CN101188498B - Communication terminal and communication method - Google Patents

Communication terminal and communication method

Info

Publication number
CN101188498B
Authority
CN
China
Prior art keywords
communication
network
security level
communication network
security
Application number
CN 200710125285
Other languages
Chinese (zh)
Other versions
CN101188498A (en)
Inventor
俞洲
孟越涛
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN 200710125285
Publication of CN101188498A
Application granted
Publication of CN101188498B


Abstract

The invention discloses a communication terminal and its communication method. The communication method comprises the following steps: a communication connection is established with the communication network having the highest security level; it is judged whether the communication data is to be encrypted; if the judgment result is that the communication data is not encrypted, the communication data is transmitted over the communication network with the highest security level. The invention can select a network of high security for transmitting the communication data, and prevents the two communicating parties from suffering a man-in-the-middle attack while the communication connection is being established.

Description

A communication terminal and a communication method

Technical field

[0001] The present invention relates to communication technology, and in particular to the secure transmission of data over a communication network; specifically, it is a communication terminal and a communication method.

Background art

[0002] As shown in FIG. 1, a man-in-the-middle attack (MITM attack) is an "indirect" intrusion attack. In this attack pattern, a computer controlled by the intruder is virtually placed, by various technical means, between two communicating computers in a network connection; this computer is called the "man in the middle". The intruder then has this computer impersonate one or both of the original computers, so that the "man in the middle" can establish an active connection with the original computers and read or tamper with the information passed between them, while the two original users believe they are communicating with each other directly; this kind of attack is therefore not easy to detect. Man-in-the-middle attacks thus became an attack technique very early on, and to this day they still have great room to expand.

[0003] MITM attacks are used very widely in the field of network security; for example, session hijacking and DNS spoofing are typical MITM techniques. Today, the MITM attack has become the most threatening and most destructive kind of attack on network communication services such as online banking, online games and online trading. With the development of IP communication, telecommunications are becoming increasingly IP-based, and the likelihood of carrier-grade and enterprise-grade telecommunication systems suffering such attacks will keep rising.

[0004] To avoid man-in-the-middle attacks, the prior art uses a public key infrastructure (PKI), a system or platform that provides public key encryption and digital signature services, to manage keys and certificates. A third-party organization can establish a secure network environment by managing keys and certificates within the PKI framework.

[0005] A third-party organization present in the system, the certificate authority (CA), signs and certifies the public keys of all participants. When the recipient of a key receives a signed certificate for a public key, it hands the certificate to the above third party for verification. Because the attacker cannot modify the signature on the public key, it also cannot replace the public keys exchanged by the two parties, and so cannot complete the man-in-the-middle attack.

[0006] However, since building a PKI system is fairly complex, not all systems have deployed PKI at this stage. Moreover, the certificate authorities (CAs) in a PKI are arranged hierarchically, and lower-level CAs likewise face security risks. PKI also requires support from the terminal; if the terminal cannot support PKI, the user's communication connections in an environment without PKI will face serious security problems.

Summary of the invention

[0007] Embodiments of the present invention provide a communication method that establishes a network connection and transmits communication data by selecting the communication network with the highest security level value. Embodiments of the present invention further provide a communication terminal that uses the security level values of communication networks to select a communication network, establishes a communication connection with it, and performs communication data transmission and key exchange over it. An embodiment of the present invention provides a communication method comprising the following steps: sending a probe packet to a node device of a communication network; receiving a security level packet sent by the node device; determining the security level value of the communication network from the node device information carried in the security level packet; determining the highest-security-level communication network from the security level values of the communication networks; establishing a communication connection with the highest-security-level communication network; judging whether the communication data is to be encrypted; and, if the judgment result is that the communication data is not to be encrypted, transmitting the communication data over the highest-security-level communication network.
An embodiment of the present invention provides a communication method comprising the following steps: sending a probe packet to a node device of a communication network; receiving a security level packet sent by the node device; determining the security level value of the communication network from the communication network type and communication mode carried in the security level packet; determining the highest-security-level communication network from the security level values of the communication networks; establishing a communication connection with the highest-security-level communication network; judging whether the communication data is to be encrypted; and, if the judgment result is that the communication data is not to be encrypted, transmitting the communication data over the highest-security-level communication network.

[0008] Embodiments of the present invention further provide a communication terminal comprising a storage unit, a control unit, a network switching unit and a communication unit. The storage unit stores a security level value list and keys; the security level value list records communication network data and the security level value corresponding to each communication network. The control unit comprises a list reading unit and a switching signal generation unit: the list reading unit reads, from the security level value list, the communication network data corresponding to the highest security level value and passes it to the switching signal generation unit; the switching signal generation unit generates a network switching signal from the received communication network data and outputs it to the network switching unit; the network switching unit establishes a communication connection with the communication network corresponding to the network switching signal;

[0009] the communication unit exchanges keys over the communication network with which the communication connection has been established, and sends/receives communication data over the communication network with which the communication connection has been established.

[0010] The beneficial effect of the embodiments of the present invention is that a communication terminal can perceive the security level of a network through an internally stored network security level value or through the detected network security level value of the communication network, and thus select the most secure network for transmitting communication data. In addition, embodiments of the present invention perform key exchange and communication data transmission over different communication networks, which likewise prevents the two communicating parties from suffering a man-in-the-middle attack while establishing a communication connection, without relying on a complex PKI system.

Brief description of the drawings

[0011] FIG. 1 is a schematic diagram of a man-in-the-middle attack;

[0012] FIG. 2 is a schematic diagram of the architecture of a communication network according to an embodiment of the present invention;

[0013] FIG. 3 is a flow chart of data communication over the secure network of FIG. 2 according to an embodiment of the present invention;

[0014] FIG. 4 is a schematic structural diagram of the communication terminal of FIG. 2 according to an embodiment of the present invention.

Detailed description

[0015] To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the embodiments and the accompanying drawings. The exemplary embodiments of the present invention and their description serve to explain the invention and do not limit it.

[0016] FIG. 2 is a schematic diagram of the architecture of a secure communication system according to an embodiment of the present invention. As shown in FIG. 2, if a communication terminal in this system architecture uses a secure communication mode to establish a session, it must select, from the two or more communication networks to which it is connected, one communication network as its access network to reach the IP-based core network of the system architecture (not shown in FIG. 2). It should be noted that, because eavesdropping and theft are generally carried out on the access side, the core network in embodiments of the present invention should not be limited to an IP-based core network. The IP-based core network in this embodiment serves only to illustrate that the communication terminals can each access the same core network through their different access networks and thereby perform data communication and key exchange with one another.

[0017] Each communication network may be provided with a network security assessment device for assessing the security level value of the communication network. This network security level value assessment device may be a stand-alone device (such as the security assessment device shown in FIG. 2) or may be integrated into other network equipment such as a base station (not shown in FIG. 2). Although in FIG. 2 the network security level value assessment device is provided only in the wireless LAN and the LAN, it may also be provided in the other communication networks of the secure communication system shown in FIG. 2.

[0018] The implementation of the communication method according to an embodiment of the present invention is described in detail below with reference to FIG. 2 and FIG. 3:

[0019] When communication terminals, such as a computer and a smart terminal, are to transmit data, each obtains the security level value corresponding to each communication network it is connected to. The computer and the smart terminal each select, from the communication networks to which they are connected, the communication network with the highest security level and establish a communication connection with it. After the computer and the smart terminal have each established a communication connection with their respective highest-security-level communication network, they judge whether the communication data needs to be encrypted for transmission.

[0020] When the computer and the smart terminal do not need to encrypt the communication data, the two terminals can transmit data directly over the highest-security-level communication network with which the connection has been established. When the communication data transmission between the computer and the smart terminal ends, the computer and the smart terminal disconnect from the communication network with which the connection was established, so that before the next data transmission the highest-security-level communication network is selected afresh to establish a connection and transmit the data. The content of the communication data transmitted between communication terminals includes, but is not limited to, text files, audio and video files, binary files and streaming media.

[0021] When the two communicating parties need to encrypt the communication data, the computer and the smart terminal each select the highest-security-level communication network with which they have established a connection as the key exchange network, and perform the key exchange over it. Once the key exchange between the two parties is complete, the computer and the smart terminal each disconnect from their key exchange network and store the exchanged key locally. The communication terminals of the two parties then each select a communication network different from their key exchange network to transmit the communication data. After the computer and the smart terminal have finished transmitting the communication data, the two terminals disconnect again and decrypt the received communication data with the locally stored key.

[0022] The process by which an embodiment of the present invention selects the highest-security-level communication network, establishes a communication connection, and performs communication data transmission and key exchange is described in detail below, taking the computer as an example, with reference to FIG. 2 and FIG. 4:

[0023] As shown in FIG. 4, the communication terminal comprises a control unit, a storage unit, a communication unit, a network switching unit and a network security level value evaluation unit. The control unit consists of a list reading unit and a switching signal generation unit; the security level value evaluation unit consists of a probe packet sending module, a probe packet receiving module, a security level value calculation unit and a security level value comparison module; the storage unit stores a security level value list, which holds the security level value corresponding to each communication network the terminal is connected to. Each security level value may express the relative security level of a communication network by the magnitude of a number.

[0024] This embodiment takes the computer as an example to describe the process by which each communication terminal in the system of FIG. 2 of the present invention selects the highest-security-level communication network and establishes a network connection:

[0025] Embodiment one:

[0026] The probe packet sending module of the computer's security level value evaluation unit sends probe packets, such as Internet Control Message Protocol (ICMP) packets, Internet Group Management Protocol (IGMP) packets or Simple Network Management Protocol (SNMP) packets, to the node devices of the telecommunication network, the wireless LAN and the LAN, to request device information about the node devices of these communication networks.

[0027] After the telecommunication switch of the telecommunication network, the wireless access point of the wireless LAN and the router of the LAN receive the probe packets, the telecommunication switch sends to the computer's probe packet receiving module a security level packet carrying the TDM (time-division multiplexing) device type (the device type of the telecommunication switch; all devices in the existing PSTN, including the various telephones and switching offices, are of TDM type); the wireless access point sends to the computer's probe packet receiving module a security level packet carrying the wireless device type (the device type of the wireless access point); and the router sends to the computer's probe packet receiving module a security level packet carrying the IP device type (the device type of LAN access equipment). The computer's probe packet receiving module forwards the security level packets carrying the TDM device type, the wireless device type and the IP device type to the computer's security level calculation unit.

[0028] The security level value calculation unit computes the security level values corresponding to the telecommunication network, the wireless LAN and the LAN respectively from the TDM device type of the telecommunication switch, the wireless device type in the wireless access point's security level packet, and the IP device type in the router's security level packet. This is because TDM devices are more secure than IP devices, and wired devices are more secure than wireless devices. Suppose the security level value calculation unit obtains security level values of 1, 2 and 3 (or A, B, C), from highest to lowest, for the telecommunication network, the LAN and the wireless LAN. The computer's security level value calculation unit outputs the security level values of the telecommunication network, the LAN and the wireless LAN to the computer's security level value comparison unit. The computer's security level value comparison unit compares them and finds that the telecommunication network has the highest security level value. The security level value comparison unit generates the telecommunication network data and outputs it to the computer's switching signal generation unit. The computer's switching signal generation unit generates, from the telecommunication network data, a network switching signal corresponding to the telecommunication network and outputs it to the network switching unit. The network switching unit establishes a communication connection with the telecommunication network. The computer's communication unit exchanges keys or transmits communication data over the telecommunication network.

[0029] Embodiment two:

[0030] The probe packet sending module of the computer's security level value evaluation unit sends probe packets to the telecommunication switch of the telecommunication network, the wireless access point of the wireless LAN and the router of the LAN. After the telecommunication switch, the wireless access point and the router receive the probe packets, the telecommunication switch sends to the computer's probe packet receiving module a security level packet carrying the network type public switched telephone network (PSTN) and the communication mode analog signal (the telecommunication network's network type is PSTN and its communication mode is analog signalling); the wireless access point sends to the computer's probe packet receiving module a security level packet carrying the network type WiFi and the communication mode real-time transport (RTP) (the wireless LAN's network type is WiFi and its communication mode is RTP); and the router sends to the computer's probe packet receiving module a security level packet carrying the network type LAN and the communication mode IP (the LAN's network type and communication mode, respectively). The security level value calculation unit computes the corresponding security level values from the network type and communication mode in the security level packets of the telecommunication switch, the wireless access point and the router.
The security level value calculation unit obtains security level values of 1, 2 and 3 (or A, B, C), from highest to lowest, for the telecommunication network, the LAN and the wireless LAN. The computer's security level value calculation unit outputs the security level values of the telecommunication network, the LAN and the wireless LAN to the computer's security level value comparison unit. The computer's security level value comparison unit compares them and finds that the telecommunication network has the highest security level value. The security level value comparison unit generates the telecommunication network data and outputs it to the computer's network switching unit. The computer's switching signal generation unit generates, from the telecommunication network data, a network switching signal corresponding to the telecommunication network and outputs it to the network switching unit. The network switching unit establishes a communication connection with the telecommunication network. The computer's communication unit exchanges keys or transmits communication data over the telecommunication network.

[0031] Embodiment three:

[0032] The network security level value assessment devices in the telecommunication network, the wireless LAN and the LAN are similar in structure and function to the computer's security level evaluation unit. The network security level assessment device can compute the security level value corresponding to each communication network in the manner of the computer's security level evaluation unit described in embodiments one and two, and send it to the computer's communication unit. The computer's communication unit outputs the received security level values computed by the network security level assessment devices to the computer's security level value comparison unit.

[0033] Embodiment four:

[0034] The security level values stored in the security level value list in the computer's storage unit correspond respectively to the telecommunication network, the wireless LAN and the LAN. The computer's list reading unit reads from the security level value list the telecommunication network data corresponding to the highest security level value and passes it to the switching signal generation unit. The switching signal generation unit generates a network switching signal from the received telecommunication network data and outputs it to the network switching unit. The network switching unit establishes a communication connection with the telecommunication network corresponding to the network switching signal.

[0035] The security level value corresponding to each communication network in the security level value list may be set manually. When setting the security level values of the communication networks, a network deployed by oneself may be set to the highest security level value, while private or public networks are set to relatively lower security level values.

[0036] Likewise, the other communication terminals in the system embodiment of FIG. 2, such as the smart terminal, ordinary telephones and IP telephones, may select the highest-security-level communication network in the same way the computer selects it in embodiments one to four.

[0037] It should be noted that, in the system embodiment of FIG. 2, the communication terminals of the two communicating parties may select different communication networks for transmitting data or exchanging keys. Since every communication terminal accesses the same core network through a different communication network, the communication terminals of the two parties need not select the same network. The different communication networks selected by the terminals differ only in access mode and have no effect on the communication data and keys transmitted between the two parties. For example, a computer may access via ADSL dial-up, optical fibre, modem dial-up, a direct network cable, GPRS or CDMA. That is, when the computer communicates with the smart terminal, the computer may choose the wireless LAN as its key exchange network while the smart terminal chooses the telecommunication network as its key exchange network, and the two parties exchange keys. After the key exchange ends, the computer then selects the LAN and the smart terminal selects the wireless LAN to establish communication connections, and the two parties transmit the communication data.

[0038] In the above embodiments of the present invention, when the two communicating parties do not encrypt the communication data, the highest-security-level communication network may be selected to transmit the communication data as described in the embodiments above. If the two parties need to encrypt the communication data, the highest-security-level network may be selected as the key exchange network as described in the embodiments above. After the key exchange ends and the connection to the key exchange network is disconnected, the two parties may select another communication network different from the key exchange network, establish a communication connection and transmit the communication data according to prior-art methods. Therefore, the embodiments of the present invention do not describe in detail the method of selecting another communication network different from the key exchange network after the connection to the key exchange network has been disconnected.
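The selection logic described in embodiments one and two and the key-exchange/data split of [0021] and [0037], as an added example that is not part of the patent: the numeric rankings for device types and network types, the packet fields, the sample packets and the rule of taking the next-best network for data are all assumptions of this example.

```python
"""Added example (not from the patent): network selection by security level value."""
from dataclasses import dataclass
from typing import Optional

# Ranking assumed from embodiment one: TDM is safer than IP, wired safer than
# wireless. A smaller value is a higher security level, as in the patent's 1, 2, 3.
DEVICE_TYPE_LEVEL = {"TDM": 1, "IP": 2, "wireless": 3}

# Ranking assumed from embodiment two, keyed on (network type, communication mode).
NETWORK_TYPE_LEVEL = {("PSTN", "analog"): 1, ("LAN", "IP"): 2, ("WiFi", "RTP"): 3}


@dataclass(frozen=True)
class SecurityLevelPacket:
    """Reply from a node device to a probe packet (constructed field layout)."""
    network: str                        # which access network answered
    device_type: Optional[str] = None   # embodiment one
    network_type: Optional[str] = None  # embodiment two
    comm_mode: Optional[str] = None     # embodiment two


def security_level_value(pkt: SecurityLevelPacket) -> int:
    """Security level value calculation unit: use the device type if present,
    otherwise the (network type, communication mode) pair."""
    if pkt.device_type is not None:
        return DEVICE_TYPE_LEVEL[pkt.device_type]
    return NETWORK_TYPE_LEVEL[(pkt.network_type, pkt.comm_mode)]


def build_level_list(packets) -> dict:
    """The security level value list kept in the storage unit. Embodiment four
    fills the same structure by hand instead of from probe replies."""
    return {p.network: security_level_value(p) for p in packets}


def highest_security_network(levels: dict) -> str:
    """Security level value comparison module: the smallest value wins."""
    return min(levels, key=levels.get)


def plan_session(levels: dict, encrypt: bool):
    """Return (key_exchange_network, data_network) for one terminal.

    Unencrypted: no key exchange; data goes over the highest-security network.
    Encrypted: key exchange over the highest-security network, data over a
    different network. Taking the next-best network for data is this example's
    assumption; the patent only requires a different network.
    """
    best = highest_security_network(levels)
    if not encrypt:
        return None, best
    others = {n: v for n, v in levels.items() if n != best}
    if not others:
        raise ValueError("key exchange and data need different networks; only one is connected")
    return best, highest_security_network(others)


# Constructed sample replies for the computer of FIG. 2: embodiment-one style
# for the telecom switch and the router, embodiment-two style for the access point.
COMPUTER_PACKETS = [
    SecurityLevelPacket("telecom", device_type="TDM"),
    SecurityLevelPacket("lan", device_type="IP"),
    SecurityLevelPacket("wlan", network_type="WiFi", comm_mode="RTP"),
]

# Constructed sample for the smart terminal, connected only to telecom and WLAN.
SMART_TERMINAL_PACKETS = [
    SecurityLevelPacket("telecom", network_type="PSTN", comm_mode="analog"),
    SecurityLevelPacket("wlan", device_type="wireless"),
]


def peer_plans(encrypt: bool):
    """Each side plans on its own network list; per [0037] the two sides need
    not end up on the same access networks."""
    return (plan_session(build_level_list(COMPUTER_PACKETS), encrypt),
            plan_session(build_level_list(SMART_TERMINAL_PACKETS), encrypt))


if __name__ == "__main__":
    for enc in (False, True):
        print("encrypted" if enc else "plain", peer_plans(enc))
```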

[0039] An advantageous effect of the embodiments of the present invention is that the communication terminal can perceive the security of a network through internally stored network security level values or through detected security level values of the communication networks, and can thereby select the most secure network for transmitting communication data. Furthermore, by performing the key exchange and the communication data transmission over different communication networks, the embodiments of the present invention can likewise prevent the two communicating parties from being subjected to a man-in-the-middle attack when establishing a communication connection, without relying on a complex PKI system.

[0040] The specific embodiments described above further describe in detail the objectives, technical solutions and advantageous effects of the present invention. It should be understood that the foregoing is merely a description of specific embodiments of the present invention and is not intended to limit the scope of protection of the present invention; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (9)

1. A communication method, characterized in that the communication method comprises the following steps: sending a probe packet to a node device of a communication network; receiving a security level packet sent by the node device; determining a security level value of the communication network according to node device information carried in the security level packet; determining the highest security level communication network according to the security level value of the communication network; establishing a communication connection with the highest security level communication network; determining whether the communication data is to be encrypted; and, if the determination result is that the communication data is not to be encrypted, transmitting the communication data through the highest security level communication network.
2. The method according to claim 1, characterized in that, if the determination result is that the communication data is to be encrypted, the communication method further comprises the following steps: selecting the highest security level communication network as a key exchange network; performing key exchange using the key exchange network; disconnecting the communication connection with the key exchange network; and selecting a communication network different from the key exchange network to establish a communication connection and transmit the communication data.
3. The method according to claim 1 or 2, characterized in that the node device comprises at least one of: an IP switch, a telecommunications switch, a router, a wireless access point or a PSTN gateway; and the node device information refers to the type of the node device, the type of the node device comprising at least one of: an IP device, a TDM device, a wired device or a wireless device.
4. The method according to claim 1 or 2, characterized in that, before the step of establishing a communication connection with the highest security level communication network, the communication method further comprises the following step: determining the highest security level communication network according to configured security level values of the communication networks.
5. A communication method, characterized in that the communication method comprises the following steps: sending a probe packet to a node device of a communication network; receiving a security level packet sent by the node device; determining a security level value of the communication network according to the communication network type and the communication mode of the communication network carried in the security level packet; determining the highest security level communication network according to the security level value of the communication network; establishing a communication connection with the highest security level communication network; determining whether the communication data is to be encrypted; and, if the determination result is that the communication data is not to be encrypted, transmitting the communication data through the highest security level communication network.
6. The method according to claim 5, characterized in that, if the determination result is that the communication data is to be encrypted, the communication method further comprises the following steps: selecting the highest security level communication network as a key exchange network; performing key exchange using the key exchange network; disconnecting the communication connection with the key exchange network; and selecting a communication network different from the key exchange network to establish a communication connection and transmit the communication data.
7. A communication terminal, characterized in that the communication terminal comprises: a storage unit, a control unit, a network switching unit and a communication unit, wherein the storage unit is configured to store a security level value list and a key; the security level value list is used to record communication network data and the security level values corresponding to the communication network data; the control unit comprises a list reading unit and a switching signal generating unit, the list reading unit being configured to read, from the security level value list, the communication network data corresponding to the highest security level value and pass it to the switching signal generating unit; the switching signal generating unit generates a network switching signal according to the received communication network data and outputs it to the network switching unit; the network switching unit establishes a communication connection with the communication network corresponding to the network switching signal; and the communication unit exchanges the key with the communication network with which the communication connection has been established and sends or receives communication data through the communication network with which the communication connection has been established.
8. The communication terminal according to claim 7, characterized in that the communication terminal further comprises a network security evaluation unit; the network security evaluation unit comprises: a probe packet sending module, which sends a probe packet to a node device of the communication network to request the node device information or the network type and communication mode of the communication network; a probe packet receiving module, which receives the security level packet sent by the node device carrying the node device information, or receives the security level packet sent by the node device carrying the network type and the communication mode of the communication network, and outputs the security level packet carrying the node device information or the security level packet carrying the network type and the communication mode of the communication network to a security level value calculating unit; the security level value calculating unit, which calculates the security level value corresponding to the communication network according to the node device information or the network type and communication mode of the communication network carried in the security level packet, and outputs the security level value corresponding to the communication network to a security level value comparing module; and the security level value comparing module, which compares the security level values of the communication networks to generate the communication network data corresponding to the highest security level value and outputs it to the network switching unit.
9. The communication terminal according to claim 8, characterized in that the communication unit is further configured to receive the security level value corresponding to the communication network transmitted by a network security evaluation apparatus in the communication network, and to output it to the security level value comparing unit.
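The network-selection method of claims 1 to 6 and paragraphs [0037] and [0038] can be modelled in a few functions: score each probed network from its security level packet, rank the networks, and then either carry everything over the top-ranked network (no encryption) or split the session so that the key exchange runs over the top-ranked network and the data over a different one. The following Python is an added illustration, not code from the patent or its assignee; the numeric scores for device types, network types and communication modes are constructed assumptions (the patent defines no values), and the network names and packet fields are likewise invented for the example.

```python
"""Illustrative model of the claimed network-selection method (added example, not patent code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed scoring tables (assumption: the patent gives no numeric levels).
# Higher means more trusted for the purpose of this example only.
DEVICE_TYPE_SCORE = {"TDM": 4, "wired": 3, "IP": 2, "wireless": 1}      # claim 3 node device types
NETWORK_TYPE_SCORE = {"PSTN": 4, "LAN": 3, "GPRS": 2, "WLAN": 1}        # claim 5 network types (assumed)
COMM_MODE_SCORE = {"circuit": 2, "packet": 1}                          # claim 5 communication modes (assumed)


@dataclass(frozen=True)
class SecurityLevelPacket:
    """Reply to a probe packet. Either node_device_type (claim 1) or
    network_type + comm_mode (claim 5) is filled in by the node device."""
    network: str
    node_device_type: Optional[str] = None
    network_type: Optional[str] = None
    comm_mode: Optional[str] = None


def security_level_value(pkt: SecurityLevelPacket) -> int:
    """Compute the security level value of one network from its packet.
    Unknown or missing fields score 0, so a malformed reply can never
    outrank a network whose properties are actually known."""
    if pkt.node_device_type is not None:
        return DEVICE_TYPE_SCORE.get(pkt.node_device_type, 0)
    return (NETWORK_TYPE_SCORE.get(pkt.network_type or "", 0)
            + COMM_MODE_SCORE.get(pkt.comm_mode or "", 0))


def rank_networks(packets: List[SecurityLevelPacket],
                  configured: Optional[Dict[str, int]] = None) -> List[Tuple[str, int]]:
    """Rank networks from highest to lowest security level value.
    'configured' plays the role of the stored security level value list
    (claim 4 / the storage unit of claim 7) and overrides probed values.
    Ties are broken by name so the result is deterministic."""
    values: Dict[str, int] = {p.network: security_level_value(p) for p in packets}
    if configured:
        values.update(configured)
    return sorted(values.items(), key=lambda kv: (-kv[1], kv[0]))


def plan_communication(packets: List[SecurityLevelPacket], encrypt: bool,
                       configured: Optional[Dict[str, int]] = None
                       ) -> Tuple[Optional[str], str]:
    """Return (key_exchange_network, data_network).

    Not encrypting: no key exchange; data goes over the highest-level network (claim 1).
    Encrypting: keys over the highest-level network, then the terminal disconnects and
    moves the data to a *different* network (claim 2). If only one network exists the
    split cannot be honoured, so the function refuses rather than silently reusing it."""
    ranked = rank_networks(packets, configured)
    if not ranked:
        raise ValueError("no communication network available")
    best = ranked[0][0]
    if not encrypt:
        return None, best
    alternatives = [name for name, _ in ranked[1:]]
    if not alternatives:
        raise ValueError("encryption requested but only one network is available; "
                         "the method needs a data network different from the key exchange network")
    return best, alternatives[0]


def session_transcript(packets: List[SecurityLevelPacket], encrypt: bool,
                       configured: Optional[Dict[str, int]] = None) -> List[Tuple[str, str]]:
    """Sequence of (phase, network) a terminal would perform, in order."""
    kx, data = plan_communication(packets, encrypt, configured)
    if kx is None:
        return [("connect", data), ("send_plaintext", data), ("disconnect", data)]
    return [("connect", kx), ("key_exchange", kx), ("disconnect", kx),
            ("connect", data), ("send_ciphertext", data), ("disconnect", data)]


if __name__ == "__main__":
    # Constructed probe replies for a terminal with four access networks.
    replies = [
        SecurityLevelPacket("wlan0", node_device_type="wireless"),
        SecurityLevelPacket("eth0", node_device_type="wired"),
        SecurityLevelPacket("pstn0", network_type="PSTN", comm_mode="circuit"),
        SecurityLevelPacket("bogus0", node_device_type="unknown-type"),
    ]
    for step in session_transcript(replies, encrypt=True):
        print(step)
```

Note how the two phases of an encrypted session land on different networks: an observer who only has access to the data network never sees the key exchange, which is the man-in-the-middle mitigation paragraph [0039] claims. The stored `configured` table lets an operator pin a network above whatever the probe replies say, matching claim 4, and any reply with an unrecognised device type falls to the bottom of the ranking instead of being trusted by accident.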

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200710125285 CN101188498B (en) 2007-12-19 2007-12-19 Communication terminal and communication method


Publications (2)

Publication Number Publication Date
CN101188498A CN101188498A (en) 2008-05-28
CN101188498B true CN101188498B (en) 2010-12-08

Family

ID=39480701


Country Status (1)

Country Link
CN (1) CN101188498B (en)

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
CF01