WO2008089694A1 - A method, a system and an equipment for obtaining the media stream protecting key in ims network - Google Patents


Info

Publication number
WO2008089694A1
Authority
WO
WIPO (PCT)
Prior art keywords
calling
called
key
message
network entity
Application number
PCT/CN2008/070138
Other languages
French (fr)
Chinese (zh)
Inventor
Chengdong He
Jun Yan
Zhanjun Zhang
Original Assignee
Huawei Technologies Co., Ltd.


Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819: Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/083: Key transport or distribution involving a central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L 65/00: Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/10: Architectures or entities
    • H04L 65/1016: IP multimedia subsystem [IMS]
    • H04L 65/1066: Session management
    • H04L 65/1069: Session establishment or de-establishment

Abstract

A method, a system and equipment for obtaining a media stream protection key in an IMS network are provided. The method includes the following steps: a calling terminal equipment (UE) sends a session request message to a network entity, and the network entity adds the key to the session request message and sends the message to the called UE (101); the called UE sends a response message to the network entity, and the network entity adds the key to the response message and sends the message to the calling UE (102). Alternatively, the method may be that the network entity receives a session message, obtains the key from the key management function entity, and then sends the obtained key to the terminal equipment (UE) and to the media processing function entity (MP) respectively.

Description

Method, system and apparatus for obtaining a media stream protection key in an IMS network

Technical field

The present invention relates to media stream encryption technology, and in particular to a method, a system and an apparatus for obtaining a media stream protection key in an IMS network.

Background of the invention
The IP Multimedia Subsystem (IMS, IP Multimedia Network Subsystem) is the core session control layer of fixed and mobile networks and one of the main directions of development in the communications field. IMS-related specifications, such as the network architecture, interfaces and protocols, have already been defined by the Third Generation Partnership Project (3GPP) and by Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN).

Among these, security is an important aspect of the specifications produced by 3GPP and TISPAN. To ensure security, the IMS network is divided into an access domain and a network domain, and security specifications are defined separately for the access domain and the network domain.

However, the current security specifications address only the control plane of the IMS network, that is, how to secure the session protocol in the IMS network; the media stream itself is transmitted in plaintext. In this situation the media stream may be eavesdropped on or tampered with during a call, and the security of the user's call cannot be guaranteed.

Summary of the invention
In view of this, embodiments of the present invention provide a method for obtaining a media stream protection key in an IMS network, in which the calling terminal equipment (UE) and the called UE can obtain the key from the network side and can thereby protect the media stream transmitted from user to user.

For the first object above, the technical solution proposed by embodiments of the present invention is:

a. the calling terminal equipment UE sends a session request message to a network entity; the network entity adds the key to the session request message and sends it to the called UE;

b. the called UE returns a response message to the network entity; the network entity adds the key to the response message and sends it to the calling UE.
Embodiments of the present invention provide a system for obtaining a media stream protection key in an IMS network, in which the calling UE and the called UE can obtain the key from the network side and can thereby protect the media stream transmitted from user to user.

For the second object above, the technical solution proposed by embodiments of the present invention is a system for obtaining a media stream protection key in an IMS network, the system comprising:

a terminal equipment UE, which, when acting as the calling UE, sends a session request message to the network entity and receives a session response message carrying the key, and, when acting as the called UE, receives the session request message sent by the network entity and returns a session response message;

a network entity, which, on receiving the session request message sent by the calling UE, adds the key to the session request message and sends it to the called UE, and which also receives the session response message sent by the called UE, adds the key to the session response message and sends it to the calling UE.
Embodiments of the present invention also provide a network entity for obtaining a media stream protection key in an IMS network, which can provide the key to the calling UE and the called UE.

For the third object above, the technical solution provided by embodiments of the present invention is a network entity that provides a media stream protection key to terminal equipment UE in an IMS network, the network entity comprising:

a receiving unit, for receiving the session request message sent by the calling UE and receiving the session response message sent by the called UE;

a key obtaining unit, which, when the session request message sent by the calling UE is received, adds the key to the session request message and sends it to the called UE through the sending unit, and which, when the session response message sent by the called UE is received, adds the key to the session response message and sends it to the calling UE through the sending unit;

a sending unit, for sending the session request message to the called UE and sending the session response message to the calling UE.
Embodiments of the present invention also provide user equipment for obtaining a media stream protection key in an IMS network, which can obtain the key from a network entity.

For the fourth object above, the technical solution provided by embodiments of the present invention is user equipment UE for obtaining a media stream protection key in an IMS network, the user equipment comprising:

a transceiver unit, for sending and receiving session messages;

a parsing unit, for parsing the key out of a session message received by the transceiver unit when that message carries a key;

a key derivation unit, which, when the parsing unit has parsed out of the session message both the key generated on the calling network side and the key generated on the called network side, derives a new key from these two keys and uses the derived key as the media stream protection key.
Embodiments of the present invention also provide a method for obtaining a media stream protection key, in which the UE and the media processing function entity (MP) can obtain the key from the network side and can thereby protect the media stream transmitted between the user and the network.

For the fifth object above, the technical solution provided by embodiments of the present invention is a method for obtaining a media stream protection key in an IMS network, the method comprising the following steps:

after receiving a session message, the network entity obtains the key from the key management function entity KMF; the network entity then sends the obtained key to the terminal equipment UE and to the media processing function entity MP respectively.
Embodiments of the present invention also provide a system for a media stream protection key, in which the UE and the media processing function entity (MP) can obtain the key from the network side and can thereby protect the media stream transmitted between the user and the network.

For the sixth object above, the technical solution provided by embodiments of the present invention is a system for obtaining a media stream protection key in an IMS network, the system comprising:

terminal equipment UE, for receiving the key sent by the network entity;

a media processing function MP, for receiving the key sent by the network entity;

a network entity, for receiving session messages, obtaining the key from the key management function KMF and sending it to the UE and the MP;

a key management function KMF, for generating the key.
Embodiments of the present invention also provide a network entity that provides a media stream protection key in an IMS network, which can provide the key to the UE and the MP and thereby protect the media stream transmitted between the user and the network.

For the seventh object above, the technical solution provided by embodiments of the present invention is a network entity that provides a media stream protection key in an IMS network, the network entity comprising:

a receiving unit, for receiving session messages;

a key obtaining unit, which, when a session message is received, obtains the key from the key management function KMF, adds the key to the session message and passes it to the sending unit;

a sending unit, for sending the session message carrying the key to the UE and to the media processing function MP.

In summary, the present invention proposes a method, a system and an apparatus for obtaining a media stream protection key in an IMS network, whereby the key can be generated on the network side and delivered to the entities that need to protect the media stream, thus achieving protection of the transmitted media stream.

Brief description of the drawings
Fig. 1 is a flowchart of method embodiment 1 of the present invention;
Fig. 2a is a message flow diagram of method embodiment 2 of the present invention;
Fig. 2b is a message flow diagram of method embodiment 3 of the present invention;
Fig. 3 is a message flow diagram of method embodiment 4 of the present invention;
Fig. 4 is a schematic diagram of the basic structure of the system of the present invention in the user-to-user media stream protection case;
Fig. 5a is a schematic diagram of the basic structure of system embodiment 1 of the present invention;
Fig. 5b is a schematic diagram of the basic structure of system embodiment 2 of the present invention;
Fig. 5c is a schematic diagram of the basic structure of system embodiment 3 of the present invention;
Fig. 5d is a schematic diagram of the internal structure of the network entity in the user-to-user media stream protection case;
Fig. 5e is a schematic diagram of the internal structure of the user equipment in the user-to-user media stream protection case;
Fig. 6 is a flowchart of method embodiment 5 of the present invention;
Fig. 7 is a message flow diagram of the calling side in method embodiment 6 of the present invention;
Fig. 8 is a message flow diagram of the called side in method embodiment 6 of the present invention;
Fig. 9 is a message flow diagram of the calling side in method embodiment 7 of the present invention;
Fig. 10 is a message flow diagram of the called side in method embodiment 7 of the present invention;
Fig. 11 is a message flow diagram of the calling side in method embodiment 8 of the present invention;
Fig. 12 is a message flow diagram of the called side in method embodiment 8 of the present invention;
Fig. 13 is a message flow diagram of the calling side in method embodiment 9 of the present invention;
Fig. 14 is a message flow diagram of the called side in method embodiment 9 of the present invention;
Fig. 15 is a schematic diagram of the basic structure of the system of the present invention in the user-to-network media stream protection case;
Fig. 16 is a schematic diagram of the basic structure of system embodiment 4 of the present invention;
Fig. 17 is a schematic diagram of the basic structure of system embodiment 5 of the present invention;
Fig. 18 is a schematic diagram of the internal structure of the network entity in the user-to-network media stream protection case.

Mode for carrying out the invention
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and specific embodiments.

The basic idea of the present invention is that a network-side entity obtains the generated key and then delivers the key to the entity that needs to protect the transmitted media stream. The entity that needs to protect the transmitted media stream may be terminal equipment (UE) or a media processing function entity (MP) in the network. That is, the media stream protection key may be obtained by the calling UE and the called UE, after which the media stream transmitted between the calling UE and the called UE can be protected with that key, i.e. user-to-user protection; or the media stream protection key may be obtained by the UE and the MP on one network side, after which the media stream transmitted between the UE and the MP can likewise be protected with that key, i.e. user-to-network protection.

For the protection of user-to-user media streams and for the protection of user-to-network media streams, the present invention provides, for each case, a method and a system for obtaining the media stream protection key.
For the case of protecting the media stream transmitted from user to user, Fig. 1 is a flowchart of method embodiment 1 for obtaining the media stream protection key. As shown in Fig. 1, method embodiment 1 may include the following steps:

Step 101: the calling terminal equipment UE sends a session request message to the network entity; the network entity adds the media stream protection key to the session request message and sends it to the called UE.

In practice, the network entity comprises a calling network entity and a called network entity, and step 101 may include:

Step ax1: after receiving the session request message sent by the calling UE, the calling network entity obtains the key generated on the calling network side and sends that key to the called network entity in the session request message.

Here, the session request message is a PRACK or UPDATE message, and the calling network entity may be the calling call session control function entity S-CSCF, the calling application server AS, or an AS-KMF. If it is the calling S-CSCF or the calling AS, the way in which the calling S-CSCF or calling AS obtains the key generated on its own side may be as follows:

the calling S-CSCF or calling AS sends a key request message to the calling KMF, and the calling KMF returns the generated key to the calling S-CSCF or calling AS in a key response message.

If the calling network entity is an AS-KMF, the key on the calling network side is the key generated by the AS-KMF itself.
Step ax2: after receiving the session request message, the called network entity obtains the key generated on the called network side, adds it to the session request message, and then sends the session request message to the called UE.

Correspondingly, the called network entity here may be the called S-CSCF, the called AS or the called AS-KMF. If the called network entity is the called S-CSCF or the called AS, the way in which the called S-CSCF or called AS obtains the key generated on the called network side may be: the called S-CSCF or called AS sends a key request message to the called KMF, and the called KMF returns the generated key to the called S-CSCF or called AS in a key response message. If the called network entity is the called AS-KMF, the key generated on the called network side is the key generated by the called AS-KMF itself.

In addition, the called network entity here has obtained both the key generated on the calling network side and the key generated on its own side, and may use the calling-side key and its own side's key directly as the media stream protection key; then, after the called UE receives the session request message, the called UE derives a new key from the key generated on the calling network side and the key generated on the called side carried in the session request message, and uses the derived key as the media stream protection key.

In practice, the called network entity may also derive a new key from the key generated on the calling network side and the key generated on its own side, and use the derived key as the media stream protection key.
Step 102: the called UE returns a response message to the network entity; the network entity adds the media stream protection key to the response message and sends it to the calling UE.

Here, the session response message may be a 200 response message, and step 102 may include:

Step bx1: after receiving the session response message returned by the called UE, the called network entity carries the key generated on the called network side in the session response message and sends it to the calling network entity;

Step b2: after receiving the session response message, the calling network entity adds the key generated on the calling network side to the session response message and sends it to the calling UE.

The calling network entity here is the calling S-CSCF, the calling AS or the calling AS-KMF. The calling S-CSCF, calling AS or calling AS-KMF may use the key generated on the calling network side and the key generated on the called network side directly as the media stream protection key; after the calling UE receives the session response, the calling UE derives a new key from its own side's key and the called side's key carried in the session response message, and uses the derived key as the media stream protection key.

In practice, the calling S-CSCF, calling AS or calling AS-KMF may also derive a new key from the key generated on the calling network side and the key generated on the called network side, and use the derived key as the media stream protection key.
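The request leg (steps ax1, ax2) and the response leg (steps bx1, b2) above can be followed end to end in a small simulation. The following Python model is an added example and not code from the patent: the message and entity classes are stand-ins, the KMF is assumed to return the same key for a given call on both legs, and the derivation function (HMAC-SHA256 over the two network-side keys, bound to the call identifier) is an assumption, since the patent does not specify how the calling-side and called-side keys are combined. The point it demonstrates is that both UEs end up with the same media stream protection key without either side's KMF ever seeing the other side's key.

```python
"""Simulation of the user-to-user key flow of steps 101/102 (added example,
not the patent's code): the calling-side and called-side keys travel in the
session request and response, and each UE derives the media stream
protection key from both."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Message:
    """Stand-in for a SIP PRACK/UPDATE request or 200 response (assumed
    shape); the keys the network entities add ride in a dictionary."""
    kind: str                      # "request" or "response"
    call_id: str
    keys: dict = field(default_factory=dict)


class KMF:
    """Key management function: generates a random key per call. Assumption:
    a repeated key request for the same call returns the same key, so the
    response leg carries the key that the request leg already carried."""
    def __init__(self, side):
        self.side = side
        self.issued = {}

    def key_request(self, call_id):
        if call_id not in self.issued:
            self.issued[call_id] = secrets.token_bytes(16)
        return self.issued[call_id]


class NetworkEntity:
    """Calling or called S-CSCF/AS: obtains its own side's key from its KMF
    and adds it to the passing session message."""
    def __init__(self, side, kmf):
        self.side = side           # "calling" or "called"
        self.kmf = kmf

    def handle(self, msg):
        msg.keys[self.side] = self.kmf.key_request(msg.call_id)
        return msg


def derive_media_key(k_calling, k_called, call_id):
    """Assumed derivation: HMAC-SHA256 keyed with both network-side keys and
    bound to the call id, so neither side alone determines the result."""
    return hmac.new(k_calling + k_called, b"media-key:" + call_id.encode(),
                    hashlib.sha256).digest()


class UE:
    """Terminal equipment: parsing unit plus key derivation unit."""
    def __init__(self, name):
        self.name = name
        self.media_key = None

    def parse(self, msg):
        try:
            k_calling, k_called = msg.keys["calling"], msg.keys["called"]
        except KeyError as missing:
            raise ValueError(f"{self.name}: message lacks the {missing} key") from None
        self.media_key = derive_media_key(k_calling, k_called, msg.call_id)
        return self.media_key


def run_call(call_id="call-1"):
    """Walk the request leg (ax1, ax2) and the response leg (bx1, b2) and
    return the keys the calling UE and the called UE derived."""
    calling_ne = NetworkEntity("calling", KMF("calling"))
    called_ne = NetworkEntity("called", KMF("called"))
    caller, callee = UE("caller"), UE("callee")

    # Step 101: calling NE adds K_calling, called NE adds K_called, called UE derives.
    request = called_ne.handle(calling_ne.handle(Message("request", call_id)))
    callee.parse(request)

    # Step 102: called NE adds K_called, calling NE adds K_calling, calling UE derives.
    response = calling_ne.handle(called_ne.handle(Message("response", call_id)))
    caller.parse(response)
    return caller.media_key, callee.media_key


if __name__ == "__main__":
    k_caller, k_callee = run_call()
    print("keys match:", k_caller == k_callee, k_caller.hex())
```

The parsing step refuses a message that carries only one of the two keys, which is the failure a UE should detect if a network entity on the path did not add its key; the network entities never see the derived key, only the two inputs.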
In practice, before the calling UE and the called UE obtain the media stream protection key, the security capabilities may also be negotiated, in the following way:

the calling UE sends a session establishment request message carrying the media stream security capability information it offers to the called UE through the network entity, the session establishment request message being an INVITE request message; the called UE determines, from the media stream security capability information offered by the calling UE, the media stream security capability information it will itself provide, carries that information in a session establishment response message and returns it to the calling UE through the network entity, the session establishment response message being a 183 response message.

During the negotiation, when the calling network entity receives the INVITE request message, the method further includes: the calling network entity determines that the calling UE has subscribed to the media stream security service, adds an identifier indicating that the calling UE has subscribed to the media stream security service to the INVITE request message, and then proceeds with the step of sending the INVITE request message to the called network entity;

when the called network entity receives the INVITE request message, the method further includes: the called network entity checks that the request message carries the identifier indicating that the calling UE has subscribed to the media stream security service, then determines that the called UE has also subscribed to the media stream security service, and then proceeds with the step of sending the INVITE request message to the called UE;

when the called network entity receives the 183 response message, the method further includes: the called network entity adds an identifier indicating that the called UE has subscribed to the media stream security service to the 183 response message, and then proceeds with the step of sending the 183 response message to the calling network entity;

when the calling network entity receives the 183 response message, the method further includes: the calling network entity checks that the message carries the identifier indicating that the called UE has subscribed to the media stream security service, and then proceeds with the step of sending the 183 response message to the calling UE.
To better illustrate the scheme for obtaining the key proposed for the user-to-user media stream protection case, preferred method embodiments and system embodiments are described in detail below.

Method embodiment 2

In this embodiment, the network entity that obtains the key generated on the calling side is the calling AS, while the entity that generates the key is the calling KMF, a standalone entity; the network entity that obtains the key generated on the called side is the called AS, and the entity that generates the key is the called KMF, also a standalone entity.

A standalone KMF and the AS may use a direct interface to pass the key, for example carrying the key over a protocol such as Diameter or HTTP. A standalone KMF may also communicate with the S-CSCF over the ISC interface in the manner of an application server in the IMS network, in which case both the KMF and the AS communicate in the form of application servers.

In this embodiment it is assumed that both the calling UE and the called UE have subscribed to the media stream protection service. Fig. 2a is a message flow diagram of method embodiment 2. As shown in Fig. 2a, the method by which the calling UE and the called UE obtain the media stream protection key in method embodiment 2 may include the following steps:

Step 201: the calling UE sends a session establishment request message to the calling CSCF, the session establishment request message carrying the media stream security capability information offered by the calling UE.
The session establishment request message in this step is an INVITE message of the Session Initiation Protocol (SIP). The media stream security capability information includes a security algorithm, and may also include any one or any combination of the media type to be protected, the secure transport protocol type and the security precondition.

The security algorithm here may be an integrity algorithm or a confidentiality algorithm; the media type to be protected may be text, audio, video, etc.; the secure transport protocol type may be RTP/SAVP, RTP/SAVPF, etc.

The security precondition indicates the requirements of this session for media stream security, and may include a strength indicator for the media stream security protection expected by the initiating entity, such as mandatory, optional or none. The security precondition may also include the expected result of the security negotiation configuration and the current configuration status, such as whether negotiation is complete, whether the receive direction has completed its security configuration, or whether both receiving and sending have completed their security configuration.

In addition, the media stream security capability information of the calling UE here may be the media stream security capability information that the calling UE offers to the called UE. For example, the calling UE may support five security algorithms but choose to offer only three of them to the called UE, in which case the INVITE message need only carry the three algorithms offered. Of course, the calling UE may also offer all five supported security algorithms to the called UE; how the offered media stream security capability information is determined depends on the actual situation.

Step 202: the calling CSCF sends the session establishment request message to the calling AS.

In this step, the calling CSCF may use initial filter criteria set in advance to trigger the session establishment request message to the calling AS. How the triggering is performed belongs to the prior art and is not described further here.
Steps 203 to 205: The calling AS determines that the calling UE has subscribed to the media stream protection service, adds to the session establishment request message an indication that the calling UE has subscribed to the media stream protection service, and then sends the session establishment request message through the calling CSCF to the called CSCF.
In practice, the calling AS may determine whether the calling UE has subscribed to the media stream protection service from previously recorded subscription-related information, for example by looking up that information using the identity of the calling UE carried in the session establishment request message and deciding from it whether the calling UE has subscribed. Of course, the calling AS may also check the subscription status of the calling UE by other methods, which are not described further here.
Step 206: After receiving the session establishment request message, the called CSCF sends the session establishment request message to the called AS.
Similar to the calling side, the called CSCF here may also use pre-configured initial filter criteria to trigger the session establishment request message to the called AS.
Steps 207 to 209: The called AS finds in the session establishment request message the indication that the calling UE has subscribed to the media stream protection service, determines that the called UE has also subscribed to the media stream protection service, and then sends the session establishment request message through the called CSCF to the called UE.
The called AS may determine that the called UE has subscribed to the media stream protection service using the same method as the calling side, which is not repeated here.
Steps 210 to 211: The called UE sends a session establishment response message to the called CSCF, and the called CSCF forwards the received session establishment response message to the called AS. Here, the called UE may determine, from the media stream security capability information offered by the calling UE in the session establishment request message, the media stream security capability information that it will offer in turn, carry that information in the session establishment response message, and send it through the called CSCF to the called AS.
The session establishment response message is a 183 message. The media stream security capability information offered by the called UE may be all or part of the information that the calling UE can support. For example, the called UE determines from the received INVITE message that the calling UE can support three security algorithms; if the called UE itself supports only two of them, it may return both supported algorithms to the calling UE, or it may return only one of them.
Steps 212 to 215: The called AS adds an indication that the called UE has subscribed to the session establishment response message and sends the session establishment response message through the called CSCF and the calling CSCF to the calling AS.
Steps 216 to 218: The calling AS finds in the session establishment response message the indication that the called UE has subscribed, and sends the session establishment response message through the calling CSCF to the calling UE.
In this embodiment, steps 201 to 218 are in effect the process by which the calling UE and the called UE negotiate security capabilities: each side learns which security algorithm, secure transport protocol and other parameters the peer can support, and from that the media stream security capability information to be used for this session is determined.
During the negotiation between the calling UE and the called UE, on the calling side the calling AS also has to check whether the calling UE has subscribed and add the indication that the calling UE has subscribed to the message; on the called side the called AS likewise has to check whether the called UE has subscribed and add the indication that the called UE has subscribed to the returned response message. In practice, if the calling UE and the called UE are subscribed to the media stream protection service by default, or if media stream protection is a basic service, no user needs a subscription check. In that case the calling AS and the called AS may skip the subscription check; or one of them may check and the other not; or the subscription may be checked directly by the calling CSCF and the called CSCF. Whether the subscription is checked at all, whether one side or both check it, and whether the check is done by the CSCF or by the AS can all be decided according to the actual situation and are not discussed further here.
Similarly to the subscription check, during the negotiation between the calling UE and the called UE, if the calling UE has subscribed, the calling AS also has to add the indication that the calling UE has subscribed to the session establishment request message; if the called UE has subscribed, the called AS also has to add the indication that the called UE has subscribed to the session establishment response message. In this way each side knows the subscription status of the other and can apply different policies accordingly. In practice, however, the calling AS and the called AS need not inform the other side of the local subscription status; in that case there is no need to add the indication that the local UE has subscribed to the message, and the corresponding subscription handling in the steps above can be omitted.
Steps 219 to 220: The calling UE sends a session request message through the calling CSCF to the calling AS.
The session request message here may be a PRACK message and carries the media stream security capability information that the calling UE has determined to use for the current session.
In this step, the calling UE may determine the media stream security capability information for the current session as follows: the calling UE determines it from the media security capability information offered by the called UE. That is, the calling UE may select, from the media stream security capability information offered by the called UE, the media stream security capability information to be used for this session, including the security algorithm and possibly any one or any combination of the media type to be protected and the secure transport protocol type.
Step 221: The calling AS obtains the key K1 from the calling KMF.
In this step, when the calling AS needs to obtain the key K1 from the calling KMF, the calling AS may send a key request message to the calling KMF; the calling KMF generates the key and returns the generated key K1 to the calling AS. In addition, the calling KMF may return information such as the key identifier and the key validity period for K1 to the calling AS together with the key.
Here, when the calling AS sends the key request message to the calling KMF, it may also pass on information such as the security algorithm from the media stream security capability information that the session request message selected for this session, and the calling KMF may generate the key according to that security algorithm and related information. In practice the calling KMF may also disregard the security algorithm and other information from the session request message and simply generate a key directly. Whichever method is used, it suffices that the calling AS obtains the key from the calling KMF.
Steps 222 to 225: The calling AS adds the key K1 generated on its side to the session request message and sends it through the calling CSCF and the called CSCF to the called AS.
Step 226: The called AS obtains the key K2 from the called KMF.
Similar to step 221, the called AS may send a key request message to the called KMF; the called KMF generates the key and returns the generated key K2 to the called AS. In addition, the called KMF may return information such as the key identifier and the key validity period for K2 to the called AS together with the key.
Steps 227 to 229: The called AS derives a new key from the key K1 generated on the calling side and the key K2 generated on its own side, uses the derived key as the media stream protection key, adds the media stream protection key to the session request message and sends it through the called CSCF to the called UE.
Steps 230 to 231: The called UE sends a session response message through the called CSCF to the called AS.
The session response message here is a 200 message and may carry the media stream security capability information confirmed by the called UE. The media stream security capability information includes the security algorithm and may further include any one or any combination of the media type to be protected, the secure transport protocol type and the security precondition.
Steps 232 to 235: The called AS adds the key K2 to the session response message and sends it through the called CSCF and the calling CSCF to the calling AS.
Here, if the called KMF previously returned information such as the key identifier and key validity period for K2 to the called AS together with the key, the called AS may also add that key identifier, key validity period and similar information to the session response message.
Steps 236 to 238: The calling AS derives a new key from the key K1 generated on its own side and the key K2 generated on the called side, uses the derived key as the media stream protection key, adds the media stream protection key to the session response message, and then sends it through the calling CSCF to the calling UE.
In this embodiment, the calling side and the called side each generate a key, each derives a new key from the key generated on its own side and the key generated by the other side, and the derived key is sent as the media stream protection key to the calling UE and to the called UE respectively. Thereafter the calling UE and the called UE can use this key to protect the media streams they transmit. For example, when the calling UE needs to send a media stream to the called UE, it can protect the media stream with the derived key before transmitting it to the called UE; conversely, if the called UE needs to send a media stream to the calling UE, it can likewise protect the media stream with the derived key before transmitting it to the calling UE.
In practice, the calling AS and the called AS may also skip the derived key and use the key generated on the local side and the key generated by the other side directly as media stream protection keys. That is, the calling UE and the called UE both obtain the key K1 and the key K2; one of the keys is used to protect the media stream when sending to the peer, and the other is used to receive the protected media stream.
In this embodiment the key is derived by the calling AS and the called AS; in practice the key may instead be derived by the calling CSCF and the called CSCF respectively, or by the calling UE and the called UE respectively. The key derivation method in this embodiment may be string concatenation of the key K1 and the key K2, or using the key K1 and the key K2 as input parameters of a key generation function, and so on; the options are not enumerated one by one here.
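The flow of method embodiment two (steps 201 to 238), as an added example that is not part of the patent and not Huawei's code: the INVITE/183 capability negotiation, the standalone KMFs issuing K1 and K2 with a key identifier and validity period, and the AS-side derivation of the media stream protection key. The algorithm names, key lengths, the KMF key identifier format and the HMAC-SHA-256 key generation function are assumptions chosen for illustration; the patent only says "security algorithm" and "key generation function".

```python
"""Simulation of method embodiment two (added example, not the patent's code):
INVITE/183 capability negotiation, K1/K2 from standalone KMFs, AS-side derivation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed algorithm table (name -> key length in bytes). The patent only says
# "security algorithm"; these SRTP-style names are illustrative.
KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 16,
    "AES_256_CM_HMAC_SHA1_80": 32,
    "F8_128_HMAC_SHA1_80": 16,
}


@dataclass(frozen=True)
class IssuedKey:
    value: bytes
    kid: str          # key identifier returned by the KMF alongside the key
    lifetime_s: int   # key validity period returned by the KMF


class KMF:
    """Standalone Key Management Function (steps 221 and 226)."""

    def __init__(self, name, rng=secrets.token_bytes, lifetime_s=3600):
        self.name, self.rng, self.lifetime_s, self.seq = name, rng, lifetime_s, 0

    def issue(self, alg):
        """Generate a fresh key sized for the negotiated algorithm (assumed kid format)."""
        self.seq += 1
        return IssuedKey(self.rng(KEY_LEN[alg]), f"{self.name}:{self.seq}", self.lifetime_s)


def called_ue_answer(offered, supported):
    """183: the called UE answers with the offered algorithms it supports, in offer order."""
    return [a for a in offered if a in supported]


def calling_ue_select(answered):
    """PRACK: the calling UE settles on one algorithm from the called UE's answer."""
    if not answered:
        raise ValueError("no common security algorithm; media protection cannot be negotiated")
    return answered[0]


def derive_media_key(k1, k2, alg, method="kdf"):
    """Steps 227/236: derive the media stream protection key from K1 and K2.
    'concat' is the string-concatenation option named in the text; 'kdf' feeds
    K1||K2 to an assumed key generation function (HMAC-SHA-256 with an algorithm
    label, truncated to the algorithm's key length). Both ASes must use the same method."""
    if method == "concat":
        return k1 + k2
    label = b"ims-media-key|" + alg.encode()
    return hmac.new(k1 + k2, label, hashlib.sha256).digest()[:KEY_LEN[alg]]


def run_embodiment_two(calling_supported, offered, called_supported,
                       method="kdf", rng=secrets.token_bytes):
    """Run the signalling flow and return what each entity ends up holding."""
    calling_kmf, called_kmf = KMF("calling-KMF", rng), KMF("called-KMF", rng)
    # Steps 201-218: INVITE carries the calling UE's offer (possibly a subset of
    # what it supports), 183 carries the called UE's answer.
    invite_offer = [a for a in offered if a in calling_supported]
    answer_183 = called_ue_answer(invite_offer, called_supported)
    # Steps 219-220: PRACK carries the algorithm the calling UE picked.
    alg = calling_ue_select(answer_183)
    # Steps 221-225: the calling AS fetches K1 from its KMF and adds it to the PRACK.
    k1 = calling_kmf.issue(alg)
    prack = {"alg": alg, "K1": k1}
    # Steps 226-229: the called AS fetches K2, derives the media key, delivers it to the called UE.
    k2 = called_kmf.issue(alg)
    called_ue_key = derive_media_key(prack["K1"].value, k2.value, alg, method)
    # Steps 230-235: the 200 carries K2 (with its kid/lifetime) back to the calling AS.
    ok200 = {"alg": alg, "K2": k2}
    # Steps 236-238: the calling AS derives the same key and delivers it to the calling UE.
    calling_ue_key = derive_media_key(k1.value, ok200["K2"].value, alg, method)
    return {
        "alg": alg, "answer_183": answer_183, "k1": k1, "k2": k2,
        "calling_ue_key": calling_ue_key, "called_ue_key": called_ue_key,
    }


if __name__ == "__main__":
    r = run_embodiment_two(
        calling_supported=list(KEY_LEN),
        offered=["AES_256_CM_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_80"],
        called_supported=["AES_CM_128_HMAC_SHA1_80", "F8_128_HMAC_SHA1_80"])
    print(r["alg"], r["k1"].kid, r["k2"].kid, r["calling_ue_key"].hex())
```

Two points the simulation makes visible. First, the negotiation can fail before any key is requested: if the 183 answer is empty, `calling_ue_select` raises and no KMF is contacted, which is the behaviour a deployment needs so that a call never falls back silently to an unprotected media stream. Second, K1 rides in the PRACK and K2 in the 200 through every CSCF and AS on the path, so the confidentiality of the media stream protection key is bounded by the protection of the hop-by-hop signalling and by the trust placed in those network elements.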
In addition, the KMF in this embodiment is a standalone entity; in practice the KMF may also be a functional unit within an entity such as the AS, the CSCF or the Home Subscriber Server (HSS). Whether it is a standalone entity or a functional unit within some other entity, the method and flow are similar to this embodiment and are not enumerated here.
Method Embodiment Three
In this embodiment the KMF is integrated with the AS as a single functional entity, the AS-KMF. The network entity that delivers the key generated on the calling side is the calling AS-KMF; the network entity that delivers the key generated on the called side is the called AS-KMF. When the KMF is a standalone entity, the AS has to fetch the key from the KMF, and the specific flow is similar to embodiment two.
Figure 2b is a schematic diagram of the message flow of method embodiment three. As shown in Figure 2b, the method by which the calling UE and the called UE obtain the media stream protection key in method embodiment three may include the following steps:
Step 201': The calling UE sends a session establishment request message to the calling CSCF; the session establishment request message carries the media stream security capability information offered by the calling UE.
This step is similar to step 201 of method embodiment two and is not described again here.
Step 202': The calling CSCF sends the session establishment request message to the calling AS-KMF.
In this step the calling CSCF may use pre-configured initial filter criteria to send the session establishment request message to the calling AS-KMF.
Steps 203' to 205': The calling AS-KMF adds an indication that the calling AS-KMF supports media stream security protection to the session establishment request message, and then sends the session establishment request message through the calling CSCF to the called CSCF. In practice, the calling AS-KMF may carry this indication in a SIP message header field or in the SDP description, for example in the SDP attribute line "a=fmtp:<format> <format specific parameters>" defined in RFC 4566.
Step 206': After receiving the session establishment request message, the called CSCF sends the session establishment request message to the called AS-KMF.
Similar to the calling side, the called CSCF here may also use pre-configured initial filter criteria to send the session establishment request message to the called AS-KMF.
Steps 207' to 209': The called AS-KMF checks that the session establishment request message carries the indication that the calling AS-KMF supports media stream security protection, and then sends the session establishment request message through the called CSCF to the called UE.
Steps 210' to 211': The called UE sends a session establishment response message to the called CSCF, and the called CSCF forwards the received session establishment response message to the called AS-KMF.
Here, the called UE may determine, from the media stream security capability information offered by the calling UE in the session establishment request message, the media stream security capability information that it will offer in turn, carry it in the session establishment response message, and send it through the called CSCF to the called AS-KMF.
The session establishment response message is a 183 message. The media stream security capability information offered by the called UE is that part of the media stream security capability information offered by the calling UE in the session establishment request which the called UE supports. For example, the calling UE offers three security algorithms in the INVITE message; if the called UE itself supports only two of them, it may return both supported algorithms to the calling UE, or it may return only one of them.
Steps 212' to 215': The called AS-KMF adds an indication that the called AS-KMF supports media stream security protection to the session establishment response message, and sends the session establishment response message through the called CSCF and the calling CSCF to the calling AS-KMF.
The called AS-KMF may add the indication that it supports media stream security protection in the same way as the calling AS-KMF does.
Steps 216' to 218': The calling AS-KMF checks that the session establishment response message carries the indication that the called AS-KMF supports media stream security protection, and sends the session establishment response message through the calling CSCF to the calling UE.
In this embodiment, steps 201' to 218' are in effect the process by which the calling UE and the called UE negotiate security capabilities: each side learns which security algorithm, secure transport protocol and other parameters the peer can support, and from that the media stream security capability information to be used for this session is determined.
The calling and called AS-KMFs notify each other through these indications that they support media stream security protection so that both AS-KMFs can confirm that the calling and the called network entities are able to support media stream security, which in turn confirms that keys can be delivered later in the session.
After the called AS-KMF has checked the indication in the session establishment request message that the calling AS-KMF supports media stream security protection, it may further add to the message an indication that the called AS-KMF supports media stream security protection and send it to the called UE, so that the called UE can confirm that both the calling network and the called network support media stream security protection. Similarly, after the calling AS-KMF has checked the indication in the session establishment response message that the called AS-KMF supports media stream security protection, it may further add to the message an indication that the calling AS-KMF supports media stream security protection, so that the calling UE can confirm that both the calling network and the called network support media stream security protection. In this way the calling UE and the called UE have confirmed that the network-side entities will support media stream security protection in the remainder of the session.
Steps 219' to 220': The calling UE sends a request message through the calling CSCF to the calling AS-KMF.
The request message here may be a PRACK or an UPDATE message and carries the media stream security capability information that the calling UE has determined to use.
In this step, the calling UE may determine the media stream security capability information to use as follows: the calling UE determines it from the media security capability information offered by the called UE. That is, the calling UE selects, from the media stream security capability information offered by the called UE, the media stream security capability information actually used for this session; for example, the called UE returns two security algorithms and the calling UE selects one of them as the algorithm actually used.
Steps 221' to 224': The calling AS-KMF generates the key K1, adds it to the request message, and sends it through the calling CSCF and the called CSCF to the called AS-KMF.
In addition, the message may also include information such as the key identifier corresponding to the key K1 and the key validity period.
When the calling AS-KMF generates the key K1, it may generate the corresponding key according to the media stream security capability information in the message, for example generating a key of the length required by the algorithm in the media stream security capability information; it may also set the validity period of the key according to the key validity period in the media stream security capability information, and so on.
Steps 225' to 227': The called AS-KMF generates the key K2, adds it to the request message, and sends it through the called CSCF to the called UE.
The called AS-KMF generates the corresponding key K2 in a similar way to the calling AS-KMF.
Step 228': The called UE derives a new key K from the key K1 and the key K2 and uses the derived key K as the media stream protection key.
Steps 229' to 230': The called UE sends a response message through the called CSCF to the called AS-KMF.
The response message here is a 200 message, which carries the media stream security capability information used for this session as given in the request message.
Steps 231' to 234': The called AS-KMF adds the key K2 to the session response message and sends it through the called CSCF and the calling CSCF to the calling AS-KMF.
K2 is generated in the same way as K1. In addition, the message may also include information such as the key identifier corresponding to the key K2 and the key validity period.
Steps 235' to 237': The calling AS-KMF adds the key K1 generated on its own side to the session response message and then sends it through the calling CSCF to the calling UE.
Step 238': The calling UE derives a new key K from the key K1 and the key K2 and uses the derived key K as the media stream protection key.
In this embodiment the calling-side and called-side AS-KMFs generate the keys K1 and K2 respectively; the calling UE and the called UE then each derive the key K from K1 and K2 and use the derived key K as the media stream protection key. Thereafter the calling UE and the called UE can use this key to protect the media streams they transmit. For example, when the calling UE needs to send a media stream to the called UE, it can protect the media stream with the derived key before transmitting it to the called UE; conversely, if the called UE needs to send a media stream to the calling UE, it can likewise protect the media stream with the derived key before transmitting it to the calling UE.
In practice, the calling and called AS-KMFs may also derive the key themselves and send the derived key to the calling UE and the called UE as the media stream key; the specific derivation and delivery are similar to embodiment two. The key may also be derived by the calling CSCF and the called CSCF respectively, in a similar way.
The calling UE and the called UE may also use the key K1 and the key K2 directly as the keys protecting the media streams, without deriving a new key K. For example, the key K1 is used by the calling UE to protect the media stream it sends to the called UE, and the key K2 is used by the calling UE to decrypt the protected media stream received from the called UE.
本实施例中的衍生密钥的方法可以为:密钥 K1和密钥 K2进行字符 串连接;也可以将密钥 K1和密钥 K2作为密钥生成函数的输入参数,例 如使用哈希函数作为密钥生成函数生成密钥, 这里不——列举。 方法实施例四  The method for deriving a key in this embodiment may be: the key K1 and the key K2 are connected by a character string; the key K1 and the key K2 may also be used as input parameters of the key generation function, for example, using a hash function. The key generation function generates a key, not here - enumerated. Method embodiment four
In this embodiment, the network entity that obtains the key generated on the calling network side is the calling CSCF, and the calling KMF that generates the key is a functional unit within the calling AS; the network entity that obtains the key generated on the called side is the called CSCF, and the called KMF that generates the key is a functional unit within the called AS.
In addition, in this embodiment it is assumed that both the calling UE and the called UE have subscribed to the media stream protection service.
FIG. 3 is a schematic diagram of the message flow of this embodiment. As shown in FIG. 3, this embodiment may include the following steps:
Step 301: the calling UE sends a session establishment request message to the calling CSCF; the session establishment request message carries the media stream security capability information provided by the calling UE.
This step is the same as step 201 of embodiment two and is not described again here.
Step 302: the calling CSCF sends the session establishment request message to the calling AS. This step is the same as step 201 of embodiment two and is not described again here.
Steps 303 to 305: the calling AS determines that the calling UE has subscribed to the media stream protection service, and then sends the session establishment request message to the called CSCF via the calling CSCF.
These steps are similar to steps 203 to 205 of embodiment two, except that the calling AS does not add an indication that the calling UE has subscribed to the session establishment request message; details are not repeated here.
Step 306: after receiving the session establishment request message, the called CSCF sends it on to the called AS.
This step is the same as step 206 of embodiment two and is not described again here.
Steps 307 to 309: the called AS determines that the called UE has also subscribed to the media stream protection service, and then sends the session establishment request message to the called UE via the called CSCF.
These steps are similar to steps 207 to 209 of embodiment two, except that the called AS does not add an indication that the called UE has subscribed to the session establishment request message; details are not repeated here.
Steps 310 to 312: the called UE sends a session establishment response message to the called CSCF, and the called CSCF sends the session establishment response message to the calling UE via the calling CSCF. Here, the called UE may determine, from the media stream security capability information provided by the calling UE in the session establishment request message, the media stream security capability information it needs to provide itself, carry the chosen media stream security capability information in the session establishment response message, and send it to the calling UE via the called CSCF and the calling CSCF.
The session establishment response message here is a 183 message, and the media stream security capability information that the called UE needs to provide may be all or part of the information that the calling UE can support.
In this embodiment, steps 301 to 312 are the process by which the calling UE and the called UE negotiate security capabilities: each obtains the security algorithms, secure transport protocols and other parameters the other side can support, and thereby the media stream security capability information to be used for this session is determined.
Similar to embodiment two, in practice the calling AS and the called AS may also skip checking the subscription during the negotiation; or one of the calling AS and the called AS may check while the other does not; or the subscription may be checked directly by the calling CSCF and the called CSCF. Whether the subscription is checked at all, whether it is checked by one side or by both, and whether it is checked by the CSCF or by the AS can all be decided according to the actual situation and are not detailed here.
In addition, similar to embodiment two, the calling AS may also add an indication that the calling UE has subscribed to the media stream protection service to the session establishment request message, and the called AS may add an indication that the called UE has subscribed to the media stream protection service to the session establishment response message.
Step 313: the calling UE sends a session request message to the calling CSCF.
Step 314: the calling CSCF obtains key K1 from the calling KMF.
This step is similar to step 221 of embodiment two; the difference is that in this embodiment the calling CSCF obtains key K1 directly from the calling KMF, and it may also obtain the key identifier, key validity period and other information for key K1. Details are not repeated here.
Steps 315 to 316: the calling CSCF adds the key K1 generated on its own side to the session request message, and sends the session request message carrying key K1 to the called CSCF.
Step 317: the called CSCF obtains key K2 from the called KMF. This step is similar to step 314 and is not described again here.
Steps 318 to 319: the called CSCF derives a new key from the key K1 generated on the calling side and the key K2 generated on its own side, uses the derived key as the media stream protection key, adds the media stream protection key to the session request message and sends it to the called UE.
Step 320: the called UE returns a session response message to the called CSCF.
Similar to method embodiment two, the session response message here may also be a 200 message and may carry the media stream security capability information confirmed by the called UE. The media stream security capability includes a security algorithm, and may further include any one or any combination of the media type to be protected, the secure transport protocol type and the security precondition.
Steps 321 to 322: the called CSCF adds key K2 to the session response message, and sends the session response message carrying key K2 to the calling CSCF.
If the called KMF has also returned the key identifier, key validity period and other information for key K2 to the called CSCF beforehand, the called CSCF may also add that key identifier, key validity period and other information for key K2 to the session response message.
Steps 323 to 324: the calling CSCF derives a new key from the key K1 generated on its own side and the key K2 generated on the called side, uses the derived key as the media stream protection key, adds the media stream protection key to the session response message, and then sends it to the calling UE.
Similar to method embodiment two, in this embodiment the calling CSCF and the called CSCF may also refrain from generating a derived key and instead use the key generated on their own side and the key generated by the other side directly as the media stream protection keys; alternatively, the derived key may be generated by the calling UE and the called UE.
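As an added example that is not part of the patent text, the following Python simulation walks through steps 313 to 324 of method embodiment four: each CSCF obtains its side's key from its KMF, the keys travel inside the session request and response, and each CSCF derives K for its UE using the two derivation options named in embodiment three (string concatenation, or a hash function as key generation function), with the direct-use variant (K1 for calling-to-called media, K2 for the reverse direction) alongside. The message field names, the KMF behaviour, the 16-byte key size, the expiry check and the choice of SHA-256 are assumptions of this example.

```python
"""Simulation of method embodiment four (steps 313-324): constructed example,
not the patent's own code.  Field names, KMF behaviour and the SHA-256 KDF are
assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class KeyMaterial:
    key: bytes
    key_id: str          # key identifier (the text says the KMF may return one)
    expires_at: float    # key validity period, as absolute Unix time (assumption)


class KMF:
    """Key management function: hands out a fresh random key on each request."""

    def __init__(self, name: str, lifetime_s: int = 3600):
        self.name, self.lifetime_s, self.counter = name, lifetime_s, 0

    def request_key(self) -> KeyMaterial:
        self.counter += 1
        return KeyMaterial(secrets.token_bytes(16), f"{self.name}-{self.counter}",
                           time.time() + self.lifetime_s)


def derive_media_key(k1: bytes, k2: bytes, method: str = "hash") -> bytes:
    """K from K1 (calling side) and K2 (called side), the two options the text lists:
    'concat' is the plain string concatenation K1 || K2; 'hash' feeds K1 || K2 to a
    hash function used as key generation function.  Both CSCFs must use the same
    method and the same argument order, otherwise the two UEs end up with different
    keys.  With variable-length keys, concatenation would need length prefixes."""
    if method == "concat":
        return k1 + k2
    if method == "hash":
        return hashlib.sha256(k1 + k2).digest()
    raise ValueError(f"unknown derivation method {method!r}")


def check_fresh(key_id: str, expires_at: float) -> None:
    """Rejects a peer key whose validity period has already lapsed."""
    if expires_at <= time.time():
        raise ValueError(f"key {key_id} has expired")


class CSCF:
    """Calling or called CSCF of embodiment four: fetches its own side's key from its
    KMF, derives K, and adds keys to the session messages it forwards."""

    def __init__(self, kmf: KMF, method: str = "hash"):
        self.kmf, self.method, self.sessions = kmf, method, {}

    def calling_on_request(self, req: dict) -> dict:
        # Steps 314-316: obtain K1 and carry it (with id and validity) to the called CSCF.
        k1 = self.kmf.request_key()
        self.sessions[req["call_id"]] = k1
        return {**req, "K1": k1.key, "K1_id": k1.key_id, "K1_expires": k1.expires_at}

    def called_on_request(self, req: dict) -> dict:
        # Steps 317-319: obtain K2, derive K from K1 and K2, hand K to the called UE.
        check_fresh(req["K1_id"], req["K1_expires"])
        k2 = self.kmf.request_key()
        self.sessions[req["call_id"]] = k2
        return {"call_id": req["call_id"],
                "media_key": derive_media_key(req["K1"], k2.key, self.method)}

    def called_on_response(self, resp: dict) -> dict:
        # Steps 321-322: add K2 (with id and validity) to the session response.
        k2 = self.sessions[resp["call_id"]]
        return {**resp, "K2": k2.key, "K2_id": k2.key_id, "K2_expires": k2.expires_at}

    def calling_on_response(self, resp: dict) -> dict:
        # Steps 323-324: derive K from the stored K1 and the received K2 for the calling UE.
        check_fresh(resp["K2_id"], resp["K2_expires"])
        k1 = self.sessions[resp["call_id"]]
        return {"call_id": resp["call_id"],
                "media_key": derive_media_key(k1.key, resp["K2"], self.method)}


def run_session(method: str = "hash") -> tuple:
    """Runs steps 313-324 and returns the keys held by (calling UE, called UE)."""
    calling, called = CSCF(KMF("calling-kmf"), method), CSCF(KMF("called-kmf"), method)
    invite = {"call_id": "c1", "type": "INVITE"}          # step 313, constructed message
    called_ue_key = called.called_on_request(calling.calling_on_request(invite))["media_key"]
    ok = {"call_id": "c1", "type": "200 OK"}              # step 320, constructed message
    calling_ue_key = calling.calling_on_response(called.called_on_response(ok))["media_key"]
    return calling_ue_key, called_ue_key


def directional_keys(k1: bytes, k2: bytes) -> dict:
    """No-derivation variant: K1 protects calling->called media, K2 called->calling."""
    return {"calling": {"send": k1, "recv": k2}, "called": {"send": k2, "recv": k1}}


if __name__ == "__main__":
    a, b = run_session("hash")
    print("both UEs hold the same K:", a == b, "length:", len(a))
```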
At this point, both the calling UE and the called UE have obtained the media stream protection key and can use this key to protect the media streams they transmit.
In addition, in practice the INVITE message sent by the calling UE to the called UE may, besides the media stream security capability information provided by the calling UE, also include a media stream security mode; the security mode may be a user-to-user mode or a user-to-network mode. In this case, the calling UE first sends the INVITE message to the calling AS via the calling P-CSCF and the calling S-CSCF; when the calling AS receives the INVITE message, after checking that the calling UE has subscribed to the media stream protection service, it may also check the media stream security mode: if more than one option is given for the media stream security mode, it determines a single media stream security mode, modifies the mode in the message to the determined one, and then continues, namely: the INVITE message is sent to the called S-CSCF; the called S-CSCF sends the INVITE message to the called UE via the called AS and the called P-CSCF; the called UE sends a 183 message carrying the media stream security capability information it provides to the called P-CSCF, the called P-CSCF sends it to the called S-CSCF, and the called S-CSCF sends it to the called AS; after adding the determined media stream security mode, the called AS sends the 183 message to the called S-CSCF; the called S-CSCF sends it to the calling S-CSCF; after receiving the 183 message, the calling S-CSCF sends it to the calling AS; after checking in the 183 message the media stream security mode determined by the called network, the calling AS sends the 183 message to the calling S-CSCF; the calling S-CSCF sends it to the calling P-CSCF; the calling P-CSCF confirms the media stream security mode and forwards it to the calling UE, thereby completing the media stream security mode negotiation between the calling UE and the called UE.
For the above method by which a UE obtains the media protection key in the user-to-user media stream protection case, the present invention also provides a corresponding system for obtaining the media stream protection key.
FIG. 4 is a schematic diagram of the basic structure of the system. As shown in FIG. 4, the system includes at least:
a terminal device UE 401 which, when acting as the calling UE, is configured to send a session request message to the network entity 402 and receive a session response message carrying a key, and, when acting as the called UE, is configured to receive a session request message from the network entity and return a session response message; and
a network entity 402, configured to add a key to the session request message on receiving the session request message sent by the calling UE and send it to the called UE, and further to receive the session response message sent by the called UE, add a key to the session response message and send it to the calling UE.
In practice, when acting as the calling network entity, the network entity 402 is configured to receive the session request message sent by the calling UE, obtain the key generated on the calling network side, and send the key generated on the calling network side to the called network entity in the session request message; and to receive the session response message returned by the called network entity, add the key generated on the calling network side to the session response message, and send it to the calling UE.
Correspondingly, when acting as the called network entity, the network entity 402 is configured to receive the session request message from the calling network entity, obtain the key generated on the called network side, add it to the session request message, and send the session request message to the called UE; and to receive the session response message returned by the called UE, carry the key generated on the called network side in the session response message, and send it to the calling network entity.
In practice, UE 401 may further be configured to derive a new key from the received key generated on the calling network side and the key generated on the called network side, and use the derived key as the media stream protection key.
In practice, when acting as the calling network entity, the network entity 402 is configured to receive the session request message sent by the calling UE, obtain the key generated on the calling network side, and send the key generated on the calling network side to the called network entity in the session request message; and to receive the session response message returned by the called network entity, derive a new key from the key generated on the calling network side and the key generated on the called network side, carry it in the session response message and send it to the calling UE.
Correspondingly, when acting as the called network entity, the network entity 402 is configured to receive the session request message from the calling network entity, obtain the key generated on the called network side, derive a new key from the key generated on the calling network side and the key generated on the called network side, carry the derived key as the media stream protection key in the session request message and send it to the called UE; and to receive the session response message returned by the called UE, carry the key generated on the called network side in the session response message, and send it to the calling network entity.
In practice, if the network entity 402 is an S-CSCF or an AS, the system may further include:
a key management function entity KMF, configured to receive a key request message from the S-CSCF or AS, generate a key, and return it to the S-CSCF or AS in a key response message. That is, in this case, when the network entity 402 needs to obtain a key it can request one from the KMF, which provides the key.
If the network entity is an AS-KMF, the key obtained by the network entity is a key generated by the AS-KMF itself, and the system may further include:
an S-CSCF, configured to forward session messages between the UE and the AS-KMF. That is, when the S-CSCF forwards a session message from the UE to the AS-KMF, the AS-KMF can generate the key itself without having to obtain it from another entity.
To better explain the above system for obtaining a media stream protection key in the user-to-user media stream protection case, preferred system embodiments are described in detail below.
System embodiment one
FIG. 5a is a schematic diagram of the basic structure of system embodiment one. As shown in FIG. 5a, this system embodiment includes: UE 401, AS-KMF 402x, S-CSCF 403 and P-CSCF 404. When UE 401, S-CSCF 403, AS-KMF 402x and P-CSCF 404 are entities on the calling network side, they can perform the functions corresponding to the calling side in the above method; when UE 401, S-CSCF 403, AS-KMF 402x and P-CSCF 404 are entities on the called network side, they can perform the functions corresponding to the called side in the above method. In this embodiment, AS-KMF 402x corresponds to the network entity 402 in FIG. 4.
UE 401 is configured to send session messages to P-CSCF 404 and receive session messages carrying a key.
P-CSCF 404 is configured to forward messages between UE 401 and S-CSCF 403.
S-CSCF 403 is configured to receive session messages from P-CSCF 404 or from the S-CSCF of another network and send them to AS-KMF 402x; and further to send the session messages sent by AS-KMF 402x to P-CSCF 404 or to the S-CSCF 403 of another network.
AS-KMF 402x is configured to generate a key, add the key to a message, and send it to S-CSCF 403.
When a media stream protection key needs to be obtained, UE 401 sends a session message to S-CSCF 403 via P-CSCF 404; S-CSCF 403 sends the message to AS-KMF 402x; after adding the key to the message, AS-KMF 402x sends it to UE 401 via the called S-CSCF 403.
Of course, no distinction is made here between the calling UE and the called UE, the calling P-CSCF and the called P-CSCF, the calling S-CSCF and the called S-CSCF, or the calling AS-KMF and the called AS-KMF. In practice, the same P-CSCF 404 can act as both the calling P-CSCF and the called P-CSCF, the same S-CSCF 403 can act as both the calling S-CSCF and the called S-CSCF, and the same AS-KMF 402x can act as both the calling AS-KMF and the called AS-KMF.
In addition, P-CSCF 404 and S-CSCF 403 here merely forward session messages and play no substantive role. Of course, in an actual network there may be other entities forwarding between UE 401 and AS-KMF 402x; details are not given here.
System embodiment two
FIG. 5b is a schematic diagram of the basic structure of system embodiment two. As shown in FIG. 5b, this system embodiment includes: calling UE 401b, network entity 402b, called UE 403b, calling KMF 404b, called KMF 405b, calling P-CSCF 406b and called P-CSCF 407b.
The network entity 402b includes a calling network entity and a called network entity; the calling network entity is the calling S-CSCF 4021b, and the called network entity is the called S-CSCF 4022b.
The calling UE 401b is configured to send a session request message to the calling S-CSCF 4021b via the calling P-CSCF 406b and receive a session response message carrying the media stream protection key;
the calling S-CSCF 4021b is configured to receive the session request message from the calling P-CSCF 406b, obtain a key from the calling KMF 404b, and send the message to the called S-CSCF 4022b; and further to receive the session response message from the called S-CSCF 4022b, carry the obtained key in the response message and send it to the calling UE 401b;
the called S-CSCF 4022b is configured to receive the session request message from the calling S-CSCF 4021b, obtain a key from the called KMF 405b, carry the obtained key in the session request message and send it to the called UE 403b via the called P-CSCF 407b; and further to receive the session response message from the called UE 403b and forward it to the calling S-CSCF 4021b;
the called UE 403b is configured to receive the session request message and return a session response message;
the calling KMF 404b is configured to generate a key and return it to the calling S-CSCF 4021b;
the called KMF 405b is configured to generate a key and return it to the called S-CSCF 4022b;
the calling P-CSCF 406b is configured to forward messages between the calling UE 401b and the calling S-CSCF 4021b;
the called P-CSCF 407b is configured to forward messages between the called UE 403b and the called S-CSCF 4022b.
When a media stream protection key needs to be obtained, the calling UE 401b sends a session request message to the calling S-CSCF 4021b via the calling P-CSCF 406b; the calling S-CSCF 4021b obtains a key from the calling KMF 404b and sends the message to the called S-CSCF 4022b; the called S-CSCF 4022b obtains a key from the called KMF 405b and sends the message to the called UE 403b via the called P-CSCF 407b; the called UE 403b returns a session response message to the called S-CSCF 4022b via the called P-CSCF 407b; the called S-CSCF 4022b carries the obtained key in the session response message and sends it to the calling S-CSCF 4021b; the calling S-CSCF 4021b then returns the session response message carrying the key to the calling UE 401b via the calling P-CSCF 406b.
In practice, the system may further include a calling AS and a called AS, with the calling S-CSCF 4021b obtaining the key from the calling KMF 404b via the calling AS and the called S-CSCF 4022b obtaining the key from the called KMF 405b via the called AS.
After the key is obtained, the called AS may further be configured to derive a key from the key generated on the calling side and the key generated on its own side; alternatively, the called S-CSCF may further be configured to derive a key from the key generated on the calling side and the key generated on its own side; alternatively, the called UE may further be configured to derive a key from the key generated on the calling side and the key generated on its own side.
Correspondingly, after the key is obtained, the calling AS may further be configured to derive a key from the key generated on the called side and the key generated on its own side; alternatively, the calling S-CSCF may further be configured to derive a key from the key generated on the called side and the key generated on its own side; alternatively, the calling UE may further be configured to derive a key from the key generated on the called side and the key generated on its own side.
In practice, the calling AS and the called AS may also be used to check whether the calling UE and the called UE respectively have subscribed to the media protection service; for how the subscription is determined, see the specific methods above, which are not repeated here.
System embodiment three
FIG. 5c is a schematic diagram of the basic structure of system embodiment three. As shown in FIG. 5c, this system embodiment includes: calling UE 401c, network entity 402c, called UE 403c, calling KMF 404c, called KMF 405c, calling P-CSCF 406c and called P-CSCF 407c.
The network entity 402c includes a calling network entity and a called network entity; the calling network entity is the calling AS 5021c, and the called network entity is the called AS 5022c. The functions and structure of the entities in this system embodiment are similar to those of system embodiment two, the difference being that in this system embodiment the function of the calling AS corresponds to that of the calling S-CSCF in system embodiment two, and the function of the called AS corresponds to that of the called S-CSCF in system embodiment two.
This system embodiment may also include a calling S-CSCF 408c and a called S-CSCF 409c, which no longer have the function of obtaining keys from the KMF and are used only to forward messages.
Of course, as in system embodiment two, after the key is obtained, the called AS may further be configured to derive a key from the key generated on the calling side and the key generated on its own side; alternatively, the called S-CSCF may further be configured to derive a key from the key generated on the calling side and the key generated on its own side; alternatively, the called UE may further be configured to derive a key from the key generated on the calling side and the key generated on its own side.
Correspondingly, after the key is obtained, the calling AS may further be configured to derive a key from the key generated on the called side and the key generated on its own side; alternatively, the calling S-CSCF may further be configured to derive a key from the key generated on the called side and the key generated on its own side; alternatively, the calling UE may further be configured to derive a key from the key generated on the called side and the key generated on its own side.
The calling AS and the called AS may also be used to check whether the calling UE and the called UE respectively have subscribed to the media protection service; for how the subscription is determined, see the specific methods above, which are not repeated here.
Regardless of whether the network entity 402 is an S-CSCF, an AS or an AS-KMF, its internal structure may be as shown in FIG. 5d.
Referring to FIG. 5d, the network entity 402 includes:
a receiving unit 402m, configured to receive the session request message sent by the calling UE and to receive the session response message sent by the called UE;
a key obtaining unit 402n, configured to add a key to the session request message on receiving the session request message sent by the calling UE and send it to the called UE via the sending unit, and to add a key to the session response message on receiving the session response message sent by the called UE and send it to the calling UE via the sending unit; and
a sending unit 402s, configured to send the session request message to the called UE and to send the session response message to the calling UE.
In practice, if the network entity 402 is an S-CSCF or an AS, the key obtained by the network entity is the key provided by the KMF; if the network entity is an AS-KMF, the key is a key generated by the AS-KMF itself.
If the network entity is an AS-KMF, the key obtaining unit 402n may include:
a key generating unit 402n1, configured to generate a key and provide it to the key adding unit 402n2; and
a key adding unit 402n2, configured to add the key to the session request message on receiving the session request message sent by the calling UE and send it to the called UE via the sending unit 402s, and to add the key to the session response message on receiving the session response message sent by the called UE and send it to the calling UE via the sending unit 402s.
In practice, if the network entity merely adds the key generated by the key generating unit 402n1 to the session message, the key adding unit 402n2 can add it directly. If the network entity also needs to derive a key from the key generated by the key generating unit 402n1 and the key generated on the peer network side, it may first derive a key from the keys generated by both sides and then use the key adding unit 402n2 to add the derived key to the session message.
Figure 5e is a schematic diagram of the internal structure of the UE in an embodiment of the present invention. As shown in Figure 5e, the UE may include:
a transceiver unit 401x, configured to send and receive session messages;
a parsing unit 401y, configured to parse the key out of a session message received by the transceiver unit 401x when that message carries a key.
In practice, if the UE does not need to derive the key, the UE's parsing unit 401y obtains the key from the session message and the UE can directly encrypt or decrypt the media stream with it. If the session message received by the UE contains keys generated by both its own network side and the other party's network side, the UE may further include a key derivation unit 401z.
The key derivation unit 401z is configured to, when the parsing unit 401y parses out of the session message the key generated by the calling network side and the key generated by the called network side, derive a new key from the parsed calling-side key and called-side key, and to use the derived key as the media stream protection key.
Of course, in practice the UE also needs to include a storage unit, which may be used to store keys, for example a key parsed out of a session response message or a key derived by the key derivation unit. The UE can then protect the media stream using the key held in the storage unit.
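The parsing unit 401y and key derivation unit 401z described above, written out as an added example in Python; this is not code from the patent or from Huawei, and the header names `X-Media-Key-Calling` / `X-Media-Key-Called`, the sample message and the sample keys are constructed for the example. The derivation uses HKDF (RFC 5869) over the concatenation of the calling-side and called-side keys, which is one possible choice the patent leaves open. The point a practitioner needs from it is the ordering caveat: both UEs must feed the two keys into the derivation in the same fixed order (calling side first here), otherwise they end up with different media stream protection keys even though they received the same two inputs.

```python
import hashlib
import hmac
import re

HASH = hashlib.sha256

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated."""
    okm, t, i = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        okm += t
        i += 1
    return okm[:length]

def derive_media_key(calling_key: bytes, called_key: bytes,
                     session_id: str, length: int = 16) -> bytes:
    """Key derivation unit 401z: combine the calling-side and called-side keys
    into one media stream protection key. The session id is mixed in as salt so
    the same pair of network keys never yields the same media key for two calls.
    Order is fixed (calling || called); both UEs must use the same convention."""
    prk = hkdf_extract(salt=session_id.encode(), ikm=calling_key + called_key)
    return hkdf_expand(prk, info=b"ims-media-stream-protection-key", length=length)

def parse_keys(session_message: str) -> dict:
    """Parsing unit 401y: extract hex-encoded keys from a session message.
    The X-Media-Key-* header names are constructed for this example."""
    keys = {}
    for side in ("calling", "called"):
        pattern = rf"^X-Media-Key-{side.capitalize()}:\s*([0-9a-fA-F]+)\s*$"
        m = re.search(pattern, session_message, re.M)
        if m:
            keys[side] = bytes.fromhex(m.group(1))
    return keys

def media_key_from_message(session_message: str, session_id: str) -> bytes:
    """If both network-side keys are present, derive; if only one is present it is
    used directly (no derivation needed); if none, the message is unusable."""
    keys = parse_keys(session_message)
    if "calling" in keys and "called" in keys:
        return derive_media_key(keys["calling"], keys["called"], session_id)
    if len(keys) == 1:
        return next(iter(keys.values()))
    raise ValueError("session message carries no media key")

# Constructed sample inputs (not real key material).
CALLING_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CALLED_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SESSION_ID = "call-1@example.invalid"
SAMPLE_200 = (
    "SIP/2.0 200 OK\r\n"
    f"Call-ID: {SESSION_ID}\r\n"
    f"X-Media-Key-Calling: {CALLING_KEY.hex()}\r\n"
    f"X-Media-Key-Called: {CALLED_KEY.hex()}\r\n"
    "\r\n"
)
SAMPLE_200_ONE_KEY = (
    "SIP/2.0 200 OK\r\n"
    f"Call-ID: {SESSION_ID}\r\n"
    f"X-Media-Key-Calling: {CALLING_KEY.hex()}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("derived:", media_key_from_message(SAMPLE_200, SESSION_ID).hex())
    print("direct: ", media_key_from_message(SAMPLE_200_ONE_KEY, SESSION_ID).hex())
```

Running the block prints the derived key for the two-key message and the raw calling-side key for the one-key message. Swapping the argument order in `derive_media_key` produces a different key, which is exactly the failure a deployment sees when the calling UE and called UE disagree on the concatenation order.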
By applying the solutions of the above method embodiments and system embodiments, a key can be generated on the network side and sent to the calling UE and the called UE respectively, and the calling UE and the called UE can then protect the transmitted media stream with the obtained key. In addition, because the key is generated on the network side, the practical requirement for lawful interception by a third party can be met.
The above method embodiments and system embodiments are all examples of user-to-user media stream protection: after the calling UE and the called UE obtain the key, the media stream transmitted between the two UEs can be protected over the whole path. In practice, however, the media stream transmitted between two users need not be protected over the whole path; only one segment of it may be protected, i.e. the user-to-network part is protected while the network-to-network part is transmitted in the clear or protected by the security mechanisms of the network domain, which are not described further here.
For the case of protecting the media stream transmitted between the user and the network, Figure 6 is a flowchart of an embodiment of a method for obtaining a media protection key, i.e. a flowchart of Method Embodiment 4 of the present invention.
As shown in Figure 6, Method Embodiment 5 may include the following steps:
Step 601: After receiving a session message, the network entity obtains a key from the key management function entity (KMF).
Step 602: The network entity sends the obtained key to the terminal device (UE) and to the media processing function entity (MP), respectively.
The network entity described here may be an S-CSCF or an AS. Taking the case where the network entity is an S-CSCF as an example:
On the calling side, the network entity described here may be the calling S-CSCF, the UE is the calling UE, the MP is the calling MP, and the KMF is the calling KMF. Correspondingly, on the called side, the network entity described here may be the called S-CSCF, the UE is the called UE, the MP is the called MP, and the KMF is the called KMF. That is, after receiving a session message, the calling S-CSCF obtains a key from the calling KMF and then sends the obtained key to the calling UE and the calling MP respectively; after receiving a session message, the called S-CSCF obtains a key from the called KMF and then sends the obtained key to the called UE and the called MP respectively.
Of course, how the calling/called S-CSCF sends the key to the calling/called UE and the calling/called MP depends on the specific call flow.
For example:
When the session message received by the calling S-CSCF is a 200 message, the calling S-CSCF carries the key in the 200 message sent to the calling P-CSCF; the calling P-CSCF then sends the 200 message carrying the key to the calling UE and delivers the key to the calling MP. Or,
When the session message received by the calling S-CSCF is a PRACK message or an UPDATE message, the calling S-CSCF carries the key in the PRACK or UPDATE message sent to the calling AS, and the calling AS delivers the key to the calling MP; at the same time, when the calling S-CSCF receives the returned 200 message, it carries the key in the 200 message sent to the calling UE. Or,
When the called S-CSCF receives a PRACK message or an UPDATE message, it carries the obtained key in the PRACK or UPDATE message sent to the called P-CSCF, and the called P-CSCF sends the PRACK or UPDATE message carrying the key to the called UE. Or,
When the session message received by the called S-CSCF is a PRACK message or an UPDATE message, the called S-CSCF carries the obtained key in the PRACK or UPDATE message sent to the called UE; at the same time, when the called S-CSCF receives the returned 200 message, it carries the key in the 200 message sent to the called AS, and the called AS delivers the key to the called MP.
Taking the case where the network entity is an AS as an example:
On the calling side, the network entity is the calling AS, the UE is the calling UE, the MP is the calling MP, and the KMF is the calling KMF; correspondingly, on the called side, the network entity is the called AS, the UE is the called UE, the MP is the called MP, and the KMF is the called KMF. That is, when the calling AS receives a session message, it obtains a key from the calling KMF and then sends the obtained key to the calling UE and the calling MP respectively; after receiving a session message, the called AS obtains a key from the called KMF and then sends the obtained key to the called UE and the called MP respectively.
Of course, how the calling/called S-CSCF sends the key to the calling/called UE and the calling/called MP depends on the specific call flow.
For example, when the calling AS receives a 200 message, it carries the obtained key in the 200 message sent through the calling S-CSCF to the calling P-CSCF; the calling P-CSCF then sends the 200 message carrying the key to the calling UE and at the same time delivers the key to the calling MP. Or,
When the session message received by the calling AS is a 200 message, the calling AS delivers the obtained key directly to the calling MP and at the same time carries the key in the 200 message, which is sent to the calling UE through the called S-CSCF and the called P-CSCF. Or,
When the session message received by the called AS is a PRACK message or an UPDATE message, the called AS carries the key in the PRACK or UPDATE message sent through the called S-CSCF to the called P-CSCF; the called P-CSCF then sends the PRACK or UPDATE message carrying the key to the called UE and at the same time delivers the key to the called MP. Or,
When the session message received by the called AS is a PRACK message or an UPDATE message, the called AS delivers the obtained key directly to the called MP and at the same time carries the key in the PRACK or UPDATE message, which is sent to the called UE through the called S-CSCF and the called P-CSCF.
In practice, before the UE and the MP obtain the key, the UE and the network entity may also negotiate security capabilities, i.e.:
The calling UE sends an INVITE session establishment request message to the calling AS or the calling P-CSCF, the INVITE request message carrying the media stream security capability information provided by the calling UE; the calling AS or the calling P-CSCF then returns to the calling UE a 183 response message carrying the media stream security capability information supported by the calling MP, as provided by its own side. And,
After the called AS or the called P-CSCF receives the INVITE session establishment request message, it sends to the called UE an INVITE session establishment request message carrying the media stream security capability information supported by the called MP, as provided by its own side; the called UE then returns to the called AS or the called P-CSCF a 183 session response message carrying the media stream security capability information it provides.
In addition, the MP here may be a separate functional entity, or a functional unit of a functional entity such as a GPRS gateway support node (GGSN) or a border gateway function entity (BGF); the MP may also be a media resource function entity (MRF), and the MRF may consist of a media resource control function entity (MRFC) and a media resource processing function entity (MRFP).
The KMF here may be a separate device, or a functional module in an AS, S-CSCF or HSS. ...a key delivery request message, which carries the key to be delivered and may also include parameters such as the key's validity period; the MP returns a response message. The request and response messages here may be carried using the Diameter protocol or the H.248 protocol.
In addition, the media stream security protection of the calling network side and the called network side here may be independent or not independent. That is, the calling network side entity adds, to the request message sent to the called side network entity, an identifier requiring the called side network to provide the media stream security service; when the called side network entity detects the identifier, it provides the user-to-network media stream security protection service for the called UE, so that user-to-network media stream security protection can be performed both between the calling UE and the calling network entity and between the called UE and the called network entity.
To better explain the key obtaining scheme proposed for the user-to-network media stream protection case, several preferred embodiments and system embodiments are described in detail below.
Method Embodiment 6
In this embodiment, the network entity that obtains the key generated on the calling side is the calling AS, and the entity that generates the key is the calling KMF, which is an independent entity; the network entity that obtains the key generated on the called side is the called AS, and the entity that generates the key is the called KMF, also an independent entity.
Figure 7 is a schematic diagram of the message flow of the method by which the calling side obtains the media stream protection key in this embodiment. As shown in Figure 7, the method may include the following steps:
Step 701: The calling UE sends a session establishment request message to the calling P-CSCF, the session establishment request message carrying the media stream security capability information provided by the calling UE.
Step 702: The calling P-CSCF forwards the session establishment request message to the calling S-CSCF.
The calling P-CSCF may carry the media stream security capability information supported by the calling MP, as provided by itself, in the session establishment request message sent to the calling S-CSCF; the calling P-CSCF may also delete the media stream security capability information from the session establishment request message before sending it to the calling S-CSCF.
The session establishment request message in this step is an INVITE message. The media stream security capability information includes a security algorithm, and may also include any combination of one or more of: the media type to be protected, the secure transport protocol type, and the security precondition.
The security algorithm here may be an integrity algorithm or a confidentiality algorithm; the media type to be protected may be text, audio, video and so on; the secure transport protocol type may be RTP/SAVP, RTP/SAVPF, etc.
The security precondition is used to indicate the media stream security requirements of this session, and may include a strength identifier for the media stream security protection expected by the first entity, for example mandatory, optional, or none. The security precondition may also include the expected result of the security negotiation configuration and the current configuration status, for example: whether negotiation is complete, whether security configuration is complete in the receive direction, whether security configuration is complete in both the receive and send directions, etc.
In addition, the media stream security capability information of the calling UE here may be the media stream security capability information the calling UE offers to the called UE. For example, the calling UE may support 5 security algorithms but choose to offer only 3 of them to the called UE; the INVITE message then needs to carry only the 3 offered security algorithms. Of course, the calling UE may also offer all 5 supported security algorithms to the called UE; how the offered media stream security capability information is determined depends on the actual situation.
Step 703: The calling S-CSCF sends the session establishment request message to the calling AS.
In this step, the calling S-CSCF may use pre-configured initial filter criteria to trigger the session establishment request message to the calling AS. How the triggering is done belongs to the prior art and is not described here.
Steps 704 to 706: The calling AS determines that the calling UE has subscribed to the media stream protection service, and then sends the session establishment request message through the calling S-CSCF to the called network.
In practice, the calling AS may determine whether the calling UE has subscribed to the media stream protection service from previously recorded subscription-related information, for example by querying the subscription-related information using the identity of the calling UE carried in the session establishment request message and determining from that information whether the calling UE has subscribed. Of course, the calling AS may also check the calling UE's subscription status by other methods, which are not described here.
In addition, when the calling AS determines that the calling UE has subscribed to the media stream protection service, it may also add to the session establishment request message an identifier indicating that the calling UE has subscribed to the media stream protection service. Of course, since this embodiment is proposed for protecting the media stream transmitted between the terminal and the network, the identifier indicating that the calling UE has subscribed to the media stream protection service need not be added. Here the S-CSCF may also check the subscription itself instead of going to the AS for the subscription check, or the subscription check may be omitted altogether.
Here the calling AS may delete the media stream security capability set from the INVITE message, or it may leave it in place and send the INVITE message carrying the calling side's media stream security capability set directly to the called S-CSCF, so that the called S-CSCF or the called AS can refer to this media stream security capability information when negotiating media stream security capabilities.
Steps 707 to 710: After receiving the session establishment response message returned from the called network, the calling S-CSCF forwards the session establishment response message to the calling AS, and after receiving the session establishment response message returned from the calling AS, sends it on to the calling P-CSCF.
The session establishment response message here is a 183 message.
Step 711: The calling P-CSCF carries the media stream security capability information supported by the calling MP, as provided by itself, in the session establishment response message and returns it to the calling UE.
The media stream security capability information supported by the calling MP that the calling P-CSCF provides is all or part of the information that the calling UE can support. The P-CSCF may obtain the media stream security capability information supported by the MP through configuration or by querying the calling MP; other ways of obtaining it are not described here.
In this embodiment, steps 701 to 711 are in fact a process in which the calling UE negotiates security capabilities with the calling P-CSCF and MP, each side obtaining parameters such as the security algorithms and secure transport protocols the other side can support, so as to determine the media stream security capability information used for this session.
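The capability negotiation of steps 701 to 711, as an added example in Python that is not part of the patent or of any 3GPP specification. It models the three pieces the text names (security algorithm, media type, secure transport protocol type) plus the `mandatory` / `optional` / `none` precondition, shows the P-CSCF returning in the 183 only the MP capabilities the UE offered (step 711), and shows the UE then fixing the capability information for the session. The algorithm names are the SRTP crypto-suite identifiers from RFC 4568 and the transport names are those the text lists; the preference ordering and the `NegotiationError` exception are assumptions of the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

MANDATORY, OPTIONAL, NONE = "mandatory", "optional", "none"

@dataclass(frozen=True)
class SecurityCapability:
    """Media stream security capability information: algorithms, media types to
    protect, secure transport protocol types, and the security precondition."""
    algorithms: FrozenSet[str]
    media_types: FrozenSet[str]
    transports: FrozenSet[str]
    precondition: str = OPTIONAL

@dataclass(frozen=True)
class SessionSecurity:
    """What the UE settles on for this session. protected=False means the
    session proceeds with plain RTP (only allowed when precondition != mandatory)."""
    protected: bool
    algorithm: Optional[str] = None
    media_types: FrozenSet[str] = frozenset()
    transport: Optional[str] = None

class NegotiationError(Exception):
    """Raised when the precondition is mandatory and no common capability exists."""

def p_cscf_answer(ue_offer: SecurityCapability, mp_supported: SecurityCapability) -> SecurityCapability:
    """Step 711: the P-CSCF returns the MP-supported capabilities restricted to
    those the UE offered (the text: 'all or part of what the calling UE can support')."""
    return SecurityCapability(
        algorithms=ue_offer.algorithms & mp_supported.algorithms,
        media_types=ue_offer.media_types & mp_supported.media_types,
        transports=ue_offer.transports & mp_supported.transports,
        precondition=ue_offer.precondition,
    )

def ue_select(ue_offer: SecurityCapability, answer: SecurityCapability,
              preference: List[str]) -> SessionSecurity:
    """The UE fixes the session's capability information from the 183 answer.
    'preference' is the UE's ordered algorithm preference (assumption of this example).
    Precondition: none -> no protection; optional -> fall back to unprotected if the
    answer is empty; mandatory -> fail the negotiation instead of falling back."""
    if ue_offer.precondition == NONE:
        return SessionSecurity(protected=False)
    if not (answer.algorithms and answer.media_types and answer.transports):
        if ue_offer.precondition == MANDATORY:
            raise NegotiationError("no common media stream security capability")
        return SessionSecurity(protected=False)
    def rank(alg: str) -> int:
        return preference.index(alg) if alg in preference else len(preference)
    # sorted() twice: alphabetical first so ties are deterministic, then by preference
    algorithm = sorted(sorted(answer.algorithms), key=rank)[0]
    # RTP/SAVPF (with RTCP feedback) preferred over RTP/SAVP when both are common
    transport = "RTP/SAVPF" if "RTP/SAVPF" in answer.transports else sorted(answer.transports)[0]
    return SessionSecurity(True, algorithm, answer.media_types, transport)

def negotiate(ue_offer: SecurityCapability, mp_supported: SecurityCapability,
              preference: List[str]) -> SessionSecurity:
    """Steps 701 and 711 collapsed: offer, answer, select."""
    return ue_select(ue_offer, p_cscf_answer(ue_offer, mp_supported), preference)

# Constructed sample capabilities. The UE supports five suites but, as the text
# allows, offers only three of them; the MP supports two, one of them in common.
UE_SUPPORTED = ["AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32",
                "F8_128_HMAC_SHA1_80", "AES_256_CM_HMAC_SHA1_80", "NULL_HMAC_SHA1_80"]
UE_OFFER = SecurityCapability(
    algorithms=frozenset(UE_SUPPORTED[:3]),
    media_types=frozenset({"audio", "video"}),
    transports=frozenset({"RTP/SAVP", "RTP/SAVPF"}),
    precondition=MANDATORY,
)
MP_SUPPORTED = SecurityCapability(
    algorithms=frozenset({"AES_CM_128_HMAC_SHA1_80", "AES_256_CM_HMAC_SHA1_80"}),
    media_types=frozenset({"audio", "video", "text"}),
    transports=frozenset({"RTP/SAVP"}),
)
MP_NO_OVERLAP = SecurityCapability(
    algorithms=frozenset({"NULL_HMAC_SHA1_80"}),
    media_types=frozenset({"audio"}),
    transports=frozenset({"RTP/SAVP"}),
)

if __name__ == "__main__":
    print(negotiate(UE_OFFER, MP_SUPPORTED, UE_SUPPORTED))
```

Note what the `MP_NO_OVERLAP` case illustrates: with a `mandatory` precondition the UE refuses to continue unprotected, which is the behaviour a deployment wants when an intermediary has stripped the capability set from the INVITE (the text allows the P-CSCF or AS to delete it); with `optional` the same offer silently degrades to plain RTP.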
Steps 712 to 717: The calling UE sends a session message through the calling P-CSCF to the calling S-CSCF; the calling S-CSCF sends the session message to the calling AS; the calling AS deletes the media stream security capability information provided by the calling UE and returns the session message to the calling S-CSCF; and the calling S-CSCF sends the returned session message to the called network.
Of course, the calling AS here may also leave in place the media stream security capability information negotiated between the calling UE and the P-CSCF; and the calling P-CSCF here may also delete the media stream security capability set from the request message, in which case the calling AS cannot obtain the media stream security capability set and the subsequent key request by the AS need not refer to the media stream security capability set.
The session message here is a PRACK message. In practice, when the calling UE receives the session establishment response message, it may also determine the media stream security capability information for the current session from the media stream security capability information supported by the calling MP that the P-CSCF provided, and carry the media stream security capability information for the current session in the session request message.
Steps 718 to 719: The calling S-CSCF receives the session response message returned by the called network and forwards it to the calling AS.
The session response message here is a 200 message.
Steps 720 to 721: The calling AS obtains a key from the calling KMF and carries the obtained key in the session response message sent to the calling S-CSCF.
In practice, the calling AS may send a key request message to the calling KMF; the calling KMF generates a key and returns it to the calling AS; and the calling AS then carries the obtained key in the session response message, i.e. the 200 message, sent to the calling S-CSCF. The messages exchanged between the calling AS and the calling KMF may use the Diameter protocol or the SIP protocol.
In practice, the calling KMF may also send information such as the key's validity period and key identifier to the calling AS together with the key.
In practice, if in step 717 the calling UE determined the media stream security capability information for the current session and carried it in the session request message, then when the calling AS receives that media stream security capability information for the current session, it can obtain the key from the calling KMF according to the media stream security capability information for the current session carried in the session request message. Of course, in practice the calling AS may also obtain the key directly from the calling KMF without reference to the session request message.
Steps 722 to 724: The calling S-CSCF sends the session response message to the calling P-CSCF; the calling P-CSCF sends the session response message on to the calling UE and delivers the key carried in the session response message to the calling MP.
In practice, the calling P-CSCF may first send the session response message to the calling UE and then deliver the key carried in the session response message to the calling MP; or it may first deliver the key carried in the session response message to the calling MP and then send the session response message to the calling UE. In addition, the calling P-CSCF here may also store the key and other information to be delivered to the MP first, and send them to the MP only after receiving the UPDATE message sent by the calling UE or the 200 message sent by the called UE.
At this point both the calling UE and the calling MP have obtained the key and can use it to protect the media stream. Of course, in practice the calling UE still needs to carry out the subsequent call flow, for example sending an UPDATE message through the calling P-CSCF and the calling S-CSCF to the called network and receiving the returned 200 message. For the details of the subsequent call flow, see the prior art; they are not repeated here. An UPDATE message and the returned 200 message may also be used here instead of the PRACK message and 200 message used above; the specifics are similar and are not repeated here.
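Steps 718 to 724 on the calling side, as an added Python model that is not code from the patent or from Huawei. Each entity is a small class; the S-CSCF is left out because in these steps it only forwards. The model includes the two variations the text describes: the KMF returning a key identifier and validity period alongside the key, and the P-CSCF either delivering the key to the MP immediately or holding it until the UE's UPDATE arrives. The `X-Media-Key*` header names and the key-id format are constructed for the example; the MP's refusal to hand out an expired key is the example's own reading of what a validity period is for.

```python
import os
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class IssuedKey:
    key: bytes
    key_id: str
    expires_at: float   # validity period, sent with the key as the text allows

@dataclass
class SipMessage:
    """Minimal stand-in for a SIP message: kind ('200' or 'UPDATE'), Call-ID,
    and a header dict. Constructed for this example."""
    kind: str
    call_id: str
    headers: Dict[str, str] = field(default_factory=dict)

class CallingKMF:
    """Generates a fresh random key per request and records it under a key id."""
    def __init__(self) -> None:
        self._issued: Dict[str, IssuedKey] = {}
    def request_key(self, call_id: str, lifetime_s: float) -> IssuedKey:
        k = IssuedKey(os.urandom(16), f"{call_id}#{len(self._issued) + 1}",
                      time.time() + lifetime_s)
        self._issued[k.key_id] = k
        return k

class CallingAS:
    """Steps 720-721: fetch the key from the KMF and carry it in the 200."""
    def __init__(self, kmf: CallingKMF, lifetime_s: float) -> None:
        self.kmf, self.lifetime_s = kmf, lifetime_s
    def on_200(self, msg: SipMessage) -> SipMessage:
        k = self.kmf.request_key(msg.call_id, self.lifetime_s)
        msg.headers["X-Media-Key"] = k.key.hex()
        msg.headers["X-Media-Key-Id"] = k.key_id
        msg.headers["X-Media-Key-Expires"] = repr(k.expires_at)
        return msg

class CallingMP:
    """Holds one key per call and refuses to use it past its validity period."""
    def __init__(self) -> None:
        self.keys: Dict[str, IssuedKey] = {}
    def deliver(self, call_id: str, issued: IssuedKey) -> None:
        self.keys[call_id] = issued
    def key_for(self, call_id: str) -> Optional[bytes]:
        k = self.keys.get(call_id)
        if k is None or time.time() >= k.expires_at:
            return None
        return k.key

class CallingPCSCF:
    """Steps 722-724: forward the 200 to the UE; deliver the key to the MP now,
    or hold it until the UE's UPDATE if defer_until_update is set."""
    def __init__(self, mp: CallingMP, defer_until_update: bool = False) -> None:
        self.mp, self.defer = mp, defer_until_update
        self.pending: Dict[str, IssuedKey] = {}
    def on_200(self, msg: SipMessage) -> SipMessage:
        issued = IssuedKey(bytes.fromhex(msg.headers["X-Media-Key"]),
                           msg.headers["X-Media-Key-Id"],
                           float(msg.headers["X-Media-Key-Expires"]))
        if self.defer:
            self.pending[msg.call_id] = issued
        else:
            self.mp.deliver(msg.call_id, issued)
        return msg   # forwarded unchanged to the calling UE
    def on_update(self, msg: SipMessage) -> SipMessage:
        issued = self.pending.pop(msg.call_id, None)
        if issued is not None:
            self.mp.deliver(msg.call_id, issued)
        return msg

class CallingUE:
    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
    def on_200(self, msg: SipMessage) -> None:
        self.keys[msg.call_id] = bytes.fromhex(msg.headers["X-Media-Key"])

def run_calling_side(defer_until_update: bool = False, lifetime_s: float = 3600.0) -> dict:
    """Drive the flow once and report who holds the key before and after UPDATE."""
    kmf, mp = CallingKMF(), CallingMP()
    as_, pcscf, ue = CallingAS(kmf, lifetime_s), CallingPCSCF(mp, defer_until_update), CallingUE()
    call_id = "call-1@example.invalid"
    msg200 = as_.on_200(SipMessage("200", call_id))   # 200 arrives via S-CSCF (718-719)
    ue.on_200(pcscf.on_200(msg200))                   # S-CSCF forwards; P-CSCF acts (722-724)
    before = mp.key_for(call_id)
    pcscf.on_update(SipMessage("UPDATE", call_id))    # UE's subsequent UPDATE
    after = mp.key_for(call_id)
    return {"ue": ue.keys[call_id], "mp_before_update": before, "mp_after_update": after}

if __name__ == "__main__":
    print(run_calling_side(defer_until_update=True))
```

In the deferred mode the MP has no key until the UPDATE, so any media that arrives in that window cannot be protected on the network side; whether that gap is acceptable is a deployment decision the text leaves to the call flow.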
In this embodiment, Figure 7 is a schematic diagram of the message flow by which the calling UE and the calling MP obtain the media stream protection key. In practice, the called side may choose not to allocate a media stream protection key to the called UE and the called MP and instead carry out the existing ordinary call flow; the called side may also allocate a key to the called UE and the called MP. That is, the key allocation processes on the calling side and the called side are independent of each other: a key may be allocated on only one side while the other side follows the existing ordinary call flow, or keys may be allocated on both sides.
For the case where the called side allocates a key to the called UE and the called MP, a method similar to that of the calling side may be used. Figure 8 is a schematic diagram of the message flow of the method by which the called side obtains the media stream protection key. As shown in Figure 8, the method may include the following steps:
Steps 801 to 802: The called S-CSCF receives the session establishment request message from the calling network and forwards it to the called AS.
The session establishment request message here may be an INVITE message.
Similar to step 702, the called S-CSCF may use pre-configured initial filter criteria to trigger the session establishment request message to the called AS. How the triggering is done belongs to the prior art and is not described here.
Steps 803 to 805: The called AS determines that the called UE has subscribed, and then sends the session establishment request message through the called S-CSCF to the called P-CSCF.
The called AS may also omit the process of determining that the called UE has subscribed.
Step 806: The called P-CSCF adds the media stream security capability information supported by the called MP, as provided by itself, to the session establishment message and sends it to the called UE.
Step 807: The called UE returns a session establishment response message to the called P-CSCF, the session establishment response message carrying the media stream security capability information provided by the called UE.
The session establishment response message here is a 183 message. When the called UE receives the session establishment request message, it may determine the media stream security capability information to offer from the media stream security capability information supported by the called MP, as provided by the called P-CSCF in the message, and from the media stream security capability information it can itself support. Here the called P-CSCF also determines the media stream security capability information to be used for this session and adds the confirmed media stream security capability information to the 183 response message.
Steps 808 to 809: The called P-CSCF sends the session establishment response message to the called S-CSCF, and the called S-CSCF forwards the session establishment response message to the called AS.
这里, 当被叫 P-CSCF接收到会话建立响应消息时, 还可以从会话 建立响应消息中携带的媒体流安全能力信息中确定用于当前会话的媒 体流安全能力信息, 并携带于会话建立响应消息中。 当然, 这里被叫 P-CSCF也可以删除响应消息中的媒体流安全能力集,这样被叫 AS就不 能获得媒体流安全能力集, 后续的 AS请求密钥的过程也就不需要参考 媒体流安全能力集来申请。  Here, when the called P-CSCF receives the session establishment response message, the media stream security capability information for the current session may be determined from the media stream security capability information carried in the session establishment response message, and carried in the session establishment response. In the message. Of course, the called P-CSCF can also delete the media stream security capability set in the response message, so that the called AS cannot obtain the media stream security capability set, and the subsequent AS request key process does not need to refer to the media stream security. Ability set to apply.
步骤 810〜步骤 812:被叫 AS删除会话建立响应消息中的媒体流安 全能力信息,再通过被叫 S-CSCF将会话建立响应消息发送给主叫网络。  Step 810 to step 812: The called AS deletes the media stream security capability information in the session establishment response message, and then sends the session establishment response message to the calling network through the called S-CSCF.
当然, 这里被叫 AS也可以不删除媒体流安全能力信息。  Of course, the called AS here may also not delete the media stream security capability information.
步骤 813〜步骤 814: 被叫 S-CSCF接收来自主叫网络的会话消息, 并将所述会话消息转发给被叫 AS。  Step 813 to step 814: The called S-CSCF receives the session message from the calling network, and forwards the session message to the called AS.
这里所述会话消息为 PRACK消息。  The session message described here is a PRACK message.
步骤 815 ~步骤 816: 被叫 AS从被叫 KMF中获取密钥, 并将获取 的密钥添加到会话消息中, 再发送给被叫 S-CSCF。  Step 815 ~ Step 816: The called AS obtains the key from the called KMF, adds the obtained key to the session message, and sends it to the called S-CSCF.
与本实施例图 7中步骤 720 ~步骤 721相似,当需要从被叫 KMF中 获取密钥时,被叫 AS也可以向被叫 KMF发送密钥请求消息,被叫 KMF 生成密钥并返回给被叫 AS,被叫 AS再将获取的密钥携带于会话请求消 息, 即 PRACK消息中发送给被叫 S-CSCF。 被叫 AS和被叫 KMF之间 交互的消息可以采用 Diameter协议或者 SIP协议。  Similar to steps 720 to 721 of FIG. 7 in this embodiment, when the key needs to be obtained from the called KMF, the called AS can also send a key request message to the called KMF, and the called KMF generates a key and returns it to The called AS, the called AS carries the acquired key in the session request message, that is, the PRACK message is sent to the called S-CSCF. The message exchanged between the called AS and the called KMF can use the Diameter protocol or the SIP protocol.
相似地, 被叫 KMF也可以将针对密钥的密钥有效期、 密钥标识等 信息一并发送给被叫 AS。  Similarly, the called KMF can also send information such as the key validity period and key identification of the key to the called AS.
步骤 817 ~步骤 819:被叫 S-CSCF将会话消息发送给被叫 P-CSCF, 被叫 P-CSCF再将所述会话消息发送给被叫 UE,并将所述会话消息中的 密钥下发给被叫 MP。 Steps 817 to 819: The called S-CSCF sends a session message to the called P-CSCF, and the called P-CSCF sends the session message to the called UE, and the session message is The key is sent to the called MP.
当然, 如果会话消息还携带有针对密钥的密钥有效期、 密钥标识等 信息, 那么, 被叫 P-CSCF还需要将所述密钥有效期、 密钥标识等信息 一并下发给被叫 MP。 当然, 被叫 P-CSCF也还可以将会话消息中媒体 流安全能力信息, 如: 媒体类型、 安全传输方式等信息一并下发给被叫 MP。  Of course, if the session message also carries information such as the key validity period and the key identifier of the key, the called P-CSCF also needs to send the key validity period, the key identifier, and the like to the called party. MP. Of course, the called P-CSCF can also send the media stream security capability information in the session message, such as the media type and the secure transmission mode, to the called MP.
另外, 这里被叫 P-CSCF也可以先保存需要下发给被叫 MP的密钥 等信息, 等收到被叫 S-CSCF发送的 UPDATE消息或者被叫 UE的 200 消息后再发送给 MP。  In addition, the called P-CSCF may also save the information such as the key to be sent to the called MP, and then send the UPDATE message sent by the called S-CSCF or the 200 message of the called UE to the MP.
此时, 被叫 UE和被叫 MP都获得的媒体流保护密钥, 可以利用该 密钥对传输的媒体流进行保护。 实际应用中, 在所述步骤 819之后, 还 需要进行后续的呼叫流程, 比如: 被叫 UE 通过被叫 S-CSCF、 被叫 P-CSCF向主叫网络发送 200消息, 接收来自主叫网络的 UPDATE消息 等, 此处不再赘述。 方法实施例七  At this time, the media stream protection key obtained by both the called UE and the called MP can use the key to protect the transmitted media stream. In the actual application, after the step 819, a subsequent call flow is also required, for example, the called UE sends a 200 message to the calling network through the called S-CSCF and the called P-CSCF, and receives the message from the calling network. UPDATE messages, etc., will not be described here. Method Embodiment 7
本实施例中, 获取主叫侧生成密钥的网络实体为主叫 S-CSCF, 而 生成密钥的为主叫 KMF; 获取被叫侧生成密钥的网络实体为被叫 S-CSCF, 而生成密钥的为被叫 KMF。  In this embodiment, the network entity that obtains the key generated by the calling side is called the S-CSCF, and the key that generates the key is the calling KMF; and the network entity that obtains the generated key of the called side is the called S-CSCF, and The generated key is called KMF.
图 9是本实施例主叫侧获取媒体流保护密钥方法的消息流示意图。 如图 9所示, 该方法可以包括以下步骤:  FIG. 9 is a schematic diagram of a message flow of a method for acquiring a media stream protection key by a calling side in this embodiment. As shown in FIG. 9, the method may include the following steps:
步骤 901 ~步骤 902: 主叫 UE通过主叫 P-CSCF向主叫 S-CSCF发 送会话建立请求消息, 所述会话建立请求消息携带有主叫 UE提供的媒 体流安全能力信息。  Step 901 to step 902: The calling UE sends a session establishment request message to the calling S-CSCF through the calling P-CSCF, where the session establishment request message carries the media stream security capability information provided by the calling UE.
这里所述会话建立请求消息为 INVITE消息, 所述步骤 901〜步骤 902与实施例五中的步骤 701 ~步骤 702相同, 此处不再赘述。 The session establishment request message is an INVITE message, and the steps 901 to the step are performed. 902 is the same as step 701 to step 702 in the fifth embodiment, and details are not described herein again.
步骤 903: 主叫 S-CSCF将所述会话建立请求消息发送给主叫 AS。 这里所述步骤 903与实施例五中的步骤 703相同, 此处不再赘述。 步骤 904 ~步骤 906: 主叫 AS判断出主叫 UE已经签约媒体流保护 业务, 再将会话建立请求消息通过主叫 S-CSCF发送给被叫网络。  Step 903: The calling S-CSCF sends the session establishment request message to the calling AS. The step 903 is the same as the step 703 in the fifth embodiment, and details are not described herein again. Step 904 ~ Step 906: The calling AS determines that the calling UE has subscribed to the media stream protection service, and then sends the session establishment request message to the called network through the calling S-CSCF.
这里所述步骤 904〜步骤 906与实施例五中的步骤 704〜步骤 706 相同, 此处不再赘述。  The steps 904 to 906 are the same as the steps 704 to 706 in the fifth embodiment, and are not described herein again.
步骤 907 ~步骤 908:主叫 S-CSCF接收从被叫网络返回的会话建立 响应消息, 并直接发送给主叫 P-CSCF。  Step 907 ~ Step 908: The calling S-CSCF receives the session establishment response message returned from the called network and directly sends it to the calling P-CSCF.
这里所述会话建立响应消息为 183消息, 其流程与实施例五的步骤 Here, the session establishment response message is 183 message, and the flow thereof and the steps of the fifth embodiment
707 ~步骤 710相似, 只是可以不再经过主叫 AS。 707 ~ Step 710 is similar, but can no longer pass the calling AS.
步骤 909:主叫 P-CSCF将提供的主叫 MP支持的媒体流安全能力信 息携带于会话建立响应消息中, 并返回给主叫 UE。  Step 909: The calling P-CSCF carries the provided media stream security capability information supported by the calling MP in the session establishment response message, and returns the message to the calling UE.
本步骤与实施例五中的步骤 711相同, 此处不再赘述。  This step is the same as step 711 in the fifth embodiment, and details are not described herein again.
步骤 910 ~步骤 913: 主叫 UE通过主叫 P-CSCF向主叫 S-CSCF发 送会话消息, 主叫 S-CSCF删除会话消息中主叫 UE提供的媒体流安全 能力信息, 再将所述会话消息发送给被叫网络。 这里的主叫 S-CSCF也 可以不删除会话消息中的媒体流安全能力信息。  Step 910 to step 913: The calling UE sends a session message to the calling S-CSCF through the calling P-CSCF, and the calling S-CSCF deletes the media stream security capability information provided by the calling UE in the session message, and then the session is The message is sent to the called network. The calling S-CSCF here may also not delete the media stream security capability information in the session message.
这里所述的会话消息为 PRACK消息。 实际应用中, 当主叫 UE接 收到会话建立响应消息时, 还可以根据主叫 P-CSCF提供的主叫 MP支 持的媒体流安全能力信息确定用于当前会话的媒体流安全能力信息, 并 将用于当前会话的媒体流安全能力信息携带于会话请求消息中。  The session message described here is a PRACK message. In actual application, when the calling UE receives the session establishment response message, the media stream security capability information for the current session may be determined according to the media stream security capability information supported by the calling MP provided by the calling P-CSCF, and The media stream security capability information for the current session is carried in the session request message.
步骤 914: 主叫 S-CSCF接收被叫网络返回的会话响应消息。  Step 914: The calling S-CSCF receives the session response message returned by the called network.
这里所述会话响应消息为 200消息。  The session response message described here is a 200 message.
步骤 915〜步骤 916: 主叫 S-CSCF从主叫 KMF获取密钥, 将获取 的密钥携带于会话响应消息中发送给主叫 P-CSCF。 Step 915 to step 916: The calling S-CSCF obtains a key from the calling KMF, and will obtain The key is carried in the session response message and sent to the calling P-CSCF.
与实施例四相似,这里,主叫 S-CSCF可以向主叫 KMF发送密钥请 求消息, 主叫 KMF生成密钥并返回给主叫 S-CSCF; 主叫 S-CSCF再将 获取的密钥携带于会话响应消息, 即 200消息中发送给主叫 P-CSCF。 主叫 S-CSCF和主叫 KMF之间交互的消息可以采用 Diameter协议或者 SIP协议。  Similar to the fourth embodiment, here, the calling S-CSCF can send a key request message to the calling KMF, the calling KMF generates a key and returns it to the calling S-CSCF; the calling S-CSCF will then acquire the key. It is carried in the session response message, that is, the 200 message is sent to the calling P-CSCF. The message between the calling S-CSCF and the calling KMF can be either Diameter or SIP.
实际应用, 主叫 KMF还可以将针对密钥的密钥有效期、 密钥标识 等信息一并发送给主叫 S-CSCF。  In actual application, the calling KMF can also send information such as the key validity period and key identification of the key to the calling S-CSCF.
步骤 917〜步骤 918:主叫 P-CSCF将所述会话响应消息发送给主叫 UE, 并将所述会话响应消息中的密钥下发给主叫 MP。  Step 917 to step 918: The calling P-CSCF sends the session response message to the calling UE, and sends the key in the session response message to the calling MP.
此时, 主叫 UE和主叫 MP都获得了密钥, 可以利用所述密钥对传 输的媒体流进行保护。  At this time, both the calling UE and the calling MP obtain a key, and the key can be used to protect the transmitted media stream.
与实施例五相同,本实施例中主叫 UE还需要执行后续的呼叫流程, 此处不再赘述。  As in the fifth embodiment, the calling UE needs to perform a subsequent call flow in this embodiment, and details are not described herein again.
另外, 这里主叫 P-CSCF也可以先保存需要下发给主叫 MP的密钥 等信息, 等收到主叫 UE发送的 UPDATE消息或者被叫 UE的 200消息 后再发送给 MP。  In addition, the calling P-CSCF may also save the information such as the key that needs to be sent to the calling MP, and then send it to the MP after receiving the UPDATE message sent by the calling UE or the 200 message of the called UE.
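The calling-side flow of FIG. 9 as an added, runnable model (example code, not code from the patent or from Huawei): the S-CSCF removes the UE's capability set from the PRACK and obtains the key from the KMF on the 200, and the P-CSCF hands the key to the MP either at once or, as the preceding paragraph allows, only after the UPDATE. The entity classes, message field names and the capability labels are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Msg:
    """Minimal SIP-like message: the method or status plus named body fields."""
    kind: str                                  # "INVITE", "183", "PRACK", "200", "UPDATE"
    fields: dict = field(default_factory=dict)


class KMF:
    """Calling KMF: generates the key and returns it with key identifier and validity."""
    def __init__(self):
        self.issued = 0

    def request_key(self):
        self.issued += 1
        return {"key": secrets.token_bytes(16).hex(),   # 128-bit key, constructed here
                "key_id": f"kid-{self.issued}", "validity": 3600}


class MP:
    """Calling MP: holds the key material once the P-CSCF delivers it."""
    def __init__(self):
        self.key_material = None


class PCSCF:
    """Calling P-CSCF: advertises the MP capabilities in the 183 (step 909) and hands
    the key from the 200 to the MP (step 918), at once or only after the UPDATE."""
    def __init__(self, mp, mp_caps, defer_until_update=False):
        self.mp, self.mp_caps, self.defer = mp, mp_caps, defer_until_update
        self.pending = None

    def on_183(self, msg):
        msg.fields["mp_caps"] = sorted(self.mp_caps)
        return msg

    def on_200(self, msg):
        km = {k: msg.fields[k] for k in ("key", "key_id", "validity")}
        if self.defer:
            self.pending = km          # kept back until the UPDATE arrives
        else:
            self.mp.key_material = km
        return msg                     # step 917: the 200 still goes on to the UE

    def on_update(self, msg):
        if self.pending is not None:
            self.mp.key_material, self.pending = self.pending, None
        return msg


class SCSCF:
    """Calling S-CSCF: removes the UE capability set from the PRACK before it leaves
    the home network (steps 910 to 913) and obtains the key on the 200 (steps 915 to 916)."""
    def __init__(self, kmf, strip_caps=True):
        self.kmf, self.strip_caps = kmf, strip_caps

    def on_prack(self, msg):
        if self.strip_caps:
            msg.fields.pop("ue_caps", None)
        return msg

    def on_200(self, msg):
        msg.fields.update(self.kmf.request_key())
        return msg


class CalledNetwork:
    """Stand-in for the far side: records what reaches it and answers each request."""
    def __init__(self):
        self.seen = []

    def handle(self, msg):
        self.seen.append(msg)
        return Msg("183") if msg.kind == "INVITE" else Msg("200")


def run_calling_side(strip_caps=True, defer_until_update=False):
    """Drive steps 901 to 918 plus the UPDATE of the subsequent call flow and report
    what the UE, the MP and the called network ended up with."""
    ue_caps = {"SRTP-AES-128", "SRTP-AES-256"}      # capability labels are constructed
    kmf, mp = KMF(), MP()
    pcscf = PCSCF(mp, {"SRTP-AES-128"}, defer_until_update)
    scscf = SCSCF(kmf, strip_caps)
    called = CalledNetwork()

    invite = Msg("INVITE", {"ue_caps": sorted(ue_caps)})          # steps 901 to 906
    r183 = pcscf.on_183(called.handle(invite))                    # steps 907 to 909
    session_caps = sorted(ue_caps & set(r183.fields["mp_caps"]))  # UE picks the common set
    prack = Msg("PRACK", {"ue_caps": sorted(ue_caps), "session_caps": session_caps})
    r200 = called.handle(scscf.on_prack(prack))                   # steps 910 to 914
    r200 = pcscf.on_200(scscf.on_200(r200))                       # steps 915 to 918
    mp_keyed_before_update = mp.key_material is not None
    pcscf.on_update(Msg("UPDATE"))                                # subsequent call flow
    caps_left_home = any("ue_caps" in m.fields for m in called.seen if m.kind == "PRACK")
    return {"ue_key_material": {k: r200.fields[k] for k in ("key", "key_id", "validity")},
            "mp_key_material": mp.key_material,
            "mp_keyed_before_update": mp_keyed_before_update,
            "ue_caps_left_home_network": caps_left_home,
            "session_caps": session_caps}
```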
In this embodiment, FIG. 9 is a schematic diagram of the message flow by which the calling UE and the calling MP obtain the media stream protection key. For the case in which the called side allocates a key to the called UE and the called MP, a method similar to that of the calling side can be used.
FIG. 10 is a schematic diagram of the message flow of the method by which the called side obtains the media stream protection key in this embodiment. As shown in FIG. 10, the method may include the following steps:
Steps 1001 to 1002: The called S-CSCF receives a session establishment request message from the calling network and forwards it to the called AS.
The session establishment request message described here may be an INVITE message. Steps 1001 to 1002 are the same as steps 801 to 802 in Embodiment 5 and are not described again here.
Steps 1003 to 1005: The called AS determines that the called UE has subscribed, and then sends the session establishment request message to the called P-CSCF through the called S-CSCF.
The called AS or S-CSCF may also omit the process of determining that the called UE has subscribed. Steps 1003 to 1005 are the same as steps 803 to 805 in Method Embodiment 5 and are not described again here.
Step 1006: The called P-CSCF adds the media stream security capability information supported by the called MP, which it provides, to the session establishment message and then sends the message to the called UE.
This step is the same as step 806 in Embodiment 5 and is not described again here.
Step 1007: The called UE returns a session establishment response message to the called P-CSCF, the session establishment response message carrying the media stream security capability information provided by the called UE.
This step is the same as step 807 in Method Embodiment 5; the session establishment response message is a 183 message, and the step is not described again here.
Steps 1008 to 1010: The called P-CSCF sends the session establishment response message to the called S-CSCF; the called S-CSCF deletes the media stream security capability information from the session establishment response message and then sends it to the calling network.
The called S-CSCF may also leave the media stream security capability information in the session establishment response message.
Steps 1011 to 1013: The called S-CSCF receives a session message from the calling network, then obtains a key from the called KMF, adds the obtained key to the session message, and sends it to the called P-CSCF.
The session message described here is a PRACK message.
Steps 1014 to 1015: The called P-CSCF then sends the session message to the called UE and delivers the key in the session message to the called MP.
At this point, both the called UE and the called MP have obtained the media stream protection key and can use it to protect the transmitted media stream. Of course, after step 1015 a subsequent call procedure is still required in practice; for example, the called UE sends a 200 message to the calling network through the called S-CSCF and the called P-CSCF, receives an UPDATE message from the calling network, and so on. This is not described again here.
In addition, the called P-CSCF may first store the key and other information that needs to be delivered to the called MP, and send them to the MP only after receiving the UPDATE message sent by the called S-CSCF or the 200 message from the called UE.
Method Embodiment 8
In this embodiment, the network entity that obtains the key generated on the calling side is the calling AS, the entity that generates the key is the calling KMF, and the MP is the calling MP; the network entity that obtains the key generated on the called side is the called AS, and the entity that generates the key is the called KMF.
In addition, in this embodiment the calling MP is the calling MRF and the called MP is the called MRF. The MRF described here may re-initiate a session message when it receives one. For example, when it receives an INVITE message, the MRF may regenerate another INVITE and pass the regenerated INVITE on to the next entity. How a session message is regenerated belongs to the prior art and is not described again here.
This embodiment takes only the case in which the AS acts as a back-to-back user agent (B2BUA) as an example. In an actual implementation, the AS may instead merely modify the media stream security-related information in the call arriving from the calling side, without initiating a new session flow. In addition, the AS may first complete negotiation with the called side and only then continue negotiating with the calling side; the specific flow is similar and is not described again here.
FIG. 11 is a schematic diagram of the message flow by which the calling side obtains the media stream protection key in this embodiment. As shown in FIG. 11, the method includes the following steps:
Step 1101: The calling UE sends a session establishment request message to the calling S-CSCF, the session establishment request message carrying the media stream security capability information provided by the calling UE.
This step is the same as steps 701 to 702 in Embodiment 5: the calling UE also needs to send the session establishment request message through the calling P-CSCF. In this embodiment, however, the calling P-CSCF is used only to forward messages and does not deliver a key, so the description of the P-CSCF is omitted.
The session establishment request message in this step is an INVITE message; to distinguish it from subsequent INVITE messages, the INVITE message described here is denoted INVITE[1].
Step 1102: The calling S-CSCF sends the session establishment request message to the calling AS. This step is the same as step 703 of Embodiment 5 and is not described again here.
Steps 1103 to 1105: The calling AS determines that the calling UE has subscribed, and then sends a session establishment request message that it has regenerated itself to the called network through the calling S-CSCF.
Here, the calling AS or the calling S-CSCF may also omit the subscription check.
Steps 1103 to 1105 are similar to steps 704 to 706 in Embodiment 5, except that the calling AS regenerates a session establishment request message; the regenerated session establishment request message may be denoted INVITE[2].
Steps 1106 to 1107: After receiving the session establishment response message returned from the called network, the calling S-CSCF forwards the session establishment response message to the calling AS.
The session establishment response message described here is a 183 message; it is the response to INVITE[2] and may be denoted the 183[2] message.
Steps 1108 to 1109: The calling AS regenerates a session establishment response message, the regenerated session establishment response message carrying the media stream security capability information provided by the calling MRF, and sends the regenerated session establishment response message to the calling S-CSCF, which sends it to the calling UE.
Here, the session establishment response message regenerated by the calling AS is the response to INVITE[1] and may be denoted the 183[1] message.
The media stream security capability information provided by the MRF may be all or part of the information that the calling UE can support.
Steps 1110 to 1111: The calling UE sends a session message to the calling S-CSCF, and the calling S-CSCF sends the session message to the calling AS.
The session message described here is a PRACK message; to distinguish it from the PRACK message subsequently generated by the calling AS, it may be denoted PRACK[1].
Steps 1112 to 1113: The calling AS regenerates the session message and sends the regenerated session message to the calling S-CSCF, which then sends it to the called network.
Here, the PRACK regenerated by the calling AS may be denoted the PRACK[2] message.
Steps 1114 to 1115: The calling S-CSCF receives a session response message from the called network and sends the session response message to the calling AS.
Here, the session response message is a 200 message; since this message is the response to PRACK[2], it may be denoted the 200[2] message.
Steps 1116 to 1119: The calling AS obtains a key from the calling KMF, delivers the obtained key to the calling MRF, regenerates a session response message, carries the obtained key in the regenerated session response message, and sends it to the calling UE through the calling S-CSCF.
The session response message regenerated by the calling AS here is a 200 message; since this message is the response to PRACK[1], it may be denoted 200[1].
At this point, both the calling UE and the calling MRF have obtained the key and can use it to protect the transmitted media stream.
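The calling-side flow of FIG. 11 as an added model of the AS acting as a B2BUA (example code, not code from the patent or from Huawei): the AS keeps one dialog identifier per leg, regenerates INVITE[2] and PRACK[2] toward the called network, maps 183[2] and 200[2] back to 183[1] and 200[1], offers in 183[1] only the MRF capabilities the UE can support, and on 200[2] hands the key to the MRF directly while carrying it only in 200[1] toward the UE. Class and field names, the Call-ID values, the KMF stand-in and the capability labels are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Msg:
    """Minimal SIP-like message: method or status, the dialog's Call-ID, body fields."""
    kind: str
    call_id: str
    fields: dict = field(default_factory=dict)


def kmf_request_key(counter):
    """Calling KMF stand-in (assumed): key material with identifier and validity."""
    return {"key": secrets.token_bytes(16).hex(), "key_id": f"kid-{counter}", "validity": 3600}


class B2BUA_AS:
    """Calling AS as a B2BUA: dialog [1] faces the UE, dialog [2] faces the called
    network, and every message crossing the AS is regenerated, not forwarded."""
    def __init__(self, mrf_caps):
        self.mrf_caps = set(mrf_caps)
        self.mrf_key_material = None          # what the AS handed to the calling MRF
        self.leg1_to_leg2, self.leg2_to_leg1 = {}, {}
        self.ue_caps_by_leg1 = {}             # remembered from INVITE[1] for step 1108
        self.keys_issued = 0

    def _leg2_id(self, leg1_id):
        if leg1_id not in self.leg1_to_leg2:
            leg2_id = f"b2bua-{secrets.token_hex(4)}@as.example"   # fresh far-side dialog
            self.leg1_to_leg2[leg1_id] = leg2_id
            self.leg2_to_leg1[leg2_id] = leg1_id
        return self.leg1_to_leg2[leg1_id]

    def regenerate_request(self, msg):
        """INVITE[1] -> INVITE[2] and PRACK[1] -> PRACK[2] (steps 1103 to 1105, 1112 to 1113)."""
        if msg.kind == "INVITE":
            self.ue_caps_by_leg1[msg.call_id] = set(msg.fields.get("ue_caps", []))
        return Msg(msg.kind, self._leg2_id(msg.call_id), dict(msg.fields))

    def regenerate_183(self, msg):
        """183[2] -> 183[1] (steps 1108 to 1109): the MRF capability information offered
        to the UE is the part of the MRF's set that the UE itself can support."""
        leg1_id = self.leg2_to_leg1[msg.call_id]
        out = Msg("183", leg1_id, dict(msg.fields))
        out.fields["mrf_caps"] = sorted(self.mrf_caps & self.ue_caps_by_leg1[leg1_id])
        return out

    def regenerate_200(self, msg):
        """200[2] -> 200[1] (steps 1116 to 1119): fetch the key, give it to the MRF
        directly, and carry it only in the regenerated 200 toward the UE."""
        self.keys_issued += 1
        km = kmf_request_key(self.keys_issued)
        self.mrf_key_material = km
        out = Msg("200", self.leg2_to_leg1[msg.call_id], dict(msg.fields))
        out.fields.update(km)
        return out


class CalledNetwork:
    """Far-side stand-in: records what it receives and answers within the same dialog."""
    def __init__(self):
        self.seen = []

    def handle(self, msg):
        self.seen.append(msg)
        return Msg("183" if msg.kind == "INVITE" else "200", msg.call_id)


def run_b2bua_calling_side():
    """Drive INVITE[1] through 200[1] and report dialog separation and key placement."""
    ue_caps = ["SRTP-AES-128", "SRTP-AES-256"]                 # constructed labels
    as_ = B2BUA_AS(mrf_caps={"SRTP-AES-128", "SRTP-NULL"})
    net = CalledNetwork()
    leg1 = "ue-call-1@ue.example"                              # constructed Call-ID

    invite1 = Msg("INVITE", leg1, {"ue_caps": ue_caps})        # step 1101
    invite2 = as_.regenerate_request(invite1)                  # steps 1103 to 1105
    r183_1 = as_.regenerate_183(net.handle(invite2))           # steps 1106 to 1109
    session_caps = sorted(set(ue_caps) & set(r183_1.fields["mrf_caps"]))
    prack1 = Msg("PRACK", leg1, {"session_caps": session_caps})   # steps 1110 to 1111
    r200_2 = net.handle(as_.regenerate_request(prack1))        # steps 1112 to 1115
    r200_1 = as_.regenerate_200(r200_2)                        # steps 1116 to 1119

    return {
        "ue_dialog_ids": {invite1.call_id, r183_1.call_id, prack1.call_id, r200_1.call_id},
        "far_side_dialog_ids": {m.call_id for m in net.seen},
        "offered_mrf_caps": r183_1.fields["mrf_caps"],
        "ue_key_material": {k: r200_1.fields[k] for k in ("key", "key_id", "validity")},
        "mrf_key_material": as_.mrf_key_material,
        "key_seen_by_far_side": any("key" in m.fields for m in net.seen),
        "session_caps": session_caps,
    }
```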
本实施例中, 图 11是主叫 UE和主叫 MRF获取媒体流保护密钥的 消息流示意图。 实际应用中,如果被叫侧要为被叫 UE和被叫 MRF分配 密钥, 可以利用主叫侧相似的方法。 图 12是本实施例中被叫侧获取媒 体流保护密钥的消息流示意图。 如图 12所示, 该方法可以包括以下步 骤: In this embodiment, FIG. 11 is a schematic diagram of a message flow in which a calling UE and a calling MRF obtain a media stream protection key. In practical applications, if the called side wants to assign a key to the called UE and the called MRF, a similar method on the calling side can be utilized. FIG. 12 is a schematic diagram of a message flow for acquiring a media stream protection key on the called side in this embodiment. As shown in FIG. 12, the method may include the following steps Step:
步骤 1201 ~步骤 1202:被叫 S-CSCF接收来自主叫网络的会话建立 请求消息, 并转发给被叫 AS。  Step 1201 ~ Step 1202: The called S-CSCF receives the session establishment request message from the calling network and forwards it to the called AS.
为了与上述主叫侧对应, 这里所述被叫 S-CSCF接收到的会话建立 请求消息为 INVITE[2]。  In order to correspond to the calling side, the session establishment request message received by the called S-CSCF is INVITE[2].
步骤 1203 ~步骤 1205: 被叫 AS判断出被叫 UE已经签约, 再重新 生成会话建立请求消息, 并将被叫 MRF提供的媒体流安全能力信息携 带于所述重新生成的会话建立请求消息中, 通过被叫 S-CSCF发送给被 叫 UE。  Steps 1203 to 1205: The called AS determines that the called UE has subscribed, re-generates the session establishment request message, and carries the media stream security capability information provided by the called MRF in the regenerated session establishment request message. It is sent to the called UE through the called S-CSCF.
被叫 AS或者被叫 S-CSCF也可以不进行出被叫 UE已经签约的检 查。  The called AS or the called S-CSCF may also not perform the check that the called UE has signed the contract.
这里, 为了与上述主叫 AS重新生成会话建立请求消息相区分, 可 以将被叫 AS重新生成的会话建立请求消息记为 INVITE[3]。  Here, in order to distinguish the above-mentioned calling AS re-generation session establishment request message, the session establishment request message regenerated by the called AS may be recorded as INVITE[3].
步骤 1206: 被叫 UE向被叫 S-CSCF返回会话建立响应消息, 所述 会话建立响应消息携带有被叫 UE提供的媒体流安全能力信息。  Step 1206: The called UE returns a session establishment response message to the called S-CSCF, where the session establishment response message carries the media stream security capability information provided by the called UE.
这里所述的会话建立响应消息为 183消息, 由于是针对 INVITE[3] 的响应响应消息, 可以将其记为 183[3]消息。  The session establishment response message described here is a 183 message, and since it is a response response message for INVITE[3], it can be recorded as a 183[3] message.
步骤 1207 ~步骤 1209:被叫 S-CSCF将接收到的会话建立响应消息 发送给被叫 AS,被叫 AS再重新生成会话建立响应消息, 并将重新生成 的会话建立响应消息发送给被叫 S-CSCF,然后由被叫 S-CSCF发送给主 叫网络。  Step 1207 to step 1209: The called S-CSCF sends the received session establishment response message to the called AS, and the called AS regenerates the session establishment response message, and sends the regenerated session establishment response message to the called S. -CSCF, which is then sent by the called S-CSCF to the calling network.
这里, 所述被叫 AS 重新生成的会话建立响应消息是针对事先的 INVITE[2]消息的, 可以将其记为 183 [2]。  Here, the session establishment response message regenerated by the called AS is for the previous INVITE[2] message, which can be recorded as 183 [2].
步骤 1210 ~步骤 1211:被叫 S-CSCF接收来自主叫网络的会话消息, 并将所述会话消息转发给被叫 AS。 这里所述会话消息为会话请求消息,即主叫网络发送来的 PRACK[2] 消息。 Step 1210 ~ Step 1211: The called S-CSCF receives the session message from the calling network and forwards the session message to the called AS. The session message here is a session request message, that is, a PRACK[2] message sent by the calling network.
步骤 1212 ~ 1215: 被叫 AS从被叫 KMF中获取密钥, 将获取的密 钥下发给被叫 MRF, 并重新生成会话消息,将所述获取的密钥携带于重 新生成的会话消息, 通过被叫 S-CSCF发送给被叫 UE。  Steps 1212 to 1215: The called AS obtains a key from the called KMF, and the obtained key is sent to the called MRF, and the session message is regenerated, and the acquired key is carried in the regenerated session message. It is sent to the called UE through the called S-CSCF.
这里, 所述被叫 AS重新生成的会话消息为 PRACK[3]消息。  Here, the session message regenerated by the called AS is a PRACK[3] message.
此时,被叫 UE和被叫 MRF都获得的密钥, 就可以利用该密钥对传 输的媒体流进行保护。  At this time, the key obtained by both the called UE and the called MRF can use the key to protect the transmitted media stream.
当然, 步骤 1215之后, 被叫 UE还需要进行执行后续的呼叫流程, 比如: 被叫 UE通过被叫 S-CSCF和被叫 AS向主叫网络发送 200消息, 并再接收 UPDATE消息等。 在后续的呼叫流程中, 被叫 AS仍然可以重 新生成从被叫 S-CSCF 发送来的会话消息, 此处不再赘述。 这里的 PRACK消息以及对应的 200响应消息可以由 UPDATE消息以及对应的 200响应消息替代, 具体流程类似, 这里不再赘述。 方法实施例九  Certainly, after step 1215, the called UE also needs to perform a subsequent call procedure, for example, the called UE sends a 200 message to the calling network through the called S-CSCF and the called AS, and then receives an UPDATE message. In the subsequent call process, the called AS can still regenerate the session message sent from the called S-CSCF, and details are not described here. The PRACK message and the corresponding 200 response message can be replaced by the UPDATE message and the corresponding 200 response message. The specific process is similar and will not be described here. Method embodiment nine
本实施例中, 获取主叫侧生成密钥的网络实体为主叫 S-CSCF, 生 成密钥的实体为主叫 KMF; 获取主叫侧生成密钥的网络实体为被叫 S-CSCF, 生成密钥的实体为 KMF。  In this embodiment, the network entity that obtains the key generated by the calling side is called the S-CSCF, and the entity that generates the key is called the KMF; the network entity that generates the key generated by the calling side is the called S-CSCF, and generates The entity of the key is KMF.
另夕卜, 本实施例中, 所述主叫 MP为主叫 MRF, 被叫 MP为被叫 MRF。  In addition, in this embodiment, the calling MP is the calling MRF, and the called MP is the called MRF.
本实施例中仅以 AS作为背靠背的用户代理 B2BUA的情况作为例 子; 实际实施中, AS 也可以仅仅修改主叫侧的发来的呼叫中的媒体流 安全相关的信息, 而不用重新发起一个新的会话流程; 另外, AS 还可 以先跟被叫侧协商完毕后再继续跟主叫侧协商, 具体流程类似这里不再 赘述。 In this embodiment, only the case where the AS is used as the back-to-back user agent B2BUA is taken as an example; in an actual implementation, the AS may also only modify the media stream security-related information in the incoming call on the calling side without re-initiating a new one. The session process; in addition, the AS can also negotiate with the called party before negotiating with the called party. The specific process is similar here. Narration.
FIG. 13 is a schematic diagram of the message flow of the method by which the calling side obtains the media stream protection key in this embodiment. As shown in FIG. 13, the method may include the following steps:
Step 1301: The calling UE sends a session establishment request message to the calling S-CSCF, the session establishment request message carrying the media stream security capability information provided by the calling UE.
This step is the same as step 1101 in Embodiment 7; the session establishment request message here is INVITE[1], and details are not repeated here.
Step 1302: The calling S-CSCF sends the session establishment request message to the calling AS. This step is the same as step 1102 of Embodiment 7 and is not repeated here.
Steps 1303 to 1305: The calling AS determines that the calling UE has subscribed, and then sends the session establishment request message it has regenerated to the called network through the calling S-CSCF.
Steps 1303 to 1305 here are the same as steps 1103 to 1105 of Embodiment 7; the regenerated session establishment request message may be denoted INVITE[2], and details are not repeated here.
Steps 1306 to 1307: After receiving the session establishment response message returned from the called network, the calling S-CSCF forwards it to the calling AS.
Steps 1306 to 1307 here are the same as steps 1106 to 1107 in Embodiment 7; the session establishment response message is the 183[2] message, and details are not repeated here.
Steps 1308 to 1309: The calling AS regenerates a session establishment response message, the regenerated message carrying the media stream security capability information provided by the calling MRF, and sends the regenerated session establishment response message to the calling S-CSCF, which sends it to the calling UE.
Steps 1308 to 1309 here are the same as steps 1108 to 1109 of Embodiment 7; the session establishment response message regenerated by the calling AS is the 183[1] message.
Steps 1310 to 1312: The calling UE sends a session message to the calling S-CSCF; the calling S-CSCF obtains a key from the calling KMF, carries the obtained key in the session message and sends it to the calling AS.
The session message here is a session request message, namely a PRACK message. To distinguish it from the PRACK message later regenerated by the calling AS, it may be denoted PRACK[1].
Steps 1313 to 1315: The calling AS delivers the key carried in the session message received from the calling S-CSCF to the calling MRF, then regenerates the session message and sends the regenerated session message to the calling S-CSCF, which then sends it to the called network.
The regenerated session message here may be denoted PRACK[2].
Steps 1316 to 1319: The calling S-CSCF receives a session response message from the called network, sends it to the calling AS, receives the session response message regenerated by the calling AS, and then carries the previously obtained key in the session response message regenerated by the calling AS and sends it to the calling UE.
The session response message here is the session response to PRACK[2], namely the 200[2] message. The session response message regenerated by the calling AS is the session response to PRACK[1], namely 200[1].
At this point the calling UE and the calling MRF have both obtained the key and can use it to protect the transmitted media stream. Of course, after step 1319 the subsequent call procedure still needs to be carried out; this is not repeated here.
In this embodiment, FIG. 13 is a schematic diagram of the message flow by which the calling UE and the calling MRF obtain the media stream protection key. In practical applications, if the called side needs to allocate a key to the called UE and the called MRF, a method similar to that of the calling side may be used.
FIG. 14 is a schematic diagram of the message flow by which the called side obtains the media stream protection key in this embodiment. As shown in FIG. 14, the method may include the following steps:
Steps 1401 to 1402: The called S-CSCF receives a session establishment request message from the calling network and forwards it to the called AS.
Steps 1401 to 1402 here are the same as steps 1201 to 1202 in Embodiment 7; the session establishment request message is INVITE[2], and details are not repeated here.
Steps 1403 to 1405: The called AS determines that the called UE has subscribed, regenerates the session establishment request message, carries the media stream security capability information provided by the called MRF in the regenerated session establishment request message, and sends it to the called UE through the called S-CSCF.
Steps 1403 to 1405 here are the same as steps 1203 to 1205 in Embodiment 7; the session establishment request message regenerated by the called AS is INVITE[3], and details are not repeated here.
Step 1406: The called UE returns a session establishment response message to the called S-CSCF, the session establishment response message carrying the media stream security capability information provided by the called UE.
This step is the same as step 1206 of Embodiment 7; the session establishment response message is the 183[3] message.
Steps 1407 to 1409: The called S-CSCF sends the received session establishment response message to the called AS; the called AS regenerates the session establishment response message and sends the regenerated message to the called S-CSCF, which then sends it to the calling network.
Steps 1407 to 1409 here are the same as steps 1207 to 1209 in Embodiment 7; the session establishment response message regenerated by the called AS is 183[2], and details are not repeated here.
Steps 1410 to 1411: The called S-CSCF receives a session message from the calling network and forwards it to the called AS.
The session message here is a session request message, namely the PRACK[2] message sent by the calling network.
Step 1412: The called AS regenerates the session message and sends the regenerated session message to the called S-CSCF.
To distinguish it from the received PRACK[2] message, the session message regenerated by the called AS may be denoted PRACK[3].
Steps 1413 to 1414: The called S-CSCF obtains a key from the called KMF, carries the obtained key in the regenerated session message and sends it to the called UE.
Step 1415: The called UE sends a session response message to the called S-CSCF.
The session response message here is the session response to PRACK[3], namely the 200[3] message.
Steps 1416 to 1419: The called S-CSCF carries the previously obtained key in the session response message and sends it to the called AS; the called AS delivers the key carried in the session response message to the called MRF, regenerates the session response message and sends the regenerated session response message to the calling network through the called S-CSCF.
At this point the called UE and the called MRF have both obtained the key and can use it to protect the transmitted media stream.
For the above key acquisition method proposed for protecting media streams transmitted between a user and the network, the present invention further provides a system for obtaining a media stream protection key in an IMS network.
FIG. 15 is a schematic diagram of the basic structure of this system. As shown in FIG. 15, the system includes:
UE 1501, configured to receive a key sent by a network entity;
network entity 1502, configured to receive a session message, obtain a key from KMF 1503 and send it to UE 1501 and MP 1504;
KMF 1503, configured to generate the key;
MP 1504, configured to receive the key sent by the network entity.
In practical applications the network entity 1502 may be an S-CSCF or an AS. The system may be a system for obtaining the media stream protection key on the calling side or a system for obtaining the protection key on the called side. For the calling side, UE 1501 is the calling UE, network entity 1502 is the calling S-CSCF or the calling AS, KMF 1503 is the calling KMF and MP 1504 is the calling MP.
Of course, if the network entity is an S-CSCF, the system may further include an AS and may further include a P-CSCF; if the network entity is an AS, the system may further include an S-CSCF and may further include a P-CSCF. The KMF of the present invention may be an independent entity or a functional unit within a CSCF, AS or HSS.
To better illustrate the above system for obtaining a media stream protection key in the user-to-user media stream protection case, preferred system embodiments are described in detail below.
System Embodiment 4
FIG. 16 is a schematic diagram of the basic structure of System Embodiment 4. As shown in FIG. 16, this system embodiment includes: calling UE 1501, calling S-CSCF 1502A, calling KMF 1503, calling MP 1504 and calling P-CSCF 1505. The calling P-CSCF is configured to forward the messages exchanged between the calling UE 1501 and the calling S-CSCF 1502A, and also to deliver the key carried in the session message coming from the calling S-CSCF to the calling MP 1504; the other entities have the same functions and structures as the corresponding entities in FIG. 15 and are not described again here.
When the media stream protection key needs to be obtained, the calling UE 1501 sends a session message to the calling S-CSCF 1502A through the calling P-CSCF 1505; the calling S-CSCF 1502A obtains a key from the calling KMF 1503 and sends the obtained key in a session response message to the calling P-CSCF 1505, which then sends the key to the calling UE 1501 and the calling MP.
Of course, the entities described in this embodiment are also used for other functions related to executing the call procedure; for the functions or procedures they implement, refer to the method embodiments of the present invention described above, which are not repeated here.
Of course, in practical applications the system may further include a calling AS for checking whether the calling UE has subscribed; for how the check is performed, refer to the method embodiments above, which are not repeated here.
In addition, in this system embodiment the calling MP 1504 receives the delivered key from the calling P-CSCF 1505, whereas in practical applications the calling MP 1504 may also obtain the delivered key directly from the calling S-CSCF or the calling AS.
System Embodiment 5
FIG. 17 is a schematic diagram of the basic structure of this system embodiment. As shown in FIG. 17, this system embodiment includes: calling UE 1501, calling AS 1502B, calling KMF 1503 and calling MP 1504.
The system may also include a calling P-CSCF and a calling S-CSCF, but unlike System Embodiment 4, the calling S-CSCF here no longer obtains the key from the calling KMF and may act merely as an entity that forwards messages; the other entities have the same functions and structures as the corresponding entities in FIG. 15 and are not described again here.
When the media stream protection key needs to be obtained, the calling UE 1501 sends a session message to the calling AS 1502B through the calling P-CSCF and the calling S-CSCF; the calling AS 1502B obtains a key from the calling KMF 1503, delivers the obtained key directly to the calling MP 1504, carries the key in a session response message, and sends it to the calling UE 1501 through the calling S-CSCF and the P-CSCF.
Similarly to System Embodiment 3, in practical applications the calling AS 1502B may also serve as the entity that checks the subscription of the calling UE 1501; details are not repeated here.
Likewise, the calling AS in this system embodiment may also deliver the key to the calling MP through the calling S-CSCF or the calling P-CSCF.
System Embodiment 3 and System Embodiment 4 of the present invention are both described taking the calling side as an example; in practical applications, if the called side needs to allocate a key to the called UE and the called MP, the structure of its system is similar to that of the calling side and is not repeated here.
In addition, regardless of whether the network entity in FIG. 15 is the calling network entity or the called network entity, its internal structure may be as shown in FIG. 18 and include:
receiving unit 1801, configured to receive a session message;
key acquisition unit 1802, configured, upon receipt of a session message, to obtain a key from the key management function KMF, add the key to the session message and pass it to the sending unit 1803;
sending unit 1803, configured to send the session message carrying the key to the UE and to the media processing function MP.
In the present invention, whether for the key acquisition method proposed for protecting media streams transmitted user-to-user or for the key acquisition method proposed for protecting media streams transmitted user-to-network, the media stream security capability information in the INVITE message may, in addition to the security algorithm, include one or any combination of the media type to be protected, the secure transport protocol type and the security precondition. In the other messages exchanged user-to-user or user-to-network, the media stream security capability information may likewise include one or any combination of the media type, the secure transport protocol type and the security precondition; whether it also includes the key and the security algorithm depends on the specific implementation.
The key generated on the network side may be carried in the media stream security capability information and sent to the peer. In that case the media stream security capability information may further include parameters such as the key validity period. If there are several media streams to be protected, a different key may also be generated for each media stream, and the media stream security capability information may further include a key identifier to distinguish the corresponding media stream.
The security algorithm may be carried as the crypto-suite parameter of the a=crypto attribute in the Security Descriptions for Media Streams (SDES) defined in RFC 4568; the generated key, key identifier, key validity period and so on may be carried in the key-params parameter of the inline sub-field of the SDES a=crypto attribute.
If the Multimedia Internet KEYing (MIKEY) management protocol is used, the security algorithm and the security context, including the key length, key generation rate and so on, may be carried in the parameters defined in the Security Policy payload field of the RFC 3830 MIKEY protocol. The generated key, key validity period and so on may be carried in the key data transport payload (KEMAC) field of MIKEY. The whole MIKEY message may in turn be carried in the a=key-mgmt SDP attribute field specified in RFC 4567.
The security algorithm may also be carried by extending a security algorithm header field in the Session Initiation Protocol (SIP); likewise, the generated key, key identifier, key validity period and so on may be carried by extending corresponding header fields in SIP.
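As an added example (not code from the patent), the following Python models the network entity of FIG. 15 and FIG. 18 (receiving unit, key acquisition unit, sending unit) handling the PRACK of steps 1310 to 1312: it obtains one key per media stream from a KMF, together with the key identifier and validity period described above, and carries them in the RFC 4568 a=crypto key-params (inline key, lifetime and MKI), while the receiving side parses and checks the line. The KMF, NetworkEntity and MediaKey names and the sample SDP are constructed for this illustration and are not the patent's.

```python
import base64
import os
import re
from dataclasses import dataclass

# Master key + master salt sizes in bytes for the RFC 4568 crypto-suites. The
# crypto-suite itself is the security algorithm negotiated in INVITE/183.
SUITE_KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 16 + 14,
    "AES_CM_128_HMAC_SHA1_32": 16 + 14,
}

@dataclass(frozen=True)
class MediaKey:
    key_salt: bytes  # master key || master salt, as SDES carries it
    key_id: int      # key identifier, one per media stream, carried as the MKI
    lifetime: str    # key validity period in RFC 4568 form, e.g. "2^20"

class KMF:
    """Key management function (hypothetical class): one distinct key per media stream."""

    def __init__(self, rng=os.urandom):
        self._rng = rng  # injectable so the flow is reproducible in a test
        self._next_id = 1

    def generate(self, suite, lifetime="2^20"):
        key = MediaKey(self._rng(SUITE_KEY_SALT_LEN[suite]), self._next_id, lifetime)
        self._next_id += 1
        return key

def sdes_crypto_line(tag, suite, mk, mki_len=4):
    """a=crypto:<tag> <crypto-suite> inline:<b64(key||salt)>|<lifetime>|<MKI>:<len>"""
    b64 = base64.b64encode(mk.key_salt).decode("ascii")
    return f"a=crypto:{tag} {suite} inline:{b64}|{mk.lifetime}|{mk.key_id}:{mki_len}"

_CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/]+=*)"
    r"(?:\|(2\^\d+|\d+))?(?:\|(\d+):(\d+))?$"
)

def parse_crypto_line(line):
    """Receiver side (UE or MP): parse one a=crypto line and reject a key whose
    length does not match the announced crypto-suite."""
    m = _CRYPTO_RE.match(line)
    if not m:
        raise ValueError("malformed a=crypto line")
    _tag, suite, b64, lifetime, mki, _mki_len = m.groups()
    if suite not in SUITE_KEY_SALT_LEN:
        raise ValueError(f"unsupported crypto-suite {suite}")
    key_salt = base64.b64decode(b64, validate=True)
    if len(key_salt) != SUITE_KEY_SALT_LEN[suite]:
        raise ValueError("key||salt length does not match crypto-suite")
    return MediaKey(key_salt, int(mki) if mki else 0, lifetime or "")

class NetworkEntity:
    """S-CSCF or AS of FIG. 18: receiving unit -> key acquisition unit -> sending unit."""

    def __init__(self, kmf):
        self.kmf = kmf

    def handle_session_message(self, sdp_lines, suite):
        """Take the SDP of a PRACK; return (SDP for the UE, keys for the MP).
        One key per m= line, announced by an a=crypto line right after it."""
        out, keys = [], []
        for line in sdp_lines:
            out.append(line)
            if line.startswith("m="):
                mk = self.kmf.generate(suite)
                keys.append(mk)
                out.append(sdes_crypto_line(len(keys), suite, mk))
        return out, keys

def extract_keys(sdp_lines):
    """UE side: recover the keys, one per a=crypto line, in SDP order."""
    return [parse_crypto_line(ln) for ln in sdp_lines if ln.startswith("a=crypto:")]

# Constructed sample SDP body of a PRACK with an audio and a video stream.
SAMPLE_SDP = [
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    "m=video 51372 RTP/SAVP 31",
]

def demo(rng=os.urandom):
    """Run the flow once; returns (SDP sent to UE, keys sent to MP, keys parsed by UE)."""
    entity = NetworkEntity(KMF(rng))
    sdp_to_ue, keys_to_mp = entity.handle_session_message(SAMPLE_SDP, "AES_CM_128_HMAC_SHA1_80")
    return sdp_to_ue, keys_to_mp, extract_keys(sdp_to_ue)

if __name__ == "__main__":
    sdp, for_mp, at_ue = demo()
    print("\n".join(sdp))
    print("UE and MP hold the same keys:", for_mp == at_ue)
```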
With the solutions of the embodiments of the present invention, the key can be generated on the network side and the generated key delivered to the entities that need to protect the media stream, thereby protecting the transmitted media stream. In addition, since the key is generated by a network-side entity or functional unit, namely the KMF, the practical requirement of lawful interception by a third party can be met.
In summary, the above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

1. A method for obtaining a media stream protection key in an IMS network, characterized in that the method comprises the following steps:
a. the calling terminal device (UE) sends a session request message to a network entity, and the network entity adds a key to the session request message and sends it to the called UE;
b. the called UE returns a response message to the network entity, and the network entity adds a key to the response message and sends it to the calling UE.
2. The method according to claim 1, characterized in that step a is specifically:
ax1. after receiving the session request message sent by the calling UE, the calling network entity obtains the key generated on the calling network side and sends the key generated on the calling network side to the called network entity in the session request message;
ax2. after receiving the session request message, the called network entity obtains the key generated on the called network side, adds it to the session request message, and then sends the session request message to the called UE.
3. The method according to claim 2, characterized in that, after the session request message is sent to the called UE, the method further comprises:
the called UE derives a new key from the key generated on the calling network side and the key generated on the called network side carried in the message, and uses the derived key as the media stream protection key.
4. The method according to claim 1, characterized in that step a is specifically:
ay1. after receiving the message sent by the calling UE, the calling network entity obtains the key generated on the calling network side and sends the key generated on the calling network side to the called network entity in the session request message;
ay2. after receiving the session request message, the called network entity obtains the key generated on the called network side, derives a new key from the key generated on the calling network side and the key generated on the called network side, and carries the derived key as the media stream protection key in the session request message sent to the called UE.
5. The method according to any one of claims 2 to 4, characterized in that the session request message sent to the called UE is a PRACK or UPDATE message.
6. The method according to any one of claims 2 to 4, characterized in that the calling network entity is a calling call session control function entity (S-CSCF) or a calling application server (AS), and the called network entity is a called S-CSCF or a called AS;
the method by which the calling S-CSCF or calling AS obtains the key generated on the calling network side is: the calling S-CSCF or calling AS sends a key request message to the calling key management function entity (KMF), and the calling KMF returns the generated key to the calling S-CSCF or calling AS in a key response message;
the method by which the called S-CSCF or called AS obtains the key generated on the called network side is: the called S-CSCF or called AS sends a key request message to the called KMF, and the called KMF returns the generated key to the called S-CSCF or called AS in a key response message.
7. The method according to any one of claims 2 to 4, wherein the calling network entity is a calling AS-KMF and the called network entity is a called AS-KMF;
the method by which the calling AS-KMF obtains the key generated on the calling network side is: the calling AS-KMF generates a key and uses the generated key as the key generated on the calling network side;
the method by which the called AS-KMF obtains the key generated on the called network side is: the called AS-KMF generates a key and uses the generated key as the key generated on the called network side.
8. The method according to claim 1, characterized in that step b is specifically:
bx1. after receiving the session response message returned by the called UE, the called network entity carries the key generated on the called network side in the session response message and sends it to the calling network entity;
bx2. after receiving the session response message, the calling network entity adds the key generated on the calling network side to the session response message and sends it to the calling UE.
9. The method according to claim 8, characterized in that, after the session response message is sent to the calling UE, the method further comprises:
the calling UE derives a new key from the key generated on the calling network side and the key generated on the called network side carried in the message, and uses the derived key as the media stream protection key.
10. The method according to claim 1, characterized in that step b is specifically:
by1. after receiving the session response message returned by the called UE, the called network entity carries the key generated on the called network side in the session response message and sends it to the calling network entity;
by2. after receiving the session response message, the calling network entity derives a new key from the key generated on the calling network side and the key generated on the called network side, and carries the derived key as the media stream protection key in the session response message sent to the calling UE.
11. The method according to any one of claims 8 to 10, characterized in that the session response message is a 200 response message.
12. The method according to any one of claims 8 to 10, characterized in that the calling network entity is a calling S-CSCF, a calling AS or a calling AS-KMF, and the called network entity is a called S-CSCF, a called AS or a called AS-KMF.
13. The method according to claim 1, characterized in that, before the calling UE sends the session request message in step a, the method further comprises:
the calling UE sends a session establishment request message carrying the media stream security capability information it provides to the called UE through the network entity, the session establishment request message being an INVITE request message; the called UE determines, from the media stream security capability information provided by the calling UE, the media stream security capability information it needs to provide, carries the provided media stream security capability information in a session establishment response message, and returns it to the calling UE through the network entity, the session establishment response message being a 183 response message.
14. The method according to claim 13, characterized in that the network entity comprises a calling network entity and a called network entity, and when the calling network entity receives the INVITE request message the method further comprises: the calling network entity determines that the calling UE has subscribed to the media stream security service, adds to the INVITE request message an identifier indicating that the calling UE has subscribed to the media stream security service, and then proceeds with the step of sending the INVITE request message to the called network entity;
when the called network entity receives the INVITE request message, the method further comprises: the called network entity checks that the request message carries the identifier indicating that the calling UE has subscribed to the media stream security service, determines that the called UE has also subscribed to the media stream security service, and then proceeds with the step of sending the INVITE request message to the called UE;
when the called network entity receives the 183 response message, the method further comprises: the called network entity adds to the 183 response message an identifier indicating that the called UE has subscribed to the media stream security service, and then proceeds with the step of sending the 183 response message to the calling network entity;
when the calling network entity receives the 183 response message, the method further comprises: the calling network entity checks that the message carries the identifier indicating that the called UE has subscribed to the media stream security service, and then proceeds with the step of sending the 183 response message to the calling UE.
15. The method according to claim 13, wherein the network entity comprises a calling network entity and a called network entity, and when the calling network entity receives the INVITE request message the method further comprises: the calling network entity adds to the INVITE request message an identifier indicating that the calling network side entity supports media stream security protection, and then continues with the step of sending the INVITE request message to the called network entity;
when the called network entity receives the INVITE request message, the method further comprises: the called network entity checks that the INVITE request message carries the identifier indicating that the calling network side entity supports media stream security protection, and then continues with the step of sending the INVITE request message to the called UE;
when the called network entity receives the 183 response message, the method further comprises: the called network entity adds to the 183 response message an identifier indicating that the called network side entity supports media stream security protection, and then performs the step of sending the 183 response message to the calling network entity;
when the calling network entity receives the 183 response message, the method further comprises: the calling network entity checks that the 183 response message contains the identifier indicating that the called network side entity supports media stream security protection, and then continues with the step of sending the 183 response message to the calling UE.
16. The method according to claim 15, wherein, after the called network entity has checked that the INVITE request message carries the flag indicating that the calling network side entity supports media stream security protection, the method further comprises: the called network entity adds to the INVITE request message an identifier indicating that the called network side entity supports media stream security protection, and then continues with the step of sending the INVITE request message to the called UE;
after the calling network entity has checked that the 183 response message contains the identifier indicating that the called network side entity supports media stream security protection, the method further comprises: the calling network entity adds to the 183 response message an identifier indicating that the calling network side entity supports media stream security protection, and then continues with the step of sending the 183 response message to the calling UE.
17. The method according to claim 13, wherein the media stream security capability information comprises a media stream security algorithm, and optionally further comprises one or any combination of the media type to be protected and the secure transport protocol type.
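As an added illustration of the capability negotiation and the subscription/support gating in claims 13 to 17 (example code written for this page, not Huawei's implementation or any 3GPP reference code): the calling UE's offer travels in the INVITE, each network entity asserts its subscription and support flags and verifies the far side's flags, the called UE answers in the 183 with the subset of the offer it will provide, and a missing flag or an empty intersection aborts the negotiation. The header names, the crypto-suite strings and the sample offer/answer are constructed assumptions; the claims name only the categories of information exchanged. Dropping any UE-supplied flags before the network asserts its own is a hardening step added here, not something the claims state.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed header names; the claims say a flag is added but not how it is carried.
H_SUBSCRIBED = "X-MediaSec-Subscribed"   # claim 14: UE has subscribed
H_SUPPORTED = "X-MediaSec-Supported"     # claims 15/16: network side supports protection


@dataclass
class SecCaps:
    """Claim 17: algorithm(s) mandatory; media types and transport protocols optional."""
    algorithms: List[str]
    media_types: List[str] = field(default_factory=list)
    transports: List[str] = field(default_factory=list)


@dataclass
class SipMessage:
    kind: str                          # "INVITE" or "183"
    caps: Optional[SecCaps] = None
    headers: dict = field(default_factory=dict)


class NegotiationError(Exception):
    pass


def calling_network_on_invite(msg: SipMessage, caller_subscribed: bool) -> SipMessage:
    """Claims 14 and 15, calling side. Flags arriving from the UE are dropped first
    (hardening added here) so that only the network asserts subscription/support."""
    for h in (H_SUBSCRIBED, H_SUPPORTED):
        msg.headers.pop(h, None)
    if not caller_subscribed:
        raise NegotiationError("calling UE has not subscribed to media stream security")
    msg.headers[H_SUBSCRIBED] = "calling"
    msg.headers[H_SUPPORTED] = "calling"
    return msg


def called_network_on_invite(msg: SipMessage, callee_subscribed: bool) -> SipMessage:
    """Claims 14, 15 and 16, called side: verify the caller-side flags, check the
    callee's own subscription, then add the called-side support flag."""
    if msg.headers.get(H_SUBSCRIBED) != "calling":
        raise NegotiationError("INVITE lacks the calling-UE subscription flag")
    if msg.headers.get(H_SUPPORTED) != "calling":
        raise NegotiationError("INVITE lacks the calling-network support flag")
    if not callee_subscribed:
        raise NegotiationError("called UE has not subscribed to media stream security")
    msg.headers[H_SUPPORTED] = "calling,called"
    return msg


def called_ue_answer(invite: SipMessage, own: SecCaps) -> SipMessage:
    """Claim 13: the called UE picks, from the caller's offer, what it will provide.
    Offer order is kept, so the caller's preference decides among common entries."""
    offered = invite.caps
    chosen = SecCaps(
        algorithms=[a for a in offered.algorithms if a in own.algorithms],
        media_types=[m for m in offered.media_types if m in own.media_types],
        transports=[t for t in offered.transports if t in own.transports],
    )
    if not chosen.algorithms:
        raise NegotiationError("no common media stream security algorithm")
    return SipMessage("183", caps=chosen)


def called_network_on_183(resp: SipMessage) -> SipMessage:
    """Claims 14 and 15: called network marks callee subscription and its own support."""
    resp.headers[H_SUBSCRIBED] = "called"
    resp.headers[H_SUPPORTED] = "called"
    return resp


def calling_network_on_183(resp: SipMessage) -> SipMessage:
    """Claims 14, 15 and 16: calling network verifies the called-side flags and adds
    its own support flag before passing the 183 to the calling UE."""
    if resp.headers.get(H_SUBSCRIBED) != "called":
        raise NegotiationError("183 lacks the called-UE subscription flag")
    if resp.headers.get(H_SUPPORTED) != "called":
        raise NegotiationError("183 lacks the called-network support flag")
    resp.headers[H_SUPPORTED] = "called,calling"
    return resp


def negotiate(caller: SecCaps, callee: SecCaps,
              caller_subscribed: bool = True, callee_subscribed: bool = True) -> SecCaps:
    """Run the INVITE/183 round trip and return the capabilities both UEs agreed on."""
    invite = SipMessage("INVITE", caps=caller)
    invite = calling_network_on_invite(invite, caller_subscribed)
    invite = called_network_on_invite(invite, callee_subscribed)
    resp = called_ue_answer(invite, callee)
    resp = calling_network_on_183(called_network_on_183(resp))
    return resp.caps


if __name__ == "__main__":
    # Constructed sample offer and answer, not taken from the page.
    offer = SecCaps(["AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"],
                    ["audio", "video"], ["SRTP"])
    answer = SecCaps(["AES_CM_128_HMAC_SHA1_32"], ["audio"], ["SRTP"])
    print(negotiate(offer, answer))
```

The checks are deliberately asymmetric: the called network rejects an INVITE whose caller-side flags are absent, and the calling network rejects a 183 whose callee-side flags are absent, so a call in which either operator or either subscriber lacks the service never reaches the key-distribution steps of the later claims.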
18. A system for obtaining a media stream protection key in an IMS network, the system comprising:
a terminal device UE, which, when acting as a calling UE, is configured to send a session request message to a network entity and to receive a session response message carrying a key, and, when acting as a called UE, is configured to receive a session request message sent by the network entity and to return a session response message;
a network entity, configured, on receiving a session request message sent by the calling UE, to add a key to the session request message and send it to the called UE, and further configured to receive a session response message sent by the called UE, add a key to the session response message and send it to the calling UE.
19. The system according to claim 18, wherein the network entity, when acting as a calling network entity, is configured to receive the session request message sent by the calling UE, obtain a key generated on the calling network side, and send the key generated on the calling network side to the called network entity in the session request message; and to receive the session response message returned by the called network entity, add the key generated on the calling network side to the session response message and send it to the calling UE;
the network entity, when acting as a called network entity, is configured to receive the session request message from the calling network entity, obtain a key generated on the called network side, add it to the session request message and send the session request message to the called UE; and to receive the session response message returned by the called UE, carry the key generated on the called network side in the session response message and send it to the calling network entity.
20. The system according to claim 19, wherein the UE is further configured to derive a new key from the received key generated on the calling network side and the received key generated on the called network side, and to use the derived key as the media stream protection key.
21. The system according to claim 18, wherein the network entity, when acting as a calling network entity, is configured to receive the session request message sent by the calling UE, obtain a key generated on the calling network side, and send the key generated on the calling network side to the called network entity in the session request message; and to receive the session response message returned by the called network entity, derive a new key from the key generated on the calling network side and the key generated on the called network side, and send the derived key to the calling UE in the session response message;
the network entity, when acting as a called network entity, is configured to receive the session request message from the calling network entity, obtain a key generated on the called network side, derive a new key from the key generated on the calling network side and the key generated on the called network side, and send the derived key to the called UE in the session request message as the media stream protection key; and to receive the session response message returned by the called UE, carry the key generated on the called network side in the session response message and send it to the calling network entity.
22. The system according to any one of claims 19 to 21, wherein the network entity is a call session control function entity S-CSCF or an application server AS, and the system further comprises:
a key management function entity KMF, configured to receive a key request message from the S-CSCF or AS, generate a key, and return it to the S-CSCF or AS in a key response message.
23. The system according to any one of claims 19 to 21, wherein the network entity is an AS-KMF, the key obtained by the network entity is a key generated by the AS-KMF itself, and the system further comprises:
an S-CSCF, configured to forward session messages between the UE and the AS-KMF.
24. A network entity for providing a media stream protection key to a terminal device UE in an IMS network, the network entity comprising:
a receiving unit, configured to receive a session request message sent by a calling UE and to receive a session response message sent by a called UE;
a key obtaining unit, configured, on receipt of the session request message sent by the calling UE, to add a key to the session request message and send it to the called UE through the sending unit, and, on receipt of the session response message sent by the called UE, to add a key to the session response message and send it to the calling UE through the sending unit;
a sending unit, configured to send the session request message to the called UE and the session response message to the calling UE.
25. The network entity according to claim 24, wherein the network entity is an S-CSCF or an AS and the key is a key provided by a KMF; or
the network entity is an AS-KMF and the key is a key generated by the AS-KMF itself.
26. The network entity according to claim 25, wherein, if the network entity is an AS-KMF, the key obtaining unit comprises: a key generating unit, configured to generate a key and provide it to a key adding unit;
a key adding unit, configured, on receipt of the session request message sent by the calling UE, to add the key to the session request message and send it to the called UE through the sending unit, and, on receipt of the session response message sent by the called UE, to add the key to the session response message and send it to the calling UE through the sending unit.
27. The network entity according to claim 24, wherein the network entity is a calling network entity and the key added to the session response is a derived key, the network entity being further configured, on receipt of the session response message sent by the called UE, to derive a new key from the key generated on the calling network side and the key generated on the called network side; or
the network entity is a called network entity and the key added to the session request message is a derived key, the network entity being further configured, on receipt of the session request message sent by the calling UE, to derive a new key from the key generated on the calling network side and the key generated on the called network side.
28. A user equipment UE for obtaining a media stream protection key in an IMS network, the user equipment comprising:
a transceiver unit, configured to send and receive session messages;
a parsing unit, configured to parse the key out of a session message received by the transceiver unit when that message carries a key;
a key derivation unit, configured, when the parsing unit parses out of a session message both a key generated on the calling network side and a key generated on the called network side, to derive a new key from the parsed calling-side key and called-side key and to use the derived key as the media stream protection key.
29. The UE according to claim 28, further comprising: a storage unit, configured to store the key derived by the key derivation unit.
30. A method for obtaining a media stream protection key in an IMS network, the method comprising the following steps:
a network entity, after receiving a session message, obtains a key from a key management function entity KMF; the network entity sends the obtained key to a terminal device UE and to a media processing function entity MP respectively.
31. The method according to claim 30, wherein the network entity is a calling AS, the UE is a calling UE, the MP is a calling MP and the KMF is a calling KMF; or
the network entity is a called AS, the UE is a called UE, the MP is a called MP and the KMF is a called KMF.
32. The method according to claim 31, wherein, if the network entity is the calling AS and the UE is the calling UE, the session message received by the calling AS is a 200 message, and the calling AS sends the obtained key to the calling UE as follows:
the calling AS carries the key in the 200 message and sends it through the calling S-CSCF to the calling P-CSCF, and the calling P-CSCF sends the 200 message carrying the key to the calling UE.
33. The method according to claim 31, wherein, if the network entity is the calling AS and the MP is the calling MP, the session message received by the calling AS is a 200 message, and the calling AS sends the obtained key to the calling MP as follows:
the calling AS carries the key in the 200 message and sends it through the calling S-CSCF to the calling P-CSCF, and the calling P-CSCF delivers the key to the calling MP.
34. The method according to claim 31, wherein, if the network entity is the called AS and the UE is the called UE, the session message received by the called AS is a PRACK message or an UPDATE message, and the called AS sends the obtained key to the called UE as follows: the called AS carries the key in the PRACK message or UPDATE message and sends it through the called S-CSCF to the called P-CSCF, and the called P-CSCF sends the PRACK message or UPDATE message carrying the key to the called UE.
35. The method according to claim 31, wherein, if the network entity is the called AS and the MP is the called MP, the session message received by the called AS is a PRACK message or an UPDATE message, and the called AS sends the obtained key to the called MP as follows:
the called AS carries the key in the PRACK message or UPDATE message and sends it through the called S-CSCF to the called P-CSCF, and the called P-CSCF delivers the key to the called MP.
36. The method according to claim 31, wherein, if the network entity is the calling AS, the UE is the calling UE and the MP is the calling MP, the session message received by the calling AS is a 200 message, and the calling AS sends the obtained key to the calling MP as follows: the calling AS sends the obtained key directly to the calling MP;
the calling AS sends the obtained key to the calling UE as follows: the calling AS carries the key in the 200 message and sends it to the calling UE through the calling S-CSCF and the calling P-CSCF.
37. The method according to claim 31, wherein, if the network entity is the called AS, the UE is the called UE and the MP is the called MP, the session message received by the called AS is a PRACK message, and the called AS sends the obtained key to the called MP as follows: the called AS sends the obtained key directly to the called MP;
the called AS sends the obtained key to the called UE as follows: the called AS carries the key in the PRACK message and sends it to the called UE through the called S-CSCF and the called P-CSCF.
38. The method according to claim 30, wherein the UE is a calling UE, the network entity is a calling network entity and the MP is a calling MP, and before step A the method further comprises:
the calling UE sends an INVITE session establishment request message to the calling network entity, the INVITE request message carrying the media stream security capability information provided by the calling UE, and the calling network entity returns to the calling UE a 183 response message carrying the media stream security capability information supported by the calling MP, as provided by the calling side.
39. The method according to claim 30, wherein the UE is a called UE, the network entity is a called network entity and the MP is a called MP, and before step A the method further comprises:
after the called network entity receives the INVITE session establishment request message, it sends to the called UE an INVITE session establishment request message carrying the media stream security capability information supported by the called MP, as provided by the called side, and the called UE returns to the called network entity a 183 session response message carrying the media stream security capability information it provides.
40. A system for obtaining a media stream protection key in an IMS network, the system comprising:
a terminal device UE, configured to receive a key sent by a network entity;
a media processing function MP, configured to receive a key sent by the network entity;
a network entity, configured to receive a session message, obtain a key from a key management function KMF, and send the key to the UE and the MP;
a key management function KMF, configured to generate keys.
41. The system according to claim 40, wherein the network entity is a calling CSCF or a calling AS, the UE is a calling UE, the MP is a calling MP and the KMF is a calling KMF; or
the network entity is a called CSCF or a called AS, the UE is a called UE, the MP is a called MP and the KMF is a called KMF.
42. The system according to claim 41, wherein the KMF is a functional module within an AS or an S-CSCF.
43. A network entity for providing a media stream protection key in an IMS network, the network entity comprising:
a receiving unit, configured to receive a session message;
a key obtaining unit, configured, on receipt of a session message, to obtain a key from a key management function KMF, add the key to the session message and pass it to the sending unit;
a sending unit, configured to send the session message carrying the key to the UE and to the media processing function MP.
44. The network entity according to claim 43, wherein the network entity is a CSCF or an AS.
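An added example (written for this page, not Huawei's code or any operator's implementation) that runs both key-distribution paths the claims describe: the two-key path of claims 18 to 29, where each side's network entity adds its own KMF-issued key to the INVITE and to the 183 and both UEs derive the same media stream protection key from the pair, and the per-side path of claims 30 to 44, where an AS fetches a key from its KMF on the 200 (calling side) or PRACK (called side) and hands it to its own UE and, directly as in claims 36 and 37, to its own MP. Assumed here because the claims leave them open: 16-byte random KMF keys, HMAC-SHA-256 bound to the call identifier as the derivation, and the header names used to carry keys. Messages are plain dicts standing in for SIP.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Assumed header names; the claims say which message carries a key, not how.
H_CALLING_KEY = "X-Key-Calling"
H_CALLED_KEY = "X-Key-Called"
H_SIDE_KEY = "X-Media-Key"


class KMF:
    """Key management function (claims 22, 40): one fresh key per request."""

    def __init__(self) -> None:
        self.issued: Dict[str, bytes] = {}

    def request_key(self, call_id: str) -> bytes:
        key = os.urandom(16)
        self.issued[call_id] = key
        return key


def derive_media_key(call_id: str, k_calling: bytes, k_called: bytes) -> bytes:
    """The 'derive a new key' step of claims 20, 21, 27 and 28. The claims fix no
    derivation function; HMAC-SHA-256 bound to the call identifier is assumed."""
    return hmac.new(k_calling + k_called, b"ims-media:" + call_id.encode(),
                    hashlib.sha256).digest()[:16]


class MP:
    """Media processing function (claims 30, 40) holding the per-side key."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}


class UE:
    """Claims 28 and 29: parse keys out of a session message, derive, store."""

    def __init__(self) -> None:
        self.media_keys: Dict[str, bytes] = {}

    def on_message(self, msg: dict) -> None:
        h, call_id = msg["headers"], msg["call_id"]
        if H_CALLING_KEY in h and H_CALLED_KEY in h:          # claims 20, 28
            self.media_keys[call_id] = derive_media_key(
                call_id, bytes.fromhex(h[H_CALLING_KEY]), bytes.fromhex(h[H_CALLED_KEY]))
        elif H_SIDE_KEY in h:                                 # claims 32, 34
            self.media_keys[call_id] = bytes.fromhex(h[H_SIDE_KEY])


class NetworkEntity:
    """S-CSCF or AS with its side's KMF behind it (claims 19, 22, 24, 25)."""

    def __init__(self, side: str, kmf: KMF) -> None:
        self.side, self.kmf = side, kmf               # "calling" or "called"
        self.keys: Dict[str, bytes] = {}

    def own_header(self) -> str:
        return H_CALLING_KEY if self.side == "calling" else H_CALLED_KEY

    def on_invite(self, msg: dict) -> dict:
        """Claim 19: each side adds the key its own KMF generated to the INVITE,
        so the called UE receives both K_calling and K_called."""
        key = self.kmf.request_key(msg["call_id"])
        self.keys[msg["call_id"]] = key
        msg["headers"][self.own_header()] = key.hex()
        return msg

    def on_183(self, msg: dict) -> dict:
        """Claim 19: the called side carries K_called back and the calling side
        adds K_calling, so the calling UE derives the same key (claim 20)."""
        msg["headers"][self.own_header()] = self.keys[msg["call_id"]].hex()
        return msg

    def distribute_per_side(self, msg: dict, mp: MP) -> dict:
        """Claims 30-37: on the 200 (calling AS) or PRACK/UPDATE (called AS),
        fetch a key from this side's KMF, carry it to the UE in that message and
        hand the same key directly to this side's MP."""
        key = self.kmf.request_key(msg["call_id"])
        msg["headers"][H_SIDE_KEY] = key.hex()
        mp.keys[msg["call_id"]] = key
        return msg


def end_to_end_call(call_id: str = "call-1") -> Tuple[bytes, bytes]:
    """Claims 18-21 path; returns (calling UE key, called UE key), which match."""
    caller, callee = UE(), UE()
    net_a, net_b = NetworkEntity("calling", KMF()), NetworkEntity("called", KMF())
    invite = {"type": "INVITE", "call_id": call_id, "headers": {}}
    callee.on_message(net_b.on_invite(net_a.on_invite(invite)))
    resp = {"type": "183", "call_id": call_id, "headers": {}}
    caller.on_message(net_a.on_183(net_b.on_183(resp)))
    return caller.media_keys[call_id], callee.media_keys[call_id]


def per_side_call(call_id: str = "call-2") -> Tuple[bytes, bytes, bytes, bytes]:
    """Claims 30-37 path; returns (calling UE, calling MP, called UE, called MP)
    keys: each UE shares a key with its own side's MP, not with the far UE."""
    caller, callee, mp_a, mp_b = UE(), UE(), MP(), MP()
    as_a, as_b = NetworkEntity("calling", KMF()), NetworkEntity("called", KMF())
    callee.on_message(as_b.distribute_per_side(
        {"type": "PRACK", "call_id": call_id, "headers": {}}, mp_b))
    caller.on_message(as_a.distribute_per_side(
        {"type": "200", "call_id": call_id, "headers": {}}, mp_a))
    return (caller.media_keys[call_id], mp_a.keys[call_id],
            callee.media_keys[call_id], mp_b.keys[call_id])
```

In both paths the keys ride inside SIP signalling, so every network entity that handles the message (S-CSCF or AS, and in the per-side path also the P-CSCF and the MP) holds the media key in the clear. Confidentiality of the media therefore rests on hop-by-hop protection of the signalling path and on trust in those operator-side entities; that is the premise of a network-side KMF (claims 22 and 40), and a deployment should treat those entities, and the KMF's key log, as the trust boundary.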
PCT/CN2008/070138 2007-01-19 2008-01-18 A method, a system and an equipment for obtaining the media stream protecting key in ims network WO2008089694A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710000760.2 2007-01-19
CN 200710000760 CN101227272A (en) 2007-01-19 2007-01-19 System and method for obtaining media stream protection cryptographic key

Publications (1)

Publication Number Publication Date
WO2008089694A1 true WO2008089694A1 (en) 2008-07-31

Family

ID=39644134

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070138 WO2008089694A1 (en) 2007-01-19 2008-01-18 A method, a system and an equipment for obtaining the media stream protecting key in ims network

Country Status (2)

Country Link
CN (1) CN101227272A (en)
WO (1) WO2008089694A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618903A (en) * 2013-11-04 2015-05-13 华为技术有限公司 Key negotiation processing method and apparatus

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101834722B (en) * 2010-04-23 2012-06-13 西安西电捷通无线网络通信股份有限公司 Communication method for encrypted equipment and unencrypted equipment hybrid networking
CN101902324B (en) * 2010-04-29 2012-11-07 天维讯达无线电设备检测(北京)有限责任公司 Method and system for establishing communication key between nodes
CN101834862B (en) * 2010-04-29 2013-02-13 西安西电捷通无线网络通信股份有限公司 Method and system for establishing safe connection between nodes
CN101814987B (en) * 2010-04-29 2012-06-13 西安西电捷通无线网络通信股份有限公司 Method and system for establishing key between nodes
CN101841413B (en) * 2010-05-20 2012-03-07 西安西电捷通无线网络通信股份有限公司 Creation method of end-to-end secure link and system
CN101841414B (en) * 2010-05-20 2012-05-23 西安西电捷通无线网络通信股份有限公司 Creation method of end-to-end communication key and system
CN101841547B (en) * 2010-05-20 2012-08-08 西安西电捷通无线网络通信股份有限公司 Creation method of end-to-end shared key and system
CN107342970B (en) * 2016-05-03 2020-08-07 华为技术有限公司 Encryption mode determination method, calling device, called device and VoIP system
CN109981527B (en) * 2017-12-27 2021-09-17 中国移动通信集团山东有限公司 Method and device for association processing, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1658552A (en) * 2004-02-17 2005-08-24 华为技术有限公司 Method for safety transfering medium flow
CN1681241A (en) * 2004-04-07 2005-10-12 华为技术有限公司 Secret key distributing method of end-to-end encrypted telecommunication
CN1773904A (en) * 2004-11-08 2006-05-17 中兴通讯股份有限公司 Universal safety grade consulting method
CN1801697A (en) * 2005-01-07 2006-07-12 华为技术有限公司 Method for arranging key in IP multimedia service subsystem network
CN1801698A (en) * 2005-01-07 2006-07-12 华为技术有限公司 Method for ensuring media stream safety in IP multimedia service subsystem network
CN1889767A (en) * 2005-06-30 2007-01-03 华为技术有限公司 Method for achieving media flow security and communication system

Also Published As

Publication number Publication date
CN101227272A (en) 2008-07-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 08700795; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 08700795; Country of ref document: EP; Kind code of ref document: A1)