WO2023206909A1

WO2023206909A1 - Volte voice encrypted communication method, terminal and system

Info

Publication number: WO2023206909A1
Application number: PCT/CN2022/117510
Authority: WO
Inventors: 王丙磊; 陈文俊; 赵鹏; 刘驰; 王建
Original assignee: 中电信量子科技有限公司
Priority date: 2022-04-26
Filing date: 2022-09-07
Publication date: 2023-11-02
Also published as: JP2024520245A; CN114553422A; CN114553422B

Abstract

Disclosed are a VoLTE voice encrypted communication method, a terminal and a system, in the technical field of wireless communications. The method comprises: a calling terminal and a called terminal each completing identity authentication to a key management platform to which the calling terminal and the called terminal belong, by means of authentication keys stored in corresponding security chips thereof; the calling terminal initiating a call, sending a verification request to a cloud encrypted call service management platform, and acquiring an encrypted call identifier returned by the cloud encrypted call service management platform; after the call is connected, the calling terminal and the called terminal playing alert tones and applying for a session key of the present call to the key management platform to which the calling terminal and the called terminal belong, on the basis of the encrypted call identifier; the calling terminal and the called terminal synchronizing the key acquisition states of the calling terminal and the called terminal using a media channel, on the basis of the session key, and then carrying out encrypted voice communication; when the call is hung up, the two parties sending an encrypted ending message, to end the present key call. The present invention does not require a certificate management module, has fast computational speed and high security, and has high synchronization efficiency and a good user experience.

Description

VoLTE voice encrypted communication method, terminal and system

Technical field

The present invention relates to the field of wireless communication technology, and specifically relates to a VoLTE voice encrypted communication method, terminal and system.

Background technique

Voice over Long Term Evolution (VoLTE) is a voice service based on IP Multimedia Subsystem (IMS) and is an IP data transmission technology. VoLTE does not require a 2G/3G network, and all services are carried on the 4G network, which can achieve shorter wait time for connection and higher-quality, more natural voice and video call effects. IMS itself provides a complex and relatively secure authentication and authentication mechanism. However, as malicious monitoring becomes more and more common, VoLTE requires a special encryption mechanism to ensure the security of its calls.

Currently, there are three main problems faced in order to realize VoLTE voice encryption and subsequent large-scale promotion:

(1) Traditional VoLTE encryption provides a certificate-dependent security mechanism. Terminals often need to install APPs to implement functions, so the VoLTE key transfer process relies on certificate security mechanisms. Because the mechanism relies on mathematical calculations such as large number decomposition, there will be a problem that security gradually decreases as the frequency of use increases. And because there is end-to-end negotiation in the session key delivery and negotiation process in the certificate mechanism, it is difficult for the platform to monitor the key. is also a problem.

(2) For implementing VoLTE encrypted calls, the existing solution is to extend the SIP protocol stack and enable call session processes with preset conditions to support operations such as encrypted phone identification, clear and secret call identification, call response, and connection state interoperability control. To this end, the entire IMS network needs to be checked, verified and modified to ensure that it can use transparent transmission by default for SIP extension fields to ensure that the terminal Modem chips of both communicating parties can recognize and process the SIP extension fields. At the same time, the terminal Modem chips need to be customized and modified. To support SIP extension fields and parse the extended content. This solution requires transformation of mobile phone terminals, modules, and IMS networks. It requires a large amount of transformation and cannot be automatically and smoothly upgraded as the terminal version evolves.

(3) With the development of QKD network construction, various places have their own needs to build their own password management systems. Most password management systems realize the filling of secure media within the system. However, in practice, for VoLTE services, there is a need for wide-area interoperability of call services, and independent password management systems need to have key negotiation and session key issuance functions. Therefore, it is necessary to integrate the security requirements of customers' own cryptographic system construction and the interoperability requirements of the entire network to improve the compatibility of VoLTE encryption services.

In related technology, the invention patent application with the publication number CN114040385A discloses an encrypted call system and method based on VoLTE. The system includes: a cloud encrypted call service management platform, an operator network and a mobile phone component; wherein, the cloud encrypted call The business management platform is used to provide user management and certificate management based on VoLTE voice call services, as well as session key distribution; the operator network is used to carry and transmit data between the cloud encrypted voice business management platform and the mobile phone; the The mobile phone component is used to provide encrypted call functions and real-time encryption and decryption of call data during the call. This solution avoids the transformation of the telecom operator's IMS network and the extension of the signaling control protocol SIP protocol, and allows users to make VoLTE encrypted calls across the telecom operator's network. However, the cloud encrypted voice business management platform is used to provide the API interface of the key management center client for identity verification when users log in and the issuance of the client's SM2 encryption certificate. The certificate management module still needs to call the key management center. The API interface is used for the application, download and destruction management operations of the user's SM2 encryption certificate. The key transfer process relies on the certificate security mechanism.

The invention patent application with the publication number CN106941403A discloses a secure mobile communication system and method based on quantum keys, including a quantum key service station, several mobile terminals and a public communication network. The quantum key service station and mobile terminals communicate through public communication Network communication; the quantum key service station is used to provide quantum key download services to mobile terminals and complete the security management and control of quantum keys. The mobile terminal is used to implement basic call functions and additional secure communication functions, and the public communication network is used to implement Data transfer function. Although this solution is an encrypted communication method in which the quantum key service station provides keys, in the specific method, electronic tags are used to monitor the keys of both mobile parties. The mobile terminals of the calling party and the called party are at the quantum key service station. Perform identity authentication and download the shared quantum key to add the electronic tag. The quantum key is applied in advance. When making a secret call, the calling party sends its own electronic tag authentication information and reaches the called party through the public communication network. The called party The electronic tag is identified and the called party's electronic tag authentication information is fed back to the calling party through the public communication network. Both parties perform label authentication respectively. After successful authentication, the calling party and the called party retrieve the stored quantum key. Confidential communication begins. However, the communication interaction process requires the use of a tag system, and the interaction process is cumbersome.

Contents of the invention

The technical problem to be solved by this invention is how to solve the problem of certificate dependence in VoLTE handheld terminal authentication.

The present invention solves the above technical problems through the following technical means:

On the one hand, the present invention proposes a VoLTE voice encrypted communication method. Security chips are integrated into the calling terminal and the called terminal respectively. The method includes:

The calling terminal and the called terminal respectively complete the identity authentication to the key management platform to which they belong through the authentication keys stored in their corresponding security chips;

The calling terminal initiates a call, and the calling terminal and the called terminal send verification requests to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform;

After the call is connected, the calling terminal and the called terminal play prompt tones and apply to their respective key management platforms for session keys for this call based on the encrypted call identification. The session keys are provided by the quantum key distribution network. distribution;

The calling terminal and the called terminal use the media channel to synchronize the key acquisition status of the calling terminal and the called terminal based on the session key, and then conduct an encrypted voice call;

The calling terminal and the called terminal send encrypted end messages to end this key call.

In the present invention, the calling terminal and the called terminal are both integrated with security chips. The calling terminal and the called terminal use the authentication keys stored in their respective internally integrated security chips to complete identity authentication to the key management platform to which they belong. The key management platform stores session key pairs distributed through the quantum key distribution network. It uses symmetric key algorithms to achieve VoLTE terminal authentication and key distribution. It does not require a certificate management module and has faster calculation speed than the certificate system. , High safety features. Moreover, the encrypted call is initiated by VoLTE. The clear call is connected first and then the key negotiation process is carried out. This avoids premature key negotiation and avoids the problem of users answering the phone too quickly and having too high key negotiation requirements. When initiating a clear conversation, a prompt tone is played at one end first, and the actual encrypted conversation is carried out after key negotiation. For the user, only the encrypted conversation is perceived, and the user experience is good. In addition, by using the connected media channel as the key status synchronization interface, the key synchronization time can be synchronized through the media channel to improve synchronization efficiency.

Further, the calling terminal and the called terminal respectively complete the identity authentication to the key management platform through the authentication keys stored in their corresponding security chips, including:

The security chips respectively obtain the identification of the key management platform to which they belong;

The calling terminal and the called terminal respectively call the authentication keys stored in their corresponding security chips to complete the identity authentication to the key management platform to which they belong;

The calling terminal and the called terminal upload the identification of the key management platform to which they belong and their own terminal identification to the cloud encrypted voice service management platform, so that the cloud key service management platform generates the terminal identification and key Manage and store the comparison table of platform identifiers.

Further, the calling terminal initiates a call, and the calling terminal and the called terminal send verification requests to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform, including:

The calling terminal and the called terminal report the calling number and the called number of the current call to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform can use the calling number and the called number according to the calling number and the called number. The number generates the secret code ID for this call;

When the cloud encrypted voice service management platform determines that the key management platform identities of the calling terminal and the called terminal are inconsistent based on the comparison table, the calling terminal and the called terminal obtain the cloud encrypted voice service. The secret conversation identifier returned by the management platform and the identifier of the key management platform to which the peer belongs.

Further, after the call is connected, the calling terminal and the called terminal play a prompt tone, and apply to the key management platform to which they belong for a session key for this call based on the secret conversation identifier. The session key is provided by Quantum key distribution system distribution, including:

The called terminal sends a first key request to the key management platform to which it belongs, so that the key management platform obtains the key identification from the cryptographic machine and returns it to the called terminal. The first key The request carries the secret conversation identifier and the identifier of the key management platform to which the peer belongs;

The called terminal pushes the key identifier and the encrypted call identifier to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform Push to the calling terminal;

The calling terminal sends a second key request to the key management platform to which it belongs, so that the key management platform returns the session key to the calling terminal, and the second key request carries the key Identity and said secret phrase identification.

Further, the key management platform obtains the key identification from the encryption machine and returns it to the called terminal, including:

The key management platform sends a first key application to the cryptographic machine, so that the cryptographic machine initiates a second key application to the QKD network to which it is connected based on the first key application, wherein the first key application is sent to the cryptographic machine. The information carried in the first key application includes the encrypted call identifier, the calling number, the called number and the identification of the key management platform to which the opposite end belongs, and the information carried in the second key application includes the key management platform to which the opposite end belongs. The identification of the key management platform;

The QKD network obtains a symmetric key of the QKD node to which the calling terminal and the called terminal belong based on the second key application, and returns the symmetric key to the cryptographic machine;

The cryptographic machine returns the symmetric key and key identification to the called terminal through the key management platform.

Further, the calling terminal and the called terminal use the media channel to synchronize the key acquisition status of the calling terminal and the called terminal based on the session key, and then conduct an encrypted voice call, including:

The calling terminal and the called terminal obtain the session key;

The calling terminal and the called terminal synchronize the notification information of key acquisition to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform transparently transmits the notification information to the calling terminal and the called terminal. The called terminal completes key acquisition status synchronization.

Further, when at least one of the calling terminal and the called terminal is a SIP terminal that requests distribution of an encryption ID based on the SIP extension field, the method further includes:

The cloud encrypted call service management platform and the IMS network complete a user synchronization interface and an encrypted call identification push interface;

The cloud encrypted call service management platform or the IMS network generates the encrypted call identifier, and the IMS network delivers the corresponding encrypted call identifier to the SIP terminal. The SIP terminal includes a key middleware and Voice middleware;

The voice middleware obtains the secret speech identifier processed by the baseband chip, calls the key middleware, and applies to the key management platform to obtain the session key.

In addition, the present invention also proposes a VoLTE voice encrypted communication terminal. The terminal is provided with a security chip and an intermediate component. An authentication key is stored in the security chip. The intermediate component includes a key middleware and a business middleware. software and voice middleware, including:

The key middleware is used to use the authentication key stored in the security chip to complete the identity authentication to the key management platform to which it belongs. The business middleware requests login from the cloud encrypted voice business management platform. The voice Middleware performs self-starting;

The business middleware is used to send a verification request to the cloud encrypted call service management platform after both parties initiate a call to obtain the encrypted call identifier returned by the cloud encrypted call service management platform; the business middleware is used to After the call is connected and the terminal plays the prompt tone, it calls the key middleware and applies to the key management platform to which it belongs for the session key for this call based on the secret speech identifier. The session key is provided by Quantum key distribution network distribution;

The key middleware is used to transfer the session key to the voice middleware, and after the voice middleware uses the media channel to complete the key acquisition status synchronization of both parties, the two parties conduct encrypted voice calls;

The voice middleware is used to send an encrypted end message after the call is hung up to end the key call.

Further, the business middleware includes a UI display module, a secret conversation notification module, a secret conversation identification synchronization module and a key negotiation initiation module, wherein:

The UI display module is used to display the judgment information for coordinating user signing with the cloud secret conversation service management platform, the notification and identification synchronization information of this secret conversation, and the key negotiation status of the start of this secret conversation;

The secret call notification module is used to interact with the interface of the cloud secret call service management platform;

The secret conversation identification synchronization module is used to obtain the secret conversation identification and the peer acquisition status returned by the cloud secret conversation service management platform after the cloud secret conversation service management platform determines that both parties have the qualifications and conditions for a secret conversation call. , complete the issuance and synchronization of the secret call ID;

The key negotiation initiating module is configured to initiate a key request to the key middleware based on the key identification and obtain the corresponding key negotiation status after completing the key identification synchronization.

Further, the key middleware includes an external service interface, a general cryptographic service module and a cryptographic device service module, wherein:

The external service interface is used to connect external applications through inter-process communication;

The general cryptographic service module is used to provide key management, identity authentication and key calculation interfaces;

The cryptographic device service module is used to obtain the authentication key stored in the security chip.

Further, the voice middleware includes a voice interception module, a voice rate filtering module, a voice encryption module and a voice backhaul module, wherein:

The voice interception module is used to monitor the voice data transmission channel in the current terminal system, intercept and return voice call data;

The voice rate screening module is used to receive and detect the voice call data transmitted by the voice interception module to obtain AMR payload data;

The voice encryption module is used for key processing, session key status negotiation, and voice data encryption and decryption to send and receive;

The voice return module is used to send the AMR payload data to the voice encryption module in a single frame, and return the voice encryption data processed by the voice encryption module to the voice rate screening module. .

In addition, the present invention also proposes a VoLTE voice encrypted communication system, which includes: a quantum key distribution network, a calling terminal, a called terminal, a first key management platform, a second key management platform, a first Cipher machine, second cipher machine, cloud encrypted voice service management platform and operator network;

The calling terminal and the called terminal are respectively integrated with security chips, and an authentication key is stored in the security chip;

The calling terminal is connected to the first key management platform, the called terminal is connected to the second key management platform, and the first key management platform is connected to the quantum computer via the first cryptographic machine. Key distribution network, the second key management platform is connected to the quantum key distribution network via the second encryption machine, and the calling terminal and the called terminal are respectively connected via the operator network The cloud encrypted voice business management platform;

The calling terminal and the called terminal are both provided with intermediate components. The intermediate components include key middleware, service middleware and voice middleware. The key middleware and the first key management The platform or the second key management platform is connected, the business middleware is connected with the cloud encrypted voice business management platform, and the voice middleware is connected with the underlying data transmission channel;

The key middleware is used to use the authentication key stored in the corresponding security chip to complete the identity authentication to the key management platform to which it belongs, and the business middleware requests login from the cloud encrypted voice business management platform , the voice middleware performs self-starting;

After the calling terminal initiates a call, the service middleware is used to send a verification request to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform;

After the call is connected, the calling terminal and the called terminal play prompt tones, and the business middleware calls the key middleware and applies to the key management platform to which it belongs for the session secret for this call based on the secret conversation identifier. Key, the session key is distributed by the quantum key distribution network;

The key middleware transfers the session key to the voice middleware, and after the voice middleware uses the media channel to complete the key acquisition status synchronization of the calling terminal and the called terminal, the calling terminal and the called terminal Call the terminal to make an encrypted voice call;

After the call is hung up, the voice middleware sends an encrypted end message to end this key call.

The advantages of the present invention are:

(1) In the present invention, the calling terminal and the called terminal are both integrated with security chips. The calling terminal and the called terminal use the authentication keys stored in their respective internally integrated security chips to complete the authentication to the key management platform to which they belong. Identity authentication, the key management platform stores session key pairs distributed through the quantum key distribution network, and uses symmetric key algorithms to achieve VoLTE terminal authentication and key distribution without the need for a certificate management module. Compared with the certificate system, it has It has the characteristics of fast calculation speed and high security. Moreover, the encrypted call is initiated by VoLTE. The clear call is connected first and then the key negotiation process is carried out. This avoids premature key negotiation and avoids the problem of users answering the phone too quickly and having too high key negotiation requirements. When initiating a clear conversation, a prompt tone is played at one end first, and the actual encrypted conversation is carried out after key negotiation. For the user, only the encrypted conversation is perceived, and the user experience is good. In addition, by using the connected media channel as the key status synchronization interface, the key synchronization time can be synchronized through the media channel and the synchronization efficiency can be improved.

(2) The present invention can complete an end-to-end example from the perspective of terminal internal processing flow, cloud encrypted voice business management platform, key management platform and corresponding quantum key distribution network.

(3) The present invention can solve the problem of VoLTE interoperability under key interaction between different key management platforms under two QKD nodes.

(4) Both SIP terminals and non-SIP terminals can be implemented using the solution of the present invention, and there are no changes to the two types of terminals, making it easy to implement.

Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.

Description of the drawings

Figure 1 is a schematic flow chart of the VoLTE voice encrypted communication method in the first embodiment of the present invention;

Figure 2 is a schematic diagram of the subdivision steps of step S10 in the first embodiment of the present invention;

Figure 3 is a schematic diagram of the subdivided steps of step S20 in the first embodiment of the present invention;

Figure 4 is a schematic diagram of the subdivided steps of step S30 in the first embodiment of the present invention;

Figure 5 is a schematic diagram of the subdivided steps of step S40 in the first embodiment of the present invention;

Figure 6 is a schematic structural diagram of a VoLTE voice encrypted communication terminal in the second embodiment of the present invention;

Figure 7 is a schematic diagram of the connection of intermediate components in the second embodiment of the present invention;

Figure 8 is a schematic structural diagram of the VoLTE voice encrypted communication system in the third embodiment of the present invention.

Detailed ways

In order to make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below in conjunction with the embodiments of the present invention. Obviously, the described embodiments are part of the present invention. Examples, not all examples. Based on the embodiments of the present invention, all other embodiments obtained by those of ordinary skill in the art without making creative efforts fall within the scope of protection of the present invention.

Referring to Figure 1, the first embodiment of the present invention proposes a VoLTE voice encrypted communication method. Security chips are integrated in the calling terminal and the called terminal respectively. The method includes the following steps:

S10. The calling terminal and the called terminal respectively complete the identity authentication to their respective key management platforms through the authentication keys stored in their corresponding security chips;

It should be noted that each key management platform uses the charging function to charge the security chip connected to it. The calling terminal and the called terminal obtain the charging key respectively, use the charging key as the authentication key, and charge Note that there is no correlation between keys; this embodiment uses a security chip prefabricated key as the authentication key to solve the problem of certificate dependence in VoLTE handheld terminal authentication and realize the one-time authentication and one-key function.

S20. The calling terminal initiates a call, and the calling terminal and the called terminal send verification requests to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform;

It should be noted that when the calling party and the called party initiate a call, the called terminal starts to ring. The calling terminal and the called terminal apply to the cloud encrypted call service management platform to verify the contract information of both parties. The cloud encrypted call service management platform uses its own business system The record determines whether both parties to the call have signed up for the secret call service. After the verification is completed, a unique identifier for this call, that is, the secret call ID, is generated based on the accounts of the calling party and the called party and is sent to the calling terminal and the called terminal.

S30. After the call is connected, the calling terminal and the called terminal play a prompt tone, and apply to the key management platform to which they belong for a session key for this call based on the encrypted message identification. The session key is composed of a quantum key distribution network distribution;

It should be noted that in order to prevent the calling and called parties from communicating in clear mode in advance, the calling terminal and the called terminal first play the key negotiation prompt tone before conducting clear communication. The two parties are temporarily unable to talk, and then based on the secret key The call ID applies to its key management platform for the session key of this call. The key management platform applies to the respective connected cryptographic machines for the session key of this call. The quantum keys stored in the cryptographic machines are distributed by the quantum key distribution network. Distributed as the session key for this call.

S40. The calling terminal and the called terminal use the media channel to synchronize the key acquisition status of the calling terminal and the called terminal based on the session key, and then conduct an encrypted voice call;

It should be noted that by using the connected media channel as the key status synchronization interface, the key synchronization time can be synchronized through the media channel and the synchronization efficiency can be improved.

It should be noted that when the calling terminal and the called terminal start an encrypted voice call, the voice begins to be intercepted and the qualified voice data is encrypted and transmitted.

S50. The calling terminal and the called terminal send encrypted end messages to end this key call.

It should be noted that when the calling terminal and the called terminal hang up the phone, an encrypted call end message is sent, and both parties end this key call.

In this embodiment, the calling terminal and the called terminal are both integrated with security chips. The calling terminal and the called terminal use the authentication keys stored in their respective internally integrated security chips to complete identity authentication to the key management platform to which they belong. , the key management platform stores session key pairs distributed through the quantum key distribution network. VoLTE terminal authentication and key distribution are achieved by using a symmetric key algorithm. There is no need for a certificate management module, and it is faster than the certificate system. Fast and safe. Moreover, the encrypted call is initiated by VoLTE. The clear call is connected first and then the key negotiation process is carried out. This avoids premature key negotiation and avoids the problem of users answering the phone too quickly and having too high key negotiation requirements. When initiating a clear conversation, a prompt tone is played at one end first, and the actual encrypted conversation is carried out after key negotiation. For the user, only the encrypted conversation is perceived, and the user experience is good. In addition, by using the connected media channel as the key status synchronization interface, the key synchronization time can be synchronized through the media channel and the synchronization efficiency can be improved.

Furthermore, in the key charging stage, this invention directly uses the key management platform to charge the security chips of the calling party and the called party with keys as authentication keys. There is no relationship between the authentication keys stored internally by the calling party and the called party. Its main function is to enable both the called party and the called party to use the keys stored in their respective chips to achieve identity authentication to the key management platform, thereby achieving one-time one-time padding for identity authentication. During the voice communication phase, when the calling party and the called party apply for the communication key, the key management platform will use a new key in the security chip of the calling party and the called party as a protection key to issue the session key. Although the session key is The plain text of the key is consistent, but because the authentication keys stored in the security chips of the calling party and the called party are different, the key ciphertext obtained by the calling party and the called party is inconsistent. It provides a one-time pad function for session key distribution; and the entire The process does not use a tag system, which reduces the interaction process. The entire process does not require the keys of the calling party and the called party to be consistent. It realizes the decoding of the root key filled in the security chip of the calling party and the called party and the session key required for actual voice communication. Coupling provides more adaptability and is more in line with actual business conditions.

In one embodiment, referring to Figure 2, step S10 includes the following subdivided steps:

S11. The security chips respectively obtain the identification of the key management platform to which they belong;

It should be noted that each key management platform uses the charging function to charge the security chip connected to it. The charging process writes the identification of the key management platform into the connected security chip. This identification is in the quantum key. The distribution QKD network is unique.

S12. The calling terminal and the called terminal respectively call the authentication keys stored in their corresponding security chips to complete the identity authentication to the key management platform to which they belong;

It should be noted that after the terminal is started, the authentication key stored in the security chip is called to complete the login authentication to the key management platform to which it belongs, and the terminal also provides key services to the outside world.

S13. The calling terminal and the called terminal upload the identification of the key management platform to which they belong and their own terminal identification to the cloud encrypted voice service management platform, so that the cloud key service management platform generates the terminal identification and Comparison table of key management platform identification and storage.

It should be noted that the cloud encrypted voice business management platform stores the corresponding relationship between user terminals and each key management platform, and serves as a user resource information library for multiple key management platforms to provide cross-key management platform key negotiation query services. Adapt to multi-key platform VoLTE service interoperability issues under QKD network.

In one embodiment, referring to Figure 3, step S20 includes the following subdivided steps:

S21. The calling terminal and the called terminal report the calling number and called number of this call to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform can use the calling number and the called number according to the calling number and the called number. The called number generates the secret call identifier for this call;

S22. When the cloud encrypted call service management platform determines that the key management platform identifiers of the calling terminal and the called terminal are inconsistent based on the comparison table, the calling terminal and the called terminal obtain the cloud encrypted call service management platform. The encrypted conversation identifier returned by the call service management platform and the identifier of the key management platform to which the peer belongs.

It should be noted that the calling terminal and the called terminal report the calling and called numbers of this call to the cloud encrypted call service management platform. The cloud encrypted call service management platform determines the call based on the status of the encrypted call contract between the calling and the called parties. Whether the conditions for entering the secret call are met; at the same time, the cloud secret call service management platform checks the last login status of the calling party and the called party. If the status of both parties is found to be normal, it generates a secret call identification for this call based on the calling/called number; and at the same time, according to the comparison table, check the identity of the key management platform to which both parties belong to the call. If they are inconsistent, the cloud encrypted call service management platform returns the identity of the key platform to which the other end belongs and the encrypted call identifier to the terminal.

The acquisition of the encrypted voice ID in this embodiment can be adapted to the problem of VoLTE service interoperability on a multi-key platform under the QKD network, because under a multi-key management platform, the service ID cannot directly act as a proxy for the key ID.

In one embodiment, referring to Figure 4, step S30 includes the following subdivided steps:

S31. The called terminal sends a first key request to the key management platform to which it belongs, so that the key management platform obtains the key identification from the cryptographic machine and returns it to the called terminal. The first The key request carries the encryption key identifier and the identifier of the key management platform to which the peer belongs;

It should be noted that the called terminal generally serves as the active terminal, and it requests a key from the key management platform to which it belongs based on the parameters (identity of the platform to which the opposite terminal belongs, and encryption key identification).

S32. The called terminal pushes the key identifier and the encrypted call identifier to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform sends the key identifier and the encrypted call service management platform. Push the call ID to the calling terminal;

S33. The calling terminal sends a second key request to the key management platform to which it belongs, so that the key management platform returns the session key to the calling terminal. The second key request carries the The key identifier and the secret key identifier.

It should be noted that in the case of a single key management platform, since the key generation is a platform, the secret speech identifier can be directly used as the key identifier to complete the double-ended key acquisition. Both the calling and the called parties can use the secret speech identifier. Go to the same key management platform to obtain the key. However, under a multi-key management platform, because the key management platform mainly relies on providing a key interface through the QKD network to complete double-ended key negotiation, a key is negotiated and a key identifier is returned. At this time, the active end of the key application can This key ID is obtained, but the other end cannot use the same secret key ID to uniquely identify a key, and key synchronization cannot be achieved.

This embodiment realizes the association between the key identification after QKD remote key negotiation and the encrypted voice identification between this VoLTE call, realizes the key distribution problem under the multi-key management platform, and truly realizes key synchronization. .

In one embodiment, in step S31, the key management platform obtains the key identification from the cryptographic machine and returns it to the called terminal, including:

It should be noted that this embodiment can complete an end-to-end instance from the perspective of terminal internal processing flow, cloud encrypted voice business management platform, key management platform and corresponding quantum key distribution network; and can implement two QKD nodes. The problem of VoLTE interoperability under key interaction between different key management platforms.

In one embodiment, referring to Figure 5, step S40 includes the following subdivided steps:

S41. The calling terminal and the called terminal obtain the session key;

S42. The calling terminal and the called terminal synchronize the notification information of key acquisition to the cloud encrypted voice service management platform, so that the cloud encrypted voice service management platform transparently transmits the notification information to the calling party. The terminal and the called terminal complete key acquisition status synchronization.

It should be noted that in some scenarios, after the calling party and the called party obtain the relevant keys, the user expects that the phone will be encrypted when the call is connected, and does not want to connect the phone first and then distribute the key, so as to improve the user's understanding of VoLTE encrypted calls. experience; this embodiment can realize an optimized instance of key synchronization that does not rely on media information flow through the terminal push mechanism, and can realize the synchronization of the key acquisition status of both parties under the same key platform or under different key platforms, which has certain Adaptability.

Furthermore, in some scenarios, there will be a solution for coexistence of a customized terminal (SIP terminal) based on the SIP extended field request to distribute the encryption ID and a customized terminal (non-SIP terminal) that does not rely on the SIP extended field. The main difference between the two customized terminals is SIP terminals have been modified on the module side to have the ability to process SIP extended fields. The same point is that they have similar key middleware and voice middleware structures to implement key negotiation and voice encryption and decryption. Therefore, it is only necessary to complete the connection between the cloud management platform and the service AS (service authentication platform) of IMS responsible for key identification distribution, and the VoLTE interoperability function can be realized without modifying the terminal. This solution can support the existing two types of terminals. No modifications, easy to implement. Specific implementation steps include:

(1) The IMS component is responsible for the service AS (business authentication platform) of key identification distribution and the cloud encrypted voice business management platform to complete the user synchronization interface and encrypted voice identity push interface;

(2-1) The first scenario: one of the calling parties is a SIP terminal, and the SIP terminal is the calling party:

After the caller initiates a call, the call request will be sent to the service AS (service authentication platform) responsible for key identification distribution in the IMS network. The AS will query the local synchronization database to determine the account terminal type. If the encryption conditions are met, the corresponding encrypted message will be generated. Identify and send the identification to the cloud encrypted call service management platform. The cloud encrypted call service management platform will push the encrypted call identifier to the peer terminal. For SIP terminals, the AS will continue to use the encrypted call identifier issued by the AS to complete the encryption.

(2-2) The second scenario: the SIP terminal is the called party, and the normal calling party initiates a call:

Through the cloud encrypted call service management platform, the peer is a SIP terminal. The cloud encrypted call service management platform generates the encrypted call identifier and pushes the corresponding encrypted call identifier to the service AS (service authentication platform) responsible for key identifier distribution in the IMS network. The AS delivers the corresponding encryption ID to the corresponding SIP expansion solution terminal to complete the encryption.

(3) After the encryption ID is issued, the SIP terminal will pass the encryption ID processed by the baseband chip to the voice middleware. The voice middleware will call the key middleware to obtain the key from the key management platform based on the encryption ID. , for non-SIP extended fields, the key is obtained by pushing the encryption ID to the key middleware according to the business middleware.

(4) Both the calling party and the called party use the key middleware to obtain the key and follow the steps S40 to S50 to implement the voice encryption function.

In addition, referring to Figures 6 to 7, the second embodiment of the present invention proposes a VoLTE voice encrypted communication terminal. The terminal is provided with a security chip 4 and an intermediate component. The security chip 4 stores an authentication key. The middle components include key middleware 3, business middleware 1 and voice middleware 2, where:

The key middleware 3 is used to use the authentication key stored in the security chip 4 to complete the identity authentication to the key management platform to which it belongs, and the business middleware 1 requests login to the cloud encrypted voice business management platform, The voice middleware 2 performs self-starting;

The business middleware 1 is used to send a verification request to the cloud encrypted call service management platform after both parties initiate a call to obtain the encrypted call identifier returned by the cloud encrypted call service management platform; the business middleware 1, It is used to call the key middleware after the call is connected and the terminal plays the prompt tone, and apply to the key management platform to which it belongs for the session key for this call based on the secret conversation identifier. The key is distributed by the quantum key distribution network;

The key middleware 3 is used to transfer the session key to the voice middleware, and after the voice middleware 2 uses the media channel to complete the dual key acquisition status synchronization of the calling parties, the two parties conduct encrypted voice calls. ;

The voice middleware 2 is used to send an encryption end message after the call is hung up to end this key call.

In this embodiment, within the terminal, between the three middlewares, the key within the security chip is relied upon to implement entity authentication between the middleware and between the middleware and the platform. Instead of using public and private keys, the key within the security chip is used to achieve entity authentication. It realizes one-time authentication of the key and has the characteristics of fast authentication speed.

Specifically, the key middleware is used to interact with the security chip integrated in the terminal, and supports multiple channel protocols to realize the reading and operation of keys in different types of security chips. Since most security chips are single-channel, the key middleware needs to have unified external service functions and can complete application authentication, access control, scheduling and other functions for access applications; at the same time, the key middleware can also interact with the key management platform Complete the identity authentication, key negotiation, session key acquisition, encryption and destruction functions based on the security chip, and realize the unified management, control and service of password security capabilities by the middleware.

The business middleware is used to interact with the cloud encrypted call service management platform to complete VoLTE encrypted call notification, encrypted call identification synchronization, and call the password middleware to complete the key negotiation function. During the middleware initialization phase, the security chip can be charged into the platform. With the function of identifying and reporting, the cloud encrypted voice business management platform can build a corresponding relationship between global users and the key management platform based on the reported information.

The business middleware can feedback the current call progress according to the status of the call process. At the same time, the business middleware is also an independent process in the mobile phone, has the ability to start automatically when the phone is turned on, and prevents the process from being killed by the mobile phone system.

The voice middleware runs in the mobile phone middleware as an independent process, and mainly completes the interaction with the underlying mobile phone voice processing and transmission module to realize the shutdown of the silence detection mechanism and the recording function during encrypted calls; monitors the voice call status at the bottom of the mobile phone system, and The cryptographic operation interface provided by the cryptographic middleware can be called to implement the encryption and decryption function of the voice stream.

In one embodiment, referring to Figure 6, the service middleware includes a UI display module, a secret conversation notification module, a secret conversation identification synchronization module and a key negotiation initiation module, wherein:

Specifically, the UI display module is used for UI display at each stage during the secret call establishment process, mainly including the display of user contract information and judgment information coordinated with the cloud secret call service management platform, the display of this secret call notification and identification synchronization information, this The sub-encryption key negotiation status display and other processes are displayed.

The secret call notification module includes interaction with the cloud secret call service management platform interface to realize the secret call signing qualification judgment of the caller and the called party, the judgment of the current network status of both parties, and the message push function with the cloud secret call service management platform.

The secret call identifier synchronization module is used to determine that both parties have the qualifications and conditions for a secret call call on the cloud secret call service management platform. The cloud secret call service management platform generates an identifier for this call and pushes it to the business middleware. The business middleware Obtain the peer acquisition status through the cloud encrypted call service management platform, and complete the issuance and synchronization of encrypted call identification. This interface is mainly used for VoLTE calls between users belonging to multiple key management platforms. Users of the same key platform cannot communicate with each other before. This feature is required.

The key negotiation initiation module is configured to, after completing the key identification synchronization interface, the business middleware use the identification to initiate a key application request to the key middleware and obtain the corresponding key negotiation status.

In one embodiment, referring to Figure 6, the key middleware includes an external service interface, a general cryptographic service module and a cryptographic device service module, wherein:

Specifically, the external services mainly include external application authentication, access control, process communication and other functions to realize secure access of external applications, and external applications access the key middleware through inter-process communication.

The general cryptographic service module mainly includes key management, identity authentication, and key calculation interfaces to implement key services for external applications.

Specifically, during the startup process, the key middleware will obtain the key in the security chip through the cryptographic device service interface, and use a key in the security chip as the authentication key to complete the identity authentication to the key management platform. The entire authentication The process is based on the two-time authentication authentication mechanism stipulated in the 15843.2 standard, which realizes one-time one-time password in the authentication process, and can avoid the problems of overly complex and computationally intensive certificate system authentication.

The business middleware completes the basic encrypted conversation identification synchronization and passes it to the key middleware through the key middleware external interface. The key middleware sends the encrypted conversation identification and the calling and called party numbers as key identifications to the key management platform. Apply for the corresponding session key to apply for and obtain the session key for this call.

The cryptographic device service module mainly implements device management of security chips, application management of card containers and files, key management and computing interface calls.

In one embodiment, referring to Figure 6, the voice middleware includes a voice interception module, a voice rate filtering module, a voice encryption module and a voice backhaul module, wherein:

Specifically, the voice interception module mainly includes monitoring the voice data transmission channel in the current mobile phone system, intercepting and returning voice call data.

The voice rate screening module is used to receive and detect the voice call data transmitted by the voice data interception module; for the voice call data, the VoLTE voice data can be data processed according to the VoLTE voice quality setting rules. In theory As mentioned above, VoLTE voice data processing with different code rates can be implemented to adapt to different network environments. For voice data that meets the conditions, AMR payload data is obtained; the AMR payload data is pushed to the voice backhaul module. According to the 3GPP protocol, qualified AMR payload data is pushed to the voice backhaul module; other voice data that does not meet this requirement is sent back to the mobile phone voice data transmission channel.

The voice return module is used to send the AMR payload data to the negotiation encryption module in real time in a single frame, and receive the VoLTE voice encryption data processed by the negotiation encryption module and transmit it back to the voice rate screening module.

The voice encryption module is used for key processing, session key status negotiation, and voice data encryption, decryption, and transceiver functions.

Specifically, the key processing function is mainly for the voice middleware to realize the session key by interacting with the key middleware. The session key is protected by encryption. The key processing function completes the session key ciphertext data processing and initialization. Encrypted environment.

The session key negotiation includes: after completing the session key acquisition, both calling parties need to use the existing system voice data transmission channel to send a voice message related to the identity of this secret conversation, and check the other party's return through the voice rate filtering module. Information: If the information returned by the other party is filtered out, it means that the voice data of both parties are transmitted under the operator's VoLTE environment, the AMR payload rates of both parties match, and at the same time, the other party has also completed the session key in accordance with the encryption establishment instructions. After the negotiation, the session key for the encrypted call is ready; if the information returned by the other party cannot be filtered out, it means that one party is not in the VoLTE environment or the session key acquisition failed, the AMR payload rate does not match, and the encrypted call negotiation fails. If the negotiation is successful, voice data encryption begins.

The voice data encryption and decryption includes: after the initiator and the two sides complete the session key negotiation, the VoLTE voice data is transmitted through the voice backhaul module. The encryption module has the ability to adapt to the VoLTE encoding rate. During the entire life cycle of data encryption and decryption, it can When the voice data stream is running, the encryption and decryption module will construct data encryption and decryption start and end messages to achieve control and synchronization of the encryption and decryption status.

The encryption terminal in this embodiment has services, keys, voice middleware functional features and similar terminal programs provided for VoLTE encryption to ensure the development of VoLTE encryption services.

