JP4916270B2 - Information processing apparatus, communication method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To execute data transmission while protecting security through a network. <P>SOLUTION: An information processing apparatus 10 comprises a security setting management means 74 connected to the network to perform data communication with an external device 90 and associating security setting of secure data communication with communication data attributes to store them, communication data attribute decision means (50, 52) for deciding the communication data attributes (indexes of secrecy and importance of data) from the communication data with the external device 90, and an application execution means (50) for determining security setting of secure data communication with the external device 90 according to the communication data attributes and executing communication at suitable security strength. <P>COPYRIGHT: (C)2008,JPO&amp;INPIT

Description

  The present invention relates to security technology, and more particularly to an information processing apparatus, a communication method, and a program that execute data transmission while protecting security via a network.

  In recent years, with the development of network security technology, confidential documents such as in-house documents, security information such as passwords, credit card numbers, and account IDs are securely transmitted over the Internet, and online operations are performed safely. It became possible to do. For example, in a VPN (Virtual Private Network), remote bases can be connected via a tunnel via the Internet, and communication can be performed with the same high security as a dedicated line connection.

  In secure communication for maintaining high confidentiality, processing load due to encryption on the transmission side and decryption on the reception side accompanying encryption of transmission data increases, and in particular, a large number of externally connected devices ( This is a serious problem in an information processing apparatus that executes a transaction with an external device. Therefore, there has been a demand for a simple method for reducing the load while maintaining the necessary security strength of the network.

  As the security strength of encrypted communication is increased, the communication speed generally decreases and the processing load increases. From the viewpoint of preventing a decrease in communication speed due to excessive security strength, IPsec security according to the characteristics of the IP address using IPsec (Security Architecture for Internet Protocol) communication, which is a secure communication standard used in VPN and IPv6・ It is known to apply the policy.

Further, in Patent Document 1, when, for example, MPEG image packet transmission is performed as data to be transferred via a network, it is determined which of the MPEG I picture, P picture, and B picture is included in the packet. A data transmission apparatus is disclosed in which a destination port number corresponding to the degree is set as UDP (or TCP) header information.
JP 2002-141944 A IETF RFC4301 Security Architecture for the Internet ProtocolDecember 2005

  Although the above-described secure communication technology is known, it has not been sufficient from the viewpoint of applying a security policy flexibly to changes in network infrastructure technology.

  In recent years, in view of the fact that information leakage from the inside has become a social problem, it is desirable that highly confidential communications be protected with high security even for communications within the internal network. ing. On the other hand, in the above-described technology, the same security policy is applied based on the characteristics of the IP address regardless of whether the information is highly confidential or low, so that it matches the importance and confidentiality of the communication content. Thus, it was not possible to efficiently reduce the communication speed and the processing overload while ensuring the security effectively.

  Furthermore, especially in a usage mode in which access from an unspecified external device such as a Web server is expected, it is possible to efficiently reduce the communication speed while effectively ensuring security in accordance with the importance and confidentiality of communication contents. The processing overload could not be reduced.

  The present invention has been made in view of the above-described problems of the prior art, and enables a connection between an information processing apparatus and an external apparatus via a network with high security and reliability, and is special on the external apparatus side. Communication that flexibly applies security settings according to the attributes of the communication data, such as the user identification value of the transmission source user, the type of communication protocol of the application layer used for communication, and the resource attribute of the access request destination without requiring a program The present invention provides an information processing apparatus, a communication method, and a program that can reduce the processing load of the entire information processing apparatus using a path.

That is, according to the present invention, an information processing apparatus connected to a network and performing data communication with an external apparatus,
Security setting management means for keeping security data communication security settings and communication data attributes corresponding to each other;
Communication data attribute determining means for determining the communication data attribute from communication data with the external device;
An information processing apparatus is provided, including: an application execution unit that determines the security setting of the secure data communication with the external device according to the communication data attribute, and executes communication.

  In the present invention, the security setting is assigned for each communication path specified by at least one of an address and a port number, and the information processing apparatus notifies the external apparatus of the communication path and performs the secure data communication. Can be established. In the present invention, the application execution means determines the communication data attribute using the URL address of the requested Web page, and sets the security address corresponding to the communication data attribute to the external device. Can be notified.

In the present invention, the information processing apparatus includes:
Template storage means for storing a setting template for performing the security setting;
A selection unit that presents information for identifying the setting template on a display unit, and receives selection of the setting template;
Security setting processing means for executing security setting according to the setting template selected by the selection means.

Furthermore, in the present invention, the information processing apparatus includes:
Character string storage means for storing the security setting in association with the character string indicating the security setting;
Host name generation means for generating a registered host name including the character string corresponding to the security setting may be included.

  Further, in the present invention, the information processing apparatus can include a host name registration unit that registers the communication path in which the security setting is made and a host name in association with each other in a DNS server. According to the present invention, the secure data communication can be IPsec communication.

According to the present invention, there is provided a communication method that is connected to a network and causes an information processing device to execute data communication with an external device.
Receiving communication data from the external device and determining a communication data attribute;
Retrieving and determining security settings from the communication data attributes;
A communication method is provided that executes secure data communication by applying the determined security setting.

In the present invention, the communication method determines the security setting for a communication path specified by at least one of an address and a port number;
Informing the external device of the communication path and establishing the secure data communication.

According to the present invention, the communication method determines the communication data attribute using a URL address of a requested web page;
And notifying the external device of the URL address for which the security setting corresponding to the communication data attribute is set.

Furthermore, in the present invention, the information processing apparatus includes:
Determining a character string indicating the security setting from the security setting;
Generating a registered host name including the character string corresponding to the security setting.

Furthermore, according to the present invention, a program is connected to a network and performs data communication with an external device.
A security setting management means for keeping security data communication security settings and communication data attributes corresponding to each other; a communication data attribute judging means for judging the communication data attribute from communication data with the external device;
An apparatus-executable program is provided that implements application execution means for determining the security setting of the secure data communication with the external device in correspondence with the communication data attribute and executing communication.

  In the present invention, the application execution unit assigns the security setting to each communication path designated by at least one of an address and a port number, and the information processing apparatus notifies the external apparatus of the communication path, and Means for establishing secure data communications may be included. In the present invention, the application execution means determines the communication data attribute using the URL address of the requested Web page, and the security setting corresponding to the communication data attribute is made in the external device. Means for notifying the URL address may be included.

Furthermore, in the present invention, the program stores a template storage means for storing a setting template for performing the security setting;
A selection unit that presents information for identifying the setting template on a display unit, and receives selection of the setting template;
Security setting processing means for executing security settings according to the setting template selected by the selection means can be realized.

  Further, according to the present invention, a host name registration unit that registers the communication path in which the security setting is made and the host name in association with each other in the DNS server can be realized in the information processing apparatus.

  The present invention will be described below with reference to embodiments shown in the drawings, but the present invention is not limited to the embodiments shown in the drawings.

  FIG. 1 is a block diagram showing an embodiment of a schematic configuration of the information processing apparatus 10. The information processing apparatus 10 of the present invention can use a personal computer or a workstation. The information processing apparatus 10 is formed of a central processing unit (CPU) 12, a cache memory 14 that enables high-speed access of data used by the CPU 12, and a solid-state memory element such as RAM and DRAM that enables processing of the CPU 12. System memory 16. The CPU 12, the cache memory 14, and the system memory 16 are connected via the system bus 18 to other devices or drivers of the information processing apparatus 10, for example, the graphics driver 20 and the network device (NIC) 22. It is connected. The graphics driver 20 is connected to the display device 24 via the system bus 18 and displays the processing result by the CPU 12 on the display screen. Further, the network device 22 connects the information processing apparatus 10 to the network at the transport layer level and the physical layer level, and is an external device (not shown) having a communication function such as a personal computer, a PDA, and a mobile phone. And establishing a session with.

  An I / O bus bridge 26 is further connected to the system bus 18. A storage device 30 such as a hard disk is connected to the downstream side of the I / O bus bridge 26 via IDE, ATA, ATAPI, serial ATA, SCSI, USB, etc. via an I / O bus 28 such as PCI. Yes. An input device 32 such as a keyboard and a pointing device such as a mouse is connected to the I / O bus 28 via a bus such as a USB, and receives inputs and commands from an operator such as a system administrator.

  Further, in a specific embodiment, when the present invention is used as a printer server or the like, or when used as a composite image forming apparatus, the information processing apparatus 10 is connected to an image connected to the system bus 18. A processing driver 34 and an image processing device 36 may be provided. The image processing driver 34 and the image processing device 36 can be used when image processing and image output are performed by driving an image forming engine using ADF (Automatic Document Feeder) and electrophotography (not shown). In still another embodiment, the information processing apparatus 10 can be used as a security gateway.

More specifically, the CPU used by the information processing apparatus 10 is, for example,
Itanium (R), Xeon (R), Core (R), Pentium (R), Celeron (R), PowerPC (R), Athlon (R), Turion (R), Sempron ( (Registered trademark), Duron (registered trademark), Opteron (registered trademark), Sparc (registered trademark), PA-RISC (abbreviation), MIPS, and the like.

  As an operating system (OS) to be used, for example, Windows (registered trademark) 2000, Windows (registered trademark) XP, Windows (registered trademark) 200X server, UNIX (registered trademark), LINUX (registered trademark), FreeBSD ( (Registered trademark), AIX (registered trademark), MacOS (trademark), Solaris (registered trademark), VxWorks (registered trademark), or other appropriate OS.

  FIG. 2 is a block diagram illustrating an embodiment of a functional unit configuration of the information processing apparatus 10. The information processing apparatus 10 provides a so-called server function. The information processing apparatus 10 corresponds to a physical layer and a data link layer of the OSI reference model, and includes a link layer 44 that is connected to the network 40 and controls communication using a protocol such as Ethernet (registered trademark), PPP, or PPPoE. Yes. Further, the information processing apparatus 10 controls communication using the IPv4 or IPv6 protocol, establishes an SA (Security Association) as necessary, and executes encrypted communication and the like, and TCP / And a session management unit 48 for managing transactions using UDP.

  The session management unit 48 communicates with an application unit 50 that is higher than the session management unit 48 and performs transaction control with a device externally connected via the network 40. In this embodiment, the IPSec processing is referred to as an embodiment integrated with the native IP stack. However, an embodiment using BITS (Bump in the Stack) in which IPsec processing is inserted between the IP stack and the link layer 44 is used. And it is not particularly limited.

  The application unit 50 of the information processing apparatus 10 provides various server functions. For example, based on user management information stored in the user information storage unit 56, a user authentication unit 54 that performs user authentication of a communication partner, and a file And a transfer unit 58. The application unit 50 executes transfer processing of file data stored in the data storage unit 60 in response to a request from an external device (not shown). Further, the application unit 50 includes a web page generation unit 62, generates a requested web page based on the web page data stored in the web page storage unit 64, and a request based on the HTTP protocol is made. Web page is returned as a response.

  The application unit 50 further includes a DNS registration unit 66 for registering the host name generated by the host name generation unit 68 in the DNS server 94 (not shown). The DNS registration unit 66 executes host name registration processing for enabling access to the information processing apparatus 10 with a host name and domain name that can be identified by the user. Further, the application unit 50 includes a network monitoring unit 70, and collects network device operation information and detects a communication failure by SNMP (Simple Network Management Protocol) to monitor the network.

  In other embodiments, various server functions included in the application unit 50 described above may include a server function such as a DHCP server function, a DNS server function, or a mail server function. Hereinafter, in the present invention, for convenience of explanation, a function unit including the link layer 44, the IPsec control unit 46, the session management unit 48, and the network communication function of the application unit 50 is referred to as the network communication unit 42.

