Summary of the invention
The invention provides a kind of media stream transmission method,, realize the transmission of safety encipher Media Stream in order to solve the problem that medium stream information is stolen.
The present invention provides following technical scheme by some embodiment: a kind of media stream transmission method may further comprise the steps:
Whether the first terminal judges Media Stream needs to encrypt, and sends the session of carrying the extended field that includes encrypted instruction and begins request message; Perhaps directly send session and begin request message;
Controlling platform judges described session begins whether to carry in the request message described extended field, generates the key that is used for encrypted media streams, transmits the session of carrying described key and begins request message; Perhaps directly transmit described session and begin request message;
The described session of second terminal judges begins whether to carry described extended field in the request message, restores described key, returns the response message that carries described extended field, and utilizes described key that described Media Stream is carried out sending behind the selective encryption; Perhaps directly return response message, and described Media Stream is directly sent;
Described controlling platform judges whether carry described extended field in the described response message, transmits the response message that carries described key; Perhaps directly transmit described response message;
Whether carry described extended field in the described response message of described first terminal judges, restore described key and described Media Stream; Perhaps directly read the Media Stream that receives.
Some embodiments of the present invention are by adding new field extension Session Initiation Protocol in the SIP signaling, and the method for Media Stream being carried out selective encryption, realized the transmission of safety encipher Media Stream, guaranteed to have the higher data fail safe based on the systems such as Next Generation Internet video monitoring, video conference and video request program of Session Initiation Protocol.
In addition, the computing load of some embodiments of the present invention is low, treatment effeciency is high, has real-time media stream privacy ability.For video monitoring system, reduced the requirement of embedded monitoring terminal processing capacity, improved the performance of the real-time media stream encryption of embedded monitoring terminal.
Embodiment
As shown in Figure 1, be the schematic flow sheet of first embodiment of media stream transmission method of the present invention.Present embodiment may further comprise the steps:
Whether the first terminal judges Media Stream needed before transmission is encrypted, if above-mentioned Media Stream need carry out transmitting after the encryption again, first terminal then send the session of carrying the extended field that includes encrypted instruction begin the request (hereinafter to be referred as: INVITE) message is to controlling platform; Just can directly not transmit if above-mentioned Media Stream does not need to carry out encryption, first terminal is then directly sent INVITE to controlling platform;
Controlling platform judges whether carry above-mentioned extended field in the above-mentioned INVITE, if carry above-mentioned extended field in the above-mentioned INVITE, controlling platform then generates the key that is used for encrypted media streams, and transmits and carry the INVITE of above-mentioned key to second terminal; If do not carry above-mentioned extended field in the above-mentioned INVITE, controlling platform is then directly transmitted above-mentioned INVITE to second terminal;
Whether carry above-mentioned extended field in the above-mentioned INVITE of second terminal judges, if carry above-mentioned extended field in the above-mentioned INVITE, second terminal then restores above-mentioned key, return the response of carrying above-mentioned extended field (hereinafter to be referred as: 200 OK) message is to controlling platform, and utilizes above-mentioned key that above-mentioned Media Stream is carried out sending to first terminal behind the selective encryption; If do not carry above-mentioned extended field in the above-mentioned INVITE, second terminal is then directly returned 200 OK message to controlling platform, and above-mentioned Media Stream is directly sent to first terminal;
Above-mentioned controlling platform judges in the above-mentioned 200 OK message whether carry above-mentioned extended field, if carry above-mentioned extended field in the above-mentioned 200 OK message, controlling platform then transmit carry above-mentioned key 200 OK message to first terminal; If do not carry above-mentioned extended field in the above-mentioned response message, controlling platform is then directly transmitted above-mentioned 200 OK message to first terminal;
Whether carry above-mentioned extended field in the above-mentioned 200 OK message of above-mentioned first terminal judges, if whether carry above-mentioned extended field in the above-mentioned 200 OK message, first terminal then restores the Media Stream that above-mentioned key and second terminal are sent; First terminal then directly reads the Media Stream that receives.
In the present embodiment, above-mentioned Media Stream being carried out the algorithm of enciphering/deciphering, is that system pre-sets.Present embodiment is by beginning to have added encrypted instruction that is used for encrypted media streams and/or the key that is used for encrypted media streams in request message and the response message in session, and the method for Media Stream being carried out selective encryption, realized the transmission of safety encipher Media Stream, guaranteed to have the higher data fail safe based on the systems such as Next Generation Internet video monitoring, video conference and video request program of Session Initiation Protocol.
In addition, the algorithm that above-mentioned Media Stream carries out enciphering/deciphering can also be to carry out the algorithm that obtains after the algorithmic match, describes in detail in next embodiment.As shown in Figure 2, be the schematic flow sheet of second embodiment of media stream transmission method of the present invention.Present embodiment may further comprise the steps:
Whether the first terminal judges Media Stream needed before transmission is encrypted, if above-mentioned Media Stream need carry out transmitting after the encryption again, first terminal is then sent the INVITE that carries extended field " Require:encrypt ", the encrypted instruction of " encrypt " in the extended field " Require:encrypt " for being used for above-mentioned Media Stream is encrypted; Just can directly not transmit if above-mentioned Media Stream does not need to carry out encryption, first terminal is then directly sent INVITE;
Controlling platform judges in the INVITE that receives whether carry extended field " Require:encrypt ", if carry extended field " Require:encrypt " in the above-mentioned INVITE, controlling platform is then carried out algorithmic match, match first terminal that participates in session and the algorithm that second terminal is all supported, the key A that is used for encrypted media streams that second password that utilizes algorithm Y that algorithmic match obtains and described second terminal to be had will generate is at random encrypted earlier and is generated the first character string B
1(B
1Be string of binary characters), again with the first character string B
1Encoding with Base-64 generates the second character string B (B is a text-string), and the algorithm Y and the second character string B are write first encrypted fields, will include the first encrypted fields " Encrypt:Y of the algorithm Y and the second character string B; Key=B " add in the above-mentioned INVITE, and will carry the extended field " Require:encrypt " and the first encrypted fields " Encrypt:Y; Key=B " INVITE be forwarded to second terminal; If do not carry extended field " Require:encrypt " in the above-mentioned INVITE, controlling platform is then directly transmitted above-mentioned INVITE to second terminal;
Whether carry extended field " Require:encrypt " in the INVITE that second terminal judges receives, if carry extended field " Require:encrypt " in the above-mentioned INVITE, second terminal then extract first encrypted fields of carrying in the above-mentioned INVITE " Encrypt:Y; Key=B "; utilize Base-64 that the second character string B that is wherein comprised is decoded earlier and restore the first character string B1; second password that utilizes algorithm Y and above-mentioned second terminal to be had again is decrypted the first character string B1 and restores key A; return carry extended field " Require:encrypt " 200 OK message to controlling platform, and utilize key A that above-mentioned Media Stream is carried out sending to above-mentioned first terminal behind the selective encryption; If do not carry extended field " Require:encrypt " in the above-mentioned INVITE, second terminal is then directly returned 200 OK message to controlling platform, and above-mentioned Media Stream is directly sent to above-mentioned first terminal;
Controlling platform judges in the 200 OK message that receive whether carry extended field " Require:encrypt ", if carry extended field " Require:encrypt " in the above-mentioned 200 OK message, first password that controlling platform then utilizes algorithm Y and described first terminal to be had is encrypted key A earlier and is generated three-character doctrine string C
1(C
1Be string of binary characters), again with three-character doctrine string C
1Encoding with Base-64 generates the 4th character string C (C is a text-string), and algorithm Y and the 4th character string C are write second encrypted fields, will include the second encrypted fields " Encrypt:Y of algorithm Y and the 4th character string C; Key=C " add in the above-mentioned 200 OK message, and transmit and carry the extended field " Require:encrypt " and the second encrypted fields " Encrypt:Y; Key=C " 200 OK message to above-mentioned first terminal; If do not carry extended field " Require:encrypt " in the above-mentioned 200OK message, controlling platform is then directly returned 200 OK message to above-mentioned first terminal;
Whether carry extended field " Require:encrypt " in the 200 OK message that first terminal judges receives, if carry extended field " Require:encrypt " in the above-mentioned 200 OK message, first terminal then extract second encrypted fields of carrying in the above-mentioned 200 OK message " Encrypt:Y; Key=C ", utilize Base-64 that the 4th character string C that is wherein comprised is decoded earlier and restore three-character doctrine string C
1, utilize first password that algorithm Y and above-mentioned first terminal had again with three-character doctrine string C
1Be decrypted and restore key A, first terminal is utilized key A that the process encrypted media stream that receives is deciphered and is restored above-mentioned Media Stream; If do not carry extended field " Require:encrypt " in the above-mentioned 200 OK message, first terminal then directly reads the Media Stream that receives.
