CN105635078A - Method and system of realizing session initiation protocol (SIP) session transmission - Google Patents


Info

Publication number: CN105635078A
Authority: CN (China)
Prior art keywords: sip, service end, client, tls, session
Legal status: Pending
Application number: CN201410625783.2A
Other languages: Chinese (zh)
Inventors: 张强, 杨扬, 肖绮丽
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Priority date: 2014-11-07
Filing date: 2014-11-07
Publication date: 2016-06-01
Application filed by ZTE Corp; priority to CN201410625783.2A and PCT/CN2015/090010 (WO2016070685A1); published as CN105635078A; legal status pending.

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L 9/40: Network security protocols

Abstract

The present invention discloses a method and system for implementing Session Initiation Protocol (SIP) session transmission. The method comprises: importing a server certificate into the SIP server; importing a client certificate into each SIP client; performing key exchange between the SIP clients and the SIP server; and carrying out encrypted SIP session transmission between the SIP clients, via the SIP server, over the established TLS connections using the exchanged keys. In this method the SIP server always acts as the server (it can only be a server) and the SIP clients always act as clients (they can only be clients), so certificates can be imported statically and in advance, the certificate verification flow is simplified, efficiency is improved, certificates are easy to generate, and the previously cumbersome certificate import problem is solved. In other words, the technical scheme of the present invention simplifies certificate generation and verification while still guaranteeing encrypted SIP transmission.

Description

Method and system for implementing SIP session transmission
Technical field
The present invention relates to telecommunication technology, and in particular to a method and system for implementing SIP session transmission.
Background technology
Because of the importance of protecting technical secrets, more and more enterprises want their telecommunications to be encrypted in transit, and the demand for data encryption keeps growing.
As video conferencing has moved into commercial operation, the Session Initiation Protocol (SIP) is used ever more widely, and encrypted SIP transmission is bound to become an important focus. Existing encrypted SIP transmission is always implemented with certificates and keys on both the client and the server. The basic flow is shown in Fig. 1, which is a schematic diagram of the Secure Sockets Layer (SSL) handshake between an existing server and client; it includes the following steps:
Step 100: the client sends a ClientHello handshake message carrying the encryption parameters it proposes, such as the cipher suites it is prepared to use, together with a random value that will be used during key generation.
Steps 101 to 103: the server replies to the client with a ServerHello message that selects the encryption and compression algorithms and carries a random value generated by the server; the server sends a Certificate message to the client carrying the server's public key, for example an RSA key; and the server sends a ServerHelloDone message indicating that it has no further messages for this phase of the handshake.
Here, RSA is an asymmetric encryption algorithm that is widely used in public-key cryptography standards and in e-commerce. RSA was proposed in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman.
Steps 104 to 106: the client sends a Client_Key_Exchange message to the server carrying a randomly generated key encrypted with the server's RSA public key. It then sends a Change_Cipher_Spec message, which indicates that every message the client sends from this point on will be encrypted with the key just negotiated. Finally the client sends a Finished message to the server carrying a check value over the whole connection procedure, from which the server can determine whether the encryption algorithm to be used was negotiated securely.
Steps 107 to 108: once the server receives the client's Finished message, it sends its own Change_Cipher_Spec and Finished messages. At this point the connection between client and server is ready to carry application data.
Steps 109 to 110: the client and server send application data using the negotiated key, and the SIP session is carried out.
If the client closes the connection, it first sends a close_notify alert message to the server indicating that the connection is about to be closed.
In existing encrypted SIP session transmission, each terminal and multipoint control unit (MCU) may be a server and a client at the same time. For example, when the MCU calls a terminal it plays the client role, and when the MCU is called it plays the server role. That is, the MCU must import two certificates, a client certificate and a server certificate, which makes operation considerably complicated. The MCU and the terminal must apply for certificates for every call, and the certificates they apply for differ depending on whether the MCU is the caller or the called party: when the MCU is the calling party, the MCU needs to apply for a client certificate and the corresponding terminal needs to apply for a server certificate; when the MCU is the called party, i.e. a terminal calls the MCU, the MCU needs to apply for a server certificate and the terminal needs to apply for a client certificate.
Moreover, generating certificates and importing and verifying them are all cumbersome, and a server certificate is more complicated than a client certificate. Managing so many certificates for a single device is also troublesome.
Summary of the invention
To solve the above technical problem, the present invention provides a method and system for implementing SIP session transmission that simplify certificate generation and verification while still guaranteeing encrypted SIP transmission.
To achieve the object of the invention, the invention provides a method for implementing Session Initiation Protocol (SIP) session transmission in which a server certificate is imported into the SIP server and a client certificate is imported into the SIP client; the method further includes:
performing key exchange between the SIP client and the SIP server;
carrying out encrypted SIP session transmission between SIP clients, via the SIP server, over the established TLS connections using the exchanged keys.
Before the encrypted SIP session transmission, the method further includes:
the SIP client registering with the SIP server, and a Transport Layer Security (TLS) connection being established between the SIP client and the SIP server.
The SIP clients include an MCU and a terminal; the SIP server forwards the encrypted SIP messages between the SIP clients.
The SIP clients include a first SIP client and a second SIP client, and the encrypted SIP session transmission includes:
the first SIP client encrypting an INVITE request and sending it to the SIP server over the first TLS connection between itself and the SIP server; the SIP server forwarding the received encrypted INVITE over the second TLS connection between the second SIP client and the SIP server, where it is decrypted and delivered to the second SIP client;
the second SIP client successively encrypting the 100 Trying, 180 Ringing and 200 OK responses and sending them to the SIP server over the second TLS connection; the SIP server forwarding the received encrypted responses over the first TLS connection, where they are decrypted and delivered to the first SIP client;
the first SIP client encrypting an ACK and sending it to the SIP server over the first TLS connection; the SIP server forwarding this encrypted signaling over the second TLS connection, where it is decrypted and delivered to the terminal.
The method further includes: releasing the first TLS connection between the first SIP client and the SIP server, and the second TLS connection between the second SIP client and the SIP server, through a deregistration procedure.
The invention also discloses a system for implementing SIP session transmission that includes at least a SIP client and a SIP server, wherein:
the SIP client has a client certificate imported and is configured to perform key exchange with the SIP server and to carry out encrypted SIP session transmission, via the SIP server, over the established TLS connection using the exchanged key;
the SIP server has a server certificate imported and is configured to perform key exchange with the SIP clients and to forward the encrypted SIP messages exchanged between SIP clients.
The SIP client is further configured to register with the SIP server and to establish a Transport Layer Security (TLS) connection between the SIP client and the SIP server.
The SIP clients include an MCU and a terminal.
Compared with the prior art, the technical scheme of the present invention includes importing a server certificate into the SIP server and a client certificate into the SIP client; performing key exchange between the SIP client and the SIP server; and carrying out encrypted SIP session transmission between SIP clients, via the SIP server, over the established TLS connections using the exchanged keys. Because the SIP server is fixed as the server (it acts only as a server) and the SIP clients are fixed as clients (they act only as clients), certificates can be imported statically and in advance, the certificate verification flow is simplified, efficiency is improved, certificate generation is easier, and the cumbersome certificate import of existing schemes is avoided. In other words, the technical scheme provided by the invention simplifies certificate generation and verification while still guaranteeing encrypted SIP transmission.
Other features and advantages of the present invention will be set forth in the following description, and will in part become apparent from the description or be learned by practicing the invention. The objects and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the description, the claims and the accompanying drawings.
Brief description of the drawings
The accompanying drawings are provided for a further understanding of the invention and form part of this application; together with the embodiments, they serve to explain the invention and do not limit it. In the drawings:
Fig. 1 is a schematic diagram of the SSL handshake between an existing server and client;
Fig. 2 is a flowchart of the method for implementing SIP session transmission according to the present invention;
Fig. 3 is a schematic flow diagram of an embodiment of SIP session processing according to the present invention;
Fig. 4 is a schematic structural diagram of the system for implementing SIP session transmission according to the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the invention are described in detail below with reference to the accompanying drawings. Note that, provided there is no conflict, the embodiments in this application and the features in the embodiments may be combined with one another arbitrarily.
Fig. 2 is a flowchart of the method for implementing SIP session transmission according to the present invention. As shown in Fig. 2, the method includes the following steps:
Step 200: import a server certificate into the SIP server and a client certificate into the SIP client. How this step is implemented is a conventional technique known to those skilled in the art; the specific way certificates are imported is not intended to limit the scope of the invention and is not repeated here.
In the present invention, the SIP clients include an MCU and a terminal, and the SIP server (SIPSERVER) acts as the server. Once the imported certificates have passed verification, all SIP message exchange between SIP clients is forwarded by the SIPSERVER.
It should be emphasized that in this step only a server certificate is imported into the SIP server, and only a client certificate is imported into each SIP client.
Because this step fixes the SIP server as the server (it acts only as a server) and the SIP clients as clients (they act only as clients), certificates can be imported statically and in advance, the certificate verification flow is simplified, efficiency is improved, certificate generation is easier, and the cumbersome certificate import of existing schemes is avoided.
Step 201: perform key exchange between the SIP client and the SIP server.
In this step, the flow shown in Fig. 1 and the corresponding reverse key interaction are carried out between the MCU or terminal and the SIP server, to determine the key to be used in the subsequent SIP session.
Step 202: carry out encrypted SIP session transmission between SIP clients, via the SIP server, over the established TLS connections using the exchanged keys.
Before this step, the SIP client registers with the SIP server; how registration is performed is a known technique for those skilled in the art, is not intended to limit the scope of the invention, and is not repeated here. It should be emphasized that both the MCU and the terminal, as SIP clients, register with the SIP server acting as the server. Through the registration process a first Transport Layer Security (TLS) connection is established between the MCU and the SIP server, and a second TLS connection is established between the terminal and the SIP server.
Further, in the deregistration process the SIP resources are released and the TLS connections established above are deleted.
In this step, during encrypted SIP transmission the SIP server simply plays the role of the server and forwards the encrypted user data between the MCU and the terminal.
In the method of the present invention, because the SIP server is fixed as the server (it acts only as a server) and the SIP clients are fixed as clients (they act only as clients), certificates can be imported statically and in advance, the certificate verification flow is simplified, efficiency is improved, certificate generation is easier, and the cumbersome certificate import of existing schemes is avoided. In other words, the technical scheme provided by the invention simplifies certificate generation and verification while still guaranteeing encrypted SIP transmission.
Fig. 3 is a schematic flow diagram of an embodiment of SIP session processing according to the present invention. As shown in Fig. 3, in this embodiment it is assumed that a server certificate has been imported into the SIPSERVER, that client certificates have been imported into both the MCU and the terminal, and that both the MCU and the terminal have completed key exchange with the SIPSERVER. The embodiment includes the following steps:
Step 300: TLS connection 1 is established between the MCU and the SIPSERVER through the registration process; TLS connection 2 is established between the terminal and the SIPSERVER through the registration process.
Step 301: the MCU encrypts an INVITE request and sends it to the SIPSERVER over TLS connection 1; the SIPSERVER forwards the received encrypted INVITE over TLS connection 2, where it is decrypted and delivered to the terminal.
Step 302: the terminal encrypts a 100 Trying response and sends it to the SIPSERVER over TLS connection 2; the SIPSERVER forwards the received encrypted 100 Trying over TLS connection 1, where it is decrypted and delivered to the MCU.
Step 303: the terminal encrypts a 180 Ringing response and sends it to the SIPSERVER over TLS connection 2; the SIPSERVER forwards the received encrypted 180 Ringing over TLS connection 1, where it is decrypted and delivered to the MCU.
Step 304: the terminal encrypts a 200 OK response and sends it to the SIPSERVER over TLS connection 2; the SIPSERVER forwards the received encrypted 200 OK over TLS connection 1, where it is decrypted and delivered to the MCU.
Step 305: the MCU encrypts an ACK and sends it to the SIPSERVER over TLS connection 1; the SIPSERVER forwards this encrypted signaling over TLS connection 2, where it is decrypted and delivered to the terminal.
Further, TLS connection 1 between the MCU and the SIPSERVER and TLS connection 2 between the terminal and the SIPSERVER are released through the deregistration process.
Fig. 4 is a schematic structural diagram of the system for implementing SIP session transmission according to the present invention. As shown in Fig. 4, the system includes at least a SIP client and a SIP server, wherein:
the SIP client has a client certificate imported and is configured to perform key exchange with the SIP server and to carry out encrypted SIP session transmission, via the SIP server, over the established TLS connection using the exchanged key;
the SIP server has a server certificate imported and is configured to perform key exchange with the SIP clients and to forward the encrypted SIP messages exchanged between SIP clients.
The SIP client is further configured to register with the SIP server and to establish a Transport Layer Security (TLS) connection between the SIP client and the SIP server.
In the present invention the SIP clients include an MCU and a terminal.
The above are only preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the invention.
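The Fig. 3 exchange modelled end to end, as an added example that is not code from the patent or from ZTE: two protected legs terminate at the SIPSERVER, which decrypts each message on the inbound leg and re-encrypts it on the outbound leg, so the server necessarily sees the signaling in the clear (hop-by-hop rather than end-to-end protection). The record protection is a constructed HMAC-SHA256 stand-in for the TLS record layer so that the script runs with the standard library alone; the session keys, the client names and the minimal SIP messages are assumptions.

```python
"""Hop-by-hop relay of SIP signaling over two protected legs (Fig. 3 flow).

Added example, not code from the patent. The record protection below is a
constructed HMAC-SHA256 keystream-plus-tag stand-in for the TLS record layer
(standard library only, NOT real TLS); the per-leg session keys are assumed
to have been negotiated already, as in step 201.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


class ProtectedLeg:
    """Stand-in for one TLS connection, e.g. 'TLS connection 1'."""

    def __init__(self, session_key):
        # Separate confidentiality and integrity keys derived from the leg's session key.
        self.enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self.enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def protect(self, plaintext):
        """Encrypt-then-MAC one record: nonce || ciphertext || tag."""
        nonce = os.urandom(NONCE_LEN)
        body = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        return nonce + body + tag

    def unprotect(self, record):
        """Verify the tag first; a record from another leg (other key) fails here."""
        nonce, body, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("record integrity check failed: wrong leg or tampered")
        return bytes(b ^ k for b, k in zip(body, self._keystream(nonce, len(body))))


def start_line(msg):
    """Request line or status line of a SIP message."""
    return msg.split(b"\r\n", 1)[0].decode()


def sip_msg(first_line):
    # Constructed minimal SIP message; only the start line is inspected here.
    return (first_line + "\r\nCall-ID: example-call-1\r\n\r\n").encode()


class SipServer:
    """SIPSERVER: one protected leg per registered client; relays between them."""

    def __init__(self, legs):
        self.legs = legs
        self.seen = []  # plaintext start-lines the server necessarily sees

    def forward(self, src, dst, record):
        plaintext = self.legs[src].unprotect(record)  # decrypt on the inbound leg
        self.seen.append(start_line(plaintext))
        return self.legs[dst].protect(plaintext)  # re-encrypt on the outbound leg


def run_call():
    """Steps 300-305; returns (server view, received by MCU, received by terminal)."""
    leg1 = ProtectedLeg(os.urandom(32))  # TLS connection 1: MCU <-> SIPSERVER
    leg2 = ProtectedLeg(os.urandom(32))  # TLS connection 2: terminal <-> SIPSERVER
    server = SipServer({"mcu": leg1, "terminal": leg2})
    to_mcu, to_terminal = [], []
    # Step 301: MCU encrypts INVITE on leg 1; SIPSERVER relays it on leg 2.
    rec = server.forward("mcu", "terminal", leg1.protect(sip_msg("INVITE sip:terminal SIP/2.0")))
    to_terminal.append(start_line(leg2.unprotect(rec)))
    # Steps 302-304: terminal answers 100 Trying, 180 Ringing, 200 OK on leg 2.
    for status in ("SIP/2.0 100 Trying", "SIP/2.0 180 Ringing", "SIP/2.0 200 OK"):
        rec = server.forward("terminal", "mcu", leg2.protect(sip_msg(status)))
        to_mcu.append(start_line(leg1.unprotect(rec)))
    # Step 305: MCU sends ACK on leg 1; SIPSERVER relays it on leg 2.
    rec = server.forward("mcu", "terminal", leg1.protect(sip_msg("ACK sip:terminal SIP/2.0")))
    to_terminal.append(start_line(leg2.unprotect(rec)))
    return server.seen, to_mcu, to_terminal


def cross_leg_rejected():
    """A record protected on leg 1 is unreadable on leg 2, so the relay must re-protect."""
    leg1, leg2 = ProtectedLeg(os.urandom(32)), ProtectedLeg(os.urandom(32))
    try:
        leg2.unprotect(leg1.protect(sip_msg("INVITE sip:terminal SIP/2.0")))
    except ValueError:
        return True
    return False
```

`run_call()` returns the server's plaintext view next to what each endpoint received, which makes the trust placed in the SIPSERVER explicit; `cross_leg_rejected()` shows why a blind relay of leg 1 records onto leg 2 cannot work without re-protection.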

Claims (8)

1. A method for implementing Session Initiation Protocol (SIP) session transmission, characterized in that a server certificate is imported into the SIP server and a client certificate is imported into the SIP client; the method further includes:
performing key exchange between the SIP client and the SIP server;
carrying out encrypted SIP session transmission between SIP clients, via the SIP server, over the established TLS connections using the exchanged keys.
2. The method according to claim 1, characterized in that, before the encrypted SIP session transmission, the method further includes:
the SIP client registering with the SIP server, and a Transport Layer Security (TLS) connection being established between the SIP client and the SIP server.
3. The method according to claim 1 or 2, characterized in that the SIP clients include an MCU and a terminal, and the SIP server forwards the encrypted SIP messages between the SIP clients.
4. The method according to claim 1, characterized in that the SIP clients include a first SIP client and a second SIP client, and the encrypted SIP session transmission includes:
the first SIP client encrypting an INVITE request and sending it to the SIP server over the first TLS connection between itself and the SIP server; the SIP server forwarding the received encrypted INVITE over the second TLS connection between the second SIP client and the SIP server, where it is decrypted and delivered to the second SIP client;
the second SIP client successively encrypting the 100 Trying, 180 Ringing and 200 OK responses and sending them to the SIP server over the second TLS connection; the SIP server forwarding the received encrypted responses over the first TLS connection, where they are decrypted and delivered to the first SIP client;
the first SIP client encrypting an ACK and sending it to the SIP server over the first TLS connection; the SIP server forwarding this encrypted signaling over the second TLS connection, where it is decrypted and delivered to the terminal.
5. The method according to claim 4, characterized in that the method further includes: releasing the first TLS connection between the first SIP client and the SIP server, and the second TLS connection between the second SIP client and the SIP server, through a deregistration procedure.
6. A system for implementing SIP session transmission, characterized in that it includes at least a SIP client and a SIP server, wherein:
the SIP client has a client certificate imported and is configured to perform key exchange with the SIP server and to carry out encrypted SIP session transmission, via the SIP server, over the established TLS connection using the exchanged key;
the SIP server has a server certificate imported and is configured to perform key exchange with the SIP clients and to forward the encrypted SIP messages exchanged between SIP clients.
7. The system according to claim 6, characterized in that the SIP client is further configured to register with the SIP server and to establish a Transport Layer Security (TLS) connection between the SIP client and the SIP server.
8. The system according to claim 6 or 7, characterized in that the SIP clients include an MCU and a terminal.
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201410625783.2A CN105635078A (en) 2014-11-07 2014-11-07 Method and system of realizing session initiation protocol (SIP) session transmission
PCT/CN2015/090010 WO2016070685A1 (en) 2014-11-07 2015-09-18 Method and system for implementing sip session transmission

Also Published As

Publication number Publication date
WO2016070685A1 (en) 2016-05-12


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160601