CN100571133C - The implementation method of media flow security transmission - Google Patents
The implementation method of media flow security transmission Download PDFInfo
- Publication number
- CN100571133C CN100571133C CNB2004100043802A CN200410004380A CN100571133C CN 100571133 C CN100571133 C CN 100571133C CN B2004100043802 A CNB2004100043802 A CN B2004100043802A CN 200410004380 A CN200410004380 A CN 200410004380A CN 100571133 C CN100571133 C CN 100571133C
- Authority
- CN
- China
- Prior art keywords
- terminal
- soft switch
- security
- message
- key
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
- 230000005540 biological transmission Effects 0.000 title claims abstract description 58
- 238000000034 method Methods 0.000 title claims abstract description 36
- 230000006854 communication Effects 0.000 claims abstract description 52
- 238000004891 communication Methods 0.000 claims abstract description 51
- 230000004044 response Effects 0.000 claims description 20
- 230000008569 process Effects 0.000 claims description 10
- 230000003993 interaction Effects 0.000 claims description 2
- 230000000977 initiatory effect Effects 0.000 description 4
- 238000010295 mobile communication Methods 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 2
- 230000011218 segmentation Effects 0.000 description 2
- 238000013519 translation Methods 0.000 description 2
- 230000008859 change Effects 0.000 description 1
- 238000012790 confirmation Methods 0.000 description 1
- 230000002950 deficient Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 230000007704 transition Effects 0.000 description 1
Images
Abstract
The invention discloses a kind of implementation method of media flow security transmission, be applied among the next generation network NGN that comprises soft switch and terminal, described terminal comprises the transmitting terminal and the receiving terminal of media stream, this method comprises: (1) transmitting terminal and receiving terminal carry out security negotiation by soft switch, obtain communication key that is generated by soft switch and the security parameter of all being supported by two terminals of soft switch appointment; (2) transmitting terminal is according to described communication key and security parameter is encrypted by media stream message or/and the message integrity protection is sent to receiving terminal again; (3) receiving terminal is decrypted the media stream message of receiving or/and message is differentiated according to described communication key and security parameter, thereby realizes the media flow security transmission of transmitting terminal to receiving terminal.And identify the authentication of finishing source messages by terminal applies layer source is set, can't carry out the problem that message transmission source authenticates behind the solution Media Stream passing through NAT.
Description
Technical field
The present invention relates to the transmission method of Media Stream in the communications field, relate in particular to the method that realizes media flow security transmission among the NGN.
Background technology
NGN (Next Generation Network) is the abbreviation of next generation network.It is a novel public telecommunication network that is based upon on the IP technical foundation, promptly under unified management platform, digital signal such as audio frequency, video is transmitted between internet, mobile communications network, landline telephone communication network, realizes really that wide band narrow band is integrated, wire and wireless is integrated, integration of active and passive optical transmission, transmission insert incorporate integrated service network.That is to say that NGN is the developing direction of the present communications field.
Digital signals such as the audio frequency that transmits between internet, mobile communications network, landline telephone communication network, video are referred to as Media Stream.In the media flow transmission process, how to guarantee the legitimacy that the content of Media Stream is not distorted, monitored and guarantee media stream message, directly have influence on the network security of NGN net, whether can obtain large-scale application thereby have influence on NGN.
The implementation method of a kind of media flow security transmission of adopting at present is earlier segmentation to be carried out in the transmitting terminal and the zone between the receiving terminal of media flow transmission, then the segment transmissions Media Stream.With the disclosed structure of Fig. 1 is example, transmitting terminal 3 is connected with node 2, node 2 connects soft switch 1, soft switch 1 connected node 4, node 4 is connected node 2 simultaneously, node 4 also connects receiving terminal 5, the Media Stream of transmitting terminal 3 to be sent to receiving terminal 5 now, adopt said method need pass through following steps: at first, when transmitting terminal 3 and receiving terminal 5 set up call out be connected after, the media flow transmission line sectionalizing is carried out in soft switch 1, and such as being divided into: transmitting terminal 3 to node 2 is that first section, node 2 to node 4 are that second section, node 4 to receiving terminal 5 are the 3rd section;
Secondly, need to give the two ends of each section to distribute corresponding media stream privacy key.That is to say, give first section two nodes---transmitting terminal 3 and node 2 distribute the first media stream privacy key, give second section two nodes---node 2 and node 4 distribute the second media stream privacy key, give the 3rd section two nodes--and-node 4 and receiving terminal 5 distribute the 3rd media stream privacy key;
Then, the transmitting terminal 3 usefulness first media stream privacy key transfers to node 2 after to media stream privacy, node 2 is earlier with after the first media stream privacy secret key decryption, again with another node that is sent to second section after the second media stream privacy secret key encryption, by that analogy, node between subsequent segment and the section is decrypted Media Stream earlier, and transmission again receives this media stream message at last up to receiving terminal after encrypting again with the new key of next section then.
Though above-mentioned Media Stream is provided with some keys in transmission course, and segmentation carries out encrypted transmission,, still there are a lot of defectives in the method for this Media Stream segment transmissions:
The first, because except transmitting terminal 3 and receiving terminal 5, other intermediate node can be decrypted media stream message, and system can't guarantee the safety of each intermediate node, thereby has reduced the coefficient of safety of media flow transmission.
Second, system need distribute corresponding media stream privacy key for the two ends of each section, thereby make the encryption key distribution of whole system become complicated, and except the encryption and decryption processing need be carried out in the two ends of whole Media Stream, the node between section and the section also needed Media Stream is carried out first deciphering, then with encrypting transmission more again, so both, reduced the speed of media flow transmission again, directly had influence on the service quality of real time business such as voice for system brings great performance burden.
The 3rd, in the NGN of reality network organizing, relate to complicated network operations such as address transition repeatedly, and the source authentication that is used for authenticating the transmitting terminal identity at present is that source address information with the IP head of transmitting terminal is as authentication content, cause the problem that can't authenticate message transmission source because of the IP address mapping when so just having Media Stream passing through NAT (Netword Address Translation, network address translation) equipment.
Summary of the invention
The technical problem to be solved in the present invention is the implementation method that proposes a kind of media flow security transmission, transmitting terminal and receiving terminal carry out the security negotiation of media flow transmission earlier before the media stream message transmission by soft switch, and this negotiations process and transmitting terminal combine with the call establishment of receiving terminal, this method can improve the coefficient of safety of media flow transmission, and the transmission quality and the speed that improve Media Stream.
For addressing the above problem, the invention provides a kind of implementation method of media flow security transmission, be applied among the next generation network NGN that comprises soft switch and terminal, described terminal comprises the transmitting terminal and the receiving terminal of media stream, comprising: (1) transmitting terminal and receiving terminal carry out security negotiation by soft switch in call establishment or behind the call setup:
When terminal is registered, the authentication center of NGN network obtain with the shared key kc of terminal and with the shared key ks of soft switch, the session key between distributing terminals and the soft switch, respectively by kc and ks to session key; Authentication center will be sent to the terminal and the soft switch of request registration by kc and ks encrypted session key respectively; Terminal and soft switch receive the session key of respective encrypted, and terminal is used and shared key kc deciphering, and soft switch is used and shared key ks deciphering, obtains the session key between terminal and the soft switch; Session key negotiation packet between soft switch use and the terminal, the negotiation packet that terminal deciphering receives obtains communication key that is generated by soft switch and the security parameter of all being supported by two terminals of soft switch appointment;
(2) transmitting terminal is according to described communication key and security parameter is encrypted by media stream message or/and the message integrity protection is sent to receiving terminal again; (3) receiving terminal is decrypted the media stream message of receiving or/and message is differentiated according to described communication key and security parameter.
Described transmitting terminal and receiving terminal carry out security negotiation according to following step in call establishment: described step (1) further comprises: (1-1) the transmitting terminal call request message that will comprise the security parameter tabulation of local terminal is sent to soft switch; (1-2) soft switch is preserved the security parameter tabulation after receiving call request message, and sends call request message to receiving terminal; (1-3) the receiving terminal response message that will comprise the security parameter tabulation of local terminal is sent to soft switch; (1-4) soft switch is selected the security parameter of both sides' support according to the security parameter tabulation at the two ends of receiving, the negotiation packet that will comprise described security parameter and described communication key then is distributed to transmitting terminal and receiving terminal by response message.
Described transmitting terminal and receiving terminal can carry out security negotiation according to following step behind call setup: (1-1) security parameter of transmitting terminal transmission local terminal is tabulated to soft switch; (1-2) security parameter of receiving terminal transmission local terminal is tabulated to soft switch; (1-3) soft switch is selected the security parameter of both sides' support according to the security parameter tabulation at the two ends of receiving, the negotiation packet that will comprise described security parameter and described communication key then is distributed to transmitting terminal and receiving terminal by response message.
Described security parameter tabulation comprises the security capabilities parameter of local terminal support and the priority tag of every kind of security capabilities parameter.
Wherein, above-mentioned security parameter tabulation also comprises the application layer source sign of local terminal, and described local terminal application layer source sign is generated by the local terminal dynamic random; Soft switch sends to the application layer source sign that comprises the opposite end in the negotiation packet of each end; Transmitting terminal is placed on the application layer source sign of local terminal in the media stream message, calculates message authentication code; Receiving terminal is differentiated described media stream message, and the transmitting terminal application layer source sign in the described negotiation packet that the transmitting terminal application layer source in the media stream message is identified and receives in advance compares, if identical, then finishes the authentication in media stream message source.
Wherein, described terminal communicating by letter by Xin Lingdaili SP realization and soft switch; Be specially:
In the endpoint registration process, authentication center by terminal and Xin Lingdaili the device identification acquisition and the shared key kc of terminal and with the shared key ksp of Xin Lingdaili, carry out the session key of message interaction between distributing terminals and the Xin Lingdaili, by shared key kc and ksp session key is encrypted respectively, authentication center will send to Xin Lingdaili through the ksp encrypted session key, authentication center will send to terminal through the kc encrypted session key, after Xin Lingdaili and terminal receive encrypted session key, use shared secret key decryption separately to obtain session key, utilize session key derived cipher key and authenticate key, be used for communicating between Xin Lingdaili and the terminal encryption and the authentication of message, guarantee the communication security of Xin Lingdaili and terminal room, soft switch sends to Xin Lingdaili with negotiation packet, the session key negotiation packet of Xin Lingdaili utilization and terminal also sends to terminal, the negotiation packet that terminal utilizes the session key deciphering to receive.
When carrying out Media Stream communication between the user of public switched telephone network, described transmitting terminal and receiving terminal are respectively the Tandem Gateway of terminal.
Compared with prior art, the present invention has the following advantages:
At first, because transmitting terminal of the present invention and receiving terminal carry out security negotiation by soft switch, obtain the security parameter that two terminals are all supported, therefore make two terminals can utilize this security parameter to finish the encryption and decryption and/or the message of media stream message are differentiated, improved the coefficient of safety of media flow transmission.Also have, carry out direct communication or terminal when communicating in terminal and soft switch by Xin Lingdaili SP and soft switch, allocate the secure communication that session key is used for terminal and soft switch or terminal and Xin Lingdaili SP in advance by authentication center, guarantee the safe transmission of negotiation packet on network, thereby further improved the coefficient of safety of media flow transmission.
Secondly, in the call establishment at two ends, prolong the security negotiation of finishing end-to-end Media Stream with the media stream code/decode negotiation mechanism, it is mutual that the distribution of communication key and application layer source identify, not only saved the process of media flow transmission, improved communication efficiency, and avoid using segment transmissions because end is communicated by letter with the Media Stream of holding, so reduced the performance burden of network, improved the quality of media flow transmission simultaneously.
Also have, because the terminal kind is rich, the security capabilities of the terminal support of different manufacturers production is different, has expanded the adaptability of scheme greatly by dynamic security negotiation, is suitable for the access of multiple terminal.
At last, because terminal applies layer source sign generates by crossing the terminal dynamic random, thereby therefore avoid owing to make the IP address change behind the passing through NAT to cause the problem that can't authenticate the IP raw address.
Description of drawings
Fig. 1 is a kind of structure chart that existing Media Stream transmits.
Fig. 2 is a kind of structure chart that Media Stream transmits.
Fig. 3 is the realization flow figure of media flow security transmission.
Fig. 4 is based on the call setup flow chart of Session Initiation Protocol (Session Initial Protocol session initiation protocol).
Embodiment
In the NGN network, Media Stream carries out end-to-end transmission in communication network.Wherein, communication network comprises internet, mobile communications network, landline telephone communication network.Therefore, transmitting terminal and receiving terminal can be arranged in same communication network domains, are both the user of internet as transmitting terminal and receiving terminal, also can be arranged in different communication network domains.Below, at first introduce transmitting terminal and receiving terminal and be arranged in the method that same communication network domains is carried out media flow transmission.
Please refer to Fig. 2, transmitting terminal client ClientA7 and receiving terminal ClientB8 are the users of internet or mobile communications network.ClientA7 connects Xin Lingdaili (SP, Signal Proxy) 6, and SP6 connects core network device soft switch 1 (SoftSwith) 1, and ClientB8 directly connects soft switch 1.From the angle of safety, ClientA7 is connected with SP6, and terminal is hidden core network device such as soft switch 1 to external world, and the control Media Stream do not allow illegitimate traffic to enter network, realizes the purpose of protecting network device security.
Be divided into some trusted domain and non-trusted domain in the whole network environment.That is, operator can carry out secure communication at trusted domain, does not exist as data safety problem such as to be distorted.In like manner, it is unsafe that operator communicates at non-trusted domain, owing to may there be a lot of safety problems, need provide various security services, guarantees the safety of communication as encryption, authentication etc.Communication between the network equipment more than the SP can be thought safe, be that operator can be by guaranteeing the safety of these network equipment communications on system group network, as soft switch, Tandem Gateway, SP etc., be in the trusted domain, communication safety between these network equipments, the network equipment among Fig. 2 in the empty frame is in trusted domain.Communicating by letter between soft switch 1 and the SPA6 is safe.
Below introduce after ClientA7 and the ClientB8 call setup, how the media flow security on the ClientA7 is sent to the step (please refer to Fig. 3) on the ClientB8.
At first, carry out security negotiation step (step S1) between transmitting terminal and receiving terminal, comprising: the security parameter tabulation that ClientA7 supported is sent to soft switch 1 (step S11) to ClientA7 and ClientB8 is sent to soft switch 1 (step S12) with the security parameter tabulation that ClientB8 supported; Described security parameter tabulation comprises the security capabilities parameter of local terminal support and the priority and the priority tag of every kind of security capabilities parameter.Secondly, soft switch is according to the security capabilities parameter at described two ends, the security capabilities parameter of selecting two ends all to support, and consider the security needs of this media flow transmission, the priority of the security capabilities parameter of all supporting according to two ends, be identified for the security parameter and the allocate communications key of current media flow transmission, last, the negotiation packet that will comprise security parameter and communication key sends to ClientA7 and ClientB8 (step S13) respectively;
Then, ClientA7 encrypts or/and message is differentiated media stream message after receiving negotiation packet, and is sent to ClientB8 (step S2);
At last, ClientB8 deciphers or/and message is differentiated media stream message after receiving negotiation packet, thereby finishes the transmission (step S3) of media stream message.
In step S1, media stream message security negotiation process can also and the secure key distribution process of Media Stream combine, and security negotiation process and encryption key distribution process can be finished in the call establishment of ClientA7 and ClientB8.See also Fig. 4, present embodiment is an example with the call flow of Session Initiation Protocol, specifies at call establishment how to finish the negotiation of security capabilities, the distribution of key and the exchange of terminal applies layer source sign.
Step S101:ClientA7 sends call request message Invite to SP6, and call request message is that the form with SDP message (Session Description Protocol Session Description Protocol) sends, and wherein the SDP message comprises following information at least:
ClientA SPA:IDClientA||IDsp||IDClientB||N1||TS1||Security Parameter list
Wherein:
IDClientA: sign ClientA
IDsp: sign SP
IDClientB identifies ClientB
N1: random number or sequence number, be used to identify this message, need comprise this number in the response message that returns, be used to prevent the message playback;
TS1: make the clock of the clock of SP checking ClientAUMD and SP whether synchronous;
Security Parameter list: comprise the security parameter tabulation of local terminal, the security parameter tabulation comprises the security capabilities parameter of local terminal, as the algorithm of being supported, and priority list, the priority tag that comprises each security capabilities parameter in the priority list, in the present embodiment, also as one of security parameter of Security Parameter list, application layer source sign can be generated by the clientA dynamic random for the application layer source of local terminal sign.The present source authentication at the source sign is as authentication content, but because behind the passing through NAT, the IP address changes, thereby causes and can't authenticate IP source address, and then identity that can't the confirmation message transmitting terminal with the source address information in the IP head.Therefore the present invention does not adopt the IP address as transmitting terminal application layer source sign, but the random number that produces is identified as transmitting terminal application layer source.
Before step S1, system distributes corresponding encryption key and authenticate key can for ClientA7 and SP6, and ClientA adopts encryption key that the security parameter list information is encrypted and adopts authenticate key that the SDP message is carried out integrality and source protection.Obviously, SP6 adopts corresponding key to obtain to come from the SDP message of ClientA7.
Because the communication between ClientA 7 and the SP6 is to be in non-trusted domain, therefore SP6 sends the message during to ClientA7 that comprises the encryption key that distributed by soft switch 1 and authenticate key, existence is by third party's unauthorized theft and the possibility of distorting message, therefore in order to improve safety of transmission between ClientA7 and the SP6, the present invention adopts following method to be used for the method for distributing key of ClientA7 and SP6 message transmissions.
When ClientA7 registers, the device identification of the AuC of authentication center of NGN net by ClientA7 and SP6 obtain earlier with the shared key kc of ClientA7 and with the shared key ksp of SP6, distribute the session key Kc between ClientA7 and the SP6 simultaneously, sp, and respectively to session key Kc, sp encrypts by shared key K c and Ksp; Secondly will be by soft switch 1 through key K c encrypted session key Kc, sp is sent to ClientA7, and will be through key K sp encrypted session key Kc, sp is sent to SP6, at last, ClientA7 and SP6 obtain this session key Kc by sharing secret key decryption separately, sp, and utilize this session key Kc, sp derived cipher key and authenticate key, be used for communicating between communication process ClientA7 and the SP6 encryption and the authentication of message, thereby guarantee the communication security between ClientA7 and the SP6, further improve the communication security of whole communication network.Therefore in step S101, session key Kc is adopted in the tabulation of transmitting terminal security parameter, and the encryption key that sp derives is encrypted, and/or session key Kc, and the authenticate key that sp derives carries out being sent to SPA6 after integrality and the source protection to whole SDP message.
Step S102:SPA6 receives the SDP message, transmitting terminal security parameter in SDP message tabulation is decrypted and/or after message differentiates, send call request message Invite to soft switch 1 again, this Invite message at least also comprises the tabulation of transmitting terminal security parameter except the sign that comprises sign ClientA, sign SP, sign ClientB.
Step S103: soft switch 1 is received the Invite message therefrom with transmitting terminal security parameter tabulation and preserve, and to the ClientB8 request message Invite that makes a call, this message is used to ask ClientB8 transmitting and receiving terminal security parameter to tabulate to soft switch 1 simultaneously;
Step S104:ClientB8 postbacks 180 (ring) response message to soft switch 1, comprises the receiving terminal security parameter tabulation of ClientB8 in the SDP message of this response message.The tabulation of receiving terminal security parameter comprises the security capabilities parameter of ClientB8, the priority of each security capabilities parameter and the application layer source sign of local terminal.Application layer source sign can be generated by the ClientB dynamic random.The security parameter tabulation of clientB is preserved in soft switch 1 simultaneously.
Step S105: soft switch 1 postbacks 180 (ring) response message to SP6;
Step S106:SP6 postbacks 180 (ring) response message to ClientA7, and this response message is sent to ClientA7 through session key Kc after the authenticate key that sp derives authenticates protection;
Step S107:ClientB8 postbacks 200 (OK) response message to soft switch 1, comprise the receiving terminal security parameter tabulation of ClientB8 in the SDP message of this response message, the receiving terminal security parameter tabulation of clientB8 is upgraded in soft switch 1 simultaneously, soft switch 1 simultaneously is according to ClientA7, ClientA7 is at first determined in the security parameter tabulation of ClientB8, the security capabilities parameter that ClicntB8 supports, as ClientA7, the algorithm that ClientB8 supports, if ClicntA7, ClientB8 only has a common algorithm of supporting, then this algorithm is the algorithm that media flow transmission adopts, if ClientA7, ClientB8 has several common algorithms of supporting, then soft switch is according to the security needs of media flow transmission, priority according to each security capabilities, determine the algorithm of one of them algorithm for this media flow transmission, that is to say, soft switch is according to the transmitting terminal security capabilities parameter of receiving and receiving terminal security capabilities parameter and the security needs of media flow transmission this time, determine the security parameter that two ends are all suitable, and distributing key.
Step S108: soft switch 1 postbacks 200 (OK) response message to SPA6, comprises simultaneously the security parameter that soft switch 1 determines and the key of distribution in the SDP message of response message, and the receiving terminal application layer source of ClientB8 sign.
Step S109:SPA7 postbacks 200 (OK) response message to ClicntA8; carry simultaneously the security parameter that soft switch 1 determines and the key of distribution in the SDP message of response message; and the application layer source of ClientB8 sign; the media flow security parameter will be by session key Kc; the encryption keys that sp derives; and/or whole SDP message is by Kc, and the authenticate key that sp derives is protected.
Step S110: soft switch 1 postbacks ACK to ClientB8 and confirms response message, carries the transmitting terminal Media Stream application layer source sign of soft switch definite media flow security parameter, key and ClientA in the response message.
Step S111:ClientA7 postbacks ACK to SP6 and confirms to reply after obtaining the application layer source sign of security parameter, encryption or the authenticate key of the Media Stream that communicates with ClientB8 and ClientB.
Step S112:SP6 postbacks ACK to soft switch and confirms response message, and whole calling procedure is set up.
Simultaneously, finished the negotiating safety capability of the media flow transmission of transmitting terminal ClientA7 and receiving terminal ClientB8, also finished the mutual of the distribution of key and application layer source sign at call establishment.
When ClientA7 receives the SDP message of application layer source sign of the security parameter, communication key and the ClientB that include the Media Stream that ClientB8 communicates; therefrom take out security parameter, communication key and application layer source sign and preservation; the algorithm of the Media Stream that will send in communication key and security parameter encrypts or/and the message integrity protection, and form media stream message.Message format of the present invention is with reference to the RTP message format (please refer to table 1) of IETF RFC3329 Securtiy RTP.
