CN113840280A - Call encryption method, system, guide server, terminal and electronic equipment - Google Patents
Call encryption method, system, guide server, terminal and electronic equipment Download PDFInfo
- Publication number
- CN113840280A CN113840280A CN202010501282.9A CN202010501282A CN113840280A CN 113840280 A CN113840280 A CN 113840280A CN 202010501282 A CN202010501282 A CN 202010501282A CN 113840280 A CN113840280 A CN 113840280A
- Authority
- CN
- China
- Prior art keywords
- key
- terminal
- called terminal
- identifier
- calling terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Links
- 238000000034 method Methods 0.000 title claims abstract description 41
- 230000002457 bidirectional effect Effects 0.000 claims abstract description 16
- 238000004891 communication Methods 0.000 claims abstract description 16
- 239000013598 vector Substances 0.000 claims description 14
- 238000004590 computer program Methods 0.000 claims description 10
- 238000003860 storage Methods 0.000 claims description 10
- 238000013523 data management Methods 0.000 claims description 8
- 230000004044 response Effects 0.000 claims description 5
- 238000010586 diagram Methods 0.000 description 18
- 230000007246 mechanism Effects 0.000 description 9
- 230000008569 process Effects 0.000 description 8
- 230000005540 biological transmission Effects 0.000 description 7
- 230000006870 function Effects 0.000 description 6
- 238000009826 distribution Methods 0.000 description 3
- 239000002699 waste material Substances 0.000 description 3
- 238000007726 management method Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000001737 promoting effect Effects 0.000 description 1
- 230000004083 survival effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1069—Session establishment or de-establishment
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Abstract
The disclosure discloses a call encryption method, a call encryption system, a guide server, a terminal and electronic equipment, and relates to the field of communication safety. The method comprises the following steps: finishing bidirectional authentication with the calling terminal and generating a root key same as the calling terminal; sending a guide identifier corresponding to the authentication to the calling terminal so that the calling terminal carries the guide identifier to send a session request to the called terminal; receiving a request for acquiring a call shared key sent by a called terminal, wherein the request for acquiring the call shared key comprises a guide identifier and a called terminal identifier; inquiring a corresponding root key according to the guide identifier; generating a shared key according to the root key and the called terminal identifier; and sending the shared key to the called terminal so that the called terminal can carry out encrypted conversation with the calling terminal according to the shared key. The public guiding server does not need to distribute the shared secret key to the calling terminal, and the risk of secret key leakage is reduced.
Description
Technical Field
The present disclosure relates to the field of communication security, and in particular, to a method, a system, a bootstrap server, a terminal, and an electronic device for encrypting a call.
Background
Voice over Long-Term Evolution (LTE) is an end-to-end Voice scheme configured under the full IP condition on a 4G network, and Voice services are transmitted as data streams in the LTE network based on an IMS (IP Multimedia Subsystem) network.
The VoLTE voice data of the user terminal is easy to be intercepted or tampered in the transmission process, thereby threatening the privacy of the user. To realize end-to-end encrypted VoLTE voice, the generation, transmission, distribution and management of encryption keys are all difficult problems to be solved.
Disclosure of Invention
The technical problem to be solved by the present disclosure is to provide a call encryption method, system, boot server, terminal and electronic device, which reduces the risk of key leakage.
According to an aspect of the present disclosure, a method for encrypting a call is provided, including: finishing bidirectional authentication with the calling terminal and generating a root key same as the calling terminal; sending a guide identifier corresponding to the authentication to the calling terminal so that the calling terminal carries the guide identifier to send a session request to the called terminal; receiving a request for acquiring a call shared key sent by a called terminal, wherein the request for acquiring the call shared key comprises a guide identifier and a called terminal identifier; inquiring a corresponding root key according to the guide identifier; generating a shared key according to the root key and the called terminal identifier; and sending the shared key to the called terminal so that the called terminal can carry out encrypted conversation with the calling terminal according to the shared key.
In some embodiments, the lifetime of the root key is sent to the calling terminal, so that the calling terminal carries the bootstrap identifier to send the session request to the called terminal in the lifetime of the root key.
In some embodiments, the lifetime of the root key is sent to the called terminal, so that the called terminal performs encrypted communication with the calling terminal according to the shared key corresponding to the root key in the lifetime of the root key.
In some embodiments, the performing of the bidirectional authentication with the calling terminal comprises: receiving a guide authentication request sent by a calling terminal; acquiring an authentication vector in a user data management server according to the guiding authentication request; and authenticating the calling terminal according to the authentication vector.
