CN104683304A - Processing method, equipment and system of secure communication service - Google Patents
- Publication number
- CN104683304A (application CN201310631793.2A)
- Authority
- CN
- China
- Prior art keywords
- session key
- terminal device
- key
- encrypted
- kmc
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
Abstract
The invention discloses a method, a device and a system for processing a secure communication service. An encryption application server and a key management center are introduced into an IMS (IP Multimedia Subsystem) network. When the encryption application server receives a secure communication service establishment request message transmitted by a first terminal device, it transmits a session key request message to the key management center, receives the encrypted session key returned by the key management center, and transmits the encrypted session key to the first terminal device. Because the encryption application server lets the operator provide secure communication to users as a service, and because the encryption application server acquires the encrypted session key from the key management center and issues it to the terminal device, the operator's control over secure communication is increased and the processing efficiency of the system is improved; the introduced key management center lets the user manage the whole life cycle of the key, which increases the security of the secure communication service between users.
Description
Technical Field
The present invention relates to the field of wireless communication technologies and security technologies, and in particular, to a method, a device, and a system for processing a secure communication service in an IMS (IP Multimedia Subsystem) service system.
Background
In order to provide end-to-end encryption protection for user service information carried on the IMS (IP Multimedia Subsystem) media plane, 3GPP (3rd Generation Partnership Project, the third generation mobile communication standardization organization) proposes two relatively independent media plane key management schemes in TS 33.328 for negotiating a media plane session key. The negotiated session key is used to establish a security association between a calling terminal and a called terminal, or between a terminal and the IMS network, and the user media plane information is protected with SRTP (Secure Real-time Transport Protocol) or IPsec (Internet Protocol Security).
The two schemes proposed in TS 33.328 are SDES (Session Description Protocol Security Descriptions for Media Streams) and KMS (Key Management Service).
First, a key management scheme based on SDES.
Specifically, SDES is a simple key management protocol designed for protecting media streams. It adds a cryptographic attribute to the existing SDP (Session Description Protocol) to carry the session keys and parameter information generated by a terminal, completing the security parameter configuration of unicast media stream data.
When SDES is applied in the IMS system, the session keys for media stream encryption generated by terminal device A and terminal device B, respectively, are exchanged during SIP (Session Initiation Protocol) session establishment.
Fig. 1 is a schematic diagram of the work flow of SDES key management. On the one hand, when the SIP session is established, terminal device A writes a session key K1, used for encrypting the media stream sent by terminal device A to terminal device B, into an SDP cryptographic attribute, and sends the session key K1 to terminal device B carried in a signaling plane SIP message.
On the other hand, after receiving the SIP message sent by terminal device A, terminal device B stores the key K1, and sends a session key K2, used for encrypting the media stream that terminal device B sends to terminal device A, to terminal device A via a SIP response message.
After terminal device A receives and stores the key K2, both terminal device A and terminal device B hold the session key K1 and the session key K2.
After that, terminal device A and terminal device B perform encryption and decryption operations on the media stream carried by the SRTP protocol by using the session key K1 and the session key K2, respectively, so as to secure the user data.
However, in the SDES scheme, the session key is transmitted through the signaling plane SIP message, and the security of the session key completely depends on the security of the SIP signaling.
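The dependency described above can be checked directly on captured signaling. The following is an added example, not part of the patent text: it parses an SDP body for SDES `a=crypto` attributes (layout per RFC 4568) and reports every media stream whose SRTP master key travels inline in the signaling. The sample offer, the key value and all function names are constructed for illustration.

```python
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List

# RFC 4568 layout:
#   a=crypto:<tag> <crypto-suite> inline:<base64(key||salt)>[|lifetime][|MKI:len]
CRYPTO_LINE = re.compile(
    r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/]+={0,2})"
)


@dataclass
class InlineKeyFinding:
    media: str           # media section the key belongs to (audio, video, ...)
    tag: int             # crypto attribute tag
    suite: str           # negotiated SRTP crypto suite
    key_salt_bytes: int  # length of the decoded master key || salt
    fingerprint: str     # truncated SHA-256, so the report never repeats the key


def find_inline_keys(sdp: str) -> List[InlineKeyFinding]:
    """Return one finding per a=crypto line that carries an inline key."""
    findings = []
    media = "session"  # attributes before the first m= line are session level
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            media = line[2:].split()[0]
            continue
        match = CRYPTO_LINE.match(line)
        if match is None:
            continue
        raw = base64.b64decode(match.group(3))
        findings.append(
            InlineKeyFinding(
                media=media,
                tag=int(match.group(1)),
                suite=match.group(2),
                key_salt_bytes=len(raw),
                fingerprint=hashlib.sha256(raw).hexdigest()[:16],
            )
        )
    return findings


def build_sample_offer() -> str:
    """Constructed SDP offer; the 30-byte key||salt is bytes 0..29, not a real key."""
    key_salt = base64.b64encode(bytes(range(30))).decode()
    return "\r\n".join(
        [
            "v=0",
            "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
            "s=-",
            "c=IN IP4 192.0.2.10",
            "t=0 0",
            "m=audio 49170 RTP/SAVP 0",
            "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + key_salt + "|2^20|1:4",
        ]
    ) + "\r\n"


if __name__ == "__main__":
    for finding in find_inline_keys(build_sample_offer()):
        print(finding)
```

Any finding means that every element able to read that SIP message also holds the media key, which is the condition the following paragraphs examine.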
Two common security mechanisms for SIP signaling are:
One is the IMS network domain security mechanism, which relies entirely on the security of the IMS network domain to protect SIP signaling in transit. However, the IMS network usually encrypts SIP signaling only between the terminal device and the SBC (Session Border Controller), that is, on the access link of the terminal device, and transmits SIP signaling in plaintext inside the IMS core network. An attacker can exploit this plaintext transmission to obtain the session key contained in the SIP signaling and monitor the media plane information between the terminal devices, which reduces the security of communication between users.
The other is based on S/MIME (Secure Multipurpose Internet Mail Extensions), that is, S/MIME is used to encrypt, end to end, the content of the SDP (Session Description Protocol) message carried in the SIP signaling. When the terminal devices have no preset shared key, a public key certificate system is used: before sending the session key, the terminal device obtains the public key of the peer from the public key certificate system and then uses it to encrypt the content of the SIP signaling for transmission. This approach separates key management completely from session management: the operator cannot control the key management, which bypasses the operator in terms of security, so the approach cannot meet the operator's need to offer secure communication services, and its practical application is limited.
Second, a key management scheme based on KMS.
Specifically, the KMS entity authenticates the calling and called terminals based on a GBA (Generic Bootstrapping Architecture) mechanism, and transmits the generated session key to the calling and called terminals through a secure channel established after successful authentication. Fig. 2 is a schematic flow chart of KMS key management.
Based on GBA, the KMS can use the unified authentication capability that the operator provides for upper-layer application services to establish security associations with the calling terminal and the called terminal, and to encrypt the transmission of information such as the session key.
However, the BSF (Bootstrapping Server Function), the core entity of GBA authentication, is managed and maintained by the operator and is responsible for generating and maintaining the session key between the KMS and the terminal device. The operator is therefore actually responsible for establishing the secure key transmission channel, and the security of the session key transmission required by the terminal device depends on the operator. Thus, the KMS key management scheme cannot meet the terminal device's high security level requirement for key management, and is not suitable for an operator to offer secure communication services.
Therefore, the current end-to-end encryption protection of user service information carried on the media plane in the IMS network cannot meet the respective requirements of users and operators, and suffers from low security.
Disclosure of Invention
The embodiment of the invention provides a method, equipment and a system for processing a confidential communication service, which are used for solving the problems that the respective requirements of a user and an operator cannot be met and the data transmission security of a media plane is lower in the existing end-to-end encryption protection mode of user service information carried and transmitted by the media plane in an IMS network.
A method of processing a secure communication service, comprising:
an Encryption Application Server (EAS) receives a secret communication service establishment request message sent by a first terminal device, wherein the secret communication service establishment request message is used for representing that secret communication service needs to be established between the first terminal device and a second terminal device, and the secret communication service establishment request message contains parameter information used for acquiring a session key;
the EAS carries the parameter information for acquiring the session key in a session key request message and sends the session key request message to a Key Management Center (KMC) to which the first terminal device and the second terminal device belong, wherein the session key request message is used for representing and requesting the KMC to generate the session key for a secret communication service to be established between the first terminal device and the second terminal device;
and the EAS receives the encrypted session key returned by the KMC and sends the encrypted session key to the first terminal device, so that the first terminal device can realize the secret communication with the second terminal device by using the session key, wherein the encrypted session key is obtained by encrypting the generated session key by the KMC according to the parameter information for acquiring the session key.
The parameter information for acquiring the session key includes the identification information of the first terminal device and the identification information of the second terminal device;
before the EAS carries the parameter information for acquiring the session key in a session key request message and sends the session key request message to the key management center KMC to which the first terminal device and the second terminal device belong, the method further includes:
and the EAS determines a key management center KMC to which the first terminal equipment and the second terminal equipment belong according to the identification information of the first terminal equipment and the identification information of the second terminal equipment.
The method further comprises the following steps:
and the EAS sends the encrypted session key to the second terminal equipment, so that the second terminal equipment can realize the secret communication with the first terminal equipment by using the session key.
The EAS sending the encrypted session key to the first terminal device and/or the second terminal device, including:
and the EAS sends the encrypted session key to the first terminal equipment and/or the second terminal equipment through IMS network signaling.
The encrypted session key comprises a session key encrypted by using a first protection key and a session key encrypted by using a second protection key;
the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for acquiring the session key, and includes:
the KMC determines a first protection key generated when the first terminal device corresponding to the identification information of the first terminal device logs in the KMC according to the identification information of the first terminal device contained in the parameter information for acquiring the session key, and performs encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
and determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key, and performing encryption operation on the generated session key by using the second protection key to obtain the session key encrypted by using the second protection key.
A method of processing a secure communication service, comprising:
a first terminal device sends a request message for establishing a secure communication service to an Encryption Application Server (EAS), wherein the request message for establishing the secure communication service is used for representing that the secure communication service needs to be established between the first terminal device and a second terminal device, and the request message for establishing the secure communication service contains parameter information for acquiring a session key;
the first terminal device receives an encrypted session key sent by the EAS, wherein the encrypted session key is obtained by carrying parameter information for acquiring the session key in a session key request message by the EAS and sending the session key request message to a key management center KMC to which the first terminal device and the second terminal device belong, and the KMC encrypts the generated session key according to the parameter information for acquiring the session key, and the session key request message is used for representing and requesting the KMC to generate the session key for a secret communication service required to be established between the first terminal device and the second terminal device.
The method further comprises the following steps:
and when receiving the encrypted session key sent by the EAS, the first terminal equipment sends the encrypted session key to the second terminal equipment.
The sending, by the first terminal device, the encrypted session key to the second terminal device includes:
the first terminal equipment sends the encrypted session key to the second terminal equipment through IMS network signaling;
or,
and the first terminal equipment sends the encrypted session key to the second terminal equipment through the established media surface data transmission channel with the second terminal equipment.
The method further comprises the following steps:
when the first terminal device receives the encrypted session key sent by the EAS, it decrypts the encrypted session key by using a first protection key generated when the first terminal device logs in to the KMC, to obtain the session key generated by the KMC for the secure communication service between the first terminal device and the second terminal device.
A method of processing a secure communication service, comprising:
a Key Management Center (KMC) receives a session key request message sent by an Encryption Application Server (EAS), wherein the session key request message is used for representing that the KMC is requested to generate a session key for a secure communication service needing to be established between a first terminal device and a second terminal device, the session key request message comprises parameter information used for acquiring the session key, and the parameter information used for acquiring the session key is carried in the secure communication service establishment request message which is sent by the first terminal device, received by the EAS, and used for representing that the secure communication service needs to be established between the first terminal device and the second terminal device; and
the KMC returns an encrypted session key to the EAS, so that the EAS can send the encrypted session key to the first terminal device, and the first terminal device can realize secure communication with the second terminal device by using the session key, wherein the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for obtaining the session key.
The parameter information for acquiring the session key comprises the identification information of the first terminal device and the identification information of the second terminal device;
the KMC returns an encrypted session key to the EAS, including:
the KMC generates a session key required for executing a secure communication service between the first terminal equipment and the second terminal equipment;
the KMC determines a first protection key generated when the first terminal equipment corresponding to the identification information of the first terminal equipment logs in the KMC according to the identification information of the first terminal equipment contained in the parameter information for acquiring the session key, and performs encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key; performing encryption operation on the generated session key by using the second protection key to obtain a session key encrypted by using the second protection key;
and the KMC sends the session key encrypted by the first protection key and the session key encrypted by the second protection key to the EAS through a key response message as encrypted session keys.
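The three methods above (terminal, EAS, KMC) form one exchange. The following is an added sketch of it, not code from the patent, showing that the EAS only relays blobs it cannot open. The patent names no algorithm for the "encryption operation", so the wrap here is an illustrative encrypt-then-MAC built from HMAC-SHA256 in the standard library, standing in for a vetted AEAD or key-wrap mode. Binding the wrap to both terminal identities, selecting the KMC by identity domain, and all class and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(
        _prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range(blocks)
    )[:n]


def _tag(key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    return _prf(key, b"mac", nonce + len(aad).to_bytes(2, "big") + aad + ct)


def wrap(protection_key: bytes, session_key: bytes, aad: bytes) -> bytes:
    """Encrypt-then-MAC the session key under one terminal's protection key."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(protection_key, nonce, len(session_key))
    ct = bytes(a ^ b for a, b in zip(session_key, stream))
    return nonce + ct + _tag(protection_key, nonce, aad, ct)


def unwrap(protection_key: bytes, blob: bytes, aad: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("wrapped session key is truncated")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(protection_key, nonce, aad, ct)):
        raise ValueError("wrapped session key failed integrity check")
    stream = _keystream(protection_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def binding(first_id: str, second_id: str) -> bytes:
    # Assumption: the wrap is bound to the pair of identities in the request.
    return f"{first_id}|{second_id}".encode()


class KMC:
    def __init__(self):
        self._protection_keys = {}  # terminal id -> key created at login

    def login(self, terminal_id: str) -> bytes:
        # The login procedure itself is outside this sketch; the key is
        # simply handed back as if over the login channel.
        key = secrets.token_bytes(32)
        self._protection_keys[terminal_id] = key
        return key

    def handle_session_key_request(self, first_id: str, second_id: str) -> dict:
        pk1 = self._protection_keys[first_id]   # KeyError: terminal never logged in
        pk2 = self._protection_keys[second_id]
        session_key = secrets.token_bytes(32)
        aad = binding(first_id, second_id)
        return {"for_first": wrap(pk1, session_key, aad),
                "for_second": wrap(pk2, session_key, aad)}


class EAS:
    def __init__(self, kmc_by_domain: dict):
        self._kmc_by_domain = kmc_by_domain

    def handle_establishment_request(self, first_id: str, second_id: str) -> dict:
        d1, d2 = first_id.rpartition("@")[2], second_id.rpartition("@")[2]
        if d1 != d2 or d1 not in self._kmc_by_domain:
            raise LookupError("no common KMC for these terminals")
        # The EAS holds no protection key: it forwards the request and relays
        # the two opaque blobs from the key response message.
        return self._kmc_by_domain[d1].handle_session_key_request(first_id, second_id)


class Terminal:
    def __init__(self, terminal_id: str, kmc: KMC):
        self.id = terminal_id
        self._protection_key = kmc.login(terminal_id)

    def recover_session_key(self, blob: bytes, first_id: str, second_id: str) -> bytes:
        return unwrap(self._protection_key, blob, binding(first_id, second_id))


def run_exchange():
    """Constructed identities; returns both recovered keys and what the EAS relayed."""
    kmc = KMC()
    eas = EAS({"ims.example": kmc})
    alice, bob = Terminal("alice@ims.example", kmc), Terminal("bob@ims.example", kmc)
    relayed = eas.handle_establishment_request(alice.id, bob.id)
    key_a = alice.recover_session_key(relayed["for_first"], alice.id, bob.id)
    key_b = bob.recover_session_key(relayed["for_second"], alice.id, bob.id)
    return key_a, key_b, relayed


if __name__ == "__main__":
    key_a, key_b, _ = run_exchange()
    print("terminals agree on session key:", key_a == key_b)
```

Because the KMC both generates the session key and holds every protection key, it stays inside the trust boundary, while the EAS and the IMS signaling path stay outside it.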
An encryption application server for a secure communication service, comprising:
a receiving module, configured to receive a request message for establishing a secure communication service sent by a first terminal device, where the request message for establishing the secure communication service is used to characterize that a secure communication service needs to be established between the first terminal device and a second terminal device, and the request message for establishing the secure communication service includes parameter information used to obtain a session key;
a sending module, configured to carry the parameter information for obtaining the session key in a session key request message and send the session key request message to a key management center KMC to which the first terminal device and the second terminal device belong, where the session key request message is used to characterize and request the KMC to generate a session key for a secure communication service that needs to be established between the first terminal device and the second terminal device;
and the processing module is configured to receive the encrypted session key returned by the KMC, and send the encrypted session key to the first terminal device, so that the first terminal device can implement secure communication with the second terminal device by using the session key, where the encrypted session key is obtained by encrypting, by the KMC, the generated session key according to the parameter information for obtaining the session key.
The parameter information for acquiring the session key includes the identification information of the first terminal device and the identification information of the second terminal device;
the encryption application server further comprises:
a determining module, configured to determine, before the parameter information for acquiring the session key is carried in a session key request message and sent to the key management center KMC to which the first terminal device and the second terminal device belong, the key management center KMC to which the first terminal device and the second terminal device belong according to the identification information of the first terminal device and the identification information of the second terminal device.
The processing module is further configured to send the encrypted session key to the second terminal device, so that the second terminal device can utilize the session key to implement secure communication with the first terminal device.
The processing module is specifically configured to send the encrypted session key to the first terminal device and/or the second terminal device through an IMS network signaling.
The encrypted session key comprises a session key encrypted by using a first protection key and a session key encrypted by using a second protection key;
the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for acquiring the session key, and includes:
the KMC determines a first protection key generated when the first terminal device corresponding to the identification information of the first terminal device logs in the KMC according to the identification information of the first terminal device contained in the parameter information for acquiring the session key, and performs encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
and determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key, and performing encryption operation on the generated session key by using the second protection key to obtain the session key encrypted by using the second protection key.
A terminal device for performing a secure communication service, comprising:
a request message sending module, configured to send a secure communication service establishment request message to an encryption application server EAS, where the secure communication service establishment request message is used to characterize that a secure communication service needs to be established between the first terminal device and the second terminal device, and the secure communication service establishment request message includes parameter information used to obtain a session key;
a session key receiving module, configured to receive an encrypted session key sent by the EAS, where the encrypted session key is obtained by the EAS carrying the parameter information used for acquiring the session key in a session key request message and sending the session key request message to a key management center KMC to which the first terminal device and the second terminal device belong, and by the KMC encrypting the generated session key according to the parameter information used for acquiring the session key, and the session key request message is used to characterize and request the KMC to generate a session key for a secure communication service that needs to be established between the first terminal device and the second terminal device.
The terminal device further includes:
and the processing module is used for sending the encrypted session key to the second terminal equipment when receiving the encrypted session key sent by the EAS.
The processing module is specifically configured to send the encrypted session key to the second terminal device through an IMS network signaling;
or,
sending the encrypted session key to the second terminal device through the established media plane data transmission channel with the second terminal device.
The terminal device further includes:
and the decryption module is used for decrypting the encrypted session key by using a first protection key generated when logging in the KMC when receiving the encrypted session key sent by the EAS, so as to obtain the session key generated by the KMC for carrying out secret communication service between the first terminal equipment and the second terminal equipment.
A key management center for a secure communication service, comprising:
a key request receiving module, configured to receive a session key request message sent by an encryption application server EAS, where the session key request message is used to characterize and request the KMC to generate a session key for a secure communication service that needs to be established between a first terminal device and a second terminal device, the session key request message includes parameter information used to obtain the session key, and the parameter information used to obtain the session key is carried in a secure communication service establishment request message, which is sent by the first terminal device and used to characterize that the secure communication service needs to be established between the first terminal device and the second terminal device, and is received by the EAS; and
a key sending module, configured to return an encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal device, and the first terminal device can realize secure communication with the second terminal device by using the session key, where the encrypted session key is obtained by encrypting, by the KMC, the generated session key according to the parameter information for obtaining the session key.
The parameter information for acquiring the session key comprises the identification information of the first terminal device and the identification information of the second terminal device;
the key sending module is specifically configured to generate a session key required for executing a secure communication service between the first terminal device and the second terminal device, determine, according to identification information of the first terminal device included in parameter information for acquiring the session key, a first protection key generated when the first terminal device corresponding to the identification information of the first terminal device logs in the KMC, and perform an encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key; performing encryption operation on the generated session key by using the second protection key to obtain a session key encrypted by using the second protection key;
and sending the session key encrypted by the first protection key and the session key encrypted by the second protection key as encrypted session keys to the EAS through a key response message.
A system for processing secure communication services, the system comprising: the encryption application server, the terminal device and the key management center.
The invention has the following beneficial effects:
In the embodiments of the invention, an encryption application server and a key management center are introduced into the IMS network. The encryption application server receives a secure communication service establishment request message sent by a first terminal device, which indicates that a secure communication service needs to be established between the first terminal device and a second terminal device. The encryption application server carries the parameter information for acquiring a session key, contained in that request message, in a session key request message and sends it to the key management center to which the first terminal device and the second terminal device belong, requesting the key management center to generate a session key for the secure communication service to be established between the two terminal devices. When the encryption application server receives the encrypted session key returned by the key management center, it sends the encrypted session key to the first terminal device, so that the first terminal device can communicate securely with the second terminal device by using the session key. The encryption application server thus lets the operator provide secure communication to users as a service, and because the encryption application server obtains the encrypted session key from the key management center and sends it to the terminal device, the operator's control over secure communication is increased and the processing efficiency of the system is improved. The introduced key management center lets the user manage the whole life cycle of the key, which improves the security of the secure communication service between users.
Drawings
FIG. 1 is a schematic flow chart of SDES key management;
FIG. 2 is a flow chart of KMS key management;
FIG. 3 is a flowchart illustrating a method for processing a secure communication service according to a first embodiment of the present invention;
FIG. 4 is a flowchart illustrating a processing method of a secure communication service according to a second embodiment of the present invention;
FIG. 5 is a flowchart illustrating a processing method of a secure communication service according to a third embodiment of the present invention;
FIG. 6 is a flowchart illustrating a processing method of a secure communication service according to a fourth embodiment of the present invention;
FIG. 7 is a schematic structural diagram of an encryption application server for secure communication services according to a fifth embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a terminal device for performing a secure communication service according to a sixth embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a key management center for secure communication services according to a seventh embodiment of the present invention;
FIG. 10 is a schematic structural diagram of a processing system for secure communication services according to an eighth embodiment of the present invention.
Detailed Description
To achieve the object of the present invention, embodiments of the present invention provide a method, a device, and a system for processing a secure communication service, in which an encryption application server and a key management center are introduced into an IMS network. The encryption application server receives a secure communication service establishment request message sent by a first terminal device, which indicates that a secure communication service needs to be established between the first terminal device and a second terminal device. It carries the parameter information for acquiring a session key, contained in that request message, in a session key request message and sends it to the key management center to which the first terminal device and the second terminal device belong, requesting the key management center to generate a session key for the secure communication service to be established between the two terminal devices. When it receives the encrypted session key returned by the key management center, it sends the encrypted session key to the first terminal device, so that the first terminal device can use the session key to communicate securely with the second terminal device.
The encryption application server thus lets the operator offer secure communication to users as a service. Because the encryption application server obtains the encrypted session key from the key management center and sends it to the terminal device, the operator's control over secure communication is increased and the processing efficiency of the system is improved; the introduced key management center lets the user manage keys over their whole life cycle, which improves the security of the secure communication service between users.
It should be noted that the system architecture to which the embodiments of the present invention apply includes, but is not limited to, an IMS core network (for example, network element devices such as an SBC (Session Border Controller), a P-CSCF (Proxy Call Session Control Function), an S-CSCF (Serving Call Session Control Function), an HSS (Home Subscriber Server), an MGCF (Media Gateway Control Function), an MGW (Media Gateway), and the like). When the system architecture includes a SIP (Session Initiation Protocol) server, the technical solution provided in the embodiments of the present invention may also be used to provide a secure communication service for users over a SIP system, which is not specifically limited herein.
The Encryption Application Server (EAS) involved in the embodiments of the present invention provides a secure communication service for a terminal device (the secure communication service includes, but is not limited to, an encrypted voice call service, an encrypted video call service, an encrypted conference call service, an encrypted short message service, an encrypted file transfer service, an encrypted mail service, etc.). The EAS has the following functions. On one hand, the EAS is compatible with the AS (Application Server) session service logic triggering function in the IMS network system: it can receive a service request message initiated by a terminal device from the S-CSCF, a core entity of the IMS network, trigger the secure communication service, handle call processing and connection control on the control plane, and charge for the executed service. On the other hand, the EAS communicates with a Key Management Center (KMC) through a configured secure interface: according to the service processing logic, it can carry information such as registration, identity authentication and key management of the terminal device to the KMC, and it supports signaling interaction between the terminal device and the KMC.
The Key Management Center (KMC) involved in the embodiments of the present invention manages the keys required for secure communication services. This specifically includes, but is not limited to, full life cycle key management: key generation, key injection, key distribution, key storage, key archiving, key derivation, key renewal, and key destruction. The KMC communicates with the EAS through the secure interface. Through the EAS it can receive password request messages from the terminal device and complete operations such as registration, identity authentication and key distribution for the terminal device, and it can issue control instructions to the cryptographic module in the terminal device to control that module remotely. For example, the KMC manages the cryptographic module contained in the terminal device and can remotely destroy it.
In addition, to increase the user's trust in the operator's secure communication service, the user can deploy the KMC themselves.
The terminal device involved in the embodiments of the present invention comprises an IP communication module and a cryptographic module. The IP communication module supports the SIP communication protocol, has IMS communication capability, and supports functions such as login/logout, identity authentication, and call control and processing of a terminal in an IMS system. The cryptographic module is responsible for terminal key management and for executing the encryption and decryption algorithms: on the control plane it exchanges signaling with the KMC to obtain a session key, and on the media plane it uses the obtained session key to establish a security association with the peer device so that the communication service is transmitted confidentially.
The following detailed description of various embodiments of the invention refers to the accompanying drawings.
The first embodiment is as follows:
FIG. 3 is a schematic flow chart of a processing method of a secure communication service according to the first embodiment of the present invention, which may be described as follows.
Step 101: The EAS receives a secure communication service establishment request message sent by a first terminal device.
The secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal device and the second terminal device, and contains parameter information for acquiring a session key.
In step 101, when calling the second terminal device, the first terminal device sends a secure communication service establishment request message to the IMS network, and the IMS core network forwards that message to the EAS, informing the EAS that the first terminal device is going to establish a secure communication service with the second terminal device.
It should be noted that the secure communication service establishment request message sent by the first terminal device may be implemented by the call establishment request message that the first terminal device initiates. That is, when the first terminal device initiates a call to the second terminal device, it sends a call establishment message to the IMS network, and this call establishment message has two functions: 1. requesting establishment of a call connection with the second terminal device; 2. triggering the secure communication service while the call connection is being established.
Alternatively, the secure communication service establishment request message sent by the first terminal device may be triggered at any time after the first terminal device has initiated the call establishment request message.
For example, after the first terminal device has successfully established a call link with the second terminal device, and during call service processing, the first terminal device sends a secure communication service establishment request message to the IMS network, and the IMS core network forwards it to the EAS, informing the EAS that the first terminal device needs to perform the secure communication service with the second terminal device.
That is, establishing the call connection between the terminal devices and triggering the secure communication service may happen at the same time or at different times: the secure communication service may be triggered first and the call connection established afterwards, or the call connection may be established first and the secure communication service triggered afterwards.
On receiving the secure communication service establishment request message sent by the first terminal device, the encryption application server starts the subsequent secure communication service processing flow.
Step 102: The EAS carries the parameter information for acquiring the session key in a session key request message and sends the session key request message to the key management center (KMC) to which the first terminal device and the second terminal device belong.
The session key request message requests the KMC to generate a session key for the secure communication service that needs to be established between the first terminal device and the second terminal device.
The parameter information for acquiring the session key includes the identification information of the first terminal device and the identification information of the second terminal device.
The parameter information for acquiring the session key at least includes identification information of the first terminal device, identification information of the second terminal device, a random number, and the like.
In step 102, the EAS determines the KMC to which the first terminal device and the second terminal device belong from the identification information of the first terminal device and the identification information of the second terminal device.
It should be noted that the calling and called terminal devices of the call being established belong to the same key management center; that is, the first terminal device and the second terminal device register with and log in to the same key management center.
Here, the calling and called terminal devices of the same user group form a user domain, and a user domain contains at least one key management center.
That is, the EAS determines the user domain to which the first terminal device and the second terminal device belong, based on the identification information of the first terminal device and the identification information of the second terminal device, and selects one key management center from the at least one key management center included in that user domain.
The EAS carries the parameter information for acquiring the session key in a session key request message and sends the session key request message to the determined KMC.
Specifically, the EAS sends the session key request message to the determined KMC via the secure interface, requesting it to generate a session key for the secure communication service to be established between the first terminal device and the second terminal device.
Step 103: The EAS receives the encrypted session key returned by the KMC and sends the encrypted session key to the first terminal device, so that the first terminal device can use the session key to communicate securely with the second terminal device.
The encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for acquiring the session key.
In step 103, the EAS may send the encrypted session key to the first terminal device in either of the following ways:
The EAS sends the encrypted session key to the first terminal device through IMS network signaling.
Specifically, the EAS sends the encrypted session key to the first terminal device through SIP signaling in the IMS network.
For example, the SIP signaling includes, but is not limited to, MESSAGE, OPTIONS and INFO messages.
Alternatively, the EAS sends the encrypted session key to the first terminal device through a call processing message in the IMS network.
For example, call setup response messages, session handling messages, and the like.
Specifically, when the call establishment and the secure communication service establishment between the first terminal device and the second terminal device are synchronously implemented, after the EAS sends the session key request message to the KMC, the EAS can forward the call establishment request message initiated by the first terminal device to the second terminal device to attempt to establish a call connection with the second terminal device.
Meanwhile, when receiving the encrypted session key sent by the KMC, the EAS determines whether a call setup response message of the second terminal device is received, and when receiving the call setup response message of the second terminal device, the EAS sends the encrypted session key to the first terminal device by using the received call setup response message.
It should be noted that, the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for acquiring the session key, and specific embodiments include but are not limited to:
First, after receiving the session key request message sent by the EAS, the KMC generates a session key for establishing a secure communication service between the first terminal device and the second terminal device.
It should be noted that, after receiving the session key request message sent by the EAS, the KMC may generate the session key randomly, or may determine it from the parameter information for acquiring the session key carried in the session key request message, for example by generating the session key from the random number in that parameter information, which is not limited herein.
Second, to protect the session key while it is transmitted over the communication link, the KMC encrypts the generated session key.
Because the KMC is deployed by the user, a terminal device used by the user can first register with and log in to the KMC before it communicates. When the terminal device logs in, the KMC generates a protection key for it and locally stores the correspondence between the terminal device's identification information and the protection key. When the terminal device later initiates a secure communication service, the KMC can encrypt the generated session key with that protection key. This keeps the session key secure while it travels over the communication link and ensures that a terminal receiving the encrypted session key can correctly decrypt it to obtain the real session key, improving the efficiency of the secure communication service and ensuring the security of the communication.
At this point, the KMC uses the identification information of the first terminal device, included in the parameter information for acquiring the session key, to determine the first protection key that was generated when the corresponding first terminal device logged in to the KMC, and encrypts the generated session key with the first protection key to obtain the session key encrypted with the first protection key. Likewise, it uses the identification information of the second terminal device, included in the parameter information for acquiring the session key, to determine the second protection key that was generated when the corresponding second terminal device logged in to the KMC, and encrypts the generated session key with the second protection key to obtain the session key encrypted with the second protection key.
Finally, the encrypted session key, which includes the session key encrypted with the first protection key and the session key encrypted with the second protection key, is transmitted to the EAS.
In particular, the KMC sends the encrypted session key to the EAS via a session key response message.
The session key response message may contain the encrypted session key as a single data packet (that is, one data packet divided into two parts, one part being the session key encrypted with the first protection key and the other part being the session key encrypted with the second protection key), or it may contain the session key encrypted with the first protection key and the session key encrypted with the second protection key separately, which is not limited herein.
Specifically, when the KMC sends the session key encrypted with the first protection key and the session key encrypted with the second protection key to the EAS through the session key response message, the KMC sends two different data packets to the EAS: one data packet is the session key encrypted with the first protection key, and the other is the session key encrypted with the second protection key.
Optionally, when the KMC obtains the session key encrypted with the first protection key and the session key encrypted with the second protection key, it establishes a correspondence between the first terminal device identifier corresponding to the first protection key and the session key encrypted with the first protection key, and a correspondence between the second terminal device identifier corresponding to the second protection key and the session key encrypted with the second protection key. When it sends the two encrypted session keys to the EAS, it also sends the established correspondences, so that after the EAS forwards the encrypted session key to the first terminal device, the first terminal device can use the correspondence to quickly identify the encrypted session key that corresponds to its own identification information, which speeds up service processing and improves the operating efficiency of the system.
In another embodiment of the present invention, the EAS transmits the encrypted session key to the second terminal device, so that the second terminal device can perform secure communication with the first terminal device using the session key.
That is, the EAS simultaneously transmits the encrypted session key to the first terminal device and the second terminal device after receiving the encrypted session key transmitted by the KMC.
For example, when the call establishment and the secure communication service establishment between the first terminal device and the second terminal device are synchronously implemented, after the session key request message is sent to the KMC by the EAS, the call establishment request message for calling the second terminal device, which is initiated by the first terminal device, can be forwarded to the second terminal device to attempt to establish a call connection with the second terminal device.
Meanwhile, when receiving the encrypted session key sent by the KMC, the EAS determines whether a call setup response message of the second terminal device is received, and when receiving the call setup response message of the second terminal device, the EAS simultaneously sends the encrypted session key to the first terminal device and the second terminal device.
After the first terminal device and the second terminal device receive the encrypted session key sent by the EAS, each decrypts it using the protection key generated when it logged in to the KMC to obtain the session key generated by the KMC. Once a media plane transmission channel between the first terminal device and the second terminal device has been established, the communication service is transmitted over that channel using the session key.
It should be noted that, after the EAS has obtained from the KMC the encrypted session key for the secure communication service between the first terminal device and the second terminal device, it is not limited to sending the encrypted session key to the first terminal device once; it may send it repeatedly to ensure correct transmission.
It should be noted that, assuming that the encrypted session key returned by the KMC received by the EAS belongs to one data packet, the EAS sends the encrypted session key including one data packet to the first terminal device and the second terminal device, respectively; if the encrypted session key returned by the KMC received by the EAS belongs to two data packets, that is, one data packet is the session key encrypted by using the first protection key, and the other data packet is the session key encrypted by using the second protection key, the EAS may send the encrypted session keys including the two data packets to the first terminal device and the second terminal device, respectively; the EAS may also determine terminal devices corresponding to different data packets, send a data packet including a session key encrypted by using the first protection key to the first terminal device, and send a data packet including a session key encrypted by using the second protection key to the second terminal device, which is not limited specifically herein.
In the scheme of the first embodiment of the invention, an encryption application server and a key management center are introduced into an IMS network. The encryption application server receives a secure communication service establishment request message sent by a first terminal device, which indicates that a secure communication service needs to be established between the first terminal device and a second terminal device. It carries the parameter information for acquiring a session key, contained in that request message, in a session key request message and sends it to the key management center to which the first terminal device and the second terminal device belong, requesting the key management center to generate a session key for the secure communication service to be established between the two terminal devices. When it receives the encrypted session key returned by the key management center, it sends the encrypted session key to the first terminal device, so that the first terminal device can use the session key to communicate securely with the second terminal device.
The encryption application server thus lets the operator offer secure communication to users as a service. Because the encryption application server obtains the encrypted session key from the key management center and sends it to the terminal device, the operator's control over secure communication is increased and the processing efficiency of the system is improved; the introduced key management center lets the user manage keys over their whole life cycle, which improves the security of the secure communication service between users.
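The key distribution of steps 101 to 103, as an added example that is not part of the patent: the KMC wraps one session key under each terminal's protection key, the EAS relays the packets by terminal identifier without holding any protection key, and each terminal unwraps its own packet. The patent names no cipher, so an HMAC-SHA256 encrypt-then-MAC construction stands in for it; covering the two terminal identifiers and the random number with the integrity tag, the request field names and the SIP URIs are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed example. The patent names no cipher, so an HMAC-SHA256
# encrypt-then-MAC wrap stands in for the cryptographic module's algorithm.

def _subkeys(protection_key):
    """Derive separate encryption and MAC keys from one protection key."""
    enc = hmac.new(protection_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(protection_key, b"mac", hashlib.sha256).digest()
    return enc, mac

def session_context(caller_id, callee_id, nonce):
    """Length-prefixed encoding of the session key request parameters."""
    parts = [caller_id.encode(), callee_id.encode(), nonce]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)

def wrap(protection_key, session_key, context):
    """Encrypt a 32-byte session key; the tag also covers the context."""
    if len(session_key) != 32:
        raise ValueError("session key must be 32 bytes")
    enc, mac = _subkeys(protection_key)
    iv = secrets.token_bytes(16)
    pad = hmac.new(enc, iv, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(session_key, pad))
    tag = hmac.new(mac, iv + ct + context, hashlib.sha256).digest()
    return iv + ct + tag

def unwrap(protection_key, blob, context):
    """Verify the tag, then decrypt; raises ValueError on any mismatch."""
    enc, mac = _subkeys(protection_key)
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, iv + ct + context, hashlib.sha256).digest()
    if len(blob) != 80 or not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped session key rejected")
    pad = hmac.new(enc, iv, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class KMC:
    """Stores one protection key per logged-in terminal identifier."""
    def __init__(self):
        self._protection_keys = {}

    def login(self, terminal_id):
        # The login channel that carries this key to the terminal is not modelled.
        self._protection_keys[terminal_id] = secrets.token_bytes(32)
        return self._protection_keys[terminal_id]

    def session_key_request(self, caller_id, callee_id, nonce):
        ids = (caller_id, callee_id)
        missing = [t for t in ids if t not in self._protection_keys]
        if missing:
            raise LookupError(f"not logged in to this KMC: {missing}")
        session_key = secrets.token_bytes(32)
        ctx = session_context(caller_id, callee_id, nonce)
        # Correspondence: terminal identifier -> session key wrapped for it.
        return {t: wrap(self._protection_keys[t], session_key, ctx) for t in ids}

class EAS:
    """Relays the request and the wrapped keys; holds no protection key."""
    def __init__(self, kmc):
        self._kmc = kmc

    def handle_request(self, request):
        return self._kmc.session_key_request(
            request["caller"], request["callee"], request["nonce"])

class Terminal:
    def __init__(self, terminal_id, kmc):
        self.terminal_id = terminal_id
        self._protection_key = kmc.login(terminal_id)

    def receive(self, packet, request):
        ctx = session_context(request["caller"], request["callee"], request["nonce"])
        return unwrap(self._protection_key, packet, ctx)

if __name__ == "__main__":
    kmc = KMC()
    a = Terminal("sip:alice@example.invalid", kmc)   # constructed identifiers
    b = Terminal("sip:bob@example.invalid", kmc)
    req = {"caller": a.terminal_id, "callee": b.terminal_id,
           "nonce": secrets.token_bytes(16)}
    packets = EAS(kmc).handle_request(req)
    same = a.receive(packets[a.terminal_id], req) == b.receive(packets[b.terminal_id], req)
    print("both terminals hold the same session key:", same)
```

A packet delivered to the wrong terminal, altered in transit, or replayed against a request with a different random number fails the tag check instead of yielding a wrong key.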
The second embodiment is as follows:
FIG. 4 is a schematic flow chart of a processing method for a secure communication service according to the second embodiment of the present invention. The second embodiment is based on the same inventive concept as the first embodiment and describes the processing method in detail from the perspective of a terminal device. The method may be as follows.
Step 201: The first terminal device sends a secure communication service establishment request message to the encryption application server (EAS).
The secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal device and the second terminal device, and contains parameter information for acquiring a session key.
In step 201, when calling the second terminal device, the first terminal device sends a secure communication service establishment request message to the IMS network, and the IMS core network forwards that message to the EAS, informing the EAS that the first terminal device is going to establish a secure communication service with the second terminal device.
It should be noted that the secure communication service establishment request message sent by the first terminal device may be implemented by the call establishment request message that the first terminal device initiates. That is, when the first terminal device initiates a call to the second terminal device, it sends a call establishment message to the IMS network, and this call establishment message has two functions: 1. requesting establishment of a call connection with the second terminal device; 2. triggering the secure communication service while the call connection is being established.
Alternatively, the secure communication service establishment request message sent by the first terminal device may be triggered at any time after the first terminal device has initiated the call establishment request message.
For example, after the first terminal device has successfully established a call link with the second terminal device, and during call service processing, the first terminal device sends a secure communication service establishment request message to the EAS on the network side, informing the EAS that the first terminal device needs to perform secure communication with the second terminal device.
That is, establishing the call connection between the terminal devices and triggering the secure communication service may happen at the same time or at different times: the secure communication service may be triggered first and the call connection established afterwards, or the call connection may be established first and the secure communication service triggered afterwards, which is not specifically limited herein.
On receiving the secure communication service establishment request message sent by the first terminal device, the encryption application server starts the subsequent secure communication service processing flow.
Step 202: The first terminal device receives the encrypted session key sent by the EAS.
The encrypted session key is obtained as follows: the EAS carries the parameter information for acquiring the session key in a session key request message and sends it to the key management center (KMC) to which the first terminal device and the second terminal device belong, and the KMC encrypts the generated session key according to the parameter information for acquiring the session key. The session key request message requests the KMC to generate a session key for the secure communication service that needs to be established between the first terminal device and the second terminal device.
How the encryption application server obtains the encrypted session key in step 202 is described in detail in the first embodiment of the present invention and is not repeated here.
Step 203: On receiving the encrypted session key sent by the EAS, the first terminal device decrypts it using the first protection key generated when the first terminal device logged in to the KMC, and obtains the session key that the KMC generated for the secure communication service between the first terminal device and the second terminal device.
The encrypted session key includes a session key encrypted by a first protection key and a session key encrypted by a second protection key.
In step 203, since the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for acquiring the session key, specific embodiments include, but are not limited to:
First, after receiving the session key request message sent by the EAS, the KMC generates a session key for establishing a secure communication service between the first terminal device and the second terminal device.
It should be noted that, after receiving the session key request message sent by the EAS, the KMC may generate the session key randomly, or may determine it from the parameter information for acquiring the session key carried in the session key request message, for example by generating the session key from the random number in that parameter information, which is not limited herein.
Second, to protect the session key while it is transmitted over the communication link, the KMC encrypts the generated session key.
Because the KMC is deployed by the user, a terminal device used by the user can first register with and log in to the KMC before it communicates. When the terminal device logs in, the KMC generates a protection key for it and locally stores the correspondence between the terminal device's identification information and the protection key. When the terminal device later initiates a secure communication service, the KMC can encrypt the generated session key with that protection key. This keeps the session key secure while it travels over the communication link and ensures that a terminal receiving the encrypted session key can correctly decrypt it to obtain the real session key, improving the efficiency of the secure communication service and ensuring the security of the communication.
At this point, the KMC uses the identification information of the first terminal device, included in the parameter information for acquiring the session key, to determine the first protection key that was generated when the corresponding first terminal device logged in to the KMC, and encrypts the generated session key with the first protection key to obtain the session key encrypted with the first protection key. Likewise, it uses the identification information of the second terminal device, included in the parameter information for acquiring the session key, to determine the second protection key that was generated when the corresponding second terminal device logged in to the KMC, and encrypts the generated session key with the second protection key to obtain the session key encrypted with the second protection key.
Finally, the encrypted session key, which includes the session key encrypted with the first protection key and the session key encrypted with the second protection key, is transmitted to the EAS.
The session key response message may include the encrypted session key as one data packet (that is, the encrypted session key is a single data packet divided into two parts, one part obtained by encrypting the generated session key with the first protection key and the other part obtained by encrypting the generated session key with the second protection key), or may include the session key encrypted by using the first protection key and the session key encrypted by using the second protection key, which is not limited herein.
Specifically, when the KMC sends the session key encrypted by the first protection key and the session key encrypted by the second protection key to the EAS through the session key response message, it indicates that two different data packets are sent by the KMC to the EAS, one data packet is the session key encrypted by the first protection key, and the other data packet is the session key encrypted by the second protection key.
Optionally, when the KMC obtains the session key encrypted by the first protection key and the session key encrypted by the second protection key, the KMC establishes a correspondence between the first terminal device identifier corresponding to the first protection key and the session key encrypted by the first protection key, and a correspondence between the second terminal device identifier corresponding to the second protection key and the session key encrypted by the second protection key. When sending the two encrypted session keys to the EAS, the KMC also sends the established correspondence to the EAS. After the EAS forwards the encrypted session key to the first terminal device, the first terminal device can then use the correspondence to quickly determine the encrypted session key corresponding to its own identification information, thereby speeding up system service processing and improving the efficiency of system operation.
Therefore, when the encrypted session key received by the first terminal device is a single data packet, the first terminal device decrypts the encrypted session key by using the first protection key generated when logging in to the KMC, and obtains the session key generated by the KMC for the secure communication service between the first terminal device and the second terminal device.
When the encrypted session key received by the first terminal device includes two data packets, that is, the received encrypted session key includes a session key encrypted by the first protection key and a session key encrypted by the second protection key, at this time, the first terminal device can only decrypt the session key encrypted by the first protection key through the first protection key, so as to obtain the session key generated by the KMC for the secure communication service between the first terminal device and the second terminal device, and prepare for subsequent secure communication with the second terminal device.
Optionally, when the encrypted session key received by the first terminal device includes the session key encrypted by the first protection key and the session key encrypted by the second protection key, the session key encrypted by the first protection key and corresponding to the first terminal device identifier may be determined according to a correspondence between the identifier information of the terminal device and the encrypted session key established by the KMC, and the session key encrypted by the first protection key is decrypted by the first protection key, so as to obtain the session key generated by the KMC for the secure communication service between the first terminal device and the second terminal device.
Step 204: When receiving the encrypted session key sent by the EAS, the first terminal device sends the encrypted session key to the second terminal device.
In step 204, the manner in which the first terminal device sends the encrypted session key to the second terminal device includes, but is not limited to:
The first mode is as follows:
The first terminal device sends the encrypted session key to the second terminal device through IMS network signaling.
Specifically, regardless of whether the establishment of the media plane data transmission channel between the first terminal device and the second terminal device is completed, when receiving the session key sent by the EAS, the first terminal sends the encrypted session key to the second terminal device by using the IMS network signaling.
It should be noted that the IMS network signaling includes, but is not limited to, SIP signaling, call processing message, and the like.
The first terminal device sends the encrypted session key to the second terminal device through SIP signaling.
For example, SIP signaling includes, but is not limited to, MESSAGE, OPTIONS, and INFO messages.
Alternatively, the first terminal device sends the encrypted session key to the second terminal device through a provisional response acknowledgement message PRACK.
Specifically, in order to save system signaling overhead, a signaling piggyback transmission mode may be adopted. That is, when the first terminal device receives the encrypted session key transmitted by a call establishment response message sent by the EAS through the second terminal device, then, after correctly processing the call establishment response message, it carries the encrypted session key in the provisional acknowledgement message PRACK that it returns to the second terminal device.
The second mode is as follows:
The first terminal device sends the encrypted session key to the second terminal device through the media plane data transmission channel established with the second terminal device.
Specifically, when the first terminal device receives a session key sent by the EAS and determines that establishment of a media plane transmission channel with the second terminal device is completed, the encrypted session key is sent to the second terminal device by using the established media plane transmission channel.
Specifically, when the encrypted session key received by the first terminal device is a single data packet, the first terminal device sends that data packet to the second terminal device. When the encrypted session key received by the first terminal device consists of two data packets, that is, one data packet is the session key encrypted by using the first protection key and the other data packet is the session key encrypted by using the second protection key, the first terminal device may send both data packets to the second terminal device together; alternatively, the first terminal device may determine the terminal devices corresponding to the different data packets and send the data packet containing the session key encrypted by the second protection key to the second terminal device. This is not specifically limited herein.
It should be noted that, in the second embodiment of the present invention, step 203 and step 204 have no fixed execution order: they may be performed in the order described in the second embodiment, step 204 may be performed before step 203, or step 203 and step 204 may be performed simultaneously.
Example three:
Fig. 5 is a schematic flow chart of a processing method for a secure communication service according to a third embodiment of the present invention. The third embodiment belongs to the same inventive concept as the first and second embodiments, and describes each step of the first embodiment in detail from the perspective of the key management center. The method may be as follows.
Step 301: the key management centre KMC receives the session key request message sent by the cryptographic application server EAS.
Wherein, the session key request message is used for representing that the KMC is requested to generate a session key for the secure communication service needing to be established between the first terminal equipment and the second terminal equipment.
The session key request message includes parameter information for acquiring a session key.
The parameter information for acquiring the session key is carried in a secure communication service establishment request message which is sent by the EAS and used for representing that a secure communication service needs to be established between the first terminal device and the second terminal device.
Step 302: the KMC returns an encrypted session key to the EAS.
This enables the EAS to send the encrypted session key to the first terminal device, so that the first terminal device can use the session key to communicate securely with the second terminal device.
The encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for acquiring the session key.
The parameter information for acquiring the session key comprises the identification information of the first terminal device and the identification information of the second terminal device.
In step 302, the KMC returns the encrypted session key to the EAS in a manner including, but not limited to:
First, the KMC generates a session key required for performing a secure communication service between the first terminal device and the second terminal device.
It should be noted that, after receiving the session key request message sent by the EAS, the KMC may generate the session key randomly, or determine the session key according to the parameter information for acquiring the session key carried in the session key request message, for example: a session key generated using random number information in parameter information for acquiring a session key, and the like, which is not limited herein.
Secondly, in order to guarantee the security of the transmission of the session key in the communication link, the KMC performs an encryption process on the generated session key.
Because the KMC is deployed by the user, a terminal device used by the user can first register and log in to the KMC before communicating. When the terminal device logs in, the KMC generates a protection key for it and locally stores the correspondence between the terminal device's identification information and the protection key. When the terminal device subsequently initiates a secure communication service, the KMC can encrypt the generated session key with the protection key. This ensures the security of the session key during transmission over the communication link, and also ensures that the terminal, on receiving the encrypted session key, can accurately decrypt it to obtain the real session key, thereby improving the efficiency of the secure communication service and ensuring the security of communication.
At this time, the KMC determines, according to the identification information of the first terminal device included in the parameter information for acquiring the session key, a first protection key generated when the first terminal device corresponding to the identification information of the first terminal device logs in the KMC, and performs an encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key; and performing encryption operation on the generated session key by using the second protection key to obtain the session key encrypted by using the second protection key.
And finally, the KMC sends the session key encrypted by the first protection key and the session key encrypted by the second protection key to the EAS through a key response message as encrypted session keys.
Example four:
Fig. 6 is a flowchart of a processing method for a secure communication service according to a fourth embodiment of the present invention. The fourth embodiment belongs to the same inventive concept as the first to third embodiments, and describes the technical solution of the present invention in detail by taking as an example the case where terminal device A and terminal device B need to execute the secure communication service. The method may be as follows.
It should be noted that terminal device A and terminal device B may need to perform the secure communication service either while they are establishing a call or after they have established a call, which is not limited herein.
Step 1: When a user initiates a secure communication call to terminal device B through terminal device A, a call setup request message is initiated to the IMS network.
The call establishment request message may be an INVITE message, which is used to inform the IMS core network that an encrypted session connection needs to be established with the terminal device B.
The call setup request message includes identification information (or telephone number information) of terminal device A and identification information (or telephone number information) of terminal device B.
At this time, the call establishment request message also carries a session key request message.
In another embodiment of the present invention, the call establishment request message sent by terminal device A to terminal device B may also be used only to inform the IMS core network that a session connection needs to be established with terminal device B; meanwhile, terminal device A sends a session key request message through IMS signaling (e.g., MESSAGE), where the session key request message is used to inform the IMS network that an encrypted session connection needs to be established between terminal device A and terminal device B.
Step 2: when receiving the call establishment request message, the EAS determines the user domains to which the terminal device A and the terminal device B belong according to the identification information of the terminal device A and the identification information of the terminal device B, and sends a session key request message to a key management center in the user domain.
Step 3: The KMC generates a session key for terminal device A and terminal device B and sends a key response message to the EAS.
Wherein, the key response message includes the encrypted session key.
In order to ensure that the session key is not leaked in the transmission process, the KMC performs encryption protection on the session key by using protection keys generated when the terminal device A and the terminal device B log in the KMC respectively.
Step 4: The EAS immediately forwards the call setup request message to terminal device B after sending the session key request message to the KMC.
Therefore, the call connection is carried out in parallel while the session key is requested, so as to improve the processing efficiency.
In another embodiment of the invention, the EAS waits for the KMC to return a response message after sending a session key request message to the KMC.
After receiving the session key response message sent by the KMC, the EAS forwards the call establishment request message to terminal device B and continues the call connection.
Step 5: The EAS receives the session processing message returned by terminal device B.
The session processing message is returned after the terminal device B processes the received call establishment request message.
In another embodiment of the invention, if the session key response message sent by the KMC has not been received by the EAS when receiving the session handling message, the EAS needs to wait for the KMC's feedback.
Step 6: The EAS carries the encrypted session key from the key response message fed back by the KMC in a session processing message and sends the session processing message to terminal device A.
In another embodiment of the present invention, at this point the EAS transmits the secret communication key in the session key response message received from the KMC to terminal device A and terminal device B by using IMS signaling.
Step 7: After receiving the encrypted session key, terminal device A decrypts the encrypted session key by using the first protection key generated when logging in to the KMC, and obtains the session key generated by the KMC for the current call.
In another embodiment of the present invention, terminal device A sends the received encrypted session key to terminal device B in the following ways:
The first mode is as follows:
The first terminal device sends the encrypted session key to the second terminal device through IMS network signaling.
Specifically, regardless of whether the establishment of the media plane data transmission channel between the first terminal device and the second terminal device is completed, when receiving the session key sent by the EAS, the first terminal sends the encrypted session key to the second terminal device by using the IMS network signaling.
Or, the first terminal device sends the encrypted session key to the second terminal device through a provisional response acknowledgement message PRACK 183.
For example, in order to save system signaling overhead, a signaling piggyback transmission mode may be adopted. That is, when the first terminal device receives the encrypted session key transmitted by a call establishment response message sent by the EAS device through the second terminal device, then, after correctly processing the call establishment response message, it carries the encrypted session key in the provisional acknowledgement message PRACK that it returns to the second terminal device.
The second mode is as follows:
The first terminal device sends the encrypted session key to the second terminal device through the established media plane data transmission channel between the first terminal device and the second terminal device.
Specifically, when the first terminal device receives a session key sent by the EAS and determines that establishment of a media plane transmission channel with the second terminal device is completed, the encrypted session key is sent to the second terminal device by using the established media plane transmission channel.
Step 8: After receiving the encrypted session key, terminal device B decrypts the encrypted session key by using the second protection key generated when logging in to the KMC, and obtains the session key generated by the KMC for the call.
Step 9: When the call link is established, terminal device A and terminal device B encrypt the call data by using the obtained session key to realize an encrypted call between terminal device A and terminal device B.
It should be noted that, the fourth embodiment of the present invention is a rough description of a processing flow of a secure communication service, and the related technical details may adopt the technical solutions described in the first to third embodiments of the present invention, which are not described in detail herein.
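The key distribution of steps 203 and 302, and of steps 3, 7 and 8 of Example four, as an added example that is not code from the patent. The patent does not name the encryption operation, so the HMAC-SHA256 encrypt-then-MAC wrap (a standard-library stand-in for an AEAD or key-wrap algorithm), the binding of the device identifier into the tag, all class and function names, and the `sip:` identifiers are assumptions.

```python
"""KMC session-key distribution: one session key, wrapped once per terminal."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN, KEY_LEN = 16, 32, 32


def _subkey(protection_key, label):
    # Separate encryption and MAC keys derived from the one protection key.
    return hmac.new(protection_key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(mac_key, device_id, nonce, ct):
    ident = device_id.encode()
    # Length-prefix the identifier so (identifier, nonce, ciphertext) parse unambiguously.
    msg = len(ident).to_bytes(2, "big") + ident + nonce + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def wrap(protection_key, device_id, session_key):
    """Assumed stand-in for the patent's unspecified 'encryption operation'."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(protection_key, b"enc"), nonce, len(session_key))
    ct = bytes(a ^ b for a, b in zip(session_key, stream))
    return nonce + ct + _tag(_subkey(protection_key, b"mac"), device_id, nonce, ct)


def unwrap(protection_key, device_id, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("wrapped key too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = _tag(_subkey(protection_key, b"mac"), device_id, nonce, ct)
    # Verify before decrypting; constant-time comparison avoids a timing oracle.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key rejected: wrong recipient or modified in transit")
    stream = _keystream(_subkey(protection_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class KMC:
    def __init__(self):
        self._protection_keys = {}  # device identifier -> protection key

    def login(self, device_id):
        # A protection key is generated at login and stored against the identifier.
        key = secrets.token_bytes(KEY_LEN)
        self._protection_keys[device_id] = key
        return key

    def session_key_response(self, first_id, second_id):
        # Fail closed if either party never logged in: there is no key to wrap under.
        missing = [d for d in (first_id, second_id) if d not in self._protection_keys]
        if missing:
            raise KeyError(f"not logged in to this KMC: {missing}")
        session_key = secrets.token_bytes(KEY_LEN)
        # The dict is the identifier-to-wrapped-key correspondence sent to the EAS.
        return {d: wrap(self._protection_keys[d], d, session_key)
                for d in (first_id, second_id)}


class Terminal:
    def __init__(self, device_id, kmc):
        self.device_id = device_id
        self.protection_key = kmc.login(device_id)

    def recover_session_key(self, response):
        # Pick the entry for this terminal's own identifier, then unwrap it.
        return unwrap(self.protection_key, self.device_id, response[self.device_id])


def demo():
    kmc = KMC()
    a = Terminal("sip:a@example.test", kmc)  # constructed identifiers
    b = Terminal("sip:b@example.test", kmc)
    # The EAS only relays this response; it never holds a protection key.
    response = kmc.session_key_response(a.device_id, b.device_id)
    return a.recover_session_key(response) == b.recover_session_key(response)


if __name__ == "__main__":
    print("terminals agree on session key:", demo())
```

Because the relaying EAS and the first terminal device both handle the copy wrapped for the second terminal device, the integrity tag is what lets each terminal detect a swapped or altered entry instead of silently deriving a wrong key.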
Example five:
Fig. 7 is a schematic structural diagram of an encryption application server for secure communication services according to a fifth embodiment of the present invention. The fifth embodiment belongs to the same inventive concept as the first to fourth embodiments, and the encryption application server includes: a receiving module 11, a sending module 12 and a processing module 13, wherein:
a receiving module 11, configured to receive a request message for establishing a secure communication service sent by a first terminal device, where the request message for establishing the secure communication service is used to characterize that a secure communication service needs to be established between the first terminal device and a second terminal device, and the request message for establishing the secure communication service includes parameter information used to obtain a session key;
a sending module 12, configured to carry the parameter information for obtaining the session key in a session key request message and send the session key request message to a key management center KMC to which the first terminal device and the second terminal device belong, where the session key request message is used to characterize and request the KMC to generate a session key for a secure communication service that needs to be established between the first terminal device and the second terminal device;
a processing module 13, configured to receive the encrypted session key returned by the KMC, and send the encrypted session key to the first terminal device, so that the first terminal device can implement secure communication with the second terminal device by using the session key, where the encrypted session key is obtained by encrypting, by the KMC, the generated session key according to the parameter information for obtaining the session key.
Specifically, the parameter information for acquiring the session key includes identification information of the first terminal device and identification information of the second terminal device.
The encryption application server further comprises: a determination module 14, wherein:
a determining module 14, configured to determine, before the parameter information for acquiring the session key is carried in a session key request message and sent to the key management centers KMC to which the first terminal device and the second terminal device belong, the key management centers KMC to which the first terminal device and the second terminal device belong according to the identification information of the first terminal device and the identification information of the second terminal device.
Specifically, the processing module 13 is further configured to send the encrypted session key to the second terminal device, so that the second terminal device can implement secure communication with the first terminal device by using the session key.
The processing module 13 is specifically configured to send the encrypted session key to the first terminal device and/or the second terminal device through an IMS network signaling.
Specifically, the encrypted session key includes a session key encrypted by using a first protection key and a session key encrypted by using a second protection key;
the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for acquiring the session key, and includes:
the KMC determines a first protection key generated when the first terminal device corresponding to the identification information of the first terminal device logs in the KMC according to the identification information of the first terminal device contained in the parameter information for acquiring the session key, and performs encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
determines, according to the identification information of the second terminal device contained in the parameter information for acquiring the session key, a second protection key generated when the second terminal device corresponding to that identification information logs in the KMC, and performs an encryption operation on the generated session key by using the second protection key to obtain the session key encrypted by using the second protection key.
It should be noted that the encryption application server described in the fifth embodiment of the present invention may be a physical entity unit implemented by hardware, or may be a logic component implemented by software, and is not limited in this embodiment.
Example six:
Fig. 8 is a schematic structural diagram of a terminal device for performing a secure communication service according to a sixth embodiment of the present invention. The sixth embodiment belongs to the same inventive concept as the first to fourth embodiments, and the terminal device includes: a request message sending module 21 and a session key receiving module 22, wherein:
a request message sending module 21, configured to send a secure communication service establishment request message to an encryption application server EAS, where the secure communication service establishment request message is used to characterize that a secure communication service needs to be established between the first terminal device and the second terminal device, and the secure communication service establishment request message includes parameter information used to obtain a session key;
a session key receiving module 22, configured to receive an encrypted session key sent by the EAS, where the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for obtaining the session key, where the parameter information for obtaining the session key is carried in a session key request message and sent to a key management center KMC to which the first terminal device and the second terminal device belong, and the session key request message is used to characterize and request the KMC to generate the session key for a secret communication service that needs to be established between the first terminal device and the second terminal device.
Optionally, the terminal device further includes: a processing module 23, wherein:
a processing module 23, configured to send the encrypted session key to the second terminal device when receiving the encrypted session key sent by the EAS.
The processing module 23 is specifically configured to send the encrypted session key to the second terminal device through an IMS network signaling;
or,
send the encrypted session key to the second terminal device through the established media plane data transmission channel between the first terminal device and the second terminal device.
The terminal device further includes: a decryption module 24, wherein:
a decryption module 24, configured to, when receiving the encrypted session key sent by the EAS, decrypt the encrypted session key with a first protection key generated when logging in the KMC to obtain a session key generated by the KMC for performing a secure communication service between the first terminal device and the second terminal device.
It should be noted that the terminal device described in the sixth embodiment of the present invention may be a physical entity unit implemented by hardware, or may be a logical component implemented by software, and is not limited in this embodiment.
In addition, the terminal device of the sixth embodiment of the invention also comprises an IP communication module and a cryptographic communication module.
The IP communication module supports the SIP communication protocol, has IMS communication capability, and supports functions such as login/logout, identity authentication, and call control and processing of a terminal in an IMS system. The cryptographic communication module is responsible for terminal key management and for executing encryption and decryption algorithms; on the control plane it performs signaling interaction with the KMC to obtain a session key, and on the media plane it uses the obtained session key to establish a security association with the peer device to realize secret transmission of communication services.
Example seven:
Fig. 9 is a schematic structural diagram of a key management center for secure communication services according to a seventh embodiment of the present invention. The seventh embodiment belongs to the same inventive concept as the first to fourth embodiments, and the key management center includes: a key request receiving module 31 and a key sending module 32, wherein:
a key request receiving module 31, configured to receive a session key request message sent by an encrypted application server EAS, where the session key request message is used to characterize that the KMC is requested to generate a session key for a secure communication service that needs to be established between a first terminal device and a second terminal device, the session key request message includes parameter information used to obtain the session key, and the parameter information used to obtain the session key is carried in a secure communication service establishment request message, which is sent by the EAS and used to characterize that the secure communication service needs to be established between the first terminal device and the second terminal device; and
a key sending module 32, configured to return an encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal device, so that the first terminal device can implement secure communication with the second terminal device by using the session key, where the encrypted session key is obtained by encrypting, by the KMC, the generated session key according to the parameter information for obtaining the session key.
Specifically, the parameter information for acquiring the session key includes identification information of the first terminal device and identification information of the second terminal device;
the key sending module 32 is specifically configured to generate a session key required for executing a secure communication service between the first terminal device and the second terminal device, determine, according to the identification information of the first terminal device included in the parameter information for obtaining the session key, a first protection key generated when the first terminal device corresponding to the identification information of the first terminal device logs in the KMC, and perform an encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key; performing encryption operation on the generated session key by using the second protection key to obtain a session key encrypted by using the second protection key;
and sending the session key encrypted by the first protection key and the session key encrypted by the second protection key as encrypted session keys to the EAS through a key response message.
It should be noted that the key management center described in the seventh embodiment of the present invention may be a physical entity unit implemented by hardware, or may be a logical component implemented by software, which is not limited herein.
Example eight:
Fig. 10 is a schematic structural diagram of a system for processing a secure communication service according to an eighth embodiment of the present invention. The system includes: an encryption application server 41, a key management center 42, a first terminal device 43, and a second terminal device 44, wherein:
the first terminal device 43 is configured to send a secure communication service establishment request message to an encryption application server EAS, and receive an encrypted session key sent by the EAS, where the secure communication service establishment request message is used to characterize that a secure communication service needs to be established between the first terminal device and a second terminal device, and the secure communication service establishment request message includes parameter information used to obtain the session key.
The encryption application server 41 is configured to receive a request message for establishing a secure communication service sent by a first terminal device, carry parameter information for acquiring a session key in a session key request message, send the session key request message to a key management center KMC to which the first terminal device and the second terminal device belong, receive an encrypted session key returned by the KMC, and send the encrypted session key to the first terminal device, where the session key request message is used to characterize and request the KMC to generate a session key for the secure communication service to be established between the first terminal device and the second terminal device.
The key management center 42 is configured to receive a session key request message sent by an encryption application server EAS, and return an encrypted session key to the EAS, where the encrypted session key is obtained by the KMC encrypting a generated session key according to the parameter information for obtaining the session key.
Specifically, the parameter information for acquiring the session key includes identification information of the first terminal device and identification information of the second terminal device;
the encryption application server 41 is configured to determine, before the parameter information for acquiring the session key is carried in the session key request message and sent to the key management centers KMC to which the first terminal device and the second terminal device belong, the key management centers KMC to which the first terminal device and the second terminal device belong according to the identification information of the first terminal device and the identification information of the second terminal device.
The encryption application server 41 is further configured to send the encrypted session key to the second terminal device, so that the second terminal device can utilize the session key to implement secure communication with the first terminal device.
The encryption application server 41 is specifically configured to send the encrypted session key to the first terminal device and/or the second terminal device through an IMS network signaling.
The first terminal device 43 is configured to send the encrypted session key to the second terminal device when receiving the encrypted session key sent by the EAS.
The first terminal device 43 is specifically configured to send the encrypted session key to the second terminal device through an IMS network signaling;
or,
sending the encrypted session key to the second terminal device through the established media plane data transmission channel between the first terminal device and the second terminal device.
The encrypted session key comprises a session key encrypted by using a first protection key and a session key encrypted by using a second protection key;
the first terminal device 43 is configured to, when receiving the encrypted session key sent by the EAS, decrypt the encrypted session key by using the first protection key generated when logging in the KMC, so as to obtain the session key generated by the KMC for the secure communication service between the first terminal device and the second terminal device.
The key management center 42 is specifically configured to generate a session key required for executing a secure communication service between the first terminal device and the second terminal device, determine, according to the identification information of the first terminal device included in the parameter information for acquiring the session key, a first protection key generated when the first terminal device corresponding to the identification information of the first terminal device logs in the KMC, and perform an encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key; performing encryption operation on the generated session key by using the second protection key to obtain a session key encrypted by using the second protection key;
and sending the session key encrypted by the first protection key and the session key encrypted by the second protection key as encrypted session keys to the EAS through a key response message.
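The key response described above, sketched as an added example (not code from the patent): the KMC wraps one session key under each terminal's protection key, and the EAS only relays the two blobs. The patent names no cipher, so the HMAC-SHA256 encrypt-then-MAC wrap, the binding of the terminal identities into the MAC, and the SIP-style identifiers are assumptions; a deployment would use a standard key-wrap or AEAD primitive.

```python
import hashlib
import hmac
import secrets

# Constructed identifiers; the patent only speaks of "identification information".
TERMINAL_A = "sip:alice@ims.example"
TERMINAL_B = "sip:bob@ims.example"


def _subkeys(protection_key):
    """Derive separate encryption and MAC keys from one protection key."""
    enc = hmac.new(protection_key, b"wrap-enc", hashlib.sha256).digest()
    mac = hmac.new(protection_key, b"wrap-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _context(caller, callee, recipient):
    """Length-prefixed identities bound into the MAC (an added assumption)."""
    parts = [s.encode() for s in (caller, callee, recipient)]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def wrap(protection_key, session_key, context):
    """Return nonce || ciphertext || tag for one recipient."""
    enc_key, mac_key = _subkeys(protection_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(session_key))
    ct = bytes(a ^ b for a, b in zip(session_key, stream))
    tag = hmac.new(mac_key, context + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(protection_key, blob, context):
    """Verify the tag first, then decrypt; raises ValueError on any mismatch."""
    if len(blob) < 16 + 32:
        raise ValueError("wrapped session key is truncated")
    enc_key, mac_key = _subkeys(protection_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, context + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped session key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KMC:
    """Key management center: holds the protection key of each logged-in terminal."""

    def __init__(self):
        self._protection_keys = {}

    def login(self, terminal_id):
        # The patent says a protection key is generated at login; the login
        # procedure itself is not modelled, so the key is simply handed back.
        key = secrets.token_bytes(32)
        self._protection_keys[terminal_id] = key
        return key

    def handle_session_key_request(self, caller, callee):
        """Generate one session key and wrap it once per terminal."""
        session_key = secrets.token_bytes(32)
        return {
            rid: wrap(self._protection_keys[rid], session_key,
                      _context(caller, callee, rid))
            for rid in (caller, callee)
        }


def eas_relay(kmc, caller, callee):
    """EAS: forwards the identities to the KMC and relays the key response.
    It holds no protection key, so it cannot read the session key."""
    return kmc.handle_session_key_request(caller, callee)


def terminal_unwrap(own_id, own_key, caller, callee, key_response):
    return unwrap(own_key, key_response[own_id], _context(caller, callee, own_id))


def _rejected(fn):
    try:
        fn()
    except ValueError:
        return True
    return False


def run_exchange():
    kmc = KMC()
    pk_a, pk_b = kmc.login(TERMINAL_A), kmc.login(TERMINAL_B)
    resp = eas_relay(kmc, TERMINAL_A, TERMINAL_B)
    key_a = terminal_unwrap(TERMINAL_A, pk_a, TERMINAL_A, TERMINAL_B, resp)
    key_b = terminal_unwrap(TERMINAL_B, pk_b, TERMINAL_A, TERMINAL_B, resp)
    tampered = dict(resp)
    blob = bytearray(tampered[TERMINAL_B])
    blob[20] ^= 1  # one bit flipped in transit, e.g. on the relay path
    tampered[TERMINAL_B] = bytes(blob)
    ctx_b = _context(TERMINAL_A, TERMINAL_B, TERMINAL_B)
    return {
        "keys_match": key_a == key_b and len(key_a) == 32,
        "tamper_rejected": _rejected(lambda: terminal_unwrap(
            TERMINAL_B, pk_b, TERMINAL_A, TERMINAL_B, tampered)),
        "wrong_terminal_rejected": _rejected(
            lambda: unwrap(pk_a, resp[TERMINAL_B], ctx_b)),
    }


if __name__ == "__main__":
    print(run_exchange())
```

The same integrity check covers the case where the first terminal device, rather than the EAS, forwards the second wrapped copy: the forwarder cannot read or alter it without detection.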
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus (device), or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (devices) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.
Claims (23)
1. A method for processing a secure communication service, comprising:
an Encryption Application Server (EAS) receives a secret communication service establishment request message sent by a first terminal device, wherein the secret communication service establishment request message is used for representing that secret communication service needs to be established between the first terminal device and a second terminal device, and the secret communication service establishment request message contains parameter information used for acquiring a session key;
the EAS carries the parameter information for acquiring the session key in a session key request message and sends the session key request message to a Key Management Center (KMC) to which the first terminal device and the second terminal device belong, wherein the session key request message is used for representing and requesting the KMC to generate the session key for a secret communication service to be established between the first terminal device and the second terminal device;
and the EAS receives the encrypted session key returned by the KMC and sends the encrypted session key to the first terminal device, so that the first terminal device can realize the secret communication with the second terminal device by using the session key, wherein the encrypted session key is obtained by encrypting the generated session key by the KMC according to the parameter information for acquiring the session key.
2. The method according to claim 1, wherein the parameter information for acquiring the session key includes identification information of the first terminal device and identification information of the second terminal device;
before the EAS carries the parameter information for acquiring the session key in a session key request message and sends the session key request message to the key management center KMC to which the first terminal device and the second terminal device belong, the method further includes:
and the EAS determines a key management center KMC to which the first terminal equipment and the second terminal equipment belong according to the identification information of the first terminal equipment and the identification information of the second terminal equipment.
3. The method of claim 1, wherein the method further comprises:
and the EAS sends the encrypted session key to the second terminal equipment, so that the second terminal equipment can realize the secret communication with the first terminal equipment by using the session key.
4. The method of claim 3, wherein the EAS sending the encrypted session key to the first terminal device and/or the second terminal device, comprising:
and the EAS sends the encrypted session key to the first terminal equipment and/or the second terminal equipment through IMS network signaling.
5. The method according to any one of claims 1 to 3, wherein the encrypted session key comprises a session key encrypted with a first protection key and a session key encrypted with a second protection key;
the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for acquiring the session key, and includes:
the KMC determines a first protection key generated when the first terminal device corresponding to the identification information of the first terminal device logs in the KMC according to the identification information of the first terminal device contained in the parameter information for acquiring the session key, and performs encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key, and performing encryption operation on the generated session key by using the second protection key to obtain the session key encrypted by using the second protection key.
6. A method for processing a secure communication service, comprising:
a first terminal device sends a request message for establishing a secure communication service to an Encryption Application Server (EAS), wherein the request message for establishing the secure communication service is used for representing that the secure communication service needs to be established between the first terminal device and a second terminal device, and the request message for establishing the secure communication service contains parameter information for acquiring a session key;
the first terminal device receives an encrypted session key sent by the EAS, wherein the encrypted session key is obtained by carrying parameter information for acquiring the session key in a session key request message by the EAS and sending the session key request message to a key management center KMC to which the first terminal device and the second terminal device belong, and the KMC encrypts the generated session key according to the parameter information for acquiring the session key, and the session key request message is used for representing and requesting the KMC to generate the session key for a secret communication service required to be established between the first terminal device and the second terminal device.
7. The method of claim 6, wherein the method further comprises:
and when receiving the encrypted session key sent by the EAS, the first terminal equipment sends the encrypted session key to the second terminal equipment.
8. The method of claim 7, wherein the first terminal device sending the encrypted session key to the second terminal device, comprising:
the first terminal equipment sends the encrypted session key to the second terminal equipment through IMS network signaling;
or,
and the first terminal equipment sends the encrypted session key to the second terminal equipment through the established media plane data transmission channel between the first terminal equipment and the second terminal equipment.
9. The method of any of claims 6 to 7, further comprising:
when the first terminal device receives the encrypted session key sent by the EAS, the first terminal device decrypts the encrypted session key by using a first protection key generated when the first terminal device logs in the KMC, to obtain the session key generated by the KMC for the secure communication service between the first terminal device and the second terminal device.
10. A method for processing a secure communication service, comprising:
a Key Management Center (KMC) receives a session key request message sent by an Encryption Application Server (EAS), wherein the session key request message is used for representing that the KMC is requested to generate a session key for a secure communication service needing to be established between a first terminal device and a second terminal device, the session key request message comprises parameter information used for acquiring the session key, and the parameter information used for acquiring the session key is carried in the secure communication service establishment request message which is sent by the EAS and used for representing that the secure communication service needs to be established between the first terminal device and the second terminal device; and
returning an encrypted session key to the EAS, so that the EAS can send the encrypted session key to the first terminal device, and the first terminal device can realize secure communication with the second terminal device by using the session key, wherein the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for obtaining the session key.
11. The method according to claim 10, wherein the parameter information for acquiring the session key includes identification information of the first terminal device and identification information of the second terminal device;
the KMC returns an encrypted session key to the EAS, including:
the KMC generates a session key required for executing a secure communication service between the first terminal equipment and the second terminal equipment;
the KMC determines a first protection key generated when the first terminal equipment corresponding to the identification information of the first terminal equipment logs in the KMC according to the identification information of the first terminal equipment contained in the parameter information for acquiring the session key, and performs encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key; performing encryption operation on the generated session key by using the second protection key to obtain a session key encrypted by using the second protection key;
and the KMC sends the session key encrypted by the first protection key and the session key encrypted by the second protection key to the EAS through a key response message as encrypted session keys.
12. An encrypted application server for securing communications traffic, comprising:
a receiving module, configured to receive a request message for establishing a secure communication service sent by a first terminal device, where the request message for establishing the secure communication service is used to characterize that a secure communication service needs to be established between the first terminal device and a second terminal device, and the request message for establishing the secure communication service includes parameter information used to obtain a session key;
a sending module, configured to carry the parameter information for obtaining the session key in a session key request message and send the session key request message to a key management center KMC to which the first terminal device and the second terminal device belong, where the session key request message is used to characterize and request the KMC to generate a session key for a secure communication service that needs to be established between the first terminal device and the second terminal device;
and the processing module is configured to receive the encrypted session key returned by the KMC, and send the encrypted session key to the first terminal device, so that the first terminal device can implement secure communication with the second terminal device by using the session key, where the encrypted session key is obtained by encrypting, by the KMC, the generated session key according to the parameter information for obtaining the session key.
13. The encryption application server according to claim 12, wherein the parameter information for acquiring the session key includes identification information of the first terminal device and identification information of the second terminal device;
the encryption application server further comprises:
a determining module, configured to determine, before the parameter information for acquiring the session key is carried in a session key request message and sent to the key management centers KMC to which the first terminal device and the second terminal device belong, the key management centers KMC to which the first terminal device and the second terminal device belong according to the identification information of the first terminal device and the identification information of the second terminal device.
14. The cryptographic application server of claim 12,
the processing module is further configured to send the encrypted session key to the second terminal device, so that the second terminal device can utilize the session key to implement secure communication with the first terminal device.
15. The cryptographic application server of claim 14,
the processing module is specifically configured to send the encrypted session key to the first terminal device and/or the second terminal device through an IMS network signaling.
16. The encryption application server according to any one of claims 12 to 14, wherein the encrypted traffic key comprises a traffic key encrypted by a first protection key and a traffic key encrypted by a second protection key;
the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for acquiring the session key, and includes:
the KMC determines a first protection key generated when the first terminal device corresponding to the identification information of the first terminal device logs in the KMC according to the identification information of the first terminal device contained in the parameter information for acquiring the session key, and performs encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key, and performing encryption operation on the generated session key by using the second protection key to obtain the session key encrypted by using the second protection key.
17. A terminal device for performing a secure communication service, comprising:
a request message sending module, configured to send a secure communication service establishment request message to an encryption application server EAS, where the secure communication service establishment request message is used to characterize that a secure communication service needs to be established between the first terminal device and the second terminal device, and the secure communication service establishment request message includes parameter information used to obtain a session key;
a session key receiving module, configured to receive an encrypted session key sent by the EAS, where the encrypted session key is obtained by the KMC encrypting a generated session key according to parameter information used for acquiring a session key, where the parameter information used for acquiring the session key is carried in a session key request message and sent to a key management center KMC to which the first terminal device and the second terminal device belong, and the session key request message is used to characterize and request the KMC to generate a session key for a secret communication service that needs to be established between the first terminal device and the second terminal device.
18. The terminal device of claim 17, wherein the terminal device further comprises:
and the processing module is used for sending the encrypted session key to the second terminal equipment when receiving the encrypted session key sent by the EAS.
19. The terminal device of claim 18,
the processing module is specifically configured to send the encrypted session key to the second terminal device through an IMS network signaling;
or,
sending the encrypted session key to the second terminal device through the established media plane data transmission channel between the first terminal device and the second terminal device.
20. The terminal device according to any of claims 17 to 18, wherein the terminal device further comprises:
and the decryption module is used for decrypting the encrypted session key by using a first protection key generated when logging in the KMC when receiving the encrypted session key sent by the EAS, so as to obtain the session key generated by the KMC for carrying out secret communication service between the first terminal equipment and the second terminal equipment.
21. A key management center for securing communications traffic, comprising:
a key request receiving module, configured to receive a session key request message sent by an encrypted application server EAS, where the session key request message is used to characterize and request the KMC to generate a session key for a secure communication service that needs to be established between a first terminal device and a second terminal device, the session key request message includes parameter information used to obtain the session key, and the parameter information used to obtain the session key is carried in a secure communication service establishment request message, which is sent by the first terminal device and used to characterize that the secure communication service needs to be established between the first terminal device and the second terminal device, and is received by the EAS; and
a key sending module, configured to return an encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal device, and the first terminal device can realize secure communication with the second terminal device by using the session key, where the encrypted session key is obtained by encrypting, by the KMC, the generated session key according to the parameter information for obtaining the session key.
22. The key management center according to claim 21, wherein the parameter information for acquiring the session key includes identification information of the first terminal device and identification information of the second terminal device;
the key sending module is specifically configured to generate a session key required for executing a secure communication service between the first terminal device and the second terminal device, determine, according to identification information of the first terminal device included in parameter information for acquiring the session key, a first protection key generated when the first terminal device corresponding to the identification information of the first terminal device logs in the KMC, and perform an encryption operation on the generated session key by using the first protection key to obtain the session key encrypted by using the first protection key; and
determining a second protection key generated when the second terminal device corresponding to the identification information of the second terminal device logs in the KMC according to the identification information of the second terminal device contained in the parameter information for acquiring the session key; performing encryption operation on the generated session key by using the second protection key to obtain a session key encrypted by using the second protection key;
and sending the session key encrypted by the first protection key and the session key encrypted by the second protection key as encrypted session keys to the EAS through a key response message.
23. A system for processing secure communication services, the system comprising: an encryption application server according to any one of claims 12 to 16, a terminal device according to any one of claims 17 to 20 and a key management centre according to any one of claims 21 to 22.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310631793.2A CN104683304B (en) | 2013-11-29 | 2013-11-29 | A kind of processing method of secure traffic, equipment and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104683304A (en) | 2015-06-03 |
CN104683304B (en) | 2019-01-01 |
Family ID=53317907
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310631793.2A Active CN104683304B (en) | 2013-11-29 | 2013-11-29 | A kind of processing method of secure traffic, equipment and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104683304B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100789668B1 (en) * | 2005-01-27 | 2007-12-31 | 정명식 | Mobile communications terminal having both general communication mode and secret communication service mode |
CN101442742A (en) * | 2008-12-12 | 2009-05-27 | 华为技术有限公司 | Method, system and equipment for implementing end-to-end encipher of mobile cluster set call |
CN101536399A (en) * | 2006-09-28 | 2009-09-16 | 西门子公司 | Method for providing a symmetric key for protecting a key management protocol |
CN101572694A (en) * | 2008-04-29 | 2009-11-04 | 华为技术有限公司 | Method for acquiring media stream key, session equipment and key management function entity |
- 2013-11-29 CN201310631793.2A patent/CN104683304B/en Active
Cited By (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9871656B2 (en) | 2014-05-28 | 2018-01-16 | Datang Mobile Communications Equipment Co., Ltd. | Encrypted communication method and apparatus |
EP3151597A1 (en) * | 2014-05-28 | 2017-04-05 | Datang Mobile Communications Equipment Co., Ltd. | Method and apparatus for achieving secret communications |
EP3151597A4 (en) * | 2014-05-28 | 2017-05-03 | Datang Mobile Communications Equipment Co., Ltd. | Method and apparatus for achieving secret communications |
US10826688B2 (en) | 2015-08-27 | 2020-11-03 | Huawei Technologies Co., Ltd. | Key distribution and receiving method, key management center, first network element, and second network element |
WO2017032298A1 (en) * | 2015-08-27 | 2017-03-02 | 华为技术有限公司 | Key distribution and receiving method, key management center, first network element and second network element |
CN106534044A (en) * | 2015-09-09 | 2017-03-22 | 中兴通讯股份有限公司 | Method and device for encrypting voice call |
EP3343966A4 (en) * | 2015-11-13 | 2018-08-29 | Huawei Technologies Co., Ltd. | Key distribution and reception method, first key management center, and first network element |
CN106714152A (en) * | 2015-11-13 | 2017-05-24 | 华为技术有限公司 | Secret key distribution and reception methods, first secret key management center, and first network element |
CN106714153A (en) * | 2015-11-13 | 2017-05-24 | 华为技术有限公司 | Key distribution, generation and reception method, and related device |
US11700245B2 (en) | 2015-11-13 | 2023-07-11 | Huawei Technologies Co., Ltd. | Key distribution method, key receiving method, first key management system, and first network element |
CN106714153B (en) * | 2015-11-13 | 2022-06-10 | 华为技术有限公司 | Key distribution, generation and reception method and related device |
US11303622B2 (en) | 2015-11-13 | 2022-04-12 | Huawei Technologies Co., Ltd. | Key distribution method, key receiving method, first key management system, and first network element |
WO2017080136A1 (en) * | 2015-11-13 | 2017-05-18 | 华为技术有限公司 | Key distribution and reception method, first key management center, and first network element |
CN106714152B (en) * | 2015-11-13 | 2021-04-09 | 华为技术有限公司 | Key distribution and receiving method, first key management center and first network element |
CN106936570A (en) * | 2015-12-31 | 2017-07-07 | 华为技术有限公司 | A kind of cipher key configuration method and KMC, network element |
US10903987B2 (en) | 2015-12-31 | 2021-01-26 | Huawei Technologies Co., Ltd. | Key configuration method, key management center, and network element |
WO2018010474A1 (en) * | 2016-07-15 | 2018-01-18 | 中兴通讯股份有限公司 | Method and apparatus for secure communication between vehicle-to-everything terminals |
CN106535184A (en) * | 2016-10-18 | 2017-03-22 | 深圳市金立通信设备有限公司 | Key management method and system |
CN107979836A (en) * | 2016-10-21 | 2018-05-01 | 中国移动通信有限公司研究院 | A kind of encryption call method and device applied to VoLTE |
CN108449347B (en) * | 2018-03-22 | 2021-08-13 | 北京可信华泰信息技术有限公司 | Key generation server |
CN108449347A (en) * | 2018-03-22 | 2018-08-24 | 北京可信华泰信息技术有限公司 | A kind of key generating server |
CN108155991A (en) * | 2018-03-22 | 2018-06-12 | 北京可信华泰科技有限公司 | A kind of generation system of trusted key |
CN109344848A (en) * | 2018-07-13 | 2019-02-15 | 电子科技大学 | Mobile intelligent terminal security level classification method based on Adaboost |
CN111404671A (en) * | 2019-01-02 | 2020-07-10 | 中国移动通信有限公司研究院 | Mobile quantum secret communication method, gateway, mobile terminal and server |
CN112702734A (en) * | 2019-10-23 | 2021-04-23 | 中移物联网有限公司 | Key distribution system and method |
CN112702734B (en) * | 2019-10-23 | 2023-04-28 | 中移物联网有限公司 | Key distribution system and method |
CN114930887A (en) * | 2020-02-06 | 2022-08-19 | 华为技术有限公司 | Key management method and communication device |
CN115549956A (en) * | 2022-08-17 | 2022-12-30 | 青岛海尔科技有限公司 | Session establishing method, device, storage medium and electronic device |
WO2024041498A1 (en) * | 2022-08-22 | 2024-02-29 | 中国移动通信有限公司研究院 | Secret communication processing method, first terminal, and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN104683304B (en) | 2019-01-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104683304B (en) | | A kind of processing method of secure traffic, equipment and system |
US9537837B2 (en) | | Method for ensuring media stream security in IP multimedia sub-system |
EP1946479B1 (en) | | Communication security |
US20190068591A1 (en) | | Key Distribution And Authentication Method And System, And Apparatus |
EP1717986B1 (en) | | Key distribution method |
CN104702611B (en) | | A kind of device and method for protecting Secure Socket Layer session key |
WO2017114123A1 (en) | | Key configuration method and key management center, and network element |
EP2426852B1 (en) | | Method and system for implementing secure forking calling session in ip multi-media subsystem |
CN1602611A (en) | | Lawful interception of end-to-end encrypted data traffic |
CN104683098B (en) | | A kind of implementation method of secure traffic, equipment and system |
CN103428221A (en) | | Safety logging method, system and device of mobile application |
CN102045210A (en) | | End-to-end session key consultation method and system for supporting lawful interception |
CN101790160A (en) | | Method and device for safely consulting session key |
CN107294968A (en) | | The monitoring method and system of a kind of audio, video data |
CN100544247C (en) | | The negotiating safety capability method |
CN102281303A (en) | | Data exchange method |
CN108337089B (en) | | Signaling transmission encryption and decryption method, device and terminal |
CN104683103A (en) | | Terminal equipment login authentication method and equipment |
WO2017197968A1 (en) | | Data transmission method and device |
CN102025485B (en) | | Key negotiation method, key management server and terminal |
CN101222324B (en) | | Method and apparatus for implementing end-to-end media stream safety |
Chen et al. | | An efficient end-to-end security mechanism for IP multimedia subsystem |
CN101729535B (en) | | Implementation method of media on-demand business |
CN104486352A (en) | | Security algorithm sending method, security authorization method and security authorization device |
CN117440371A (en) | | Method and system for establishing end-to-end secure connection in relay communication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||