JP2016213793A - Communication device and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To perform a process corresponding to the contents of data exchanged by encryption communication.SOLUTION: When a server certificate in a response to a request transferred by a request transfer unit 121 arrives, an alternative certificate providing unit 122 generates an alternative certificate substituting for the server certificate, and provides a web application unit 110 with it. A data transfer unit 125 performs a data transfer process of decrypting data received from one of the web application unit 110 and a web server 20, encrypting data after the decryption, and transferring data after the encryption to the other. A monitoring module unit 130 performs, as a process using the data after the decryption in the data transfer process by the data transfer unit 125, a process of recording the data after the decryption and a process of stopping communication of the data if the data after the decryption satisfies a condition.SELECTED DRAWING: Figure 5

Description

  The present invention relates to encrypted communication.

  As a technique for encrypted communication, for example, Patent Document 1 discloses a technique for performing URL filtering in HTTPS communication.

WO2009 / 054047

For example, in an employee's personal computer used in a company, communication with an undesired communication destination may be restricted. If the technique of patent document 1 is used, the restriction | limiting of the communication according to a communication destination is possible also in encryption communication. However, the technique of Patent Document 1 cannot limit communication according to the content of encrypted data. In addition, there are many efforts to leave a record of communications due to the increasing demand for compliance, but it is difficult to keep a record of what data has been exchanged in the case of encrypted communications. .
Therefore, an object of the present invention is to perform processing according to the contents of data exchanged by encrypted communication.

  To achieve the above object, the present invention provides a first communication unit that performs first encrypted communication with a web server, a web application unit that transmits data processed by the web server, and the web application unit. A second communication unit that performs second encrypted communication; a transfer unit that transfers data transmitted from the web application unit and decrypted by the second communication unit to the first communication unit; and the decryption And a processing unit that performs processing using the processed data.

Further, the web server transmits data processed by the web application unit,
The transfer unit may transfer data transmitted from the web server and decrypted by the first communication unit to the second communication unit.
Further, the processing unit may perform a process of recording the decrypted data, a process of stopping communication of the data when the data satisfies a condition, or a process of replacing the content of the data as the process. .

The first communication unit exchanges with the web application unit using a public key included in a server certificate transmitted from the web server in response to a request from the web application unit or the public key. The first encrypted communication may be performed using a common key.
And a certificate providing unit that provides the web application unit with a certificate issued by a certificate authority and including a public key. In the web application unit, a root certificate having a signature of the certificate authority is registered. The second communication unit may perform the second encrypted communication using a secret key corresponding to the public key or a common key exchanged with the web application unit using the secret key.

In addition, the certificate providing unit may issue a certificate to be provided to the web application unit with itself as the certificate authority.
Further, a plurality of the root certificates are registered in the web application unit, and the certificate providing unit realizes the type of the web server and the web application unit from the plurality of root certificates. The certificate that has been signed by the selected root certificate is selected according to the type of web application program to be executed or the type of communication protocol used for communication of data transmitted by the web application unit. May be provided to the web application unit.

The first communication path that receives data transmitted from the web application unit to the web server and passes through the first communication unit, the second communication unit, and the transfer unit, and the first communication path that does not pass through the respective units. You may provide the distribution part which distributes the path | route of the said data to either of 2 communication paths.
Further, the allocating unit determines the data according to the type of the web server, the type of the web application program that realizes the web application unit, or the type of communication protocol used for communication of data transmitted by the web application unit. The route may be distributed.

  In addition, the present invention provides a computer that controls a communication device including a web application unit that transmits data processed by a web server, a first communication unit that performs first encrypted communication with the web server, and the web application. A second communication unit that performs second encrypted communication with the communication unit, a transfer unit that transfers data transmitted from the web server and decrypted by the first communication unit to the second communication unit, and the decryption A program for functioning as a processing unit that performs processing using digitized data is provided.

  According to the present invention, it is possible to perform processing according to the contents of data exchanged by encrypted communication.

The figure showing an example of the whole structure of the communication monitoring system which concerns on 1st Example The figure showing the hardware constitutions of a user apparatus Diagram showing the hardware configuration of the web server Diagram showing the hardware configuration of the monitoring server Diagram showing functional configuration realized by each device The figure showing an example of the operation procedure in communication monitoring processing The figure showing an example of the whole structure of the communication monitoring system which concerns on 2nd Example Diagram showing functional configuration realized by each device A figure showing an example of an effective period table

[1] First Embodiment FIG. 1 shows an example of the overall configuration of a communication monitoring system 1 according to a first embodiment. The communication monitoring system 1 is a system for monitoring communication performed by a user device. The communication monitoring system 1 includes an intranet 2, the Internet 3, a user device 10, a web server 20, and a monitoring server 30.

  The user device 10 is an information processing device such as a personal computer or a notebook computer, and is used by a user (company employee or the like). The user device 10 is connected to the intranet 2. The intranet 2 is an in-house LAN (Local Area Network), for example, and is connected to the Internet 3. The user device 10 is also a communication device that communicates with the web server 20 and the monitoring server 30 via both or one of the intranet 2 and the Internet 3. Note that the user device 10 may be connected to the intranet 2 via the Internet 3 in order to connect to the intranet 2 at a business trip destination, for example. In FIG. 1, the user apparatus 10 is connected to the intranet 2 by wire, but may be connected wirelessly.

  The web server 20 stores data of various contents such as web pages, and when requested by the user device 10, transmits the data to the requesting user device 10. In FIG. 1, the web server 20 is connected to the Internet 3, but may be connected to the intranet 2. The monitoring server 30 is connected to the intranet 2 and monitors communication performed by the user device 10.

  FIG. 2 shows a hardware configuration of the user device 10. The user device 10 is a computer that includes a control unit 11, a storage unit 12, a communication unit 13, a display unit 14, and an operation unit 15. The control unit 11 includes a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and a real time clock. The CPU is stored in the ROM or the storage unit 12 using the RAM as a work area. The operation of each part is controlled by executing a program. The real time clock calculates the current date and time and notifies the CPU.

  The storage unit 12 includes an HDD (Hard disk drive) and the like, and stores data and programs used by the control unit 11 for control. The storage unit 12 stores various web application programs (hereinafter referred to as “web applications”) such as browsers, groupware, and business applications. The web application implements a function (communication procedure in the workflow system, display of a web page, posting on a bulletin board, etc.) that involves communication with the web server 20 using WWW (World Wide Web) technology. In addition, the storage unit 12 stores a proxy program that implements the local proxy unit 120 described later and a monitoring program that implements the monitoring module unit 130.

  The communication unit 13 includes a communication circuit for performing communication via the intranet 2 and the Internet 3 and communicates with, for example, the web server 20. The display unit 14 includes a liquid crystal display and the like, and displays an image based on control from the control unit 11. The operation unit 15 includes a keyboard or the like and receives user operations.

FIG. 3 shows a hardware configuration of the web server 20. The web server 20 is a computer that includes a control unit 21, a storage unit 22, and a communication unit 23. The control unit 21, the storage unit 22, and the communication unit 23 are the same type of hardware as the control unit 11, the storage unit 12, and the communication unit 13 illustrated in FIG.
FIG. 4 shows the hardware configuration of the monitoring server 30. The monitoring server 30 is a computer that includes a control unit 31, a storage unit 32, and a communication unit 33. The control unit 31, the storage unit 32, and the communication unit 33 are the same type of hardware as the control unit 11, the storage unit 12, and the communication unit 13 illustrated in FIG.

Each control unit of the user device 10 and the monitoring server 30 executes a program stored in the storage unit of the own device to control each unit of the own device, thereby realizing the functions described below.
FIG. 5 shows a functional configuration realized by each device. The user device 10 includes a web application unit 110 (realized by a web application), a local proxy unit 120 (realized by a proxy program), and a monitoring module unit 130 (realized by a monitoring program). The web server 20 includes a server certificate transmission unit 201 and an encrypted data transmission / reception unit 203, and the monitoring server 30 includes a recording unit 301.

  The web application unit 110 of the user device 10 is a function that involves communication using the WWW technology realized by the above-described web application, and is a communication unit that communicates with the web server 20. The web application unit 110 transmits data to be processed by the web server 20. On the other hand, the web server 20 transmits data to be processed by the web application unit 110. In the present embodiment, the web application unit 110 and the web server 20 perform encrypted communication based on the HTTPS (Hypertext Transfer Protocol Secure) protocol. The local proxy unit 120 is a relay unit that relays communication between the web application unit 110 and the web server 20. The monitoring module unit 130 is a monitoring unit that monitors communication between the web application unit 110 and the web server 20.

  The web application unit 110 includes a server certificate request unit 111, a session establishment unit 112, an encrypted data transmission / reception unit 113, and a data processing unit 114. The local proxy unit 120 includes a request transfer unit 121, an alternative certificate providing unit 122, a session establishment unit 123, a session establishment unit 124, and a data transfer unit 125. The data transfer unit 125 includes a first communication unit 251, a second communication unit 252, and a transfer unit 253.

  The server certificate request unit 111 requests the web server 20 for a server certificate. For example, when an operation of inputting or selecting a URL (Uniform Resource Locator) of the web server 20 is performed by the user, the server certificate request unit 111 transmits request data for requesting a server certificate with the URL as a transmission destination. . The transmitted request data is supplied to the request transfer unit 121. The request transfer unit 121 transfers the request for the server certificate from the web application unit 110 to the web server 20. The request transfer unit 121 transfers the request data supplied from the server certificate request unit 111 toward the URL that is the transmission destination. The transferred request data is supplied to the server certificate transmission unit 201 of the web server 20.

  The server certificate transmission unit 201 transmits the requested server certificate to the requesting user apparatus 10. This server certificate is issued by a certificate authority (root certificate authority or intermediate certificate authority) that has issued a certificate installed in the user device 10 and registered in the web application unit 110. Hereinafter, this certificate authority is referred to as a “first certificate authority”, and this certificate is referred to as a “first certificate”. The server certificate includes a public key, and the web server 20 has a private key corresponding to the public key provided by the first certificate authority.

  The public key corresponding to the secret key means that data encrypted with the public key can be decrypted with the secret key, and data encrypted with the secret key can be decrypted with the public key. Hereinafter, the private key held by the web server 20 is referred to as a “first secret key”, and the public key included in the server certificate is referred to as a “first public key”. The server certificate transmitted to the user device 10 is supplied to the alternative certificate providing unit 122 and the session establishing unit 123 of the local proxy unit 120.

  The alternative certificate providing unit 122 provides the web application unit 110 with an alternative certificate that replaces the server certificate as a certificate issued by the certificate authority and including the public key. The alternative certificate providing unit 122 is an example of the “certificate providing unit” in the present invention. Hereinafter, this certificate authority is referred to as a “second certificate authority” and the public key is referred to as a “second public key”. Since the root certificate is set for each web server, the first certificate authority may be different from or the same as the second certificate authority. In the web application unit 110, a root certificate having a signature of the second certificate authority is registered. Hereinafter, this root certificate is referred to as a “second certificate”. The second certificate authority is an example of the “certificate authority” in the present invention, and the second certificate is an example of the “root certificate” in the present invention. In addition, the local proxy unit 120 has a secret key corresponding to the second public key. Hereinafter, this secret key is referred to as a “second secret key”.

  In this embodiment, the alternative certificate providing unit 122 issues a certificate to be provided to the web application unit 110 by using itself as the second certificate authority. The certificate is issued by attaching a signature obtained by encrypting a hash value of the information with a secret key to the information of the certificate including an expiration date, a public key, a common name, and the like. The alternative certificate providing unit 122 uses the URL of the web server 20 as a common name and issues a signature signed with the second private key held by the local proxy unit 120 as an alternative certificate. When the server certificate is transmitted in response to the request transferred by the request transfer unit 121, the alternative certificate providing unit 122 issues an alternative certificate that replaces the server certificate and provides it to the web application unit 110. To do.

  The session establishing unit 123 of the local proxy unit 120 exchanges data with the session establishing unit 202 of the web server 20 to establish an encrypted data communication (SSL (Secure Sockets Layer) communication) session with the web server 20. The session establishment unit 123 generates a common key. Hereinafter, the common key generated by the session establishing unit 123 is referred to as a “first common key”. The session establishing unit 123 encrypts the generated first common key with the first public key, that is, the public key included in the server certificate transmitted from the web server 20, and transmits it to the web server 20.

  The session establishing unit 202 decrypts the transmitted first common key using the first secret key held by the own device (web server 20). In this way, the session establishment unit 123 exchanges the first common key with the session establishment unit 202 using the first public key included in the server certificate. The session establishment unit 202 supplies the first common key thus provided to the encrypted data transmission / reception unit 203. On the other hand, the session establishment unit 123 provides the generated first common key to the first communication unit 251.

  The encrypted data transmission / reception unit 203 encrypts and transmits the data using the supplied first common key, and receives the data encrypted using the first common key, and similarly decrypts the data using the first common key. The encrypted data transmission / reception unit 203 receives, for example, an encrypted HTTP request, decrypts it with the first common key, and encrypts data of the content (such as a web page) requested by the HTTP request with the first common key. To send.

  The substitute certificate provided to the web application unit 110 is supplied to the session establishing unit 112. The session establishment unit 112 exchanges data with the session establishment unit 124 of the local proxy unit 120 to establish an encrypted data communication session with the local proxy unit 120. When the alternative certificate is supplied, the session establishing unit 112 registers the second certificate of the second certificate authority that issued the alternative certificate in the web application unit 110. It is determined that it can be performed, and a common key is generated and provided to the encrypted data transmitting / receiving unit 113. Hereinafter, the common key generated by the session establishing unit 112 is referred to as a “second common key”. In addition, the session establishing unit 112 encrypts the generated second common key with the second public key included in the alternative certificate and provides it to the local proxy unit 120. The second common key provided to the local proxy unit 120 is supplied to the session establishment unit 124.

  Note that, when the server certificate of the web server 20 is supplied, the session establishing unit 112 uses the first certificate issued by the first certificate authority that issued the server certificate as described above. Since it is registered in the application unit 110, it is determined that the server certificate is reliable, and a common key is generated and provided to the encrypted data transmission / reception unit 113. Thus, since the session establishment unit 112 cannot distinguish between the server certificate of the web server 20 and the supplied alternative certificate, the supplied session certificate is supplied regardless of whether the server certificate or the alternative certificate is supplied. Determines that the other certificate is trusted and establishes a session using that certificate.

  When the session establishing unit 124 receives the second common key encrypted with the second public key, the session establishing unit 124 decrypts it with the second secret key held by the local proxy unit 120. In this way, the session establishment unit 112 exchanges the second common key with the session establishment unit 124 using the second public key included in the alternative certificate. The session establishment unit 124 supplies the decrypted second common key to the second communication unit 252.

  When the encrypted data transmission / reception unit 113 encrypts and transmits data with the second common key supplied from the session establishment unit 112 and receives the data encrypted with the second common key, the encrypted data transmission / reception unit 113 also receives the second common key. Decrypt with. The encrypted data transmission / reception unit 113, for example, encrypts an HTTP request with the second common key and transmits it to the web server 20, and transmits the data of the content (such as a web page) transmitted in response to the HTTP request to the second Decrypt with common key. The encrypted data transmission / reception unit 113 supplies the decrypted data to the data processing unit 114.

  The data processing unit 114 performs data processing according to the function of the web application. For example, if the web application is a browser, processing for generating an HTTP request, processing for displaying content data, and the like are performed. If the web application is groupware, a process of saving document data on a bulletin board or a process of generating request data for requesting an approver to approve application data is performed. The data processing unit 114 processes the decrypted data supplied from the encrypted data transmission / reception unit 113. When the data processed by the data processing unit 114 is supplied to the encrypted data transmission / reception unit 113, the encrypted data transmission / reception unit 113 encrypts the data with the second common key and transmits the encrypted data to the web server 20. The transmitted data is supplied to the second communication unit 252 of the local proxy unit 120.