In one embodiment, in order to adapt to the VoLTE service interoperability problem of multi-key platforms under the QKD network, the key middleware is used to use the authentication key stored in the security chip to complete the key management platform to which it belongs. For identity authentication, the business middleware requests login to the cloud encrypted voice business management platform, and the voice middleware performs self-starting. The specific expansion is as follows:

a1) The key management platform uses the charging function to charge the security chip. During the charging process, the key management platform identification of this platform is written into the security chip. This identification is unique in the QKD network.

a2) Security chip integrated terminal. After the terminal is started, the key middleware calls the key stored in the security chip to complete the login authentication to the key management platform. At the same time, the key middleware provides key services to the outside world.

a3) The business middleware accesses the key middleware, obtains the filled key management platform identification, and uploads its own information (terminal information) and key management platform identification to the cloud encrypted voice business management platform.

a4) The cloud encrypted voice business management platform stores the corresponding relationship between users and each key management platform, serves as a user resource information database for multiple key management platforms, and provides cross-key management platform key negotiation query services.

In one embodiment, after both parties initiate a call, the service middleware is used to send a verification request to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform. Specifically, Expand to:

b1) The terminal uses the service middleware to report the calling and called numbers of this call to the cloud encrypted call service management platform. The cloud encrypted call service management platform determines whether the call has the ability to enter the encrypted call based on the status of the encrypted call contract between the calling party and the called party. At the same time, the cloud secret call service management platform checks the latest login status of the middleware of the calling party and the called party. If the middleware status of both parties is found to be normal, it generates the secret call ID of this call based on the calling and called numbers, and checks the secret calling parties of both parties. Key management platform identification. If they are inconsistent, the cloud encrypted call service management platform returns the key platform identification of the peer and the encrypted call identification that generated this call to the business middleware.

b2) After the key negotiation phase is started, the business middleware in the terminal sends the identity of the key platform to which the peer belongs and the encrypted voice ID generated by the cloud encrypted voice business management platform to the key middleware.

In one embodiment, after the call is connected, the terminal plays a prompt tone, the business middleware calls the key middleware, and applies to the key management platform to which it belongs based on the secret message identification. The session key of the call, specifically expanded to:

c1) The called party generally serves as the active end, and the cryptographic middleware requests the key from its own key management platform according to the parameters (the identity of the platform to which the peer belongs, and the encrypted conversation identity).

c2) The key management platform obtains the key from the encryption machine based on the encrypted call ID, calling and called numbers, and the key platform ID of the peer. The encryption machine initiates a key application to connect to the QKD network based on the key platform indication.

c3) Upon request, the QKD network obtains a symmetric key of the QKD node that specifies the calling party and the called party based on the key platform identification of the calling party and the called party, and returns the corresponding key identification to the cryptographic machine.

c4) The cryptographic machine feeds back the corresponding key and returns the key and key identification to the called end through the key management platform.

c5) The called end cryptographic middleware pushes the key identification to the business middleware, and the business middleware then pushes the key identification and secret conversation identification to the cloud secret conversation service management platform.

c6) The cloud encrypted call service management platform pushes the key identifier and encrypted call identifier to the calling end.

c7) The calling end business middleware pushes the key identifier and encrypted session identifier to its own key middleware, and the calling key middleware obtains the session key from its own key management platform based on these two parameters.

In one embodiment, the key middleware transfers the session key to the voice middleware, and the voice middleware uses the media channel to complete the key acquisition status synchronization of both parties in the call. The specific expansion is as follows:

d1) The calling and called key middleware obtains the session key for this call and notifies the respective business middleware of the key acquisition status.

d2) The business middleware of both parties synchronizes the notification information that the session key of this call has been obtained to the cloud encrypted call service management platform.

d3) The cloud encrypted call business management platform transparently transmits push information from both parties to their respective business middlewares to complete key acquisition status synchronization.

d4) The business middleware of both parties synchronizes the status information to the middleware to complete the key acquisition status synchronization.

It should be noted that the push mechanism of business middleware is directly used to achieve an optimized example of key synchronization that does not rely on media information flow. This solution does not rely on key middleware and can achieve the same key platform or different key platforms between the two parties. The key acquisition status under the key is synchronized and has certain adaptability.

In one embodiment, after the key acquisition status of the calling terminal and the called terminal is synchronized, the calling terminal and the called terminal conduct an encrypted voice call. The specific expansion is as follows:

e1) The key middleware of the calling terminal and the called terminal passes the encrypted session key to the voice middleware to complete the encryption state initialization of the voice middleware. The voice middleware uses the media channel to complete the key status synchronization between the calling parties.

e2) The calling party and the called party begin to conduct encrypted conversations, the terminal begins to conduct encrypted voice calls, and the voice middleware begins to intercept the voice and encrypt the qualified voice data.

e3) The caller and called party hang up the phone, and the voice middleware sends an encrypted end message to complete this key call.

It should be noted that the terminal proposed in this embodiment can avoid the transformation of the telecom operator's IMS network and the extension of the signaling control protocol SIP protocol, and only adopts the deployment of a centralized management platform and the in-depth customization of the mobile phone terminal (service , voice, key) three middlewares cooperate with each other to realize the transmission of key synchronization information through the voice channel, the transmission of key synchronization information based on business data information, and the VoLTE encrypted interoperability between SIP extended field terminals and non-SIP extended terminals. It has It has the advantages of wide adaptability, simple construction plan, low cost and short cycle.

In addition, the three middleware technologies of terminal in-depth customization (service, voice, key) are used to realize the VoLTE interoperability problem under the single key management platform and multi-key management platform based on the QKD quantum key distribution network, and realize the customer's own password The integration of system construction security requirements and network-wide interoperability requirements improves the compatibility of VoLTE encryption services.

It should be noted that other embodiments of the VoLTE voice encrypted communication terminal according to the present invention or implementation methods may refer to the above-mentioned method embodiments, and no redundancy will be provided here.

In addition, referring to Figure 8, the third embodiment of the present invention proposes a VoLTE voice encrypted communication system. The system includes: a quantum key distribution network 13, a calling terminal 5, a called terminal 6, and a first key management platform. 9. The second key management platform 10, the first encryption machine 11, the second encryption machine 12, the cloud encrypted voice service management platform 8 and the operator's IMS network 7;

The calling terminal 5 and the called terminal 6 are respectively integrated with a security chip 4, and an authentication key is stored in the security chip 4;

The calling terminal 5 is connected to the first key management platform 9, the called terminal 6 is connected to the second key management platform 10, and the first key management platform 9 is connected to the first encryption machine 11 is connected to the quantum key distribution network 13. The second key management platform 10 is connected to the quantum key distribution network 13 via the second encryption machine 12. The calling terminal 5 and the called terminal 5 are connected to the quantum key distribution network 13. The calling terminal 6 respectively accesses the cloud encrypted voice service management platform 8 via the operator's IMS network 7;

The calling terminal 5 and the called terminal 6 are both provided with intermediate components. The intermediate components include key middleware 3, service middleware 1 and voice middleware 2. The key middleware 3 and the The first key management platform 9 or the second key management platform 10 is connected, the service middleware 1 is connected to the cloud encrypted voice service management platform 8, and the voice middleware 2 is connected to the underlying data transmission channel ;

The key middleware 3 is used to use the authentication key stored in its corresponding security chip 4 to complete the identity authentication to the key management platform to which it belongs, and the business middleware 1 requests the cloud encrypted voice business management platform 8 Log in, and the voice middleware 2 starts automatically;

After the calling terminal 5 initiates a call, the service middleware 1 is used to send a verification request to the cloud encrypted call service management platform 8 to obtain the encrypted call identifier returned by the cloud encrypted call service management platform 8;

After the call is connected, the calling terminal 5 and the called terminal 6 play a prompt tone, and the service middleware 1 calls the key middleware 3 and applies to the key management platform to which it belongs based on the encrypted call identification. The session key for the call, which is distributed by the quantum key distribution network 13;

The key middleware 3 transfers the session key to the voice middleware 2, and the voice middleware 2 uses the media channel to complete the key acquisition status synchronization of the calling terminal 5 and the called terminal 6, The calling terminal 5 and the called terminal 6 conduct an encrypted voice call;

After the calling terminal 5 and the called terminal 6 hang up, the voice middleware 2 sends an encryption end message to end this key call.

It should be noted that the cloud encrypted voice service management platform 8 is used to provide VoLTE voice-based wide-area user addressing management, each key system information registration management, and the generation and delivery of encrypted identification during VoLTE calls.

The operator's IMS network 7 is used to carry and transmit data between the cloud encrypted call service management platform 8 and the mobile phone, as well as the signaling domain and media domain that previously existed on the two mobile phones.

The intermediate component can realize functions such as addressing the key management platform of both VoLTE calls, VoLTE encrypted message processing, key negotiation application and acquisition functions, and real-time encryption and decryption of call data during the call.

The security chip 4 is a security medium that complies with the certificate issued by the National Commercial Cryptozoology Bureau and has security protection capabilities. It can be connected with the key management platform to realize the key filling function in the security chip 4 and realize the authentication using the key in the security chip 4. The key is delivered to the key management platform for identity authentication and session key one-time padding.

The key management platform: used to provide a server-side API interface of the key management middleware to interface with the mobile phone-side middleware to realize user login with the key filled in the security chip 4 as the core. Identity verification, session key negotiation, and the generation and issuance of session keys during the establishment of encrypted calls, and the key management platform can be deployed separately or in the quantum key distribution network 13, with the ability to obtain docking cryptographic machines keys and distributed to quantum middleware functions.

The first cryptographic machine 11 and the second cryptographic machine 12 adopt a three-level key management system and use cryptographic cards to achieve local secure storage of keys. Supports two encryption methods: "one-time pad" and national secret algorithm to realize key exchange and output. It is used to provide cryptographic operations based on national secret algorithms, and supports quantum secure communication networks, quantum random number generators, and local cryptographic cards as key sources.

The quantum key distribution network 13 refers to quantum meeting the networking and application requirements of quantum secure communication in different scenarios, and extending the point-to-point QKD link into a multi-user QKD network. It mainly includes the QKD module, key manager (KM), QKDN controller and QKDN network management system in the QKD network, as well as QKD links between QKD modules and KM links between KMs; password applications (KMS) in the user network and other modules.

It should be noted that in some scenarios, there will be a solution for coexistence of customized terminals based on SIP extended field requests to distribute encryption IDs and customized terminals that do not rely on SIP extended fields. The main difference between the two customized terminals is that the SIP terminal implements module The side transformation has the ability to process SIP extended fields. The same point is that it has a similar key middleware and voice middleware structure to implement key negotiation and voice encryption and decryption. Therefore, it only needs to complete the cloud management platform and IMS responsible for key identification distribution services. AS (Service Authentication Platform) docking can realize VoLTE interoperability function without modifying the terminal.

This system has the characteristics of no modification to the existing two types of terminals and is easy to implement. The specific process is as follows:

(1) The service AS (service authentication platform) of the IMS component responsible for key identification distribution needs to complete the user synchronization interface and the encryption identification push interface with the cloud encrypted voice service management platform.

(2-1) In the first scenario, the calling party is a SIP terminal:

(2-2) The second scenario is that the SIP terminal is the called party:

The normal calling party initiates a call and checks that the peer is a SIP terminal through the cloud encrypted call service management platform. The cloud encrypted call service management platform generates the encrypted call identifier and pushes the corresponding encrypted call identifier to the service AS responsible for key identifier distribution in the IMS network ( Business authentication platform), the AS issues the corresponding encryption ID to the corresponding SIP terminal to complete the encryption.

(4) Both calling parties use key middleware to complete key acquisition, and can follow the media channel described in e1) process to achieve dual-end synchronization of the key acquisition status.

(5) Both calling parties use key middleware to complete key acquisition. They can follow the process description in e1) to achieve session key acquisition and key acquisition status dual-end synchronization, and encrypt the session key and pass it to the voice middleware.

(6) Both parties use voice middleware to implement voice encryption functions in accordance with e2) and e3).

It should be noted that for other embodiments of the VoLTE voice encrypted communication system of the present invention or implementation methods, please refer to the above method embodiments, and no redundancy is required here.

It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein, for example, may be considered to be a sequenced list of executable instructions for implementing logical functions, which may be embodied in any computer. in a readable medium for use by, or in conjunction with, an instruction execution system, apparatus, or device (such as a computer-based system, a system including a processor, or other system that can retrieve and execute instructions from the instruction execution system, apparatus, or device) Used by instruction execution systems, devices or equipment. For the purposes of this specification, a "computer-readable medium" may be any device that can contain, store, communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. More specific examples (non-exhaustive list) of computer readable media include the following: electrical connections with one or more wires (electronic device), portable computer disk cartridges (magnetic device), random access memory (RAM), Read-only memory (ROM), erasable and programmable read-only memory (EPROM or flash memory), fiber optic devices, and portable compact disc read-only memory (CDROM). Additionally, the computer-readable medium may even be paper or other suitable medium on which the program may be printed, as the paper or other medium may be optically scanned, for example, and subsequently edited, interpreted, or otherwise suitable as necessary. process to obtain the program electronically and then store it in computer memory.

It should be understood that various parts of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if it is implemented in hardware, as in another embodiment, it can be implemented by any one or a combination of the following technologies known in the art: a logic gate circuit with a logic gate circuit for implementing a logic function on a data signal. Discrete logic circuits, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), etc.

In the description of this specification, reference to the terms "one embodiment," "some embodiments," "an example," "specific examples," or "some examples" or the like means that specific features are described in connection with the embodiment or example. , structures, materials or features are included in at least one embodiment or example of the invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

In addition, the terms “first” and “second” are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the quantity of indicated technical features. Therefore, features defined as "first" and "second" may explicitly or implicitly include at least one of these features. In the description of the present invention, "plurality" means at least two, such as two, three, etc., unless otherwise expressly and specifically limited.

Although the embodiments of the present invention have been shown and described above, it can be understood that the above-mentioned embodiments are illustrative and should not be construed as limitations of the present invention. Those of ordinary skill in the art can make modifications to the above-mentioned embodiments within the scope of the present invention. The embodiments are subject to changes, modifications, substitutions and variations.

Claims

A VoLTE voice encrypted communication method, characterized in that security chips are integrated into the calling terminal and the called terminal respectively. The method includes:

The calling terminal and the called terminal respectively complete the identity authentication to the key management platform to which they belong through the authentication keys stored in their corresponding security chips;

The calling terminal initiates a call, and the calling terminal and the called terminal send verification requests to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform;

After the call is connected, the calling terminal and the called terminal play prompt tones and apply to their respective key management platforms for session keys for this call based on the encrypted call identification. The session keys are provided by the quantum key distribution network. distribution;

The calling terminal and the called terminal use the media channel to synchronize the key acquisition status of the calling terminal and the called terminal based on the session key, and then conduct an encrypted voice call;

The calling terminal and the called terminal send encrypted end messages to end this key call.
The VoLTE voice encrypted communication method according to claim 1, wherein the calling terminal and the called terminal respectively complete the identity authentication to the key management platform through the authentication keys stored in their corresponding security chips, including:

The security chips respectively obtain the identification of the key management platform to which they belong;

The calling terminal and the called terminal respectively call the authentication keys stored in their corresponding security chips to complete the identity authentication to the key management platform to which they belong;

The calling terminal and the called terminal upload the identification of the key management platform to which they belong and their own terminal identification to the cloud encrypted voice service management platform, so that the cloud key service management platform generates the terminal identification and key Manage and store the comparison table of platform identifiers.
The VoLTE voice encrypted communication method according to claim 2, characterized in that the calling terminal initiates a call, and the calling terminal and the called terminal send verification requests to the cloud encrypted voice service management platform to obtain the cloud encrypted voice. The secret message ID returned by the business management platform includes:

The calling terminal and the called terminal report the calling number and the called number of the current call to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform can use the calling number and the called number according to the calling number and the called number. The number generates the secret code ID for this call;

When the cloud encrypted voice service management platform determines that the key management platform identities of the calling terminal and the called terminal are inconsistent based on the comparison table, the calling terminal and the called terminal obtain the cloud encrypted voice service. The secret conversation identifier returned by the management platform and the identifier of the key management platform to which the peer belongs.
The VoLTE voice encrypted communication method according to claim 3, characterized in that after the call is connected, the calling terminal and the called terminal play prompt tones, and apply to the key management platform to which they belong based on the encrypted call identification. The session key for this call, which is distributed by the quantum key distribution system, includes:

The called terminal sends a first key request to the key management platform to which it belongs, so that the key management platform obtains the key identification from the cryptographic machine and returns it to the called terminal. The first key The request carries the secret conversation identifier and the identifier of the key management platform to which the peer belongs;

The called terminal pushes the key identifier and the encrypted call identifier to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform Push to the calling terminal;

The calling terminal sends a second key request to the key management platform to which it belongs, so that the key management platform returns the session key to the calling terminal, and the second key request carries the key Identity and said secret phrase identification.
The VoLTE voice encrypted communication method according to claim 4, wherein the key management platform obtains the key identification from the encryption machine and returns it to the called terminal, including:

The key management platform sends a first key application to the cryptographic machine, so that the cryptographic machine initiates a second key application to the QKD network to which it is connected based on the first key application, wherein the first key application is sent to the cryptographic machine. The information carried in the first key application includes the encrypted call identifier, the calling number, the called number and the identification of the key management platform to which the opposite end belongs, and the information carried in the second key application includes the key management platform to which the opposite end belongs. The identification of the key management platform;

The QKD network obtains a symmetric key of the QKD node to which the calling terminal and the called terminal belong based on the second key application, and returns the symmetric key to the cryptographic machine;

The cryptographic machine returns the symmetric key and key identification to the called terminal through the key management platform.
The VoLTE voice encrypted communication method according to claim 1, characterized in that, after the calling terminal and the called terminal use the media channel to synchronize the key acquisition status of the calling terminal and the called terminal based on the session key, Make encrypted voice calls, including:

The calling terminal and the called terminal obtain the session key;

The calling terminal and the called terminal synchronize the notification information of key acquisition to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform transparently transmits the notification information to the calling terminal and the called terminal. The called terminal completes key acquisition status synchronization.
The VoLTE voice encrypted communication method according to claim 1, wherein when at least one of the calling terminal and the called terminal is a SIP terminal that requests distribution of an encryption identifier based on the SIP extension field, the method further includes :

The cloud encrypted call service management platform and the IMS network complete a user synchronization interface and an encrypted call identification push interface;

The cloud encrypted call service management platform or the IMS network generates the encrypted call identifier, and the IMS network delivers the corresponding encrypted call identifier to the SIP terminal. The SIP terminal includes a key middleware and Voice middleware;

The voice middleware obtains the secret speech identifier processed by the baseband chip, calls the key middleware, and applies to the key management platform to obtain the session key.
A VoLTE voice encrypted communication terminal, characterized in that the terminal is provided with a security chip and an intermediate component, an authentication key is stored in the security chip, and the intermediate component includes a key middleware, a business middleware and a voice middleware, which:

The key middleware is used to use the authentication key stored in the security chip to complete the identity authentication to the key management platform to which it belongs. The business middleware requests login from the cloud encrypted voice business management platform. The voice Middleware performs self-starting;

The business middleware is used to send a verification request to the cloud encrypted call service management platform after both parties initiate a call to obtain the encrypted call identifier returned by the cloud encrypted call service management platform; the business middleware is used to After the call is connected and the terminal plays the prompt tone, it calls the key middleware and applies to the key management platform to which it belongs for the session key for this call based on the secret speech identifier. The session key is provided by Quantum key distribution network distribution;

The key middleware is used to transfer the session key to the voice middleware, and after the voice middleware uses the media channel to complete the key acquisition status synchronization of both parties, the two parties conduct encrypted voice calls;

The voice middleware is used to send an encrypted end message after the call is hung up to end the key call.
The VoLTE voice encrypted communication terminal according to claim 8, characterized in that the service middleware includes a UI display module, a secret conversation notification module, a secret conversation identification synchronization module and a key negotiation initiation module, wherein:

The UI display module is used to display the judgment information for coordinating user signing with the cloud secret conversation service management platform, the notification and identification synchronization information of this secret conversation, and the key negotiation status of the start of this secret conversation;

The secret call notification module is used to interact with the interface of the cloud secret call service management platform;

The secret conversation identification synchronization module is used to obtain the secret conversation identification and the peer acquisition status returned by the cloud secret conversation service management platform after the cloud secret conversation service management platform determines that both parties have the qualifications and conditions for a secret conversation call. , complete the issuance and synchronization of the secret call ID;

The key negotiation initiating module is configured to initiate a key request to the key middleware based on the key identification and obtain the corresponding key negotiation status after completing the key identification synchronization.
The VoLTE voice encrypted communication terminal according to claim 8, characterized in that the key middleware includes an external service interface, a general cryptographic service module and a cryptographic device service module, wherein:

The external service interface is used to connect external applications through inter-process communication;

The general cryptographic service module is used to provide key management, identity authentication and key calculation interfaces;

The cryptographic device service module is used to obtain the authentication key stored in the security chip.
The VoLTE voice encrypted communication terminal according to claim 8, characterized in that the voice middleware includes a voice interception module, a voice rate filtering module, a voice encryption module and a voice backhaul module, wherein:

The voice interception module is used to monitor the voice data transmission channel in the current terminal system, intercept and return voice call data;

The voice rate screening module is used to receive and detect the voice call data transmitted by the voice interception module to obtain AMR payload data;

The voice encryption module is used for key processing, session key status negotiation, and voice data encryption and decryption to send and receive;

The voice return module is used to send the AMR payload data to the voice encryption module in a single frame, and return the voice encryption data processed by the voice encryption module to the voice rate screening module. .
A VoLTE voice encrypted communication system, characterized in that the system includes: a quantum key distribution network, a calling terminal, a called terminal, a first key management platform, a second key management platform, a first encryption machine, Second cipher machine, cloud encrypted voice service management platform and operator network;

The calling terminal and the called terminal are respectively integrated with security chips, and an authentication key is stored in the security chip;

The calling terminal is connected to the first key management platform, the called terminal is connected to the second key management platform, and the first key management platform is connected to the quantum computer via the first cryptographic machine. Key distribution network, the second key management platform is connected to the quantum key distribution network via the second encryption machine, and the calling terminal and the called terminal are respectively connected via the operator network The cloud encrypted voice business management platform;

The calling terminal and the called terminal are both provided with intermediate components. The intermediate components include key middleware, service middleware and voice middleware. The key middleware and the first key management The platform or the second key management platform is connected, the business middleware is connected with the cloud encrypted voice business management platform, and the voice middleware is connected with the underlying data transmission channel;

The key middleware is used to use the authentication key stored in the corresponding security chip to complete the identity authentication to the key management platform to which it belongs, and the business middleware requests login from the cloud encrypted voice business management platform , the voice middleware performs self-starting;

After the calling terminal initiates a call, the service middleware is used to send a verification request to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform;

After the call is connected, the calling terminal and the called terminal play prompt tones, and the business middleware calls the key middleware and applies to the key management platform to which it belongs for the session secret for this call based on the secret conversation identifier. Key, the session key is distributed by the quantum key distribution network;

The key middleware transfers the session key to the voice middleware, and after the voice middleware uses the media channel to complete the key acquisition status synchronization of the calling terminal and the called terminal, the calling terminal and the called terminal Call the terminal to make an encrypted voice call;

After the call is hung up, the voice middleware sends an encrypted end message to end this key call.