The message format of table 1RTP
| ... |
| Timetable |
| Synchronization application level source, SSRC territory sign |
| Useful application layer source, CSRC territory sign ... |
| The RTP expansion |
| Valid data ... |
| SRTP MKI (optional) |
| Differentiate label (jointly) |
Medium stream information is placed on this part of valid data, and the transmitting terminal application layer source sign of ClientA is placed in the media stream message, as put into synchronization application level source, the SSRC territory sign and useful application layer source, the CSRC territory sign of table 1RTP form.The method that the present invention adopts message to differentiate is used message authentication code MAC (Message Authentication Code).With the communication key that obtains, algorithm, media stream message and transmitting terminal application layer source sign calculate together message authentication code MAC=F (K, M), F is the function in the algorithm, K is a communication key, M is media stream message and transmitting terminal application layer source sign.This message authentication code appends in the back of media stream message and media stream message and is sent to ClientB8 from transmitting terminal ClientA 7 together.
When ClientB8 receives media stream message, use same communication key, calculate message authentication code again one time, and compare with the message authentication code of receiving, as unanimity, differentiate that then this message is genuine, is not distorted.Then, the transmitting terminal application layer source sign of A in the Media Stream and the transmitting terminal application layer source sign of receiving are in advance compared,, then finish authentication the media stream message source if consistent
Media Stream communication end to end is two-way.When client B sent media stream message to client A, Client B was a transmitting terminal, and client A is a receiving terminal.Equally, transmitting terminal is placed on the application layer source sign of local terminal in the media stream message, calculates message authentication code; Receiving terminal differentiates and states media stream message that the transmitting terminal application layer source sign in the described negotiation packet that the transmitting terminal application layer source in the media stream message is identified and receives in advance compares, if identical, then finishes the authentication in media stream message source.
More than among the disclosed embodiment, ClicntA7 communicates by SP6 and soft switch 1.But, ClientA7 also can with the soft switch direct communication.Safety when communicating by letter with soft switch 1 in order to reach ClientA7 can be given ClicntA7 and soft switch 1 allocate communications key in advance by authentication center.Concrete steps are as follows:
At first, when ClientA7 registers, the authentication center of next generation network obtain with the shared key kc of ClientA7 and with the shared key ks of soft switch 1, distribute the session key between ClientA7 and the soft switch 1, by shared key K c and Ks session key is encrypted respectively;
Secondly, authentication center will be sent to soft switch 1 through sharing key K s encrypted session key;
At last, authentication center will be sent to ClientA7 by soft switch through sharing key K c encrypted session key.
When ClientB8 communicates by letter with soft switch 1 by SP8; the Signalling exchange message of ClientB8 and SPB also needs the session key Kc through authentication center's distribution; the authenticate key that sp derives is protected; media stream privacy key, authenticate key and application layer source sign adopt session key Kc simultaneously, and the encryption key that sp derives is encrypted.
Equally, for H.323, MGCP (Media Gateway Control Protocol, Media Stream gateway control protocol) and the H.248 calling between agreement and the different agreement, above-mentioned Media Stream security negotiation end to end mechanism is same to be suitable for.Be respectively based on agreement H.323, MGCP and the call setup flow process of agreement H.248.Because above-mentioned process step and general thought with consistent based on the call establishment of Session Initiation Protocol, are message in the flow process is respectively H.323 protocol message, MGCP protocol message and H.248 protocol message.Do not giving unnecessary details at this.
When ClientB is PSTN user, then media flow security protection will terminate in Tandem Gateway, and promptly security capabilities is the security capabilities of Tandem Gateway, the key of distribution and security service also will ClientA and with Tandem Gateway that ClientB links to each other between finish;
When Client A and Client B are positioned at the heterogeneous networks operator of next generation network, because the security strategy of different operators may be different, Client A has different security capabilities with Client B, and end-to-end security negotiation this moment can be decomposed into security negotiation and the IP-IP gateway device of other Virtual network operator and security negotiation two parts of Client B of the IP-IP gateway device of Client A and present networks operator.
More than disclosed be specific embodiments of the invention only, but the present invention is not limited thereto, the technique variation that any those skilled in the art can think of on basis of the present invention all should drop on protection scope of the present invention.
Claims (7)
1, a kind of implementation method of media flow security transmission is applied among the next generation network NGN that comprises soft switch and terminal, and described terminal comprises the transmitting terminal and the receiving terminal of media stream, it is characterized in that, comprising:
(1) transmitting terminal and receiving terminal carry out security negotiation by soft switch in call establishment or behind the call setup:
When terminal is registered, the authentication center of NGN network obtain with the shared key kc of terminal and with the shared key ks of soft switch, the session key between distributing terminals and the soft switch, respectively by kc and ks to session key; Authentication center will be sent to the terminal and the soft switch of request registration by kc and ks encrypted session key respectively; Terminal and soft switch receive the session key of respective encrypted, and terminal is used and shared key kc deciphering, and soft switch is used and shared key ks deciphering, obtains the session key between terminal and the soft switch; Session key negotiation packet between soft switch use and the terminal, the negotiation packet that terminal deciphering receives obtains communication key that is generated by soft switch and the security parameter of all being supported by two terminals of soft switch appointment;
(2) transmitting terminal is according to described communication key and security parameter is encrypted by media stream message or/and the message integrity protection is sent to receiving terminal again;
(3) receiving terminal is decrypted the media stream message of receiving or/and message is differentiated according to described communication key and security parameter.
2, the implementation method of media flow security transmission as claimed in claim 1 is characterized in that described transmitting terminal and receiving terminal carry out security negotiation according to following step in call establishment:
(1-1) the transmitting terminal call request message that will comprise the security parameter tabulation of local terminal is sent to soft switch;
(1-2) soft switch is preserved the security parameter tabulation after receiving call request message, and sends call request message to receiving terminal;
(1-3) the receiving terminal response message that will comprise the security parameter tabulation of local terminal is sent to soft switch;
(1-4) soft switch is selected the security parameter of both sides' support according to the security parameter tabulation at the two ends of receiving, the negotiation packet that will comprise described security parameter and described communication key then is distributed to transmitting terminal and receiving terminal by response message.
3, the implementation method of media flow security transmission as claimed in claim 1 is characterized in that described transmitting terminal and receiving terminal carry out security negotiation according to following step behind call setup:
(1-1) security parameter of transmitting terminal transmission local terminal is tabulated to soft switch;
(1-2) security parameter of receiving terminal transmission local terminal is tabulated to soft switch;
(1-3) soft switch is selected the security parameter of both sides' support according to the security parameter tabulation at the two ends of receiving, the negotiation packet that will comprise described security parameter and described communication key then is distributed to transmitting terminal and receiving terminal.
As the implementation method of claim 2 or 3 described media flow security transmission, it is characterized in that 4, described security parameter tabulation comprises the security capabilities parameter of local terminal support and the priority tag of every kind of security capabilities parameter.
As the implementation method of claim 2 or 3 described media flow security transmission, it is characterized in that 5, described security parameter tabulation also comprises the application layer source sign of local terminal, described local terminal application layer source sign is generated by the local terminal dynamic random;
Soft switch sends to the application layer source sign that comprises the opposite end in the negotiation packet of each end;
Transmitting terminal is placed on the application layer source sign of local terminal in the media stream message, calculates message authentication code; And receiving terminal is differentiated described media stream message, and the transmitting terminal application layer source sign in the described negotiation packet that the transmitting terminal application layer source in the media stream message is identified and receives in advance compares, if identical, then finishes the authentication in media stream message source.
As the implementation method of claim 2 or 3 described media flow security transmission, it is characterized in that 6, described terminal is communicated by letter by Xin Lingdaili SP realization and soft switch; Be specially:
In the endpoint registration process, authentication center by terminal and Xin Lingdaili the device identification acquisition and the shared key kc of terminal and with the shared key ksp of Xin Lingdaili, carry out the session key of message interaction between distributing terminals and the Xin Lingdaili, by shared key kc and ksp session key is encrypted respectively, authentication center will send to Xin Lingdaili through the ksp encrypted session key, authentication center will send to terminal through the kc encrypted session key, after Xin Lingdaili and terminal receive encrypted session key, use shared secret key decryption separately to obtain session key, utilize session key derived cipher key and authenticate key, be used for communicating between Xin Lingdaili and the terminal encryption and the authentication of message, guarantee the communication security of Xin Lingdaili and terminal room, soft switch sends to Xin Lingdaili with negotiation packet, the session key negotiation packet of Xin Lingdaili utilization and terminal also sends to terminal, the negotiation packet that terminal utilizes the session key deciphering to receive.
7, the implementation method of media flow security transmission as claimed in claim 1 is characterized in that, when carrying out Media Stream communication between the user of public switched telephone network, described transmitting terminal and receiving terminal are respectively the Tandem Gateway of terminal.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100043802A CN100571133C (en) | 2004-02-17 | 2004-02-17 | The implementation method of media flow security transmission |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2004100043802A CN100571133C (en) | 2004-02-17 | 2004-02-17 | The implementation method of media flow security transmission |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1658552A CN1658552A (en) | 2005-08-24 |
| CN100571133C true CN100571133C (en) | 2009-12-16 |
Family
ID=35007827
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2004100043802A Expired - Lifetime CN100571133C (en) | 2004-02-17 | 2004-02-17 | The implementation method of media flow security transmission |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100571133C (en) |
Families Citing this family (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1889706B (en) * | 2005-09-28 | 2010-05-12 | 华为技术有限公司 | Method for raising interoffice transfer content security in soft exchange |
| CN1956443A (en) * | 2005-10-24 | 2007-05-02 | 华为技术有限公司 | Encipher method of NGN service |
| CN1983921B (en) * | 2005-12-16 | 2010-05-05 | 华为技术有限公司 | Method and system for realizing end to end media fluid safety |
| CN101102185B (en) * | 2006-07-06 | 2012-03-21 | 朗迅科技公司 | Media security for IMS session |
| CN101192919B (en) * | 2006-11-21 | 2010-09-08 | 中兴通讯股份有限公司 | Method for realizing user-defined security level |
| CN101227272A (en) * | 2007-01-19 | 2008-07-23 | 华为技术有限公司 | System and method for obtaining media stream protection cryptographic key |
| CN101247218B (en) * | 2008-01-23 | 2012-06-06 | 中兴通讯股份有限公司 | Safety parameter negotiation method and device for implementing media stream safety |
| CN101222503A (en) * | 2008-01-25 | 2008-07-16 | 中兴通讯股份有限公司 | Safety parameter generating method and device for implementing media stream safety |
| CN101282250B (en) * | 2008-05-12 | 2011-02-09 | 华为终端有限公司 | Method, system and network equipment for snooping safety conversation |
| CN101321395B (en) * | 2008-06-24 | 2012-01-11 | 中兴通讯股份有限公司 | Method and system for supporting mobility safety in next generation network |
| CN103916849B (en) * | 2012-12-31 | 2018-08-24 | 上海诺基亚贝尔股份有限公司 | Method and apparatus for wireless LAN communication |
| CN103974241B (en) * | 2013-02-05 | 2018-01-16 | 东南大学常州研究院 | A kind of sound end-to-end encryption method towards android system mobile terminal |
| CN114499913B (en) * | 2020-10-26 | 2022-12-06 | 华为技术有限公司 | Encrypted message detection method and protection equipment |
| CN113206841B (en) * | 2021-04-26 | 2022-08-23 | 杭州当虹科技股份有限公司 | AES decryption agent method and system based on HLS protocol |
-
2004
- 2004-02-17 CN CNB2004100043802A patent/CN100571133C/en not_active Expired - Lifetime
Also Published As
| Publication number | Publication date |
|---|---|
| CN1658552A (en) | 2005-08-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US9537837B2 (en) | Method for ensuring media stream security in IP multimedia sub-system | |
| US5410602A (en) | Method for key management of point-to-point communications | |
| EP1717986B1 (en) | Key distribution method | |
| US7876897B2 (en) | Data security in wireless network system | |
| JP5288210B2 (en) | Unicast key management method and multicast key management method in network | |
| US20030095663A1 (en) | System and method to provide enhanced security in a wireless local area network system | |
| KR20050072789A (en) | A method for the access of the mobile terminal to the wlan and for the data communication via the wireless link securely | |
| CN100571133C (en) | The implementation method of media flow security transmission | |
| CN101420686B (en) | Industrial wireless network security communication implementation method based on cipher key | |
| CN102202299A (en) | Realization method of end-to-end voice encryption system based on 3G/B3G | |
| JP2012217207A (en) | Exchange of key material | |
| RU2008146960A (en) | METHOD AND SYSTEM OF PROVIDING PROTECTED COMMUNICATION USING A CELLULAR NETWORK FOR MANY PERSONALIZED COMMUNICATION DEVICES | |
| CN104683304A (en) | Processing method, equipment and system of secure communication service | |
| CN207490944U (en) | A kind of safe communication system based on SIP quantum network phones | |
| WO2012024905A1 (en) | Method, terminal and ggsn for encrypting and decrypting data in mobile communication network | |
| CN100544247C (en) | The negotiating safety capability method | |
| CN101273571B (en) | Implementing method for field-crossing multi-network packet network cryptographic key negotiation safety strategy | |
| CN101572694A (en) | Method for acquiring media stream key, session equipment and key management function entity | |
| KR20030050881A (en) | Key Management Method for Wireless LAN | |
| WO2008029853A1 (en) | Encryption key delivery device and encryption key delivery method | |
| CN1323509C (en) | Conversation key distribution method of crossing gate-guard management range under direct route mode | |
| CN1996838A (en) | AAA certification and optimization method for multi-host WiMAX system | |
| CN101207478B (en) | Method for key agreement of guard end-to-end conversation in cross-domain multi-network | |
| KR20060070498A (en) | Secure communication method between ad hoc nodes in ad hoc network | |
| Page | Report Highlights |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CX01 | Expiry of patent term |
Granted publication date: 20091216 |
|
| CX01 | Expiry of patent term |