CN103684787A - Encryption-decryption method and terminal of data pack based on network transmission - Google Patents

Publication number
CN103684787A
Authority
CN
China
Prior art keywords
packet
key
password table
key stream
starting point
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201310688322.5A
Other languages
Chinese (zh)
Other versions
CN103684787B (en)
Inventor
雷凯
袁杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Peking University Shenzhen Graduate School
Original Assignee
Peking University Shenzhen Graduate School
Application filed by Peking University Shenzhen Graduate School
Priority to CN201310688322.5A
Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses an encryption and decryption method and terminal for data packets based on network transmission. It uses an end-to-end real-time encryption method based on a stream cipher algorithm: at the initial stage of a session, both communicating parties negotiate the session parameters and each establishes its own cipher tables. The sending side extracts the packet header information, generates a key stream starting point, and generates a section of key stream from the cipher tables and the starting point to encrypt the packet payload. The receiving side uses the packet header information to judge whether network packet loss has occurred; when it has, the receiving side first completes cipher table synchronization and then generates a synchronized key from the updated cipher tables and the starting point to decrypt the packet payload. Without adding extra network traffic, and with the key stream generated online in real time, this achieves real-time encryption with key self-synchronization under network conditions where packet loss exists.

Description

Encryption and decryption method and terminal for data packets based on network transmission
Technical field
This application relates to the field of secure network communications, and in particular to an encryption and decryption method and terminal for data packets based on network transmission.
Background art
The Internet is widely used in the communications field because it is simple, cheap and open. VoIP (Voice over Internet Protocol), for example, is a newer communication technology that uses the Internet to carry voice packets. However, because of the openness of the Internet and its inherent insecurity, data transmitted over the network is exposed to more security risks than traditional technologies such as circuit-switched voice communication. To keep voice, video, images and/or text secure while they cross an open network, the most common technique is to encrypt the packets for transmission. Encrypting packets adds extra communication delay, however, which is a major bottleneck for voice communication with high real-time requirements such as VoIP. Because stream cipher algorithms are 4 to 5 times faster than block cipher algorithms and do not have the bit-error propagation defect of block cipher algorithms, encrypted data transmission based on stream ciphers has a considerable advantage over encryption based on block ciphers.
In a packet network, if the transport layer uses an unreliable datagram protocol (such as UDP), there is no guarantee that every encrypted packet reaches the receiving end. When the network loses packets, a stream-cipher-based encryption technique that cannot keep the decryption key fully synchronized with the encryption key leaves the receiving end unable to decrypt any of the packets it receives, and the encrypted transmission fails. Some existing patented techniques propose encrypted data transmission with a key synchronization function.
Chinese patent application No. 200710304592.6 discloses an encryption and decryption method suitable for VoIP media transport. In summary: both parties prepare a key table and a public key in advance. The caller selects a random number, takes the remainder of the random number modulo the public key, and uses the remainder to take a key from the key table and encrypt the plaintext; the transmitted data comprise the random number, random data of remainder length, and the ciphertext. On receiving the data, the callee first obtains the random number and takes its remainder modulo the public key, uses the remainder to determine the offset at which the ciphertext begins, and then takes the key from the key table based on the remainder to decrypt. The shortcomings of this method are: both parties must establish a fixed key table in advance, and the table must be large enough to guarantee the randomness of the keys, which consumes a large amount of memory and is especially unsuitable for mobile terminal devices; to keep the keys of the encrypting and decrypting sides synchronized, the method increases the data transmitted over the network by adding the random number and the random data of remainder length; in addition, it is difficult for the method to define the random number and the added random data of remainder length effectively.
Chinese patent application No. 200810300497.3 discloses a secure transmission method based on stream cipher encryption. In summary: to synchronize the encryption and decryption keys, both parties are connected to one synchronization signal source at the same time and use a clock transmitted independently of the ciphertext as the synchronization signal; the sending device and the receiving device use the same stream cipher algorithm to produce the same key stream; a fixed constant field is added to the ciphertext to judge whether the encryption and decryption keys are synchronized. The shortcomings of this method are: achieving key synchronization simply by connecting both parties to one synchronization signal source is hard to realize in practice and cannot be extended to large-scale systems; adding a fixed constant field to judge synchronization introduces a new security risk.
Chinese patent application No. 201010171638.3 discloses a dynamic encryption and decryption method and device for network communication. In summary: a first network entity generates keys and sends them to a second network entity, and also stores the generated keys in its local key table. The first network entity encrypts data with a key from the key table and attaches the index of that key in the local key table to the encrypted data. The second network entity receives the keys distributed by the first network entity and stores them in its local key table. When the second network entity receives encrypted data, the data carry the index of the key used for encryption, and the invention assumes that the keys distributed by the first network entity are always received by the second network entity, that is, that the key tables of the two entities are fully synchronized and consistent at all times; the key found at that index in the second network entity's key table is therefore the key the first network entity used for encryption. The shortcomings of this method are: in practice it is difficult to fully guarantee that the keys distributed by the first network entity are received by the second network entity; when some distributed key is not received, the key tables of the two parties lose synchronization and the method cannot be carried out correctly, so the method does not really achieve key synchronization; and to keep the encryption and decryption keys of both sides synchronized, the method adds network traffic by attaching the key index.
Chinese patent application No. 201110291636.2 discloses an end-to-end voice encryption method for low-speed narrowband wireless digital communication. In summary: both parties establish a key mapping table in advance and set up a secure clock. The caller sends a synchronization control frame to the callee; the frame includes a key index KI, an initial vector IV, a checksum of the synchronization control frame, and so on. The caller assigns a sequence number to each voice frame, then produces a key stream from the time T taken from the secure clock, the initial vector IV, the sequence number and the encryption key TEK determined by the key index KI, and encrypts the voice frame; the transmitted data comprise the sequence number and the ciphertext. The callee uses the key index KI in the synchronization control frame to obtain the encryption key TEK from the key mapping table, uses a correction algorithm to determine the time T, and extracts the initial vector IV from the synchronization control frame. On receiving data, the callee extracts the voice frame sequence number and uses the same algorithm to produce the key stream and decrypt the voice frame. The shortcomings of this method are: both parties must establish a fixed key mapping table in advance, and this mapping table likewise faces a serious resource consumption problem; both parties must keep a secure clock synchronized at all times, which is often hard to realize in practice; and the method must periodically send synchronization control frames containing the key index, which adds network traffic.
Summary of the invention
This application provides an encryption and decryption method and terminal for data packets based on network transmission, which achieve real-time encryption based on a stream cipher without adding extra network traffic.
According to a first aspect of this application, the application provides an encryption and decryption method for data packets based on network transmission, comprising:
When a session is initiated, both communicating parties determine the session key and random initial vector that they will use in common;
Each party establishes its own password table from the session key and random initial vector;
The sending end obtains a raw data packet, the raw data packet being an unencrypted packet;
The sending end generates a first starting point from the header information of the raw data packet, generates a first key stream from the first starting point and its password table, and uses the first key stream to encrypt the raw data packet, obtaining the encrypted packet to be sent;
The receiving end, after receiving the encrypted packet, generates a second starting point from the header information of the encrypted packet, generates a second key stream from the second starting point and its password table, and uses the second key stream to decrypt the encrypted packet, obtaining the plaintext.
Further, the method also comprises update operations:
The sending end performs a first update operation on its password table while or after generating the first key stream;
The receiving end performs a second update operation on its password table while or after generating the second key stream.
Further, the method also comprises a synchronization operation:
After receiving an encrypted packet, the receiving end first uses the header information of the most recently received packet to judge whether network packet loss has occurred; when there is packet loss, the receiving end first performs the synchronization operation on its password table. The synchronization operation is carried out directly with the generation algorithm of the stream cipher. After receiving the encrypted packet, the receiving end generates the second starting point from the header information of the encrypted packet, generates the second key stream from the second starting point and the synchronized password table, and uses the second key stream to decrypt the encrypted packet, obtaining the plaintext.
According to a second aspect of this application, the application provides an encryption and decryption terminal for data packets based on network transmission, comprising:
A key and initial vector acquiring unit, for determining the session key and random initial vector used in common by both communicating parties when a session is initiated;
A password table generation unit, for generating the password table from the session key and random initial vector;
A packet acquiring unit, for obtaining a raw data packet, the raw data packet being an unencrypted packet;
A first starting point generation unit, for generating the first starting point from the header information of the raw data packet;
A first key stream generation unit, for generating the first key stream from the password table and the first starting point;
An encryption unit, for encrypting the raw data packet with the generated first key stream to obtain the encrypted packet to be sent;
A second starting point generation unit, for generating the second starting point from the header information of the received encrypted packet;
A second key stream generation unit, for generating the second key stream from the second starting point and its password table;
A decryption unit, for decrypting the encrypted packet with the generated second key stream to obtain the plaintext.
Further, the terminal also comprises:
A packet loss judging unit, for judging from the header information of the received packet whether network packet loss has occurred;
A password table synchronization unit, for synchronizing the receiving end's password table when network packet loss has occurred.
The beneficial effects of this application are: the header information of the packet is used to generate the key stream online in real time and encrypt the packet, which avoids the defect of increased network traffic; compared with techniques that prepare a key table or key mapping table in advance, it offers higher security; and the key stream generation algorithm is used to achieve key synchronization between the two communicating parties.
Brief description of the drawings
Fig. 1 is the encryption and decryption flow chart of Embodiment 1 of this application, in which
Fig. 1-a is the encryption flow chart of Embodiment 1, and
Fig. 1-b is the decryption flow chart of Embodiment 1;
Fig. 2 is the receiving end flow chart of Embodiment 2 of this application;
Fig. 3 is the block diagram of the encryption and decryption terminal of Embodiment 3 of this application;
Fig. 4 is a schematic diagram of the communication process of Embodiment 4 of this application.
Detailed description of the embodiments
The present invention is described in further detail below through embodiments, with reference to the accompanying drawings.
The idea of the invention is to make full use of header information such as the sequence number and timestamp, which correspond one-to-one to packets transmitted over a network. The header information of successive packets in a network transmission is related, so part of the header information of a lost packet can be calculated from the packets that were received, and packets can be encrypted and decrypted online in real time with a stream cipher algorithm based on their header information. The networks referred to in this application include broadband networks, wireless communication networks, wired communication networks and so on. The proposed encryption and decryption method applies to the transmission of any packet whose header information contains a sequence number and a timestamp, such as RTP (Real-time Transport Protocol) packets, TCP (Transmission Control Protocol) packets and UDT (UDP-based Data Transfer protocol) packets. The specific embodiments of the invention use voice packets based on the Real-time Transport Protocol to set out the technical solution.
The following statement applies to the embodiments below:
How the sending end obtains the original voice packets and how the receiving end restores the voice signal are not within the scope of protection claimed by the invention and are not part of its technical solution; they are described only so that those skilled in the art can understand the technical solution better and more clearly. In other embodiments, the voice packets can also be other data that can be carried as a packet payload, such as video, images and/or text, and the corresponding voice signal can likewise be a video, image and/or text signal.
Embodiment 1:
One embodiment of the encryption and decryption method for data packets based on network transmission is shown in Fig. 1-a and Fig. 1-b. The specific steps are:
M001. Determine the session key SK and random initial vector IV.
In the session initialization stage, the two communicating parties negotiate the session key SK and a 256-bit random initial vector IV through a particular security mechanism. The session key SK and random initial vector IV are used in common by both parties to set up their respective password tables, so the parties need to negotiate the parameters of the call before voice communication is established. It is readily understood that, because both parties hold the same session key SK and random initial vector IV, either party can determine the session key SK and random initial vector IV while the other party obtains them and responds. For example, the caller carries the parameters for the session key SK and random initial vector IV in the request that initiates the call, and the callee obtains the session key SK and random initial vector IV from the request and applies them. Alternatively, the callee returns a response message to the caller once the connection is made, the response message carries the parameters for the session key SK and random initial vector IV, and the caller obtains the session key SK and random initial vector IV from that message and applies them.
M002. Both parties establish their respective password tables P and Q.
Once both parties have obtained the session key SK and random initial vector IV, each sets up its own password tables P and Q from the shared session key SK and random initial vector IV, for example using an existing algorithm. Password tables P and Q comprise 1024 32-bit elements and are the basis on which both parties generate the stream cipher HC-256'.
Note that this embodiment uses the HC-256' stream cipher to encrypt packets. Because both parties hold the same session key SK and random initial vector IV, the password tables P and Q that each party sets up from the session key SK and random initial vector IV are also identical.
When speech data is produced, the encryption method carries out the following steps, as shown in Fig. 1-a.
M11. The sending end obtains a raw data packet.
After session initialization, the two parties can communicate. The speech data of each party is turned into packets (for example RTP packets) according to the communication protocol (for example the Real-time Transport Protocol). When one party needs to send speech data, the party sending the speech data is called the sending end and the party receiving it is called the receiving end; when the sending and receiving roles are exchanged during the communication, the names change accordingly. When speech data needs to be sent, the sending end obtains a raw data packet, that is, an unencrypted packet. This packet contains header information such as the sequence number and timestamp, and the sending end's session plaintext payload.
M12. The sending end extracts the sequence number and timestamp fields from the header information of the raw data packet.
Packets generated according to the communication protocol carry header information such as a sequence number and a timestamp. After obtaining the raw data packet, the sending end first extracts the packet's sequence number and timestamp fields from the header information.
M13. Generate the first starting point.
The starting point i of the stream cipher HC-256' is generated from the extracted sequence number and timestamp fields. In one embodiment, after extracting the sequence number and timestamp fields, the sending end applies a hash function to them and assigns the output of the hash function to the starting point i of the stream cipher algorithm HC-256'.
M14. The sending end generates the first key stream from the first starting point and its password table.
In the present embodiment, the first key stream $s^{1}$ is generated by iterating the HC-256' algorithm over the password tables, with the starting point of the HC-256' algorithm given by the first starting point. In other embodiments, the HC-128' algorithm can also be iterated to generate the first key stream.
The first key stream is

$$s^{1} = s_{2i}^{(1,i)} \,\|\, s_{2i+1}^{(1,i)} \,\|\, s_{2(i+1)}^{(1,i)} \,\|\, s_{2(i+1)+1}^{(1,i)} \,\|\, \cdots \,\|\, s_{2(i+n)}^{(1,i)} \,\|\, s_{2(i+n)+1}^{(1,i)} \,\|\, \cdots$$

where $\|$ denotes concatenation and the terms indexed by $n$ are the output key of step $n$ with starting point $i$.
In one embodiment, the step-$n$ output key is computed as:

$$j = (i+n) \bmod 1024$$
$$P[j] = P[j] + P[j-10] + g_1(P[j-3], P[j-1023]) \tag{1}$$
$$s_{2(i+n)}^{(1,i)} = h_1(P[j-12]) \oplus P[j]$$
$$Q[j] = Q[j] + Q[j-10] + g_2(Q[j-3], Q[j-1023]) \tag{2}$$
$$s_{2(i+n)+1}^{(1,i)} = h_2(Q[j-12]) \oplus Q[j]$$
$$n = n + 1$$

Here $g_1(\cdot)$, $g_2(\cdot)$, $h_1(\cdot)$ and $h_2(\cdot)$ are functions predefined in the HC-256' algorithm, $\oplus$ is bitwise XOR, and the operator "-" denotes subtraction modulo 1024. Formulas (1) and (2) show that the password tables P and Q are updated automatically as the key stream is generated.
It is readily understood that the length (number of bits) of the first key stream $s^{1}$ can be unbounded; in the present embodiment, the number of bits in the packet's plaintext payload determines where the first key stream ends.
M15. Use the first key stream to encrypt the raw data packet, obtaining the encrypted packet.
After generating the first key stream $s^{1}$, the sending end encrypts by taking the bitwise XOR of the session plaintext payload in the raw data packet with the generated first key stream $s^{1}$.
M16. Obtain the encrypted packet to be sent.
After encrypting the raw data packet in step M15, the sending end has the encrypted packet to be sent. The encrypted packet can then be buffered or processed further, or sent directly to the receiving end over the network.
In another specific embodiment, the encryption method further comprises the following step:
M17. The sending end performs the first update on its password table.
Formulas (1) and (2) show that, after the sending end has generated a section of key with the HC-256' algorithm, the elements of password tables P and Q have all been updated automatically. This specification calls this the first update.
It is readily understood that, when the sending end next obtains a raw data packet, it uses the password table after the first update to generate the key stream that encrypts the packet.
Updating password tables P and Q after each section of key stream is generated avoids using the same password table every time, which improves the security and reliability of the encryption.
When the receiving end receives speech data, the decryption method is as shown in Fig. 1-b. The specific steps are:
M21. The receiving end receives the encrypted packet.
After the sending end has sent the encrypted packet, the receiving end can receive it. Note that in the present embodiment the sending end encrypts only the plaintext payload of the packet, so the header information of the encrypted packet is the same as the header information of the corresponding original packet.
M22. The receiving end extracts the sequence number and timestamp fields from the header information of the encrypted packet.
Likewise, the encrypted packet carries header information such as the sequence number and timestamp, and the receiving end extracts the packet's sequence number and timestamp fields from the header information.
M23. Generate the second starting point.
The receiving end uses the same algorithm as in step M13 to generate the second starting point of the stream cipher from the extracted sequence number and timestamp.
As the analysis in M21 shows, the header information is identical, so the second starting point is identical to the first starting point.
M24. The receiving end generates the second key stream from the second starting point and its password table.
The receiving end generates the second key stream with the same HC-256' algorithm as the sending end. Because the second starting point is identical to the first starting point, and the sending end and receiving end use the same password tables P and Q, the receiving end's second key stream is identical to the sending end's first key stream.
M25. Use the second key stream to decrypt the encrypted packet.
In the present embodiment, the plaintext of the raw data packet was encrypted by bitwise XOR with the first key stream, and the second key stream is identical to the first key stream. The receiving end therefore only needs to XOR the ciphertext of the encrypted packet with the second key stream to decrypt the packet.
M26. Obtain the raw data packet.
After the decryption in M25, the receiving end has the plaintext of the raw data packet.
It is readily understood that the payload sent by the sending end is generally an encoded digital signal, so the plaintext obtained by the receiving end is also a digital signal. To obtain the voice signal, the receiving end generally decodes the decrypted plaintext and restores the voice signal from it. In other embodiments, if the transmitted data is video and/or images, it is restored to a video and/or image signal.
Note that restoring the original voice, video and/or image signal is not part of the technical solution of the invention; it is described only so that those skilled in the art can better understand the technical solution.
In another specific embodiment, the decryption method further comprises the following step:
M27. The receiving end performs the second update on its password table.
The principle is the same as in step M17: after generating the second key stream, the receiving end has also updated the elements of password tables P and Q automatically through formulas (1) and (2), and the updated password tables P and Q are consistent with the password tables P and Q after the first update. This specification calls the receiving end's update of its password tables P and Q after generating the second key stream the second update.
Similarly, when the receiving end next obtains an encrypted packet, it uses the password table after the second update to generate the key stream that decrypts the packet.
The embodiments provided by this application make full use of the sequence number and timestamp in the packet header to encrypt packets online. The embodiments not only avoid increasing network traffic but also keep the key stream continuously updated, which prevents leakage of the voice plaintext more reliably and improves the security of the communication between the two parties.
Embodiment 2:
Because of unavoidable factors such as network conditions, some packets will inevitably fail to reach the receiving end during communication; this application calls this packet loss. Packet loss not only loses the data in the lost packets but also causes the second update to no longer match the first update. This is because the sending end's password table is updated every time a packet is encrypted, so subsequent decryption no longer matches the sending end's encryption and the rest of the communication goes wrong.
The method of this embodiment effectively synchronizes the second update when packet loss occurs. Referring to Fig. 2, this embodiment differs from Embodiment 1 in that, in the receiving end's decryption flow, after receiving an encrypted packet the receiving end also carries out the packet loss synchronization flow M20, which comprises the following steps:
M202. Packet loss judgment.
After receiving an encrypted packet, the receiving end records the sequence number of the latest encrypted packet, extracted in step M22, as m, and takes the difference between m and the sequence number n of the previously received encrypted packet. If m-n>1, packets were lost in the network before the latest packet arrived, so the receiving end needs to perform the key synchronization operation and carries out step M204. If m-n=1, no packet was lost, and step M23 is carried out to generate the second starting point. That is, if the M202 judgment finds no packet loss, the receiving end can generate the key stream directly from the sequence number and timestamp of the latest packet and its own password table, and decrypt the latest packet.
M204. Synchronize the password table.
If the M202 judgment finds packet loss, the receiving end must first synchronize its password table. The synchronization is carried out as follows:
From the sequence number and timestamp in the header information of the latest received packet, the receiving end calculates the sequence numbers and timestamps of all lost packets, and performs the second password table update operation for each lost packet, so that the result finally matches the first update.
Suppose the number of lost packets is lost. According to formulas (1) and (2), lost rounds of update operations are performed on the receiving end's password tables P and Q. For any one round, suppose the key generation starting point obtained by hashing the sequence number and timestamp fields of that lost packet is i'; the following computation is then repeated until the number of iterations reaches the length of the packet:
j = i′ mod 1024;
P[j] = P[j] + P[j-10] + g_1(P[j-3], P[j-1023]);
Q[j] = Q[j] + Q[j-10] + g_2(Q[j-3], Q[j-1023]);
i′ = i′ + 1;
After the lost rounds of update have been executed, the number of updates applied to the receiving terminal's password table is exactly the same as the number applied to the transmitting terminal's password table. The resulting password table also fully matches the password table the transmitting terminal used when sending the latest packet, which effectively prevents a mismatch between the receiving terminal's and the transmitting terminal's password tables and achieves key synchronization between the encrypting and decrypting sides. The latest packet is then decrypted with the key stream generated from the resulting password table and the sequence number and timestamp of the latest packet.
After step M202 is completed, step M203 is executed regardless of the judgment result.
M203. Store sequence number n.
It should be noted that, regardless of the result of the M202 packet loss judgment, the sequence number m of the latest encrypted packet is assigned to n after the judgment, ready for the next packet loss judgment.
In other embodiments, the packet-loss synchronization flow M20 may instead sit between step M23 "generate the second starting point" and step M24 "generate the second key stream". That is, after generating the second starting point from the sequence number and timestamp of the latest received packet, the receiving terminal judges whether packets were lost. If packets were lost, it synchronizes the password table and then generates the second key stream from the synchronized password table and the second starting point; if not, it generates the second key stream from the password table of the second update and the second starting point.
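The packet-loss synchronization of steps M202 to M204, as an added Python sketch that is not code from the patent: a sender encrypts five constructed packets, two are dropped, and the receiver replays the table update for each lost packet before decrypting the next one. The functions g1 and g2, the table setup, the key-stream output and the SHA-256 start-point hash are placeholders, because the page defines its own versions outside this section; a fixed 160-byte payload and a timestamp step of 160 are assumed so the receiver can reconstruct the headers of lost packets.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF
TABLE = 1024          # table length used by "j = i' mod 1024"
TS_STEP = 160         # assumption: timestamp advances 160 per packet (PCMA, 20 ms)
PAYLOAD_LEN = 160     # assumption: every payload, lost ones included, is 160 bytes


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def g1(x, y, Q):      # placeholder for the page's g_1 (defined outside this section)
    return ((rotr(x, 10) ^ rotr(y, 23)) + Q[(x ^ y) % TABLE]) & MASK


def g2(x, y, P):      # placeholder for the page's g_2
    return ((rotr(x, 10) ^ rotr(y, 23)) + P[(x ^ y) % TABLE]) & MASK


def make_tables(sk, iv):
    """Placeholder table setup: expand SK and IV into two 1024-word tables."""
    raw = hashlib.shake_256(sk + iv).digest(2 * TABLE * 4)
    words = [int.from_bytes(raw[i:i + 4], "big") for i in range(0, len(raw), 4)]
    return words[:TABLE], words[TABLE:]


def start_point(seq, ts):
    """Key-stream starting point: hash of sequence number and timestamp."""
    digest = hashlib.sha256(struct.pack(">HI", seq, ts)).digest()
    return int.from_bytes(digest[:4], "big")


class Endpoint:
    def __init__(self, sk, iv, resync=True):
        self.P, self.Q = make_tables(sk, iv)
        self.last_seq = None      # n: sequence number of the previous packet
        self.resync = resync

    def _update(self, start, length):
        """One update round, run once per packet (sent, received or lost)."""
        P, Q, i = self.P, self.Q, start
        for _ in range(length):
            j = i % TABLE
            P[j] = (P[j] + P[(j - 10) % TABLE]
                    + g1(P[(j - 3) % TABLE], P[(j - 1023) % TABLE], Q)) & MASK
            Q[j] = (Q[j] + Q[(j - 10) % TABLE]
                    + g2(Q[(j - 3) % TABLE], Q[(j - 1023) % TABLE], P)) & MASK
            i += 1

    def _keystream(self, start, length):
        """Placeholder key stream that depends on the start point and both tables."""
        h = hashlib.shake_256(start.to_bytes(4, "big"))
        for table in (self.P, self.Q):
            h.update(b"".join(w.to_bytes(4, "big") for w in table))
        return h.digest(length)

    def _crypt(self, seq, ts, data):
        start = start_point(seq, ts)
        out = bytes(a ^ b for a, b in zip(data, self._keystream(start, len(data))))
        self._update(start, len(data))          # first / second update
        return out

    def encrypt(self, seq, ts, payload):
        return self._crypt(seq, ts, payload)

    def decrypt(self, seq, ts, payload):
        # M202: compare m (this packet) with n (previous packet). The first
        # packet received is the baseline; wraparound and reordering are not
        # handled in this sketch.
        if self.resync and self.last_seq is not None and seq - self.last_seq > 1:
            lost = seq - self.last_seq - 1
            # M204: replay the update for each lost packet, oldest first.
            for k in range(lost, 0, -1):
                self._update(start_point(seq - k, ts - k * TS_STEP), PAYLOAD_LEN)
        self.last_seq = seq                     # M203: store m as the new n
        return self._crypt(seq, ts, payload)


def demo(resync=True):
    """Send five constructed packets, drop two, report what the receiver recovers."""
    sk, iv = b"constructed-session-key", b"constructed-iv"
    tx, rx = Endpoint(sk, iv), Endpoint(sk, iv, resync=resync)
    ok = {}
    for k in range(5):
        seq, ts = 100 + k, 8000 + k * TS_STEP
        plain = bytes([0x40 + k]) * PAYLOAD_LEN
        cipher = tx.encrypt(seq, ts, plain)
        if seq in (102, 103):                   # constructed loss on the network
            continue
        ok[seq] = rx.decrypt(seq, ts, cipher) == plain
    return ok, (rx.P, rx.Q) == (tx.P, tx.Q)


if __name__ == "__main__":
    print(demo(resync=True))
    print(demo(resync=False))
```

With resync disabled, packet 104 no longer decrypts and the two sides' tables stay apart for the rest of the session, which is the failure Embodiment 2 is written to prevent.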
Embodiment 3:
For an embodiment of an encryption/decryption terminal of the present invention suitable for VoIP media transmission, refer to Fig. 3. The terminal of this embodiment can be used to carry out the encryption and decryption methods of the embodiments above. Its structure comprises:
Key and initial vector acquiring unit 301, for determining the session key SK and random initial vector IV that the two communicating parties use in common when the session is initiated;
Password table generation unit 302, for generating password tables P and Q from the session key SK and random initial vector IV;
Packet acquiring unit 311, for obtaining a raw data packet, where a raw data packet is an unencrypted packet;
Starting point extraction unit 312, for extracting the first initial point from header information of the raw data packet such as its sequence number and timestamp; for the extraction method, see Embodiment 1;
First key stream generation unit 313, for generating the first key stream from the password table and the first initial point;
Ciphering unit 314, for encrypting the raw data packet with the generated first key stream to obtain the encrypted packet to be sent;
Transmitting unit 300, for sending the encrypted packet;
Packet receiving unit 321, for receiving encrypted packets sent by other terminals;
Starting point extraction unit 322, for generating the second starting point from header information of the encrypted packet such as its sequence number and timestamp;
Second key stream generation unit 323, for generating the second key stream from the second starting point and its password table;
Decryption unit 324, for decrypting the encrypted packet with the generated second key stream to obtain the plaintext.
Further, the encryption/decryption terminal of this embodiment also comprises:
First updating unit 315, for performing the first update on its password table after the first key stream has been generated from the first initial point and its password table;
Second updating unit 325, for performing the second update on its password table after the second key stream has been generated from the second starting point and its password table.
To prevent the errors in subsequent communication caused by mismatched password-table updates when packet loss occurs, the encryption/decryption terminal of this embodiment also comprises:
Judging unit 326, for comparing, after the latest encrypted packet is received, the sequence number of the latest encrypted packet with the sequence number of the previously received encrypted packet, and judging whether their difference is greater than 1. If the difference is greater than 1, network packet loss has occurred and the password table must be synchronized; if the difference equals 1, no packet was lost, and the second updating unit 325 performs the second update on its password table.
Synchronization unit 327, for synchronizing its password table when the difference is greater than 1, that is, when packet loss has occurred.
Embodiment 4:
The method proposed in this application is applicable to communication systems that transmit data in packets, such as VoIP systems built on sipX, ReSIProcate, Newfies-Dialer, oSIP, Asterisk and the like. The invention is further described below using as an example a secure SIP-based VoIP voice communication system built on the libosip2 protocol stack and the mediastreamer2 library; in other embodiments the communication system may instead carry video, images and/or text.
This embodiment builds a secure SIP-based VoIP voice communication system on the libosip2 protocol stack and the mediastreamer2 library. In this embodiment the VoIP terminal is developed on the libosip2 library, and the SIP server is the open-source software partysip.
The transmitting terminal adds a custom encryption plug-in to the mediastreamer2 library, and this plug-in generates the key stream; the receiving terminal likewise adds a decryption plug-in to the mediastreamer2 library to generate the key stream that matches the transmitting terminal's.
Before setting up voice communication, the two parties must go through a SIP-based session setup stage to negotiate the parameters of the call. In the system of this embodiment, the sender carries the key negotiation parameter and the initial vector in the param field of the SDP message body of the INVITE message, and the recipient carries the key negotiation parameter in the param field of the SDP message body of the 200 OK message. After the session setup stage, both parties hold the same session key SK and the same password tables P and Q for the HC-256′ algorithm.
For the communication process after the session setup stage, refer to Fig. 4. The transmitting terminal collects the user's speech with microphone 401 and uses PCMA encoder 402 to convert the analog voice signal into a digital signal. The encryption plug-in 403 of the transmitting terminal generates a segment of key stream from the first initial point and password tables P and Q, and XORs the packet payload with the generated key stream to obtain the encrypted packet; the transmitting terminal's password tables P and Q undergo one round of update after the encryption key stream has been generated. The encrypted packet then goes through operations such as IP encapsulation and is sent over IP packet network 404. After receiving the encrypted packet, the receiving terminal uses its decryption plug-in 405 to generate a segment of key stream from the second starting point and password tables P and Q, and XORs the encrypted packet payload with this key stream to obtain the plaintext; the receiving terminal's password tables P and Q undergo one round of update after the decryption key stream has been generated. The plaintext obtained by decryption is then decoded by encoder 406 and played as voice through loudspeaker 407.
The above is a further detailed description of the present invention in conjunction with specific embodiments, and the specific implementation of the invention should not be regarded as limited to these descriptions. Those of ordinary skill in the art to which the invention belongs may make some simple deductions or substitutions without departing from the inventive concept.

Claims (11)

1. A method for encrypting and decrypting data packets based on network transmission, characterized by comprising:
the two communicating parties determining, when the session is initiated, the session key and random initial vector that they use in common;
each communicating party establishing its own password table from the session key and random initial vector;
the transmitting terminal obtaining a raw data packet, the raw data packet being an unencrypted packet;
the transmitting terminal generating the first initial point from the header information of the raw data packet, generating the first key stream from the first initial point and its password table, and encrypting the raw data packet with the first key stream to obtain the encrypted packet to be sent;
the receiving terminal, after receiving the encrypted packet, generating the second starting point from the header information of the encrypted packet, generating the second key stream from the second starting point and its password table, and decrypting the encrypted packet with the second key stream to obtain the plaintext.
2. The method of claim 1, characterized in that, after the transmitting terminal generates the first key stream from the first initial point and its password table, it performs the first update on its password table;
after the receiving terminal generates the second key stream from the second starting point and its password table, it performs the second update on its password table.
3. The method of claim 2, characterized in that, after receiving the latest encrypted packet and before generating the second key stream, the receiving terminal also compares the sequence number of the latest encrypted packet with the sequence number of the previously received encrypted packet; if their difference is greater than 1, it synchronizes its password table; if the difference equals 1, the receiving terminal performs the second update on its second password table.
4. The method of claim 3, characterized in that the synchronization comprises: calculating the header information of all lost packets from the sequence number and timestamp fields of the latest encrypted packet, and then, in chronological order, performing the second update on the password table for each lost packet.
5. The method of claim 2, characterized in that the first update and the second update are the same processing procedure.
6. The method of any one of claims 1 to 5, characterized in that the password tables the two communicating parties establish from the session key and random initial vector are identical, the header information is the sequence number and timestamp of the packet, and the first initial point and the second starting point are each obtained by applying a hash function to the sequence number and timestamp of the respective packet.
7. A terminal for encrypting and decrypting data packets based on network transmission, characterized by comprising:
a key and initial vector acquiring unit (301), for determining the session key and random initial vector that the two communicating parties use in common when the session is initiated;
a password table generation unit (302), for generating the password table from the session key and random initial vector;
a packet acquiring unit (311), for obtaining a raw data packet, the raw data packet being an unencrypted packet;
a first initial point generation unit (312), for generating the first initial point from the header information of the raw data packet;
a first key stream generation unit (313), for generating the first key stream from the password table and the first initial point;
a ciphering unit (314), for encrypting the raw data packet with the generated first key stream to obtain the encrypted packet to be sent;
a second starting point generation unit (322), for generating the second starting point from the header information of the received encrypted packet;
a second key stream generation unit (323), for generating the second key stream from the second starting point and its password table;
a decryption unit (324), for decrypting the encrypted packet with the generated second key stream to obtain the plaintext.
8. The terminal of claim 7, characterized in that
the first initial point generation unit (312) applies a hash function to the header information of the raw data packet to generate the first initial point;
the second starting point generation unit (322) applies a hash function to the header information of the encrypted packet to generate the second starting point;
the header information is the sequence number and timestamp of the packet.
9. The terminal of claim 7 or 8, characterized by further comprising:
a first updating unit (315), for performing the first update on its password table after the first key stream has been generated from the first initial point and its password table;
a second updating unit (325), for performing the second update on its password table after the second key stream has been generated from the second starting point and its password table.
10. The terminal of claim 9, characterized by further comprising:
a judging unit (326), for comparing, after the latest encrypted packet is received and before the second key stream is generated, the sequence number of the latest encrypted packet with the sequence number of the previously received encrypted packet, and judging whether their difference is greater than 1;
a synchronization unit (327), for synchronizing its password table when the difference is greater than 1;
the second updating unit (325) performing the second update on its password table when the difference equals 1.
11. The terminal of claim 10, characterized in that the synchronization unit (327) calculates the header information of all lost packets from the sequence number of the latest encrypted packet, and then, in chronological order, performs the second update on the password table for each lost packet.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310688322.5A CN103684787B (en) 2013-12-13 2013-12-13 The encrypting and decrypting method and terminal of packet based on network transmission

Publications (2)

Publication Number Publication Date
CN103684787A true CN103684787A (en) 2014-03-26
CN103684787B CN103684787B (en) 2018-01-16

Family

ID=50321181


Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant