CN117240445A - Method for realizing intercommunication between secret voice VoLTE and clear voice VoBB - Google Patents

Info

Publication number: CN117240445A
Authority: CN (China)
Prior art keywords: domain, VoBB, VoLTE, session, call
Legal status: Pending
Application number: CN202311016844.0A
Other languages: Chinese (zh)
Inventor: 罗俊
Current assignee: China Telecom Quantum Technology Co ltd
Original assignee: China Telecom Quantum Technology Co ltd
Application filed by China Telecom Quantum Technology Co ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for realizing interworking between secret voice VoLTE and clear voice VoBB. A cryptographic gateway receives call data sent by the second call session control center of the VoBB domain in which the called VoBB user terminal is located; session information has been added to the call data as an extension and comprises the identifier of the QKD node to which the calling party belongs and the identifier of a session key. According to this session information the gateway sends a session key application to the QKD node of its own (local) domain, so that the local QKD node requests the session key from the QKD node to which the calling party belongs. The gateway receives the session key returned by the local QKD node, establishes the corresponding media stream encryption and decryption policy from the session information and the session key, and uses that policy to encrypt and decrypt the media streams routed to it by the first and second call session control centers, thereby realizing interworking between secret voice VoLTE and clear voice VoBB in different domains.

Description

Method for realizing intercommunication between secret voice VoLTE and clear voice VoBB
Technical Field
The invention relates to the technical field of cryptographic applications, in particular to a method for realizing interworking between secret voice VoLTE and clear voice VoBB.
Background
VoLTE (Voice over LTE) carries voice as IP data over the LTE network. As mobile communication technology develops, VoLTE high-definition calling is becoming increasingly common, and to secure calls on the mobile network each operator is competing to launch end-to-end VoLTE encryption applications. For VoBB (Voice over BroadBand) fixed-line broadband telephony the security problem is less prominent than on mobile networks, and encryption applications are not deployed as widely as on the smartphones of mobile networks, so the need arises for interworking between VoLTE secret voice and VoBB broadband telephony. For example, the quantum-network-based encrypted communication system for IP phones and mobile terminals proposed in patent application publication CN113098872A achieves encrypted communication between different communication networks by distributing a quantum key as the session key to a convergence gateway and a mobile terminal; however, in that scheme both users of the quantum key in the first segment (the mobile terminal and the convergence gateway) obtain the key from the same cryptographic service platform, and the two parties of the second segment (quantum security encryption devices A and B) communicate only on the basis of a shared quantum key, so no cross-domain session is realized. In "IMS fixed-mobile interworking scheme and typical problem research" (Liu Lihua et al., Science and Technology Journal, 2021, 8, 20), a typical fixed-mobile IMS architecture, an IMS fixed-mobile interworking scheme and interworking routes are discussed, but that scheme is suitable only for clear-call interworking, so its message exchange and communication architecture concern call routing alone.
At present, the specific deployment of interworking between secret voice VoLTE and clear voice VoBB still faces the following difficulties:
(1) The fixed-network broadband telephone software system is less open than the VoLTE smart terminal. A VoLTE smart terminal can easily gain new capabilities by upgrading an app online or even upgrading the system firmware online, whereas a broadband telephone terminal is hard to update quickly because its system is relatively closed and its software ecosystem is relatively fixed, so the improvements that can be realized on the terminal are limited. Deploying the same encryption system on both VoLTE and VoBB terminals is therefore not very feasible.
(2) Common encryption schemes usually adopt a public-key cryptosystem of relatively high complexity, and the Chinese public-key cryptosystem additionally uses a dual-certificate, dual-key-pair system. With a very large number of end users, managing a VoIP (Voice over Internet Protocol) encryption system is extremely difficult, which limits its application and popularization.
(3) The session key negotiation or distribution process is protected by long-lived asymmetric encryption key pairs and signature key pairs, so one-time keying is not achieved; moreover, the public key may be broken by the continuously developing quantum computer, in which case the session key being transferred is broken and stolen.
(4) VoIP software or service providers must be modified to support VoIP encryption, which has a significant impact on existing services.
Disclosure of Invention
The technical problem to be solved by the invention is how to realize interworking between secret voice VoLTE and clear voice VoBB located in different domains.
The invention solves this technical problem by the following technical means:
In a first aspect, the invention proposes a method for implementing interworking between secret voice VoLTE and clear voice VoBB, applied to a cryptographic gateway, the method comprising:
receiving call data sent by a second call session control center of the VoBB domain in which a VoBB user terminal serving as the called party is located, where the call data is generated by a VoLTE user terminal serving as the calling party and routed to the second call session control center through a first call session control center of the VoLTE domain, and where session information has been added to the call data as an extension, the session information comprising an identifier of the QKD node to which the calling party belongs and an identifier of a session key;
sending a session key application to the QKD node of the cryptographic gateway's local domain according to the session information, so that the local QKD node requests the session key from the QKD node to which the calling party belongs;
receiving the session key returned by the local QKD node, and establishing a corresponding media stream encryption and decryption policy according to the session information and the session key;
and encrypting and decrypting the media streams routed by the first and second call session control centers using the media stream encryption and decryption policy.
In a second aspect, the invention proposes a method for implementing interworking between secret voice VoLTE and clear voice VoBB, applied to a cryptographic gateway, the method comprising:
receiving call data sent by a second call session control center of the VoBB domain in which a VoBB user terminal serving as the calling party is located;
applying to the QKD node of the cryptographic gateway's local domain for the session key of the current call according to the session information in the call data;
receiving the session key returned by the local QKD node together with the identifier of the local QKD node and the identifier of the session key, and establishing a corresponding media stream encryption and decryption policy according to the session information and the session key;
adding to the call data, as an extension, the identifier of the QKD node to which the calling party belongs (here, the local QKD node of the cryptographic gateway) and the identifier of the session key, and sending the call data to the second call session control center so that it routes the call data to a VoLTE user terminal serving as the called party through a first call session control center of the VoLTE domain;
and encrypting and decrypting the media streams routed by the first and second call session control centers using the media stream encryption and decryption policy.
In a third aspect, the invention provides a system for implementing interworking between secret voice VoLTE and clear voice VoBB. The system comprises a VoLTE user terminal, a VoBB user terminal, a first call session control center of the VoLTE domain, a second call session control center of the VoBB domain, an ENUM/DNS system, a cryptographic gateway and a quantum key distribution network. The VoLTE user terminal, the VoBB user terminal and the cryptographic gateway are each connected to the corresponding QKD node in the quantum key distribution network; the first and second call session control centers are both connected to the cryptographic gateway and both connected to the ENUM/DNS system;
the ENUM/DNS system holds the mapping relations between the telephone numbers at every level of each domain and VoIP domain names, and between VoIP domain names and IP addresses;
the quantum key distribution network performs session key distribution between the VoLTE user terminals and the cryptographic gateway in different domains: the VoLTE user terminals and the cryptographic gateway each obtain session keys from their own QKD nodes, and the different QKD nodes synchronize the session keys in real time through QKD cross-domain key distribution;
the first call session control center transfers call data and session key information during a call session of the VoLTE user terminal;
the second call session control center transfers call data and session key information during a call session of the VoBB user terminal;
the cryptographic gateway converts between the VoLTE secret (ciphertext) call and the VoBB clear call and connects them, based on the call data and the session key.
The invention has the advantages that:
(1) The cryptographic gateway is deployed at the boundary between the VoLTE domain and the VoBB domain, and session keys are distributed between VoLTE secret telephone terminals and the VoBB cryptographic gateway in different domains through a quantum key distribution (QKD) network. The two users of the quantum key, i.e. the two communicating parties (the VoLTE terminal and the cryptographic gateway), obtain the quantum key from different QKD nodes, and those QKD nodes synchronize the session key in real time through QKD cross-domain key distribution, giving higher security and communication efficiency and simple management and deployment. In addition, session information such as the identifier of the QKD node to which the calling party belongs and the session key identifier is added as an extension to the call data field, and transmission links for call information and key information are added between the network elements and the cryptographic gateway in the message and communication architecture, i.e. the call session control centers of the VoBB side (plaintext) and the VoLTE side (ciphertext) each exchange data with the cryptographic gateway, so that interworking between secret voice VoLTE and clear voice VoBB in different domains is realized. Because the QKD network distributes symmetric keys securely, complexity is low and security is high, the management burden of the encryption system is reduced, and the scheme is easy to popularize.
(2) Because the cryptographic gateway performs the conversion of the encrypted media stream and the processing of the signaling related to key distribution, neither the VoIP software nor the service provider needs to be modified, which reduces the impact on existing services; and because the secret/clear call conversion gateway takes the form of a hardware cryptographic device, reliability and security are improved.
(3) A large volume of master keys generated by the QKD network is pre-filled and then consumed, so that the protection of the key distribution process is a true one-time pad, which strengthens the security of the whole system from the top level. This property holds only if each master key is used for a single delivery, is at least as long as the session key it protects, and is consumed in lock-step on the endpoint and on its QKD node, so a deployment must verify those three conditions.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
Fig. 1 is a schematic structural diagram of a system for implementing interworking between secret voice VoLTE and clear voice VoBB according to a first embodiment of the invention;
fig. 2 is a schematic flow chart of a VoLTE user terminal calling a VoBB user terminal in the invention;
fig. 3 is a schematic flow chart of a VoBB user terminal calling a VoLTE user terminal in the invention;
fig. 4 is a flow chart of a method for implementing interworking between secret voice VoLTE and clear voice VoBB according to a second embodiment of the invention;
fig. 5 is a flow chart of a method for implementing interworking between secret voice VoLTE and clear voice VoBB according to a third embodiment of the invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below in conjunction with the embodiments. Clearly, the described embodiments are some, but not all, of the embodiments of the invention. All other embodiments obtained by those skilled in the art on the basis of these embodiments without inventive effort fall within the scope of the invention.
As shown in fig. 1, a first embodiment of the invention discloses a system for implementing interworking between secret voice VoLTE and clear voice VoBB. The system comprises a VoLTE user terminal 10, a VoBB user terminal 20, a first call session control center 30 of the VoLTE domain, a second call session control center 40 of the VoBB domain, an ENUM/DNS system 50, a cryptographic gateway 60 and a quantum key distribution network 70. The VoLTE user terminal 10, the VoBB user terminal 20 and the cryptographic gateway 60 are each connected to the corresponding QKD node in the quantum key distribution network 70; the first call session control center 30 and the second call session control center 40 are both connected to the cryptographic gateway 60 and both connected to the ENUM/DNS system 50;
the ENUM/DNS system 50 holds the mapping relations between the telephone numbers at every level of each domain and VoIP domain names, and between VoIP domain names and IP addresses;
the quantum key distribution network 70 performs session key distribution between VoLTE user terminals and the cryptographic gateway in different domains: the VoLTE user terminal 10 and the cryptographic gateway 60 each obtain session keys from their own QKD nodes, and the different QKD nodes synchronize the session keys in real time through QKD cross-domain key distribution;
the first call session control center 30 transfers call data and session key information during a call session of the VoLTE user terminal 10;
the second call session control center 40 transfers call data and session key information during a call session of the VoBB user terminal 20;
the cryptographic gateway 60 converts between the VoLTE secret call and the VoBB clear call and connects them, based on the call data and the session key.
In this embodiment, a VoBB cryptographic gateway is deployed at the boundary between the VoLTE domain and the VoBB domain, and session keys are distributed between the VoLTE user terminal and the VoBB cryptographic gateway in different domains through the quantum key distribution network, so that interworking between secret voice VoLTE and clear voice VoBB in different domains is realized with higher security and communication efficiency and simple management and deployment.
Specifically, the VoLTE user terminal 10 is a device such as a smartphone with a built-in secure SIM card; it can invoke the key management and encryption/decryption functions of the secure SIM card to make encrypted VoLTE calls.
The VoBB user terminal 20 is a broadband voice telephony terminal; using the broadband transmission network and IP terminals as carriers, it provides a virtual telephone network for group users.
The cryptographic gateway 60 is a hardware network encryption device deployed at the boundary between the broadband private network and the LTE network; it converts between VoLTE secret calls and VoBB clear calls and connects them.
The quantum key distribution network 70 comprises quantum network nodes and a quantum network link control center, and provides services such as quantum key generation, quantum key relay and quantum key provision. A quantum network node (QKD node) stores the generated quantum keys, receives key applications from a key agent, and either provides keys to the key agent or provides a key filling service directly. The quantum network link control center can establish quantum key distribution and relay links between nodes according to the quantum network node IDs.
In an embodiment, the VoLTE user terminal 10 comprises:
a first session key application module, configured to apply to a first QKD node of the domain in which the VoLTE user terminal is located for the session key of the current call;
a session information receiving module, configured to receive the first session information and the session key returned by the first QKD node, where the first session information comprises the identifier of the first QKD node and the identifier of the session key;
and a call data generation module, configured to generate first call data based on the first session information and route the first call data to the first call session control center, where the information carried in the first call data comprises the calling number, the called number and a Session Initiation Protocol (SIP) call data field, and the first session information is added to the SIP call data field as an extension.
In this embodiment, session information such as the identifier of the QKD node to which the calling party belongs and the session key identifier is added as an extension to the SIP call data field, and transmission links for call information and key information are added between each network element and the cryptographic gateway in the message and communication architecture, i.e. the call session control centers of the VoBB side (plaintext) and the VoLTE side (ciphertext) each exchange call data and key information with the cryptographic gateway, so that interworking between the VoBB side (plaintext) and the VoLTE side (ciphertext) is realized.
In an embodiment, the first call session control center comprises the P-CSCF, the S-CSCF and the I-CSCF of the VoLTE domain, and the second call session control center comprises the P-CSCF, the S-CSCF and the I-CSCF of the VoBB domain;
the S-CSCF of the VoLTE domain receives the first call data sent by the call data generation module and queries the ENUM/DNS system for the address of the I-CSCF of the VoBB domain;
the S-CSCF of the VoLTE domain routes the first call data to the I-CSCF of the VoBB domain; the I-CSCF of the VoBB domain queries the ENUM/DNS system for the address of the S-CSCF of the VoBB domain and routes the first call data to the P-CSCF of the VoBB domain through the S-CSCF of the VoBB domain;
the P-CSCF of the VoBB domain routes the first call data to the VoBB user terminal and to the cryptographic gateway.
Specifically, the first and second call session control centers are Call Session Control Functions (CSCF): functional entities inside the IP Multimedia Subsystem (IMS) that form the core of the IMS network and are mainly responsible for signaling control during a multimedia call session. They comprise the Proxy CSCF (P-CSCF), the Serving CSCF (S-CSCF) and the Interrogating CSCF (I-CSCF).
In one embodiment, the cryptographic gateway 60 comprises:
a second session key application module, configured to apply, according to the first session information, to a second QKD node of the local domain for the session key of the current session, whereupon the second QKD node requests the session key from the first QKD node according to the identifier of the first QKD node and the identifier of the session key;
a session key receiving module, configured to receive the session key returned by the second QKD node;
a data receiving module, configured to receive the media streams routed by the first and second call session control centers;
and an encryption and decryption module, configured to establish a corresponding media stream encryption and decryption policy according to the first session information and the session key, and to encrypt and decrypt the incoming media streams.
In one embodiment, in the cryptographic gateway 60:
the data receiving module is further configured to receive the call data generated when the VoBB user terminal dials the VoLTE user terminal;
the second session key application module is further configured to apply, according to that call data, to the second QKD node of the local domain for the session key of the current call;
the session key receiving module is further configured to receive the session key and the second session information generated by the second QKD node, where the second session information comprises the identifier of the second QKD node and the identifier of the session key;
and the encryption and decryption module is further configured to establish a corresponding media stream encryption and decryption policy according to the second session information and the session key, and to encrypt and decrypt the incoming media streams.
In one embodiment, the cryptographic gateway 60 further comprises:
a call data transmission module, configured to add the second session information as an extension to the call data generated by the VoBB user terminal to obtain second call data, and to transmit the second call data to the S-CSCF of the VoBB domain; the S-CSCF of the VoBB domain queries the ENUM/DNS system for the address of the I-CSCF of the VoLTE domain and routes the second call data to the I-CSCF of the VoLTE domain, which queries the ENUM/DNS system for the address of the S-CSCF of the VoLTE domain and routes the second call data to the P-CSCF of the VoLTE domain via the S-CSCF of the VoLTE domain;
the P-CSCF of the VoLTE domain routes the second call data to the VoLTE user terminal.
This embodiment adopts a secret/clear call conversion gateway in the form of a hardware cryptographic device, which has advantages in reliability and security.
In an embodiment, the first session key application module is further configured to:
apply to the first QKD node for the session key of the current call based on the second session information, whereupon the first QKD node initiates a key trusted relay or key transmission request to the second QKD node according to the identifier of the second QKD node and the identifier of the session key.
In one embodiment, the ENUM/DNS system comprises an ENUM system and a DNS system;
the ENUM system converts the called number from telephone number form to SIP URI form according to the query request sent by the S-CSCF of the VoLTE domain, and converts the called number from TEL URI form to SIP URI form according to the query request sent by the S-CSCF of the VoBB domain;
the DNS system returns the address of the I-CSCF of the VoBB domain according to the query request sent by the S-CSCF of the VoLTE domain, and returns the address of the I-CSCF of the VoLTE domain according to the query request sent by the S-CSCF of the VoBB domain.
Specifically, telephone number mapping (ENUM) and the Domain Name System (DNS) are used to establish the mapping between telephone numbers at each level of each domain and VoIP domain names, and between VoIP domain names and IP addresses.
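As an added illustration of the ENUM/DNS step (this is example code, not code from the patent or from any operator's system), the following Python resolves a called E.164 number to a SIP URI and then to the I-CSCF address of the target domain, honouring NAPTR order and preference. The NAPTR zone, the DNS table, the domain names and the addresses are constructed for the example; the allow-list of interworking domains is an added check that the patent does not describe.

```python
import re
from typing import Dict, List, Optional, Tuple


def enum_domain(e164: str, suffix: str = "e164.arpa") -> str:
    """RFC 6116 ENUM name: drop '+', reverse the digits, dot-separate, append the suffix."""
    if not e164.startswith("+") or not e164[1:].isdigit():
        raise ValueError("expected an E.164 number such as +861012345678")
    return ".".join(reversed(e164[1:])) + "." + suffix


# Constructed NAPTR zone: ENUM name -> (order, preference, service, regexp) records.
# An operator serves these from its private ENUM tree; e164.arpa is used here as the suffix only.
NAPTR_ZONE: Dict[str, List[Tuple[int, int, str, str]]] = {
    enum_domain("+861012345678"): [
        (10, 100, "E2U+sip", r"!^\+(.*)$!sip:\1@vobb.example.cn!"),
    ],
    enum_domain("+8613800138000"): [
        # A poisoned record with the best (lowest) order: the allow-list must reject it.
        (5, 100, "E2U+sip", r"!^\+(.*)$!sip:\1@attacker.example!"),
        (10, 100, "E2U+sip", r"!^\+(.*)$!sip:\1@volte.example.cn!"),
        (10, 200, "E2U+pstn:tel", r"!^(.*)$!tel:\1!"),
    ],
}
# Constructed DNS table: VoIP domain name -> address of that domain's I-CSCF.
DNS_TABLE: Dict[str, str] = {"vobb.example.cn": "10.1.0.10", "volte.example.cn": "10.2.0.10"}


def apply_naptr_regexp(regexp: str, number: str) -> Optional[str]:
    """Apply a NAPTR regexp field <delim>pattern<delim>replacement<delim>flags to the number
    (Python re is used in place of POSIX ERE; the ENUM patterns here are valid in both)."""
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) < 2:
        return None
    flags = re.IGNORECASE if len(parts) > 2 and "i" in parts[2].lower() else 0
    match = re.match(parts[0], number, flags)
    return match.expand(parts[1]) if match else None


def resolve_sip_uri(e164: str, zone=NAPTR_ZONE, allowed=frozenset(DNS_TABLE)) -> Optional[str]:
    """ENUM step: TEL -> SIP URI. Records are tried in (order, preference) sequence and only
    E2U+sip records count. The allow-list is the added check: the S-CSCF must not forward the
    call to a domain outside the interworking domains, whatever the NAPTR answer says."""
    for _order, _pref, service, regexp in sorted(zone.get(enum_domain(e164), [])):
        if service.lower() != "e2u+sip":
            continue
        uri = apply_naptr_regexp(regexp, e164)
        if uri and uri.startswith("sip:") and uri.rsplit("@", 1)[-1] in allowed:
            return uri
    return None


def resolve_icscf(sip_uri: str, dns=DNS_TABLE) -> Optional[str]:
    """DNS step: the host part of the SIP URI -> address of that domain's I-CSCF."""
    return dns.get(sip_uri.rsplit("@", 1)[-1])


def route_lookup(e164: str) -> Tuple[Optional[str], Optional[str]]:
    """What the calling S-CSCF learns: (SIP URI of the callee, address of the callee's I-CSCF)."""
    uri = resolve_sip_uri(e164)
    return uri, (resolve_icscf(uri) if uri else None)
```

route_lookup("+8613800138000") skips the poisoned record and returns the volte.example.cn URI with its I-CSCF address; a number with no record yields (None, None), which the S-CSCF should treat as a routing failure rather than falling back to an unverified domain.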
In an embodiment, the cryptographic gateway and the VoLTE user terminal each store master keys for encrypted communication with their respective QKD nodes.
In this embodiment, a large-capacity security medium is used to fill the VoLTE terminal and the cryptographic gateway with a large number of master keys for encrypted communication with the QKD nodes of their respective domains, establishing a secure key distribution channel between the VoLTE terminal or cryptographic gateway and the QKD node in its domain. By pre-filling and then consuming large-capacity master keys generated by the QKD network, the protection of the key distribution process becomes a true one-time pad, strengthening the security of the whole system from the top level.
Further, as shown in fig. 2, the steps of a VoLTE user terminal calling a VoBB user terminal are:
(1) The calling VoLTE user terminal dials the called VoBB user terminal; the call is routed to the S-CSCF where the calling party is located, and the terminal applies to the QKD node of its local domain for the session key of this call.
(2) The local QKD node generates the session key of this call and returns it to the calling VoLTE user terminal, together with session information such as the QKD node identifier and the session key identifier, under the protection of the calling VoLTE user terminal's master key; the node temporarily stores the session key and the key identifier. The QKD node and the VoLTE user terminal then zeroize the used master key.
(3) The calling S-CSCF (VoLTE domain) receives the call request and call data of the calling VoLTE user terminal (the calling and called numbers, plus session information such as the calling party's QKD node identifier and the session key identifier, added as an extension to the SIP call data field) and queries the ENUM system to convert the called number from telephone number form to SIP URI form (sip:<called number>@<domain name>).
(4) Having obtained the called number in SIP URI form, the calling S-CSCF (VoLTE domain) queries the DNS system, which returns the address of the called I-CSCF (VoBB domain).
(5) The calling S-CSCF (VoLTE domain) routes the call to the called I-CSCF (VoBB domain).
(6) The called I-CSCF (VoBB domain) queries the second-level DNS of the VoBB domain of its province to obtain the address of the called S-CSCF (VoBB domain).
(7) The I-CSCF (VoBB domain) routes the call to the S-CSCF (VoBB domain).
(8) The S-CSCF (VoBB domain) routes the call to the called terminal through the P-CSCF (VoBB domain), which at the same time passes the call data to the cryptographic gateway.
(9) The cryptographic gateway applies to its local QKD node for the session key of this call according to the session information in the call data.
(10) The cryptographic gateway's local QKD node, using the calling party's QKD node identifier and the session key identifier in the session information, sends a key trusted relay request (when the two QKD nodes have no direct QKD link) or a key transmission request (when they have a direct QKD link) to the calling party's QKD node, obtains the session key over the QKD network, and returns it to the cryptographic gateway under the protection of the gateway's master key. The QKD node and the cryptographic gateway then zeroize the used master key.
(11) The cryptographic gateway establishes the corresponding media stream encryption and decryption policy from the session information and the session key. The P-CSCF of the VoBB side (plaintext) and the P-CSCF of the VoLTE side (ciphertext) both route the media stream to the cryptographic gateway, which transparently encrypts and decrypts the corresponding media streams according to that policy. The media is therefore encrypted only on the VoLTE leg; between the gateway and the VoBB terminal it travels in the clear, and the gateway itself holds both the session key and the plaintext.
Further, as shown in fig. 3, the steps of a VoBB user terminal calling a VoLTE user terminal are:
(1) The VoBB subscriber dials the VoLTE subscriber and the call is routed to the provincial P-CSCF (VoBB domain) where the caller is located. The P-CSCF (VoBB domain) at the same time passes the call data to the cryptographic gateway, which applies to the QKD node of its local domain for the session key of this call according to the session information in the call data; at this point the session information in the call data comprises the telephone numbers and IP addresses of the calling and called parties.
(2) The local QKD node generates the session key of this call and returns it to the cryptographic gateway, together with session information such as the QKD node identifier and the session key identifier, under the protection of the cryptographic gateway's master key; the node temporarily stores the session key and the key identifier. The QKD node and the cryptographic gateway then zeroize the used master key.
(3) The cryptographic gateway establishes the corresponding media stream encryption and decryption policy from the session information and the session key, adds session information such as the calling party's QKD node identifier and the session key identifier as an extension to the SIP call data field, and returns the call data to the P-CSCF (VoBB domain). Here the QKD node to which the calling party belongs means the QKD node corresponding to the cryptographic gateway.
(4) The S-CSCF (VoBB domain) queries ENUM to convert the called number from TEL URI form to SIP URI form.
(5) Having obtained the called number in SIP URI form, the S-CSCF (VoBB domain) queries the DNS, which returns the address of the regional I-CSCF (VoLTE domain) where the called party is located.
(6) The S-CSCF (VoBB domain) routes the call to the called party's regional I-CSCF (VoLTE domain).
(7) The called party's regional I-CSCF (VoLTE domain) queries the second-level DNS of the VoLTE region to obtain the address of the S-CSCF (VoLTE domain).
(8) The I-CSCF (VoLTE domain) routes the call to the S-CSCF (VoLTE domain).
(9) The S-CSCF (VoLTE domain) routes the call to the called VoLTE terminal through the P-CSCF (VoLTE domain), and the called VoLTE terminal applies to the called party's QKD node for the session key of this call according to the session information in the call data (the calling party's QKD node identifier and the session key identifier).
(10) The called party's QKD node, using the calling party's QKD node identifier and the session key identifier in the session information, sends a key trusted relay request (when the two QKD nodes have no direct QKD link) or a key transmission request (when they have a direct QKD link) to the calling party's QKD node, obtains the session key over the QKD network, and returns it to the called VoLTE terminal under the protection of the called VoLTE terminal's master key. The called party's QKD node and the called VoLTE terminal then zeroize the used master key.
(11) The P-CSCF of the VoBB side (plaintext) and the P-CSCF of the VoLTE side (ciphertext) both route the media stream to the cryptographic gateway, which transparently encrypts and decrypts the corresponding media streams according to the media stream encryption and decryption policy. As in the reverse direction, only the VoLTE leg is encrypted; the VoBB leg is clear.
As shown in fig. 4, a second embodiment of the present invention discloses a method for implementing interworking between a secret voice VoLTE and a clear voice VoBB, applied to a cryptographic gateway, the method comprising the steps of:
S101, receiving call data sent by a second call session control center of the VoBB domain where a VoBB user terminal serving as the called party is located, wherein the call data is generated by a VoLTE user terminal serving as the calling party and is routed to the second call session control center through a first call session control center of the VoLTE domain, and the call data has been extended with session information comprising an identifier of the QKD node to which the calling party belongs and an identifier of a session key;
S102, sending a session key application to the QKD node of the cryptographic gateway's local domain according to the session information, so that the QKD node of the local domain requests the session key from the QKD node to which the calling party belongs;
S103, receiving the session key returned by the QKD node of the local domain, and establishing the corresponding media stream encryption and decryption policy from the session information and the session key;
S104, encrypting and decrypting the media streams routed by the first call session control center and the second call session control center using the media stream encryption and decryption policy.
In this embodiment, the SIP call data field is extended with session information such as the calling party QKD node identifier and the session key identifier; the message and communication architecture gains a call information and key information transmission link between each network element and the cryptographic gateway, so that call data and key information flow between the first and second call session control centers and the cryptographic gateway; and the two communicating parties (the VoLTE terminal and the cryptographic gateway) obtain the quantum key from different QKD nodes, which synchronize the session key in real time through QKD cross-domain key distribution, thereby achieving interworking between secret voice VoLTE and clear voice VoBB across different domains.
In an embodiment, the call data is generated as follows:
the VoLTE user terminal dials the VoBB user terminal and applies to the QKD node to which the calling party belongs for the session key of the call;
the VoLTE user terminal generates a call request and the call data, wherein a field of the call data is extended with session information comprising the identifier of the QKD node to which the calling party belongs and the identifier of the session key.
In an embodiment, the first call session control center includes a P-CSCF of the VoLTE domain, an S-CSCF of the VoLTE domain, and an I-CSCF of the VoLTE domain;
the second call session control center comprises a P-CSCF of the VoBB domain, an S-CSCF of the VoBB domain and an I-CSCF of the VoBB domain.
In one embodiment, step S101, receiving call data sent by the second call session control center of the VoBB domain where the VoBB user terminal serving as the called party is located, comprises:
receiving the call data forwarded by the P-CSCF of the VoBB domain, wherein that call data was routed to the P-CSCF of the VoBB domain by the first call session control center according to the address of the VoBB domain, the first call session control center having obtained the address of the VoBB domain from the ENUM/DNS system according to the called number.
In one embodiment, step S102, sending a session key application to the QKD node of the cryptographic gateway's local domain according to the session information so that the QKD node of the local domain requests the session key from the QKD node to which the calling party belongs, comprises:
sending a session key application to the QKD node of the cryptographic gateway's local domain according to the session information, so that the QKD node of the local domain initiates a key trusted relay or key transmission request to the QKD node to which the calling party belongs.
In one embodiment, the cryptographic gateway is provisioned with a master key for encrypted communication with the QKD node of its local domain;
the session key returned by the QKD node of the local domain is received protected under the master key corresponding to the cryptographic gateway.
In an embodiment, after receiving the session key returned by the QKD node of the local domain, the method further comprises:
zeroizing the used master key.
The cryptographic gateway of this embodiment is a clear-voice/secret-voice call conversion gateway implemented as a hardware cryptographic device, which gives it the advantages of reliability and security.
As shown in fig. 5, a third embodiment of the present invention discloses a method for implementing interworking between a secret voice VoLTE and a clear voice VoBB, applied to a cryptographic gateway, the method comprising the steps of:
S201, receiving call data sent by a second call session control center of the VoBB domain where a VoBB user terminal serving as the calling party is located;
S202, applying to the QKD node of the cryptographic gateway's local domain for the session key of the current call according to the session information in the call data;
here the session information in the call data comprises the numbers and IP addresses of the calling and called parties.
S203, receiving the session key returned by the QKD node of the local domain, the identifier of that QKD node and the identifier of the session key, and establishing the corresponding media stream encryption and decryption policy from the session information and the session key;
S204, extending the call data with the identifier of the QKD node to which the calling party belongs and the identifier of the session key, and sending the call data to the second call session control center so that it routes the call data through the first call session control center of the VoLTE domain to the VoLTE user terminal serving as the called party;
it should be noted that the identifier of the QKD node to which the calling party belongs is the identifier of the QKD node corresponding to the cryptographic gateway.
S205, encrypting and decrypting the media streams routed by the first and second call session control centers using the media stream encryption and decryption policy.
In this embodiment, the SIP call data field is extended with session information such as the calling party QKD node identifier and the session key identifier; the message and communication architecture gains a call information and key information transmission link between each network element and the cryptographic gateway, so that call data and key information flow between the first and second call session control centers and the cryptographic gateway; and the two communicating parties (the VoLTE terminal and the cryptographic gateway) obtain the quantum key from different QKD nodes, which synchronize the session key in real time through QKD cross-domain key distribution, thereby achieving interworking between secret voice VoLTE and clear voice VoBB across different domains.
In an embodiment, the first call session control center includes a P-CSCF of the VoLTE domain, an S-CSCF of the VoLTE domain, and an I-CSCF of the VoLTE domain;
the second call session control center comprises a P-CSCF of the VoBB domain, an S-CSCF of the VoBB domain and an I-CSCF of the VoBB domain.
In one embodiment, the cryptographic gateway is provisioned with a master key for encrypted communication with the QKD node of its local domain;
the session key returned by the QKD node of the local domain is received protected under the master key corresponding to the cryptographic gateway.
In an embodiment, after receiving the session key returned by the QKD node of the local domain, the method further comprises:
zeroizing the used master key.
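As an added illustration (not part of the patent), the following Python simulation runs both call directions described above, the VoLTE-originated flow of steps S101 to S104 and the VoBB-originated flow of steps (1) to (11) and S201 to S205, through an in-memory QKD network, a VoLTE terminal and a cryptographic gateway, including the master key wrap and its zeroization. The SIP header names (X-QKD-Node, X-QKD-Key-Id), the one-time XOR wrap under the master key, the HMAC-SHA256 media keystream and all identifiers and addresses are assumptions constructed for the example; the patent specifies none of them.

```python
import hashlib
import hmac
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def media(key: bytes, direction: str, seq: int, payload: bytes) -> bytes:
    """Symmetric per-packet transform: assumed HMAC-SHA256 keystream XORed onto the payload."""
    ks = b"".join(hmac.new(key, f"{direction}|{seq}|{i}".encode(), hashlib.sha256).digest()
                  for i in range(len(payload) // 32 + 1))
    return xor(payload, ks)

class QKDNode:
    """QKD node of one domain; `network` (node id -> node) stands in for the QKD network."""
    def __init__(self, node_id: str, network: dict):
        self.node_id, self.network = node_id, network
        network[node_id] = self
        self.session_keys, self.master_keys = {}, {}  # key id -> session key; device id -> master key

    def charge_master_key(self, device_id: str) -> bytearray:
        self.master_keys[device_id] = secrets.token_bytes(32)
        return bytearray(self.master_keys[device_id])

    def generate_session_key(self, device_id: str):
        """Caller side (step 2 / S203): new key, returned wrapped, plus node id and key id."""
        key_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.session_keys[key_id] = key
        return self.node_id, key_id, self.wrap(device_id, key)

    def fetch_session_key(self, device_id: str, owner_node: str, key_id: str) -> bytes:
        """Called side (step 10 / S102): key trusted relay / transmission from the caller's node."""
        return self.wrap(device_id, self.network[owner_node].session_keys.pop(key_id))

    def wrap(self, device_id: str, key: bytes) -> bytes:
        # pop() zeroizes the used master key on the node: one call, one master key.
        return xor(self.master_keys.pop(device_id), key)

def obtain_session_key(qkd: QKDNode, device_id: str, call: dict = None):
    """Device side: generate (no call data) or fetch by the ids in the call data, then unwrap."""
    mk = qkd.charge_master_key(device_id)
    if call is None:
        node_id, key_id, wrapped = qkd.generate_session_key(device_id)
    else:
        node_id, key_id = call["X-QKD-Node"], call["X-QKD-Key-Id"]
        wrapped = qkd.fetch_session_key(device_id, node_id, key_id)
    key = xor(bytes(mk), wrapped)
    mk[:] = bytes(len(mk))  # zeroize the device's copy of the used master key
    return key, node_id, key_id

class VoLTETerminal:
    def __init__(self, number: str, ip: str, qkd: QKDNode):
        self.number, self.ip, self.qkd, self.session_key = number, ip, qkd, None

    def dial(self, callee: str, callee_ip: str) -> dict:
        """Caller: call data with the session info extended into the SIP call data field."""
        self.session_key, node_id, key_id = obtain_session_key(self.qkd, self.number)
        return {"Call-ID": secrets.token_hex(4), "From": self.number, "To": callee, "caller_ip": self.ip,
                "callee_ip": callee_ip, "X-QKD-Node": node_id, "X-QKD-Key-Id": key_id}

    def answer(self, call: dict) -> None:
        """Called VoLTE terminal (step 9): apply for the key by the carried ids."""
        self.session_key = obtain_session_key(self.qkd, self.number, call)[0]

class CryptoGateway:
    def __init__(self, device_id: str, qkd: QKDNode):
        self.device_id, self.qkd = device_id, qkd
        self.policies = {}  # Call-ID -> (session key, IP of the ciphertext leg)

    def on_call_from_volte(self, call: dict) -> None:
        """S101-S104: VoLTE caller; the key is fetched through the local QKD node."""
        key = obtain_session_key(self.qkd, self.device_id, call)[0]
        self.policies[call["Call-ID"]] = (key, call["caller_ip"])

    def on_call_from_vobb(self, call: dict) -> dict:
        """S201-S205: VoBB caller; generate locally, return call data extended with the ids."""
        key, node_id, key_id = obtain_session_key(self.qkd, self.device_id)
        self.policies[call["Call-ID"]] = (key, call["callee_ip"])
        return {**call, "X-QKD-Node": node_id, "X-QKD-Key-Id": key_id}

    def relay(self, call_id: str, src_ip: str, seq: int, payload: bytes) -> bytes:
        """Transparent media handling: decrypt from the ciphertext (VoLTE) leg, encrypt towards it."""
        key, cipher_ip = self.policies[call_id]
        return media(key, "from_volte" if src_ip == cipher_ip else "to_volte", seq, payload)

def demo() -> dict:
    """Both call directions over constructed identifiers and addresses."""
    network = {}
    ue = VoLTETerminal("ue-volte-1", "10.1.0.10", QKDNode("QKD-VoLTE-A", network))
    gw = CryptoGateway("cgw-1", QKDNode("QKD-GW-B", network))
    call = ue.dial("vobb-1", "10.2.0.20")  # VoLTE -> VoBB; the P-CSCF (VoBB domain) copies it to the gateway
    gw.on_call_from_volte(call)
    enc = media(ue.session_key, "from_volte", 1, b"hello from VoLTE")
    heard_by_vobb = gw.relay(call["Call-ID"], ue.ip, 1, enc)
    call2 = gw.on_call_from_vobb({"Call-ID": "c2", "From": "vobb-1", "To": ue.number,
                                  "caller_ip": "10.2.0.20", "callee_ip": ue.ip})  # VoBB -> VoLTE
    ue.answer(call2)
    heard_by_volte = media(ue.session_key, "to_volte", 7, gw.relay("c2", "10.2.0.20", 7, b"hello from VoBB"))
    return {"heard_by_vobb": heard_by_vobb, "heard_by_volte": heard_by_volte,
            "ciphertext_differs": enc != b"hello from VoLTE",
            "master_keys_left": sum(len(n.master_keys) for n in network.values())}
```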
Other embodiments or specific structural arrangements of the cryptographic gateway according to the present invention follow the system embodiments described above and are not repeated here.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
While embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the invention, and that variations, modifications and alternatives may be made to the above embodiments by one of ordinary skill in the art within the scope of the invention.

Claims (20)

1. A method for implementing interworking between a secret voice VoLTE and a clear voice VoBB, applied to a cryptographic gateway, the method comprising:
receiving call data sent by a second call session control center of a VoBB domain where a VoBB user terminal serving as the called party is located, wherein the call data is generated by a VoLTE user terminal serving as the calling party and is routed to the second call session control center through a first call session control center of the VoLTE domain, and the call data is extended with session information comprising an identifier of the QKD node to which the calling party belongs and an identifier of a session key;
sending a session key application to the QKD node of the cryptographic gateway's local domain according to the session information, so that the QKD node of the local domain requests the session key from the QKD node to which the calling party belongs;
receiving the session key returned by the QKD node of the local domain, and establishing a corresponding media stream encryption and decryption policy from the session information and the session key;
and encrypting and decrypting the media streams routed by the first call session control center and the second call session control center using the media stream encryption and decryption policy.
2. The method for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 1, wherein the call data is generated by:
the VoLTE user terminal dialing the VoBB user terminal and applying to the QKD node to which the calling party belongs for the session key of the call;
the VoLTE user terminal generating a call request and the call data, wherein a field of the call data is extended with session information comprising the identifier of the QKD node to which the calling party belongs and the identifier of the session key.
3. The method for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 1, wherein the first call session control center comprises a P-CSCF, an S-CSCF and an I-CSCF of the VoLTE domain;
and the second call session control center comprises a P-CSCF, an S-CSCF and an I-CSCF of the VoBB domain.
4. The method for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 3, wherein receiving the call data sent by the second call session control center of the VoBB domain where the VoBB user terminal serving as the called party is located comprises:
receiving the call data forwarded by the P-CSCF of the VoBB domain, wherein that call data was routed to the P-CSCF of the VoBB domain by the first call session control center according to the address of the VoBB domain, the first call session control center having obtained the address of the VoBB domain from an ENUM/DNS system according to the called number.
5. The method for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 1, wherein sending a session key application to the QKD node of the cryptographic gateway's local domain according to the session information so that the QKD node of the local domain requests the session key from the QKD node to which the calling party belongs comprises:
sending a session key application to the QKD node of the cryptographic gateway's local domain according to the session information, so that the QKD node of the local domain initiates a key trusted relay or key transmission request to the QKD node to which the calling party belongs.
6. The method for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 1, wherein the cryptographic gateway is provisioned with a master key for encrypted communication with the QKD node of its local domain;
and the session key returned by the QKD node of the local domain is received protected under the master key corresponding to the cryptographic gateway.
7. The method for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 6, wherein after receiving the session key returned by the QKD node of the local domain, the method further comprises:
zeroizing the used master key.
8. A method for implementing interworking between a secret voice VoLTE and a clear voice VoBB, applied to a cryptographic gateway, the method comprising:
receiving call data sent by a second call session control center of a VoBB domain where a VoBB user terminal serving as the calling party is located;
applying to the QKD node of the cryptographic gateway's local domain for the session key of the current call according to the session information in the call data;
receiving the session key returned by the QKD node of the local domain, an identifier of that QKD node and an identifier of the session key, and establishing a corresponding media stream encryption and decryption policy from the session information and the session key;
extending the call data with the identifier of the QKD node to which the calling party belongs and the identifier of the session key, and sending the call data to the second call session control center so that the second call session control center routes the call data through a first call session control center of the VoLTE domain to a VoLTE user terminal serving as the called party;
and encrypting and decrypting the media streams routed by the first call session control center and the second call session control center using the media stream encryption and decryption policy.
9. The method for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 8, wherein the first call session control center comprises a P-CSCF, an S-CSCF and an I-CSCF of the VoLTE domain;
and the second call session control center comprises a P-CSCF, an S-CSCF and an I-CSCF of the VoBB domain.
10. The method for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 9, wherein the cryptographic gateway is provisioned with a master key for encrypted communication with the QKD node of its local domain;
and the session key returned by the QKD node of the local domain is received protected under the master key corresponding to the cryptographic gateway.
11. The method for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 9, wherein after receiving the session key returned by the QKD node of the local domain, the method further comprises:
zeroizing the used master key.
12. A system for implementing interworking between a secret voice VoLTE and a clear voice VoBB, characterized by comprising a VoLTE user terminal, a VoBB user terminal, a first call session control center of the VoLTE domain, a second call session control center of the VoBB domain, an ENUM/DNS system, a cryptographic gateway and a quantum key distribution network, wherein the VoLTE user terminal, the VoBB user terminal and the cryptographic gateway are each connected to a corresponding QKD node in the quantum key distribution network, the first and second call session control centers are both connected to the cryptographic gateway, and the first and second call session control centers are both connected to the ENUM/DNS system;
the ENUM/DNS system maintains the mappings between the telephone numbers at each level of each domain and VoIP domain names, and between VoIP domain names and IP addresses;
the quantum key distribution network is used to distribute session keys between VoLTE user terminals and the cryptographic gateway in different domains: the VoLTE user terminal and the cryptographic gateway each obtain the session key from their corresponding QKD node, and the different QKD nodes synchronize the session key in real time through QKD cross-domain key distribution;
the first call session control center is used to transmit call data and the session key during a call session of the VoLTE user terminal;
the second call session control center is used to transmit call data and the session key during a call session of the VoBB user terminal;
and the cryptographic gateway is used to convert between and bridge VoLTE secret voice and VoBB clear voice based on the call data and the session key.
13. The system for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 12, wherein the VoLTE user terminal comprises:
a first session key application module, configured to apply to a first QKD node of the domain where the VoLTE user terminal is located for the session key of the current call;
a session information receiving module, configured to receive first session information and the session key returned by the first QKD node, wherein the first session information comprises an identifier of the first QKD node and the session key;
and a call data generation module, configured to generate first call data based on the first session information and to route it to the first call session control center, wherein the information carried by the first call data comprises a calling number, a called number and a Session Initiation Protocol (SIP) call data field, and the first session information is added as an extension of the SIP call data field.
14. The system for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 13, wherein the first call session control center comprises a P-CSCF, an S-CSCF and an I-CSCF of the VoLTE domain, and the second call session control center comprises a P-CSCF, an S-CSCF and an I-CSCF of the VoBB domain;
the S-CSCF of the VoLTE domain is used to receive the first call data sent by the call data generation module and to query the ENUM/DNS system for the address of the I-CSCF of the VoBB domain;
the S-CSCF of the VoBB domain is used to route the first call data to the I-CSCF of the VoBB domain, which queries the ENUM/DNS system for the address of the S-CSCF of the VoBB domain and routes the first call data through the S-CSCF of the VoBB domain to the P-CSCF of the VoBB domain;
and the P-CSCF of the VoBB domain routes the first call data to the VoBB user terminal and to the cryptographic gateway.
15. The system for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 14, wherein the cryptographic gateway comprises:
a second session key application module, configured to apply, according to the first session information, to a second QKD node of the local domain for the session key of the current session, wherein the second QKD node requests the session key from the first QKD node according to the identifier of the first QKD node and the identifier of the session key;
a session key receiving module, configured to receive the session key returned by the second QKD node;
a data receiving module, configured to receive the media streams routed by the first call session control center and the second call session control center;
and an encryption and decryption module, configured to establish a corresponding media stream encryption and decryption policy from the first session information and the session key, and to encrypt and decrypt the incoming media streams.
16. The system for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 15, wherein in the cryptographic gateway:
the data receiving module is further configured to receive call data generated when the VoBB user terminal dials the VoLTE user terminal;
the second session key application module is further configured to apply, according to that call data, to the second QKD node of the local domain for the session key of the current call;
the session key receiving module is further configured to receive the session key and second session information generated by the second QKD node, wherein the second session information comprises an identifier of the second QKD node and an identifier of the session key;
and the encryption and decryption module is further configured to establish a corresponding media stream encryption and decryption policy from the second session information and the session key, and to encrypt and decrypt the incoming media streams.
17. The system for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 16, wherein the cryptographic gateway further comprises:
a call data transmission module, configured to extend the call data generated by the VoBB user terminal with the second session information to obtain second call data, and to transmit the second call data to the S-CSCF of the VoBB domain, wherein the S-CSCF of the VoBB domain queries the ENUM/DNS system for the address of the I-CSCF of the VoLTE domain and routes the second call data to the I-CSCF of the VoLTE domain, and the I-CSCF of the VoLTE domain queries the ENUM/DNS system for the address of the S-CSCF of the VoLTE domain and routes the second call data via the S-CSCF of the VoLTE domain to the P-CSCF of the VoLTE domain;
and the P-CSCF of the VoLTE domain routes the second call data to the VoLTE user terminal.
18. The system for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 17, wherein the first session key application module is further configured to:
apply to the first QKD node for the session key of the call based on the second session information, wherein the first QKD node initiates a key trusted relay or key transmission request to the second QKD node according to the identifier of the second QKD node and the identifier of the session key.
19. The system for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 13, wherein the ENUM/DNS system comprises an ENUM system and a DNS system;
the ENUM system is used to convert the called number from telephone number form to a SIP URI format number on a query request sent by the S-CSCF of the VoLTE domain, and to convert the called number from TEL URI format to a SIP URI format number on a query request sent by the S-CSCF of the VoBB domain;
and the DNS system is used to return the address of the I-CSCF of the VoBB domain on a query request sent by the S-CSCF of the VoLTE domain, and the address of the I-CSCF of the VoLTE domain on a query request sent by the S-CSCF of the VoBB domain.
20. The system for implementing interworking between a secret voice VoLTE and a clear voice VoBB according to claim 12, wherein both the cryptographic gateway and the VoLTE user terminal store a master key for encrypted communication with their respective QKD node.
CN202311016844.0A 2023-08-10 2023-08-10 Method for realizing intercommunication between secret voice VoLTE and clear voice VoBB Pending CN117240445A (en)

Publication: CN117240445A (en), published 2023-12-15


Legal events: PB01 Publication; SE01 Entry into force of request for substantive examination