  Further, the information processing apparatus 10 is configured to include a security unit 52, which manages security settings for IPsec communication, and in response to an inquiry from the application unit 50, a communication path for which appropriate security settings have been made. It responds to the address and port and establishes communication according to the communication data attributes (attributes for determining importance and confidentiality). More specifically, the security unit 52 includes a security setting management unit 72 and a security setting storage unit 74. The security setting storage unit 74 stores a table for associating a communication data attribute with a communication address / port for which a security setting corresponding to the communication data attribute is set, and security setting information of the communication address / port. The security setting management unit 72 performs security setting processing and management for the IPsec control unit 46.

  In the present embodiment, the security setting management unit 72 accesses the security setting storage unit 74, manages the IP address / port number assigned to the information processing apparatus 10, and instructs the IPsec control unit 46 for each IP address / port number. Security settings are set for each specified communication path. Further, the security setting management unit 72 performs different security settings for each IP address / port number communication path, and can establish SAs having different security strengths according to data attributes to be communicated. In response to the inquiry from the application unit 50, the security setting management unit 72 notifies the application unit 50 of the IP address / port number of the communication channel for which security is set according to the communication data attribute. The application unit 50 executes a transaction with an external device using the notified IP address / port number.

  As communication data attributes associated with the IP address / port number described above, in this embodiment, the user identification value of the communication data transmission source user, the role associated with the user identification value, and access to resources are designated. Resource attributes such as the URL path, file extension, and file name can be used. Further, as a communication data attribute, an application that handles communication data (application layer protocol) and a process in the application can be used. For example, in an embodiment in which the information processing apparatus 10 is used as an image forming apparatus having a composite function, IPsec communication with appropriate security strength may be performed according to various processes such as a scanner function, a fax function, or a printer function. it can. These communication data attributes are stored in the security setting storage unit 74 and referred to in response to a request from an external device.

  The information processing apparatus 10 further includes a user interface 76. The user interface 76 allows the user to set various functions of the application unit 50 and the security unit 52.

  FIG. 3 shows an embodiment of the address map table 80 stored in the security setting storage unit 74 and managed by the security setting management unit 72. In the embodiment shown in FIG. 3, the address map table 80 is associated with a field 80a for registering an IP address, a field 80b for designating a port number, and security setting information corresponding to the IP address / port number. A field 80c for registering the set security setting identification value is entered.

  In the embodiment of FIG. 3, the IP address is described in the IPv6 format. However, the IP address is not limited to the IPv6 protocol, and the IPv4 protocol can be applied. Furthermore, in another embodiment of the present invention, it is possible to cope with a network in which IPv4 and IPv6 are mixed by configuring an appropriate correspondence table. In the field 80b in which the port number is registered, “any” indicating that the port number is not specified but applied to all the port numbers, a specific port number, a specific port number range, and the like are registered. Can do. FIG. 3 shows an example in which only an IP address is specified and communication is performed with security settings of different security strengths, and the arrows described next to the table indicate the IP addresses “2001 :: 4” to “ It shows that the security strength is set higher toward “2001 :: 1”.

  As the security setting identification value entered in the field 80c, security designation data used in IPsec communication is entered. Specifically, the security designation data includes various parameters in the IKEv1 or IKEv2 protocol for performing encryption and authentication algorithms, secret key length, SA lifetime, secret key sharing, SA negotiation and management. Data for identifying a security setting related to the security strength can be given.

  In general, the strength of security increases as the key length increases, and at the same time, the processing load of encryption / decryption increases and the communication speed also decreases. The security strength and processing load also vary depending on the algorithm. Furthermore, the security strength also changes depending on the SA lifetime setting. The shorter the lifetime, the higher the security strength. However, the key exchange and the SA establishment processing are frequently performed. This leads to an increase in processing load. In this embodiment, a template is prepared in advance for security setting. In other embodiments, the user can also set details for each setting item via the user interface 76. A security setting identification value is assigned for each setting, and the security strength to be assigned is identified.

  As security settings used in this embodiment, for example, setting items conforming to RFC4301 (IPsec), RFC2409 (IKEv1), and RFC4306 (IKEv2) can be used. The security items in this embodiment will be described later, but the security settings are not particularly limited.

  Hereinafter, an embodiment of a communication method using the security setting corresponding to the communication data attribute executed by the information processing apparatus 10 will be described.

  FIG. 4 shows an embodiment of a communication method in file transfer based on a security setting based on a user identification value. FIG. 4A shows a user map table 82 managed by the security setting management unit 72 and stored in the security setting storage unit 74. The user map table 82 includes a field 82a for registering a user identification value, a field 82b for registering an IP address corresponding to the user identification value, and a field 82c for designating a port number. The security setting management unit 72 looks up the user map table 82 shown in FIG. 4A and searches for the identification value in the security setting storage unit 74 using the user identification value at the time of login / user authentication. Thus, it is possible to perform IPsec communication with different security strength for each user identification value.

  In another embodiment, the application unit 50 directly looks up the user map table 82 shown in FIG. 4A to determine a user identification value used for login / user authentication or the like. The application unit 50 determines the security protocol using the acquired user identification value, searches for the identification value in the security setting storage unit 74, and enables IPsec communication with different security strength for each user identification value. You can also.

  FIG. 4B shows a schematic configuration and processing embodiment of a network that executes a communication method in file transfer based on a security setting based on a user identification value. In the present embodiment, the information processing apparatus 10 performs file transfer with the external apparatus 90 via the network 40. The external apparatus 90 connects to the IP address “2001 :: 9” of the information processing apparatus 10 at P11, and executes user login processing at P12. In the illustrated embodiment, it is permitted to communicate in plain text using the IP address “2001 :: 9” to which IPsec is not applied. In another embodiment, it is also possible to perform communication under secure communication of a predetermined strength using IPsec during user login authentication.

  The external apparatus 90 transmits a command such as a file transfer request or a file list request to the information processing apparatus 10 using the same IP address in P13. The information processing apparatus 10 that has received the file transfer request, at P14, designates the designated IP address field 82b and the designated port number / field 82c corresponding to the user identification value (aaa here) registered in the user map table 82. For example, IPsec communication with the external apparatus 90 is established using the IP address “2001 :: 1” and an appropriate dynamic private port or reserved port. The SA for IPsec communication is established by searching for a corresponding security setting identification value in the address map table 80 and using SA management such as IKEv2 and a key exchange protocol. Thereafter, in P15, the information processing apparatus 10 performs file transfer using the SA established in P14.

  FIG. 5 shows an embodiment of a processing sequence in the communication method by the security setting based on the user identification value. In step S101, the external apparatus 90 requests connection to the network communication unit 42 of the information processing apparatus 10 and establishes the connection. Thereafter, the external device 90 transmits a login request including the user identification value and the password to the network communication unit 42 in step S102. In step S103, the network communication unit 42 inquires of the user authentication unit 54 about login authentication, and the user authentication unit 54 executes authentication processing. The external device 90 that has completed the login transmits a file transfer request to the network communication unit 42 in step S104.

  The network communication unit 42 that has received the file transfer request inquires the IP address / port corresponding to the user identification value to the security setting management unit 72 in step S105, and uses the inquired IP address / port in step S106. Thus, a secure communication path for data transfer is established with the external device 90. In step S107, the network communication unit 42 acquires the file stored in the data storage unit 60 and requested to be transferred from the external device 90 via the file transfer unit 58, and stores the file in, for example, a transmission buffer. Thereafter, in step S108, the network communication unit 42 transfers the requested file via the secure communication path established in step S106, and disconnects the connection upon completion of the transfer.

  Further, by using processing similar to the above processing sequence, other transactions such as file upload and list display requests can be performed, for example, processing by an FTP command defined in RFC959. In another embodiment, instead of the user identification value, IPsec communication with a different security strength can be performed by setting a communication path for the role associated with the user identification value. In yet another embodiment, a communication path is set for resource attributes such as a file name, path, file extension (file type), and file owner identification value, and IPsec communication is executed with corresponding security settings. be able to. In yet another embodiment, a communication path can be set for a command (request processing), and communication can be performed with different security settings, which is not particularly limited.

  FIG. 6 shows an embodiment of a communication method by security setting based on the URL of a resource requested to be accessed from the external device 90 side. In the embodiment shown in FIG. 6, the information processing apparatus 10 provides a Web application server function. FIG. 6A shows a URL map table 84 for performing IPsec communication with different security strengths based on the URL of the requested resource in HTTP communication or the like. The URL map table 84 shown in FIG. 6 has an entry for a field 84a for registering the URL path of the resource, a field 84b for registering an IP address corresponding to the path, and a field 84c for designating a port number.

  The web page generation unit 62 of the application unit 50 uses the data structure shown in FIG. 6A to analyze the URL path requested by the external device 90 for access to the browser 92 of the external device 90. A redirect instruction is sent to the URL to be executed, and IPsec communication is executed with the security strength specified by the URL path. With the configuration described above, it is possible to construct a flexible Web site in which more detailed security strength is set in addition to the conventional choice of HTTP (plain text communication) or HTTPS (encrypted communication).

  FIG. 6B shows a schematic configuration of a network and an embodiment of processing for executing a communication method based on security settings based on the URL of a resource requested to be accessed from the external device 90. The information processing apparatus 10 is connected to the external apparatus 90 via the network 40 and accepts an access request to the resource from the browser 92 of the external apparatus 90. In P21, the external device 90 transmits, for example, a resource acquisition request message specified by a URL (http: // 2001 :: 9 / usr) to the information processing device 10.

The information processing apparatus 10 that has received the request message is registered in the URL map table 84 at P22, searches the entry of the designated IP address field 84b and the designated port number field 84c corresponding to the path, and searches the URL path (/ For example, a response message including a redirect instruction to a URL (http: // 2001 :: 2 / usr) is transmitted to the external device 90. The external device 90 that has received the response message including the redirect instruction performs a redirect process to the URL notified from the information processing device 10 in P23, for example, URL (http: //
2001 :: 2 / usr) is transmitted to the information processing apparatus 10 as a resource acquisition request message. In step P24, the information processing apparatus 10 includes the requested resource in the response message and transmits the response message to the external apparatus 90. In addition, when executing the redirect instruction to the browser 92 of the external device 90, it can be performed using Java (registered trademark) Script or an HTTP header. In another embodiment, instead of redirecting, a web page can be embedded as a link and notified to an external device.

  FIG. 7 shows an embodiment of a processing sequence of a communication method based on security settings based on the URL of a resource requested to be accessed from an external device. In step S <b> 201, the browser 92 transmits a Web page URL (http: / 2001 :: 9 / usr) acquisition request message to the network communication unit 42 of the information processing apparatus 10. In step S202, the network communication unit 42 that has received the request message inquires the security setting management unit 72 about the validity of the correspondence between the URL path and IP address of the requested resource. In this embodiment, since the path (/ usr) is associated with (2001 :: 3), the security setting management unit 72 responds to the network communication unit 42 that the correspondence is invalid in step S203. To do.

  Upon receiving the response, the network communication unit 42 inquires the IP address corresponding to the URL path (/ usr) to the security setting management unit 72 in step S204, and the received security setting management unit 72 receives the IP address. Respond. The network communication unit 42 that has acquired a valid IP address transmits a response message including a redirect instruction to, for example, a URL (http: / 2001 :: 2 / usr) to the browser 92 of the external device 90. (Step S205).

  The browser 92 that has acquired the legitimate URL transmits a URL (http: / 2001 :: 2 / usr) acquisition request message to the network communication unit 42 in step S206, and the network communication unit 42 that has received the request message receives the request message. In step S207, the security setting management unit 72 is inquired about the validity of the correspondence between the URL path of the requested resource and the IP address. Upon receiving the inquiry, the security setting management unit 72 responds to the network communication unit 42 that the correspondence is valid in step S208. The network communication unit 42 that has received the response acquires the resource specified from the Web page generation unit 62 in step S209, and transmits the resource as a response message to the browser 92 in step S210.

  In the above-described embodiment, the IP address (and port) for which the security setting has been made is notified from the information processing apparatus 10 in response to a request process from the external apparatus 90, and IPsec communication with security strength corresponding to the communication data attribute is performed. A communication method is provided. According to the present embodiment, on the external device side, (1) it is not necessary to install a special program, (2) it is not necessary to know the connection destination according to the communication data attribute, (3) the information processing device 10 Notification enables IPsec communication with appropriate security settings according to user settings, and as a result (4), more flexible secure communication can be provided. In the following, a second embodiment of a communication method for performing secure communication with different security strengths using types of higher-layer protocols in the TCP / IP layer in communication will be described.

  FIG. 8 shows a second embodiment of the information processing apparatus 10 that determines the importance of communication data based on a higher-level protocol and performs IPsec communication with different security strengths. FIG. 8 shows a data structure table used for the software configuration and processing of the information processing apparatus 10. Note that the basic hardware configuration of the second embodiment shown in FIG. 8 can be the same as that of the first embodiment. FIG. 8A is a block diagram of a software module according to the second embodiment. In the second embodiment, the IPsec control unit 46 implemented by the information processing apparatus 10 is different, and other software modules use the same configuration as that of the first embodiment. Therefore, the IPsec control unit 46 will be described in detail below. To do.

The IPsec control unit 46 of the second embodiment responds to an inquiry about the processing method from the IPsec processing unit 46a that processes the IP packet input from the link layer 44 or the IP packet output from the upper layer. And a policy management unit 46b. The policy management unit 46b refers to the IP packet processing policy stored in the database unit 46d and responds to an inquiry from the IPsec processing unit 46a. The IPsec control unit 46 further includes a database unit 46d. More specifically, the database unit 46d includes an SPD (Security Policy Database) 46e for storing a security policy (SP), an SA. SAD (Security Association Database: Security
Association Database) 46f.

  The SPD 46e can be implemented as a database in which a security policy (hereinafter referred to as SP) is entered. The SPD 46e should either apply (1) IPsec processing or (2) without applying IPsec processing. The packet processing policy such as whether to pass or (3) discard is stored. In addition, when applying secure communication such as IPsec, the SPD 46e stores various parameters used when establishing IPsec processing and SA (Security Association).

  The SA information includes information shared for performing secure communication between external device hosts, such as an encryption algorithm and encryption key used in IPsec communication, an authentication algorithm, and an authentication key. When the SA is established, the SAD 46f Stored in Note that the security setting of the communication path specified by the IP address / port set in the IPsec control unit 46 by the security setting management unit 72 described above includes SP.

The IPsec control unit 46 uses IKE (Internet Key
Exchange) section 46c is further included. When the application of IPsec is instructed in the SPD and the SA has not been established, the IKE unit 46c uses the IPsec protocol (AH (Authentication
Header), ESP (Encapsulating Security Payload) or both), protocol mode (transport mode or tunnel mode), negotiation of encryption algorithm, key exchange of encryption key, etc. by protocol such as IKEv2 The SA is established and the SA information is stored in the SAD 46f.

  FIG. 8B shows an embodiment of the table configuration of the SPD 46e for determining the upper protocol and establishing communication with the corresponding security setting. In the present embodiment, the security policy table 86 includes a field 86a for registering the IP address of the IP packet transmission source and a field 86b for registering the destination IP address. Further, the security policy table 86 includes a field 86c for specifying the next layer protocol and a field 86d for registering the destination port number. Further, the SPD 46e includes a field 86e in which various setting information such as an IPsec protocol, an encryption algorithm, an encryption key, and a key exchange parameter in IPsec communication is stored.

  In the security policy table 86, a selector 86f is composed of a set of remote address, local address, next layer protocol, and local port. In the present embodiment, the selector 86f is used to specify an upper protocol. In the IP packet, the next layer protocol is included in the header portion of the IP packet (including the extension header in the case of IPv6), the value of the protocol field in the case of IPv4, and the value of the next header field in the case of IPv6. Can be identified based on. When not fragmented, the port number is included in the port number field of the next layer header in the payload of the IP packet. In the case of fragmentation, an appropriate verification policy can be included in the IP packet.

  If the port number is a well-known port, for example, the session management unit 48 specifies the upper protocol using the port number. For example, in the embodiment shown in the figure, when the IP packet is an IP address (2001 :: 8), a next layer protocol (TCP), and a port number (21), it is specified as the FTP protocol. When the upper layer protocol in the application unit 50 uses an unknown port such as a dynamic private port, the security setting management unit 72 is notified from the application unit 50 or a preset unknown port number is set. It is possible to obtain and set security for each IP address and port.

  The information processing apparatus 10 according to the second embodiment can identify an upper layer protocol from the received packet and perform IPsec communication by controlling the security strength (security setting) for each upper protocol. For example, even for a protocol that performs encrypted communication in an upper layer, such as https, if excessively strong encrypted communication is specified in the IP layer, redundant processing is performed in the information processing apparatus 10. A load is added. In such a case, the information processing apparatus 10 can execute a process of applying only AH and reducing the processing load. The policy management unit 46b and the security setting management unit 72 are referred to as separate functional units. However, as the policy management unit 46b including the function of the security setting management unit 72, complex functions incorporated in the IPsec stack. It can also be implemented as a means.

  Hereinafter, an embodiment in which the security setting is set by the user will be described. The user can input / modify / delete the setting of the security setting management unit 72 via the user interface 76. FIG. 9 illustrates an embodiment of a user interface 76 for performing security settings using a communication protocol. The illustrated embodiment illustrates a case where the information processing apparatus 10 is mounted as an image forming apparatus having a composite function.

