CN108696512B - Cross-protocol code stream encryption negotiation method and device and conference equipment - Google Patents

Info

Publication number
CN108696512B
Authority
CN
China
Prior art keywords
protocol
code stream
signaling
conference terminal
key
Legal status
Active
Application number
CN201810374991.8A
Other languages
Chinese (zh)
Other versions
CN108696512A (en)
Inventor
刘娜
韦国华
胡小鹏
Current Assignee
Suzhou Keda Technology Co Ltd
Original Assignee
Suzhou Keda Technology Co Ltd
Application filed by Suzhou Keda Technology Co Ltd
Priority to CN201810374991.8A
Publication of CN108696512A
Application granted
Publication of CN108696512B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1073 Registration or de-registration
    • H04L65/1101 Session protocols
    • H04L65/1104 Session initiation protocol [SIP]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L65/40 Support for services or applications
    • H04L65/403 Arrangements for multi-party communication, e.g. for conferences
    • H04L65/60 Network streaming of media packets

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Multimedia (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a cross-protocol code stream encryption negotiation method, a device and conference equipment. The method comprises the following steps: receiving a first protocol connection request signaling sent by a first conference terminal; sending a second protocol connection request signaling to a second conference terminal; receiving a second protocol first signaling fed back by the second conference terminal based on the second protocol connection request signaling; storing the master-slave decision and sending a first protocol first signaling to the first conference terminal; and receiving a first protocol second signaling sent by the first conference terminal. By controlling the interaction timing, the invention lets both communicating parties negotiate a code stream key; by converting the encryption-related parts of the different protocols, it realizes encrypted communication between different protocols, so that encrypted code stream communication becomes possible between conference terminals that use different communication protocols within the same video conference system.

Description

Cross-protocol code stream encryption negotiation method and device and conference equipment
Technical Field
The invention relates to the technical field of video conferences, in particular to a cross-protocol code stream encryption negotiation method and device and conference equipment.
Background
In recent years, driven by the rapid development of the Internet, people have paid more attention to safe, efficient and cost-saving video conference systems. A video conference system connects the conference terminals of two or more sites through a network, so that members in different places can discuss the same subject, hear the speaker's voice, see the speaker's image and surroundings, and exchange data, text, diagrams and other information on the subject. Among the technologies of a video conference system, the protocol technology is undoubtedly one of the core technologies.
However, differences between the conference terminals in a video conference system mean that the signaling protocol negotiated for the audio and video code stream format differs from terminal to terminal when the code stream is transmitted; that is, the audio and video code stream may be transmitted with signaling protocols of several formats within the same video conference system, which affects the video conference.
In the prior art, in order to solve the problem of code stream intercommunication between different protocols, some standards specify a scheme of unencrypted intercommunication. For example, the Session Initiation Protocol (SIP) and the H.323 protocol are both commonly used in video conference systems, and RFC 4123 "Session Initiation Protocol (SIP)-H.323 Interworking Requirements", formally published by the IETF in July 2005, defines that a gateway completes the interworking between H.323 and SIP.
However, in the prior art, code stream transmission between multiple protocols is generally realized with an unencrypted intercommunication scheme, so the security of cross-protocol code stream transmission is low. With the rapid development of communication technology, people's requirements on security keep rising, and an unencrypted communication scheme cannot meet the requirement for secure cross-protocol code stream transmission.
Disclosure of Invention
In view of this, embodiments of the present invention provide a cross-protocol code stream encryption negotiation method, apparatus, and conference device, so as to solve the problem of low security of cross-protocol code stream transmission.
According to a first aspect, an embodiment of the present invention provides a cross-protocol code stream encryption negotiation method, including: receiving a first protocol connection request signaling sent by a first conference terminal, wherein the first protocol connection request signaling carries code stream encryption information and an encrypted first code stream key;
sending a second protocol connection request signaling to a second conference terminal, wherein the second protocol connection request signaling carries the code stream encryption information and the encrypted first code stream key;
receiving a second protocol first signaling fed back by the second conference terminal based on the second protocol connection request signaling, wherein the second protocol first signaling carries a master-slave decision and a first message body, and the first message body comprises negotiated code stream encryption information and a negotiated encrypted code stream key;
storing the master-slave decision, and sending a first protocol first signaling to the first conference terminal, wherein the first protocol first signaling carries the first message body;
and receiving a first protocol second signaling sent by the first conference terminal, wherein the first protocol second signaling is used for indicating the end of code stream encryption negotiation.
The invention negotiates code stream encryption information and code stream keys between conference terminals that communicate with different protocols (the first protocol corresponds to the first conference terminal, the second protocol to the second conference terminal), and decides according to the master-slave messages which conference terminal's code stream key is used to encrypt the subsequent code stream. By controlling the interaction timing, the invention ensures that the two communicating parties can negotiate a code stream key and code stream encryption information, and by converting the encryption-related parts of the different protocols it realizes encrypted communication between different protocols, so that encrypted code stream communication can be realized between conference terminals adopting different communication protocols within the same video conference system, achieving secure cross-protocol intercommunication.
With reference to the first aspect, in a first implementation manner of the first aspect, before the step of receiving the first protocol connection request signaling sent by the first conference terminal, the method further includes:
sending a registration request to a server, wherein the registration request carries a public key;
receiving, from the server, the master key table encrypted with the public key together with the version number of the master key table, wherein each master key in the master key table corresponds one-to-one to an index;
and decrypting the encrypted master key table with the private key corresponding to the public key to obtain the master key table.
The invention sends the public key when registering with the server, so that the master key table obtained through registration at the server side is delivered in encrypted form; this protects the master key table in transit and further improves the security of the master keys.
With reference to the first implementation manner of the first aspect, in a second implementation manner of the first aspect, the code stream encryption information includes the version number of the master key table of the first conference terminal;
before the step of sending the second protocol connection request signaling to the second conference terminal, the method further includes:
judging whether the version number of the locally held master key table matches the version number of the master key table of the first conference terminal;
and when the version number of the locally held master key table does not match the version number of the master key table of the first conference terminal, re-registering with the server according to the level of the version numbers so as to update the version number.
The invention matches the master key tables before the code stream encryption information is negotiated, which ensures that the two communicating parties use the same master key table and therefore, by index, the same master key, so that the code stream key can be decrypted correctly.
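The master key table handling described above (a table obtained at registration, a version number built from generation time plus table ID, an index per master key, and a version match before negotiation) can be modelled as follows. This is an added example, not the patent's code: the ver string layout, the rule that the side holding the older table re-registers, the default key used when the index is 0, and all key values are constructed assumptions; the public-key encryption of the table in transit is outside this snippet.

```python
# Added example (not the patent's code): a model of the master key table the
# gateway obtains at registration, with the ver and mki rules described on the page.
# Assumptions: the ver string layout "<generation time>-<table ID>", the policy that
# the side holding the older ver re-registers, and every key value are constructed.
from datetime import datetime

# Constructed stand-in for the product-wide default master key used when mki == 0.
DEFAULT_MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


class MasterKeyTable:
    """Set of master keys indexed by mki; ver = generation time + table ID."""

    def __init__(self, generated_at, table_id, keys):
        self.generated_at = generated_at
        self.table_id = table_id
        self.keys = dict(keys)  # mki (positive integer) -> master key bytes

    @property
    def ver(self):
        # Assumed layout: generation time, then the table ID (page: "generation time + ID").
        return f"{self.generated_at:%Y%m%dT%H%M%S}-{self.table_id:04d}"

    @staticmethod
    def parse_ver(ver):
        """Split a ver string back into (generation time, table ID)."""
        stamp, table_id = ver.rsplit("-", 1)
        return datetime.strptime(stamp, "%Y%m%dT%H%M%S"), int(table_id)

    def master_key(self, mki):
        """mki == 0 selects the default key; any other mki must exist in the table."""
        if mki == 0:
            return DEFAULT_MASTER_KEY
        if mki < 0:
            raise ValueError("mki must be a positive integer or 0")
        return self.keys[mki]  # KeyError means the peer's index is not in this table


def version_check(local_ver, peer_ver):
    """Decide who must re-register before negotiation: 'none', 'local' or 'peer'.
    Assumed policy: the side whose table is older (earlier generation time, then
    lower table ID) re-registers with the server to obtain the current table."""
    if local_ver == peer_ver:
        return "none"
    older_local = MasterKeyTable.parse_ver(local_ver) < MasterKeyTable.parse_ver(peer_ver)
    return "local" if older_local else "peer"


def sample_table():
    """Constructed table with two master keys, as a server might issue it."""
    return MasterKeyTable(
        datetime(2018, 4, 24, 10, 30, 0), 7,
        {1: bytes.fromhex("00112233445566778899aabbccddeeff"),
         2: bytes.fromhex("ffeeddccbbaa99887766554433221100")},
    )


if __name__ == "__main__":
    table = sample_table()
    print("ver:", table.ver)
    print("peer with older table ->", version_check(table.ver, "20180101T000000-0001"))
```

The version check runs before the connection request is forwarded, so a terminal whose table is stale is refreshed before any code stream key is wrapped under a master key the other side may not hold.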
With reference to the second implementation manner of the first aspect, in a third implementation manner of the first aspect, the code stream encryption information further includes: a set of encryption algorithms, and a first index that uniquely identifies the master key in the master key table.
With reference to the third implementation manner of the first aspect, in a fourth implementation manner of the first aspect, negotiating the encrypted code stream key includes:
when the first conference terminal is the master, the negotiated encrypted code stream key is the encrypted first code stream key; or, alternatively,
when the first conference terminal is the slave, the negotiated encrypted code stream key is determined from the negotiated code stream encryption information and a second code stream key generated by the second conference terminal.
In the encryption rule of the second protocol, the master determines the code stream key, so the negotiated encrypted code stream key is settled in two interactions: once the master-slave information is known, it is finally determined which party's code stream key is used, and through this timing control the code stream key can be negotiated between different protocols.
According to a second aspect, an embodiment of the present invention further provides a cross-protocol code stream encryption negotiation method, including:
receiving a second protocol connection request signaling sent by a second conference terminal, wherein the second protocol connection request signaling carries code stream encryption information;
sending a first protocol connection request signaling to a first conference terminal, wherein the first protocol connection request signaling carries the code stream encryption information;
receiving a first protocol second signaling fed back by the first conference terminal based on the first protocol connection request signaling, wherein the first protocol second signaling carries a second message body, and the second message body comprises negotiated code stream encryption information and an encrypted first code stream key;
sending a second protocol first signaling to the second conference terminal, wherein the second protocol first signaling carries the negotiated code stream encryption information and the encrypted first code stream key;
receiving a second protocol second signaling fed back by the second conference terminal based on the second protocol first signaling, wherein the second protocol second signaling carries negotiated encrypted code stream key and master-slave decision;
and storing the master-slave decision, and sending a second protocol third signaling to the first conference terminal, wherein the second protocol third signaling is used for indicating the end of code stream encryption negotiation.
The invention negotiates code stream encryption information and code stream keys between conference terminals that communicate with different protocols, and decides according to the master-slave information which conference terminal's code stream key is used to encrypt the subsequent code stream. By controlling the interaction timing, the invention ensures that the two communicating parties can negotiate a code stream key and code stream encryption information, and by converting the encryption-related parts of the different protocols it realizes encrypted communication between different protocols, so that encrypted code stream communication can be realized between conference terminals adopting different communication protocols within the same video conference system, achieving secure cross-protocol intercommunication.
According to a third aspect, an embodiment of the present invention provides a cross-protocol code stream encryption negotiation apparatus, including:
the first receiving module is used for receiving a first protocol connection request signaling sent by a first conference terminal, wherein the first protocol connection request signaling carries code stream encryption information and a plurality of encrypted first code stream keys;
the first sending module is used for sending a second protocol connection request signaling to a second conference terminal, wherein the second protocol connection request signaling carries the code stream encryption information and the encrypted first code stream key;
a second receiving module, configured to receive a second protocol first signaling fed back by the second conference terminal based on the second protocol connection request signaling, where the second protocol first signaling carries a master-slave decision and a first message body, and the first message body includes negotiated code stream encryption information and a negotiated encrypted code stream key;
a second sending module, configured to store the master-slave decision, and send a first protocol first signaling to the first conference terminal, where the first protocol first signaling carries the first message body;
and a third receiving module, configured to receive a first protocol second signaling sent by the first conference terminal, where the first protocol second signaling is used to indicate end of code stream encryption negotiation.
According to a fourth aspect, an embodiment of the present invention provides a cross-protocol code stream encryption negotiation apparatus, including:
a fourth receiving module, configured to receive a second protocol connection request signaling sent by a second conference terminal, where the second protocol connection request signaling carries code stream encryption information;
a third sending module, configured to send a first protocol connection request signaling to a first conference terminal, where the first protocol connection request signaling carries the code stream encryption information;
a fifth receiving module, configured to receive a first protocol second signaling fed back by the first conference terminal based on the first protocol connection request signaling, where the first protocol second signaling carries a second message body, and the second message body includes negotiated code stream encryption information and an encrypted first code stream key;
a fourth sending module, configured to send a second protocol first signaling to the second conference terminal, where the second protocol first signaling carries the negotiated code stream encryption information and the encrypted first code stream key;
a sixth receiving module, configured to receive a second protocol second signaling fed back by the second conference terminal based on the second protocol first signaling, where the second protocol second signaling carries a negotiated encrypted code stream key and a master-slave decision;
and a fifth sending module, configured to store the master-slave decision, and send a second protocol third signaling to the first conference terminal, where the second protocol third signaling is used to indicate end of code stream encryption negotiation.
According to a fifth aspect, an embodiment of the present invention provides a conference device, including a memory and a processor that are communicatively connected to each other, wherein the memory stores computer instructions and the processor executes the computer instructions so as to perform the code stream encryption negotiation method of the first aspect, of any implementation manner of the first aspect, or of the second aspect.
According to a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer instructions for causing a computer to execute the cross-protocol code stream encryption negotiation method of the first aspect, of any implementation manner of the first aspect, or of the second aspect.
Drawings
The features and advantages of the present invention will be more clearly understood by reference to the accompanying drawings, which are illustrative and not to be construed as limiting the invention in any way, and in which:
FIG. 1 is a flowchart of a cross-protocol code stream encryption negotiation method according to an embodiment of the present invention;
FIG. 2 is a flowchart of a cross-protocol code stream encryption negotiation method according to another embodiment of the present invention;
FIG. 3 is a flowchart of a cross-protocol code stream encryption negotiation method according to another embodiment of the present invention;
FIG. 4 is an interaction flowchart of a first conference terminal calling a second conference terminal in an embodiment of the present invention;
FIG. 5 is an interaction flowchart of a first conference terminal calling a second conference terminal in another embodiment of the present invention;
FIG. 6 is an interaction flowchart of a second conference terminal calling a first conference terminal in an embodiment of the present invention;
FIG. 7 is a flowchart of the encrypted call flow of a SIP terminal in which the caller carries SDP in the call, according to an embodiment of the present invention;
FIG. 8 is a flowchart of the encrypted call flow of a SIP terminal in which the caller does not carry SDP in the call, according to an embodiment of the present invention;
FIG. 9 shows the gateway registration flow in an embodiment of the present invention;
FIG. 10 shows the flow in which a SIP server pushes an updated master key table to a gateway in an embodiment of the present invention;
FIG. 11 shows the flow of a SIP terminal calling an H.323 terminal in an embodiment of the present invention;
FIG. 12 shows the flow of an H.323 terminal calling a SIP terminal in an embodiment of the present invention;
FIG. 13 is a block diagram of a cross-protocol code stream encryption negotiation apparatus according to an embodiment of the present invention;
FIG. 14 is a block diagram of a cross-protocol code stream encryption negotiation apparatus according to another embodiment of the present invention;
FIG. 15 is a structural diagram of a conference device in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that, in the present invention, the first conference terminal communicates based on a first protocol, the second conference terminal communicates based on a second protocol, and the first protocol is different from the second protocol. In addition, the first code stream key is generated by the first conference terminal, and the second code stream key is generated by the second conference terminal.
The technical scheme of the invention comprises the following concepts:
master key: and the key is used for encrypting the audio and video code stream key.
A main password table: that is, a set of multiple master key tables, each master key in the set having an mki number for correspondence.
The SIP terminal: denotes a terminal or MCU using SIP protocol;
h.323 terminal: representing a terminal or MCU using the h.323 protocol.
H.323-SIP gateway: indicating a gateway for converting the H.323 protocol and the SIP protocol into each other.
The technical scheme of the invention comprises the following abbreviations:
EAn set of all supported encryption algorithms, such as: 3DES, AES128, AES256, etc.
EAx selected encryption algorithm, one encryption algorithm is selected EAn as EAx.
EKn: the set of stream keys is encrypted using [ EAn, master key ].
EKx: and encrypting the code stream secret key by using [ EAx and master key ].
ver: and the version number of the main password table consists of the generation time + ID of the main password table. Which is used to confirm that the master password tables used by the two communicating parties are identical.
mki: the id number corresponding to the master key in the master key table is a positive integer other than 0, and mki corresponding to the same master key table have the same master key value. If mki is 0, this indicates that instead of the keys of the master key table, a master key is used that all products default to.
The invention realizes the encrypted communication between the conference terminals with different protocols through the conference equipment, particularly controls the time sequence of message interaction between the conference terminals through the conference equipment and converts the encrypted part of the protocol, so that the cross-protocol safe communication of information can be realized in the same conference system.
Fig. 1 shows a flow of a cross-protocol code stream encryption negotiation method in an embodiment of the present invention, where the method includes:
s101, receiving a first protocol connection request signaling sent by a first conference terminal.
The conference device receives a first protocol connection request signaling sent by the first conference terminal; the signaling carries code stream encryption information and an encrypted first code stream key. The connection request signaling, and the content it carries, differ from protocol to protocol: for the SIP protocol the connection request signaling is INVITE, while for the H.323 protocol it is setup.
After the conference equipment receives the connection request signaling, the protocol adopted by the connection request signaling can be obtained through analyzing the protocol structure of the connection request signaling. After the conference device determines the protocol used by the connection request signaling (in this embodiment, it is determined that the protocol used by the connection request signaling is the first protocol, that is, the connection request signaling sent by the first conference terminal), the code stream encryption information carried in the connection request signaling and the encrypted first code stream key are extracted.
And the first code stream key and the first protocol connection request signaling correspond to the first conference terminal. Specifically, the first conference terminal generates a first code stream key, and the first code stream key is encrypted by using the code stream encryption information to form an encrypted first code stream key.
Because the code stream encryption information may list several ways of encrypting the code stream, the first code stream key is encrypted with each of them when the encrypted code stream key is formed, which yields several encrypted first code stream keys. The first protocol connection request signaling therefore carries a plurality of encrypted first code stream keys together with the code stream encryption information.
S102, sending a second protocol connection request signaling to the second conference terminal.
Because the code stream encryption information and the encrypted first code stream key in the connection request signaling are represented in the signaling format of the first protocol, the conference equipment needs to convert the extracted code stream encryption information and the encrypted first code stream key, and the code stream encryption information and the encrypted first code stream key are converted into the signaling format of the second protocol.
And the conference equipment carries the converted code stream encryption information and the encrypted first code stream key in a second protocol connection request signaling and sends the second protocol connection request signaling to the second conference terminal.
S103, receiving a second protocol first signaling fed back by the second conference terminal based on the second protocol connection request signaling.
The second protocol first signaling carries a master-slave decision and a first message body, where the first message body comprises the negotiated code stream encryption information and the negotiated encrypted code stream key. The first protocol and the second protocol are each implemented by signaling entities that exchange information with the peer's signaling entity through the procedure the protocol specifies, thereby realizing communication control between the terminals. That is, the master-slave decision is made by the signaling entity of the second protocol, in the form of messages, to fix which terminal is the master and which is the slave in the session, so that conflicts that could not otherwise be resolved are avoided in the subsequent communication.
After receiving a second protocol connection request signaling sent by the conference equipment, the second conference terminal extracts the code stream encryption information from the connection request signaling, and negotiates the code stream encryption information to form negotiated code stream encryption information.
And simultaneously, the second conference terminal negotiates a master-slave decision and negotiates an encrypted code stream key according to the master-slave decision and the negotiated code stream encryption information.
The second conference terminal carries the negotiated code stream encryption information and the negotiated encrypted code stream key, in the form of a first message body, in the second protocol first signaling and sends it to the conference device; the master-slave decision is also carried in the second protocol first signaling.
S104, storing the master-slave decision, and sending a first protocol first signaling to the first conference terminal.
The first protocol first signaling carries the first message body. When the conference device receives the second protocol first signaling sent by the second conference terminal, it stores the master-slave decision contained in that signaling. In addition, the first message body carried in the second protocol first signaling is converted into the signaling format of the first protocol, and the first message body is carried in the first protocol first signaling and sent to the first conference terminal for confirmation.
S105, receiving a first protocol second signaling sent by the first conference terminal.
The first protocol second signaling indicates the end of the code stream encryption negotiation.
In this embodiment, the code stream encryption information and the code stream key are negotiated between conference terminals that communicate with different protocols (the first protocol corresponds to the first conference terminal and the second protocol to the second conference terminal), and the master-slave messages decide which conference terminal's code stream key is used to encrypt the subsequent code stream. By controlling the interaction sequence, the invention ensures that the two communicating parties can negotiate a code stream key and code stream encryption information, and by converting the encryption parts between the different protocols it realizes encrypted communication across protocols. Conference terminals that use different communication protocols in the same video conference system can therefore communicate with encrypted code streams, achieving secure cross-protocol interworking.
In the subsequent communication, the first conference terminal and the second conference terminal decrypt the negotiated encrypted code stream key with the negotiated code stream encryption information to obtain the negotiated code stream key. Both terminals then encrypt the audio and video code stream with the negotiated code stream key and the negotiated code stream encryption information and communicate directly in encrypted form. The first conference terminal and the second conference terminal may communicate in encrypted form directly or by relaying through the conference device. When the conference terminals communicate directly in encrypted form, the addresses of the conference terminals on both sides need to be carried during the code stream encryption negotiation.
In some optional implementations of this embodiment, the first protocol is the SIP protocol and the first conference terminal is a SIP terminal; the second protocol is the H.323 protocol and the second conference terminal is an H.323 terminal.
Fig. 2 shows a flowchart of a cross-protocol code stream encryption negotiation method in another embodiment of the present invention, where the method includes:
S201, sending a registration request to a server.
The conference device in this embodiment is equivalent to a terminal of the first protocol when it communicates with the first conference terminal using the first protocol, and to a terminal of the second protocol when it communicates with the second conference terminal using the second protocol. Therefore, before the conference device exchanges information with the conference terminals, it must register under each protocol. For the second protocol, the conference device registers with the server according to the rules of the second protocol and obtains a registration name and a registration address.
For the first protocol, the conference device sends a registration request to the server to obtain the master key table, and the registration request carries a public key. The conference device stores the private key corresponding to that public key. After the conference device has sent the registration request to the server for the first time, the server stores the public key of the conference device, so the public key does not need to be sent again on subsequent registrations, which saves communication bandwidth.
For example, when the first protocol is the SIP protocol, the registration request sent by the conference device to the server is REGISTER + public key, where REGISTER is the registration request.
S202, receiving the version number of the master key table and the master key table, encrypted with the public key, sent by the server.
The master key table is the set of all master keys; the labels in the master key table correspond one to one to the master keys, that is, each label corresponds to a unique master key.
If the server confirms that the conference device can be registered successfully, the server encrypts the master key table with the public key and sends the encrypted master key table to the conference device together with the 200 OK.
Specifically, when the first protocol is the SIP protocol, the message body received by the conference device is 200 OK + the master key table encrypted with the public key.
The encrypted master key table further comprises the version number ver of the master key table, which is composed of the master key table generation time + ID and is used to confirm whether the master key tables used by the two communicating parties are the same. For example, the version number ver of the master key table may be 20170607+20.
S203, decrypting the encrypted master key table with the private key corresponding to the public key to obtain the master key table.
The conference device receives the successful registration reply from the server and decrypts the message body with its own private key to obtain the master key table.
Optionally, when the conference device registers with the server for the first time, the server includes a time limit in its successful-registration reply; the conference device registers with the server again within that time limit so that the server knows it is still active, otherwise the registration server clears the registration information of a conference device that has not kept itself alive before the time-out. During these subsequent keep-alive registrations only the version number of the master key table needs to be carried, which reduces communication bandwidth.
S204, receiving a first protocol connection request signaling sent by the first conference terminal.
For details please refer to S101 in fig. 1, which are not repeated here.
S205, judging whether the version number of the master key table of the first conference terminal matches the version number of the conference device's own master key table.
In this embodiment, the code stream encryption information includes the version number ver of the master key table of the first conference terminal. The version number ver is composed of the master key table generation time + ID and is used to confirm whether the master key tables used by both communicating parties are the same. For example, the version number ver of the master key table may be 20170607+20.
Before any further information exchange, the conference device can ensure that the same master key will be used only by checking whether the version number of its own master key table is the same as the version number of the master key table of the first conference terminal.
When the version number of the first conference terminal's master key table does not match the version number of the conference device's own master key table, S206 is executed; when the two match, S207 is executed.
S206, re-registering with the server according to which version number is higher, so as to update the version number.
The conference device determines from the version numbers whether it or the first conference terminal needs to register with the server again. When the version number of the conference device is lower than that of the first conference terminal, the conference device registers with the server again to update its version number and then decides whether to continue accepting the call; if the call is accepted, S207 is executed, otherwise the call connection request is hung up and the device waits for the next call connection request. When the version number of the conference device is higher than that of the first conference terminal, the conference device hangs up the call connection request and sends the reason to the first conference terminal. The reason carried is: please update the master key table and then call.
Specifically, when the first protocol is the SIP protocol and the version number of the master key table carried in the connection request signaling (INVITE) sent by the first conference terminal is 20170607+20, the conference device finds on receipt that this differs from its own version number. If the version number of the conference device's master key table is higher (for example 20170608+21), it replies 400 (bad message) to the first conference terminal and adds an alarm header field (please update the master key table and then call). After receiving this, the first conference terminal re-registers with the server on its own initiative to update its master key table and then calls the conference device again. If after receiving the INVITE the conference device finds that the version number of its own master key table is lower than that of the first conference terminal (for example 20170606+19), the conference device first registers with the server to update its master key table and then chooses whether to continue accepting the call.
Optionally, if the server needs to update the master key table, it uses INFO signaling to actively push the latest master key table to all terminals registered with it; the message body sent is the master key table encrypted with the public key of the corresponding terminal, and it carries the reason: update the master key table. After receiving the INFO signaling, a terminal extracts the updated master key table and replies 200 OK to the server to indicate that it has accepted the updated master key table.
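The version comparison of S205 and S206, together with the SIP-specific handling just described, as an added example written for this page (it is not the patent's or any product's code). It assumes the version string has the form generation time + ID as in the text (e.g. 20170607+20), compares the two components in that order, and returns the action the conference device takes; the 400 reply and the alarm header wording are those given above, while the function and field names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class TableVersion:
    """Master key table version ver = generation time + ID, e.g. "20170607+20".

    order=True compares (gen_time, table_id) in that order, so a newer
    generation date wins and the ID breaks ties (assumed ordering)."""
    gen_time: int   # YYYYMMDD on which the table was generated
    table_id: int   # table ID

    @classmethod
    def parse(cls, ver: str) -> "TableVersion":
        # The page writes the version as "time + ID"; tolerate spaces around '+'.
        time_part, id_part = ver.replace(" ", "").split("+", 1)
        if len(time_part) != 8 or not time_part.isdigit() or not id_part.isdigit():
            raise ValueError(f"malformed master key table version: {ver!r}")
        return cls(int(time_part), int(id_part))


# Alarm header text carried in the 400 reply (wording taken from the text above)
ALARM_UPDATE_TABLE = "please update the master key table and then call"


def check_invite_version(own_ver: str, invite_ver: str) -> dict:
    """Decide what the conference device does with an INVITE whose code stream
    encryption information carries master key table version `invite_ver`.

    Returns a dict whose 'action' is one of:
      'proceed'      tables match: continue with S207
      'reply_400'    own table is newer: 400 plus alarm header, caller re-registers
      're-register'  own table is older: re-register with the server first, then
                     decide whether to keep accepting the call (S206)
    """
    own = TableVersion.parse(own_ver)
    remote = TableVersion.parse(invite_ver)
    if own == remote:
        return {"action": "proceed"}
    if remote < own:
        return {"action": "reply_400", "status": 400, "alarm": ALARM_UPDATE_TABLE}
    return {"action": "re-register", "then": "accept_or_hangup"}


if __name__ == "__main__":
    # Constructed sample: the device holds 20170607+20 and receives three INVITEs.
    for ver in ("20170607+20", "20170606+19", "20170608+21"):
        print(ver, "->", check_invite_version("20170607+20", ver))
```

The malformed-version branch matters at a gateway: the version field arrives from an unauthenticated caller, so parsing it strictly before comparing avoids treating garbage as "newer than mine" and triggering a needless re-registration.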
S207, sending a second protocol connection request signaling to the second conference terminal.
The second protocol connection request signaling carries the code stream encryption information and the encrypted first code stream key. In this embodiment, the code stream encryption information further includes a plurality of encryption algorithms and a first label, the first label uniquely identifying a master key in the master key table. The second conference terminal negotiates one encryption algorithm from the plurality of encryption algorithms, which together with the label of the master key forms the negotiated code stream encryption information.
In addition, the first conference terminal encrypts the first code stream key with the master key and an encryption algorithm to form the encrypted first code stream key, which is carried in the connection request signaling sent by the first conference terminal.
For the rest please refer to the description of S102 in the embodiment shown in fig. 1, which is not repeated here.
S208, receiving a second protocol first signaling fed back by the second conference terminal based on the second protocol connection request signaling.
After negotiating the code stream encryption information, the second conference terminal performs the master-slave negotiation to generate the master-slave decision. The master-slave decision determines which of the first conference terminal and the second conference terminal is master and which is slave. Because the second protocol specifies that the master decides the code stream key, the encrypted code stream key is negotiated according to the master-slave decision in one of the following two cases:
When the first conference terminal is master, the code stream key is determined by the first conference terminal, that is, the encrypted code stream key is determined from the plurality of encrypted first code stream keys.
When the first conference terminal is slave, the code stream key is determined by the second conference terminal, that is, the encrypted code stream key is determined from the negotiated code stream encryption information and a second code stream key generated by the second conference terminal. Specifically, the second conference terminal encrypts the second code stream key with the negotiated encryption algorithm and the master key to form the encrypted code stream key.
For the remaining details please refer to S103 in the embodiment shown in fig. 1, which are not repeated here.
S209, storing the master-slave decision, and sending a first protocol first signaling to the first conference terminal.
For details please refer to S104 in fig. 1, which are not repeated here.
S210, receiving a first protocol second signaling sent by the first conference terminal.
For details please refer to S105 in fig. 1, which are not repeated here.
Compared with the embodiment shown in fig. 1, this embodiment matches the master key tables before the code stream encryption information is negotiated, ensuring that the two communicating parties use the same master key table and hence, through the labels, the same master key, so that the code stream key can be decrypted correctly.
Fig. 3 shows a flowchart of a cross-protocol code stream encryption negotiation method in another embodiment of the present invention, where the method includes:
S301, receiving a second protocol connection request signaling sent by a second conference terminal.
The second protocol connection request signaling carries code stream encryption information but does not carry an encrypted code stream key. After receiving the connection request signaling, the conference device determines the protocol it uses by analysing its protocol structure. Once the conference device has determined that protocol (in this embodiment, the second protocol, i.e. the signaling is the second protocol connection request signaling sent by the second conference terminal), it extracts the code stream encryption information carried in the connection request signaling.
S302, sending a first protocol connection request signaling to the first conference terminal.
The code stream encryption information carried in the second protocol connection request signaling is forwarded in the first protocol connection request signaling. As in S102 of the embodiment shown in fig. 1, the conference device must convert the code stream encryption information into the signaling format of the first protocol before sending the first protocol connection request signaling to the first conference terminal.
S303, receiving a first protocol second signaling fed back by the first conference terminal based on the first protocol connection request signaling.
The first protocol second signaling carries a second message body, which comprises the negotiated code stream encryption information and an encrypted first code stream key.
The first code stream key is generated by the first conference terminal: the first conference terminal first negotiates the code stream encryption information and then encrypts the first code stream key with the negotiated code stream encryption information to form the encrypted first code stream key.
The first conference terminal puts the negotiated code stream encryption information and the encrypted first code stream key into the second message body and sends it to the conference device in the first protocol second signaling.
S304, sending a second protocol first signaling to the second conference terminal.
The second protocol first signaling carries the negotiated code stream encryption information and the encrypted first code stream key.
S305, receiving a second protocol second signaling fed back by the second conference terminal based on the second protocol first signaling.
The second protocol second signaling carries the negotiated encrypted code stream key and the master-slave decision.
After receiving the first protocol second signaling sent by the first conference terminal, the conference device establishes a connection with the second conference terminal. After establishing the connection with the conference device, the second conference terminal negotiates the master-slave decision and negotiates the encrypted code stream key according to it.
The second conference terminal carries the negotiated encrypted code stream key and the master-slave decision in the second protocol second signaling and sends it to the conference device.
S306, storing the master-slave decision, and sending a second protocol third signaling to the first conference terminal.
The second protocol third signaling indicates the end of the code stream encryption negotiation. In this embodiment, the second protocol third signaling carries the negotiated encryption information and the negotiated encrypted code stream key.
In this embodiment, the code stream encryption information and the code stream key are negotiated between conference terminals that communicate with different protocols, and the master-slave messages decide which conference terminal's code stream key is used to encrypt the subsequent code stream. By controlling the interaction sequence, the invention ensures that the two communicating parties can negotiate a code stream key and code stream encryption information, and by converting the encryption parts between the different protocols it realizes encrypted communication across protocols. Conference terminals that use different communication protocols in the same video conference system can therefore communicate with encrypted code streams, achieving secure cross-protocol interworking.
In some optional implementations of this embodiment, a step in which the conference device registers with the server is further included before S301; it is the same as S201 to S203 in the embodiment shown in fig. 2 and is not repeated here.
In other optional implementations of this embodiment, S303 further includes judging whether the version numbers of the master key tables match, which is similar to S205 to S206 in the embodiment shown in fig. 2 and is not repeated here.
In some optional implementations of this embodiment, negotiating the encrypted code stream key according to the master-slave decision in S305 is divided into the following two cases:
When the first conference terminal is master, the encrypted code stream key is determined by the encrypted first code stream key;
When the first conference terminal is slave, the encrypted code stream key is determined by the negotiated code stream encryption information and a second code stream key generated by the second conference terminal. Optionally, the negotiated code stream encryption information includes an encryption algorithm and the label corresponding to the master key, from which the master key can be determined; the second conference terminal encrypts the second code stream key with the negotiated encryption algorithm and the master key to form the encrypted code stream key.
The invention provides two calling methods among the first conference terminal, the conference device and the second conference terminal: in the first, the first conference terminal calls the second conference terminal, and in the second, the second conference terminal calls the first conference terminal. The two cases are described in detail below as interaction sequences.
Fig. 4 shows an interaction flowchart of a first conference terminal calling a second conference terminal; in this call mode the cross-protocol code stream encryption negotiation method includes:
S401, receiving a connection request signaling sent by a first conference terminal. The connection request signaling carries code stream encryption information and an encrypted first code stream key. For details please refer to S101 in fig. 1, which are not repeated here.
S402, sending a second protocol connection request signaling to the second conference terminal. For details please refer to S102 in fig. 1, which are not repeated here.
S403, receiving a second protocol first signaling fed back by the second conference terminal based on the second protocol connection request signaling. For details please refer to S103 in fig. 1, which are not repeated here.
S404, storing the master-slave decision, and sending a first protocol first signaling to the first conference terminal. For details please refer to S104 in fig. 1, which are not repeated here.
S405, receiving a first protocol second signaling sent by the first conference terminal. For details please refer to S105 in fig. 1, which are not repeated here.
Fig. 5 shows an interaction flowchart of a first conference terminal calling a second conference terminal; another cross-protocol code stream encryption negotiation method in this call mode includes:
S501, sending a registration request to a server. For details please refer to S201 in fig. 2, which are not repeated here.
S502, receiving the version number of the master key table and the master key table, encrypted with the public key, sent by the server. For details please refer to S202 in fig. 2, which are not repeated here.
S503, decrypting the encrypted master key table with the private key corresponding to the public key to obtain the master key table. For details please refer to S203 in fig. 2, which are not repeated here.
S504, receiving the connection request signaling sent by the first conference terminal. For details please refer to S204 in fig. 2, which are not repeated here.
S505, judging whether the version number of the master key table of the first conference terminal matches the version number of the conference device's own master key table. For details please refer to S205 in fig. 2, which are not repeated here.
When the version number of the first conference terminal's master key table does not match the version number of the conference device's own master key table, S506 is executed; when the two match, S507 is executed.
S506, re-registering with the server according to which version number is higher, so as to update the version number. For details please refer to S206 in fig. 2, which are not repeated here.
S507, sending a second protocol connection request signaling to the second conference terminal. For details please refer to S207 in fig. 2, which are not repeated here.
S508, receiving a second protocol first signaling fed back by the second conference terminal based on the second protocol connection request signaling. For details please refer to S208 in fig. 2, which are not repeated here.
S509, storing the master-slave decision, and sending a first protocol first signaling to the first conference terminal. For details please refer to S209 in fig. 2, which are not repeated here.
S510, receiving a first protocol second signaling sent by the first conference terminal. For details please refer to S210 in fig. 2, which are not repeated here.
Fig. 6 shows an interaction flowchart of a second conference terminal calling a first conference terminal; in this call mode the cross-protocol code stream encryption negotiation method includes:
S601, receiving a second protocol connection request signaling sent by a second conference terminal. For details please refer to S301 of the embodiment shown in fig. 3, which are not repeated here.
S602, sending a first protocol connection request signaling to the first conference terminal. For details please refer to S302 of the embodiment shown in fig. 3, which are not repeated here.
S603, receiving a first protocol second signaling fed back by the first conference terminal based on the first protocol connection request signaling. For details please refer to S303 of the embodiment shown in fig. 3, which are not repeated here.
S604, sending a second protocol first signaling to the second conference terminal. For details please refer to S304 of the embodiment shown in fig. 3, which are not repeated here.
S605, receiving a second protocol second signaling fed back by the second conference terminal based on the second protocol first signaling. For details please refer to S305 of the embodiment shown in fig. 3, which are not repeated here.
S606, storing the master-slave decision, and sending a second protocol third signaling to the first conference terminal. For details please refer to S306 of the embodiment shown in fig. 3, which are not repeated here.
Building on the cross-protocol code stream encryption negotiation method provided by the invention, the following detailed description takes the first protocol to be the SIP protocol and the second protocol to be the H.323 protocol. The scheme mainly solves the problem of encrypted interworking between SIP encrypted calls and H.323 encrypted calls.
H.323 encrypted calls using the H.235 protocol have the following characteristics: at call time the encryption algorithm is negotiated and the master key is exchanged through DH; after the master-slave decision, the master decides the code stream key; and when a channel is opened, the code stream key encrypted with the encryption algorithm and the master key is obtained. SIP encrypted calls must be compatible with these H.323 characteristics if they are to interwork with H.323.
The rules for the audio and video code stream are as follows. In the H.323 encryption rule using H.235, the master decides the code stream key, whereas SIP has no master-slave negotiation procedure, so a rule is needed to keep SIP compatible with H.323. The audio and video key in SIP is carried in the Session Description Protocol (SDP), which is exchanged at least twice, so the rule is to use the key of the party that needs to change the key.
There are three situations in which a party needs to change the key:
1) SIP point-to-point calls, where the SDP answer party wants to use the code stream key it generated itself:
For two SIP terminals in a point-to-point call, the code stream key generated by the SDP offer party is used if the SDP answer party does not need to change it. When the SDP answer party replies with its SDP, it returns the offer party's code stream key unchanged;
if the SDP answer party wants to change the code stream key, it replies with an SDP carrying its own key, and the SDP offer party then uses the answer party's key.
Specifically, figs. 7 and 8 show the processes of an encrypted call between point-to-point SIP terminals. Since different audio/video channels may use different communication keys, each m-line carries its own code stream key encrypted with the master key. If the signaling header carries EAn, the code stream key of each m-line in the SDP is encrypted with every supported encryption algorithm in EAn, using the master key identified by mki, producing the corresponding set of encrypted code stream keys EK. If the signaling header carries EAx, only the EAx encryption algorithm is used, together with the master key identified by mki, to produce a single corresponding encrypted code stream key EK.
Fig. 7 shows the process in which the caller carries an SDP in the SIP terminal encrypted call flow. As shown in fig. 7, when sending the INVITE, SIP terminal MT1 carries the SDP, the master key table version number ver, all supported encryption algorithms EAn, the mki of the master key selected from the master key table, and in each m-line of the SDP the code stream keys EKn encrypted with the encryption algorithms EAn and the master key, and sends this to SIP terminal MT2. If MT2 agrees to the encrypted call, it selects one encryption algorithm EAx and replies to MT1 according to the code stream key determination rule:
If MT2 wants to use the code stream key it generated itself in the final communication, it encrypts its own code stream key with the master key identified by the caller's mki and the selected encryption algorithm EAx to produce EKx and returns it in the 200 OK;
if MT2 uses the code stream key generated by MT1, it returns the EKx corresponding to the selected encryption algorithm EAx unchanged in the 200 OK reply. After the call is subsequently set up, RTP audio and video communication encrypted with the negotiated encryption algorithm EAx and code stream key can proceed.
Fig. 8 shows the process in which the caller does not carry an SDP in the SIP terminal encrypted call flow. As shown in fig. 8, when sending the INVITE, SIP terminal MT1 carries the master key table version number ver, the mki of one master key selected from the master key table, and all supported encryption algorithms EAx, and sends these to SIP terminal MT2. If MT2 agrees to the encrypted call and finds that the caller's INVITE carries no SDP, it replies to MT1 with an SDP, the selected encryption algorithm EAx, and in each m-line of the SDP the code stream key EKx encrypted with the encryption algorithm EAx and the master key. After receiving the 200 OK reply from MT2, MT1 confirms the encryption algorithm EAx and replies to MT2 according to the code stream key determination rule:
If MT1 wants to use the code stream key it generated itself in the final communication, it encrypts its own code stream key with the master key identified by the caller's mki and the encryption algorithm EAx to produce EKx and returns it in the ACK;
if MT1 uses the code stream key generated by MT2, it returns the carried EKx unchanged in the ACK.
After the call is subsequently set up, RTP audio and video communication encrypted with the negotiated encryption algorithm and code stream key can proceed.
2) H.323 encrypted calls using the H.235 encryption protocol go through a master-slave decision, and the key must be decided by the master:
When a SIP terminal and an H.323 terminal call each other through the H.323-SIP gateway, the H.323 terminal uses the H.235 protocol and the key is determined by the master.
If the SIP terminal becomes master, the key is determined by the SIP terminal, the H.323 terminal has no need to change the key, and the gateway replies to the SIP terminal's SDP with the key carried in that SDP, i.e. the SIP terminal's key;
if the H.323 terminal is master, it must change the key, and the gateway replies to the SIP terminal's SDP with the key generated by the H.323 terminal.
3) For a multipoint conference, the code stream key must be set by the MCU (multipoint control unit):
In a conference the key is determined by the MCU. In a call with an H.323 terminal the MCU is usually the master, so the MCU has the need to change the key; in a call with a SIP terminal, the SIP terminal simply works with the key the MCU replies with (or generates).
The overall scheme mainly involves the signaling timing control of encrypted calls between SIP and H.323 and the conversion of the encryption representation, functions that must be completed by a gateway. Calls fall into two cases, the SIP terminal calling the H.323 terminal and the H.323 terminal calling the SIP terminal. In both cases the exchange between the SIP terminal and the gateway corresponds one-to-one to a SIP point-to-point encrypted call:
the SIP terminal calling the H.323 terminal corresponds to the SIP point-to-point encrypted call whose INVITE carries SDP;
the H.323 terminal calling the SIP terminal corresponds to the SIP point-to-point encrypted call whose INVITE carries no SDP.
In addition to RFC 4123 interworking, the gateway needs to perform the following functions:
1) the gateway acquires the master cipher table when registering with the SIP registration server;
2) as the SIP terminal does, it checks the version number of the master cipher table during a call and looks up the corresponding master key by label;
3) it converts between the SIP encryption algorithm forms EAn and EAx and the H.235 encryption algorithm form;
4) as the SIP terminal does, it decrypts the code stream key according to the encryption algorithm negotiation rule and the master key rule;
5) it saves the result of the master-slave determination on the H.323 side;
6) it completes the negotiation of the code stream key on the SIP side and the H.323 side according to the usage rule of the audio and video code stream key.
As shown in the gateway registration process of Fig. 9, in an encrypted call the gateway performs an H.323 + H.235 encrypted call flow with the H.323 terminal and a SIP encrypted call with the SIP terminal. When registering with the SIP registrar, besides following RFC 4123 (the H.323 alias/E.164 number as the registration name, the gateway address as the registration address), the gateway must carry its public key so that it can obtain the master cipher table. Registration with the GK (gatekeeper) still follows the normal H.323 flow, since the master cipher table does not need to be acquired there. Fig. 10 shows the SIP server updating the master cipher table to the gateway.
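The registration exchange of Fig. 9 and Fig. 10 (public key carried in the REGISTER, master cipher table returned encrypted to that key and decrypted with the matching private key) together with the call-time version check of claim 2, as an added example that is not part of the patent. RSA-OAEP for the table encryption, the JSON serialization, the Alias value, the callback shape of the server and the re-registration rule (the gateway re-registers when the terminal's version is newer; an older terminal version is rejected because the gateway cannot update the terminal) are assumptions made here; the page says only that the table is encrypted with the public key and that re-registration follows the relative order of the version numbers.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// MasterCipherTable as handed out by the SIP registration server: a version number
// and master keys addressed by label. Constructed for this example.
type MasterCipherTable struct {
	Ver  int            `json:"ver"`
	Keys map[int][]byte `json:"keys"`
}

// RegisterRequest is the gateway's REGISTER: the RFC 4123 alias registration plus,
// as the text requires, the gateway's public key. Field names are assumptions.
type RegisterRequest struct {
	Alias  string
	PubKey *rsa.PublicKey
}

// RegisterReply carries the table encrypted to that public key and its version number.
type RegisterReply struct {
	Ver       int
	Encrypted []byte
}

var oaepLabel = []byte("master-cipher-table") // binds the ciphertext to its purpose

// ServerRegister is the registrar side: serialize the current table and encrypt it to
// the registering gateway's public key. RSA-OAEP is an assumption; a 2048-bit key holds
// a table of a few keys, a larger table would need a hybrid scheme.
func ServerRegister(tbl MasterCipherTable, req RegisterRequest) (RegisterReply, error) {
	if req.PubKey == nil {
		return RegisterReply{}, errors.New("registration request carries no public key")
	}
	plain, err := json.Marshal(tbl)
	if err != nil {
		return RegisterReply{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, req.PubKey, plain, oaepLabel)
	return RegisterReply{Ver: tbl.Ver, Encrypted: ct}, err
}

// Gateway holds the key pair used for registration and the table it obtained.
type Gateway struct {
	priv  *rsa.PrivateKey
	table MasterCipherTable
}

func NewGateway() (*Gateway, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Gateway{priv: priv}, err
}

// Register sends the public key, decrypts the returned table with the private key and
// installs it; the advertised version must agree with the decrypted one.
func (g *Gateway) Register(server func(RegisterRequest) (RegisterReply, error)) error {
	reply, err := server(RegisterRequest{Alias: "h323-gw", PubKey: &g.priv.PublicKey})
	if err != nil {
		return err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, g.priv, reply.Encrypted, oaepLabel)
	if err != nil {
		return fmt.Errorf("master cipher table does not decrypt: %w", err)
	}
	var tbl MasterCipherTable
	if err := json.Unmarshal(plain, &tbl); err != nil {
		return err
	}
	if tbl.Ver != reply.Ver {
		return errors.New("advertised table version disagrees with decrypted table")
	}
	g.table = tbl
	return nil
}

// CheckVersion is the call-time check of claim 2 under this example's reading: equal
// versions proceed; a terminal with a newer table means the gateway is stale and must
// re-register; a terminal with an older table is rejected (the gateway cannot update it).
func (g *Gateway) CheckVersion(terminalVer int) (bool, error) {
	switch {
	case terminalVer == g.table.Ver:
		return false, nil
	case terminalVer > g.table.Ver:
		return true, nil
	default:
		return false, fmt.Errorf("terminal table version %d is older than gateway version %d", terminalVer, g.table.Ver)
	}
}
```

The private key never leaves the gateway, so only the gateway that sent the public key can read the table; the version number travelling in clear lets both sides detect a stale table before any master key is used, and a tampered ciphertext fails OAEP decryption rather than installing a wrong table.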
Fig. 11 and Fig. 12 are call setup timing diagrams for a SIP terminal and an H.323 terminal, in which the H.245 procedure comprises TCS capability set exchange, MSD master-slave determination, OLC audio and video channel opening, and so on. Besides normal signaling conversion and signaling timing control between H.323 and SIP, the H.323-SIP gateway must convert the encryption-related information, as follows:
1) Algorithm conversion: conversion between the standard H.235 form and the SIP string-represented encryption algorithms EAn and EAx. For example, the EAn values
"AES-128", "AES-256", "3DES"
are converted to the H.235 form
OID = "itu-t recommendation h(8)235 0 3 24", "itu-t recommendation h(8)235 0 3 45", "itu-t recommendation h(8)235 0 1 5"
respectively.
2) Saving the master-slave decision value, which determines which code stream key is used. After master-slave determination with the H.323 terminal, the outcome is one of the following:
If the H.323 terminal is master and the SIP terminal is slave, the key is determined by the H.323 terminal; when the gateway, as the answering party, replies to the SIP side with SDP, it carries to the SIP terminal the code stream key brought by the H.323 terminal in the OLC;
similarly, if the SIP terminal becomes master, the key is determined by the SIP terminal and the H.323 terminal waits for the master to generate the code stream key; the gateway carries the code stream key generated by the SIP terminal when opening the channel with the H.323 terminal, and also carries it when replying to the SIP terminal with SDP.
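The two gateway conversions just described, the algorithm conversion in 1) and the saved master-slave decision in 2), as an added example that is not code from the patent. The OID strings are the ones printed on the page; the type and function names, the Role values and the Session structure are assumptions made here.

```go
package main

import (
	"errors"
	"fmt"
)

// SIP algorithm strings (EAn / EAx) and their H.235 OID forms as listed in the text.
// The OID strings are copied from the page as printed, not from the ITU-T specification.
var sipToH235 = map[string]string{
	"AES-128": "itu-t recommendation h(8)235 0 3 24",
	"AES-256": "itu-t recommendation h(8)235 0 3 45",
	"3DES":    "itu-t recommendation h(8)235 0 1 5",
}

// h235ToSIP is the inverse map, built once at start-up.
var h235ToSIP = func() map[string]string {
	m := make(map[string]string, len(sipToH235))
	for ea, oid := range sipToH235 {
		m[oid] = ea
	}
	return m
}()

// ToH235 converts a SIP algorithm string to its H.235 OID; unknown names are rejected
// rather than passed through, so an unmapped algorithm can never be "negotiated".
func ToH235(ea string) (string, error) {
	if oid, ok := sipToH235[ea]; ok {
		return oid, nil
	}
	return "", fmt.Errorf("no H.235 form for SIP algorithm %q", ea)
}

// ToSIP is the reverse conversion, used when the H.323 side selects the algorithm.
func ToSIP(oid string) (string, error) {
	if ea, ok := h235ToSIP[oid]; ok {
		return ea, nil
	}
	return "", fmt.Errorf("no SIP form for H.235 OID %q", oid)
}

// CommonAlgorithm picks the first SIP-offered algorithm whose H.235 OID the H.323
// terminal also offers, returning both representations for the two call legs.
func CommonAlgorithm(sipOffer, h235Offer []string) (string, string, error) {
	offered := make(map[string]bool, len(h235Offer))
	for _, o := range h235Offer {
		offered[o] = true
	}
	for _, ea := range sipOffer {
		if oid, err := ToH235(ea); err == nil && offered[oid] {
			return ea, oid, nil
		}
	}
	return "", "", errors.New("no encryption algorithm common to both sides")
}

// Role is the saved master-slave determination (MSD) result for one call.
type Role int

const (
	H323Master Role = iota
	SIPMaster
)

// Session is the per-call state the gateway keeps: the MSD result and the stream key
// offered by each side (the SIP key already unwrapped). A side that has not supplied a
// key is represented by a nil slice.
type Session struct {
	MSD     Role
	SIPKey  []byte // key carried in the SIP terminal's SDP
	H323Key []byte // key carried in the H.323 terminal's OLC
}

// StreamKey applies the rule from the text: the master's key is the one used. With the
// H.323 terminal as master its OLC key goes into the SDP answer; with the SIP terminal
// as master its SDP key is carried into the OLC and echoed in the SDP answer.
func (s Session) StreamKey() ([]byte, error) {
	switch s.MSD {
	case H323Master:
		if s.H323Key == nil {
			return nil, errors.New("H.323 terminal is master but sent no key in OLC")
		}
		return s.H323Key, nil
	case SIPMaster:
		if s.SIPKey == nil {
			return nil, errors.New("SIP terminal is master but sent no key in SDP")
		}
		return s.SIPKey, nil
	}
	return nil, fmt.Errorf("MSD result %d not saved", s.MSD)
}
```

Rejecting unknown algorithm strings and OIDs instead of forwarding them is deliberate: an identifier that one side cannot express in its own representation must fail negotiation rather than silently degrade to an unverified cipher.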
After the encryption algorithm and the code stream key are negotiated successfully, the H.323 terminal and the SIP terminal can carry out encrypted RTP communication directly. Of course, if RTP is to flow directly between the two terminals without passing through the gateway, the gateway must carry the addresses of both terminals when opening the channel; otherwise the gateway must relay the RTP.
Accordingly, referring to fig. 13, an embodiment of the present invention provides a cross-protocol code stream encryption negotiation apparatus, including:
the first receiving module 1301 is configured to receive a first protocol connection request signaling sent by a first conference terminal, where the first protocol connection request signaling carries code stream encryption information and an encrypted first code stream key.
A first sending module 1302, configured to send a second protocol connection request signaling to a second conference terminal, where the second protocol connection request signaling carries the code stream encryption information and the encrypted first code stream key.
A second receiving module 1303, configured to receive a second protocol first signaling fed back by the second conference terminal based on the second protocol connection request signaling, where the second protocol first signaling carries a master-slave decision and a first message body, and the first message body includes negotiated code stream encryption information and a negotiated encrypted code stream key.
A second sending module 1304, configured to store the master-slave decision, and send a first protocol first signaling to the first conference terminal, where the first protocol first signaling carries the first message body.
A third receiving module 1305, configured to receive a first protocol second signaling sent by the first conference terminal, where the first protocol second signaling is used to indicate an end of code stream encryption negotiation.
Correspondingly, referring to fig. 14, an embodiment of the present invention further provides a cross-protocol code stream encryption negotiation apparatus, where the apparatus includes:
a fourth receiving module 1401, configured to receive a second protocol connection request signaling sent by a second conference terminal, where the second protocol connection request signaling carries code stream encryption information.
A third sending module 1402, configured to send a first protocol connection request signaling to the first conference terminal, where the first protocol connection request signaling carries the code stream encryption information.
A fifth receiving module 1403, configured to receive a first protocol second signaling fed back by the first conference terminal based on the first protocol connection request signaling, where the first protocol second signaling carries a second message body, and the second message body includes negotiated code stream encryption information and an encrypted first code stream key.
A fourth sending module 1404, configured to send a second protocol first signaling to the second conference terminal, where the second protocol first signaling carries the negotiated code stream encryption information and the encrypted first code stream key.
A sixth receiving module 1405, configured to receive a second protocol second signaling fed back by the second conference terminal based on the second protocol first signaling, where the second protocol second signaling carries the negotiated encrypted code stream key and the master-slave decision.
A fifth sending module 1406, configured to store the master-slave decision, and send a second protocol third signaling to the first conference terminal, where the second protocol third signaling is used to indicate the end of code stream encryption negotiation.
An embodiment of the present invention further provides a conference device. As shown in Fig. 15, the conference device may include a processor 1501 and a memory 1502, where the processor 1501 and the memory 1502 may be connected by a bus or in another manner; Fig. 15 takes connection by a bus as the example.
The processor 1501 may be a Central Processing Unit (CPU). The processor 1501 may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or a combination thereof.
The memory 1502, as a non-transitory computer-readable storage medium, may be used to store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the cross-protocol code stream encryption negotiation method in the embodiments of the present invention (for example, the first receiving module 1301, the first sending module 1302, the second receiving module 1303, the second sending module 1304 and the third receiving module 1305 shown in Fig. 13). The processor 1501 runs the non-transitory software programs, instructions and modules stored in the memory 1502 to execute the functional applications and data processing of the processor, that is, to implement the cross-protocol code stream encryption negotiation method of the method embodiments above.
The memory 1502 may include a program storage area and a data storage area, where the program storage area may store an operating system and an application program required for at least one function, and the data storage area may store data created by the processor 1501, and the like. Further, the memory 1502 may include high-speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid-state storage device. In some embodiments, the memory 1502 may optionally include memory located remotely from the processor 1501, which may be connected to the processor 1501 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 1502 and, when executed by the processor 1501, perform a cross-protocol codestream encryption negotiation method as in the embodiments of fig. 1-6.
The details of the conference device may be understood by referring to the corresponding descriptions and effects in the embodiments shown in fig. 1 to fig. 6, and are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic Disk, an optical Disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory (Flash Memory), a Hard Disk (Hard Disk Drive, abbreviated as HDD), a Solid State Drive (SSD), or the like; the storage medium may also comprise a combination of memories of the kind described above.
Although the embodiments of the present invention have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope defined by the appended claims.

Claims (9)

1. A cross-protocol code stream encryption negotiation method, characterized by comprising the following steps: 
receiving a first protocol connection request signaling sent by a first conference terminal, wherein the first protocol connection request signaling carries code stream encryption information and an encrypted first code stream key;
sending a second protocol connection request signaling to a second conference terminal, wherein the second protocol connection request signaling carries the code stream encryption information and the encrypted first code stream key;
receiving a second protocol first signaling fed back by the second conference terminal based on the second protocol connection request signaling, wherein the second protocol first signaling carries a master-slave decision and a first message body, and the first message body comprises negotiated code stream encryption information and a negotiated encrypted code stream key;
storing the master-slave decision, and sending a first protocol first signaling to the first conference terminal, wherein the first protocol first signaling carries the first message body;
receiving a first protocol second signaling sent by the first conference terminal, wherein the first protocol second signaling is used for indicating the end of code stream encryption negotiation;
wherein, before the step of receiving the first protocol connection request signaling sent by the first conference terminal, the method further comprises:
sending a registration request to a server, wherein the registration request carries a public key;
receiving a master cipher table encrypted using the public key and the version number of the master cipher table, both sent by the server, wherein the master keys in the master cipher table correspond one-to-one to labels;
and decrypting the encrypted master cipher table using a private key corresponding to the public key to obtain the master cipher table.
2. The code stream encryption negotiation method of claim 1, wherein the code stream encryption information includes a version number of the master cipher table of the first conference terminal;
before the step of sending the second protocol connection request signaling to the second conference terminal, the method further includes:
judging whether the version number of the master cipher table of the first conference terminal matches the version number of the master cipher table obtained at registration;
and when the version number of the master cipher table of the first conference terminal does not match the version number of the master cipher table obtained at registration, re-registering with the server according to the relative order of the version numbers so as to update the version number.
3. The code stream encryption negotiation method of claim 2, wherein the code stream encryption information further comprises: a number of cryptographic algorithms and a first index for uniquely determining the master key in the master cryptographic table.
4. The code stream encryption negotiation method of claim 1, wherein the negotiated encrypted code stream key comprises:
when the first conference terminal is the master, the encrypted code stream key is determined by the encrypted first code stream key; or,
when the first conference terminal is the slave, the encrypted code stream key is determined by the negotiated code stream encryption information and a second code stream key generated by the second conference terminal.
5. A cross-protocol code stream encryption negotiation method, characterized by comprising the following steps:
receiving a second protocol connection request signaling sent by a second conference terminal, wherein the second protocol connection request signaling carries code stream encryption information;
sending a first protocol connection request signaling to a first conference terminal, wherein the first protocol connection request signaling carries the code stream encryption information;
receiving a first protocol second signaling fed back by the first conference terminal based on the first protocol connection request signaling, wherein the first protocol second signaling carries a second message body, and the second message body comprises negotiated code stream encryption information and an encrypted first code stream key;
sending a second protocol first signaling to the second conference terminal, wherein the second protocol first signaling carries the negotiated code stream encryption information and the encrypted first code stream key;
receiving a second protocol second signaling fed back by the second conference terminal based on the second protocol first signaling, wherein the second protocol second signaling carries the negotiated encrypted code stream key and a master-slave decision;
storing the master-slave decision, and sending a second protocol third signaling to the first conference terminal, wherein the second protocol third signaling is used for indicating the end of code stream encryption negotiation;
before the step of receiving the second protocol connection request signaling sent by the second conference terminal, the method further includes:
sending a registration request to a server, wherein the registration request carries a public key;
receiving a master cipher table encrypted using the public key and the version number of the master cipher table, both sent by the server, wherein the master keys in the master cipher table correspond one-to-one to labels;
and decrypting the encrypted master cipher table using a private key corresponding to the public key to obtain the master cipher table.
6. A cross-protocol code stream encryption negotiation device is characterized by comprising:
a first receiving module, configured to receive a first protocol connection request signaling sent by a first conference terminal, wherein the first protocol connection request signaling carries code stream encryption information and a plurality of encrypted first code stream keys; wherein, before the step of receiving the first protocol connection request signaling sent by the first conference terminal, the method further comprises: sending a registration request to a server, wherein the registration request carries a public key; receiving a master cipher table encrypted using the public key and the version number of the master cipher table, both sent by the server, wherein the master keys in the master cipher table correspond one-to-one to labels; decrypting the encrypted master cipher table using a private key corresponding to the public key to obtain the master cipher table;
the first sending module is used for sending a second protocol connection request signaling to a second conference terminal, wherein the second protocol connection request signaling carries the code stream encryption information and the encrypted first code stream key;
a second receiving module, configured to receive a second protocol first signaling fed back by the second conference terminal based on the second protocol connection request signaling, where the second protocol first signaling carries a master-slave decision and a first message body, and the first message body includes negotiated code stream encryption information and encrypted code stream encryption information;
a second sending module, configured to store the master-slave decision, and send a first protocol first signaling to the first conference terminal, where the first protocol first signaling carries the first message body;
and a third receiving module, configured to receive a first protocol second signaling sent by the first conference terminal, where the first protocol second signaling is used to indicate end of code stream encryption negotiation.
7. A cross-protocol code stream encryption negotiation device is characterized by comprising:
a fourth receiving module, configured to receive a second protocol connection request signaling sent by a second conference terminal, where the second protocol connection request signaling carries code stream encryption information; before the step of receiving the second protocol connection request signaling sent by the second conference terminal, the method further includes: sending a registration request to a server, wherein the registration request carries a public key; receiving a master cipher table encrypted using the public key and the version number of the master cipher table, both sent by the server, wherein the master keys in the master cipher table correspond one-to-one to labels; decrypting the encrypted master cipher table using a private key corresponding to the public key to obtain the master cipher table;
a third sending module, configured to send a first protocol connection request signaling to a first conference terminal, where the first protocol connection request signaling carries the code stream encryption information;
a fifth receiving module, configured to receive a first protocol second signaling fed back by the first conference terminal based on the first protocol connection request signaling, where the first protocol second signaling carries a second message body, and the second message body includes negotiated code stream encryption information and an encrypted first code stream key;
a fourth sending module, configured to send a second protocol first signaling to the second conference terminal, where the second protocol first signaling carries the negotiated code stream encryption information and the encrypted first code stream key;
a sixth receiving module, configured to receive a second protocol second signaling fed back by the second conference terminal based on the second protocol first signaling, where the second protocol second signaling carries a negotiated encrypted code stream key and a master-slave decision;
and a fifth sending module, configured to store the master-slave decision, and send a second protocol third signaling to the first conference terminal, where the second protocol third signaling is used to indicate end of code stream encryption negotiation.
8. A conferencing device, comprising:
a memory and a processor, the memory and the processor are connected with each other in communication, the memory stores computer instructions, and the processor executes the computer instructions to execute the inter-protocol codestream encryption negotiation method according to any one of claims 1 to 5.
9. A computer-readable storage medium storing computer instructions for causing a computer to execute the inter-protocol codestream encryption negotiation method according to any one of claims 1 to 5.
CN201810374991.8A 2018-04-24 2018-04-24 Cross-protocol code stream encryption negotiation method and device and conference equipment Active CN108696512B (en)


Publications (2)

Publication Number Publication Date
CN108696512A CN108696512A (en) 2018-10-23
CN108696512B true CN108696512B (en) 2021-02-02


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant