corresponding client TCP connection (step SB11), and disconnects the client TCP connection (step SB1).
2).

FIG. 8 shows an ALT attribute value changing process in the content proxy acquisition process using the HTTP processing function (see FIG. 7).
Is a flowchart showing the flow of step SB10) of FIG. 7, and the processing shown in this figure is performed when the target tag is an IMG tag. When the target tag is an IMG tag, CPU41
Is the WWW corresponding to the URL specified in the IMG tag
A server TCP connection is established with the server (step SC1), and a GET method for acquiring the image file specified by the URL is transmitted via the server TCP connection (step SC2). After that, the CPU 41 waits for the reception of the response to the request (step SC3), and when the response is received, measures the data size of the image file included in the response (step SC4) and disconnects the server TCP connection. (Step SC5), the ALT attribute value is changed based on the data size (step SC6). The data size of the image file is measured by the CPU 41, for example, by measuring the data size of the entity body in the response. The above-described ALT attribute value changing process is repeated for the number of IMG tags (images) in the content.

(4-4) Content Proxy Acquisition Function by HTTPS The content proxy acquisition function by HTTPS downloads content from a WWW server in response to a request from the DTE, processes it as necessary, and then sends it to the DTE as a response to the request. This is a transfer function and is premised on the use of the HTTPS processing function.

FIG. 9 is a flowchart showing the flow of the content proxy acquisition process using the HTTPS function of the LWP 16. As shown in this figure, the CPU 41 causes the D41
The client T communicates with the DTE in response to the request from the TE.
A CP connection is established (step SB1), and a server side handshake process for starting encrypted communication is performed by communicating with the DTE via the client TCP connection (step SB13).

When the server side handshake process is completed normally (step SB14), the CPU 41 receives the connection information of the WWW server of the connection destination via the client TCP connection (step SB15), and the WW concerned.
Establish a server TCP connection with the W server,
The ID of the server TCP connection is stored in the volatile memory 45 in association with the ID of the client TCP connection (step SB3).

Further, the CPU 41 uses the server TCP
S by communicating with the WWW server via a connection
A client side handshake process for starting the SL encrypted communication is performed (step SB16). When the client-side handshake processing is completed normally (step SB17), the CPU 41 indicates in the correspondence table T shown in FIG. 10 a DTE identifier for uniquely identifying the DTE, and encrypted communication with the DTE. Assigned session ID, common key assigned to DTE in this encrypted communication, session ID assigned to encrypted communication with the WWW server, and common key assigned to WWW server in this encrypted communication Is inserted, and the WWW server certification information (server certificate and its determination result) obtained by the client-side handshake process is inserted into the client T.
Send via CP connection (step SB1)
8).

Next, the CPU 41 causes the client T
The HTTP processing function is used until the request from the DTE is received via the CP connection (step SB2), the request is processed and then transmitted to the WWW server via the server TCP connection, and the client TCP connection is disconnected. The same processing as the content proxy acquisition processing is performed (steps SB4 to SB1).
2). However, in step SB12, the corresponding record in the correspondence table T is deleted. Further, the process of step SB10 is not performed, and instead, step SB1 is performed.
The process of 9 is performed.

When the server side handshake processing is not normally completed in step SB14, CP
The U41 notifies that effect to the DTE via the client TCP connection (step SB20), and disconnects the client TCP connection (step S).
B12). If the client side handshake process is not normally completed in step SB17,
The CPU 41 notifies the DTE to that effect via the client TCP connection (step SB21), and disconnects the server TCP connection (step SB2).
2) The client TCP connection is disconnected (step SB12).

FIG. 11 is a flow chart showing the flow of the ALT attribute value changing process (step SB19 in FIG. 9) in the content proxy acquisition process using the HTTPS processing function. The process shown in this figure differs from the process shown in FIG. 8 in that the process of step SC7 is inserted between step SC1 and step SC2.
In addition, the processing of SC3 is performed by SSL encrypted communication.

In step SC7, the CPU 41 obtains the WWW session ID related to the current process from the correspondence table T stored in the volatile memory 45, and the WW concerned via the already established server TCP connection.
Performs the client-side handshake process that specifies the W session ID. As a result, a simplified handshake process is performed with the WWW server, and SSL encrypted communication is started. At this time, the WWW server certification information is not transmitted to the DTE. This is the WWW
This is because the server certification information has already been transmitted to the DTE, and only a sufficiently short time has passed since the certification information was transmitted first, and there is no need to retransmit the WWW server certification information.

(4-5) Name Resolution Function The LWP 16 has a DNS (Domain Name System) name resolution function and can specify the IP address based on the host name. This name resolution function is LWP16
Is realized by making an inquiry to a DNS server device (not shown), but it goes without saying that the LWP 16 may also be provided with a DNS server function and this function may be used for implementation.

(5) Operation Example The operation of this embodiment is the content of contents, the function of DTE,
The number of operation patterns varies depending on the function of the WWW server and the WWW server, but here, an operation example that directly expresses the features of the present invention will be described with reference to FIGS.
2 will be described. In addition, in these figures, the same reference numerals are given to common portions. In addition, FIG.
In order to avoid complicated drawings,
Related messages, acknowledgment messages, and optional messages in various handshake processes are not shown.

However, as a premise of the operation example described below, it is assumed that the content acquired by the DTE 11 from the WWW server 14 is a text file including an IMG tag designating an image file (aaa.gif) of 20 KB. In addition, HTTP-based access to the content is prohibited, and in this operation example, the DTE 11 sets the HT
It is assumed that the content is accessed using TPS.

(5-1) When all handshake processes are completed normally FIG. 12 is a sequence diagram showing an operation example when all handshake processes are completed normally. As shown in FIG. The user operates the DTE 11 and the WWW server 14
When an instruction to acquire the above-mentioned content according to HTTPS is input from, a client TCP connection is established between the DTE 11 and the LWP 16 (step S
A1, SB1), handshake processing is performed via the client TCP connection (step SA).
6, SB13).

When the handshake process is completed normally,
After that, communication via the client TCP connection becomes encrypted communication. Further, when the handshake process is normally completed, the connection information of the WWW server 14 is notified from the DTE 11 to the LWP 16 via the client TCP connection (steps SA8, SB1).
5). Upon receiving this notification, the LWP 16 resolves the DNS name based on the connection information, and the LWP 16 and WW
A server TCP connection is established with the W server 14 (step SB13), and a handshake process is performed between the LWP 16 and the WWW server 14 via the server TCP connection (step SB16).

When the handshake process is completed normally,
After that, communication via the server TCP connection becomes encrypted communication. Further, when the handshake process is completed normally, the LWP 16 obtains the certificate of the WWW server 14 obtained in the handshake process (server certificate).
And the result of the determination made for the certificate are passed to the DTE 11 via the client TCP connection (steps SB18, SA9). This allows the DTE 11 to know that all nodes on the route have been authenticated.

Next, a request based on the URL (https: //www.*****.co.jp/index.html) corresponding to the content to be acquired is sent from the DTE 11 to the LWP 16 via the client TCP connection. Is transmitted (step SA2). This request is received by the LWP 16 (step SB2), converted by the HTTPS processing function described above, and then transmitted to the WWW server 14 via the server TCP connection (step SB).
4).

L via the server TCP connection
WWW server 14 that received the request from WP 16
Then, a response including the content (index.html) corresponding to the URL specified in the request is generated,
This response is returned to the LWP 16 via the server TCP connection (step SB5). After that, the server TCP connection is disconnected (step SB6).

Since the content acquired by the LWP 16 includes the IMG tag designating the image file (aaa.gif), the LWP 16 performs the process of acquiring the image file. That is, LWP16 and W
A server TCP connection is established with the WW server 14 (step SC1) and stored in the correspondence table T in association with the client TCP connection (DTE identification information and DTE session ID) via the server TCP connection. A handshake process is performed by specifying the existing WWW session ID (step SC7).

When this handshake process is completed, L
A request for obtaining the image file is transmitted from the WP 16 to the WWW server 14 via the server TCP connection. When an image file is sent as a response to this request, the LWP 16 uses a character string (for example, [2
0KB]) AL of the IMG tag that specifies the file
Index.html is changed so that it has the T attribute value. Also,
The server TCP connection is disconnected.

Thus, even if the handshake process in the process of changing the ALT attribute value is completed, the WWW server 14
1 is not transferred to the DTE 11, the amount of data flowing into the mobile packet communication network 12 of FIG. 1 is reduced as compared with the case where the certification information of the WWW server 14 is always sent when the handshake process is normally completed. In addition, DTE1
1 receives the certification information of the WWW server 14 in steps SB18 and SA9, and the validity period of the server certificate is LW from the time of acquisition of index.html by LWP16.
This is sufficiently long as compared with the period up to the time of obtaining aaa.gif in P16, so that no security problem can occur.

The changed index.html is sent from the LWP 16 to DT via the client TCP connection.
After being sent to E11 (step SB11, SA3),
The client TCP connection is disconnected (step SA4.SB12), and the record corresponding to the client TCP connection is deleted from the correspondence table T. Note that the DTE 11 provides a user interface based on the changed index.html. On this occasion,
The character string [20 KB] is displayed in the display portion corresponding to aaa.gif. After that, when the display portion is selected by the user, the DTE 11 performs a process of obtaining aaa.gif from the WWW server 14, and the operation at that time is as shown in FIG.
Is deleted and the target file in steps SB4 and SB5 is changed to aaa.gif, which is represented by a sequence.

(5-2) When the handshake process is not normally completed When the handshake process is not normally completed, as shown in FIG.
The processing subsequent to steps SA6 and SB13 in 2 is skipped, and the client TCP connection is disconnected (steps SA4 and SB12). Also, DTE
In 11, a message indicating that the handshake process has not been normally completed is displayed.

(5-3) When the handshake process is not normally completed When the handshake process between the LWP 16 and the WWW server 14 is not normally completed, the process following step SB16 in FIG. Skipped, server T
CP connection disconnection process (step SB6) and client TCP connection disconnection process (step S)
Only A4 and SB12) are performed. Further, the DTE 11 displays that the handshake process with the WWW server 14 has not been normally completed.

[Modification] In the above-described embodiment, the LWP is used.
The record is inserted into the correspondence table T only when the handshake process between the WWW server and the WWW server is normally completed. However, when various information is obtained, the information is stored in the field of the corresponding record. You may

Further, in the above-described embodiment, DTE and L
The encrypted communication with the WP was SSL encrypted communication,
Any communication that can realize security equivalent to SSL may be used, and for example, communication using ECC (elliptic curve encryption) may be used. When communication using ECC is adopted, D
The traffic between the TE and the LWP can be further reduced. Of course, the encrypted communication between the LWP and the WWW server is not limited to the SSL encrypted communication.

Further, in the above-described embodiment, an example in which the DTE has a communication function is shown, but the DTE may communicate via a communication terminal having a communication function. Further, according to the present invention, the bandwidth of the communication path between the DTE and the LWP is L.
When the band is narrower than the bandwidth of the communication path between the WP and the WWW server, the remarkable effect is exhibited.
The communication path between them may be a fixed network or a circuit switched network. Of course, the communication network between the LWP and the WWW server is not limited to the Internet, but may be any network that realizes the same function as the Web, and may be, for example, a so-called intranet.

In the above embodiment, HTTP
Although description has been made on the premise of (HTTPS), the scope of application of the present invention is not limited to this, and the present invention can be applied to all communication protocols that can use encrypted communication. further,
The present invention can also be applied when the LWP and the WWW server are integrated. However, in this case, the communication between the LWP and the WWW server is, for example, interprocess communication.
Further, an aspect in which the LWP and the gateway server are integrated is also included in the scope of the present invention.

[0062]

As described above, according to the present invention,
If it is estimated that the information related to the certification of the other communication device acquired by the relay device by the handshake process between the relay device and the other communication device is held in the one communication device, the communication of the one communication device is performed. Not sent to the device. Therefore, the traffic between the one communication device and the relay device is reduced.

The reduction of the traffic between the one communication device and the relay device is particularly achieved by the communication speed of the communication path between the one communication device and the relay device being the communication between the other communication device and the relay device. It is extremely effective when the communication speed is lower than the road communication speed.