Wherein, according to first terminal that participates in session and the secret grade that second terminal is supported and the needs of media stream privacy, algorithm Y can be data encryption standard (Data Encryption Standard, hereinafter to be referred as: DES), three times of DES (Triple DES, hereinafter to be referred as: 3DES) or Advanced Encryption Standard (AdvancedEncryption Standard is hereinafter to be referred as AES) algorithm.
In the present embodiment, first terminal of participation session and second terminal are carried out the algorithm that algorithmic match is determined the above-mentioned Media Stream of enciphering/deciphering by registering the own cryptographic algorithm of being supported by controlling platform, have finished the negotiation of algorithm.Consult the algorithm of enciphering/deciphering Media Stream between first terminal and second terminal by controlling platform, Media Stream is carried out DES, 3DES or aes algorithm enciphering/deciphering, wherein, the employed key of enciphering/deciphering is determined by controlling platform.By the above-mentioned steps of present embodiment, first terminal and second terminal that participate in session have been carried out cipher key change by monitor supervision platform, have had identical key A, and both sides utilize key A promptly can finish the Media Stream that will transmit is encrypted and/or deciphered.
Present embodiment is by adding the extended field " Require:encrypt " and/or the first encrypted fields " Encrypt:Y in INVITE; Key=B ", in 200 OK message, add the extended field " Require:encrypt " and/or the second encrypted fields " Encrypt:Y; Key=C " expanded Session Initiation Protocol, realized the negotiation of algorithm and the exchange of key.In addition, present embodiment is also considered in video monitoring system, the disposal ability deficiency of embedded video monitor terminal, generally can not realize whole Media Streams are carried out the function of DES, 3DES or aes algorithm encryption, therefore, present embodiment only selects the data message of the Media Stream of sub-fraction key to encrypt, realized Media Stream is carried out transmission behind the safety encipher, guaranteed to have the higher data fail safe based on the systems such as Next Generation Internet video monitoring, video conference and video request program of S IP agreement.
As a kind of extendible negotiating algorithm and cipher key exchange mechanism, can select the encryption key of corresponding cryptographic algorithm and enough figure places fully as required for the grade strength of encrypting by system.If terminal need improve the intensity of encryption, only need when registration, the own high strength encrypting algorithm of being supported be reported to the sip server of controlling platform, and the support that sip server also correspondingly adds above-mentioned algorithm gets final product.
The 3rd embodiment of media stream transmission method of the present invention compares with a last embodiment, and in the present embodiment, first terminal utilizes key A that the process encrypted media stream that receives is deciphered the operation that restores above-mentioned Media Stream can be following steps:
Step 1: (Real-Time Transport Protocol is hereinafter to be referred as RTP) packet R1, R2 to the individual RTP of n (n is a natural number) with the data encapsulation of certain frame Media Stream that will transmit, ..., among the Rn, form the RTP packet first sequence P1, promptly
Frame[0...FrameLength]->P1={R1,R2,...,Rn};
Step 2: judge whether above-mentioned frame is key frame, if above-mentioned frame is a key frame, then execution in step 3; Otherwise, execution in step 6;
Step 3: extracting sequence number from the RTP packet first sequence P1 is the RTP packet of odd number, forms the RTP packet second sequence P2, promptly
P2={R1, R3 ..., Rm}, (when n is even number, m=n-1; When n is odd number, m=n); And sequence number is the RTP packet of even number, then forms RTP packet the 3rd sequence P3, promptly
P3={R2, R4 ..., Rk}, (when n is even number, k=n; When n is odd number, k=n-1);
Step 4: utilize algorithm Y to encrypt generation RTP packet the 4th sequence P4 one by one each RTP packet of the RTP packet second sequence P2, each packet of RTP packet the 4th sequence P4 still takies the memory block of each packet of the RTP packet second sequence P2;
Step 5: generate RTP packet the 5th sequence P5, i.e. P5=P3+P4;
Step 6: (User Datagram Protocol, be called for short: UDP), the first sequence P5 sends to first terminal to second terminal with the RTP packet according to User Datagram Protoco (UDP).
In the present embodiment, for the key frame of the Media Stream of MPEG-4 type (hereinafter referred to as: Intra-Frame), only its odd number RTP packet of encipher only is not then encrypted for other RTP packet of Inter-Frame.The Media Stream that transmits 25 frame/seconds, 100 bag/seconds with video monitoring system is an example, and statistics shows, only need do 4 times/second computations.Even illegal terminal steals all RTP packets, owing to be difficult to guess the key that to be used to encrypt above-mentioned Media Stream, therefore can not recover the data message of Intra-Frame, promptly can't reconstructed image, can't watch video.
Present embodiment is not limited to Intra-Frame odd number RTP packet is encrypted, also can or extract limited RTP packet according to certain rule and encrypt Intra-Frame even number RTP packet, encryption method is similar, repeats no more herein.
Present embodiment is by adding new field (" Require:encrypt ", " Encrypt:Y in SIP signaling (INVITE and 200 OK message); Key=B " or " Encrypt:Y; Key=C ") expanded Session Initiation Protocol; and the Media Stream that will transmit carried out selective encryption; transmit after having realized media flow security encrypted, guaranteed to have the higher data fail safe based on the systems such as Next Generation Internet video monitoring, video conference and video request program of Session Initiation Protocol.
After through the Session Initiation Protocol security extension,, therefore reduced the possibility that the media stream data transmission is divulged a secret because the Media Stream that is transmitted all is process encryptions.For the mode of stealing of network monitoring,, therefore can guarantee the safety of media flow transmission data because the hacker does not have corresponding decruption key; For the mode of stealing of identity camouflage, because the hacker can't be known first password and second password of first terminal and second terminal of above-mentioned participation session, also can't obtain correct key simultaneously, therefore can guarantee safety of user data.
One of ordinary skill in the art will appreciate that: all or part of step that realizes said method embodiment can be finished by the relevant hardware of program command, aforesaid program can be stored in the computer read/write memory medium, this program is carried out the step that comprises said method embodiment when carrying out; And aforesaid storage medium comprises: various media that can be program code stored such as ROM, RAM, magnetic disc or CD.
It should be noted that at last: above embodiment only in order to technical scheme of the present invention to be described, is not intended to limit; Although with reference to previous embodiment the present invention is had been described in detail, those of ordinary skill in the art is to be understood that: it still can be made amendment to the technical scheme that aforementioned each embodiment put down in writing, and perhaps part technical characterictic wherein is equal to replacement; And these modifications or replacement do not make the essence of appropriate technical solution break away from the spirit and scope of various embodiments of the present invention technical scheme.