According to another aspect of the present disclosure, a call encryption method is further provided, including: the calling terminal and the guide server complete bidirectional authentication and generate a root key same as that of the guide server; the calling terminal receives a guide identifier which is sent by a guide server and corresponds to the authentication, and sends a session request to the called terminal by carrying the guide identifier; a called terminal sends a request for obtaining a call shared key to a guide server, wherein the request for obtaining the call shared key comprises a guide identifier and a called terminal identifier; a called terminal receives a shared key sent by a guide server, wherein the shared key is generated according to a called terminal identifier and a root key corresponding to a guide identifier; and the called terminal and the calling terminal carry out encrypted communication according to the shared secret key.
In some embodiments, the encrypted conversation between the called terminal and the calling terminal according to the shared key includes: the called terminal sends a session response to the calling terminal; the calling terminal generates a shared key according to the root key corresponding to the called terminal identifier and the guide identifier; and the calling terminal and the called terminal carry out encrypted communication according to the shared secret key.
In some embodiments, the calling terminal receives a life cycle of a root key sent by the bootstrap server, and if the root key is in the life cycle, the root key carries a bootstrap identifier to send a session request to the called terminal, otherwise, the root key sends a bootstrap authentication request to the bootstrap server.
In some embodiments, the called terminal receives a lifetime of the root key sent by the bootstrap server, and performs an encrypted session with the calling terminal according to a shared key corresponding to the root key in the lifetime of the root key.
According to another aspect of the present disclosure, there is also provided a guidance server, including: the terminal authentication unit is configured to complete bidirectional authentication with the calling terminal; a first root key generation unit configured to generate a root key identical to the calling terminal; the guiding data sending unit is configured to send a guiding identifier corresponding to the authentication to the calling terminal so that the calling terminal carries the guiding identifier to send a session request to the called terminal; the key request receiving unit is configured to receive a call shared key acquisition request sent by a called terminal, wherein the call shared key acquisition request comprises a guide identifier and a called terminal identifier; a root key query unit configured to query a corresponding root key according to the guide identifier; a shared key generation unit configured to generate a shared key from the root key and the called terminal identifier; and a shared key sending unit configured to send the shared key to the called terminal so that the called terminal performs encrypted conversation with the calling terminal according to the shared key.
According to another aspect of the present disclosure, there is also provided a terminal, including: a server authentication unit configured to perform bidirectional authentication with the bootstrap server; a second root key generation unit configured to generate a root key identical to the boot server; the guiding data receiving unit is configured to receive a guiding identifier which is sent by the guiding server and corresponds to the authentication; the session request unit is configured to carry the guide identifier and send a session request to the called terminal; a key request sending unit configured to send a request for obtaining a call shared key to a bootstrap server, wherein the request for obtaining the call shared key comprises a bootstrap identifier and a called terminal identifier; the shared key receiving unit is configured to receive a shared key sent by the guide server, wherein the shared key is generated according to a called terminal identifier and a root key corresponding to the guide identifier; and an encrypted call unit configured to perform an encrypted call according to the shared key.
According to another aspect of the present disclosure, there is also provided a call encryption system, including: a boot server on; and a terminal of the above.
According to another aspect of the present disclosure, there is also provided an electronic device, including: a memory; and a processor coupled to the memory, the processor configured to perform the call encryption method as described above based on instructions stored in the memory.
According to another aspect of the present disclosure, a computer-readable storage medium is also proposed, on which computer program instructions are stored, which instructions, when executed by a processor, implement the above-mentioned call encryption method.
In the embodiment of the disclosure, the original authentication mechanism is used for realizing the root key agreement between the guidance server and the calling terminal and the generation of the shared key, the guidance server does not need to distribute the shared key to the calling terminal, and the risk of key leakage is reduced.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
fig. 1 is a flow diagram illustrating some embodiments of a call encryption method of the present disclosure.
Fig. 2 is a flowchart illustrating a call encryption method according to another embodiment of the disclosure.
Fig. 3 is a flowchart illustrating a call encryption method according to another embodiment of the disclosure.
Fig. 4 is a schematic structural diagram of some embodiments of a bootstrap server of the present disclosure.
Fig. 5 is a schematic structural diagram of some embodiments of a terminal of the present disclosure.
Fig. 6 is a schematic block diagram of some embodiments of the call encryption system of the present disclosure.
Fig. 7 is a schematic structural diagram of some embodiments of an electronic device of the present disclosure.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions, and numerical values set forth in these embodiments do not limit the scope of the present disclosure unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the disclosure, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
In all examples shown and discussed herein, any particular value should be construed as merely illustrative, and not limiting. Thus, other examples of the exemplary embodiments may have different values.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
For the purpose of promoting a better understanding of the objects, aspects and advantages of the present disclosure, reference is made to the following detailed description taken in conjunction with the accompanying drawings.
The related VoLTE encryption method mainly has the following problems: (1) an encryption key is injected by using an offline TF card, so that key storage and data encryption are realized, extra key management and safety protection are needed, and a terminal needs to be internally provided with a password card and occupies a terminal card slot. (2) The Key is generated, stored and distributed by using a KMC (Key Management Center), and the Key is difficult to ensure in the distribution and transmission process and occupies communication resources. (3) The asymmetric digital envelope technology is used for realizing encryption, transmission and sharing of the key, the efficiency is low, and the terminal requirement is high.
Fig. 1 is a flow diagram illustrating some embodiments of a call encryption method of the present disclosure. This embodiment is performed by the boot server.
In step 110, the bidirectional authentication is completed with the calling terminal, and the same root key as the calling terminal is generated.
In some embodiments, a guiding authentication request sent by a calling terminal is received, an authentication vector is obtained in a user data management server according to the guiding authentication request, and the calling terminal is authenticated according to the authentication vector. The Subscriber Data Management Server is, for example, HSS (Home Subscriber Server), HLR (Home Location Register), UDM (Unified Data Management), AUSF (Authentication service Function), and the like.
The authentication and the root key survival process in the step are both based on the original safe and reliable mobile network authentication mechanism, and the safety risk of key distribution is avoided. For example, sharing of keys may be implemented using a user card mobile network Authentication mechanism based on AKA (Authentication and Key Agreement) based on GBA (Generic Bootstrapping Architecture).
The bootstrap server can obtain the authentication vector from the HSS for authentication, and the terminal also has the same authentication data, so that the bidirectional authentication of the calling terminal and the bootstrap server can be realized. In the authentication process, the calling terminal and the bootstrap server generate a root key for dispersing the shared key.
In some embodiments, the root key is generated from card data common to the network and the user's SIM card.
In step 120, a guiding identifier corresponding to the authentication is sent to the calling terminal, so that the calling terminal carries the guiding identifier to send a session request to the called terminal.
The guide server generates a new guide identifier B-TID for the guide authentication process and sends the guide identifier to the calling terminal.
In some embodiments, the bootstrap server may further send a lifetime of the root key to the calling terminal, and the calling terminal carries the bootstrap identifier to send the session request to the called terminal in the lifetime of the root key. If the calling terminal judges that the root key has passed the life cycle, the calling terminal needs to send the guiding authentication request to the guiding server again.
In step 130, a request for obtaining a call shared key sent by a called terminal is received, where the request for obtaining the call shared key includes a bootstrap identifier and a called terminal identifier.
For example, the calling terminal carries a bootstrap identifier to send a session request to the called terminal. The called terminal checks whether an effective shared key corresponding to the guide identifier exists in the terminal, and if not, the called terminal carries the guide identifier and the called terminal identifier to request the guide server to acquire the call shared key.
In step 140, the corresponding root key is queried based on the bootstrap identification.
In step 150, a shared key is generated based on the root key and the called terminal identification.
The bootstrap server and the calling terminal disperse the shared secret key by using the same algorithm. In some embodiments, the shared key may also be obtained according to the root key, the called terminal identifier, and other parameters.
Because the shared key is related to the called terminal identification, the guiding server and the calling terminal dispersedly generate different shared keys according to different called terminals in the root key life cycle. Even if the calling terminal sends a plurality of different calls to a plurality of called terminals, the calling terminal does not need to negotiate with the guide server repeatedly, one secret in one machine within the validity period can be realized, and the waste of communication resources is reduced under the condition of ensuring the safety of the calls. In addition, since the lifetime of the root key may be set, for example, the lifetime of the root key is set to be shorter, when the calling terminal initiates a call to another or the same called terminal again, since the last scattered key is expired, the guiding authentication needs to be performed again to obtain a new root key, that is, the shared keys of the two previous and subsequent calls are different, and one-time pad can be implemented.
In step 160, the shared key is sent to the called terminal, so that the called terminal performs encrypted conversation with the calling terminal according to the shared key.
In some embodiments, the bootstrap server may further send the lifetime of the root key to the called terminal, so that the called terminal performs an encrypted session with the calling terminal according to a shared key corresponding to the root key within the lifetime of the root key.
In the above embodiment, the root key agreement and the generation of the shared key between the guidance server and the calling terminal are realized by using the original authentication mechanism, and the guidance server does not need to distribute the shared key to the calling terminal, thereby reducing the risk of key leakage. And, in this embodiment, the bootstrap server in the existing network is utilized, and no additional key management center is required to be established.
Fig. 2 is a flowchart illustrating a call encryption method according to another embodiment of the disclosure. This embodiment is performed by a terminal, wherein the terminal may be a calling terminal or a called terminal. The calling terminal is used as a terminal role in the GBA architecture, and the called terminal is used as an application party role in the GBA architecture.
In step 210, the calling terminal and the bootstrap server complete the bidirectional authentication and generate the same root key as the bootstrap server.
In some embodiments, the calling terminal detects whether a valid root key exists, and if not, sends a boot authentication request to the boot server so that the boot server obtains an authentication vector in the user data management server, and authenticates the calling terminal according to the authentication vector. And simultaneously, the calling terminal authenticates the guide server by using the stored authentication vector. In the authentication process, the calling terminal and the bootstrap server generate a root key for dispersing the shared key.
In step 220, the calling terminal receives the guiding identifier corresponding to the authentication sent by the guiding server, and sends a session request to the called terminal with the guiding identifier.
In some embodiments, the bootstrap server generates a new bootstrap identifier B-TID for the bootstrap authentication process, and sends the bootstrap identifier to the calling terminal.
In some embodiments, the calling terminal further receives a life cycle of the root key sent by the bootstrap server, and if the root key is in the life cycle, the root key carries the bootstrap identifier to send a session request to the called terminal, otherwise, the root key sends a bootstrap authentication request to the bootstrap server.
In step 230, the called terminal sends a request for obtaining the call shared key to the bootstrap server, where the request for obtaining the call shared key includes a bootstrap identifier and a called terminal identifier.
In some embodiments, the called terminal checks whether a valid shared key corresponding to the guiding identifier exists in the terminal, and if not, the called terminal carries the guiding identifier and the called terminal identifier to request the guiding server to acquire the call shared key.
In step 240, the called terminal receives the shared key transmitted by the bootstrapping server. And the shared secret key is generated according to the root secret key corresponding to the called terminal identification and the guide identification. The bootstrap server and the calling terminal disperse the shared secret key by using the same algorithm.
In some embodiments, the called terminal receives a lifetime of the root key sent by the bootstrap server, and performs an encrypted session with the calling terminal according to a shared key corresponding to the root key in the lifetime of the root key.
In step 250, the called terminal and the calling terminal perform encrypted communication according to the shared key.
In some embodiments, the called terminal sends a session response to the calling terminal; the calling terminal generates a shared key according to the root key corresponding to the called terminal identifier and the guide identifier; and the calling terminal and the called terminal carry out encrypted communication according to the shared secret key.
In the above embodiment, the AKA authentication mechanism is used to implement root key agreement between the guidance server and the calling terminal and generation of the shared key, and the guidance server does not need to distribute the shared key to the calling terminal, thereby reducing the risk of key leakage. In addition, the terminal does not need to store the shared secret key, so that a built-in password card is not needed in the terminal, and the occupation of a terminal card slot is reduced.
Fig. 3 is a flowchart illustrating a call encryption method according to another embodiment of the disclosure.
In step 310, the user clicks the encrypted call button on the calling terminal to initiate an encrypted call.
In step 320, the calling terminal checks whether a valid root key exists, if not, step 330 is performed, otherwise, step 370 is performed.
The root key may be stored in the terminal or in the GBA-U supported user card.
In step 330, the calling terminal sends a bootstrapping authentication request to the bootstrapping server.
The bootstrapping server requests an authentication vector from the HSS in step 340.
In step 350, both the bootstrapping server and the calling terminal complete AKA authentication and generate the root key of the user distributed shared key using the same algorithm.
In step 360, the bootstrap server sends the bootstrap identity and the validity period of the root key to the calling terminal.
In step 370, the calling terminal sends a session request to the called terminal, where the session request carries the call type and the guiding identifier. The call type is, for example, that the call is an encrypted call, so that the called terminal knows to perform an encrypted call with the calling terminal. If the call type is a common call, encrypted call with the calling terminal is not needed.
In step 380, the called terminal detects whether there is a valid shared key corresponding to the guiding identifier in the terminal, if not, step 390 is executed, otherwise, step 3120 is executed.
In step 390, the called terminal carries the guiding identifier and the called terminal identifier to request the guiding server to obtain the call sharing key.
In step 3100, the bootstrap server queries a corresponding root key according to the bootstrap identifier, and distributes a corresponding shared key according to the root key and the called terminal identifier.
In step 3110, the bootstrap server sends the shared key and the key validity period to the called terminal.
In step 3120, the called terminal sends a session response to the calling terminal. I.e. in response to an encrypted call request from the calling terminal.
Each called terminal is equal to a Network Application Function (NAF) Network element of a global positioning system (GBA) architecture, and the called terminal acquires a dispersed key from a bootstrap server on the basis of the safety of internet protocol multimedia subsystem (IMS) registration authentication, so that the key sharing with the calling terminal is realized.
In step 3130, the calling terminal disperses a corresponding shared secret key according to the root secret key and the called terminal identity.
In step 3140, the calling terminal and the called terminal perform encrypted communication according to the shared key.
In the above embodiment, based on the GBA bootstrapping architecture, the root key agreement between the calling terminal and the bootstrapping server is realized by using the native and secure AKA authentication mechanism of the mobile network, and in the authentication and key agreement processes, the root key is generated according to the common card data of the network and the user SIM card, and the keys do not need to be transmitted and distributed, thereby improving the security of the call. In addition, existing network elements of the existing network are utilized, a key management center does not need to be additionally built, a terminal card slot does not need to be occupied, and resource waste is reduced.
The framework and the flow of the method can be applied to 4G and 5G networks, and the portability is high.
Fig. 4 is a schematic structural diagram of some embodiments of a bootstrap server of the present disclosure. The boot server includes: a terminal authentication unit 410, a first root key generation unit 420, a boot data transmission unit 430, a key request receiving unit 440, a root key inquiry unit 450, a shared key generation unit 460, and a shared key transmission unit 470.
The terminal authentication unit 410 is configured to perform bidirectional authentication with the calling terminal.
In some embodiments, the terminal authentication unit 410 receives the guiding authentication request sent by the calling terminal, obtains an authentication vector in the user data management server according to the guiding authentication request, and authenticates the calling terminal according to the authentication vector.
The first root key generation unit 420 is configured to generate the same root key as the calling terminal.
In some embodiments, the root key is generated from card data common to the network and the user's SIM card.
The guiding data sending unit 430 is configured to send a guiding identifier corresponding to the authentication to the calling terminal, so that the calling terminal carries the guiding identifier to send a session request to the called terminal.
In some embodiments, the guiding data sending unit 430 is further configured to send the lifetime of the root key to the calling terminal, and the calling terminal sends the session request to the called terminal with the guiding identifier in the lifetime of the root key.
The key request receiving unit 440 is configured to receive a call shared key obtaining request sent by a called terminal, where the call shared key obtaining request includes a bootstrap identifier and a called terminal identifier.
The root key querying unit 450 is configured to query the corresponding root key according to the bootstrap identification.
The shared key generation unit 460 is configured to generate a shared key from the root key and the called terminal identification.
The shared key transmitting unit 470 is configured to transmit the shared key to the called terminal so that the called terminal performs an encrypted call with the calling terminal according to the shared key.
In some embodiments, the shared key sending unit 470 may further send the lifetime of the root key to the called terminal, so that the called terminal performs an encrypted session with the calling terminal according to the shared key corresponding to the root key in the lifetime of the root key.
In the above embodiment, key agreement and shared key generation between the guidance server and the calling terminal are implemented by using an AKA authentication mechanism, and the guidance server does not need to distribute the shared key to the calling terminal, thereby reducing the risk of key leakage.
Fig. 5 is a schematic structural diagram of some embodiments of a terminal of the present disclosure. The terminal can be used as a calling terminal and a called terminal, wherein the calling terminal is used as a terminal role in the GBA architecture, and the called terminal is used as an application party role in the GBA architecture. The terminal includes a server authentication unit 510, a second root key generation unit 520, a boot data reception unit 530, a session request unit 540, a key request transmission unit 550, a shared key reception unit 560, and an encrypted call unit 570.
The server authentication unit 510 is configured to perform bidirectional authentication with the bootstrap server.
Second root key generation unit 520 is configured to generate the same root key as the boot server. In the authentication process, the calling terminal and the bootstrap server generate a root key for dispersing the shared key.
The bootstrap data receiving unit 530 is configured to receive the bootstrap identifier corresponding to the authentication sent by the bootstrap server.
In some embodiments, the bootstrap data receiving unit 530 is further configured to receive a lifetime of the root key sent by the bootstrap server, if the root key is in the lifetime, the session requesting unit 540 carries the bootstrap identifier to send the session request to the called terminal, otherwise, the server authenticating unit 510 sends the bootstrap authentication request to the bootstrap server.
The session request unit 540 is configured to send a session request to the called terminal with the bootstrap identifier.
The key request sending unit 550 is configured to send a request for obtaining a call shared key to the bootstrap server, where the request for obtaining the call shared key includes a bootstrap identifier and a called terminal identifier.
In some embodiments, the called terminal checks whether a valid shared key corresponding to the guiding identifier exists in the terminal, and if not, the called terminal carries the guiding identifier and the called terminal identifier to request the guiding server to acquire the call shared key.
The shared key receiving unit 560 is configured to receive a shared key sent by the bootstrap server, where the shared key is generated according to a root key corresponding to the called terminal identifier and the bootstrap identifier.
In some embodiments, the shared key receiving unit 560 is further configured to receive a lifetime of the root key sent by the bootstrap server.
The encrypted call unit 570 is configured to conduct an encrypted call according to the shared key.
In some embodiments, during the lifetime of the root key, the calling terminal and the called terminal perform encrypted conversation according to a shared key corresponding to the root key.
In some embodiments, the encrypted telephony unit 570, when located in the calling terminal, is further configured to generate a shared secret key based on the root key corresponding to the called terminal identity and the bootstrapping identity.
In the above embodiment, key agreement and shared key generation between the guidance server and the calling terminal are implemented by using an AKA authentication mechanism, and the guidance server does not need to distribute the shared key to the calling terminal, thereby reducing the risk of key leakage.
Fig. 6 is a schematic block diagram of some embodiments of the call encryption system of the present disclosure. The call encryption system includes the above-mentioned bootstrap server 610 and terminal 620, wherein the terminal can be used as a calling terminal 621 or a called terminal 622. The calling terminal 621 acts as a terminal in the GBA architecture, and the called terminal 622 acts as an application in the GBA architecture.
In some embodiments, the call encryption system further comprises a subscriber data management server 630 configured to provide authentication vectors to the bootstrapping server, e.g., HSS, HLR, UDM, AUSF, etc.
In the above embodiment, root key negotiation is performed between the calling terminal and the guidance server, and the guidance server sends the guidance identifier and the key validity period to the calling terminal without sending the shared key to the calling terminal. The calling terminal sends the guide identification to the called terminal within the validity period of the secret key, generates the shared secret key, and the called terminal obtains the shared secret key through the guide server, so that secret key sharing between the calling terminal and the called terminal is realized, encrypted conversation is carried out, the secret key leakage risk is reduced, and the system safety is improved. In addition, different shared keys are generated in a dispersed manner according to different called terminals in the life cycle of the root key, and one-time one-key or one-machine one-key can be realized without repeatedly negotiating the keys under the condition that the calling terminal initiates a plurality of different calls, so that the waste of communication resources is reduced.
Fig. 7 is a schematic structural diagram of some embodiments of an electronic device of the present disclosure. The electronic device 700 includes a memory 710 and a processor 720. Wherein: the memory 710 may be a magnetic disk, flash memory, or any other non-volatile storage medium. The memory 710 is used to store the instructions of the corresponding embodiment of fig. 1 when the electronic device is located in the boot server. The memory 710 is used to store instructions in the embodiment corresponding to fig. 2 when the electronic device is located in the terminal. Processor 720, coupled to memory 710, may be implemented as one or more integrated circuits, such as a microprocessor or microcontroller. The processor 720 is configured to execute instructions stored in the memory.
In some embodiments, processor 720 is coupled to memory 710 through a BUS BUS 730. The electronic device 700 may also be connected to an external storage system 750 through a storage interface 740 for retrieving external data, and may also be connected to a network or another computer system (not shown) through a network interface 760. And will not be described in detail herein.
In the embodiment, the data instruction is stored in the memory, the instruction is processed by the processor, the root key agreement between the guidance server and the calling terminal and the generation of the shared key are realized by utilizing the original authentication mechanism, the guidance server does not need to distribute the shared key to the calling terminal, and the risk of key leakage is reduced.
In other embodiments, a computer-readable storage medium has stored thereon computer program instructions which, when executed by a processor, implement the steps of the method in the embodiments corresponding to fig. 1-3. As will be appreciated by one skilled in the art, embodiments of the present disclosure may be provided as a method, apparatus, or computer program product. Accordingly, the present disclosure may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present disclosure may take the form of a computer program product embodied on one or more computer-usable non-transitory storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Thus far, the present disclosure has been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be appreciated by those skilled in the art that modifications may be made to the above embodiments without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.
Claims (13)
1. A call encryption method comprises the following steps:
finishing bidirectional authentication with a calling terminal and generating a root key same as the calling terminal;
sending a guiding identification corresponding to the authentication to the calling terminal so that the calling terminal carries the guiding identification to send a session request to a called terminal;
receiving a request for acquiring a call shared key sent by the called terminal, wherein the request for acquiring the call shared key comprises the guide identifier and a called terminal identifier;
inquiring a corresponding root key according to the guide identifier;
generating a shared key according to the root key and the called terminal identification; and
and sending the shared secret key to the called terminal so that the called terminal can carry out encrypted communication with the calling terminal according to the shared secret key.
2. The call encryption method according to claim 1, further comprising:
and sending the life cycle of the root key to the calling terminal so that the calling terminal carries the guide identifier to send a session request to the called terminal in the life cycle of the root key.
3. The call encryption method according to claim 1, further comprising:
and sending the life cycle of the root key to the called terminal so that the called terminal can carry out encrypted communication with the calling terminal according to the shared key corresponding to the root key in the life cycle of the root key.
4. The call encryption method according to any one of claims 1 to 3, wherein performing bidirectional authentication with the calling terminal comprises:
receiving a guide authentication request sent by the calling terminal;
acquiring an authentication vector in a user data management server according to the guide authentication request; and
and authenticating the calling terminal according to the authentication vector.
5. A call encryption method comprises the following steps:
the calling terminal and the guide server complete bidirectional authentication and generate a root key same as that of the guide server;
the calling terminal receives a guide identifier which is sent by the guide server and corresponds to the authentication, and sends a session request to the called terminal by carrying the guide identifier;
the called terminal sends a request for obtaining a call shared key to the guide server, wherein the request for obtaining the call shared key comprises the guide identifier and the called terminal identifier;
the called terminal receives a shared key sent by the guide server, wherein the shared key is generated according to the called terminal identification and a root key corresponding to the guide identification; and
and the called terminal and the calling terminal carry out encrypted communication according to the shared secret key.
6. The call encryption method according to claim 5, wherein the encrypted call between the called terminal and the calling terminal according to the shared key comprises:
the called terminal sends a session response to the calling terminal;
the calling terminal generates the shared secret key according to the called terminal identification and the root secret key corresponding to the guide identification; and
and the calling terminal and the called terminal carry out encrypted communication according to the shared secret key.
7. The call encryption method according to claim 5, further comprising:
and the calling terminal receives the life cycle of the root key sent by the guide server, if the root key is in the life cycle, the root key carries the guide identifier to send a session request to the called terminal, and if not, the calling terminal sends a guide authentication request to the guide server.
8. The call encryption method according to claim 5, further comprising:
and the called terminal receives the life cycle of the root key sent by the guide server and carries out encrypted communication with the calling terminal according to the shared key corresponding to the root key in the life cycle of the root key.
9. A boot server, comprising:
the terminal authentication unit is configured to complete bidirectional authentication with the calling terminal;
a first root key generation unit configured to generate a root key identical to the calling terminal;
a guiding data sending unit configured to send a guiding identifier corresponding to the authentication to the calling terminal, so that the calling terminal carries the guiding identifier to send a session request to a called terminal;
a key request receiving unit, configured to receive a request for obtaining a call shared key sent by the called terminal, where the request for obtaining the call shared key includes the bootstrap identifier and a called terminal identifier;
a root key query unit configured to query a corresponding root key according to the guide identifier;
a shared key generating unit configured to generate a shared key according to the root key and the called terminal identifier; and
and the shared key sending unit is configured to send the shared key to the called terminal so that the called terminal can carry out encrypted conversation with the calling terminal according to the shared key.
10. A terminal, comprising:
a server authentication unit configured to perform bidirectional authentication with the bootstrap server;
a second root key generation unit configured to generate a root key identical to the boot server;
the guiding data receiving unit is configured to receive a guiding identifier which is sent by the guiding server and corresponds to the authentication;
the session request unit is configured to carry the guide identifier to send a session request to the called terminal;
a key request sending unit configured to send a request for obtaining a call shared key to the bootstrap server, wherein the request for obtaining the call shared key includes the bootstrap identifier and a called terminal identifier;
a shared key receiving unit configured to receive a shared key sent by the bootstrap server, wherein the shared key is generated according to the called terminal identifier and a root key corresponding to the bootstrap identifier; and
and the encrypted call unit is configured to carry out encrypted call according to the shared secret key.
11. A call encryption system comprising:
the bootstrap server of claim 9; and
the terminal of claim 10.
12. An electronic device, comprising:
a memory; and
a processor coupled to the memory, the processor configured to perform the call encryption method of any of claims 1-8 based on instructions stored in the memory.