[Brief description of drawings]

FIG. 1 is a diagram showing an overall configuration of a data distribution system according to an embodiment of the present invention.

FIG. 2 is a sequence diagram for explaining an outline of operation of the system.

FIG. 3 is a block diagram showing a configuration example of a DTE 11 that constitutes the same system.

FIG. 4 is a content acquisition process (H
It is a flowchart which shows the flow of (TTP).

FIG. 5 is a content acquisition process (H
It is a flowchart which shows the flow of TTPS.

FIG. 6 is a block diagram showing a configuration example of an LWP 16 configuring the same system.

FIG. 7 is a flowchart showing a flow of a content proxy acquisition process (HTTP) performed by the LWP16.

FIG. 8 is a flowchart showing a flow of ALT attribute value change processing (HTTP) performed by the LWP 16.

FIG. 9 is a flowchart showing a flow of a content proxy acquisition process (HTTPS) performed by the LWP 16.

FIG. 10 is a conceptual diagram showing a data structure of a correspondence table T included in the LWP 16.

FIG. 11 is a flowchart showing a flow of ALT attribute value change processing (HTTPS) performed by the LWP 16.

FIG. 12 is a sequence diagram for explaining an operation example of the system.

[Explanation of symbols]

11 DTE 12 Mobile packet communication network 13 Internet 14 WWW server 15 Gateway server 16 LWP

   ─────────────────────────────────────────────────── ─── Continued front page    (72) Inventor Tomoyasu Chikada             2-11-1, Nagatacho, Chiyoda-ku, Tokyo Stock             Ceremony company NTT Docomo (72) Inventor Hiroaki Iwata             2-11-1, Nagatacho, Chiyoda-ku, Tokyo Stock             Ceremony company NTT Docomo F-term (reference) 5B089 GA31 GB01 KA07                 5J104 AA07 KA02 PA07

Claims (7)

[Claims] 1. A relay method in a relay device for relaying a message between one communication device and another communication device, comprising a hand for starting a first encrypted communication with the one communication device. A first handshake process for performing a shake process, a second handshake process for performing a handshake process for starting a second encrypted communication with the other communication device, and the second hand If it is estimated that the one communication device holds the information related to the certification of the other communication device acquired in the shake process, the information is not transmitted to the one communication device, and in other cases. Using the transmission process of transmitting the information to the one communication device and the first encrypted communication and the second encrypted communication between the one communication device and the other communication device. Relay method characterized in that it comprises a relay process of relaying the message. 2. A communication speed in a communication path between the one communication device and the relay device is lower than a communication speed in a communication path between the other communication device and the relay device. The relay method according to claim 1. 3. A first communication means for performing a handshake process for starting the first encrypted communication with one communication device, and a second encrypted communication between the other communication device. A second communication unit that performs a handshake process for starting the communication and acquires information related to the certification of the other communication device; and the first communication device between the one communication device and the other communication device. Relay means for relaying a message using encrypted communication and the second encrypted communication, wherein the first communication means is the other communication device of the other communication device acquired by the second handshake means. If it is estimated that the information related to the certification is held by the one communication device, the information is not transmitted to the one communication device; otherwise, the information is transmitted to the one communication device. A relay characterized by apparatus. 4. The relay apparatus according to claim 3, wherein the communication speed of the first communication unit is lower than the communication speed of the second communication unit. 5. A computer device that relays a message between one communication device and the other communication device is provided with a handshake process for starting the first encrypted communication with the one communication device. A first handshake procedure to be performed, a second handshake procedure to perform a handshake process for starting the second encrypted communication with the other communication device, and the second handshake procedure. If it is estimated that the one communication device holds the acquired information related to the certification of the other communication device, the information is not transmitted to the one communication device, and in other cases, the information is transmitted. A transmission procedure for transmitting a message to the one communication device, and a message is transmitted between the one communication device and the other communication device by using the first encrypted communication and the second encrypted communication. Program for executing a relay procedure for. 6. A communication speed in a communication path between the one communication device and the relay device is lower than a communication speed in a communication path between the other communication device and the relay device. The program according to claim 5. 7. A computer-readable recording medium in which the program according to any one of claims 5 and 6 is recorded.