  FIG. 9A shows a specific embodiment of the user interface for specifying the encryption method for changing the security strength and performing the security setting in association with each protocol. The user interface 76 includes a display unit 76a and an operation unit 76b. On the display unit 76a, encryption schemes such as DES, 3DES, and AES are displayed corresponding to higher-layer protocols such as SNMP, HTTP, and FTP. In the embodiment of FIG. 9A, the user selects and sets an encryption method for each protocol from the input key of the operation unit 76b. Further, in the embodiment shown in FIG. 9B, the security settings expressed as “strong”, “medium”, and “weak” as the security strength are displayed on the display unit 76a in association with each protocol. The user performs the security setting by specifying the security setting displayed on the display unit 76a.

In addition, when the user inputs the security setting, the security setting of the communication path by each IP address / port of IPsec communication includes:
(1) Whether to apply IPsec processing (in IPsec, it is mandatory to apply IPsec)
(2) Whether the key used in IPsec communication is shared by the automatic key exchange method or the manual key exchange method,
The setting items of the key exchange method can be included.

Furthermore, the security setting is further set as a parameter in the IKE protocol for the automatic key exchange method.
(3) A partner authentication method such as a pre-shared secret key authentication method, a digital signature authentication method, a public key encryption authentication method (deprecated in IKEv2), an improved public key encryption authentication method (deprecated in IKEv2),
(4) Setting information for establishing IKE_SA such as encryption algorithm, key length, pseudorandom function, authentication algorithm, Diffie-Hellman group in IKE key exchange (phase 1),
In establishing the SA for IPsec communication (phase 2),
(5) IPsec protocol such as EPS (Encapsulating Security Payload), AH (Authentication Header), or both,
(6) ESP encryption algorithm, key length, authentication algorithm,
(7) Authentication algorithm in AH,
(8) Setting items such as protocol mode such as SA validity period (lifetime), transport mode, and tunnel mode can be included. For the various settings, RFC4301 (IPsec), RFC4306 (IKEv6) and standards / settings corresponding to these can be used, and there is no particular limitation.

  Also, the encryption algorithm, authentication algorithm, key length, etc. used in IKE key exchange and ESP and AH in IPsec communication are determined by negotiation between external device hosts. The security settings for specifying the security strength include a parameter set that provides functions as an initiator and a responder. For example, for the initiator function, specification of key exchange parameters, or a range of key exchange parameters, or settings for selecting multiple parameter sets can be used. In addition, in the case of acting as a responder at the time of negotiation, it is possible to include a setting for designating an acceptable range from the set parameters.

  When the information processing apparatus 10 is mounted as an image forming apparatus or the like, it is assumed that the space of the display area 76a in the display area is limited. Even in this case, by using the embodiment shown in FIG. 9, the options provided by the preset template setting are displayed without sequentially performing complicated security setting entry items. The user can perform communication based on the security setting specified by the user while referring to the display displayed on the display unit 76a.

  FIG. 10 illustrates an embodiment in which a DNS server is used to access the information processing apparatus 10 using a host name and a domain name that can be easily identified by a user. FIG. 10A shows a host name map table 88 that is generated by the host name generation unit 68 and for registering the IP address and the host name in association with each other in the DNS server 94. The host name map table 88 includes a field 88a for registering a host name and a field 88b for registering an associated IP address. In the embodiment of FIG. 10A, a character string indicating the IPsec protocol is concatenated by “_ (underscore)” to the default host name “server” such as “server_AH” or “server_ESP”. Yes. In the embodiment of FIG. 10A, the IP address (2001 :: 5) represents that security settings including AH are made, and the IP address (2001 :: 6) is ESP and the IP address (2001 :: 2001). 7) indicates that security settings are applied to which both AH and ESP are applied.

  According to the embodiment shown in FIG. 10A, the user can know information related to the security setting of the current communication by confirming the host name. In the present embodiment, the host name generation unit 68 generates a host name based on the IPsec protocol such as AH and ESP applied in the security setting. In yet another embodiment, for example, character strings such as “TNN” and “TRN” representing a tunnel mode and a transport mode, and character strings representing a key length such as “128” and “256” are represented by “_”. (Underbar) ”can be further connected to present the mode and security strength to the user in an identifiable manner, and the present invention is not limited to a specific display format.

  FIG. 10B shows a host name map table 88 according to another embodiment. The host name map table 88 shown in FIG. 10B is used when registering a host name in association with an IP address in the DNS server 94. The host name map table 88 shown in FIG. 10B includes a field 88a for registering a host name and a field 88b for registering an associated IP address. In addition, a host name such as “server” is assigned to an address to which IPsec is applied (for example, 2001 :: 1), and an address to which IPsec is not applied (for example, 2001 :: 9) The host name is not registered, and only the IP address for performing IPsec communication is registered. By performing processing for excluding IP addresses, to which normal IPsec communication is not applied, from DNS registration, an IP address for executing plaintext communication is not replied to the external device 90, and communication using IPsec is always performed. It becomes possible.

  FIG. 10C illustrates an embodiment of communication that enables access to the information processing apparatus 10 using a host and a domain name. In the present embodiment, the information processing apparatus 10 is connected to the DNS server 94 via the network 40 and performs host name registration processing. Further, the external device 90 accesses the DNS server 94, requests name resolution from the DNS server 94, and executes communication with the information processing device 10 using the obtained IP address.

  In step P31, the information processing apparatus 10 performs dynamic DNS registration with the DNS server 94. Registration is performed on the DNS server 94 based on the host name map table 88. The DNS server 94 stores the IP address and the host name. Perform name resolution. On the other hand, the external device 90 notifies the DNS server 94 of the host name and domain name (FQDN), for example, “server_AH.net.co.jp” in order to access the information processing device 10 in P32, and the corresponding IP. The DNS server 94 transmits an address acquisition request, and inquires another DNS server 94 as necessary to execute name resolution processing.

  In P33, the external apparatus 90 acquires the corresponding IP address from the DNS server 94, and in P34, uses the acquired IP address (2001 :: 5) to connect to the information processing apparatus 10 and perform communication.

  FIG. 11 shows an embodiment of a communication sequence for accessing the information processing apparatus 10 using a host and a domain name. The DNS registration unit 66 of the information processing apparatus 10 transmits a host name acquisition request to the host name generation unit 68 in step S301. The host name generation unit 68 that has received the host name acquisition request acquires combination information of the security setting and the IP address from the security setting management unit 72 in step S302 in order to include a character string related to the security setting in the host name. Thereafter, in step S303, the host name generation unit 68 generates a host name based on the security setting, and responds to the DNS registration unit 66 with the host name and the address as a pair.

  The DNS registration unit 66 that has acquired the host name and IP address executes host registration processing to the DNS server 94 in step S304, and the DNS server 94 performs host name / address pair registration processing. Thereafter, the external device 90 acquires the IP address corresponding to the DNS server 94 using the host name and domain name acquired in advance in step S305, and the DNS server 94 performs name resolution in step 306. To notify the external device 90. In step S307, the external device 90 accesses the information processing apparatus 10 using the acquired IP address.

  With the above configuration, since the host name includes a character string representing the communication security setting information, the user of the external device 90 communicating with the information processing apparatus 10 can easily know the connection security setting information. Become. Further, even if the user does not know the host name corresponding to other security settings in advance, it is possible to connect by analogy with the host name corresponding to the security setting. Hereinafter, another embodiment of a communication method that enables access to the information processing apparatus 10 using a host name and a domain name that can be easily identified by the user will be described.

  FIG. 12 shows another embodiment of a communication sequence that enables access to the information processing apparatus 10 using a host and a domain name that can be easily identified by the user. In the embodiment illustrated in FIG. 12, the DNS registration unit 66 of the information processing apparatus 10 transmits an address acquisition request to the security setting management unit 72 in step S401, and acquires an IP address in step S402. In step S403, the DNS registration unit 66 makes a host registration request to the DNS server 94 by combining the host name and the IP address, and the DNS server 94 registers the host name and address pair. Thereafter, in step S404, the external device 90 uses the host name and domain name acquired in advance to make a corresponding IP address acquisition request to the DNS server 94, and the DNS server 94 receives the registered IP address in step S405. To the external device 90. When a plurality of IP addresses are registered in the DNS server 94 for the host name, the DNS server 94 responds to the timing of access from the external device 90 or the like, and at least one of the registered IP addresses. It is good also as the process which notifies one to the external device 90. In step S406, the external device 90 executes access to the information processing device 10 using the acquired IP address. In the embodiment illustrated in FIG. 12, even when the information processing apparatus 10 is under maintenance or malfunction occurs, it is possible to communicate with the external apparatus 90 via the backup apparatus.

  In the embodiment using the DNS server 94, an IPsec connection can be established with the information processing unit 10 by using a domain name and a host name that can be identified by the user from an IP address that is not identifiable by the user. In addition, when used in combination with a dynamic DNS server, information acquired from the server by DHCPv6 even if it is an IP address assigned by a DHCPv4 (Dynamic Host Configuration Protocol) server, or in IPv6, even a stateless address by plug and play Even if the stateful address is set based on the host name, since the host name is dynamically registered in the DNS, the user can access the information processing apparatus 10 using the same host name and domain name.

  As described above, according to the present invention, it is possible to connect the information processing apparatus and the external apparatus via a network with high security and reliability, and the user identification value of the transmission source user is used for communication. It is possible to reduce the processing load of the entire information processing device by using a communication path to which security settings are flexibly applied according to the communication data attributes such as the type of communication protocol of the application layer and access request destination resource attributes. An information processing apparatus, a communication method, and a program can be provided.

  In addition, according to the present invention, a special program is not required on the external device side, and it is possible to switch the connection to the communication path on which the appropriate security setting has been made on the information processing device side. Does not feel complicated.

  Conventionally, even in a process that requires high confidentiality, there has been a case where the security of communication is compromised due to concerns about the processing load applied to the server. Since communication is performed with security strength corresponding to confidentiality, the processing load as a whole is reduced, and for highly confidential processing that is required, communication can be performed with sufficient security strength, and processing on the server side It can also be suitably prevented that the speed becomes a bottleneck of the communication speed.

The encryption algorithm in the ESP protocol of IPsec communication includes DES (Data Encryption Standard) algorithm, 3DES, RC5, IDEA (International Data
Encryption Algorithm), CAST-128, CAST-256, Advanced Encryption Standard (AES), etc. can be used, and CBC (Cipher Block Chain: Cipher)
Encryption processing can be performed in various modes such as Block Chaining and ECB (Electronic Code Block), but is not limited thereto.

  In addition, as an authentication algorithm mode in IPsec communication, HMAC-MD5, HMAC-SHA-1, DES-CBC-MAC, AES-XCBC-MAC, AES-CMAC, and the like can be used, but are not limited thereto. It is not a thing.

  The above functions of the present invention can be realized by a device-executable program written in a legacy programming language such as assembler, C, C ++, C #, Java (registered trademark), an object-oriented programming language, or the like. It can be stored and distributed in a device-readable recording medium such as MO, EEPROM, EPROM, flash memory, flexible disk, CD-ROM, CD-RW, and DVD. The above functions are configured by a system memory and a CPU, and can be realized by loading a program for realizing each function into the system memory and executing it.

  Although the present invention has been described with the embodiments shown in the drawings, the present invention is not limited to the embodiments shown in the drawings, and those skilled in the art have conceived other embodiments, additions, modifications, deletions, and the like. It can be changed within the range that can be performed, and any embodiment is included in the scope of the present invention as long as the operation and effect of the present invention are exhibited.

