CN104683304B - Secure communication service processing method, device and system - Google Patents


Info

Publication number: CN104683304B
Authority: CN (China)
Prior art keywords: session key, terminal equipment, key, encrypted, kmc
Legal status: Active
Application number: CN201310631793.2A
Other languages: Chinese (zh)
Other versions: CN104683304A (en)
Inventors: 杨志强, 侯长江, 刘斐, 田野, 柏洪涛
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd
Application filed by China Mobile Communications Group Co Ltd
Priority to CN201310631793.2A
Publication of CN104683304A
Application granted
Publication of CN104683304B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network

Abstract

The invention discloses a secure communication service processing method, device and system. An encryption application server and a key management center are introduced into the IMS network. The encryption application server receives a secure communication service establishment request message sent by a first terminal, sends a session key request message to the key management center and, on receiving the encrypted session key returned by the key management center, sends that encrypted session key to the first terminal. In this way the encryption application server makes secure communication a service that the operator provides to users, and it obtains the encrypted session key from the key management center and delivers it to the terminal; this increases the operator's control over secure communication and improves the processing efficiency of the system, while the key management center lets the user manage the full lifecycle of the key, increasing the security with which the secure communication service is carried out between users.

Description

Secure communication service processing method, device and system
Technical field
The present invention relates to the fields of wireless communication technology and security technology, and in particular to a secure communication service processing method, device and system based on an IMS (Interactive Multimedia Service) service system.
Background technique
To provide end-to-end encryption protection for the user service information carried on the IMS (Interactive Multimedia Service) media plane, 3GPP (3rd Generation Partnership Project, the standardization body for third-generation mobile communications) proposes two relatively independent media-plane key management schemes in TS 33.328. They negotiate a media-plane session key; using the negotiated session key, the communication system establishes a security association between the calling and called terminals, or between a terminal and the IMS network, and protects the user media-plane information with SRTP (Secure Real-time Transport Protocol) or IPsec (Internet Protocol Security).
The two relatively independent media-plane key management schemes proposed by 3GPP in TS 33.328 are SDES (Session Description Protocol Security Descriptions for Media Streams) and KMS (Key Management Service).
One: the SDES-based key management scheme.
SDES is a simple key management protocol designed to protect media streams. It adds a crypto attribute to the existing SDP (Session Description Protocol) so that the session key and parameter information generated by a terminal can be carried, completing the security parameter configuration for unicast stream media data.
When SDES is applied in an IMS system, the session keys that terminal A and terminal B each generate for media stream encryption are exchanged during SIP (Session Initiation Protocol) session establishment.
Fig. 1 shows the SDES key management workflow. During SIP session establishment, terminal A writes the session key K1, which it will use to encrypt the media stream sent to terminal B, into the SDP crypto attribute and sends it to terminal B carried in a signaling-plane SIP message.
After receiving the SIP message from terminal A, terminal B stores the key K1 and sends the session key K2, which it will use to encrypt the media stream sent to terminal A, to terminal A in a SIP response message.
After terminal A receives and stores the key K2, both terminal A and terminal B hold session key K1 and session key K2.
Thereafter, terminal A and terminal B use session key K1 and session key K2 respectively to encrypt and decrypt the media streams carried over SRTP, achieving confidentiality of the user data.
In the SDES scheme, however, the session keys are transmitted in signaling-plane SIP messages, so their security depends entirely on the security of the SIP signaling.
Two security mechanisms for SIP signaling are common:
One relies on the IMS network domain security mechanism, that is, the security of SIP signaling transmission depends entirely on security within the IMS network domain. However, the IMS network usually applies encryption only between the terminal and the SBC (Session Border Controller), so that only the SIP signaling on the terminal's access link is encrypted, while SIP signaling inside the core network is transmitted in plaintext. This lets an attacker exploit the plaintext SIP signaling to obtain the session key it carries and eavesdrop on the media-plane information between the terminals, reducing the security of calls between users.
The other relies on S/MIME (Secure Multipurpose Internet Mail Extensions) encryption protection, that is, the SDP (Session Description Protocol) message content carried in the SIP signaling is encrypted end to end with S/MIME. When the terminals have no pre-shared key, a public key certificate system is used: before sending the session key, a terminal must obtain the peer's public key from the certificate system, encrypt the SIP signaling content with that public key and then transmit it. In this approach key management is completely separated from session management; the operator cannot control key management and is bypassed on the security side, which does not meet the operator's need to run a secure communication service, so practical application is limited.
Two: the KMS-based key management scheme.
The KMS entity authenticates the calling and called terminals based on the GBA (Generic Bootstrapping Architecture) mechanism and sends the generated session key to the calling and called terminals over the secure channel established after successful authentication. Fig. 2 shows the KMS key management flow.
Based on GBA, the KMS can use the operator's unified authentication capability to establish security associations between upper-layer application services and the calling and called terminals, and to transmit information such as session keys in encrypted form.
However, because the core entity of GBA authentication, the BSF (Bootstrapping Server Function), is managed and maintained by the operator and is responsible for generating and maintaining the session keys between the KMS and the terminals, the operator is in practice responsible for the security of establishing the secure key transmission channel, and the session key transmission a terminal needs depends on the operator. The KMS key management scheme therefore cannot satisfy a terminal's demand for a high security level in key management, and is less suitable for an operator running a secure communication service.
It can be seen that the current ways of providing end-to-end encryption protection for the user service information carried on the media plane in the IMS network neither satisfy the respective demands of users and operators nor provide sufficient security.
Summary of the invention
Embodiments of the invention provide a secure communication service processing method, device and system, to solve the problem that the existing ways of providing end-to-end encryption protection for the user service information carried on the media plane in the IMS network neither satisfy the respective demands of users and operators nor provide adequate media-plane data transmission security.
A secure communication service processing method, comprising:
An encryption application server (EAS) receives a secure communication service establishment request message sent by a first terminal, where the secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal and a second terminal, and contains parameter information for obtaining a session key;
The EAS carries the parameter information for obtaining a session key in a session key request message and sends it to the key management center (KMC) to which the first terminal and the second terminal belong, where the session key request message requests the KMC to generate a session key for the secure communication service to be established between the first terminal and the second terminal;
The EAS receives the encrypted session key returned by the KMC and sends the encrypted session key to the first terminal, so that the first terminal can use the session key for secure communication with the second terminal, where the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key.
The parameter information for obtaining a session key contains the identification information of the first terminal and the identification information of the second terminal;
Before the EAS carries the parameter information for obtaining a session key in the session key request message and sends it to the KMC to which the first terminal and the second terminal belong, the method further comprises:
The EAS determining, according to the identification information of the first terminal and the identification information of the second terminal, the KMC to which the first terminal and the second terminal belong.
The method further comprises:
The EAS sending the encrypted session key to the second terminal, so that the second terminal can use the session key for secure communication with the first terminal.
The EAS sending the encrypted session key to the first terminal and/or the second terminal comprises:
The EAS sending the encrypted session key to the first terminal and/or the second terminal over IMS network signaling.
The encrypted session key contains the session key encrypted with a first protection key and the session key encrypted with a second protection key;
The encrypted session key being obtained by the KMC encrypting the generated session key according to the parameter information for obtaining a session key comprises:
The KMC determining, according to the identification information of the first terminal contained in the parameter information for obtaining a session key, the first protection key that the first terminal corresponding to that identification information generated when it logged in to the KMC, and encrypting the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and
The KMC determining, according to the identification information of the second terminal contained in the parameter information for obtaining a session key, the second protection key that the second terminal corresponding to that identification information generated when it logged in to the KMC, and encrypting the generated session key with the second protection key to obtain the session key encrypted with the second protection key.
A secure communication service processing method, comprising:
A first terminal sends a secure communication service establishment request message to an encryption application server (EAS), where the secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal and a second terminal, and contains parameter information for obtaining a session key;
The first terminal receives the encrypted session key sent by the EAS, where the encrypted session key is obtained by the EAS carrying the parameter information for obtaining a session key in a session key request message and sending it to the key management center (KMC) to which the first terminal and the second terminal belong, and by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key; the session key request message requests the KMC to generate a session key for the secure communication service to be established between the first terminal and the second terminal.
The method further comprises:
The first terminal, on receiving the encrypted session key sent by the EAS, sending the encrypted session key to the second terminal.
The first terminal sending the encrypted session key to the second terminal comprises:
The first terminal sending the encrypted session key to the second terminal over IMS network signaling;
or,
The first terminal sending the encrypted session key to the second terminal over the media-plane data transmission channel established with the second terminal.
The method further comprises:
The first terminal, on receiving the encrypted session key sent by the EAS, decrypting the encrypted session key with the first protection key generated when it logged in to the KMC, to obtain the session key that the KMC generated for carrying out the secure communication service between the first terminal and the second terminal.
A secure communication service processing method, comprising:
A key management center (KMC) receives a session key request message sent by an encryption application server (EAS), where the session key request message requests the KMC to generate a session key for the secure communication service to be established between a first terminal and a second terminal, and contains parameter information for obtaining a session key; the parameter information for obtaining a session key is carried in the secure communication service establishment request message that the EAS received from the first terminal, which indicates that a secure communication service needs to be established between the first terminal and the second terminal; and
The KMC returns the encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal and the first terminal can use the session key for secure communication with the second terminal, where the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key.
The parameter information for obtaining a session key contains the identification information of the first terminal and the identification information of the second terminal;
The KMC returning the encrypted session key to the EAS comprises:
The KMC generating the session key needed to carry out the secure communication service between the first terminal and the second terminal;
The KMC determining, according to the identification information of the first terminal contained in the parameter information for obtaining a session key, the first protection key that the first terminal corresponding to that identification information generated when it logged in to the KMC, and encrypting the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and
The KMC determining, according to the identification information of the second terminal contained in the parameter information for obtaining a session key, the second protection key that the second terminal corresponding to that identification information generated when it logged in to the KMC, and encrypting the generated session key with the second protection key to obtain the session key encrypted with the second protection key;
The KMC sending the session key encrypted with the first protection key and the session key encrypted with the second protection key together, as the encrypted session key, to the EAS in a key response message.
An encryption application server for a secure communication service, comprising:
A receiving module, for receiving a secure communication service establishment request message sent by a first terminal, where the secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal and a second terminal, and contains parameter information for obtaining a session key;
A sending module, for carrying the parameter information for obtaining a session key in a session key request message and sending it to the key management center (KMC) to which the first terminal and the second terminal belong, where the session key request message requests the KMC to generate a session key for the secure communication service to be established between the first terminal and the second terminal;
A processing module, for receiving the encrypted session key returned by the KMC and sending the encrypted session key to the first terminal, so that the first terminal can use the session key for secure communication with the second terminal, where the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key.
The parameter information for obtaining a session key contains the identification information of the first terminal and the identification information of the second terminal;
The encryption application server further comprises:
A determining module, for determining, according to the identification information of the first terminal and the identification information of the second terminal, the KMC to which the first terminal and the second terminal belong, before the parameter information for obtaining a session key is carried in the session key request message and sent to that KMC.
The processing module is further configured to send the encrypted session key to the second terminal, so that the second terminal can use the session key for secure communication with the first terminal.
The processing module is specifically configured to send the encrypted session key to the first terminal and/or the second terminal over IMS network signaling.
The encrypted session key contains the session key encrypted with a first protection key and the session key encrypted with a second protection key;
The encrypted session key being obtained by the KMC encrypting the generated session key according to the parameter information for obtaining a session key comprises:
The KMC determining, according to the identification information of the first terminal contained in the parameter information for obtaining a session key, the first protection key that the first terminal corresponding to that identification information generated when it logged in to the KMC, and encrypting the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and
The KMC determining, according to the identification information of the second terminal contained in the parameter information for obtaining a session key, the second protection key that the second terminal corresponding to that identification information generated when it logged in to the KMC, and encrypting the generated session key with the second protection key to obtain the session key encrypted with the second protection key.
A terminal for carrying out a secure communication service, comprising:
A request message sending module, for sending a secure communication service establishment request message to an encryption application server (EAS), where the secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal and a second terminal, and contains parameter information for obtaining a session key;
A session key receiving module, for receiving the encrypted session key sent by the EAS, where the encrypted session key is obtained by the EAS carrying the parameter information for obtaining a session key in a session key request message and sending it to the key management center (KMC) to which the first terminal and the second terminal belong, and by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key; the session key request message requests the KMC to generate a session key for the secure communication service to be established between the first terminal and the second terminal.
The terminal further comprises:
A processing module, for sending the encrypted session key to the second terminal when the encrypted session key sent by the EAS is received.
The processing module is specifically configured to send the encrypted session key to the second terminal over IMS network signaling;
or,
to send the encrypted session key to the second terminal over the media-plane data transmission channel established with the second terminal.
The terminal further comprises:
A decryption module, for decrypting, when the encrypted session key sent by the EAS is received, the encrypted session key with the first protection key generated when the terminal logged in to the KMC, to obtain the session key that the KMC generated for carrying out the secure communication service between the first terminal and the second terminal.
A key management center for a secure communication service, comprising:
A key request receiving module, for receiving a session key request message sent by an encryption application server (EAS), where the session key request message requests the KMC to generate a session key for the secure communication service to be established between a first terminal and a second terminal, and contains parameter information for obtaining a session key; the parameter information for obtaining a session key is carried in the secure communication service establishment request message that the EAS received from the first terminal, which indicates that a secure communication service needs to be established between the first terminal and the second terminal; and
A key sending module, for returning the encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal and the first terminal can use the session key for secure communication with the second terminal, where the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key.
The parameter information for obtaining a session key contains the identification information of the first terminal and the identification information of the second terminal;
The key sending module is specifically configured to generate the session key needed to carry out the secure communication service between the first terminal and the second terminal; to determine, according to the identification information of the first terminal contained in the parameter information for obtaining a session key, the first protection key that the first terminal corresponding to that identification information generated when it logged in to the KMC, and encrypt the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and
to determine, according to the identification information of the second terminal contained in the parameter information for obtaining a session key, the second protection key that the second terminal corresponding to that identification information generated when it logged in to the KMC, and encrypt the generated session key with the second protection key to obtain the session key encrypted with the second protection key;
and to send the session key encrypted with the first protection key and the session key encrypted with the second protection key together, as the encrypted session key, to the EAS in a key response message.
A secure communication service processing system, comprising: the above encryption application server, the above terminal and the above key management center.
The beneficial effects of the present invention are as follows:
Embodiments of the invention introduce an encryption application server and a key management center into the IMS network. The encryption application server receives, from a first terminal, a secure communication service establishment request message indicating that a secure communication service needs to be established between the first terminal and a second terminal; it carries the parameter information for obtaining a session key contained in that message in a session key request message sent to the key management center to which the first terminal and the second terminal belong, requesting the key management center to generate a session key for the secure communication service to be established between the two terminals; and, on receiving the encrypted session key returned by the key management center, it sends that encrypted session key to the first terminal, so that the first terminal can use the session key for secure communication with the second terminal. In this way the encryption application server makes secure communication a service that the operator provides to users, and it obtains the encrypted session key from the key management center and delivers it to the terminal; this increases the operator's control over secure communication and improves the processing efficiency of the system, while the key management center lets the user manage the full lifecycle of the key, increasing the security with which the secure communication service is carried out between users.
Detailed description of the invention
Fig. 1 is a schematic workflow diagram of SDES key management;
Fig. 2 is a flow diagram of KMS key management;
Fig. 3 is a flow diagram of a secure communication service processing method provided by embodiment one of the invention;
Fig. 4 is a flow diagram of a secure communication service processing method provided by embodiment two of the invention;
Fig. 5 is a flow diagram of a secure communication service processing method provided by embodiment three of the invention;
Fig. 6 is a flow diagram of a secure communication service processing method provided by embodiment four of the invention;
Fig. 7 is a structural schematic diagram of an encryption application server for a secure communication service provided by embodiment five of the invention;
Fig. 8 is a structural schematic diagram of a terminal for carrying out a secure communication service provided by embodiment six of the invention;
Fig. 9 is a structural schematic diagram of a key management center for a secure communication service provided by embodiment seven of the invention;
Fig. 10 is a structural schematic diagram of a secure communication service processing system provided by embodiment eight of the invention.
Specific embodiments
To achieve the object of the present invention, the embodiments of the present invention provide a processing method, device and system for a secure communication service that introduce an encryption application server and a Key Management Center into the IMS network. The encryption application server, on receiving from a first terminal device a secure communication service establishment request message indicating that a secure communication service needs to be established between the first terminal device and a second terminal device, carries the parameter information for obtaining a session key contained in that request message in a session key request message and sends it to the Key Management Center to which the first and second terminal devices belong, requesting the Key Management Center to generate a session key for the secure communication service to be established between the two devices; on receiving the encrypted session key returned by the Key Management Center, it sends that encrypted session key to the first terminal device, and the first terminal device uses the session key for secure communication with the second terminal device.
In this way the encryption application server provides secure communication to users as a service of the operator, and because the encryption application server obtains the encrypted session key from the Key Management Center and delivers it to the terminal device, the operator's control over secure communication is strengthened and the processing efficiency of the system is improved; at the same time, the introduced Key Management Center gives users management of the full key life cycle, increasing the security of secure communication services between users.
It should be noted that the system architecture to which the embodiments of the present invention apply includes, but is not limited to, an IMS core network (for example one containing network elements such as an SBC (Session Border Controller), P-CSCF (Proxy Call Session Control Function), S-CSCF (Serving Call Session Control Function), HSS (Home Subscriber Server), MGCF (Media Gateway Control Function) and MGW (Media Gateway)). In addition, when the system architecture contains a SIP (Session Initiation Protocol) server, the technical solution provided by the embodiments of the present invention can also be used to provide the secure communication service to users through the SIP system; this is not specifically limited here.
The encryption application server (EAS, Encryption Application Server) involved in each embodiment of the present invention provides the secure communication service to terminal devices (the secure communication service includes, but is not limited to, encrypted voice call, encrypted video call, encrypted conference call, encrypted short message, encrypted recording and encrypted mail services). The EAS has the following functions. On the one hand, the EAS is compatible with the session service logic triggering function of an AS (Application Server) in the IMS network system: it can receive, from the core entity S-CSCF of the IMS network, the service request message initiated by a terminal device, trigger the secure communication service, take charge of the various control-plane call processing and connection control tasks, and charge for the executed service. On the other hand, the EAS communicates with the Key Management Center (KMC, Key Management Center) through a configured secure interface and, according to the service processing logic, completes the registration of the terminal device on the KMC, identity authentication, key management and the transmission of other such information, thereby supporting the signalling exchange between the terminal device and the KMC.
The Key Management Center (KMC) involved in each embodiment of the present invention manages the keys needed by the secure communication service; specifically this includes, but is not limited to, full life-cycle key management such as generating, injecting, distributing, storing, archiving, exporting, updating and destroying keys. The KMC communicates with the EAS through the secure interface: through the EAS it can receive cryptographic request messages from terminal devices and complete operations such as terminal registration, identity authentication and key distribution, and it can also issue control instructions through the EAS to the cryptographic module in a terminal device, achieving remote control of that module; for example, the KMC manages the cryptographic module contained in a terminal device and can remotely destroy it.
In addition, to raise users' trust in the operator's secure communication service, users may deploy the KMC themselves.
The terminal device involved in each embodiment of the present invention contains an IP communication module and a cryptographic communication module. The IP communication module supports the SIP protocol and has IMS communication capability, supporting functions such as terminal login to and logout from the IMS system, authentication, and call control and processing. The cryptographic module is responsible for terminal key management and for executing the encryption and decryption algorithms: on the control plane it exchanges signalling with the KMC to obtain the session key, and on the media plane it uses the obtained session key to establish a security association with the peer device, achieving confidential transmission of the communication service.
Each embodiment of the present invention is described in detail below with reference to the accompanying drawings.
Embodiment one:
Fig. 3 is a flow diagram of a processing method for a secure communication service provided by embodiment one of the present invention; the method is as follows.
Step 101: the EAS receives a secure communication service establishment request message sent by a first terminal device.
The secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal device and a second terminal device, and it contains parameter information for obtaining a session key.
In step 101, the first terminal device sends the secure communication service establishment request message to the IMS network when calling the second terminal device; the IMS core network forwards the message to the EAS, informing the EAS that the first terminal device is to establish a secure communication service with the second terminal device.
It should be noted that the secure communication service establishment request message sent by the first terminal device may be realised by the call establishment request message initiated by the first terminal device. That is, when the first terminal device initiates a call to the second terminal device it sends a call establishment message to the IMS network, and that message serves two purposes: 1, requesting that a call connection be established with the second terminal device; 2, triggering the secure communication service while the call connection is being established.
Alternatively, the secure communication service establishment request message sent by the first terminal device may be triggered at any time after the first terminal device has initiated the call establishment request message.
For example, after the first terminal device has successfully established a call link with the second terminal device, during call service processing it sends a secure communication service establishment request message to the IMS network, and the IMS core network forwards it to the EAS, informing the EAS that the first terminal device needs to carry out a secure communication service with the second terminal device.
That is, establishment of the call connection between the terminal devices and triggering of the secure communication service may or may not be performed at the same time: the secure communication service may be triggered first and the call connection established afterwards, or the call connection established first and the secure communication service triggered afterwards.
When the encryption application server receives the secure communication service establishment request message sent by the first terminal device, it starts the subsequent secure communication service processing flow.
Step 102: the EAS carries the parameter information for obtaining a session key in a session key request message and sends it to the Key Management Center (KMC) to which the first terminal device and the second terminal device belong.
The session key request message requests the KMC to generate a session key for the secure communication service to be established between the first terminal device and the second terminal device.
The parameter information for obtaining a session key contains the identification information of the first terminal device and the identification information of the second terminal device.
It should be noted that the parameter information for obtaining a session key includes at least the identification information of the first terminal device, the identification information of the second terminal device, a random number, and so on.
In step 102, the EAS determines the Key Management Center KMC to which the first and second terminal devices belong from the identification information of the first terminal device and the identification information of the second terminal device.
It should be noted that the calling and called terminal devices of this call belong to the same Key Management Center, i.e. the first terminal device and the second terminal device are registered with and log in to the same Key Management Center.
Here, the calling and called terminal devices of the same user group are combined into one user domain, and a user domain contains at least one Key Management Center.
That is, the EAS determines from the identification information of the first and second terminal devices the user domain to which they belong, and selects one Key Management Center from the at least one Key Management Center contained in that user domain.
The EAS carries the parameter information for obtaining a session key in a session key request message and sends it to the determined Key Management Center KMC.
Specifically, the EAS sends the session key request message to the determined KMC over the secure interface, requesting the determined Key Management Center to generate a session key for the secure communication service to be established between the first and second terminal devices.
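The KMC determination of step 102, as an added example that is not part of the patent: the EAS maps both terminal identifiers to a user domain, refuses the request when the two terminals are not in the same domain (an assumption drawn from the statement that both belong to the same KMC), picks one of the domain's KMCs, and composes the session key request carrying the identifiers and a random number. The registry contents, identifiers, host names and message field names are constructed for the example.

```python
import hashlib
import secrets

# Constructed registry (assumption: the page does not define this data model).
# Terminal identifier -> user domain it registered in; user domain -> the KMC(s) it contains.
USER_DOMAIN_OF = {
    "sip:alice@corp-a.example": "corp-a",
    "sip:bob@corp-a.example": "corp-a",
    "sip:carol@corp-b.example": "corp-b",
}
KMCS_OF_DOMAIN = {
    "corp-a": ["kmc1.corp-a.example", "kmc2.corp-a.example"],
    "corp-b": ["kmc1.corp-b.example"],
}


def select_kmc(first_id, second_id, domain_of=USER_DOMAIN_OF, kmcs_of=KMCS_OF_DOMAIN):
    """Determine the KMC the EAS must query for this calling/called pair.

    Both terminals must be registered in the same user domain; otherwise no single
    KMC holds both protection keys and the EAS refuses the request.
    """
    first_domain = domain_of.get(first_id)
    second_domain = domain_of.get(second_id)
    if first_domain is None or second_domain is None:
        raise LookupError("terminal is not registered in any user domain")
    if first_domain != second_domain:
        raise ValueError("calling and called terminals are in different user domains")
    candidates = kmcs_of[first_domain]
    # Choose one KMC of the domain deterministically from the order-independent pair
    # of identifiers, so a retried request for the same call reaches the same KMC.
    pair = "|".join(sorted((first_id, second_id))).encode()
    index = int.from_bytes(hashlib.sha256(pair).digest()[:4], "big") % len(candidates)
    return candidates[index]


def build_session_key_request(first_id, second_id):
    """Compose the session key request the EAS sends to the selected KMC."""
    kmc = select_kmc(first_id, second_id)
    request = {
        "type": "SESSION_KEY_REQUEST",
        "first_terminal": first_id,
        "second_terminal": second_id,
        # Random number in the parameter information; the KMC may mix it into the session key.
        "random": secrets.token_hex(16),
    }
    return kmc, request
```

The deterministic choice among a domain's KMCs is a design decision of the example, not something the page prescribes; any selection rule works as long as both protection keys live on the chosen KMC.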
Step 103: the EAS receives the encrypted session key returned by the KMC and sends the encrypted session key to the first terminal device.
The first terminal device uses the session key for secure communication with the second terminal device.
The encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key.
In step 103, the ways in which the EAS sends the encrypted session key to the first terminal device include the following.
The EAS sends the encrypted session key to the first terminal device through IMS network signalling.
Specifically, the EAS sends the encrypted session key to the first terminal device through SIP signalling in the IMS network.
For example, the SIP signalling includes, but is not limited to, MESSAGE, OPTIONS and INFO messages.
Alternatively, the EAS sends the encrypted session key to the first terminal device in a call processing message of the IMS network.
For example, a call establishment response message, a session progress message, and so on.
Specifically, when call establishment between the first and second terminal devices and establishment of the secure communication service are carried out at the same time, the EAS, after sending the session key request message to the KMC, may forward the call establishment request message with which the first terminal device called the second terminal device on to the second terminal device, in order to establish a call connection with it.
Meanwhile, when the EAS receives the encrypted session key sent by the KMC, it determines whether it has received the call establishment response message of the second terminal device and, once it has received that response message, uses it to send the encrypted session key to the first terminal device.
It should be noted that the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key; specific implementations include, but are not limited to, the following.
First, after the KMC receives the session key request message sent by the EAS, it generates a session key for the secure communication service to be established between the first and second terminal devices.
It should be noted that the session key generated by the KMC after receiving the session key request message may be generated randomly, or may be determined from the parameter information for obtaining a session key carried in the session key request message, for example a session key generated using the random number in that parameter information; this is not limited here.
Second, to guarantee the security of the session key while it is transmitted over the communication link, the KMC encrypts the generated session key.
Because the KMC is deployed by the user, the terminal devices used by the user for communication first register with and log in to the KMC. At login the KMC generates a protection key for the terminal device and stores locally the correspondence between the terminal device's identification information and that protection key. When the terminal device later initiates a secure communication service, the KMC can encrypt the generated session key with that protection key. This guarantees the security of the session key on the communication link and also allows the terminal to decrypt accurately on receipt of the encrypted session key and obtain the real session key, which raises the efficiency of the secure communication service and safeguards the security of the communication.
At this point, the KMC determines, from the identification information of the first terminal device contained in the parameter information for obtaining a session key, the first protection key generated for the first terminal device when it logged in to the KMC, encrypts the generated session key with the first protection key, and obtains the session key encrypted with the first protection key; likewise it determines, from the identification information of the second terminal device contained in that parameter information, the second protection key generated for the second terminal device when it logged in to the KMC, encrypts the generated session key with the second protection key, and obtains the session key encrypted with the second protection key.
Finally, the encrypted session key, containing the session key encrypted with the first protection key and the session key encrypted with the second protection key, is sent to the EAS.
Specifically, the KMC sends the encrypted session key to the EAS in a session key response message.
The session key response message may contain the encrypted session key as a single data packet (that is, the encrypted session key is one data packet made up of two parts, one part being the generated session key encrypted with the first protection key and the other part being the generated session key encrypted with the second protection key), or it may contain the session key encrypted with the first protection key and the session key encrypted with the second protection key separately; this is not limited here.
Specifically, when the KMC sends the session key encrypted with the first protection key and the session key encrypted with the second protection key to the EAS separately in the session key response message, the KMC sends the EAS two different data packets: one is the session key encrypted with the first protection key and the other is the session key encrypted with the second protection key.
Optionally, on obtaining the session key encrypted with the first protection key and the session key encrypted with the second protection key, the KMC establishes the correspondence between the identifier of the first terminal device (the owner of the first protection key) and the session key encrypted with the first protection key, and the correspondence between the identifier of the second terminal device (the owner of the second protection key) and the session key encrypted with the second protection key, and sends these correspondences to the EAS together with the two encrypted session keys. In this way, after the EAS forwards the encrypted session keys to the first terminal device, the device can use the correspondence to quickly determine the encrypted session key that belongs to its own identification information, which speeds up service processing and improves the efficiency of the system.
In another embodiment of the present invention, the EAS also sends the encrypted session key to the second terminal device, so that the second terminal device can use the session key for secure communication with the first terminal device.
That is, after receiving the encrypted session key sent by the KMC, the EAS sends the encrypted session key to the first terminal device and the second terminal device at the same time.
For example, when call establishment between the first and second terminal devices and establishment of the secure communication service are carried out at the same time, the EAS, after sending the session key request message to the KMC, may forward the call establishment request message with which the first terminal device called the second terminal device on to the second terminal device, in order to establish a call connection with it.
Meanwhile, when the EAS receives the encrypted session key sent by the KMC, it determines whether it has received the call establishment response message of the second terminal device and, once it has received that response message, sends the encrypted session key to the first and second terminal devices at the same time.
After the first and second terminal devices receive the encrypted session key sent by the EAS, each decrypts it with the protection key generated when it logged in to the KMC, obtaining the session key generated by the KMC; once the media-plane transmission path between the first and second terminal devices has been established, the session key is used to transmit the service over that media-plane channel.
It should be noted that after the EAS obtains from the KMC the encrypted session key for the secure communication service between the first and second terminal devices, the number of times it sends the encrypted session key to the first terminal device is not limited to one; it may be repeated several times to ensure correct delivery.
It should be noted that if the encrypted session key returned by the KMC and received by the EAS is a single data packet, the EAS sends that single data packet to the first terminal device and to the second terminal device respectively. If the encrypted session key consists of two data packets, one being the session key encrypted with the first protection key and the other the session key encrypted with the second protection key, the EAS may send both data packets to each of the first and second terminal devices, or it may determine the terminal device corresponding to each data packet and send the packet containing the session key encrypted with the first protection key to the first terminal device and the packet containing the session key encrypted with the second protection key to the second terminal device; this is not specifically limited here.
Through the solution of the embodiments of the present invention, an encryption application server and a Key Management Center are introduced into the IMS network. The encryption application server receives, from a first terminal device, a secure communication service establishment request message indicating that a secure communication service needs to be established between the first terminal device and a second terminal device; it carries the parameter information for obtaining a session key contained in that request message in a session key request message sent to the Key Management Center to which the first and second terminal devices belong, requesting the Key Management Center to generate a session key for the secure communication service to be established between the two devices; and, on receiving the encrypted session key returned by the Key Management Center, it sends the encrypted session key to the first terminal device, which uses the session key for secure communication with the second terminal device.
In this way the encryption application server provides secure communication to users as a service of the operator, and because the encryption application server obtains the encrypted session key from the Key Management Center and delivers it to the terminal device, the operator's control over secure communication is strengthened and the processing efficiency of the system is improved; at the same time, the introduced Key Management Center gives users management of the full key life cycle, increasing the security of secure communication services between users.
Embodiment two:
Fig. 4 is a flow diagram of a processing method for a secure communication service provided by embodiment two of the present invention. Embodiment two is an invention under the same inventive concept as embodiment one and describes the processing method for a secure communication service of the present invention in detail from the perspective of the terminal device. The method is as follows.
Step 201: a first terminal device sends a secure communication service establishment request message to the encryption application server EAS.
The secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal device and a second terminal device, and it contains parameter information for obtaining a session key.
In step 201, the first terminal device sends the secure communication service establishment request message to the IMS network when calling the second terminal device; the IMS core network forwards the message to the EAS, informing the EAS that the first terminal device is to establish a secure communication service with the second terminal device.
It should be noted that the secure communication service establishment request message sent by the first terminal device may be realised by the call establishment request message initiated by the first terminal device. That is, when the first terminal device initiates a call to the second terminal device it sends a call establishment message to the IMS network, and that message serves two purposes: 1, requesting that a call connection be established with the second terminal device; 2, triggering the secure communication service while the call connection is being established.
Alternatively, the secure communication service establishment request message sent by the first terminal device may be triggered at any time after the first terminal device has initiated the call establishment request message.
For example, after the first terminal device has successfully established a call link with the second terminal device, during call service processing it sends a secure communication service establishment request message to the network-side EAS, informing the EAS that the first terminal device needs to carry out secure communication with the second terminal device.
That is, establishment of the call connection between the terminal devices and triggering of the secure communication service may or may not be performed at the same time: the secure communication service may be triggered first and the call connection established afterwards, or the call connection established first and the secure communication service triggered afterwards; this is not specifically limited here.
Thus, when the encryption application server receives the secure communication service establishment request message sent by the first terminal device, it starts the subsequent secure communication service processing flow.
Step 202: the first terminal device receives the encrypted session key sent by the EAS.
The encrypted session key is obtained as follows: the EAS carries the parameter information for obtaining a session key in a session key request message and sends it to the Key Management Center KMC to which the first and second terminal devices belong, and the KMC encrypts the session key it generates according to that parameter information. The session key request message requests the KMC to generate a session key for the secure communication service to be established between the first terminal device and the second terminal device.
How the encryption application server obtains the encrypted session key in step 202 has been described in detail in embodiment one of the present invention and is not repeated here.
Step 203: on receiving the encrypted session key sent by the EAS, the first terminal device decrypts it with the first protection key generated when it logged in to the KMC, obtaining the session key generated by the KMC for the secure communication service between the first terminal device and the second terminal device.
The encrypted session key contains the session key encrypted with the first protection key and the session key encrypted with the second protection key.
In step 203, since the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key, specific implementations include, but are not limited to, the following.
First, after the KMC receives the session key request message sent by the EAS, it generates a session key for the secure communication service to be established between the first and second terminal devices.
It should be noted that the session key generated by the KMC after receiving the session key request message may be generated randomly, or may be determined from the parameter information for obtaining a session key carried in the session key request message, for example a session key generated using the random number in that parameter information; this is not limited here.
Second, to guarantee the security of the session key while it is transmitted over the communication link, the KMC encrypts the generated session key.
Because the KMC is deployed by the user, the terminal devices used by the user for communication first register with and log in to the KMC. At login the KMC generates a protection key for the terminal device and stores locally the correspondence between the terminal device's identification information and that protection key. When the terminal device later initiates a secure communication service, the KMC can encrypt the generated session key with that protection key. This guarantees the security of the session key on the communication link and also allows the terminal to decrypt accurately on receipt of the encrypted session key and obtain the real session key, which raises the efficiency of the secure communication service and safeguards the security of the communication.
At this point, the KMC determines, from the identification information of the first terminal device contained in the parameter information for obtaining a session key, the first protection key generated for the first terminal device when it logged in to the KMC, encrypts the generated session key with the first protection key, and obtains the session key encrypted with the first protection key; likewise it determines, from the identification information of the second terminal device contained in that parameter information, the second protection key generated for the second terminal device when it logged in to the KMC, encrypts the generated session key with the second protection key, and obtains the session key encrypted with the second protection key.
Finally, the encrypted session key, containing the session key encrypted with the first protection key and the session key encrypted with the second protection key, is sent to the EAS in a session key response message.
The session key response message may contain the encrypted session key as a single data packet (that is, the encrypted session key is one data packet made up of two parts, one part being the generated session key encrypted with the first protection key and the other part being the generated session key encrypted with the second protection key), or it may contain the session key encrypted with the first protection key and the session key encrypted with the second protection key separately; this is not limited here.
Specifically, when the KMC sends the session key encrypted with the first protection key and the session key encrypted with the second protection key to the EAS separately in the session key response message, the KMC sends the EAS two different data packets: one is the session key encrypted with the first protection key and the other is the session key encrypted with the second protection key.
Optionally, on obtaining the session key encrypted with the first protection key and the session key encrypted with the second protection key, the KMC establishes the correspondence between the identifier of the first terminal device (the owner of the first protection key) and the session key encrypted with the first protection key, and the correspondence between the identifier of the second terminal device (the owner of the second protection key) and the session key encrypted with the second protection key, and sends these correspondences to the EAS together with the two encrypted session keys. In this way, after the EAS forwards the encrypted session keys to the first terminal device, the device can use the correspondence to quickly determine the encrypted session key that belongs to its own identification information, which speeds up service processing and improves the efficiency of the system.
Therefore, when the encrypted session key received by the first terminal device is a single data packet, the first terminal device decrypts the encrypted session key with the first protection key generated when it logged in to the KMC, obtaining the session key generated by the KMC for the secure communication service between the first terminal device and the second terminal device.
When the encrypted session key received by the first terminal device contains two data packets, that is, the received encrypted session key contains the session key encrypted with the first protection key and the session key encrypted with the second protection key, the first terminal device can only decrypt the session key encrypted with the first protection key, using its first protection key, and so obtains the session key generated by the KMC for the secure communication service between the first terminal device and the second terminal device, in preparation for the subsequent secure communication with the second terminal device.
Optionally, added when the encrypted session key that first terminal equipment receives is contained using the first protection key When session key after close and session key encrypted using the second protection key, it can also be set according to the terminal that KMC is established Corresponding relationship between standby identification information and encrypted session key determines that first terminal device identification is corresponding and utilizes The one protection encrypted session key of key, and it is close using the first protection encrypted session of key using the first protection key pair Key is decrypted, and obtains the KMC and carries out secret communication industry between the first terminal equipment and the second terminal equipment The session key that business generates.
Step 204: the first terminal equipment, will be described when receiving the encrypted session key that the EAS is sent Encrypted session key is sent to the second terminal equipment.
In step 204, the encrypted session key is sent to the second terminal by the first terminal equipment The mode of equipment includes but is not limited to:
First way:
The encrypted session key is sent to described second eventually by IMS network signaling by the first terminal equipment End equipment.
Specifically, regardless of whether the medium surface data transmission channel between first terminal equipment and second terminal equipment is built Vertical to complete, first terminal is when receiving the session key of EAS transmission, using IMS network signaling by the encrypted session Key is sent to the second terminal equipment.
It should be noted that IMS network signaling is including but not limited to SIP signaling, call treatment message etc..
The encrypted session key is sent to the second terminal by SIP signaling and set by the first terminal equipment It is standby.
Such as: SIP signaling is including but not limited to MESSAGE message, OPTIONS, INFO etc..
The encrypted session key is sent to by the first terminal equipment by Temporary Response confirmation message PRACK The second terminal equipment.
Specifically, can be by the way of signaling piggyback in order to save system signaling expense, i.e., the described first terminal Equipment is in the encrypted session key for receiving the call setup response message transmission that EAS is sent by second terminal equipment When, after correctly handle to call setup response message, when returning to provisional confirmation message PRACK to second terminal equipment, The encrypted session key carrying is sent to the second terminal equipment in provisional confirmation message PRACK.
The second way:
The first terminal equipment by establish with the medium surface data transmission channel of second terminal equipment will it is described plus Session key after close is sent to the second terminal equipment.
Specifically, the first terminal equipment is when receiving the session key of EAS transmission, and determination is set with second terminal It is using the media plane transmission path of foundation that the encrypted session is close after the completion of media plane transmission path between standby is established Key is sent to the second terminal equipment.
Specifically, when the encrypted session key that first terminal equipment receives belongs to a data packet, first eventually Encrypted session key comprising a data packet is sent to second terminal equipment by end equipment;When first terminal equipment receives To encrypted session key belong to two data packets when, i.e. a data packet be using first protection key encrypted Session key, when another data packet is the session key encrypted using the second protection key, first terminal equipment can be with The encrypted session key of two data packets will be contained while being sent to second terminal equipment;First terminal equipment EAS can To determine the corresponding terminal device of different data packet respectively, the session key encrypted using the second protection key will be contained Data packet be sent to second terminal equipment, be not specifically limited here.
It should be noted that step 203 and step 204 are not carried out the differentiation of sequencing in the embodiment of the present invention two, It can implement according to the sequence described in the embodiment of the present invention, step 204 can also be first carried out, then execute step 203, be also possible to Step 203 and step 204 are implemented simultaneously.
Embodiment three:
As shown in Figure 5, which is a flow diagram of the processing method for a secure communication service provided by embodiment three of the present invention. Embodiment three belongs to the same inventive concept as embodiments one and two of the present invention, and describes in detail each step of embodiment one from the perspective of the key management center. The method may be as follows.
Step 301: the key management center KMC receives the session key request message sent by the encryption application server EAS.
The session key request message is used to request that the KMC generate a session key for the secure communication service that needs to be established between the first terminal device and the second terminal device.
The session key request message contains the parameter information for obtaining a session key.
The parameter information for obtaining a session key is carried in the secure communication service setup request message that the EAS received from the first terminal device, which indicates that a secure communication service needs to be established between the first terminal device and the second terminal device.
Step 302: the KMC returns the encrypted session key to the EAS,
so that the EAS can send the encrypted session key to the first terminal device, and the first terminal device can use the session key to realize secret communication with the second terminal device.
The encrypted session key is obtained by the KMC by encrypting the generated session key according to the parameter information for obtaining a session key.
The parameter information for obtaining a session key contains the identification information of the first terminal device and the identification information of the second terminal device.
In step 302, the ways in which the KMC returns the encrypted session key to the EAS include but are not limited to the following:
First, the KMC generates the session key needed to carry out the secure communication service between the first terminal device and the second terminal device.
It should be noted that after the KMC receives the session key request message sent by the EAS, the session key it generates may be generated randomly, or may be determined according to the parameter information for obtaining a session key carried in the session key request message, for example a session key generated from the random number information in that parameter information; this is not limited here.
Second, to guarantee the security of the session key while it is transmitted over the communication link, the KMC encrypts the generated session key.
Since the KMC is deployed by the user, the terminal device that the user employs for communication can first register and log in to the KMC. At login, the KMC generates a protection key for the terminal device and locally stores the correspondence between the terminal device's identification information and that protection key. When the terminal device subsequently initiates a secure communication service, the KMC can encrypt the generated session key with this protection key. This both guarantees the security of the session key while it travels over the communication link and lets the terminal decrypt accurately when it receives the encrypted session key and obtain the real session key, which improves the efficiency of the secure communication service and ensures the security of the communication.
At this point, the KMC determines, according to the identification information of the first terminal device contained in the parameter information for obtaining a session key, the first protection key generated for the first terminal device corresponding to that identification information when it logged in to the KMC, and encrypts the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and, according to the identification information of the second terminal device contained in the parameter information for obtaining a session key, it determines the second protection key generated for the second terminal device corresponding to that identification information when it logged in to the KMC, and encrypts the generated session key with the second protection key to obtain the session key encrypted with the second protection key.
Finally, the KMC sends the session key encrypted with the first protection key and the session key encrypted with the second protection key, as the encrypted session key, to the EAS in a key response message.
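The following is an added example, not code from the patent: it models the KMC-side handling of embodiments two and three (a protection key per terminal recorded at login, one session key encrypted once per terminal, returned together with the identifier-to-ciphertext correspondence) and the terminal-side decryption of step 203. AES-256-GCM as the protection-key cipher, 256-bit key sizes, the SIP-URI identifiers and binding the terminal identifier as associated data are all assumptions, since the patent fixes none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMC keeps, per logged-in terminal, the protection key generated at login:
// the locally stored identifier-to-protection-key correspondence in the text.
type KMC struct {
	protectionKeys map[string][]byte
}

func NewKMC() *KMC {
	return &KMC{protectionKeys: make(map[string][]byte)}
}

// Login models terminal registration: a fresh 256-bit protection key is drawn,
// stored against the identifier and returned to the terminal (assumed: the
// login exchange itself is authenticated and confidential).
func (k *KMC) Login(terminalID string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	k.protectionKeys[terminalID] = key
	return key, nil
}

// SessionKeyResponse models the session key response message: one encrypted
// copy of the session key per terminal, keyed by terminal identifier (the
// identifier-to-ciphertext correspondence that lets a terminal pick its copy).
type SessionKeyResponse struct {
	Wrapped map[string][]byte
}

// HandleSessionKeyRequest generates a random session key for a call between
// terminalA and terminalB and encrypts it under each terminal's protection key.
// The plaintext is returned only so the test can check it; a real KMC keeps it.
func (k *KMC) HandleSessionKeyRequest(terminalA, terminalB string) (*SessionKeyResponse, []byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	resp := &SessionKeyResponse{Wrapped: make(map[string][]byte)}
	for _, id := range []string{terminalA, terminalB} {
		pk, ok := k.protectionKeys[id]
		if !ok {
			return nil, nil, fmt.Errorf("terminal %q has not logged in to the KMC", id)
		}
		ct, err := wrap(pk, id, sessionKey)
		if err != nil {
			return nil, nil, err
		}
		resp.Wrapped[id] = ct
	}
	return resp, sessionKey, nil
}

// wrap encrypts the session key with AES-256-GCM under a protection key, binding
// the terminal identifier as associated data so one terminal's copy cannot be
// re-labelled as another's. Wire layout: nonce || ciphertext || GCM tag.
func wrap(protectionKey []byte, terminalID string, sessionKey []byte) ([]byte, error) {
	aead, err := newGCM(protectionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, sessionKey, []byte(terminalID)), nil
}

// Unwrap is the terminal side: select the copy matching the terminal's own
// identifier and open it with its own protection key; a wrong key or identifier
// fails GCM authentication and returns an error instead of a bogus key.
func Unwrap(protectionKey []byte, terminalID string, resp *SessionKeyResponse) ([]byte, error) {
	ct, ok := resp.Wrapped[terminalID]
	if !ok {
		return nil, fmt.Errorf("no encrypted session key for terminal %q", terminalID)
	}
	aead, err := newGCM(protectionKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(ct) < ns+aead.Overhead() {
		return nil, fmt.Errorf("encrypted session key too short")
	}
	return aead.Open(nil, ct[:ns], ct[ns:], []byte(terminalID))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```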
Embodiment four:
As shown in Figure 6, which is a flow diagram of the processing method for a secure communication service provided by embodiment four of the present invention. Embodiment four belongs to the same inventive concept as embodiments one to three of the present invention, and describes the technical solution of the present invention in detail, taking as an example the case where terminal device A and terminal device B need to carry out a secure communication service. The method may be as follows.
It should be noted that the time at which terminal device A and terminal device B need to carry out the secure communication service may be during call setup between terminal device A and terminal device B, or after the call between terminal device A and terminal device B has been set up; this is not limited here.
Step 1: when the user initiates a secret communication call to terminal device B through terminal device A, a call setup request message is sent to the IMS network.
The call setup request message may be an INVITE message, used to inform the IMS core network that an encrypted session connection needs to be established with terminal device B.
The call setup request message contains the identification information (or telephone number information) of terminal device A and the identification information (or telephone number information) of terminal device B.
At this point, the call setup request message also carries a session key request message.
In another embodiment of the present invention, the call setup request message that terminal device A sends towards terminal device B may also be used only to inform the IMS core network that a session connection needs to be established with terminal device B; meanwhile, terminal device A sends a session key request message through IMS signaling (for example, a MESSAGE message), and that session key request message is used to inform the IMS network that an encrypted session connection needs to be established between terminal device A and terminal device B.
Step 2: when the EAS receives the call setup request message, it determines, according to the identification information of terminal device A and the identification information of terminal device B, the user domain to which terminal device A and terminal device B belong, and sends a session key request message to a key management center in that user domain.
Step 3: the KMC generates a session key for terminal device A and terminal device B, and sends a key response message to the EAS.
The key response message contains the encrypted session key.
To guarantee that the session key is not leaked during transmission, the KMC encrypts the generated session key with the protection keys that were generated when terminal device A and terminal device B respectively logged in to the KMC.
Step 4: after the EAS sends the session key request message to the KMC, it immediately forwards the call setup request message to terminal device B.
In this way, call proceeding continues in parallel while the session key is being requested, which improves processing efficiency.
In another embodiment of the present invention, after the EAS sends the session key request message to the KMC, it waits for the KMC to return a response message.
Only after receiving the session key response message sent by the KMC does it forward the call setup request message to terminal device B and continue call proceeding.
Step 5: the EAS receives the session progress message returned by terminal device B.
The session progress message is returned by terminal device B after it receives and processes the call setup request message.
In another embodiment of the present invention, if the EAS has not yet received the session key response message sent by the KMC when it receives the session progress message, the EAS needs to wait for the feedback from the KMC.
Step 6: the EAS carries the encrypted session key from the key response message fed back by the KMC in the session progress message and sends it to terminal device A.
At this point, in another embodiment of the present invention, the EAS sends the secret communication key in the session key response message fed back by the KMC to terminal device A and terminal device B using IMS signaling.
Step 7: after receiving the encrypted session key, terminal device A decrypts it with the first protection key generated when it logged in to the KMC, and obtains the session key generated by the KMC for this call.
In another embodiment of the present invention, terminal device A sends the received encrypted session key to terminal device B in one of the following ways:
First way:
The first terminal device sends the encrypted session key to the second terminal device through IMS network signaling.
Specifically, regardless of whether the media plane data transmission channel between the first terminal device and the second terminal device has been established, the first terminal device, on receiving the session key transmitted by the EAS, sends the encrypted session key to the second terminal device using IMS network signaling.
Alternatively, the first terminal device sends the encrypted session key to the second terminal device through the provisional response acknowledgement message PRACK (acknowledging the 183 Session Progress response).
For example, to save system signaling overhead, signaling piggybacking can be used: when the first terminal device receives the encrypted session key that the EAS transmits in the call setup response message sent by the second terminal device, then, after correctly processing the call setup response message, it carries the encrypted session key in the provisional acknowledgement message PRACK that it returns to the second terminal device, so that the encrypted session key reaches the second terminal device.
Second way:
The first terminal device sends the encrypted session key to the second terminal device through the established media plane data transmission channel between itself and the second terminal device.
Specifically, when the first terminal device receives the session key transmitted by the EAS and determines that the media plane transmission path between itself and the second terminal device has been established, it uses the established media plane transmission path to send the encrypted session key to the second terminal device.
Step 8: after receiving the encrypted session key, terminal device B decrypts it with the second protection key generated when it logged in to the KMC, and obtains the session key generated by the KMC for this call.
Step 9: once the call link has been established, terminal device A and terminal device B encrypt the call data using the obtained session key, realizing call encryption between terminal device A and terminal device B.
It should be noted that embodiment four of the present invention is a rough description of the secure communication service processing flow; the technical details involved can use the technical solutions described in embodiments one to three of the present invention and are not described in detail again here.
Embodiment five:
As shown in Figure 7, which is a schematic structural diagram of an encryption application server for a secure communication service provided by embodiment five of the present invention. Embodiment five belongs to the same inventive concept as embodiments one to four of the present invention. The encryption application server includes a receiving module 11, a sending module 12 and a processing module 13, in which:
Receiving module 11 is used to receive the secure communication service setup request message sent by the first terminal device, where the secure communication service setup request message indicates that a secure communication service needs to be established between the first terminal device and the second terminal device, and contains the parameter information for obtaining a session key;
Sending module 12 is used to carry the parameter information for obtaining a session key in a session key request message and send it to the key management center KMC to which the first terminal device and the second terminal device belong, where the session key request message is used to request that the KMC generate a session key for the secure communication service that needs to be established between the first terminal device and the second terminal device;
Processing module 13 is used to receive the encrypted session key returned by the KMC and send the encrypted session key to the first terminal device, so that the first terminal device can use the session key to realize secret communication with the second terminal device, where the encrypted session key is obtained by the KMC by encrypting the generated session key according to the parameter information for obtaining a session key.
Specifically, the parameter information for obtaining a session key contains the identification information of the first terminal device and the identification information of the second terminal device.
The encryption application server further includes a determining module 14, in which:
Determining module 14 is used to determine, before the parameter information for obtaining a session key is carried in the session key request message and sent to the key management center KMC to which the first terminal device and the second terminal device belong, the key management center KMC to which the first terminal device and the second terminal device belong, according to the identification information of the first terminal device and the identification information of the second terminal device.
Specifically, the processing module 13 is also used to send the encrypted session key to the second terminal device, so that the second terminal device can use the session key to realize secret communication with the first terminal device.
The processing module 13 is specifically used to send the encrypted session key to the first terminal device and/or the second terminal device through IMS network signaling.
Specifically, the encrypted session key contains the session key encrypted with the first protection key and the session key encrypted with the second protection key;
and obtaining the encrypted session key by the KMC by encrypting the generated session key according to the parameter information for obtaining a session key comprises:
the KMC determining, according to the identification information of the first terminal device contained in the parameter information for obtaining a session key, the first protection key generated for the first terminal device corresponding to that identification information when it logged in to the KMC, and encrypting the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and
determining, according to the identification information of the second terminal device contained in the parameter information for obtaining a session key, the second protection key generated for the second terminal device corresponding to that identification information when it logged in to the KMC, and encrypting the generated session key with the second protection key to obtain the session key encrypted with the second protection key.
It should be noted that the encryption application server described in embodiment five of the present invention may be a physical entity unit implemented in hardware or a logical unit implemented in software; this is not specifically limited here.
Embodiment six:
As shown in Figure 8, which is a schematic structural diagram of a terminal device for carrying out a secure communication service provided by embodiment six of the present invention. Embodiment six belongs to the same inventive concept as embodiments one to four of the present invention. The terminal device includes a request message sending module 21 and a session key receiving module 22, in which:
Request message sending module 21 is used to send a secure communication service setup request message to the encryption application server EAS, where the secure communication service setup request message indicates that a secure communication service needs to be established between the first terminal device and the second terminal device, and contains the parameter information for obtaining a session key;
Session key receiving module 22 is used to receive the encrypted session key sent by the EAS, where the encrypted session key is obtained after the EAS carries the parameter information for obtaining a session key in a session key request message and sends it to the key management center KMC to which the first terminal device and the second terminal device belong, and the KMC encrypts the generated session key according to the parameter information for obtaining a session key; the session key request message is used to request that the KMC generate a session key for the secure communication service that needs to be established between the first terminal device and the second terminal device.
Optionally, the terminal device further includes a processing module 23, in which:
Processing module 23 is used to send the encrypted session key to the second terminal device when the encrypted session key sent by the EAS is received.
The processing module 23 is specifically used to send the encrypted session key to the second terminal device through IMS network signaling;
alternatively,
to send the encrypted session key to the second terminal device through the established media plane data transmission channel between the terminal device and the second terminal device.
The terminal device further includes a decryption module 24, in which:
Decryption module 24 is used, when the encrypted session key sent by the EAS is received, to decrypt the encrypted session key with the first protection key generated when logging in to the KMC, and obtain the session key generated by the KMC for the secure communication service between the first terminal device and the second terminal device.
It should be noted that the terminal device described in embodiment six of the present invention may be a physical entity unit implemented in hardware or a logical unit implemented in software; this is not specifically limited here.
In addition, the terminal device of embodiment six of the present invention further includes an IP communication module and an encrypted communication module.
The IP communication module supports the SIP communication protocol and has IMS communication capability, supporting functions such as terminal registration/deregistration, authentication, call control and call processing in the IMS system. The encryption module is responsible for terminal key management and for executing the encryption and decryption algorithms; it exchanges signaling with the KMC in the control plane to obtain the session key, and uses the obtained session key in the media plane to establish a security association with the peer device, realizing secure transmission of the communication service.
Embodiment seven:
As shown in Figure 9, which is a schematic structural diagram of a key management center for a secure communication service provided by embodiment seven of the present invention. Embodiment seven belongs to the same inventive concept as embodiments one to four of the present invention. The key management center includes a key request receiving module 31 and a key sending module 32, in which:
Key request receiving module 31 is used to receive the session key request message sent by the encryption application server EAS, where the session key request message is used to request that the KMC generate a session key for the secure communication service that needs to be established between the first terminal device and the second terminal device; the session key request message contains the parameter information for obtaining a session key, which is carried in the secure communication service setup request message that the EAS received from the first terminal device, indicating that a secure communication service needs to be established between the first terminal device and the second terminal device; and
Key sending module 32 is used to return the encrypted session key to the EAS, so that the EAS can send the encrypted session key to the first terminal device and the first terminal device can use the session key to realize secret communication with the second terminal device, where the encrypted session key is obtained by the KMC by encrypting the generated session key according to the parameter information for obtaining a session key.
Specifically, the parameter information for obtaining a session key contains the identification information of the first terminal device and the identification information of the second terminal device;
The key sending module 32 is specifically used to generate the session key needed to carry out the secure communication service between the first terminal device and the second terminal device; to determine, according to the identification information of the first terminal device contained in the parameter information for obtaining a session key, the first protection key generated for the first terminal device corresponding to that identification information when it logged in to the KMC, and to encrypt the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and
to determine, according to the identification information of the second terminal device contained in the parameter information for obtaining a session key, the second protection key generated for the second terminal device corresponding to that identification information when it logged in to the KMC, and to encrypt the generated session key with the second protection key to obtain the session key encrypted with the second protection key;
and to send the session key encrypted with the first protection key and the session key encrypted with the second protection key, as the encrypted session key, to the EAS in a key response message.
It should be noted that the key management center described in embodiment seven of the present invention may be a physical entity unit implemented in hardware or a logical unit implemented in software; this is not specifically limited here.
Embodiment eight:
As shown in Figure 10, which is a structural schematic diagram of the processing system for a secure communication service provided by Embodiment Eight of the present invention, the system comprises an encryption application server 41, a Key Management Center 42, a first terminal equipment 43 and a second terminal equipment 44, wherein:
The first terminal equipment 43 is configured to send a secure communication service establishment request message to the encryption application server EAS and to receive the encrypted session key sent by the EAS, wherein the secure communication service establishment request message is used to indicate that a secure communication service needs to be established between the first terminal equipment and the second terminal equipment, and the secure communication service establishment request message contains parameter information for obtaining a session key.
The encryption application server 41 is configured to receive the secure communication service establishment request message sent by the first terminal equipment, to carry the parameter information for obtaining a session key in a session key request message sent to the Key Management Center KMC to which the first terminal equipment and the second terminal equipment belong, to receive the encrypted session key returned by the KMC, and to send the encrypted session key to the first terminal equipment, wherein the session key request message is used to request that the KMC generate a session key for the secure communication service that needs to be established between the first terminal equipment and the second terminal equipment.
The Key Management Center 42 is configured to receive the session key request message sent by the encryption application server EAS and to return the encrypted session key to the EAS, wherein the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for obtaining a session key.
Specifically, the parameter information for obtaining a session key contains the identification information of the first terminal equipment and the identification information of the second terminal equipment;
The encryption application server 41 is configured, before carrying the parameter information for obtaining a session key in the session key request message sent to the Key Management Center KMC to which the first terminal equipment and the second terminal equipment belong, to determine that Key Management Center KMC according to the identification information of the first terminal equipment and the identification information of the second terminal equipment.
The encryption application server 41 is further configured to send the encrypted session key to the second terminal equipment, so that the second terminal equipment can use the session key to carry out secret communication with the first terminal equipment.
The encryption application server 41 is specifically configured to send the encrypted session key to the first terminal equipment and/or the second terminal equipment through IMS network signaling.
The first terminal equipment 43 is configured, on receiving the encrypted session key sent by the EAS, to send the encrypted session key to the second terminal equipment.
The first terminal equipment 43 is specifically configured to send the encrypted session key to the second terminal equipment through IMS network signaling;
Alternatively,
to send the encrypted session key to the second terminal equipment through a media-plane data transmission channel established with the second terminal equipment.
The encrypted session key contains the session key encrypted with the first protection key and the session key encrypted with the second protection key;
The first terminal equipment 43 is configured, on receiving the encrypted session key sent by the EAS, to decrypt the encrypted session key using the first protection key generated when it logged in to the KMC, obtaining the session key that the KMC generated for carrying out the secure communication service between the first terminal equipment and the second terminal equipment.
The Key Management Center 42 is specifically configured to generate the session key needed for executing the secure communication service between the first terminal equipment and the second terminal equipment; to determine, according to the identification information of the first terminal equipment included in the parameter information for obtaining a session key, the first protection key generated when the first terminal equipment corresponding to that identification information logged in to the KMC, and to encrypt the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
to determine, according to the identification information of the second terminal equipment included in the parameter information for obtaining a session key, the second protection key generated when the second terminal equipment corresponding to that identification information logged in to the KMC, and to encrypt the generated session key with the second protection key, obtaining the session key encrypted with the second protection key;
and to send the session key encrypted with the first protection key and the session key encrypted with the second protection key, together as the encrypted session key, to the EAS in a key response message.
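The exchange described in Embodiments Seven and Eight above (the EAS relays the request, the KMC wraps one fresh session key separately under each party's login-time protection key, the first terminal decrypts its copy and forwards the package to the second, which decrypts its own copy), as an added Python simulation that is not part of the patent. The HMAC-based wrapping primitive, the SIP-style identities, the terminal-to-KMC directory held by the EAS, and the direct return of the protection key at login are all assumptions, since the patent does not specify them.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Stand-in wrapping primitive: the patent names no cipher, so this uses an
# HMAC-SHA256 keystream with an encrypt-then-MAC tag to stay within the
# standard library. A deployment would use AES-GCM or AES key wrap instead.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(protection_key: bytes, session_key: bytes) -> bytes:
    """Encrypt a session key under a terminal's protection key: nonce || ct || tag."""
    enc = hmac.new(protection_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(protection_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(session_key, _keystream(enc, nonce, len(session_key))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unwrap(protection_key: bytes, blob: bytes) -> bytes:
    """Inverse of wrap; rejects a blob wrapped under a different protection key."""
    enc = hmac.new(protection_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(protection_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("package is not for this terminal or was tampered with")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class KMC:
    """Key Management Center: keeps the protection key generated at each terminal's login."""

    def __init__(self) -> None:
        self._protection_keys: Dict[str, bytes] = {}

    def login(self, terminal_id: str) -> bytes:
        # The patent only says the key is generated at login; returning it directly is assumed.
        self._protection_keys[terminal_id] = secrets.token_bytes(32)
        return self._protection_keys[terminal_id]

    def handle_session_key_request(self, params: Dict[str, str]) -> Dict[str, bytes]:
        # One fresh session key for the pair, wrapped once under each party's protection key.
        session_key = secrets.token_bytes(16)
        response = {}
        for tid in (params["first_id"], params["second_id"]):
            if tid not in self._protection_keys:
                raise KeyError(f"{tid} has not logged in to this KMC")
            response[tid] = wrap(self._protection_keys[tid], session_key)
        return response  # the key response message carries both encrypted copies


class EAS:
    """Encryption application server: relays messages, never sees the session key in clear."""

    def __init__(self, kmc_of: Dict[str, KMC]) -> None:
        self._kmc_of = kmc_of  # terminal id -> its KMC (directory assumed)

    def handle_setup_request(self, params: Dict[str, str]) -> Dict[str, bytes]:
        kmc = self._kmc_of[params["first_id"]]
        if self._kmc_of[params["second_id"]] is not kmc:
            raise RuntimeError("both parties must belong to the same KMC")
        return kmc.handle_session_key_request(params)


class Terminal:
    def __init__(self, tid: str, kmc: KMC) -> None:
        self.tid, self.session_key = tid, b""
        self._protection_key = kmc.login(tid)

    def setup_secure_call(self, eas: EAS, peer_id: str) -> Dict[str, bytes]:
        package = eas.handle_setup_request({"first_id": self.tid, "second_id": peer_id})
        self.receive_session_key_package(package)
        return package  # forwarded unchanged to the peer (IMS signalling or media plane)

    def receive_session_key_package(self, package: Dict[str, bytes]) -> bytes:
        if self.tid not in package:
            raise ValueError(f"no copy for {self.tid} in the package")
        self.session_key = unwrap(self._protection_key, package[self.tid])
        return self.session_key


def run_exchange() -> Tuple[bytes, bytes, bool]:
    """Full flow with constructed identities; also checks that a logged-in bystander cannot unwrap."""
    kmc = KMC()
    alice = Terminal("sip:alice@example.com", kmc)
    bob = Terminal("sip:bob@example.com", kmc)
    carol = Terminal("sip:carol@example.com", kmc)  # logged in, but not a call party
    eas = EAS({t.tid: kmc for t in (alice, bob, carol)})
    package = alice.setup_secure_call(eas, bob.tid)
    bob.receive_session_key_package(package)
    try:  # Carol observes the forwarded package but holds neither party's protection key
        unwrap(carol._protection_key, package[bob.tid])
        bystander_blocked = False
    except ValueError:
        bystander_blocked = True
    return alice.session_key, bob.session_key, bystander_blocked
```

Note that the EAS only ever handles wrapped copies, so a compromise of the EAS alone does not expose the session key; the protection keys held by the KMC and the terminals are what the scheme's confidentiality rests on.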
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, an apparatus (device), or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical memory, and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (devices) and computer program products according to embodiments of the present invention. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they know the basic inventive concept, may make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include these modifications and variations.

Claims (19)

1. A processing method for a secure communication service, characterized in that it comprises:
receiving, by an encryption application server EAS, a secure communication service establishment request message sent by a first terminal equipment, wherein the secure communication service establishment request message is used to indicate that a secure communication service needs to be established between the first terminal equipment and a second terminal equipment, and the secure communication service establishment request message contains parameter information for obtaining a session key;
carrying, by the EAS, the parameter information for obtaining a session key in a session key request message sent to a Key Management Center KMC to which the first terminal equipment and the second terminal equipment belong, wherein the session key request message is used to request that the KMC generate a session key for the secure communication service that needs to be established between the first terminal equipment and the second terminal equipment;
receiving, by the EAS, the encrypted session key returned by the KMC, and sending the encrypted session key to the first terminal equipment, so that the first terminal equipment can use the session key to carry out secret communication with the second terminal equipment, and sending the encrypted session key to the second terminal equipment, so that the second terminal equipment can use the session key to carry out secret communication with the first terminal equipment, wherein the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for obtaining a session key.
2. The method according to claim 1, characterized in that the parameter information for obtaining a session key contains the identification information of the first terminal equipment and the identification information of the second terminal equipment;
before the EAS carries the parameter information for obtaining a session key in the session key request message sent to the Key Management Center KMC to which the first terminal equipment and the second terminal equipment belong, the method further comprises:
determining, by the EAS, the Key Management Center KMC to which the first terminal equipment and the second terminal equipment belong according to the identification information of the first terminal equipment and the identification information of the second terminal equipment.
3. The method according to claim 1, characterized in that the EAS sending the encrypted session key to the first terminal equipment and/or the second terminal equipment comprises:
sending, by the EAS, the encrypted session key to the first terminal equipment and/or the second terminal equipment through IMS network signaling.
4. The method according to any one of claims 1 to 2, characterized in that the encrypted session key contains the session key encrypted with a first protection key and the session key encrypted with a second protection key;
the encrypted session key being obtained by the KMC encrypting the generated session key according to the parameter information for obtaining a session key comprises:
determining, by the KMC, according to the identification information of the first terminal equipment included in the parameter information for obtaining a session key, the first protection key generated when the first terminal equipment corresponding to that identification information logged in to the KMC, and encrypting the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
determining, according to the identification information of the second terminal equipment included in the parameter information for obtaining a session key, the second protection key generated when the second terminal equipment corresponding to that identification information logged in to the KMC, and encrypting the generated session key with the second protection key, obtaining the session key encrypted with the second protection key.
5. A processing method for a secure communication service, characterized in that it comprises:
sending, by a first terminal equipment, a secure communication service establishment request message to an encryption application server EAS, wherein the secure communication service establishment request message is used to indicate that a secure communication service needs to be established between the first terminal equipment and a second terminal equipment, and the secure communication service establishment request message contains parameter information for obtaining a session key;
receiving, by the first terminal equipment, the encrypted session key sent by the EAS, and sending the encrypted session key to the second terminal equipment, wherein the encrypted session key is obtained by the EAS carrying the parameter information for obtaining a session key in a session key request message sent to a Key Management Center KMC to which the first terminal equipment and the second terminal equipment belong, and by the KMC encrypting the generated session key according to the parameter information for obtaining a session key, the session key request message being used to request that the KMC generate a session key for the secure communication service that needs to be established between the first terminal equipment and the second terminal equipment.
6. The method according to claim 5, characterized in that the first terminal equipment sending the encrypted session key to the second terminal equipment comprises:
sending, by the first terminal equipment, the encrypted session key to the second terminal equipment through IMS network signaling;
alternatively,
sending, by the first terminal equipment, the encrypted session key to the second terminal equipment through a media-plane data transmission channel established with the second terminal equipment.
7. The method according to claim 5, characterized in that the method further comprises:
decrypting, by the first terminal equipment, on receiving the encrypted session key sent by the EAS, the encrypted session key using the first protection key generated when it logged in to the KMC, and obtaining the session key that the KMC generated for carrying out the secure communication service between the first terminal equipment and the second terminal equipment.
8. A processing method for a secure communication service, characterized in that it comprises:
receiving, by a Key Management Center KMC, a session key request message sent by an encryption application server EAS, wherein the session key request message is used to request that the KMC generate a session key for a secure communication service that needs to be established between a first terminal equipment and a second terminal equipment, the session key request message contains parameter information for obtaining a session key, and the parameter information for obtaining a session key is carried in a secure communication service establishment request message that the EAS received from the first terminal equipment and that is used to indicate that a secure communication service needs to be established between the first terminal equipment and the second terminal equipment; and
returning the encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal equipment, enabling the first terminal equipment to use the session key to carry out secret communication with the second terminal equipment, and sends the encrypted session key to the second terminal equipment, enabling the second terminal equipment to use the session key to carry out secret communication with the first terminal equipment, wherein the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for obtaining a session key.
9. The method according to claim 8, characterized in that the parameter information for obtaining a session key includes the identification information of the first terminal equipment and the identification information of the second terminal equipment;
the KMC returning the encrypted session key to the EAS comprises:
generating, by the KMC, the session key needed for executing the secure communication service between the first terminal equipment and the second terminal equipment;
determining, by the KMC, according to the identification information of the first terminal equipment included in the parameter information for obtaining a session key, a first protection key generated when the first terminal equipment corresponding to that identification information logged in to the KMC, and encrypting the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
determining, according to the identification information of the second terminal equipment included in the parameter information for obtaining a session key, a second protection key generated when the second terminal equipment corresponding to that identification information logged in to the KMC, and encrypting the generated session key with the second protection key, obtaining the session key encrypted with the second protection key;
sending, by the KMC, the session key encrypted with the first protection key and the session key encrypted with the second protection key, together as the encrypted session key, to the EAS in a key response message.
10. An encryption application server for a secure communication service, characterized in that it comprises:
a receiving module, configured to receive a secure communication service establishment request message sent by a first terminal equipment, wherein the secure communication service establishment request message is used to indicate that a secure communication service needs to be established between the first terminal equipment and a second terminal equipment, and the secure communication service establishment request message contains parameter information for obtaining a session key;
a sending module, configured to carry the parameter information for obtaining a session key in a session key request message sent to a Key Management Center KMC to which the first terminal equipment and the second terminal equipment belong, wherein the session key request message is used to request that the KMC generate a session key for the secure communication service that needs to be established between the first terminal equipment and the second terminal equipment;
a processing module, configured to receive the encrypted session key returned by the KMC, to send the encrypted session key to the first terminal equipment, so that the first terminal equipment can use the session key to carry out secret communication with the second terminal equipment, and to send the encrypted session key to the second terminal equipment, so that the second terminal equipment can use the session key to carry out secret communication with the first terminal equipment, wherein the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for obtaining a session key.
11. The encryption application server according to claim 10, characterized in that the parameter information for obtaining a session key contains the identification information of the first terminal equipment and the identification information of the second terminal equipment;
the encryption application server further comprises:
a determining module, configured, before the parameter information for obtaining a session key is carried in the session key request message sent to the Key Management Center KMC to which the first terminal equipment and the second terminal equipment belong, to determine that Key Management Center KMC according to the identification information of the first terminal equipment and the identification information of the second terminal equipment.
12. The encryption application server according to claim 10, characterized in that
the processing module is specifically configured to send the encrypted session key to the first terminal equipment and/or the second terminal equipment through IMS network signaling.
13. The encryption application server according to any one of claims 10 to 11, characterized in that the encrypted communication service key contains the communication service key encrypted with a first protection key and the communication service key encrypted with a second protection key;
the encrypted session key being obtained by the KMC encrypting the generated session key according to the parameter information for obtaining a session key comprises:
determining, by the KMC, according to the identification information of the first terminal equipment included in the parameter information for obtaining a session key, the first protection key generated when the first terminal equipment corresponding to that identification information logged in to the KMC, and encrypting the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
determining, according to the identification information of the second terminal equipment included in the parameter information for obtaining a session key, the second protection key generated when the second terminal equipment corresponding to that identification information logged in to the KMC, and encrypting the generated session key with the second protection key, obtaining the session key encrypted with the second protection key.
14. A terminal device for executing a secure communication service, characterized in that it comprises:
a request message sending module, configured to send a secure communication service establishment request message to an encryption application server EAS, wherein the secure communication service establishment request message is used to indicate that a secure communication service needs to be established between a first terminal equipment and a second terminal equipment, and the secure communication service establishment request message contains parameter information for obtaining a session key;
a session key receiving module, configured to receive the encrypted session key sent by the EAS and to send the encrypted session key to the second terminal equipment, wherein the encrypted session key is obtained by the EAS carrying the parameter information for obtaining a session key in a session key request message sent to a Key Management Center KMC to which the first terminal equipment and the second terminal equipment belong, and by the KMC encrypting the generated session key according to the parameter information for obtaining a session key, the session key request message being used to request that the KMC generate a session key for the secure communication service that needs to be established between the first terminal equipment and the second terminal equipment.
15. The terminal device according to claim 14, characterized in that it further comprises:
a processing module, specifically configured to send the encrypted session key to the second terminal equipment through IMS network signaling;
alternatively,
to send the encrypted session key to the second terminal equipment through a media-plane data transmission channel established with the second terminal equipment.
16. The terminal device according to claim 14, characterized in that the terminal device further comprises:
a decrypting module, configured, on receiving the encrypted session key sent by the EAS, to decrypt the encrypted session key using the first protection key generated when the terminal device logged in to the KMC, and to obtain the session key that the KMC generated for carrying out the secure communication service between the first terminal equipment and the second terminal equipment.
17. A Key Management Center for a secure communication service, characterized in that it comprises:
a key request receiving module, configured to receive a session key request message sent by an encryption application server EAS, wherein the session key request message is used to request that the KMC generate a session key for a secure communication service that needs to be established between a first terminal equipment and a second terminal equipment, the session key request message contains parameter information for obtaining a session key, and the parameter information for obtaining a session key is carried in a secure communication service establishment request message that the EAS received from the first terminal equipment and that is used to indicate that a secure communication service needs to be established between the first terminal equipment and the second terminal equipment; and
a key sending module, configured to return the encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal equipment, enabling the first terminal equipment to use the session key to carry out secret communication with the second terminal equipment, and sends the encrypted session key to the second terminal equipment, enabling the second terminal equipment to use the session key to carry out secret communication with the first terminal equipment, wherein the encrypted session key is obtained by the KMC encrypting the generated session key according to the parameter information for obtaining a session key.
18. The Key Management Center according to claim 17, characterized in that the parameter information for obtaining a session key includes the identification information of the first terminal equipment and the identification information of the second terminal equipment;
the key sending module is specifically configured to generate the session key needed for executing the secure communication service between the first terminal equipment and the second terminal equipment; to determine, according to the identification information of the first terminal equipment included in the parameter information for obtaining a session key, a first protection key generated when the first terminal equipment corresponding to that identification information logged in to the KMC, and to encrypt the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
to determine, according to the identification information of the second terminal equipment included in the parameter information for obtaining a session key, a second protection key generated when the second terminal equipment corresponding to that identification information logged in to the KMC, and to encrypt the generated session key with the second protection key, obtaining the session key encrypted with the second protection key;
and to send the session key encrypted with the first protection key and the session key encrypted with the second protection key, together as the encrypted session key, to the EAS in a key response message.
19. A processing system for a secure communication service, characterized in that the system comprises: the encryption application server according to any one of claims 10 to 13, the terminal device according to any one of claims 14 to 16, and the Key Management Center according to any one of claims 17 to 18.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310631793.2A CN104683304B (en) 2013-11-29 2013-11-29 A kind of processing method of secure traffic, equipment and system

Publications (2)

Publication Number Publication Date
CN104683304A CN104683304A (en) 2015-06-03
CN104683304B true CN104683304B (en) 2019-01-01

Family

ID=53317907

Country Status (1)

Country Link
CN (1) CN104683304B (en)

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103987037A (en) 2014-05-28 2014-08-13 大唐移动通信设备有限公司 Secret communication implementation method and device
CN106487501B (en) * 2015-08-27 2020-12-08 华为技术有限公司 Key distribution and reception method, key management center, first network element and second network element
CN106534044A (en) * 2015-09-09 2017-03-22 中兴通讯股份有限公司 Method and device for encrypting voice call
CN106714153B (en) * 2015-11-13 2022-06-10 华为技术有限公司 Key distribution, generation and reception method and related device
CN106714152B (en) 2015-11-13 2021-04-09 华为技术有限公司 Key distribution and receiving method, first key management center and first network element
CN106936570B (en) * 2015-12-31 2021-08-20 华为技术有限公司 Key configuration method, key management center and network element
CN107623912B (en) * 2016-07-15 2020-12-11 中兴通讯股份有限公司 Method and device for safety communication between internet of vehicles terminals
CN106535184A (en) * 2016-10-18 2017-03-22 深圳市金立通信设备有限公司 Key management method and system
CN107979836A (en) * 2016-10-21 2018-05-01 中国移动通信有限公司研究院 A kind of encryption call method and device applied to VoLTE
CN108155991B (en) * 2018-03-22 2022-01-04 北京可信华泰科技有限公司 Generation system of trusted key
CN108449347B (en) * 2018-03-22 2021-08-13 北京可信华泰信息技术有限公司 Key generation server
CN109344848A (en) * 2018-07-13 2019-02-15 电子科技大学 Mobile intelligent terminal security level classification method based on Adaboost
CN111404671B (en) * 2019-01-02 2023-07-25 中国移动通信有限公司研究院 Mobile quantum secret communication method, gateway, mobile terminal and server
CN112702734B (en) * 2019-10-23 2023-04-28 中移物联网有限公司 Key distribution system and method
WO2021155540A1 (en) * 2020-02-06 2021-08-12 华为技术有限公司 Key management method and communication apparatus
CN115549956A (en) * 2022-08-17 2022-12-30 青岛海尔科技有限公司 Session establishing method, device, storage medium and electronic device
CN117675235A (en) * 2022-08-22 2024-03-08 中国移动通信有限公司研究院 Secret communication processing method, first terminal and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100789668B1 (en) * 2005-01-27 2007-12-31 정명식 Mobile communications terminal having both general communication mode and secret communication service mode
CN101442742A (en) * 2008-12-12 2009-05-27 华为技术有限公司 Method, system and equipment for implementing end-to-end encipher of mobile cluster set call
CN101536399A (en) * 2006-09-28 2009-09-16 西门子公司 Method for providing a symmetric key for protecting a key management protocol
CN101572694A (en) * 2008-04-29 2009-11-04 华为技术有限公司 Method for acquiring media stream key, session equipment and key management function entity


Also Published As

Publication number Publication date
CN104683304A (en) 2015-06-03

Similar Documents

Publication Publication Date Title
CN104683304B (en) A kind of processing method of secure traffic, equipment and system
CN104486077B (en) A kind of end-to-end cryptographic key negotiation method of VoIP real time datas safe transmission
CN104702611B (en) A kind of device and method for protecting Secure Socket Layer session key
CN104168267B (en) A kind of identity identifying method of access SIP security protection video monitoring systems
EP1946479B1 (en) Communication security
CN103428221B (en) Safe login method, system and device to Mobile solution
CN105307165B (en) Communication means, server-side and client based on mobile application
CN102045210B (en) End-to-end session key consultation method and system for supporting lawful interception
CN102036238B (en) Method for realizing user and network authentication and key distribution based on public key
CN107800539A (en) Authentication method, authentication device and Verification System
CN104468126B (en) A kind of safe communication system and method
CN109194656A (en) A kind of method of distribution wireless terminal secure accessing
CN104683098B (en) A kind of implementation method of secure traffic, equipment and system
CN1658547B (en) Crytographic keys distribution method
CN102547688A (en) Virtual-dedicated-channel-based establishment method for high-credibility mobile security communication channel
CN104394123A (en) A data encryption transmission system and method based on an HTTP
CN101958907A (en) Method, system and device for transmitting key
CN109151508A (en) A kind of video encryption method
CN105792193A (en) End-to-end voice encryption method of mobile terminal based on iOS operating system
CN111756528B (en) Quantum session key distribution method, device and communication architecture
CN101790160A (en) Method and device for safely consulting session key
CN104683103B (en) A kind of method and apparatus of terminal device logs certification
CN100544247C (en) The negotiating safety capability method
CN102281303A (en) Data exchange method
CN105991277B (en) Cryptographic key distribution method based on SIP communication system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant