CN107342970B - Encryption mode determination method, calling device, called device and VoIP system - Google Patents


Info

Publication number: CN107342970B
Authority: CN (China)
Prior art keywords: encryption mode, node, data transmission, transmission path, calling
Legal status: Active
Application number: CN201610286865.8A
Other languages: Chinese (zh)
Other versions: CN107342970A (en)
Inventors: 朱毅泉, 杨海东, 周园平
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN201610286865.8A; publication of CN107342970A; application granted; publication of CN107342970B

Classifications

    • H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication
        • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/14 Network security for detecting or protecting against malicious traffic
                • H04L 63/1433 Vulnerability analysis
            • H04L 63/04 Network security for providing a confidential data exchange among entities communicating through data packet networks
                • H04L 63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
            • H04L 65/1066 Session management
                • H04L 65/1101 Session protocols
                    • H04L 65/1104 Session initiation protocol [SIP]
    • H Electricity; H04 Electric communication technique; H04M Telephonic communication
        • H04M 7/00 Arrangements for interconnection between switching centres
            • H04M 7/006 Networks other than PSTN/ISDN providing telephone service, e.g. Voice over Internet Protocol (VoIP), including next generation networks with a packet-switched transport layer
                • H04M 7/0078 Security; Fraud detection; Fraud prevention

Abstract

The application discloses an encryption mode determining method, calling equipment, called equipment and a VoIP system. The method comprises the following steps: a calling device sends an encryption mode detection request to a second node, wherein the second node is the next hop node of the calling device in the data transmission path between the calling device and a called device; the calling device receives an encryption mode detection response sent by the second node, wherein the encryption mode detection response carries indication information indicating the encryption mode among all nodes in the data transmission path; and the calling device determines the encryption mode among all nodes in the data transmission path according to the indication information. By adopting the method, the calling equipment, the called equipment and the VoIP system, the calling device can obtain the encryption mode detection response by sending the encryption mode detection request, extract from it the indication information indicating the encryption mode among the nodes, and thereby determine the encryption mode among the nodes.

Description

Encryption mode determination method, calling device, called device and VoIP system
Technical Field
The present invention relates to the field of communications, and in particular to an encryption mode determination method, a calling device, a called device, and a VoIP system.
Background
Voice over IP (VoIP) is a voice call technology based on an Internet Protocol (IP) network. In the VoIP system for implementing voice over IP, the calling device and the called device are not analog phones, but are IP phones or computer terminals, and the network side device may include nodes such as an SIP proxy network element, an SIP proxy server, and an SIP gateway.
To prevent data in the VoIP system from being tampered with or eavesdropped on during transmission, SIP signaling transmitted between nodes in the VoIP system needs to be encrypted according to the specification of the Session Initiation Protocol over the Transport Layer Security protocol (SIP TLS), and voice media data transmitted between nodes needs to be encrypted according to the specification of the Secure Real-time Transport Protocol (SRTP).
In the VoIP system the nodes are of different types, and when data is forwarded between network elements, whether the data is encrypted, and which encryption mode is used, differs from link to link. For example, the encryption mode used for data transmission between the calling device and the SIP proxy network element is usually different from the encryption mode used for data transmission between the SIP proxy network element and the following node. Therefore, a method is needed to determine the encryption mode each network element uses to encrypt data, so that when a security hole arises because data is not encrypted or the encryption strength is low, a user can find and repair the security hole in time and the security of the VoIP system is ensured.
Disclosure of Invention
The embodiment of the invention provides an encryption mode determining method, calling equipment, called equipment and a VoIP system, which can determine the encryption mode adopted by each network element for encrypting data. In order to solve the technical problem, the embodiment of the invention discloses the following technical scheme:
In a first aspect, the present application provides a method for determining an encryption mode, including: the calling device sends an encryption mode detection request to a second node, wherein the encryption mode detection request is used to request the encryption mode among all nodes in the data transmission path; after sending the encryption mode detection request, the calling device receives an encryption mode detection response sent by the second node, wherein the encryption mode detection response carries indication information indicating the encryption mode among the nodes in the data transmission path; after receiving the encryption mode detection response, the calling device determines the encryption mode among all nodes in the data transmission path according to the indication information. By adopting the method provided by this aspect, the calling device can obtain the encryption mode detection response by sending the encryption mode detection request, extract from it the indication information indicating the encryption mode among the nodes, and thereby determine the encryption mode among the nodes.
With reference to the first aspect, in a first possible implementation manner of the first aspect, a specific implementation manner in which the calling device sends the encryption mode detection request to the second node may be: the calling device sends Session Initiation Protocol information (SIP INFO) signaling to the second node, wherein the message body of the SIP INFO signaling carries a security route tracing command (sec-tracert). With this implementation, the calling device can use signaling specified by SIP to carry the encryption mode detection request, so the request is sent without adding a new SIP signaling type.
With reference to the first aspect or the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, a specific implementation manner in which the calling device receives the encryption mode probe response sent by the second node may be: the calling device receives transaction-end response SIP 200 OK signaling sent by the second node, wherein the message body of the SIP 200 OK signaling carries indication information indicating the encryption mode among all nodes in the data transmission path. With this implementation, the called device can use signaling specified by SIP to carry the encryption mode detection response, so the response is sent without adding a new SIP signaling type.
In a second aspect, the present application further provides another encryption mode determining method, including: a called device receives an encryption mode detection request sent by a second node, wherein the second node is the previous hop node of the called device in the data transmission path between a calling device and the called device, and the encryption mode detection request is used to request the encryption mode between each node in the data transmission path; and the called device sends an encryption mode detection response to the second node, wherein the encryption mode detection response carries indication information indicating the encryption mode between the called device and the second node. With this implementation, the called device can generate and send the encryption mode detection response towards the calling device, so that the calling device can determine the encryption mode among all nodes from the content of the encryption mode detection response.
With reference to the second aspect, in a first possible implementation manner of the second aspect, a specific implementation manner in which the called device receives the encryption mode probe request sent by the second node may include: the called device receives Session Initiation Protocol information (SIP INFO) signaling sent by the second node, and the message body of the SIP INFO signaling carries the security route tracing command sec-tracert.
With reference to the second aspect or the first possible implementation manner of the second aspect, a specific manner in which the called device sends the encryption mode probe response to the previous-hop node of the called device may be: the called device sends transaction-end response SIP 200 OK signaling to the second node, and the message body of the SIP 200 OK signaling carries indication information indicating the encryption mode between the called device and the second node.
In a third aspect, the present application further provides another encryption method determining method, including: a second node receives an encryption mode detection request sent by a first node, wherein the first node is a previous hop node of the second node in a data transmission path between calling equipment and called equipment, and the encryption mode detection request is used for requesting an encryption mode between each node in the data transmission path; the second node forwards the encryption mode detection request to a third node, wherein the third node is a next hop node of the second node in the data transmission path; the second node receives an encryption mode detection response sent by a third node, wherein the encryption mode detection response carries first indication information, the first indication information is used for indicating the encryption mode among all nodes in a first path segment, and the first path segment is a part from the second node to called equipment in the data transmission path; and the second node sends an encryption mode detection response carrying the first indication information and the second indication information to the first node, wherein the second indication information is used for indicating the encryption mode between the first node and the second node. The first node may be any one of a calling device, an SIP proxy network element, an SIP server, or an SIP gateway; the second node can be any one of an SIP proxy network element, an SIP server or an SIP gateway; the third node may be any one of a SIP proxy network element, a SIP server, a SIP gateway, or a called device.
In a fourth aspect, the present application further provides a calling device, where the calling device may include a processor and a communication interface. The processor is configured to generate an encryption mode probe request, where the encryption mode probe request is used to request an encryption mode between each node in the data transmission path; the communication interface is used for sending an encryption mode detection request to a second node, and the second node is a next hop node of the calling equipment in a data transmission path between the calling equipment and the called equipment; the communication interface is further configured to receive an encryption mode probe response sent by the second node, where the encryption mode probe response carries indication information used for indicating an encryption mode between each node in the data transmission path; the processor is further configured to determine an encryption mode between each node in the data transmission path according to the indication information.
In a fifth aspect, the present application further provides a calling device, where the calling device may include a unit configured to execute the first aspect and each implementation manner of the first aspect.
In a sixth aspect, the present application further provides a called device, where the called device may include a processor and a communication interface, the communication interface is configured to receive an encryption mode detection request sent by a second node, the second node is a previous-hop node of the called device in a data transmission path between a calling device and the called device, and the encryption mode detection request is used to request an encryption mode between nodes in the data transmission path; the processor is configured to generate an encryption mode probe response after the communication interface receives the encryption mode probe request, where the encryption mode probe response carries indication information indicating an encryption mode between the called device and the second node; the communication interface is further configured to send an encryption mode probe response to the second node.
In a seventh aspect, the present application further provides a called device, where the called device may include a unit configured to execute the second aspect and each implementation manner of the second aspect.
In an eighth aspect, the present application further provides another network-side device, where the network-side device may include a processor and a communication interface, and the communication interface is configured to receive an encryption mode probe request sent by a first node and forward the encryption mode probe request to a third node; the first node is the previous hop node of the second node in a data transmission path between a calling device and a called device, the encryption mode detection request is used to request the encryption mode between each node in the data transmission path, and the third node is the next hop node of the second node in the data transmission path; the communication interface is further configured to receive an encryption mode detection response sent by the third node, where the encryption mode detection response carries first indication information, the first indication information is used to indicate the encryption mode between nodes in a first path segment, and the first path segment is the part of the data transmission path from the second node to the called device; the processor is further configured to add second indication information to the encryption mode probe response; the communication interface is further configured to send an encryption mode probe response carrying the first indication information and the second indication information to the first node, where the second indication information is used to indicate the encryption mode between the first node and the second node.
In a ninth aspect, the present application further provides a network side device, where the network side device may include a unit for each method step of the third aspect.
In a tenth aspect, the present application further provides a VoIP system, where the VoIP system may include a calling device, a called device, and at least one network side device for implementing data transmission between the calling device and the called device; the calling device is used to send an encryption mode detection request to the called device through the network side device, and the encryption mode detection request is used to request the encryption mode between each node in the data transmission path between the calling device and the called device; the called device is used to generate an encryption mode detection response after receiving the encryption mode detection request sent by the network side device and to send the encryption mode detection response to the calling device through the network side device; the network side device is configured to send the encryption mode detection request to its next hop node in the data transmission path after receiving the encryption mode detection request sent by its previous hop node in the data transmission path between the calling device and the called device; the network side device is further configured to send an encryption mode probe response carrying the first indication information and the second indication information to the previous hop node after receiving an encryption mode probe response carrying the first indication information from the next hop node, where the first indication information is used to indicate the encryption mode between nodes in a first path segment, and the first path segment is the part of the data transmission path from the network side device to the called device; the second indication information is used to indicate the encryption mode between the network side device and the previous hop node.
By adopting the encryption mode determining method, the calling equipment, the called equipment and the VoIP system, the calling equipment can send the encryption mode detection request, and the called equipment can respond to the encryption mode detection request and send the encryption mode detection response, so that the calling equipment can obtain the indication information for indicating the encryption mode among all nodes from the encryption mode detection response, and the calling equipment can determine the encryption mode among all nodes according to the indication information. Therefore, when the data is not encrypted or the encryption strength is low to cause security holes, a user of the calling equipment can find and repair the security holes in time, and the security of the VoIP system is ensured.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an embodiment of a VoIP system of the present application;
Fig. 2 is a schematic flowchart of an embodiment of an encryption mode determining method according to the present application;
Fig. 3 is a schematic flowchart of another embodiment of the encryption mode determining method according to the present application;
Fig. 4 is a schematic diagram of an embodiment of a calling device of the present application;
Fig. 5 is a schematic structural diagram of an embodiment of a called device according to the present application.
Detailed Description
Referring to fig. 1, a schematic diagram of a structure of a VoIP network system according to the present application is shown.
A calling device 101 accesses an SIP server 103 of the calling device side through a Session Initiation Protocol (SIP) proxy network element 102 of the calling device side; the called device 107 accesses the SIP server 105 of the called device side through the SIP proxy network element 106 of the called device side; the SIP server 103 on the calling device side and the SIP server 105 on the called device side can communicate through the SIP gateway 104.
When the calling device 101 needs to perform a voice call with the called device 107, the calling device 101 first sends an SIP signaling for establishing a call, and the SIP signaling is transmitted to the called device 107 by the SIP proxy network element, the SIP server, and the SIP gateway; after receiving the SIP signaling for the call, the called device may send SIP signaling that agrees to establish the call to the calling device 101, and the SIP proxy network element, the SIP server, and the SIP gateway transmit the SIP signaling to the calling device 101, so as to establish the call between the calling device 101 and the called device 107.
After the calling device 101 and the called device 107 establish a call, the transmission of voice media data between the calling device 101 and the called device 107 can be performed through an SIP proxy network element according to the provision of a real time transport protocol (RTP), so as to implement a voice call between the calling device 101 and the called device 107.
It should be noted that, in the VoIP system according to each embodiment of the present application, the SIP proxy network element between the calling device and the SIP server on the calling device side may be in one stage or in more stages, and the SIP proxy network element between the called device and the SIP server on the called device side may also be in one stage or in more stages. When the SIP server on the calling device side and the SIP server on the called device side are different SIP servers, one or more levels of SIP gateways may be provided between the two. When the SIP server on the calling device side and the SIP server on the called device side are the same SIP server, no SIP gateway may exist in the VoIP system.
The SIP proxy network element on the calling device side, the SIP server on the calling device side, the SIP proxy network element on the called device side, the SIP server on the called device side, and the SIP gateway may be collectively referred to as a network-side device. The network side device and the calling device and the called device may be collectively referred to as a network element.
The network element may include a processor, a communication interface, and a memory. The processor, the memory and the communication interface are connected with each other through a bus; the bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc.
The processor may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. The processor may further include a hardware chip, and the hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof; the PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The memory may include a volatile memory (volatile memory), such as a Random Access Memory (RAM); non-volatile memory (non-volatile memory) such as flash memory (flash memory), hard disk (HDD) or solid-state drive (SSD); the memory may also comprise a combination of memories of the kind described above.
The communication interface may be a wired communication access interface, a wireless communication interface, or a combination thereof. The wired communication interface may be, for example, an Ethernet interface, and the Ethernet interface may be an optical interface, an electrical interface, or a combination thereof; the wireless communication interface may be a wireless local area network (WLAN) interface, a cellular network communication interface, or a combination thereof, and the like.
Besides, the network element may further include a display module (e.g., a display screen), an audio playing module, and the like, and these modules may also be connected with the processor and the like through the bus.
In various embodiments of the present application, the data transmission path may refer to a transmission path when SIP signaling is transmitted between a calling device and a called device. The data transmission path may generally include a plurality of nodes, and the nodes may include a calling device, a calling device side SIP server, a called device, at least one calling device side SIP proxy network element between the calling device and the calling device side SIP server, at least one called device side SIP proxy network element between the called device and the called device side SIP server, and at least one SIP gateway between the calling device side SIP server and the called device side SIP server. In general, the data transmission path may be a transmission path of invite signaling.
In the embodiments of the present application, the encryption mode between nodes refers to the encryption mode two nodes use to encrypt data when transmitting data of types such as SIP signaling and voice media data. For example, the encryption mode between the nodes may refer to the encryption mode between the calling device and the SIP proxy network element on the calling device side, which may include the encryption mode applied to SIP signaling when SIP signaling is transmitted between the calling device and the SIP proxy network element on the calling device side, or the encryption mode applied to voice media data when voice media data is transmitted between the calling device and the SIP proxy network element on the calling device side.
Fig. 2 is a flowchart illustrating an embodiment of an encryption method determining method according to the present application. The present application is described below with reference to fig. 2.
The first node may be any one of a calling device, an SIP proxy network element, an SIP server, or an SIP gateway; the second node can be any one of an SIP proxy network element, an SIP server or an SIP gateway; the third node may be any one of a SIP proxy network element, a SIP server, a SIP gateway, or a called device. The second node may be a next hop node of the first node in the transmission path; the third node may then be a next hop node of said second node in the data transmission path.
In step 201, the second node receives the encryption mode probe request sent by the first node.
When the first node is a calling device, the calling device may first generate an encryption mode detection request and then send the encryption mode detection request to the next hop node of the calling device. Typically, the next hop node of the calling device may be a SIP proxy network element or a SIP server.
For example, when the data transmission path is the SIP signaling transmission path in fig. 1, the calling device 101 may send the encryption mode detection request generated by itself to the SIP proxy network element 102 on the calling device side.
When the first node is any one of a SIP proxy network element, a SIP server, or a SIP gateway, the encryption mode detection request may be sent to the first node by a previous-hop node of the first node.
For example, when the second node is the SIP proxy network element 102 on the calling device side, the first node may be the calling device 101, and the calling device 101 may send the encryption mode detection request to the SIP proxy network element 102 on the calling device side.
For another example, when the second node is the called device-side SIP proxy network element 106, the first node may be the called device-side SIP server 105, and the called device-side SIP server 105 may send the encryption mode detection request to the called device-side SIP proxy network element 106.
The encryption mode detection request is used for requesting the encryption mode among each node in the data transmission path. The encryption mode detection request can be an independent SIP signaling or can be carried by the SIP signaling specified by the SIP.
For example, the encryption mode probe request may be SIP INFO signaling, and the message body of the SIP INFO signaling carries the security route tracing command (sec-tracert), which is used to request the encryption mode between nodes in the data transmission path.
Step 202, the second node forwards the encryption mode detection request to a third node.
And after receiving the encryption mode detection request sent by the first node, the second node sends the encryption mode detection request to a third node, wherein the third node is a next hop node of the second node in the data transmission path.
When the second node forwards the encryption mode detection request to the third node, a transparent transmission mode can be adopted, or necessary contents can be added to the encryption mode detection request or the contents of the encryption mode detection request can be modified when needed.
For example, after the SIP INFO signaling sent by the calling device 101 is received by the calling device side SIP proxy network element 102, the SIP INFO signaling may be forwarded to the calling device side SIP server 103.
For another example, when receiving the SIP INFO signaling sent by the SIP server 105 on the called device side, the SIP proxy network element 106 on the called device side may forward the SIP INFO signaling to the called device 107.
Step 203, the second node receives the encryption mode probe response sent by the third node.
The encryption mode probe response may carry first indication information, where the first indication information is used to indicate an encryption mode between nodes in a first path segment, and the first path segment is a portion from the second node to a called device in the data transmission path.
When the third node is a called device, the called device may generate and send an encryption mode probe response to the previous-hop node of the third node, where the encryption mode probe response carries indication information indicating the encryption mode between the called device and the second node.
For example, after receiving the encryption mode detection request sent by the SIP proxy network element 106 on the called device side, the called device 107 may generate and send an encryption mode detection response to the SIP proxy network element 106 on the called device side, where the encryption mode detection response carries first indication information used for indicating an encryption mode used for encrypting data when data transmission is performed between the called device 107 and the SIP proxy network element 106 on the called device side.
Since the first path segment may include a plurality of nodes, different types of data may need to be transmitted between different nodes, and the encryption manners used for different types of data may also differ. Therefore, when a plurality of different types of data need to be transmitted between the second node and the third node, the first indication information may indicate a different encryption manner for each type of data.
For example, the data transmitted between the called device 107 and the SIP proxy network element 106 on the called device side may include SIP signaling and voice media data. When the SIP proxy network element 106 on the called device side and the called device 107 use different encryption methods to encrypt the SIP signaling and the voice media data, the first indication information may be used to indicate an encryption method used to encrypt the SIP signaling and an encryption method used to encrypt the voice media data.
Step 204, the second node sends an encryption mode probe response carrying the first indication information and the second indication information to the first node.
After receiving the encryption mode detection response, the second node adds second indication information to it, obtaining an encryption mode detection response that carries both the second indication information and the first indication information, and then sends this response to the first node. The second indication information is used to indicate the encryption mode between the first node and the second node.
Since a plurality of different types of data may need to be transmitted between the first node and the second node, and not only the data transmission paths but also the encryption manners used for the different types of data may differ, the second indication information may likewise indicate a different encryption manner for each type of data when a plurality of different types of data need to be transmitted between the first node and the second node.
For example, the data transmitted between the calling device 101 and the calling device side SIP proxy network element 102 may include SIP signaling and voice media data. When the calling device 101 and the SIP proxy network element 102 on the calling device side encrypt the SIP signaling and the voice media data in different encryption manners, the second indication information may be used to indicate an encryption manner used for encrypting the SIP signaling and an encryption manner used for encrypting the voice media data.
For another example, when the SIP proxy network element 106 on the called device side transmits SIP signaling, its previous-hop node is the SIP server 105 on the called device side; when it transmits voice media data, its previous-hop node is the SIP proxy network element 102 on the calling device side. Therefore, when the SIP proxy network element 106 on the called device side receives the encryption mode detection response sent by the called device 107, the second indication information it adds may indicate the encryption mode used for the SIP signaling exchanged with the SIP server 105 on the called device side and the encryption mode used for the voice media data exchanged with the SIP proxy network element 102 on the calling device side.
If the first node is the calling device, the calling device may determine the encryption mode between each node in the data transmission path according to the indication information after receiving the encryption mode detection response.
For example, after the calling device 101 receives the SIP 200 OK signaling sent by the SIP proxy network element 102 on the calling device side, the calling device may extract the first indication information and the second indication information from the message body of the SIP 200 OK signaling, and determine the encryption mode among the nodes in the data transmission path according to the first indication information and the second indication information.
If the first node is the calling device, the calling device may also display the encryption mode between each pair of nodes after the encryption mode between each node in the data transmission path has been determined.
For example, when the calling device 101 has a display screen, the calling device may further display the encryption mode between the nodes on the display screen, so that a user can visually see the encryption mode between the nodes.
If the first node is not the calling device, the first node may add indication information indicating the encryption mode between the first node and its previous-hop node to the encryption mode probe response, and send the encryption mode probe response to the previous-hop node of the first node. For the specific process, refer to this embodiment; it is not described again here.
The following further describes the present application by taking the case in which the SIP server at the calling device side and the SIP server at the called device side are different devices, and in which there is one level of SIP proxy network element at the calling device side (between the calling device and the SIP server at the calling device side), one level of SIP proxy network element at the called device side (between the called device and the SIP server at the called device side), and one level of SIP gateway between the SIP server at the calling device side and the SIP server at the called device side.
Referring to fig. 3, a schematic flowchart of another embodiment of the encryption mode determining method of the present application is shown.
Step 301, the calling device generates SIP INFO signaling, where the message body of the SIP INFO signaling carries a sec-tracert command.
The structure and content of the SIP INFO signaling may be as shown in the following example.
INFO sip:900372368@IP1 SIP/2.0 (type of signaling)
To: sip:900372368@IP1 (called device identification)
From: <sip:800501511@IP1>;tag=f25cab16 (calling device identification)
Via: SIP/2.0/TCP
……
Content-Type: application/sdp (SIP signaling message body)
……
sec-tracert=Request (the message body carries the sec-tracert request)
s=SRTP
m=audio
a=crypto:1 AES_CM_256_HMAC_SHA2_256 (encryption modes supported by the calling device)
a=crypto:2 AES_CM_128_HMAC_SHA1_80
Step 302, the calling device sends the SIP INFO signaling to the SIP proxy network element at the calling device side.
Step 303, the SIP proxy network element at the calling device side sends the SIP INFO signaling to the SIP server at the calling device side.
Step 304, the SIP server at the calling device side sends the SIP INFO signaling to the SIP gateway.
Step 305, the SIP gateway sends the SIP INFO signaling to the SIP server at the called device side.
Step 306, the SIP server on the called device side sends the SIP INFO signaling to the SIP proxy network element on the called device side.
Step 307, the SIP proxy network element on the called device side sends the SIP INFO signaling to the called device.
Step 308, the called device responds to the SIP INFO signaling by generating SIP 200 OK signaling.
The message body of the SIP 200 OK signaling may carry indication information of the encryption mode between the called device and the SIP proxy network element on the called device side. Since the data transmitted between the called device and the SIP proxy network element on the called device side includes both SIP signaling and voice media data, the indication information may indicate the encryption mode of the SIP signaling and the encryption mode of the voice media data between the called device and the SIP proxy network element on the called device side.
The structure and content of the SIP 200 OK signaling may be as shown in the following example.
SIP/2.0 200 OK (signaling type)
From: <sip:900372368@IP5>;tag=f25cab16 (called device identification)
To: <sip:800501511@IP1> (calling device identification)
Via: SIP/2.0/TCP
……
Content-Type: application/sdp (SIP signaling message body)
……
sec-tracert=Reply
m=audio
tracert-SIP IP5-calleid crypto,AES-256 (indication information for indicating the SIP signaling encryption mode between the SIP proxy network element on the called device side and the called device)
tracert-rtp IP5-calleid crypto,AES-256 (indication information for indicating the encryption mode of voice media data between the SIP proxy network element on the called device side and the called device)
Step 309, the called device sends the SIP 200 OK signaling to the SIP proxy network element on the called device side.
Step 310, the SIP proxy network element on the called device side adds indication information for indicating the encryption mode between the SIP proxy network element on the called device side and the SIP server on the called device side into the SIP 200 OK signaling.
Since the SIP proxy network element on the called device side and the SIP server on the called device side need to transmit not only SIP signaling but also voice media data, the SIP proxy network element on the called device side may add both the indication information for the encryption mode of the SIP signaling and the indication information for the encryption mode of the voice media data into the SIP 200 OK signaling.
After the indication information has been added, the structure and content of the SIP 200 OK signaling may be as shown in the following example.
SIP/2.0 200 OK
From: <sip:900372368@IP5>;tag=f25cab16
To: <sip:800501511@IP1>
Via: SIP/2.0/TCP
……
Content-Type: application/sdp
……
sec-tracert=Reply
m=audio
tracert-SIP IP5-calleid crypto,AES-256 (indication information for indicating the SIP signaling encryption mode between the called device and the SIP proxy network element at the called device side)
tracert-SIP IP4-IP5 crypto,AES-128 (indication information for indicating the SIP signaling encryption mode between the SIP proxy network element on the called device side and the SIP server on the called device side)
tracert-rtp IP5-calleid crypto,AES-256 (indication information for indicating the voice media data encryption mode between the called device and the SIP proxy network element at the called device side)
tracert-rtp IP1-IP5 crypto,AES-128 (indication information for indicating the encryption mode of voice media data between the SIP proxy network element on the called device side and the SIP proxy network element on the calling device side)
Step 311, the SIP proxy network element at the called device side sends the SIP 200 OK signaling to the SIP server at the called device side.
Step 312, the SIP server on the called device side adds indication information for indicating the encryption mode between the SIP server on the called device side and the SIP gateway into the SIP 200 OK signaling.
Since the SIP server on the called device side and the SIP gateway transmit only SIP signaling, only indication information for the encryption mode of the SIP signaling between the SIP server on the called device side and the SIP gateway needs to be added into the SIP 200 OK signaling.
Step 313, the SIP server on the called device side sends the SIP 200 OK signaling to the SIP gateway.
Step 314, the SIP gateway adds indication information for indicating the data encryption mode between the SIP gateway and the SIP server at the calling device side into the SIP 200 OK signaling.
Step 315, the SIP gateway sends the SIP 200 OK signaling to the SIP server at the calling device side.
Step 316, the SIP server at the calling device side adds indication information for indicating the data encryption mode between the SIP server at the calling device side and the SIP proxy network element at the calling device side into the SIP 200 OK signaling.
Step 317, the SIP server at the calling device side sends the SIP 200 OK signaling to the SIP proxy network element at the calling device side.
Step 318, the SIP proxy network element at the calling device side adds indication information for indicating the data encryption mode between the SIP proxy network element at the calling device side and the calling device into the SIP 200 OK signaling.
Step 319, the SIP proxy network element at the calling device side sends the SIP 200 OK signaling to the calling device.
The structure and content of the SIP 200 OK signaling sent by the SIP proxy network element on the calling device side to the calling device may be as shown in the following example.
SIP/2.0 200 OK
From: <sip:900372368@IP5>;tag=f25cab16
To: <sip:800501511@IP1>
Via: SIP/2.0/TCP
……
Content-Type: application/sdp
……
sec-tracert=Reply
m=audio
tracert-SIP IP5-calleid crypto,AES-256 (indication information for indicating the SIP signaling encryption mode between the SIP proxy network element on the called device side and the called device)
tracert-SIP IP4-IP5 crypto,AES-128 (indication information for indicating the SIP signaling encryption mode between the SIP server on the called device side and the SIP proxy network element on the called device side)
tracert-SIP IP3-IP4 crypto,AES-128 (indication information for indicating the SIP signaling encryption mode between the SIP gateway and the SIP server on the called device side)
tracert-SIP IP2-IP3 crypto,AES-128 (indication information for indicating the SIP signaling encryption mode between the SIP server on the calling device side and the SIP gateway)
tracert-SIP IP1-IP2 plain (indication information for indicating the SIP signaling encryption mode between the SIP proxy network element at the calling device side and the SIP server at the calling device side; this hop is unencrypted)
tracert-SIP CallerID-IP1 crypto,AES-256 (indication information for indicating the SIP signaling encryption mode between the calling device and the SIP proxy network element at the calling device side)
tracert-rtp IP5-calleid crypto,AES-256 (indication information for indicating the encryption mode of voice media data between the SIP proxy network element on the called device side and the called device)
tracert-rtp IP1-IP5 crypto,AES-128 (indication information for indicating the encryption mode of voice media data between the SIP proxy network element on the calling device side and the SIP proxy network element on the called device side)
tracert-rtp CallerID-IP1 crypto,AES-256 (indication information for indicating the encryption mode of voice media data between the calling device and the SIP proxy network element at the calling device side)
Step 320, the calling device determines the encryption mode between each node in the data transmission path according to the indication information carried in the SIP 200 OK signaling.
After receiving the SIP 200 OK signaling, the calling device may extract all the indication information from the SIP 200 OK signaling, and then determine the encryption manner between each node in the data transmission path according to the indication information.
After the encryption mode is determined, the calling device may also use a display module to display the encryption mode.
By adopting the method provided by the embodiment, the calling device can acquire the encryption mode between each node in the data transmission path.
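Steps 203 and 204 above and steps 308 to 320 of this embodiment describe the same hop-by-hop accumulation of indication information. The following Python, added here and not part of the patent, simulates the Reply body being extended by each node and then parsed by the calling device, which additionally checks that every hop of the signaling path and of the media path actually reported its mode and flags any hop reported as plain. The line syntax, the node names IP1..IP5 / CallerID / CalleeID, and all function names are constructed for this illustration and are not a published SIP/SDP format.

```python
"""Added example (not the patent's code): builds a sec-tracert Reply body hop
by hop and extracts the per-hop encryption modes at the calling device.
The line syntax and node names follow the patent's example but are
constructed here; they are not a published SIP/SDP format."""
import re
from dataclasses import dataclass
from typing import Optional

# One indication line: tracert-<sip|rtp> <src>-<dst> plain | crypto,<alg>
LINE_RE = re.compile(
    r"^tracert-(?P<kind>sip|rtp)\s+(?P<src>\w+)-(?P<dst>\w+)\s+"
    r"(?:plain|crypto,(?P<alg>[\w-]+))$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Hop:
    kind: str            # "sip" (signaling) or "rtp" (voice media)
    src: str             # node nearer the calling device
    dst: str             # node nearer the called device
    alg: Optional[str]   # None means the hop is unencrypted ("plain")


def hop_line(hop: Hop) -> str:
    mode = "plain" if hop.alg is None else f"crypto,{hop.alg}"
    return f"tracert-{hop.kind} {hop.src}-{hop.dst} {mode}"


def add_indication(body: str, hops: list) -> str:
    """What a node does in steps 308-318: insert its own hop line(s) into the
    Reply body it received. Signaling lines stay grouped ahead of media
    lines, as in the patent's step 310 example."""
    lines = body.splitlines()
    for hop in hops:
        if hop.kind == "sip":
            last = max(i for i, line in enumerate(lines)
                       if line.lower().startswith(("tracert-sip", "m=audio")))
            lines.insert(last + 1, hop_line(hop))
        else:
            lines.append(hop_line(hop))
    return "\n".join(lines)


def parse_reply(body: str) -> list:
    """Step 320: extract every indication line; lines that do not match the
    expected syntax are ignored rather than trusted."""
    hops = []
    for line in body.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hops.append(Hop(m["kind"].lower(), m["src"], m["dst"], m["alg"]))
    return hops


def path_nodes(hops: list, kind: str, caller: str, callee: str):
    """Walk the hops of one kind from caller to callee and return the ordered
    node list, or None when a hop is missing (a node did not add its
    indication) or the chain loops."""
    by_src = {h.src: h for h in hops if h.kind == kind}
    order = [caller]
    node = caller
    while node != callee:
        hop = by_src.get(node)
        if hop is None or hop.dst in order:
            return None
        node = hop.dst
        order.append(node)
    return order


def unencrypted_hops(hops: list) -> list:
    """The hops a display module should flag: those reported as plain."""
    return [h for h in hops if h.alg is None]


def build_reply_body() -> str:
    """Replays steps 308-318 for the fig. 3 topology. IP1..IP5 are the
    calling-side proxy, calling-side server, gateway, called-side server and
    called-side proxy; CallerID/CalleeID stand for the two terminals."""
    body = "sec-tracert=Reply\nm=audio"                        # step 308
    body = add_indication(body, [Hop("sip", "IP5", "CalleeID", "AES-256"),
                                 Hop("rtp", "IP5", "CalleeID", "AES-256")])
    # Step 310: the called-side proxy signals to IP4 but sends media to IP1.
    body = add_indication(body, [Hop("sip", "IP4", "IP5", "AES-128"),
                                 Hop("rtp", "IP1", "IP5", "AES-128")])
    body = add_indication(body, [Hop("sip", "IP3", "IP4", "AES-128")])  # 312
    body = add_indication(body, [Hop("sip", "IP2", "IP3", "AES-128")])  # 314
    body = add_indication(body, [Hop("sip", "IP1", "IP2", None)])       # 316: plain
    body = add_indication(body, [Hop("sip", "CallerID", "IP1", "AES-256"),
                                 Hop("rtp", "CallerID", "IP1", "AES-256")])  # 318
    return body


if __name__ == "__main__":
    hops = parse_reply(build_reply_body())
    print("signaling path:", path_nodes(hops, "sip", "CallerID", "CalleeID"))
    print("media path:", path_nodes(hops, "rtp", "CallerID", "CalleeID"))
    print("plain hops:", [hop_line(h) for h in unencrypted_hops(hops)])
```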
Corresponding to the encryption mode determination method, this application also provides terminal devices that can be used to determine the encryption mode.
Referring to fig. 4, a schematic structural diagram of an embodiment of the calling device of the present application is shown.
As shown in fig. 4, the calling device may include a sending unit 401, a receiving unit 402 and an obtaining unit 403.
The sending unit 401 is configured to send an encryption mode detection request to a second node, where the second node is a next hop node of a calling device in a data transmission path between the calling device and a called device, and the encryption mode detection request is used to request an encryption mode between each node in the data transmission path.
A receiving unit 402, configured to receive an encryption scheme probe response sent by the second node, where the encryption scheme probe response carries indication information used for indicating an encryption scheme between nodes in the data transmission path.
An obtaining unit 403, configured to determine, according to the indication information, an encryption manner between each node in the data transmission path.
Optionally, the sending unit 401 may be configured to send a session initiation protocol information SIP INFO signaling to the second node, where a message body of the SIP INFO signaling carries a secure route trace command sec-tracert, and the sec-tracert is used to request an encryption manner between nodes in the data transmission path. Correspondingly, the receiving unit 402 may be configured to receive a transaction end response SIP 200 OK signaling sent by the second node, where a message body of the SIP 200 OK signaling carries indication information used for indicating an encryption manner between nodes in the data transmission path.
Fig. 5 is a schematic structural diagram of an embodiment of the called device of the present application.
As shown in fig. 5, the called device may include a receiving unit 501 and a sending unit 502.
The receiving unit 501 is configured to receive an encryption mode detection request sent by a second node, where the second node is a previous-hop node of a called device in a data transmission path between a calling device and the called device, and the encryption mode detection request is used to request an encryption mode between each node in the data transmission path; a sending unit 502, configured to send an encryption mode probe response to the second node, where the encryption mode probe response carries indication information used for indicating an encryption mode between the called device and the second node.
Optionally, the receiving unit 501 may be configured to receive a session initiation protocol information SIP INFO signaling sent by a second node, where a message body of the SIP INFO signaling carries a secure route trace command sec-tracert, and the sec-tracert is used to request an encryption manner between nodes in the data transmission path. Correspondingly, the sending unit 502 may be configured to send a transaction end response SIP 200 OK signaling to the second node, where a message body of the SIP 200 OK signaling carries information used for indicating an encryption manner between the called device and the second node.
In a specific implementation, the present invention further provides a computer storage medium, where the computer storage medium may store a program, and the program, when executed, may include some or all of the steps in the embodiments of the encryption mode determination method provided by the present invention. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM) or a random access memory (RAM).
Those skilled in the art will readily appreciate that the techniques of the embodiments of the present invention may be implemented as software plus a required general purpose hardware platform. Based on such understanding, the technical solutions in the embodiments of the present invention may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as ROM/RAM, magnetic disk, optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method according to the embodiments or some parts of the embodiments.
The same and similar parts in the various embodiments in this specification may be referred to each other. In particular, for the apparatus and system embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference may be made to the description of the method embodiments for relevant points.
The above-described embodiments of the present invention should not be construed as limiting the scope of the present invention.

Claims (15)

1. An encryption method determination method, comprising:
a calling device sends an encryption mode detection request to a second node, wherein the second node is a next hop node of the calling device in a data transmission path between the calling device and a called device, and the encryption mode detection request is used for requesting an encryption mode between each node in the data transmission path;
the calling equipment receives an encryption mode detection response sent by the second node, wherein the encryption mode detection response carries indication information used for indicating the encryption mode among the nodes in the data transmission path;
and the calling equipment determines the encryption mode among all nodes in the data transmission path according to the indication information.
2. The method of claim 1, wherein the sending, by the calling device, the encryption mode detection request to the second node comprises:
the calling device sends session initiation protocol information (SIP INFO) signaling to the second node, wherein a message body of the SIP INFO signaling carries a security routing tracking command sec-tracert, and the sec-tracert is used for requesting an encryption mode among all nodes in the data transmission path.
3. The method of claim 1 or 2, wherein the receiving, by the calling device, the encryption mode detection response sent by the second node comprises:
the calling device receives a transaction end response SIP 200 OK signaling sent by the second node, wherein the message body of the SIP 200 OK signaling carries indication information for indicating the encryption mode among all nodes in the data transmission path.
4. An encryption method determination method, comprising:
a called device receives an encryption mode detection request sent by a second node, wherein the second node is a previous hop node of the called device in a data transmission path between a calling device and the called device, and the encryption mode detection request is used for requesting an encryption mode between each node in the data transmission path;
and the called device sends an encryption mode detection response to the second node, wherein the encryption mode detection response carries indication information used for indicating the encryption mode between the called device and the second node, so that the calling device determines the encryption mode between each node in the data transmission path according to the indication information.
5. The method of claim 4, wherein the receiving, by the called device, the encryption mode detection request sent by the second node comprises:
the called device receives session initiation protocol information SIP INFO signaling sent by the second node, wherein a message body of the SIP INFO signaling carries a security routing tracking command sec-tracert, and the sec-tracert is used for requesting an encryption mode among all nodes in the data transmission path.
6. The method of claim 4 or 5, wherein the sending, by the called device, the encryption mode detection response to the previous-hop node of the called device comprises:
the called device sends a transaction end response SIP 200 OK signaling to the second node, and a message body of the SIP 200 OK signaling carries indication information used for indicating the encryption mode between the called device and the second node.
7. A calling device, comprising:
a sending unit, configured to send an encryption mode detection request to a second node, where the second node is a next hop node of a data transmission path between a calling device and a called device, and the encryption mode detection request is used to request an encryption mode between nodes in the data transmission path;
a receiving unit, configured to receive an encryption mode probe response sent by the second node, where the encryption mode probe response carries indication information used for indicating an encryption mode between each node in the data transmission path;
and the acquisition unit is used for determining the encryption mode among the nodes in the data transmission path according to the indication information.
8. The calling device of claim 7,
the sending unit is specifically configured to send a session initiation protocol information SIP INFO signaling to the second node, where a message body of the SIP INFO signaling carries a security route trace command sec-tracert, and the sec-tracert is used to request an encryption mode between each node in the data transmission path.
9. The calling device of claim 7 or 8,
the receiving unit is specifically configured to receive a transaction end response SIP 200 OK signaling sent by the second node, where a message body of the SIP 200 OK signaling carries indication information for indicating an encryption manner between nodes in the data transmission path.
10. A called device, comprising:
a receiving unit, configured to receive an encryption mode detection request sent by a second node, where the second node is a previous-hop node of a called device in a data transmission path between a calling device and the called device, and the encryption mode detection request is used to request an encryption mode between nodes in the data transmission path;
a sending unit, configured to send an encryption mode probe response to the second node, where the encryption mode probe response carries indication information used to indicate an encryption mode between the called device and the second node, so that the calling device determines, according to the indication information, an encryption mode between each node in the data transmission path.
11. The called device of claim 10,
the receiving unit is specifically configured to receive session initiation protocol information SIP INFO signaling sent by a second node, where a message body of the SIP INFO signaling carries a security route trace command sec-tracert, and the sec-tracert is used to request an encryption manner between nodes in the data transmission path.
12. The called device of claim 10 or 11,
the sending unit is specifically configured to send a transaction end response SIP 200 OK signaling to the second node, where a message body of the SIP 200 OK signaling carries indication information for indicating the encryption mode between the called device and the second node.
13. A calling device, comprising a processor and a communication interface,
the processor is configured to generate an encryption mode probe request, where the encryption mode probe request is used to request an encryption mode between each node in a data transmission path;
the communication interface is used for sending an encryption mode detection request to a second node, and the second node is a next hop node of the calling equipment in a data transmission path between the calling equipment and the called equipment;
the communication interface is further configured to receive an encryption mode probe response sent by the second node, where the encryption mode probe response carries indication information used for indicating an encryption mode between each node in the data transmission path;
the processor is further configured to determine an encryption mode between each node in the data transmission path according to the indication information.
14. A called device is characterized in that the device comprises a processor and a communication interface,
the communication interface is configured to receive an encryption mode detection request sent by a second node, where the second node is a previous-hop node of the called device in a data transmission path between the calling device and the called device, and the encryption mode detection request is used to request an encryption mode between each node in the data transmission path;
the processor is configured to generate an encryption mode detection response after the communication interface receives the encryption mode detection request, where the encryption mode detection response carries indication information used for indicating an encryption mode between the called device and the second node, so that the calling device determines, according to the indication information, an encryption mode between each node in the data transmission path;
the communication interface is further configured to send an encryption mode probe response to the second node.
15. A VoIP system is characterized by comprising a calling device, a called device and at least one network side device for realizing data transmission between the calling device and the called device;
the calling device is used for sending an encryption mode detection request to the called device through the network side device, and the encryption mode detection request is used for requesting the encryption mode between each node in a data transmission path between the calling device and the called device;
the called device is used for generating an encryption mode detection response after receiving the encryption mode detection request sent by the network side device and sending the encryption mode detection response to the calling device through the network side device;
the network side device is configured to send the encryption mode detection request to a next hop node of the network side device in the data transmission path after receiving the encryption mode detection request sent by the previous hop node of the network side device in the data transmission path between the calling device and the called device;
the network side device is further configured to send an encryption mode probe response carrying first indication information and second indication information to the previous hop node after receiving an encryption mode probe response carrying the first indication information and sent by the next hop node, where the first indication information is used to indicate an encryption mode between nodes in a first path segment, and the first path segment is a part of the network side device in the data transmission path to a called device; the second indication information is used for indicating an encryption mode between the network side equipment and the previous hop node.
CN201610286865.8A 2016-05-03 2016-05-03 Encryption mode determination method, calling device, called device and VoIP system Active CN107342970B (en)
Publications (2)

Publication Number Publication Date
CN107342970A CN107342970A (en) 2017-11-10
CN107342970B true CN107342970B (en) 2020-08-07

Family

ID=60222922

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610286865.8A Active CN107342970B (en) 2016-05-03 2016-05-03 Encryption mode determination method, calling device, called device and VoIP system

Country Status (1)

Country Link
CN (1) CN107342970B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111741031B (en) * 2020-08-26 2020-11-20 深圳信息职业技术学院 Block chain based network communication encryption method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1937624A (en) * 2005-09-24 2007-03-28 国际商业机器公司 Method and apparatus for verifying encryption of sip signalling
CN101227272A (en) * 2007-01-19 2008-07-23 华为技术有限公司 System and method for obtaining media stream protection cryptographic key
CN101997681A (en) * 2009-08-14 2011-03-30 中国移动通信集团公司 Authentication method and system for multi-node path and relevant node equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8214640B2 (en) * 2005-12-05 2012-07-03 Alcatel Lucent Method of embedding information in implementation defined SIP header fields


Also Published As

Publication number Publication date
CN107342970A (en) 2017-11-10

Similar Documents

Publication Publication Date Title
US9749292B2 (en) Selectively performing man in the middle decryption
US9021575B2 (en) Selectively performing man in the middle decryption
KR100924692B1 (en) Data transmission system, apparatus and method for processing information, apparatus and method for relaying data, and storage medium
ES2654333T3 (en) Session control for streaming media streams
US20210007176A1 (en) Wireless connection establishing methods and wireless connection establishing apparatuses
US9648052B2 (en) Real-time communications gateway
US9294463B2 (en) Apparatus, method and system for context-aware security control in cloud environment
US11831763B2 (en) Methods, systems, and computer readable media for utilizing predetermined encryption keys in a test simulation environment
EP3716526A1 (en) Method of identity authentication for voice over internet protocol call and related device
US20180176157A1 (en) Conveying instant messages via http
WO2017215565A1 (en) Method and device for transmitting dpi policy
US9049012B2 (en) Secured cryptographic communication system
JP5091887B2 (en) Terminal device, communication processing method, and program
CN104753872A (en) Authentication method, authentication platform, service platform, network elements and system
US10205590B2 (en) Methods, systems, and computer readable media for reducing the size of a cryptographic key in a test simulation environment
BR112018008015B1 (en) METHOD FOR OPERATION, DEVICE FOR COMMUNICATION, AND, NETWORK FOR CONTENT DISTRIBUTION
CN107342970B (en) Encryption mode determination method, calling device, called device and VoIP system
WO2013189398A2 (en) Application data push method, device, and system
CA2844428C (en) Real-time encryption of voice and fax over ip
US10389835B2 (en) Application aware systems and methods to process user loadable network applications
US20170201493A1 (en) System and method for secure and anonymous communication in a network
CN109379378A (en) Sending method, device, server, system and the storage medium of internet short message
KR102514337B1 (en) Carrier aggregation through user network interface proxy
CN111245601A (en) Communication negotiation method and device
CN110995730A (en) Data transmission method and device, proxy server and proxy server cluster

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant