CN102868683A - Terminal-to-terminal based voice safety multi-path communication system and method - Google Patents


Info

Publication number: CN102868683A
Authority: CN (China)
Prior art keywords: terminal, path, nodal, node, voice
Legal status: Granted
Application number: CN2012103024916A
Other languages: Chinese (zh)
Other versions: CN102868683B (en)
Inventors: 陈立全, 朱文远, 任卫东, 阳析, 邱林峥
Current assignee: Southeast University
Original assignee: Southeast University
Application filed by Southeast University
Priority to CN201210302491.6A
Publication of CN102868683A
Application granted
Publication of CN102868683B
Current legal status: Expired - Fee Related

Landscapes

  • Telephonic Communication Services
  • Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a peer-to-peer (terminal-to-terminal) based voice secure multi-path communication system and method. The system comprises a plurality of node terminals, a central server and at least three network paths. The node terminals are respectively a calling terminal, an opposite terminal, ordinary nodes and super nodes; the calling terminal is in communication connection with the opposite terminal through the network paths, and the ordinary nodes and super nodes are arranged on the network paths. Each node terminal comprises a distributed hash table interconnection module, a voice processing and forwarding module, a multi-path search module and a security module; the node terminals communicate with one another through the distributed hash table interconnection modules and are connected into a peer-to-peer network structure with publishing and search functions. The method comprises the following steps: first, on the calling end, the voice is encrypted and partitioned into a plurality of data packets, and the packets are labelled with sequence numbers; then the data packets reach the opposite terminal through at least three independent route paths, where they are reassembled according to the sequence numbers, decrypted and restored, so that the voice is transmitted over multiple paths.

Description

Voice secure multi-path communication system and method based on peer-to-peer (end-to-end) networking
Technical field
The present invention relates to a voice secure multi-path communication system and method based on peer-to-peer (P2P, end-to-end) networking, and belongs to the fields of network voice communication and information security technology.
Background technology
Because the Internet and global IP interconnection environment keep improving, voice communication over the network, and VoIP technology in particular, can take full advantage of the ubiquity and low cost of IP networks to provide more and better services than traditional telephony. Yet although VoIP has innate advantages that the traditional telephone cannot match, it also has defects: it is easily affected by network quality, its clarity still lags behind that of the traditional fixed line, and its quality of service cannot be guaranteed. Among these, the security problem of VoIP is of crucial importance and urgently needs to be solved.
The VoIP control protocols in common use at present are H.323, SIP, MEGACO and MGCP. These control protocols mainly create, modify and tear down connection sessions, establishing and controlling the conversation between endpoints. In general they only apply block encryption to the data, impose few deep restrictions on the confidentiality of the session, and transmit data packets directly end to end between the calling terminal and the opposite terminal. A key problem this creates is that a network voice stream is easier to intercept than a call on a traditional encrypted telephone; even an encrypted voice stream may be captured in its entirety and decrypted. Therefore hiding the network voice stream, or even separating it for divided handling, is particularly important.
Techniques for hiding voice have existed in the past, such as DCT-domain information hiding and wavelet-domain information hiding, but such information hiding techniques cannot completely remove the possibility that single-path network voice is monitored and intercepted. On multi-path transmission, the published literature we have found at present mainly includes the following. Guo Qiang et al., in "Multi-route establishment method and parallel data transmission method of a wireless sensor network" (201010228323.8), describe a method of using multiple routes and parallel transmission in a wireless sensor network; it does not address secure multi-path transmission of IP network voice. Huawei, in the patent "Method, device and system for transmitting voice messages over multiple paths" (201010620239.0), proposes single-stream, single-stream-with-backup and dual-send-dual-receive modes for sending and receiving voice between two devices. It has the following technical problems: 1) at most two paths are supported between the two ends of the communication, and the valid data is received on only one of them; 2) security is not considered, and because a dual-send-dual-receive mechanism is adopted, copies of the voice message are transmitted simultaneously, increasing the risk that the voice data is monitored and intercepted on multiple paths; 3) it describes the voice transmission problem for two or fewer paths between two devices in MPRTP mode, and does not address voice security in end-to-end multi-point-forwarding multi-path transmission.
Summary of the invention
Object of the invention: the present invention proposes a peer-to-peer based voice secure multi-path communication system and method. The system realizes safe and reliable voice communication by means of a central server, super nodes and ordinary nodes. The method, on the basis of a peer-to-peer network built on a distributed hash structure, selects three or more network paths whose performance is consistent and meets the QoS requirement for transmitting the encrypted voice, and realizes peer-to-peer multi-path secure voice communication while guaranteeing that the delay, delay variation and packet loss requirements of network voice are met.
Technical scheme: a peer-to-peer based voice secure multi-path communication system comprises a plurality of node terminals, a central server and at least three network paths. The node terminals are respectively a calling terminal, an opposite terminal, ordinary nodes and super nodes. The calling terminal is in communication connection with the opposite terminal through the network paths; the ordinary nodes and super nodes are located on the network paths. Each node terminal includes a distributed hash table interconnection module, a voice processing and forwarding module, a multi-path search module and a security module. The node terminals interconnect with one another through the distributed hash table interconnection modules and are connected into a peer-to-peer network structure with publishing and search functions. Distributed hash table interconnection is an interconnection mode in which the address and related information of each node terminal are hashed to form a binary code, and data is stored and searched on the basis of binary-tree search. A super node is a node terminal that forwards data; an ordinary node is a node terminal that does not forward data.
The central server has a key generator function. A newly added node terminal passes its own identity ID information to the central server at registration; the central server generates a private key from this ID information, and the user's identity serves as the public key. The generated private key is delivered to the newly added node terminal over a secure channel.
The voice processing and forwarding module compresses and encrypts the voice of the node terminal, splits it for multiple paths by the maximum safe distance method, forms the data packets transmitted on the multiple paths, and labels the packets with sequence numbers. The maximum safe distance method means that the voice is divided and transmitted over different paths such that the residual speech intelligibility on any individual path is as low as possible.
Besides the voice processing of its own node terminal, the voice processing and forwarding module also relays voice: the node terminal forwards received data packets that carry a forwarding flag according to their forwarding target.
The multi-path search module, following the consistency principle and on the premise that voice QoS is guaranteed, chooses three or more routed paths of consistently good performance to the opposite terminal and establishes the call.
The security module manages keys and security algorithms, including obtaining the public and private key information from the central server.
A peer-to-peer based voice secure multi-path communication method: first, the calling terminal encrypts the voice, divides it into a plurality of data packets and labels the packets with sequence numbers; then the data packets reach the opposite terminal through at least three independent routed paths, where they are reassembled by sequence number, decrypted and restored, realizing multi-path transmission of the voice. The node terminals on the paths interconnect through the distributed hash table interconnection modules and are connected into a peer-to-peer network structure with publishing and search functions.
The publishing and search procedure of the hash table interconnection module comprises the following 7 steps:
Step 1: the new node terminal completes registration and login at the central server and obtains its own public and private key information;
Step 2: the new node terminal obtains information on a set of system-preset node terminals from the central server and adds these node terminals as contacts;
Step 3: the new node terminal, through the central server or the distributed hash interconnection module, loads the online status and IP address information of the other contact node terminals, and stores the information of contacts whose status is online in the local contact database;
Step 4: the new node terminal sends an online message to the online contact node terminals, together with its own address information;
Step 5: the new node terminal measures its own platform computing capability and network condition, decides from the measurement result whether it takes the super node role or acts as an ordinary node, and then publishes its own information, including user name, IP address, node attribute and publishing time, to the other node terminals over the network paths through the distributed hash table structure;
Step 6: the new node terminal can search for and call other contacts through the distributed hash table structure, and other node terminals can likewise search for and call the new node through the distributed hash table structure;
Step 7: when a node terminal goes offline, it sends offline information to the central server and to its online contact node terminals, and withdraws from the distributed hash table network.
The data packets reach the opposite terminal through at least three independent routed paths; the establishment and selection of these at least three paths proceed as follows:
a) Every node terminal has three routing tables storing node terminal and path information: the first routing table R1 stores node terminals with good network conditions, the second routing table R2 stores candidate communication paths, and the third routing table R3 stores the three or more paths used by the current communication;
b) After calling terminal A logs in and comes online, it queries and tests the data forwarding quality of each node terminal in its local contact database and, on the basis of guaranteed forwarding quality, stores the node terminals with good network conditions in the first routing table R1, to forward voice data for calling terminal A during communication;
c) If the number of available nodes in the first routing table R1 of calling terminal A is below a set threshold, the distributed hash table interconnection is started to search the distributed hash network for super nodes, and the new super node information is added to R1; the search stops when the number of node terminals in R1 reaches the preset threshold;
d) When calling terminal A calls opposite terminal B, it first looks up the address information of B in its local contact database; if B is not found, the information of B is obtained through the search function of the distributed hash table structure;
e) Calling terminal A sends a path-finding request signal to the nodes in its first routing table R1; the path-finding request signal asks the other node terminals to send path test requests and measure the reachability and delay characteristics towards destination B. When a node terminal C in R1 receives the path-finding request signal of calling terminal A, it repeats the work of A and sends the path-finding request signal to the other node terminals in its own first routing table R1;
f) When node terminals C1, C2 and C3 in the first routing table R1 of node terminal C receive the path-finding request signal, each tests the path from itself to destination node terminal B (opposite terminal B) and feeds the delay, delay variation and packet loss information back to node terminal C. From the feedback it receives, node terminal C compares the delay, delay variation and packet loss of the paths C-C1-B, C-C2-B and C-C3-B, chooses the best of them, for example C-C1-B, and feeds it back to calling terminal A;
g) After calling terminal A receives the information on the optimal path C-C1-B, it judges whether the full path from calling terminal A through that optimal path (A-C-C1-B) meets the numerical requirements set for reasonable voice communication, such as delay, delay variation and packet loss; if it does, the path is stored in the second routing table R2;
h) Likewise, the other node terminals in the first routing table R1 of calling terminal A each test their own optimal path by the scheme above, while ensuring as far as possible that these paths do not intersect; after testing, they feed the path delay, delay variation and packet loss back to calling terminal A, and the paths meeting the preset condition for reasonable voice communication are stored in the second routing table R2;
i) After all the nodes in the first routing table R1 have been tested, the paths in the second routing table R2 are compared, and three or more paths with good delay, delay variation and packet loss performance and with similar performance to one another are selected as the paths of this voice call; these three or more forwarding paths are stored in the third routing table R3;
j) The first routing table R1 is tested and its node terminal information updated at fixed intervals; a newly online contact node terminal is tested as well, and a contact node terminal that goes offline is deleted promptly;
k) When a node terminal in the third routing table R3 goes offline, a suitable replacement node terminal is substituted promptly; candidate node terminals are selected from the second routing table R2, whose node terminals are also tested and updated at fixed intervals.
The general criterion for judging a newly added node terminal to be a super node is that the IP address of the node terminal is a public network IP address and the composite evaluation value of its computing capability, network bandwidth and storage space exceeds a set threshold; otherwise it is an ordinary node, and ordinary nodes do not forward data.
After each communicating node terminal receives a link path-finding request signal, measuring the link quality comprises measuring the network reachability from itself to the destination node, and then the network delay value, delay variation value and packet loss value; a link rating is obtained by judging these values together.
During node terminal communication, the sender intermittently generates voice data packets of a certain size; the node terminal encrypts each packet with the shared symmetric key, divides the encrypted packet into three or more sub-packets, and sends them to the opposite terminal over the three or more paths respectively, ensuring that one continuous segment of voice is not sent over the same path. After receiving the voice packets of each path, the opposite terminal decrypts them, arranges them again in sequence, combines them and then decodes them to recover the original voice. The key used to encrypt the voice data is negotiated for each call by the two communicating parties through an identity-based key agreement mechanism. The signalling and key agreement negotiation between calling terminal A and opposite terminal B are transmitted over a single link.
Before multi-path voice communication begins, the node terminal making the call (the calling terminal) must send the paths and port numbers selected in the third routing table R3 to the called node terminal (the opposite terminal); the data packets are sent directly to the called node terminal on a fixed port number after encryption. Likewise, if the paths change during the communication, the calling node terminal sends the changed paths and port numbers to the called node terminal.
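The encrypt, split, label and reassemble procedure of the two paragraphs above, as an added Python example that is not code from the patent: the patent names no specific cipher, so an HMAC-SHA256 counter-mode keystream stands in for the shared symmetric key cipher, and the 20-byte frame size, the three-path count and the sample voice bytes are constructed values.

```python
"""Added example (not the patent's code): encrypt one voice packet with the
shared call key, split the ciphertext over N >= 3 routes by the "maximum
safe distance" rule (no two consecutive frames on one route), label every
fragment with a sequence number, and reassemble at the opposite terminal.
Assumption: the patent names no cipher, so a keystream built from
HMAC-SHA256 in counter mode stands in for it; frame size and path count
are constructed values."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

FRAME_BYTES = 20   # assumed: one codec frame is the unit of splitting
NUM_PATHS = 3      # at least three independent routes, per the patent


def keystream(key: bytes, call_id: bytes, length: int) -> bytes:
    """Stand-in keystream: HMAC-SHA256(key, call_id || counter), block by block."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, call_id + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt(key: bytes, call_id: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call decrypts, so decrypt = encrypt."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, call_id, len(data))))


decrypt = encrypt


@dataclass(frozen=True)
class SubPacket:
    seq: int        # position of the fragment inside the voice packet
    path: int       # index of the route it travels on
    payload: bytes


def split_max_safe_distance(ciphertext: bytes, num_paths: int = NUM_PATHS,
                            frame: int = FRAME_BYTES) -> List[SubPacket]:
    """Route frame k over path k mod N: adjacent frames never share a route,
    so any single route carries only every N-th frame of the segment."""
    frames = [ciphertext[i:i + frame] for i in range(0, len(ciphertext), frame)]
    return [SubPacket(seq, seq % num_paths, f) for seq, f in enumerate(frames)]


def reassemble(received: List[SubPacket], expected: int) -> Optional[bytes]:
    """Put fragments back in sequence order regardless of arrival order;
    a missing sequence number means the packet cannot be restored."""
    by_seq = {sp.seq: sp.payload for sp in received}
    if set(by_seq) != set(range(expected)):
        return None
    return b"".join(by_seq[i] for i in range(expected))


def single_path_view(fragments: List[SubPacket], path: int) -> List[int]:
    """Sequence numbers that an observer of one route alone sees."""
    return sorted(sp.seq for sp in fragments if sp.path == path)


def longest_contiguous_run(seqs: List[int]) -> int:
    """Longest run of consecutive sequence numbers in a sorted list."""
    best = run = 1 if seqs else 0
    for prev, cur in zip(seqs, seqs[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def round_trip(key: bytes, call_id: bytes, voice: bytes) -> Optional[bytes]:
    """Sender side then receiver side, with fragments arriving in reverse order."""
    fragments = split_max_safe_distance(encrypt(key, call_id, voice))
    arrived = list(reversed(fragments))
    joined = reassemble(arrived, len(fragments))
    return None if joined is None else decrypt(key, call_id, joined)
```

An observer of a single route sees only every third frame, which is the residual-intelligibility property the maximum safe distance rule is meant to give; a missing fragment makes `reassemble` return `None` rather than a partially restored packet.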
Beneficial effects: compared with the prior art, the present invention selects three or more communication paths of the best consistency from multiple paths and uses these three or more paths simultaneously to transmit encrypted voice data packets, realizing secure end-to-end voice transmission while guaranteeing voice QoS. Because the encrypted voice is transmitted over three or more independent paths, the possibility that network voice is monitored and intercepted is greatly reduced: a potential eavesdropper can usually only monitor or intercept one or two of the paths, or part of the encrypted voice fragments, and can hardly recover the original voice completely, so the security of end-to-end VoIP communication is greatly strengthened.
Description of drawings
Fig. 1 is a schematic diagram of the system of the embodiment of the invention;
Fig. 2 is a block diagram of the node terminal composition of the embodiment of the invention;
Fig. 3 is a schematic diagram of the distributed hash table interconnection process of the embodiment of the invention;
Fig. 4 is a schematic diagram of the multi-path search process of the embodiment of the invention;
Fig. 5 is a schematic diagram of the voice encryption processing method of the embodiment of the invention;
Fig. 6 is a schematic diagram of the key management and negotiation of the embodiment of the invention.
Embodiment
The present invention is further illustrated below with reference to specific embodiments. It should be understood that these embodiments are only used to explain the present invention and not to limit its scope; after reading the present invention, modifications by those skilled in the art to the various equivalent forms of the present invention all fall within the scope defined by the claims of this application.
As seen from Fig. 1, the method of the present invention is built on three kinds of equipment: super nodes, ordinary nodes and a central server. Calling terminal A is in communication connection with opposite terminal B through the network paths; ordinary nodes and super nodes are located on the network paths.
In the schematic diagram of Fig. 1, calling terminal A is to carry out peer-to-peer secure voice multi-path communication with opposite terminal B. Through negotiation between the two ends, calling terminal A has selected three paths over which the encrypted voice is transmitted simultaneously. Communication path I consists of super node C and super node C1; communication path II consists of super node D and super node D1; communication path III consists of super node E and super node E1.
Super nodes are nodes that have a public network IP address and sufficiently strong computing capability, network bandwidth and storage capacity. Nodes without a public network IP address, or node terminals that do not meet the preset requirements for computing capability, network bandwidth, storage capacity and the like, act as ordinary nodes. Calling terminal A and opposite terminal B may be super nodes or ordinary nodes. Super nodes can perform the data forwarding function; ordinary nodes do not have this capability.
The central server is responsible for the registration and login of all nodes; it also generates the network-wide public security parameters and performs the distribution, management and query of the public and private keys of each user. When a new node terminal joins, it must first register with the central server; each node has a pair of public and private keys distributed and managed by the central server.
A newly registered node terminal maintains a forwarding quality value that represents its quality as a forwarding node terminal. When providing voice data forwarding, the forwarding quality value is increased by 1 each time a forwarding is completed successfully up to the end of the call, and decreased by 1 each time a forwarding fails before the end of the call.
Fig. 2 gives the composition of the functional modules on each node terminal. A node terminal has at least a distributed hash table interconnection module, a security module, a multi-path search module and a voice processing and forwarding module.
The distributed hash table interconnection module on each node terminal builds the interconnection structure for publishing and search by a distributed hash structure table algorithm: the ID and related information of each node terminal become, after hashing, an endpoint on a binary tree structure, and a fast binary-tree search algorithm then provides quick lookup of each node's ID, address information and the like.
The security module manages the keys and security algorithms of the node terminal, including communicating with the central server and obtaining the public and private key information.
The multi-path search module, according to the neighbouring super node database stored on each node terminal, seeks three or more paths with good packet loss, delay and delay variation performance and high consistency, and establishes the response and negotiation, preparing for the subsequent voice call setup.
Besides the relay data forwarding function, the voice processing and forwarding module also performs voice compression and encryption for its own node terminal, splits the voice for multiple paths by the maximum safe distance method, forms the data packets transmitted on the multiple paths, and labels them with sequence numbers. Maximum safe distance means that the voice is divided and transmitted over different paths such that the residual speech intelligibility on any individual path is as low as possible.
The modules above can communicate with one another, passing information and cooperating with each other.
Fig. 3 gives the publishing and search procedure based on the hash table interconnection module in the peer-to-peer secure voice multi-path communication method; it comprises the following 7 steps:
201: when a new node terminal joins, it first completes registration and login at the central server and at the same time obtains its own public and private key information by negotiation with the central server;
202: the new node terminal obtains the information of a set of system-preset node terminals from the central server and adds these node terminals as contacts;
203: the new node terminal, through the central server or the distributed hash interconnection module, loads the online status and IP address information of the contact node terminals and stores the information of contacts whose status is online in the local contact database;
204: the new node terminal sends an online message to the online contact node terminals, together with its own address information;
205: the new node terminal measures its own platform computing capability and network condition, decides from the measurement result whether it takes the super node role or acts as an ordinary node, and then publishes its own information, including user name, IP address, node attribute and publishing time, to the other node terminals over the network through the distributed hash table structure;
206: the new node terminal can search for and call other contacts through the distributed hash table structure, and other node terminals can likewise search for and call the new node terminal through the distributed hash table structure;
207: when a node terminal goes offline, it sends offline information to the central server and to its online contact node terminals, and withdraws from the distributed hash table network.
Fig. 4 gives a schematic diagram of the multi-path search process in the peer-to-peer secure voice multi-path communication method of the present invention; the multi-path search steps are as follows:
a) Every node terminal has three routing tables storing node terminal and path information: table R1 stores node terminals with good network conditions, table R2 stores candidate communication paths, and table R3 stores the three or more paths used by the current communication;
b) After calling terminal A logs in and comes online, it queries and tests the data forwarding quality of each node terminal in its local contact database and, on the basis of guaranteed communication data forwarding quality, stores the node terminals meeting the preset QoS condition in table R1, to forward voice data for calling terminal A during communication. For example, calling terminal A uses ping to test the network condition from the node terminals in its local contact database to itself, calculates the path delay, delay variation and packet loss from the delays returned by ping, and at the same time queries the forwarding quality value of each node terminal. For example, node terminals with a delay below 50 ms, jitter below 10 ms, no packet loss, a forwarding quality value above 50 and idle capacity available are stored in table R1.
c) If the number of available node terminals in table R1 of calling terminal A is below a set threshold, the distributed hash table structure is used to search the distributed hash network for super nodes, and the new super node information is added to R1; the search stops when the number of node terminals in R1 reaches the threshold;
d) When calling terminal A calls opposite terminal B, it first looks up the address information of B in its local contact database; if B is not found, the information of B is obtained through the search function of the distributed hash table structure;
e) Calling terminal A sends a path-finding request signal to the node terminals in table R1; the path-finding request signal asks the other node terminals to send path test requests and measure the reachability towards destination node terminal B (that is, opposite terminal B) and characteristics such as delay, delay variation and packet loss. When node terminal C in R1 receives the path-finding request signal of calling terminal A, it repeats the work of A and sends the path-finding request signal to the other node terminals in its own R1;
f) When node terminals C1, C2 and C3 in the R1 of node terminal C receive the path-finding request signal, each tests the path from itself to destination B, including delay, jitter, packet loss and its own node forwarding quality, and feeds the delay, delay variation and packet loss information back to node terminal C. From the feedback it receives, node terminal C compares the paths C-C1-B, C-C2-B and C-C3-B, chooses the best, for example C-C1-B, and feeds it back to calling terminal A. For example, the measurement covers delay, jitter, packet loss and the node forwarding quality value; on the precondition that the cumulative delay is below 150 ms, the cumulative jitter is below 15 ms, there is no packet loss and the forwarding node quality is not less than 50, the path with the smallest delay is selected and fed back to calling terminal A, and if the condition is not met, "no suitable path" is returned;
g) After calling terminal A receives the information on path C-C1-B, it judges whether the full path A-C-C1-B meets the numerical requirements set for reasonable voice communication, such as delay, delay variation and packet loss; if it does, the path is stored in table R2;
h) Likewise, the other node terminals in table R1 of calling terminal A each test their own optimal path by the scheme above, while ensuring as far as possible that these paths do not intersect; after testing, they feed the path delay, delay variation and packet loss back to calling terminal A, and the paths meeting the preset condition for reasonable voice communication are stored in table R2. For example, the other node terminals D, E, F and so on in table R1 of node terminal A respectively test the paths A-D-D1-B, A-D-D2-B, A-E-E1-B, A-E-E2-B, A-F-F1-B and A-F-F2-B by the scheme above, select the qualifying paths A-D-D1-B, A-E-E2-B and A-F-F1-B, and after testing feed the path conditions back to node terminal A;
i) After all the node terminals in R1 have finished testing, the paths in R2 are compared, and three or more paths with good delay, delay variation and packet loss performance and with similar performance to one another are selected as the paths of this voice call; these three or more forwarding paths are stored in table R3. For example, the paths in R2 are divided into groups by delay, paths whose delays differ by no more than 20 ms forming one group, and that group is stored in R3 as the communication paths for this call;
If three paths satisfying the above condition cannot be found in R2 while the total number of paths is not less than 3, the permitted delay difference for grouping is doubled to 40 ms; if a suitable group still cannot be found, the permitted difference continues to double until one is found;
If three paths satisfying the above condition cannot be found in R2 and the total number of paths is lower than 3, the delay and delay variation requirements of the test condition can also be relaxed, for example the absolute delay is set to 200 ms and the packet loss condition is set at 5%, and the path search is repeated; if still nothing is found, the condition continues to be relaxed until paths are found;
After these communication paths are found, the forwarding node terminals of the three paths are notified and the node terminals are locked, so that they are not taken by other node terminals;
Calling terminal A encrypts the three paths and port numbers with the public key of opposite terminal B and sends them directly to opposite terminal B on the fixed port number; opposite terminal B receives them, decrypts them and makes a judgement. If it refuses, the communication ends; if it accepts, the two communicating parties use the symmetric key obtained for this communication through the identity-based bilinear-pairing key agreement mechanism to encrypt the voice data packets, and calling terminal A then begins to communicate with opposite terminal B using the three paths;
J) table R1 fixed time test and renewal nodal terminal information wherein have new contact person's nodal terminal to reach the standard grade and also test, and contact person's nodal terminal rolls off the production line and then will in time delete; For example, tested once the wherein situation of nodal terminal in per 5 minutes for table R1, tested once the wherein situation of nodal terminal in per 2 minutes for table R2, then need the once situation in path wherein of test in per 30 seconds for path among the table R3, if have among the R3 that nodal terminal rolls off the production line, when path quality descends temporarily, then from R2, select at once the replacing of substituting of suitable path;
K) after table has nodal terminal to roll off the production line among the R3, then in time change suitable nodal terminal, the both candidate nodes terminal is selected from the R2 table, and the nodal terminal among the R2 is fixed time test and renewal also.
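The admission, grouping and relaxation rules of steps G to I, written out as an added example (this is not the patent's code); the path names and measurements are constructed, and the relaxation schedule after the first round is an assumption noted in the code.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed example (not the patent's code) of the R1 -> R2 -> R3 selection in
# steps G to I. Admission uses the thresholds the description gives (delay < 150 ms,
# jitter < 15 ms, no loss, forwarding quality >= 50); grouping uses the 20 ms delay
# window, doubled while R2 holds enough paths, and the admission conditions are
# relaxed (200 ms, 5 % loss) when it does not.

@dataclass(frozen=True)
class Path:
    hops: Tuple[str, ...]  # full path, e.g. ("A", "D", "D1", "B")
    delay_ms: float        # cumulative delay fed back to A
    jitter_ms: float       # cumulative delay variation
    loss_pct: float        # packet loss in percent
    fwd_quality: int       # lowest forwarding-quality value among the relays

    @property
    def relays(self) -> frozenset:
        return frozenset(self.hops[1:-1])  # intermediate node terminals only

@dataclass(frozen=True)
class Criteria:
    max_delay_ms: float = 150.0
    max_jitter_ms: float = 15.0
    max_loss_pct: float = 0.0
    min_fwd_quality: int = 50

def admit_to_r2(tested: List[Path], c: Criteria) -> List[Path]:
    """Steps G/H: keep only full paths that meet the voice-quality conditions."""
    return [p for p in tested
            if p.delay_ms < c.max_delay_ms and p.jitter_ms < c.max_jitter_ms
            and p.loss_pct <= c.max_loss_pct and p.fwd_quality >= c.min_fwd_quality]

def disjoint_group(window: List[Path], need: int) -> Optional[List[Path]]:
    """Greedily pick `need` paths from a delay window whose relay nodes do not
    intersect (the description wants non-intersecting paths as far as possible)."""
    chosen: List[Path] = []
    used: set = set()
    for p in window:
        if p.relays.isdisjoint(used):
            chosen.append(p)
            used |= p.relays
            if len(chosen) == need:
                return chosen
    return None

def group_for_r3(r2: List[Path], tol_ms: float, need: int = 3) -> Optional[List[Path]]:
    """Step I: lowest-delay group of `need` paths whose delays differ by <= tol_ms."""
    ordered = sorted(r2, key=lambda p: p.delay_ms)
    for i, first in enumerate(ordered):
        window = [p for p in ordered[i:] if p.delay_ms - first.delay_ms <= tol_ms]
        if len(window) >= need:
            group = disjoint_group(window, need)
            if group:
                return group
    return None

def select_paths(tested: List[Path], need: int = 3, tol_ms: float = 20.0,
                 max_rounds: int = 4) -> Tuple[List[Path], float, Criteria]:
    """Returns (paths for R3, grouping tolerance used, admission criteria used).
    Rounds after the first relax delay by a further 50 ms and double the jitter
    limit each time; that schedule is an assumption of this example."""
    crit = Criteria()
    for _ in range(max_rounds):
        r2 = admit_to_r2(tested, crit)
        tol = tol_ms
        while len(r2) >= need:
            group = group_for_r3(r2, tol, need)
            if group:
                return group, tol, crit
            if tol > crit.max_delay_ms:  # window already spans all of R2
                break                    # only relay overlap is left, so relax
            tol *= 2.0                   # 20 -> 40 -> 80 ms ...
        crit = Criteria(max_delay_ms=crit.max_delay_ms + 50.0,
                        max_jitter_ms=crit.max_jitter_ms * 2.0,
                        max_loss_pct=5.0, min_fwd_quality=crit.min_fwd_quality)
    return [], tol_ms, crit

# Constructed measurements for the paths named in the description's example.
SAMPLE = [
    Path(("A", "C", "C1", "B"), 80.0, 5.0, 0.0, 70),
    Path(("A", "D", "D1", "B"), 90.0, 6.0, 0.0, 65),
    Path(("A", "D", "D2", "B"), 160.0, 4.0, 0.0, 80),  # delay too high
    Path(("A", "E", "E1", "B"), 95.0, 20.0, 0.0, 60),  # jitter too high
    Path(("A", "E", "E2", "B"), 100.0, 8.0, 0.0, 55),
    Path(("A", "F", "F1", "B"), 130.0, 9.0, 0.0, 50),
    Path(("A", "F", "F2", "B"), 85.0, 3.0, 1.0, 90),   # packet loss
]

if __name__ == "__main__":
    r3, tol, crit = select_paths(SAMPLE)
    print([("-".join(p.hops), p.delay_ms) for p in r3], tol, crit.max_delay_ms)
```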
Fig. 5 shows the voice encryption and decryption process of the method of the invention. At calling terminal A, the voice is sampled, quantized, encoded and compressed into a series of voice data packets. For example, with the 4800 bps MELP compression algorithm, 12 bytes of compressed encoding information are obtained every 20 ms. The encoded voice data is grouped and adjusted according to sequence number, encrypted, and marked with sequence numbers to obtain encrypted packets. The grouping, adjustment, encryption and marking are carried out according to whether 3 paths or more than 3 paths were negotiated between the two ends, yielding encrypted packet 1, encrypted packet 2, encrypted packet 3 and so on. Data is then sent and received through the multipath channel negotiated between calling terminal A and opposite terminal B: encrypted packet 1 is transmitted on path 1, encrypted packet 2 on path 2, and encrypted packet 3 on path 3.
At the receiving end, after opposite terminal B receives the packets transmitted over the multiple paths, it first buffers them, then reorders them by sequence number, then decrypts, regroups and adjusts them, and finally recovers the voice data packets by reassembling them according to sequence number.
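The sender-side numbering, encryption and path assignment and the receiver-side buffering and reordering of Fig. 5, as an added example that is not the patent's code; the 12-byte MELP frame is from the description, while the per-frame keystream, the 5-byte packet header and the sample voice frames are assumptions of this example.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# Constructed example (not the patent's code) of the packetisation in Fig. 5:
# MELP at 4800 bps yields one 12-byte frame every 20 ms; each frame is numbered,
# encrypted, marked and placed on path (seq mod N), so consecutive frames never
# travel the same path; the receiver buffers by sequence number, reorders and
# decrypts. The per-frame keystream below (HMAC-SHA256 of the sequence number)
# stands in for the negotiated symmetric cipher, an assumption of this example.

FRAME_BYTES = 12               # 4800 bps * 20 ms / 8 bits
HEADER = struct.Struct(">IB")  # sequence number (4 bytes), path index (1 byte)

def keystream(key: bytes, seq: int) -> bytes:
    return hmac.new(key, struct.pack(">I", seq), hashlib.sha256).digest()[:FRAME_BYTES]

def xor_frame(key: bytes, seq: int, data: bytes) -> bytes:
    """Encrypt or decrypt one frame; XOR with a per-sequence keystream is symmetric."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, seq)))

def split_over_paths(key: bytes, frames: List[bytes], n_paths: int = 3) -> Dict[int, List[bytes]]:
    """Sender (calling terminal A): number, encrypt and mark each frame, then queue
    frame i on path i mod n_paths. Returns the packets queued for each path."""
    if n_paths < 3:
        raise ValueError("the method requires at least 3 independent paths")
    per_path: Dict[int, List[bytes]] = {p: [] for p in range(n_paths)}
    for seq, frame in enumerate(frames):
        if len(frame) != FRAME_BYTES:
            raise ValueError("frame %d is not one MELP frame" % seq)
        path = seq % n_paths
        per_path[path].append(HEADER.pack(seq, path) + xor_frame(key, seq, frame))
    return per_path

def sequence_numbers(packets: List[bytes]) -> List[int]:
    """Sequence numbers carried on one path (all that a relay on that path sees)."""
    return [HEADER.unpack(pkt[:HEADER.size])[0] for pkt in packets]

def reassemble(key: bytes, received: List[bytes], expected: int) -> Tuple[bytes, List[int]]:
    """Receiver (opposite terminal B): buffer packets in any arrival order, then
    decrypt in sequence order. Missing frames become silence and are reported."""
    buffer: Dict[int, bytes] = {}
    for pkt in received:
        seq, _path = HEADER.unpack(pkt[:HEADER.size])
        if seq < expected and seq not in buffer:  # drop duplicates and stray packets
            buffer[seq] = pkt[HEADER.size:]
    voice = bytearray()
    missing: List[int] = []
    for seq in range(expected):
        if seq in buffer:
            voice += xor_frame(key, seq, buffer[seq])
        else:
            missing.append(seq)
            voice += bytes(FRAME_BYTES)  # concealment: one frame of silence
    return bytes(voice), missing

if __name__ == "__main__":
    key = bytes(32)  # placeholder for the per-call key SK_AB from the key agreement
    frames = [bytes([i]) * FRAME_BYTES for i in range(9)]  # constructed "voice"
    queues = split_over_paths(key, frames)
    for path, pkts in queues.items():
        print("path", path, "carries frames", sequence_numbers(pkts))
    arrival = queues[1] + queues[0] + queues[2][:2]  # path 2 loses its last packet
    voice, missing = reassemble(key, arrival, len(frames))
    print("recovered", len(voice), "bytes; missing frames:", missing)
```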
The voice encryption key between calling terminal A and opposite terminal B is negotiated by the two parties through the identity-based key agreement mechanism before the call. Meanwhile, the multipath encrypted voice transmission in the direction from opposite terminal B to calling terminal A is carried out over the same selected link paths, and its encryption and decryption key is the one negotiated for the direction from calling terminal A to opposite terminal B.
When communication ends, calling terminal A clears tables R2 and R3, notifies the node terminals on the paths that the call has ended, releases the paths, and raises its own node-terminal forwarding quality value.
Fig. 6 shows the key management and negotiation process of the end-to-end voice secure multipath communication method. Key management is mainly done by the central server, and the key agreement process uses an identity-based key agreement mechanism, which may adopt the bilinear pairing pattern. In Fig. 6,
When the whole system is set up, the central server creates and publishes the system parameters $\langle G_1, G_2, e, q, P, P_{pub}, H_1, H \rangle$, where $G_1$ is an additive cyclic group whose generator is $P$, $e(\cdot,\cdot)$ is the bilinear pairing operation, and $q$ is the order of $G_1$. The central server selects a random number $s$ and computes $P_{pub} = sP$, where $s$ is the master private key, kept in the central server and not disclosed, and $P_{pub}$ is the master public key, which may be published. The central server also selects strong cryptographic hash functions $H$ and $H_1$, where $H_1: \{0,1\}^n \times G_1 \to G_1$. The steps are then as follows:
401: Let the user identity of calling terminal A be $ID_A$; $ID_A$ may be public and known to other users. A itself generates a private key $x_A$, then encrypts $ID_A$ and $x_A$ under $P_{pub}$ and transmits them to the central server.
402: From the received $ID_A$ and $x_A$, the central server generates the public key pair of calling terminal A, $P_A = \langle X_A, Y_A \rangle$, where $X_A = x_A P$ and $Y_A = x_A sP$; it then computes $Q_A = H_1(ID_A \| P_A)$ and obtains $D_A = sQ_A$. The central server encrypts $D_A$ under $X_A$ and sends it back to calling terminal A together with the other information.
403: Opposite terminal B is processed in the same way as in 401. Let the user identity of opposite terminal B be $ID_B$; $ID_B$ may be public and known to other users. B itself generates a private key $x_B$, then encrypts $ID_B$ and $x_B$ under $P_{pub}$ and transmits them to the central server.
404: From the received $ID_B$ and $x_B$, the central server generates the public key pair of opposite terminal B, $P_B = \langle X_B, Y_B \rangle$, where $X_B = x_B P$ and $Y_B = x_B sP$; it then computes $Q_B = H_1(ID_B \| P_B)$ and obtains $D_B = sQ_B$. The central server encrypts $D_B$ under $X_B$ and sends it back to opposite terminal B together with the other information.
The above key management steps 401 to 402 are carried out immediately after registration and login whenever a new node joins. Each node then holds its own public/private key pair. For example, for node A the public key pair is $P_A = \langle X_A, Y_A \rangle$ and the private key is $S_A = x_A D_A = x_A sQ_A = x_A sH_1(ID_A \| P_A)$.
Before each call, the following key agreement steps are carried out between calling terminal A and opposite terminal B.
405: Calling terminal A itself generates a random number $a$, and generates a reply identifier $TS$ for this call. It then sends $[ID_A, TS, T_A = aP, P_A]$ to opposite terminal B.
406: After receiving the message of 405, opposite terminal B likewise generates a random number $b$ itself, and sends $[ID_B, TS, T_B = bP, P_B]$ to calling terminal A.
Calling terminal A then computes $KA_1 = e(S_A, T_B)\, e(Q_B, aY_B)$ and $KA_2 = (ID_A \| ID_B \| aT_B \| x_A X_B)$, and the voice data encryption/decryption key for this call $SK_{AB} = H(T_A \| T_B \| KA_1 \| KA_2)$.
Likewise, the opposite terminal computes $KB_1 = e(S_B, T_A)\, e(Q_A, bY_A)$ and $KB_2 = (ID_A \| ID_B \| bT_A \| x_B X_A)$, and the voice data encryption/decryption key for this call $SK_{BA} = H(T_A \| T_B \| KB_1 \| KB_2)$.
It can be proved that $SK_{AB} = SK_{BA}$, i.e. a consistent encryption/decryption key has been negotiated. The benefit of this form of key agreement is that it resists key substitution attacks and provides improved forward secrecy and ephemeral key security.
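The key consistency stated above can be checked term by term from the definitions of steps 402, 404, 405 and 406; this derivation is added here and is not part of the patent text. It uses only bilinearity, $e(xU, yV) = e(U, V)^{xy}$, and the definitions $S_A = x_A s Q_A$, $S_B = x_B s Q_B$, $Y_A = x_A sP$, $Y_B = x_B sP$, $T_A = aP$, $T_B = bP$:

```latex
\begin{aligned}
KA_1 &= e(S_A, T_B)\, e(Q_B, aY_B)
      = e(x_A s Q_A,\, bP)\, e(Q_B,\, a x_B s P)
      = e(Q_A, P)^{x_A s b}\; e(Q_B, P)^{x_B s a}, \\
KB_1 &= e(S_B, T_A)\, e(Q_A, bY_A)
      = e(x_B s Q_B,\, aP)\, e(Q_A,\, b x_A s P)
      = e(Q_B, P)^{x_B s a}\; e(Q_A, P)^{x_A s b} = KA_1, \\
KA_2 &= (ID_A \| ID_B \| aT_B \| x_A X_B)
      = (ID_A \| ID_B \| abP \| x_A x_B P)
      = (ID_A \| ID_B \| bT_A \| x_B X_A) = KB_2, \\
SK_{AB} &= H(T_A \| T_B \| KA_1 \| KA_2) = H(T_A \| T_B \| KB_1 \| KB_2) = SK_{BA}.
\end{aligned}
```

The two pairing factors can only be formed by a party holding $S_A$ or $S_B$, which in turn require both the user secret $x_A$ (or $x_B$) and the server secret $s$, while the $abP$ term depends only on the fresh per-call randoms $a$ and $b$; this is where the stated resistance to key substitution and the forward-secrecy property come from.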
 
The communication between calling terminal A and opposite terminal B in steps 405 and 406 above is carried out over one channel of the selected multipath communication channels.
The above are only preferred embodiments of the present invention; the protection scope of the invention is not limited to the above embodiments; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the protection scope of the invention.

Claims (10)

1. An end-to-end voice secure multipath communication system, characterized in that it comprises a plurality of node terminals, a central server and at least 3 network paths; the plurality of node terminals are respectively a calling terminal A, an opposite terminal B, ordinary nodes and super nodes; calling terminal A is communicatively connected with opposite terminal B through the network paths; the ordinary nodes and super nodes are located on the network paths; each node terminal includes a distributed hash table interconnection module, a voice processing and forwarding module, a multipath search module and a security module; the node terminals interconnect with one another through the distributed hash table interconnection modules and form an end-to-end network structure with publish and search functions; distributed hash table interconnection is an interconnection mode in which the address and related information of each node terminal are hashed to form a binary code, and data storage and lookup are performed in a binary-tree search manner; the super nodes are node terminals that perform data forwarding; the ordinary nodes are node terminals that do not perform data forwarding.
2. The end-to-end voice secure multipath communication system of claim 1, characterized in that the central server comprises a key generator; a newly joining node terminal passes its own identity ID information to the central server at registration, the central server generates a private key from this ID information, and the user's identity serves as the public key; the generated private key is delivered to the newly joining node terminal through a secure channel.
3. The end-to-end voice secure multipath communication system of claim 1, characterized in that the voice processing and forwarding module is used to compress and encrypt the node terminal's voice, to split it over multiple paths in the maximum-safe-distance manner to form the packets transmitted on the multiple paths, and to mark the packets with sequence numbers; the maximum-safe-distance manner means that the voice is divided and transmitted over different paths; the voice processing and forwarding module also relays voice: a node terminal forwards the received packets carrying a forwarding mark according to the forwarding target.
4. The end-to-end voice secure multipath communication system of claim 3, characterized in that the multipath search module, following a consistency principle and under the prerequisite of guaranteeing voice QoS, selects 3 or more routed paths to opposite terminal B with good and consistent performance to set up the call.
5. The end-to-end voice secure multipath communication system of claim 1, characterized in that the security module handles key management and the security algorithms, including obtaining public and private key information from the central server.
6. An end-to-end voice secure multipath communication method, characterized in that: first, calling terminal A encrypts the voice, divides it into a plurality of packets, and labels the packets with sequence numbers; the packets then reach opposite terminal B through at least 3 independent routed paths, and at opposite terminal B the packets are reassembled, decrypted and restored according to their sequence numbers, realizing multipath transmission of voice; wherein the node terminals on the paths interconnect through distributed hash table interconnection modules and form an end-to-end network structure with publish and search functions.
7. The end-to-end voice secure multipath communication method of claim 6, characterized in that the publish and search process of the hash table interconnection module comprises the following 7 steps:
Step 1: a new node terminal obtains its own public and private key information after completing registration and login at the central server;
Step 2: the new node terminal obtains part of the system-preset node terminal information from the central server and adds these node terminals as contacts;
Step 3: the new node terminal loads the online status and IP address information of its other contact node terminals through the central server or the distributed hash interconnection module, and stores the contact information whose status is online in the local contact database;
Step 4: the new node terminal sends an online message to its online contact node terminals, sending its own address information along with it;
Step 5: the new node terminal measures its own platform computing capability and network condition, decides from the measurement result whether to take the super node role or act as an ordinary node, and then publishes its own information, including user name, IP address, node property and publication time, to the other node terminals over the network paths through the distributed hash table structure;
Step 6: the new node terminal can search for and call other contacts through the distributed hash table structure, and other node terminals can likewise search for and call the new node through the distributed hash table structure;
Step 7: when a node terminal goes offline, it sends offline information to the central server and its online contact node terminals and withdraws from the distributed hash table network.
8. The end-to-end voice secure multipath communication method of claim 6, characterized in that the packets reach opposite terminal B through at least 3 independent routed paths, wherein the at least 3 paths are established and selected as follows:
any node terminal has 3 routing tables for storing node terminal and path information: the first routing table R1 stores node terminals with good network conditions, the second routing table R2 stores candidate communication paths, and the third routing table R3 stores the 3 or more paths used for the current communication;
after calling terminal A logs in and comes online, it queries and tests the data forwarding quality of each node terminal in the local contact database, and, on the basis of ensuring data forwarding quality, stores the node terminals with good network conditions in the first routing table R1 for forwarding voice data when calling terminal A communicates;
if the number of available nodes in the first routing table R1 of calling terminal A is small, i.e. below a set threshold, distributed hash table interconnection is started to search for super nodes in the distributed hash network, and new super node information is added to the first routing table R1; the search stops once the node terminals in the first routing table R1 reach the preset threshold;
when calling terminal A calls opposite terminal B, it first looks up the address information of opposite terminal B in the local contact database; if it is not found, it obtains the information of opposite terminal B through the search function of the distributed hash table structure;
calling terminal A sends a path-finding request signalling to the nodes in its first routing table R1; the path-finding request signalling is used to send a path test request to other node terminals and measures the reachability and delay characteristics to the destination opposite terminal B; after node terminal C in the first routing table R1 receives the path-finding request signalling of calling terminal A, it repeats the work of calling terminal A and sends the path-finding request signalling to the other node terminals in its own first routing table R1;
after node terminals C1, C2 and C3 in the first routing table R1 of node terminal C receive the path-finding request signalling, each tests its own path condition to destination node terminal B and feeds information such as delay, delay variation and packet loss back to node terminal C; based on the feedback received, node terminal C compares the condition of paths C-C1-B, C-C2-B and C-C3-B, selects the best path and feeds it back to calling terminal A;
after calling terminal A receives the optimal path information, it judges whether the full path information from calling terminal A over the optimal path meets the numerical requirements on delay, delay variation and packet loss set for reasonable voice communication; if the requirements are met, the path is stored in the second routing table R2;
likewise, the other node terminals in the first routing table R1 of calling terminal A each test out their own optimal path by the above scheme while ensuring that these paths do not intersect; after the tests are complete, the path delay, delay variation and packet loss condition are fed back to calling terminal A, and the paths that meet the preset reasonable voice communication conditions are stored in the second routing table R2;
after all nodes in the first routing table R1 have completed their tests, the condition of each path in the second routing table R2 is compared, and 3 or more paths whose delay, delay variation and packet loss performance are good and close to one another are selected as the paths for this voice call; these 3 or more forwarding paths are stored in the third routing table R3;
the first routing table R1 tests and updates its node terminal information at fixed intervals; a newly online contact node terminal is also tested, and a contact node terminal that goes offline is deleted promptly;
after a node terminal in the third routing table R3 goes offline, a suitable node terminal is substituted promptly; the candidate node terminal is selected from the second routing table R2, and the node terminals in the second routing table R2 are likewise tested and updated at fixed intervals.
9. The end-to-end voice secure multipath communication method of claim 6, characterized in that the general criterion for judging a newly joining node terminal to be a super node is that the node terminal's IP address is a public network IP address and the comprehensive evaluation value of its computing capability, network bandwidth and storage space exceeds a set threshold; otherwise it is an ordinary node, and ordinary nodes do not perform data forwarding; during node terminal communication, the sender continuously generates voice packets of a certain size, the node terminal encrypts each packet with the shared symmetric key, then divides the encrypted packet into 3 or more sub-packets and sends them to opposite terminal B over 3 or more paths respectively, ensuring that a continuous segment of voice packets is not sent over the same path; opposite terminal B, after receiving the voice packets from each path, decrypts them, rearranges and combines them in sequence, and then decodes them to recover the original voice; the key for encrypting the voice data is obtained by the two parties through the identity-based key agreement mechanism at each call; the signalling and key agreement messages between calling terminal A and opposite terminal B are transmitted over a single link.
10. The end-to-end voice secure multipath communication method of claim 8, characterized in that before multipath voice communication begins, calling terminal A needs to send the paths and port numbers selected in the third routing table R3 to opposite terminal B; the packet is encrypted and then sent directly to the called node terminal through a fixed port number; likewise, if the paths change during communication, the calling node terminal also sends the changed paths and port numbers to the called node terminal.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210302491.6A CN102868683B (en) 2012-08-23 2012-08-23 Terminal-to-terminal based voice safety multi-path communication system and method

Publications (2)

Publication Number Publication Date
CN102868683A true CN102868683A (en) 2013-01-09
CN102868683B CN102868683B (en) 2015-06-03

Family

ID=47447274

Country Status (1)

Country Link
CN (1) CN102868683B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104243142A (en) * 2014-10-11 2014-12-24 江阴润玛电子材料股份有限公司 Information segmented transmission system
CN104243135A (en) * 2014-10-11 2014-12-24 江阴润玛电子材料股份有限公司 Information communication method
CN104348599A (en) * 2013-07-26 2015-02-11 富士施乐株式会社 Communication device and information processing system
CN105913848A (en) * 2016-04-13 2016-08-31 乐视控股(北京)有限公司 Path storing method and path storing system based on minimal heap, and speech recognizer
CN108243152A (en) * 2016-12-23 2018-07-03 航天星图科技(北京)有限公司 A kind of secure data exchange method
CN110098931A (en) * 2019-06-05 2019-08-06 浙江汇信科技有限公司 Data transmission method based on trusted " government and enterprises' connection connects " platform
WO2019218786A1 (en) * 2018-05-17 2019-11-21 北京大米科技有限公司 Route detection method based on tunneling technology, and routing node and central server
CN112214647A (en) * 2020-10-12 2021-01-12 北京同心尚科技发展有限公司 Super node processing method and device, electronic equipment and readable storage medium
WO2024065732A1 (en) * 2022-09-30 2024-04-04 新华三技术有限公司 Data processing method and apparatus, forwarding chip, and network device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101394273A (en) * 2008-10-17 2009-03-25 电子科技大学 Multichannel ciphered information transmission method
CN101420434A (en) * 2008-12-03 2009-04-29 深圳市众方信息科技有限公司 P2P method for supporting VoIP communication
CN102137094A (en) * 2010-12-31 2011-07-27 华为技术有限公司 Method, device and system for transmitting voice message in multipath

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
陈伟涛 等: "基于Kademlia 的P2P VoIP系统的设计与实现", 《微计算机信息》 *
陈智毅: "基于Kademlia协议的VoIP系统的研究与设计", 《江西师范大学硕士学位论文》 *

Also Published As

Publication number Publication date
CN102868683B (en) 2015-06-03

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150603

Termination date: 20180823