  As described above, the first common key is supplied from the session establishing unit 123 to the first communication unit 251. The first communication unit 251 decrypts the data encrypted with the first common key transmitted from the encrypted data transmission / reception unit 203 with the first common key. The first communication unit 251 supplies the decrypted data to the transfer unit 253. As described above, the second common key is supplied from the session establishing unit 124 to the second communication unit 252. The second communication unit 252 similarly decrypts the data encrypted by the second common key supplied from the encrypted data transmission / reception unit 113 with the second common key. The second communication unit 252 supplies the decrypted data to the transfer unit 253.

  The transfer unit 253 supplies the data requested from the first communication unit 251 to the second communication unit 252 and supplies the data requested from the second communication unit 252 to the first communication unit 251. As described above, the transfer unit 253 transfers the data transmitted from the web server 20 and decrypted by the first communication unit 251 to the second communication unit 252. The transfer unit 253 transfers the data transmitted from the web application unit 110 and decrypted by the second communication unit 252 to the first communication unit 251.

  Since the first communication unit 251 has been transferred by the transfer unit 253, the first communication unit 251 encrypts the data with the first common key and transmits the data to the web server 20. In this way, the first communication unit 251 performs encrypted communication with the web application unit 110. Hereinafter, this encrypted communication is referred to as “first encrypted communication”. Specifically, the first communication unit 251 uses the first public key included in the server certificate transmitted from the web server 20 in response to the request from the web application unit 110 to cause the session establishing unit 123 to execute the web server. The first encrypted communication is performed using the first common key exchanged with 20.

  The second communication unit 252 encrypts the data transferred by the transfer unit 253 with the second common key and transmits the encrypted data to the web application unit 110. In this way, the second communication unit 252 performs encrypted communication with the web application unit 110. Hereinafter, this encrypted communication is referred to as “second encrypted communication”. Specifically, the second communication unit 252 uses the second common key exchanged with the web application unit 110 by the session establishment unit 124 using the second secret key corresponding to the second public key included in the alternative certificate. Second encrypted communication.

  The first communication unit 251, the second communication unit 252, and the transfer unit 253, that is, the data transfer unit 125 relay communication between the web application unit 110 and the web server 20. At that time, the data transfer unit 125 decrypts the data transmitted from one of the web application unit 110 and the web server 20, encrypts the decrypted data, and transfers the encrypted data to the other. In this way, the data transfer unit 125 performs a data transfer process.

  The monitoring module unit 130 performs processing (hereinafter referred to as “decoded data processing”) using data decoded in the transfer processing by the data transfer unit 125 described above. The monitoring module unit 130 is an example of the “processing unit” in the present invention. The decrypted data here is data that is transmitted from the web application unit 110 when the first communication unit 251 decrypts the data transmitted from the web server 20 using the first common key. In some cases, the second communication unit 252 decrypts the received data using the second common key. The monitoring module unit 130 monitors the operations of the first communication unit 251 and the second communication unit 252. When the decoded data is stored in the RAM, the monitoring module unit 130 reads the data from the RAM and reads the read data ( That is, decrypted data processing using the decrypted data) is performed.

  In this embodiment, the monitoring module unit 130 decodes a recording process for recording the data decoded in the transfer process, and a stop process for stopping communication of the data when the decoded data satisfies the condition. As a data processing. For example, the monitoring module unit 130 performs, as a recording process, a process of transmitting the decrypted data and information on the time when the data is transmitted from the web application unit 110 or the web server 20 to the monitoring server 30. The transmitted data and time information are supplied to the recording unit 301 of the monitoring server 30, and the recording unit 301 records the supplied data and time information in association with each other.

  Note that the monitoring module unit 130 may transmit information (such as a file name or attribute of data) specifying the decrypted data instead of the data itself. Further, the monitoring module unit 130 analyzes, for example, a character string in the decrypted data, and when it is determined that confidential information of a predetermined level or higher is included, the data is transferred to the transfer unit 253. Instruct to stop. Upon receiving this instruction, the transfer unit 253 stops data transfer between the first communication unit 251 and the second communication unit 252. Note that the monitoring module unit 130 may instruct the first communication unit 251 or the second communication unit 252 to stop either the encryption of the data transferred from the transfer unit 253 or the transmission of the encrypted data. Good. In either case, communication of data decrypted by the data transfer unit 125 is stopped.

  In addition to the analysis result of the decrypted data, the monitoring module unit 130 may determine whether or not to stop the transfer according to the transmission destination of the data. For example, if the level of the confidential information included in the decrypted data is less than a predetermined level, the monitoring module unit 130 permits transfer to the web server 20 operated in the company, and the external web server The transfer to 20 is stopped.

Each device provided in the communication monitoring system 1 performs communication monitoring processing for monitoring communication between the web application unit 110 and the web server 20 based on the above configuration.
FIG. 6 shows an example of an operation procedure in the communication monitoring process. In FIG. 6, the operation of the user device 10 is divided into the web application unit 110, the local proxy unit 120, and the monitoring module unit 130. This operation procedure is started when, for example, the user operates the user device 10 to input or select the URL of the web server 20.

  First, the web application unit 110 (server certificate request unit 111) requests a server certificate from the web server 20 (step S11). The local proxy unit 120 (request transfer unit 121) transfers the request for the server certificate to the web server 20 (step S12). The web server 20 (server certificate transmission unit 201) transmits the requested server certificate (step S13). When receiving the server certificate, the local proxy unit 120 (alternative certificate providing unit 122) issues an alternative certificate (step S14), and provides the issued alternative certificate to the web application unit 110 (step S15).

  Next, the local proxy unit 120 (session establishment unit 123) and the web server 20 (session establishment unit 202) establish a first encrypted communication session (step S21). At this time, the first common key is exchanged between the local proxy unit 120 and the web server 20. Further, the web application unit 110 (session establishment unit 112) and the local proxy unit 120 (session establishment unit 124) establish a second encrypted communication session (step S22). At this time, the second common key is exchanged between the web application unit 110 and the local proxy unit 120. Either of steps S21 and S22 may be performed first or in parallel.

  Subsequently, the web application unit 110 (encrypted data transmission / reception unit 113) transmits the data encrypted with the second common key to the web server 20 (step S31). The local proxy unit 120 (first communication unit 251) decrypts the data transmitted from the web application unit 110 using the second common key (step S32). Next, the monitoring module unit 130 refers to the decrypted data (step S41), and whether or not a condition for stopping the transfer of the data is satisfied (for example, whether confidential information of a predetermined level or higher is included) (No) is determined (step S42).

  If the monitoring module unit 130 determines that the condition is satisfied (YES), the monitoring module unit 130 instructs the local proxy unit 120 (transfer unit 253) to cancel the transfer (step S43), and the local proxy unit 120 (transfer unit). 253) stops the transfer of the decrypted data according to the instruction (step S33). When the monitoring module unit 130 determines that the condition is not satisfied (NO), the monitoring module unit 130 notifies the local proxy unit 120 (transfer unit 253) of transfer permission (step S44). Upon receiving the notification, the local proxy unit 120 (transfer unit 253) transfers the data decrypted in step S32 (step S34).

  Then, the local proxy unit 120 (second communication unit 252) encrypts the transferred data with the second common key (step S35) and transmits it to the web server 20 (step S36). Note that the operation in step S35 (data encryption) may be performed before step S33. In addition, the monitoring module unit 130 transmits the decrypted data referred in step S41 to the monitoring server 30 (step S61), and the monitoring server 30 (recording unit 301) records the data (step S62). Note that the operations in steps S61 and S62 may be performed before step S42 or may be performed in parallel therewith.

  In this embodiment, when communication of encrypted data is performed between the web application unit 110 and the web server 20, the monitoring module is used for data decrypted in the local proxy unit 120 that relays the communication. Decoded data processing by the unit 130 is performed. Thereby, the process according to the content of the data exchanged by encryption communication can be performed. Specifically, for example, it is possible to perform processing for recording data to be exchanged and processing for stopping data exchange according to the contents of the data.

  In this embodiment, the web application unit 110 requests a server certificate, establishes an encrypted data communication session using an alternative certificate provided in response thereto, and performs encrypted data communication. In addition, the web server 20 transmits a server certificate in response to a request from the user device 10, and performs encrypted data communication using the first common key provided from the user device 10. As described above, even if the web application unit 110 and the web server 20 perform normal SSL communication operations, processing according to the contents of data exchanged by encrypted communication can be performed as described above.

[2] Second Embodiment Hereinafter, a second embodiment of the present invention will be described focusing on differences from the first embodiment. In the first embodiment, all data exchanges between the web application unit 110 and the web server 20 are relayed by the local proxy unit 120. However, in the second embodiment, this relay may not be performed.

  FIG. 7 illustrates an example of the overall configuration of the communication monitoring system 1a according to the second embodiment. The communication monitoring system 1a includes user devices 10-1 and 10-2 (the hardware configuration is the same as that of the user device 10 illustrated in FIG. And an external web server 20-2 (the hardware configuration is the same as that of the web server 20 shown in FIG.

  The user device 10-1 is connected to the intranet 2, and the user device 10-2 is connected to the Internet 3 by, for example, mobile communication or wireless LAN communication. The in-house web server 20-1 is a web server operated by a company of a user who uses the user device 10a. The in-house web server 20-1 is connected to the intranet 2 and provides services related to in-house operations such as a workflow system and an in-house bulletin board. The in-house web server 20-1 can also communicate from the Internet 3 via the intranet 2 like the user device 10-2. The external web server 20-2 is a web server operated by a subject other than the company of the user who uses the user device 10a. The external web server 20-2 is connected to the Internet 3 and provides a web page and the like.

  FIG. 8 shows a functional configuration realized by each device in this embodiment. The user device 10a includes a distribution unit 140 in addition to the units illustrated in FIG. The distribution unit 140 is realized by a distribution program stored in the user device 10a. The distribution unit 140 distributes the route of data that the web application unit 110 transmits to the web server 20. Specifically, the allocating unit 140 receives data transmitted from the web application unit 110 to the web server 20, and the data transfer unit 125 (that is, the first communication unit 251 and the second communication unit) of the local proxy unit 120. 252 and the transfer unit 253), and the data path is distributed to either the first communication path that does not pass through the data transfer unit 125.

  Data that has passed through the first communication path is decrypted and encrypted by the data transfer unit 125 and transferred to the web server 20, and decrypted data processing is performed using the decrypted data at that time. Is done by. On the other hand, since the data transmitted through the second communication path is not decrypted by the data transfer unit 125, the data is not subjected to decrypted data processing by the monitoring module unit 130.

  The distribution unit 140 requests the server certificate from the server certificate request unit 111, the alternative certificate from the alternative certificate provision unit 122, and the encryption from the session establishment unit 112 when passing through the first communication path. The encrypted second common key, the encrypted data from the encrypted data transmission / reception unit 113, and the encrypted data from the second communication unit 252 are received, and each destination described in the description of FIG. Forward them. Thereby, the same communication as in the first embodiment is performed between the web application unit 110 and the web server 20.

  On the other hand, the distribution unit 140 transfers the request for the server certificate from the server certificate request unit 111 to the request transfer unit 121 when encrypted via the second communication path, and is encrypted from the session establishment unit 112. The second common key is transferred to the session establishing unit 202 of the web server 20a, and the encrypted data from the encrypted data transmitting / receiving unit 113 and the encrypted data from the encrypted data transmitting / receiving unit 203 are sent to each other. Transfer as. Thereby, the second communication path that does not pass through the data transfer unit 125 (the first communication unit 251, the second communication unit 252, and the transfer unit 253) of the local proxy unit 120 between the web application unit 110 and the web server 20 is provided. Communication takes place.

  For example, the distribution unit 140 distributes the data path according to the type of the web server that processes the data transmitted from the web application unit 110 (in other words, the web server of the communication partner of the web application unit 110). In this embodiment, the allocating unit 140 performs the second communication if the web server 20a of the communication partner of the web application unit 110 is connected to the intranet 2 (in-house web server 20-1 in the example of FIG. 7). If the route is routed and is not connected to the intranet 2 (external web server 20-2 in the example of FIG. 7), the route is routed so as to be routed through the first communication path. In this case, the above-described cancellation processing (processing for canceling data transfer) is not performed in communication with the in-house web server 20-1 in which the security of the communication path is ensured because it passes through the intranet 2 only. In the communication with the external web server 20-2 including the Internet 3, the cancellation process is performed.

  As described above, according to the present embodiment, when monitoring of communication is necessary, the stop process is performed via the first communication path to improve security, and when monitoring of communication is unnecessary, the first is performed. It is possible to increase the communication speed by eliminating the decryption and encryption of data by the transfer unit 253 via the two communication paths. The type of web server 20a is not limited to this. For example, the allocating unit 140 stores a list of web servers 20a whose communication is not recommended, and when the communication partner web server 20a is included in the list, the distribution unit 140 passes through the first communication path and is not included. In some cases, the route may be distributed so as to pass through the second communication path.

  Further, the distribution unit 140 may distribute the data path according to the type of the web application program that implements the web application unit 110. For example, when the web application unit 110 is realized by a browser used for browsing a web page or a program for a client of an external system, the distribution unit 140 passes the first communication path. On the other hand, the distribution unit 140 causes the second communication path to pass through when the web application unit 110 is realized by a program for a client in an in-house system.

  Further, the distribution unit 140 may distribute the data path according to the type of communication protocol used for communication of data transmitted by the web application unit 110. For example, when the type of the communication protocol is SMTP (Simple Mail Transfer Protocol) and FTP (File Transfer Protocol), the distribution unit 140 passes the first communication path and is SNTP (Simple Network Management Protocol). In this case, the route is distributed so as to pass through the second communication path.

  In any case, the balance between security and communication speed may be achieved by going through the first communication path when it is desired to increase security and via the second communication path when increasing the communication speed. As described above, according to the present embodiment, it is possible to increase the security or increase the communication speed for each type of the web server 20a, the type of the web application program, and the type of the communication protocol.

[3] Modifications Each of the above-described embodiments is merely an example of the implementation of the present invention, and may be modified as follows. Moreover, you may combine each embodiment and each modification as needed.

[3-1] A plurality of second certificates There may be a plurality of second certificates used when the alternative certificate providing unit 122 generates an alternative certificate. For example, in the web application unit 110, a plurality of the second certificates having different validity periods are registered. The alternative certificate providing unit 122 corresponds to the type of the web server (web server of the communication partner of the web application unit 110) that processes the data transmitted from the web application unit 110 among the plurality of second certificates. The second certificate is selected, and an alternative certificate signed by the selected second certificate is provided to the web application unit 110.

The user device 10 stores a validity period table in which the second certificate, its validity period, and the type of communication partner are associated with each other.
FIG. 9 shows an example of the validity period table. In the example of FIG. 9, the second certificate “R01.xx.xx.crt” includes an effective period of “20xx.07.01 to 20xx.07.31” (that is, an effective period of one month) and “external web”. The type of communication partner “server” is associated with the server. In addition, the second certificate “R02.xx.xx.crt” includes an effective period “20xx.07.01 to 20xx.12.31” (that is, an effective period is 6 months) and communication “in-house web server”. The type of partner is associated. “R01.xx.xx.crt” and “R02.xx.xx.crt” are examples of second certificates having different validity periods.

  In the example of FIG. 7, when the communication partner is the external web server 20-2, the alternative certificate providing unit 122 has the first “R01.xx.xx.crt” because the web server type is the external web server. The alternative certificate generated using the second certificate is provided to the web application unit 110. Further, when the communication partner is the in-house web server 20-1, the alternative certificate providing unit 122 uses the second certificate “R02.xx.xx.crt” because the type of the communication partner is the in-house web server. The web application unit 110 is provided with the alternative certificate generated using the.

  However, the alternative certificate providing unit 122 does not provide the alternative certificate when the current date and time has passed the valid period, and displays, for example, on the display unit 14 of the own apparatus that the valid period has expired. . In the user apparatus 10, if a root certificate with a new valid period is registered in the web application unit 110 as the second certificate before the valid period expires, encrypted communication can be performed continuously without interruption. . Even after the validity period has expired, if a root certificate with a new validity period is registered as the second certificate, encrypted communication can be performed again thereafter. In other words, the second certificate “R01.xx.xx.crt” must be registered to register the root certificate with a new validity period as the second certificate in the web application unit 110 every month. On the other hand, for the second certificate “R02.xx.xx.crt”, the registration work may be performed every six months.

  As described above, in the example of FIG. 9, the interval between the times when the registration work of the second certificate is required differs depending on the type of the web server 20 of the communication partner. The shorter this interval is, the more time is required for registration work, or the validity period has expired and the situation where encrypted communication cannot be performed decreases. However, even if the second certificate is leaked, The period during which the encrypted data may be illegally decrypted is shortened. In other words, according to the example of FIG. 9, in the case of a communication partner that has a large influence when data to be communicated leaks, the second certificate is generated by generating an alternative certificate using “R01.xx.xx.crt”. Risk when a book is leaked can be reduced. Further, in the case of a communication partner having a small influence even if data to be communicated is leaked, it is possible to reduce the labor of registration work by generating an alternative certificate using “R02.xx.xx.crt”.

  The alternative certificate providing unit 122 may select a second certificate corresponding to the type of web application program that implements the web application unit 110. For example, when the web application unit 110 is realized by a browser used for browsing a web page or a program for a client of an external system, the alternative certificate providing unit 122 obtains a second certificate with a short validity period. When the web application unit 110 is realized by a client program of an in-house system, a second certificate having a long validity period is selected.

  The alternative certificate providing unit 122 may select a second certificate corresponding to the type of communication protocol used for communication of data transmitted by the web application unit 110. For example, when the communication protocol type is SMTP or FTP, the alternative certificate providing unit 122 selects the second certificate having a short valid period, and when the communication protocol type is SNTP, the alternative certificate providing unit 122 selects the second certificate having a long valid period. Select a certificate.

  In either case, the effective period is short when it is desired to reduce the influence of data leakage in consideration of the magnitude of the influence when the data to be communicated is leaked and the above-described user convenience (installation effort, etc.). If the second certificate is selected and the user's convenience is to be improved, the second certificate having a long validity period may be selected. As described above, according to the present embodiment, for each type of the web server 20, the type of the web application program, and the type of the communication protocol, the influence when the data is leaked is reduced or the convenience of the user is reduced. Can be suppressed.

[3-2] Monitoring Target In the embodiment, monitoring by the monitoring module unit 130 is performed on both the data transmitted from the web application unit 110 and the data transmitted from the web server 20, that is, both upstream communication and downstream communication. Although it was performed, monitoring may be performed for only one of them. When upstream communication is monitored, the possibility of leakage of confidential data can be reduced. In addition, when downstream communication is monitored, the possibility of a virus program entering from the outside can be reduced.

[3-3] Alternative Certificate In the embodiment, the alternative certificate providing unit 122 illustrated in FIG. 5 issues the alternative certificate using itself as the second certificate authority. However, the present invention is not limited to this. For example, an external device connected to the intranet 2 or the Internet 3 may issue a substitute certificate as the second certificate authority. In this case, for example, when a server certificate is supplied, the alternative certificate providing unit 122 requests the external device to issue an alternative certificate based on the server certificate, and is issued by the external device in response to the request. An alternative certificate is provided to the web application unit 110.

  In the embodiment, an alternative certificate with the common name of the URL of the web server is issued, but not limited to this, an alternative certificate with the common name of the web server name and the web server device ID is issued. Alternatively, a common name not related to the web server may be used. In the embodiment, the alternative certificate is issued every time the server certificate is transmitted. However, the present invention is not limited to this. For example, if data has been exchanged with the same web server in the past, an alternative certificate issued at that time may be provided.

  Further, the issued alternative certificate may be used in data exchange with a plurality of different web servers. In this case, a common name not related to the web server may be used for the substitute certificate. In any case, the alternative certificate providing unit 122 provides the web application unit 110 with a certificate issued by the second certificate authority and including the second public key as an alternative certificate, thereby enabling the second encryption. Communication will be performed.

[3-4] Encrypted Communication In the embodiment, the encrypted communication using the exchanged common key is performed, but the present invention is not limited to this. For example, encrypted communication in which encryption and decryption are performed using a public key and a secret key may be performed. In this case, the encrypted data transmitting / receiving unit 113 of the web application unit 110 encrypts the data using the second public key included in the alternative certificate, and the second proxy unit 120 of the local proxy unit 120 The data is decrypted using the second secret key held.

  In addition, the first communication unit 251 of the local proxy unit 120 encrypts data using the first public key included in the server certificate, and the web server 20 uses the first secret key held by the own device to perform data Is decrypted. Further, not limited to these keys, for example, encrypted communication may be performed when the transmission source stores the encryption algorithm and the transmission destination stores the decryption algorithm. In addition to this, a known encryption communication technique for encrypting and decrypting data may be used.

[3-5] Decrypted Data Process The decrypted data process is not limited to the recording process and the cancellation process described in the embodiment. For example, when the decrypted data satisfies a condition (for example, when confidential information is included in the data), a process for notifying the fact may be performed as the decrypted data process. Further, the process of replacing the content of the decrypted data may be performed as a decrypted data process. In this case, for example, the user confirms that the decrypted data has been confirmed by the monitoring module, or that the data transfer was stopped because the data contained confidential information. Processing to replace the image data representing the screen to be notified is performed. As long as these are processes using the decrypted data, any process may be performed as the decrypted data process.

[3-6] Program In the embodiment, the local proxy unit 120 is realized by the proxy program and the monitoring module unit 130 is realized by the monitoring program. However, the present invention is not limited to this. For example, both the local proxy unit 120 and the monitoring module unit 130 may be realized by a proxy program. In other words, the local proxy unit 120 may include the function of the monitoring module unit 130. The same applies to the distribution unit 140 shown in FIG. 8 and the distribution program that implements it. In short, the functions of the local proxy unit 120, the monitoring module unit 130, and the distribution unit 140 described in FIG. 5 and the like may be realized by executing one or more programs on the user device.

[3-7] Category of Invention The present invention can be understood as a communication monitoring system including a user device, a web server, and a monitoring server in addition to a communication device such as a user device. In addition, an information processing method for realizing processing performed by these devices and a program for causing a computer that controls these devices to function (a web application, a proxy program, a monitoring program, a distribution program, or a combination thereof) Etc.). These programs may be provided in the form of a recording medium such as an optical disk in which they are stored, or may be downloaded to a computer via a network such as the Internet, installed and made available for use. May be provided.

DESCRIPTION OF SYMBOLS 1 ... Communication monitoring system, 2 ... Intranet, 3 ... Internet, 10 ... User apparatus, 20 ... Web server, 30 ... Monitoring server, 11, 21, 31 ... Control part, 12, 22, 32 ... Storage part, 13, 23 33 ... Communication unit, 14 ... Display unit, 15 ... Operation unit, 110 ... Web application unit, 120 ... Local proxy unit, 130 ... Monitoring module unit, 140 ... Distribution unit, 111 ... Server certificate request unit, 112, 123, 124, 202 ... session establishment unit, 113, 203 ... encrypted data transmission / reception unit, 114 ... data processing unit, 121 ... request transfer unit, 122 ... alternative certificate providing unit, 125 ... first communication unit, 126 ... first 2 communication unit, 127 ... transfer unit, 201 ... server certificate transmission unit, 301 ... recording unit

Claims (10)

A first communication unit that performs first encrypted communication with a web server;
A web application unit that transmits data to be processed by the web server;
A second communication unit that performs second encrypted communication with the web application unit;
A transfer unit that transfers data transmitted from the web application unit and decrypted by the second communication unit to the first communication unit;
And a processing unit that performs processing using the decrypted data. The web server transmits data to be processed by the web application unit,
The communication device according to claim 1, wherein the transfer unit transfers data transmitted from the web server and decrypted by the first communication unit to the second communication unit. The processing unit performs a process of recording the decrypted data, a process of stopping communication of the data when the data satisfies a condition, or a process of replacing the content of the data as the process. The communication apparatus as described in. The first communication unit includes a public key included in a server certificate transmitted from the web server in response to a request from the web application unit or a common key exchanged with the web application unit using the public key The communication device according to any one of claims 1 to 3, wherein the first encrypted communication is performed by using a computer. A certificate providing unit that provides a certificate issued by a certificate authority and including a public key to the web application unit;
In the web application unit, a root certificate having a signature of the certificate authority is registered,
The second communication unit performs the second encrypted communication using a secret key corresponding to the public key or a common key exchanged with the web application unit using the secret key. The communication apparatus according to claim 1. The communication apparatus according to claim 5, wherein the certificate providing unit issues a certificate to be provided to the web application unit using itself as the certificate authority. A plurality of the root certificates are registered in the web application unit,
The certificate providing unit is a communication used for communication of a type of the web server, a type of a web application program that realizes the web application unit, or data transmitted by the web application unit among the plurality of root certificates. The communication apparatus according to claim 5 or 6, wherein a root certificate corresponding to a protocol type is selected, and the web application unit is provided with the certificate signed by the selected root certificate. A first communication path that receives data transmitted from the web application section to the web server and passes through the first communication section, the second communication section, and the transfer section, and a second communication that does not pass through the sections. The communication device according to claim 1, further comprising a distribution unit that distributes the route of the data to any one of the routes. The distribution unit determines the route of the data according to the type of the web server, the type of web application program that realizes the web application unit, or the type of communication protocol used for communication of data transmitted by the web application unit. The communication device according to claim 8. A computer that controls a communication device including a web application unit that transmits data processed by a web server,
A first communication unit that performs first encrypted communication with the web server;
A second communication unit that performs second encrypted communication with the web application unit;
A transfer unit that transfers data transmitted from the web server and decrypted by the first communication unit to the second communication unit;
A program for causing a processing unit to perform processing using the decrypted data.

Images