1 is a block diagram showing an embodiment of a schematic configuration of an information processing apparatus. The block diagram which showed embodiment of the function means structure of information processing apparatus. The figure which showed embodiment of the address map table. The figure which showed embodiment of the communication method by the security setting based on a user identification value. The figure which showed embodiment of the process sequence in the communication method by the security setting based on a user identification value. The figure which showed embodiment of the communication method by the security setting based on URL of the resource by which the access request | requirement was carried out from the external device side. The figure which showed embodiment of the processing sequence of the communication method by the security setting based on URL of the resource by which the access request was carried out from the external device. The figure which showed 2nd Embodiment of the information processing apparatus which performs communication of the security setting based on a high-order protocol. The figure which showed embodiment of the user interface for performing a security setting based on a high-order protocol. The figure which showed embodiment which accesses an information processing apparatus using the host name and domain name which a user can identify easily using a DNS server. The figure which showed embodiment of the process sequence in the communication method which accesses an information processing apparatus using a host and a domain name. The figure which showed other embodiment of the communication sequence which enables access to information processing apparatus using the host and domain name which a user can identify easily.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Information processing apparatus, 12 ... CPU, 14 ... Cache memory, 16 ... System memory, 18 ... System bus, 20 ... Graphics driver, 22 ... NIC, 24 ... Display device, 26 ... I / O bus Bridge 28 28 I / O bus 30 Storage device 32 Input device 34 Image processing driver 36 Image processing device 40 Network 42 Network communication unit 44 Link layer 46 IPsec Control unit, 46a ... IPsec processing unit, 46b ... Policy management unit, 46c ... IKE unit 46c, 46d ... Database unit, 46e ... SPD, 46f ... SAD, 48 ... Session management unit, 50 ... Application unit, 52 ... Security unit, 54 ... User authentication unit 56 ... User information storage unit 58 ... File transfer unit 60 ... Data Storage unit, 62 ... Web page generation unit, 64 ... Web page storage unit, 66 ... DNS registration unit, 68 ... Host name generation unit, 70 ... Network monitoring unit, 72 ... Security setting management unit, 74 ... Security setting storage unit, 76 ... User interface, 76a ... Display unit, 76b ... Operation unit, 80 ... Address map table, 80a, 80b, 80c ... Field, 82 ... User map table, 82a, 82b, 82c ... Field, 84 ... URL map Table, 84a, 84b, 84c ... field, 86 ... Security policy table, 86a-86e ... Field, 86f ... Selector, 88 ... Host name map table, 88a, 88b ... Field, 90 ... External device, 92 ... Browser 94 DNS server

Claims (14)

An information processing apparatus connected to a network and performing data communication with an external device, wherein the information processing apparatus
Security setting management means for keeping security data communication security settings and communication data attributes corresponding to each other;
Communication data attribute determining means for determining the communication data attribute from communication data with the external device;
Application execution means for determining the security setting of the secure data communication with the external device corresponding to the communication data attribute, and executing communication ;
Character string storage means for storing the security setting in association with the character string indicating the security setting;
Wherein including the character string corresponding to the security setting, and a host name generation unit that generates a registration host name, the information processing apparatus.   The security setting is assigned for each communication path designated by at least one of an address and a port number, and the information processing apparatus notifies the external apparatus of the communication path to establish the secure data communication. Item 4. The information processing apparatus according to Item 1.   The application execution unit determines the communication data attribute using the URL address of the requested Web page, and notifies the external device of the URL address for which the security setting corresponding to the communication data attribute is set. The information processing apparatus according to claim 1. The information processing apparatus includes:
Template storage means for storing a setting template for performing the security setting;
A selection unit that presents information for identifying the setting template on a display unit, and receives selection of the setting template;
Security setting processing means for executing security settings according to the setting template selected by the selection means ;
The information processing apparatus according to claim 1 , comprising: 5. The information processing apparatus according to claim 1, further comprising: a host name registration unit that registers the communication path in which the security setting is made and the registered host name in association with each other in a DNS server. The information processing apparatus described in 1. The secure data communication is IPsec communication, information processing apparatus according to any one of claims 1 to 5. A communication method connected to a network and causing an information processing device to perform data communication with an external device, the information processing device
Receiving communication data from the external device and determining a communication data attribute;
Retrieving and determining security settings from the communication data attributes;
Executing the secure data communication by applying the determined security setting, and the communication method further includes:
Determining a character string indicating the security setting from the security setting;
Generating a registered host name including the character string corresponding to the security setting; and
A communication method that executes The communication method further includes:
Determining the security setting for a communication path designated by at least one of an address and a port number;
Notifying the external device of the communication path and establishing the secure data communication;
Is executed, communication method according to claim 7. The communication method further includes:
Determining the communication data attribute using the URL address of the requested web page;
Notifying the external device of the URL address for which the security setting corresponding to the communication data attribute is set;
Is executed, communication method according to claim 7. A program for realizing an information processing apparatus connected to a network and performing data communication with an external apparatus , the computer comprising:
Security setting management means for holding security data communication security settings in correspondence with communication data attributes Communication data attribute determining means for determining the communication data attributes from communication data with the external device ,
Application execution means for determining the security setting of the secure data communication with the external device in correspondence with the communication data attribute, and executing communication ;
A character string storage means for storing the security setting in association with a character string indicating the security setting; and
Host name generation means for generating a registered host name including the character string corresponding to the security setting
A computer- executable program that functions as a computer . The application execution means assigns the security setting for each communication path designated by at least one of an address and a port number ,
The program according to claim 10 , further causing the computer to function as means for notifying the external device of the communication path and establishing the secure data communication. The application execution means determines the communication data attribute using the URL address of the requested Web page, and notifies the external device of the URL address where the security setting corresponding to the communication data attribute is set. the program product of claim 10. The program further comprises a computer ,
A template storage means for storing a setting template for performing the security setting ;
A selection means for presenting information for identifying the setting template on a display unit and receiving selection of the setting template ; and
Security setting processing means for executing security setting according to the setting template selected by the selecting means
The program of any one of Claims 10-12 made to function as . 14. The program according to claim 10 , further causing the computer to function as a host name registration unit that registers the communication path in which the security setting is made and a host name in association with each other in a DNS server. The program according to item 1.

Images