13. A computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the call encryption method of any one of claims 1 to 8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010501282.9A CN113840280A (en) | 2020-06-04 | 2020-06-04 | Call encryption method, system, guide server, terminal and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010501282.9A CN113840280A (en) | 2020-06-04 | 2020-06-04 | Call encryption method, system, guide server, terminal and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113840280A true CN113840280A (en) | 2021-12-24 |
Family
ID=78963330
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010501282.9A Withdrawn CN113840280A (en) | 2020-06-04 | 2020-06-04 | Call encryption method, system, guide server, terminal and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113840280A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1870500A (en) * | 2006-01-24 | 2006-11-29 | 华为技术有限公司 | Method of strengthening universal authority identifying structure used for non-IMS terminal |
| CN101039311A (en) * | 2006-03-16 | 2007-09-19 | 华为技术有限公司 | Identification web page service network system and its authentication method |
| US20090138955A1 (en) * | 2007-11-28 | 2009-05-28 | Preetida Vinayakray-Jani | Using gaa to derive and distribute proxy mobile node home agent keys |
| CN101917711A (en) * | 2010-08-25 | 2010-12-15 | 中兴通讯股份有限公司 | Mobile communication system and voice call encryption method thereof |
| CN103051594A (en) * | 2011-10-13 | 2013-04-17 | 中兴通讯股份有限公司 | Method, network side equipment and system of establishing end-to-end security of marked net |
-
2020
- 2020-06-04 CN CN202010501282.9A patent/CN113840280A/en not_active Withdrawn
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1870500A (en) * | 2006-01-24 | 2006-11-29 | 华为技术有限公司 | Method of strengthening universal authority identifying structure used for non-IMS terminal |
| CN101039311A (en) * | 2006-03-16 | 2007-09-19 | 华为技术有限公司 | Identification web page service network system and its authentication method |
| US20090138955A1 (en) * | 2007-11-28 | 2009-05-28 | Preetida Vinayakray-Jani | Using gaa to derive and distribute proxy mobile node home agent keys |
| CN101917711A (en) * | 2010-08-25 | 2010-12-15 | 中兴通讯股份有限公司 | Mobile communication system and voice call encryption method thereof |
| CN103051594A (en) * | 2011-10-13 | 2013-04-17 | 中兴通讯股份有限公司 | Method, network side equipment and system of establishing end-to-end security of marked net |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11296877B2 (en) | Discovery method and apparatus based on service-based architecture | |
| KR101485230B1 (en) | Secure multi-uim authentication and key exchange | |
| US11496320B2 (en) | Registration method and apparatus based on service-based architecture | |
| US20190068591A1 (en) | Key Distribution And Authentication Method And System, And Apparatus | |
| CN107800539B (en) | Authentication method, authentication device and authentication system | |
| US9485232B2 (en) | User equipment credential system | |
| US8559633B2 (en) | Method and device for generating local interface key | |
| KR20190139203A (en) | Method for managing communication between server and user equipment | |
| CN111050314A (en) | Client registration method, device and system | |
| KR20070096060A (en) | Secure bootstrapping for wireless communications | |
| JP7301852B2 (en) | A method for determining a key for securing communication between a user device and an application server | |
| US9608971B2 (en) | Method and apparatus for using a bootstrapping protocol to secure communication between a terminal and cooperating servers | |
| JP2018532325A (en) | User equipment UE access method, access device, and access system | |
| WO2006097041A1 (en) | A general authentication former and a method for implementing the authentication | |
| JP2016519873A (en) | Establishing secure voice communication using a generic bootstrapping architecture | |
| CN111641498A (en) | Key determination method and device | |
| CN114338618A (en) | Multi-party call method, system, conference server and electronic equipment | |
| WO2013044766A1 (en) | Service access method and device for cardless terminal | |
| US20240089728A1 (en) | Communication method and apparatus | |
| US20090136043A1 (en) | Method and apparatus for performing key management and key distribution in wireless networks | |
| AU2010329814B2 (en) | Smart card security feature profile in home subscriber server | |
| CN116233832A (en) | Verification information sending method and device | |
| CN111800791B (en) | Authentication method, core network equipment and terminal | |
| CN113840280A (en) | Call encryption method, system, guide server, terminal and electronic equipment | |
| CN112995090B (en) | Authentication method, device and system for terminal application and computer readable storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WW01 | Invention patent application withdrawn after publication | ||
| WW01 | Invention patent application withdrawn after publication |
Application publication date: 20211224 |