CN114827093A - Communication method, device, system and storage medium - Google Patents


Info

Publication number
CN114827093A
Authority
CN
China
Prior art keywords
encryption
target
decryption
session
forwarding
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110064807.1A
Other languages
Chinese (zh)
Inventor
李鹏
陈广华
钟敬辉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Multimedia (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiments of the application provide a communication method, device, system and storage medium. In these embodiments an encryption/decryption unit carries the encryption/decryption service, so that the service is separated from the forwarding device and the encryption/decryption service used in encrypted communication is not affected by a restart of the forwarding device. The forwarding device carries the forwarding service and, while forwarding, records the session state information of the running sessions in a storage unit; after a restart, the forwarding device can recover the sessions on the basis of the session state information held in the storage unit, so that both the sessions and the encryption/decryption service are recovered automatically after the restart. As a result, a restart of the forwarding device no longer interrupts the session, the user is essentially unaware of the restart, and the user experience is effectively improved.

Description

Communication method, device, system and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a communication method, device, system, and storage medium.
Background
In RTC (real-time audio/video communication), an SFU (Selective Forwarding Unit) is responsible for encrypting/decrypting and forwarding the audio/video media streams and sits at the central node of the audio/video communication system.
In many situations, such as a crash, an upgrade or capacity expansion, the SFU has to be restarted. An SFU restart can cause encryption/decryption failures and session interruption in the RTC, and users must re-establish their sessions, which is inconvenient; the loss is all the greater when the SFU is carrying a large number of users.
Disclosure of Invention
Aspects of the present disclosure provide a communication method, apparatus, system, and storage medium to implement a warm reboot of an encrypted communication service.
The embodiments of the application provide a communication system comprising a forwarding device, an encryption/decryption unit and a storage unit, the forwarding device being communicatively connected to the encryption/decryption unit and the storage unit;
the forwarding device is configured to record session state information of a target session in the storage unit while performing encrypted forwarding of the target session, the session state information serving as the basis for recovering the target session after the forwarding device restarts, and to initiate an encryption/decryption service request to the encryption/decryption unit for the target session;
the encryption/decryption unit is configured to perform encryption/decryption processing on the target session according to the encryption/decryption service request, so as to support the forwarding device in performing encrypted forwarding of the target session;
the storage unit is configured to store the session state information of the target session.
The embodiment of the present application further provides a communication method, which is applicable to a forwarding device in a communication system, and includes:
in the process of encrypting and forwarding the target session, recording the session state information of the target session in a storage unit in the communication system as a basis for recovering the target session after the forwarding equipment is restarted;
and initiating an encryption/decryption service request to the encryption/decryption unit aiming at the target session, so that the encryption/decryption unit performs encryption/decryption processing on the target session according to the encryption/decryption service request, and supports the forwarding device to perform encryption forwarding on the target session.
The embodiment of the present application further provides a communication method, which is applicable to an encryption/decryption device in a communication system, and includes:
receiving a communication handshake message for a target media stream, initiated by a communication terminal of a target session and forwarded by a forwarding device in the communication system;
according to the communication handshake message, negotiating with the communication end corresponding to the target session to obtain a communication key;
encrypting/decrypting the target media stream on the basis of the communication key;
and returning the encrypted/decrypted media stream to the forwarding device, so that the forwarding device can perform encrypted forwarding of the target session.
The embodiment of the application also provides forwarding equipment, which comprises a memory, a processor and a communication component;
the memory is to store one or more computer instructions;
the processor, coupled with the memory and the communication component, to execute the one or more computer instructions to:
in the process of encrypting and forwarding the target session, recording the session state information of the target session in a storage unit in the communication system through the communication assembly, and taking the session state information as a basis for recovering the target session after the forwarding equipment is restarted;
and initiating an encryption/decryption service request to the encryption/decryption unit aiming at the target session, so that the encryption/decryption unit performs encryption/decryption processing on the target session according to the encryption/decryption service request, and supports the forwarding device to perform encryption forwarding on the target session.
The embodiment of the application also provides encryption/decryption equipment, which comprises a memory, a processor and a communication component;
the memory is to store one or more computer instructions;
the processor, coupled with the memory and the communication component, to execute the one or more computer instructions to:
receiving a communication handshake message for a target media stream, initiated by a communication terminal of a target session and forwarded by a forwarding device in the communication system;
according to the communication handshake message, negotiating with the communication end corresponding to the target session to obtain a communication key;
encrypting/decrypting the target media stream on the basis of the communication key;
and returning the encrypted/decrypted media stream to the forwarding device, so that the forwarding device can perform encrypted forwarding of the target session.
Embodiments of the present application also provide a computer-readable storage medium storing computer instructions that, when executed by one or more processors, cause the one or more processors to perform the aforementioned communication method.
In the embodiments of the application, the encryption/decryption unit carries the encryption/decryption service, so that the service is separated from the forwarding device and the encryption/decryption service used in encrypted communication is not affected by a restart of the forwarding device. The forwarding device carries the forwarding service and, while forwarding, records the session state information of the running sessions in the storage unit; after a restart, the forwarding device can recover the sessions on the basis of the session state information held in the storage unit, so that both the sessions and the encryption/decryption service are recovered automatically after the restart. Consequently, a restart of the forwarding device no longer interrupts the session, the user is essentially unaware of the restart, and the user experience is effectively improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic structural diagram of a communication system according to an exemplary embodiment of the present application;
fig. 2 is a logic diagram of an automatic recovery scheme after a forwarding device is restarted according to an exemplary embodiment of the present application;
fig. 3 is a schematic structural diagram of another communication system provided in an exemplary embodiment of the present application;
FIG. 4 is a logic diagram of an encryption/decryption scheme provided by an exemplary embodiment of the present application;
fig. 5 is a flowchart illustrating a communication method according to another exemplary embodiment of the present application;
fig. 6 is a flowchart illustrating another communication method according to another exemplary embodiment of the present application;
fig. 7 is a schematic structural diagram of a forwarding device according to another exemplary embodiment of the present application;
fig. 8 is a schematic structural diagram of an encryption/decryption device according to another exemplary embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, a restart of the forwarding device can interrupt sessions, which is inconvenient for the user. To address this, in some embodiments of the present application an encryption/decryption unit carries the encryption/decryption service, so that the service is separated from the forwarding device and the encryption/decryption service used in encrypted communication is not affected by a restart of the forwarding device; the forwarding device carries the forwarding service and, while forwarding, records the session state information of the running sessions in the storage unit, so that after a restart it can recover the sessions on the basis of that session state information, achieving automatic recovery of both the sessions and the encryption/decryption service. Consequently, in these embodiments a restart of the forwarding device no longer interrupts the session, the user is essentially unaware of the restart, and the user experience is effectively improved.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a communication system according to an exemplary embodiment of the present application. As shown in fig. 1, the system includes: a forwarding device 10, an encryption/decryption unit 20 and a storage unit 30, the forwarding device 10 being communicatively connected to the encryption/decryption unit 20 and the storage unit 30.
In terms of physical implementation, the forwarding device 10 may be a server device such as a conventional server, a cloud host or a virtualization center; such a server device mainly comprises a processor, a hard disk, memory, a system bus and the like, similar to a general computer architecture. For example, in an RTC scenario the forwarding device 10 may be an SFU (Selective Forwarding Unit). The storage unit 30 may be a distributed storage system or the like, for example Redis (Remote Dictionary Server). The present embodiment does not limit the physical implementation forms of the forwarding device 10 and the storage unit 30.
The communication system provided by this embodiment can be used in various encrypted communication scenarios, for example RTC (Real-Time Communication, real-time audio and video communication) scenarios and live broadcast scenarios. RTC scenarios include, but are not limited to, online conferences, online education and video calls; live broadcast scenarios include, but are not limited to, video monitoring and live video streaming. The present embodiment does not limit the application scenario.
In an encrypted communication scenario, the session is encrypted to protect the privacy of the communicating parties. Sessions distinguish different communication ends: a single session corresponds to one communication end. When a communication terminal first initiates a forwarding request to the forwarding device 10, the forwarding device 10 may issue a session ID to that terminal. When the terminal later initiates further forwarding requests, the forwarding device 10 checks whether a session ID already exists for the terminal; if so, the requests are treated as belonging to the same session, and if not (for example, because the terminal has not initiated a forwarding request for a long time and the forwarding device 10 has deleted the session ID it issued), a new session ID may be created for the terminal. In this embodiment, the forwarding device 10 may provide forwarding services for different sessions (i.e. different communication terminals). In RTC-like scenarios the session is usually bidirectional, and the communication end may initiate either a push-stream request or a pull-stream request to the forwarding device 10. In the live broadcast scenario mentioned above the session is usually unidirectional, and the communication end usually only initiates pull-stream requests to the forwarding device 10. This embodiment does not limit this; a session may be configured as unidirectional or bidirectional according to actual needs.
Based on this, in this embodiment the forwarding device 10 may create a target session and is responsible for performing encrypted forwarding of it. While the communication system is operating normally, the forwarding device 10 may record the session state information of the target session in the storage unit 30 during encrypted forwarding, as the basis for recovering the target session after the forwarding device 10 restarts. Preferably, the forwarding device 10 uses the storage unit 30 closest to it (for example, in the same area or the same machine room) to record the session state information, which improves session recovery speed. Accordingly, the storage unit 30 may be configured to store the session state information of the target session.
In this embodiment, the forwarding device 10 may store the session state information as key-value pairs. To do so, the forwarding device 10 may configure a session key for the target session and record the session state information under that key. The session state information describes the attributes and configuration of the session and may include, but is not limited to, a signaling state record, a connection state record, an encryption/decryption state record, a media description information record and a subscription information record. These exemplary records are described below:
the signaling state record records the result of the signaling interaction;
the connection state record records the finally selected transmission path; for example, the ICE (Interactive Connectivity Establishment) state may be recorded, chiefly the finally selected candidate address pair (candidate pair);
the encryption/decryption state record records the interaction information with the encryption/decryption unit 20, including but not limited to the identifier of the encryption/decryption task corresponding to the session and the identifier of the task address used in the encryption/decryption unit 20;
the media description information record mainly records the negotiation result of the media description information, for example the SDP (Session Description Protocol) negotiation result;
and the subscription information record records the subscription relationships between communication terminals.
It should be noted that the session state information listed above is only exemplary; in this embodiment the forwarding device 10 may also record other types of information that can support session recovery in the storage unit 30, and this embodiment is not limited in this respect.
From the perspective of the target session, the forwarding device 10 may create the session key and session state information for the target session when the target session is created, and delete them from the storage unit 30 when the target session ends. Likewise, from the overall perspective, the forwarding device 10 creates a session key and session state information in the storage unit 30 whenever a new session appears, and deletes the session key and session state information of a session whenever that session ends. In practice the various session states change in real time; in this embodiment the forwarding device 10 may write the new session state information to the storage unit 30 once it has determined that the new session state has been successfully applied. The session state information in the storage unit 30 therefore changes dynamically, and the storage unit 30 always holds the latest and most accurate session state information.
Accordingly, in this embodiment the storage unit 30 can accurately and comprehensively record the session state information of the sessions running on the forwarding device 10, providing an accurate and comprehensive basis for session recovery after the forwarding device 10 restarts.
In addition, in this embodiment the forwarding device 10 may also record the time of its most recent start in the storage unit 30. This time can later be used to judge whether a cycle restart (a restart loop) is occurring during a subsequent restart.
In this embodiment the forwarding device 10 may also initiate an encryption/decryption service request to the encryption/decryption unit 20 for the target session. The encryption/decryption unit 20 may perform encryption/decryption processing on the target session according to that request, so as to support the forwarding device 10 in performing encrypted forwarding of the target session. The encryption/decryption processing performed by the encryption/decryption unit 20 is described in detail later. Because the encryption/decryption processing is no longer performed by the forwarding device 10, a restart of the forwarding device 10 does not affect the encryption/decryption service, and automatic resumption of the encryption/decryption service after the forwarding device 10 restarts can be supported.
It should be noted that, in this embodiment, the forwarding devices 10, the encryption/decryption units 20, and the storage units 30 included in the communication system are not limited to the number shown in fig. 1, and the deployment locations of the forwarding devices 10, the encryption/decryption units 20, and the storage units 30 may be distributed in a plurality of areas, a plurality of rooms, and the like according to the communication requirements, which is not limited in this embodiment.
In this embodiment, the encryption/decryption unit 20 carries the encryption/decryption service, so that the service is separated from the forwarding device 10 and the encryption/decryption service used in encrypted communication is not affected by a restart of the forwarding device 10; the forwarding device 10 carries the forwarding service and, while forwarding, records the session state information of the running sessions in the storage unit 30, so that after a restart the sessions can be recovered on the basis of the session state information in the storage unit 30, achieving automatic recovery of both the sessions and the encryption/decryption service. Accordingly, in this embodiment a restart of the forwarding device 10 no longer interrupts the session, the user is essentially unaware of the restart, and the user experience is effectively improved.
In the above or below embodiments, the forwarding device 10 may restart in the event of a crash, upgrade, or capacity expansion. Fig. 2 is a logic diagram of an automatic recovery scheme after a restart of a forwarding device according to an exemplary embodiment of the present application. Referring to fig. 2, for the forwarding device 10, session state information corresponding to each of at least one session may be read from the storage unit 30 after the restart; and recovering at least one session according to the session state information corresponding to the at least one session.
In general, a single session may contain at least one media stream during its lifetime. Media streams can be divided into push streams and pull streams: a push stream is a media stream that a communication terminal provides to the forwarding device 10, and a pull stream is the push stream of another communication terminal to which this terminal subscribes. For example, if communication terminal A subscribes to communication terminals B and C in the target session, terminal A provides the media stream it captures to the forwarding device 10 as a push stream, and the forwarding device 10 provides the media streams pushed by terminals B and C to terminal A as the pull streams it has subscribed to. Based on this, in this embodiment the forwarding device 10 first recovers the sessions containing push streams and then recovers the sessions containing pull streams, so that each pull-stream session can find the push stream it needs. Referring to fig. 2, the forwarding device 10 parses the session state information of push-stream sessions and restores them, then parses the session state information of pull-stream sessions and restores them. For each pull-stream session the forwarding device 10 further determines whether a session containing the corresponding push stream exists on this forwarding device: if so, the subscription relationship between the push stream and the pull stream can be restored; if not, the forwarding device 10 may establish a cascade connection with another forwarding device 10 and pull the corresponding push stream from it.
In this embodiment, the forwarding device 10 may read the session state information of at least one session from the storage unit 30, recover the instance of each such session, and set its attributes and configuration parameters according to the session state information read. The recovery operations that the forwarding device 10 performs on a single session, matching the session state information described above, include but are not limited to signaling state recovery, connection state recovery, encryption/decryption state recovery, media description state recovery, subscription state recovery and cascade recovery.
The following description will be made of a session recovery procedure by taking the encryption/decryption state recovery and the cascade recovery operation as examples.
In the encryption/decryption state recovery, the forwarding device 10 may determine from the encryption/decryption state record, for each of the at least one session, the identifier of the corresponding encryption/decryption task and the identifier of the task address used in the encryption/decryption unit 20, and restore the encryption/decryption task of each session from these two identifiers. If the encryption/decryption unit 20 contains a plurality of encryption/decryption devices 22, the task address identifier used in the encryption/decryption unit 20 may be the task address identifier on the particular encryption/decryption device 22 that was used. An encryption/decryption device 22 runs several encryption/decryption tasks, each occupying a different task address, and the task address identifier may be, for example, a port identifier. In this way, the forwarding device 10 can parse from the encryption/decryption state record the task identifier of each session, locate the port identifier on the encryption/decryption device 22 that performs that task, and re-establish the port mapping between itself and the encryption/decryption device 22 for each task, thereby recovering each encryption/decryption task, i.e. recovering the encryption/decryption service.
In the cascade recovery, the forwarding device 10 may treat a recovered pull-stream session as a new session and perform the cascade operation according to the standard cascade flow, thereby recovering the cascade connections between forwarding devices 10. Cascade recovery effectively meets the capacity and coverage requirements of the forwarding devices 10 and lets a forwarding device 10 pull the session containing the corresponding push stream from another forwarding device 10 for a recovered pull-stream session.
In addition, as mentioned above, the forwarding device 10 may record the time of its most recent start in the storage unit 30. Referring to fig. 2, after connecting to the storage unit 30 the forwarding device 10 may read that time and determine whether the interval between the last start and the current time exceeds a preset threshold, for example 30 s in fig. 2. If it does, the subsequent automatic recovery can proceed; if not, the forwarding device 10 may be judged to be in a cycle restart state. In that case the forwarding device 10 may clear the session state information stored in the storage unit 30 and skip session recovery, so that the forwarding device 10 is not prevented from executing its normal forwarding service.
After the recovery process is complete, the forwarding device 10 enters its normal forwarding state. Throughout the recovery, the sessions that were running before the restart are fully recovered with their attributes and configuration parameters essentially unchanged, so the user is unaware of the recovery, and the problem of having to re-establish an interrupted session is solved. In this way, the embodiment implements automatic recovery after the forwarding device 10 restarts, which not only covers recovery after a crash but also provides the preconditions for hot upgrade, hot migration and real-time expansion of the forwarding device 10, keeping the forwarding device 10 rock solid.
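The recording and restart-recovery flow described above (state under a session key, push-stream sessions restored before pull-stream sessions, cascade when no local push stream exists, port mapping to the encryption/decryption device rebuilt from the encryption/decryption state record, and the cycle-restart check against the last start time), as an added Python simulation that is not part of the patent. The in-memory dict standing in for the storage unit, the key names, the record layout and the sample sessions are constructed assumptions; only the 30 s threshold comes from the fig. 2 example.

```python
"""Simulation of session-state recording and post-restart recovery.
A plain dict stands in for the storage unit (e.g. Redis); key names,
record layout and sample sessions are constructed for this example."""

CYCLE_RESTART_THRESHOLD_S = 30.0   # interval used in the fig. 2 example
SESSION_PREFIX = "session:"        # hypothetical key namespace
LAST_START_KEY = "forwarder:last_start"


def record_session_state(store: dict, session_id: str, state: dict) -> None:
    """Create or update the state recorded under the session's key.
    Called only after the new state has been successfully applied."""
    store[SESSION_PREFIX + session_id] = dict(state)


def end_session(store: dict, session_id: str) -> None:
    """Delete key and state when the session ends."""
    store.pop(SESSION_PREFIX + session_id, None)


def record_startup(store: dict, now: float) -> None:
    store[LAST_START_KEY] = now


def is_cycle_restart(store: dict, now: float) -> bool:
    """True when the previous start was less than the threshold ago."""
    last = store.get(LAST_START_KEY)
    return last is not None and (now - last) < CYCLE_RESTART_THRESHOLD_S


def _restore_instance(session_id: str, state: dict, port_map: dict) -> dict:
    """Rebuild one session instance and re-establish its port mapping to the
    encryption/decryption device from the encryption/decryption record."""
    enc = state["encdec"]
    port_map[enc["task_id"]] = (enc["device"], enc["port"])
    return {
        "id": session_id,
        "stream_kind": state["stream_kind"],
        "signaling": state["signaling"],
        "candidate_pair": state["connection"]["candidate_pair"],
        "sdp": state["media"]["sdp"],
        "subscribed_to": None,
    }


def recover_after_restart(store: dict, now: float):
    """Run the fig. 2 flow. Returns None on a cycle restart (state cleared),
    otherwise (recovered sessions, port map, sessions needing cascade)."""
    if is_cycle_restart(store, now):
        for key in [k for k in store if k.startswith(SESSION_PREFIX)]:
            del store[key]          # drop stale state, skip recovery
        record_startup(store, now)
        return None
    record_startup(store, now)
    records = {k[len(SESSION_PREFIX):]: v for k, v in store.items()
               if k.startswith(SESSION_PREFIX)}
    recovered, port_map, cascade_needed = {}, {}, []
    # Pass 1: push-stream sessions, so pull sessions can find their source.
    for sid, st in records.items():
        if st["stream_kind"] == "push":
            recovered[sid] = _restore_instance(sid, st, port_map)
    # Pass 2: pull-stream sessions; link to a local push or mark for cascade.
    for sid, st in records.items():
        if st["stream_kind"] != "pull":
            continue
        inst = _restore_instance(sid, st, port_map)
        source = st["subscription"]["source_session"]
        if source in recovered and recovered[source]["stream_kind"] == "push":
            inst["subscribed_to"] = source
        else:
            cascade_needed.append(sid)  # pull from another forwarding device
        recovered[sid] = inst
    return recovered, port_map, cascade_needed


def _sample_state(kind: str, task_id: str, port: int, source=None) -> dict:
    """Constructed session state record covering the five record types."""
    return {
        "stream_kind": kind,
        "signaling": {"joined": True},
        "connection": {"candidate_pair": ("10.0.0.5:5000", "203.0.113.9:6000")},
        "encdec": {"task_id": task_id, "device": "encdec-1", "port": port},
        "media": {"sdp": "v=0 ..."},
        "subscription": {"source_session": source},
    }


def demo():
    """A normal restart followed by a cycle restart on constructed sessions."""
    store = {}
    record_startup(store, 1000.0)
    record_session_state(store, "A", _sample_state("push", "t-A", 40001))
    record_session_state(store, "B", _sample_state("push", "t-B", 40002))
    record_session_state(store, "C", _sample_state("pull", "t-C", 40003, "A"))
    record_session_state(store, "D", _sample_state("pull", "t-D", 40004, "Z"))
    end_session(store, "B")  # ended before the restart; must not be revived
    first = recover_after_restart(store, 1100.0)   # 100 s later: normal restart
    second = recover_after_restart(store, 1110.0)  # 10 s later: cycle restart
    return first, second, store


if __name__ == "__main__":
    print(demo())
```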
In the above or below described embodiments, the encryption/decryption service may be provided by encryption/decryption unit 20 for the target session. It is to be noted that, in both the case where forwarding apparatus 10 operates normally and the case where forwarding apparatus 10 restarts, encryption/decryption unit 20 may provide encryption/decryption service, and therefore, in the present embodiment, it is not necessary to distinguish in which case encryption/decryption service is provided by encryption/decryption unit 20.
In this embodiment, the encryption/decryption unit 20 may provide encryption/decryption services in units of media streams. Accordingly, for the forwarding device 10, an encryption/decryption service request may be initiated to the encryption/decryption unit 20 in response to a forwarding request initiated by a communication end of the target session for a target media stream in the target session; encryption/decryption unit 20 may perform encryption/decryption processing on the target media stream to support forwarding of the target media stream by forwarding device 10.
Fig. 3 is a schematic structural diagram of another communication system according to an exemplary embodiment of the present application. Referring to fig. 3, encryption/decryption unit 20 may include a control device 21 and at least one encryption/decryption device 22. In terms of physical implementation, the control device 21 and the encryption/decryption device 22 may be server devices such as a conventional server, a cloud host, and a virtual center, and certainly, terminal devices such as a computer may also be used, which is not limited in this embodiment.
Based on this, the forwarding device 10 can send a forwarding request for the target media stream to the control device 21 in the encryption/decryption unit 20; the control device 21 may determine, in response to an encryption/decryption service request for a target media stream, a target encryption/decryption device 22 for providing an encryption/decryption service from among the at least one encryption/decryption device 22, and provide description information of the target encryption/decryption device 22 to the forwarding device 10; and a target encryption/decryption device 22 operable to encrypt/decrypt the target media stream.
In this embodiment, the control device 21 may schedule at least one encryption/decryption device 22. The control device 21 may manage device state information of at least one encryption/decryption device 22 using the storage unit 30; accordingly, at least one encryption/decryption device 22 may record its own device state information in the storage unit 30. Based on this, the control device 21 may read the device state information of the at least one encryption/decryption device 22 from the storage unit 30 upon receiving the forwarding request for the target media stream; an encryption/decryption device 22 that satisfies a preset condition is selected from among the at least one encryption/decryption device 22 as a target encryption/decryption device 22, based on the device state information of the at least one encryption/decryption device 22.
The device status information may include, but is not limited to, load information or deployment location information. The aforementioned preset condition may be that it is in an idle state and/or that it is closest to the forwarding device 10, etc. For example, when the control device 21 schedules the encryption/decryption device 22, it may be ensured that the encryption/decryption device 22 in the same computer room provides service for the forwarding device 10 as much as possible, so that the speed of the encryption/decryption service may be effectively increased, and the problem of packet loss during the interaction between the forwarding device 10 and the encryption/decryption device 22 may be reduced.
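The scheduling rule in the two paragraphs above (read the device state information each encryption/decryption device wrote to the storage unit, keep the idle ones, prefer a device in the same computer room as the forwarding device) is shown below as an added Python example; it is not the patent's code. The `DeviceState` fields, the load and freshness thresholds and the idea of skipping a device whose record has gone stale are assumptions added here.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DeviceState:
    """Device state information one encryption/decryption device writes to the
    storage unit (field names assumed)."""
    device_id: str
    room: str           # deployment location, e.g. the computer room
    load: float         # 0.0 (idle) .. 1.0 (saturated)
    reported_at: float  # time the record was last written


def select_crypto_device(states, requester_room, now,
                         max_load=0.8, max_age_s=10.0):
    """Pick the target encryption/decryption device for a forwarding request.

    Candidates must have a fresh record (a device that stopped reporting is
    skipped; an assumption added here) and a load below `max_load`. Devices in
    the same room as the requesting forwarding device are preferred, then the
    lowest load, then the device id so the choice is stable. Returns None when
    nothing qualifies, so the caller can reject the request instead of
    overloading a device.
    """
    candidates = [s for s in states
                  if now - s.reported_at <= max_age_s and s.load < max_load]
    if not candidates:
        return None
    candidates.sort(key=lambda s: (s.room != requester_room, s.load, s.device_id))
    return candidates[0]
```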
In this embodiment, the forwarding request may include media description information, where the media description information is used to describe attributes of the media stream and the session, for example, the media description information may describe a coding format adopted by the media stream, a transmission protocol adopted by session forwarding, and the like, so that both the communication terminal and the forwarding device 10 can know the interaction capability of the other party, which is not limited in this embodiment. For example, in an RTC scenario, the media description information may employ SDP. In this embodiment, the forwarding device 10 may obtain the identity authentication information of the target encryption/decryption device 22; adding the identity authentication information to the media description information to obtain response information; and returning the response information to the communication end corresponding to the target session so that the communication end can authenticate the target encryption/decryption device 22. In concert with the foregoing, the forwarding device 10 may record media description information to which authentication information is added in the storage unit 30 as a kind of session state information. The identity authentication information may be a digest of an identity certificate or the like, for example, a digest of a certificate issued by a CA. The authentication process may be integrated in the process of signaling interaction between the forwarding device 10 and the communication end corresponding to the target session, and the media description information may be one of the items of information of the signaling interaction. After the authentication is passed, the communication terminal corresponding to the target session may be triggered to perform subsequent operations such as handshake negotiation and media stream transmission.
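The identity-authentication step just described (the forwarding device fetches a digest of the target encryption/decryption device's certificate, places it in the response SDP, and the communication end later checks the certificate presented in the handshake against that digest) is shown below as an added Python example, not code from the patent. The certificate bytes and the SDP are constructed, and the `a=fingerprint:sha-256` attribute name is an assumption: the patent only says the digest is filled into the SDP, while that attribute is what WebRTC uses for the same purpose.

```python
import hashlib
import hmac

# Constructed stand-ins for DER certificates; in deployment this would be the
# certificate the target encryption/decryption device presents in the handshake.
CERT_DEVICE_22 = b"constructed-certificate-of-encryption-decryption-device-22"
CERT_OTHER = b"constructed-certificate-of-some-other-device"

# Minimal constructed response SDP before the digest is added.
SDP_ANSWER = ("v=0\r\no=- 1 1 IN IP4 0.0.0.0\r\ns=-\r\nt=0 0\r\n"
              "m=audio 9 UDP/TLS/RTP/SAVPF 111\r\na=rtpmap:111 opus/48000/2\r\n")


def cert_digest(cert_der: bytes) -> str:
    """SHA-256 digest of the certificate as colon-separated upper-case hex."""
    hex_digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2))


def add_digest_to_sdp(sdp_answer: str, digest: str) -> str:
    """Insert the digest as a session-level attribute, just before the first
    m= line (attribute name assumed, see lead-in)."""
    lines = sdp_answer.rstrip("\r\n").split("\r\n")
    attr = f"a=fingerprint:sha-256 {digest}"
    out, inserted = [], False
    for line in lines:
        if line.startswith("m=") and not inserted:
            out.append(attr)
            inserted = True
        out.append(line)
    if not inserted:
        out.append(attr)
    return "\r\n".join(out) + "\r\n"


def extract_digest(sdp: str):
    """Communication-end side: pull the expected digest out of the response SDP."""
    for line in sdp.split("\r\n"):
        if line.startswith("a=fingerprint:sha-256 "):
            return line.split(" ", 1)[1]
    return None


def endpoint_authenticates(sdp_from_sfu: str, cert_in_handshake: bytes) -> bool:
    """The certificate presented during the handshake must hash to the digest
    the forwarding device returned in the SDP; a missing digest is a failure,
    not a pass."""
    expected = extract_digest(sdp_from_sfu)
    if expected is None:
        return False
    return hmac.compare_digest(expected, cert_digest(cert_in_handshake))


def sfu_build_response(sdp_answer: str, target_cert: bytes) -> str:
    """Forwarding-device side: obtain the target device's identity
    authentication information (its certificate digest) and add it to the
    response SDP that goes back to the communication end."""
    return add_digest_to_sdp(sdp_answer, cert_digest(target_cert))
```

Because the digest travels over the signaling path, the communication end only gets protection against a substituted encryption/decryption device if that signaling path is itself authenticated; a practitioner should treat the SDP response as part of the trust chain, not as a side channel.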
On the basis of determining the target encryption/decryption device 22, the communication end corresponding to the target session may also perform handshake with the forwarding device 10 and initiate a communication handshake message, and the forwarding device 10 may forward the communication handshake message initiated by the communication end corresponding to the target session to the target encryption/decryption device 22. The target encryption/decryption device 22 may receive the communication handshake message initiated by the communication end of the target session forwarded by the forwarding device 10; according to the communication handshake message, carrying out communication negotiation with a communication terminal corresponding to the target session to obtain a communication secret key; and performing encryption/decryption processing on the target media stream based on the communication secret key. That is, the forwarding device 10 serves as an intermediary, and supports the communication end corresponding to the target session and the target encryption/decryption device 22 to perform handshake negotiation for the target media stream, so as to obtain a communication key for performing encryption/decryption processing on the target media stream.
In this embodiment, the forwarding request for the target media stream may be a push stream request or a pull stream request, and the encryption/decryption processes triggered by the push stream request and the pull stream request have the following slight differences:
if the forwarding request for the target media stream in the target session is a stream pushing request, the forwarding device 10 may receive the encrypted target media stream sent by the communication terminal corresponding to the target session; the encrypted target media stream is provided to the target encryption/decryption device 22. For the target encryption/decryption device 22, the encrypted target media stream may be decrypted according to the communication key corresponding to the target media stream, so as to obtain the target media stream; the target media stream is sent back to the forwarding device 10 over the secure transmission path.
If the forwarding request for the target media stream in the target session is a pull request, the forwarding device 10 may send the target media stream to the target encryption/decryption device 22 through the secure transmission path. The target encryption/decryption device 22 may encrypt the target media stream according to the communication key corresponding to the target media stream to obtain an encrypted target media stream; and sending the encrypted target media stream to the forwarding device 10, so that the forwarding device 10 forwards the encrypted target media stream to the communication end of the target session.
In practical applications, a secure transmission path, such as an intranet path, may be established between the forwarding device 10 and the target encryption/decryption device 22, so that data may be transmitted between the forwarding device 10 and the target encryption/decryption device 22 in a private message format to ensure the security of the transmitted data.
Fig. 4 is a logic diagram of an encryption/decryption scheme according to an exemplary embodiment of the present application, and referring to fig. 4, an encryption scheme during a push flow performed by a communication terminal a and a decryption scheme during a pull flow performed by a communication terminal B are respectively shown.
In the process of pushing flow at the communication end A:
1. The communication terminal A sends the push flow request carrying SDP to the SFU.
2. The SFU requests the control device for an idle encryption/decryption device and obtains a digest of the certificate of the target encryption/decryption device.
3. The SFU fills the digest of the certificate into the SDP of the response and returns it to the communication end A.
4. The SFU applies for an encryption/decryption service to the target encryption/decryption device.
5. After receiving the response SDP, the communication end A handshakes with the SFU; the SFU sends the handshake message to the target encryption/decryption device in a private message format, and the target encryption/decryption device actually performs the handshake negotiation with the communication end A.
6. After the handshake is completed, both the communication terminal A and the target encryption/decryption device generate the corresponding communication keys.
7. The communication terminal A sends the encrypted media stream to the SFU; the SFU encapsulates the encrypted media stream in a private format and sends it to the target encryption/decryption device, and after decryption by the target encryption/decryption device the stream is sent back to the SFU in the private format.
In the process of carrying out pull flow at the communication end B:
1. The communication terminal B sends a pull flow request carrying SDP to the SFU, and the pull flow request carries the identification of the communication terminal A to which the communication terminal B subscribes.
2. The SFU requests the control device for an idle encryption/decryption device and obtains a digest of the certificate of the target encryption/decryption device.
3. The SFU fills the digest of the certificate into the SDP of the response and returns it to the communication end A.
4. The SFU applies for an encryption/decryption service to the target encryption/decryption device.
5. After receiving the response SDP, the communication end A handshakes with the SFU; the SFU sends the handshake message to the target encryption/decryption device in a private message format, and the target encryption/decryption device actually performs the handshake negotiation with the communication end A.
6. After the handshake is completed, both the communication terminal A and the target encryption/decryption device generate the corresponding communication keys.
7. The SFU sends the media stream of the communication terminal A, which was decrypted by the target encryption/decryption device and stored locally, to the target encryption/decryption device in private encapsulation; the target encryption/decryption device encrypts the media stream, encapsulates it in the private format and sends it back to the SFU, and the SFU sends the encrypted media stream to the communication terminal B, completing the pull of the media stream of the communication terminal A by the communication terminal B.
It should be noted that the encryption/decryption scheme shown in fig. 4 is only exemplary, the order of each link is not limited thereto, and each link may also be increased or decreased as needed, and the encryption/decryption scheme provided in this embodiment is not limited to that shown in fig. 4.
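The handshake relay and the two data-plane flows described above (the SFU forwards the handshake so that the endpoint and the target encryption/decryption device end up sharing a key the SFU never computes; on push, encrypted media goes to the device and decrypted media comes back; on pull, locally held media goes to the device and comes back encrypted under the subscriber's key) are simulated below. This is an added Python example, not code from the patent. The handshake is a toy Diffie-Hellman exchange over a small modulus and the media protection is an HMAC-SHA256 keystream, both chosen so the example runs offline with the standard library only; neither stands in for DTLS or SRTP, and the media frames, stream names and the `{"stream": ..., "payload": ...}` private-format wrapper are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters so the handshake runs offline. NOT a real DTLS
# group: 2**64 - 59 is prime and generator 2 is used for illustration only.
P = (1 << 64) - 59
G = 2

# Constructed media frames pushed by communication terminal A.
MEDIA_A = [b"constructed frame 0 from A",
           b"constructed frame 1 from A, longer than one block of keystream"]


def derive_key(shared: int) -> bytes:
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()


def xor_stream(key: bytes, seq: int, data: bytes) -> bytes:
    """HMAC-SHA256 keystream XOR keyed per stream and per sequence number.
    Illustration only: real media protection (e.g. SRTP) also adds an
    authentication tag, which this omits."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, seq.to_bytes(4, "big") + block.to_bytes(4, "big"),
                      hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


class Endpoint:
    """Communication terminal; it only ever exchanges messages with the SFU."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 1
        self.key = None

    def handshake_hello(self) -> dict:
        return {"from": self.name, "pub": pow(G, self._priv, P)}

    def handshake_finish(self, reply: dict) -> None:
        self.key = derive_key(pow(reply["pub"], self._priv, P))

    def protect(self, seq: int, data: bytes) -> bytes:
        return xor_stream(self.key, seq, data)

    unprotect = protect  # the XOR keystream is symmetric


class CryptoDevice:
    """Target encryption/decryption device; holds one key per media stream."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}

    def handshake(self, frame: dict) -> dict:
        # `frame` is the SFU's private-format wrapper around the endpoint hello;
        # the device, not the SFU, is the real handshake peer (fig. 4, step 5).
        priv = secrets.randbelow(P - 2) + 1
        self.keys[frame["stream"]] = derive_key(pow(frame["payload"]["pub"], priv, P))
        return {"stream": frame["stream"], "payload": {"pub": pow(G, priv, P)}}

    def transform(self, stream: str, seq: int, data: bytes) -> bytes:
        return xor_stream(self.keys[stream], seq, data)


class SFU:
    """Forwarding device: relays handshakes, offloads crypto, keeps media locally."""

    def __init__(self, crypto: CryptoDevice) -> None:
        self.crypto = crypto
        self.plain: dict[str, list] = {}  # decrypted media kept locally, per stream

    def relay_handshake(self, stream: str, hello: dict) -> dict:
        return self.crypto.handshake({"stream": stream, "payload": hello})["payload"]

    def push(self, stream: str, seq: int, ciphertext: bytes) -> None:
        # push flow, step 7: encrypted in, decrypted by the device, stored locally
        self.plain.setdefault(stream, []).append(
            (seq, self.crypto.transform(stream, seq, ciphertext)))

    def pull(self, source: str, subscriber_stream: str):
        # pull flow, step 7: local media re-encrypted under the subscriber's key
        for seq, pt in self.plain.get(source, []):
            yield seq, self.crypto.transform(subscriber_stream, seq, pt)


def run_demo():
    """A pushes, B pulls A. Returns (frames B decoded, ciphertexts the SFU saw on push)."""
    crypto = CryptoDevice()
    sfu = SFU(crypto)
    a, b = Endpoint("A"), Endpoint("B")
    a.handshake_finish(sfu.relay_handshake("A", a.handshake_hello()))
    pushed = []
    for seq, pt in enumerate(MEDIA_A):
        ct = a.protect(seq, pt)
        pushed.append(ct)
        sfu.push("A", seq, ct)
    b.handshake_finish(sfu.relay_handshake("B", b.handshake_hello()))
    received = [b.unprotect(seq, ct) for seq, ct in sfu.pull("A", "B")]
    return received, pushed
```

The point the simulation makes visible is where keys live: the `SFU` object has no key material at all, only the `CryptoDevice` and the endpoints do, while the SFU does hold decrypted media in `plain`, which is why the patent places the SFU-to-device path on a secure intranet path rather than treating it as public.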
In the above or the following embodiments, there may be a plurality of forwarding devices in the communication system, and the communication system may further include a management device, where the management device is configured to manage the plurality of forwarding devices, and the management device is in communication connection with the plurality of forwarding devices. Wherein, the deployment positions of the plurality of forwarding devices can be the same or different.
Based on this, in this embodiment, if the address of the communication end of the target session changes, load balancing is performed on at least one forwarding device to determine a target forwarding device; and the target forwarding device is used for reading the session state information of the target session from the storage unit so as to migrate the target session to the target forwarding device.
For example, the communication address of the communication end of the target session changes when the communication end switches from the mobile network to the wireless network. In this case, no matter which forwarding device the management device allocates the target session to, the allocated forwarding device can read the session state information corresponding to the target session from the storage unit and recover the target session, which implements hot migration of the target session. This greatly improves the flexibility of the forwarding devices in the communication system, and the user does not perceive the hot migration, so the user experience is preserved.
Fig. 5 is a flowchart illustrating a communication method according to another exemplary embodiment of the present application, where the method may be performed by a forwarding device, the forwarding device may be implemented as a combination of software and/or hardware, and the forwarding device may be integrated in a forwarding apparatus. Referring to fig. 5, the method includes:
step 500, in the process of encrypting and forwarding the target session, recording the session state information of the target session in a storage unit in the communication system as a basis for recovering the target session after the forwarding device is restarted;
step 510, initiating an encryption/decryption service request to the encryption/decryption unit for the encryption/decryption unit to perform encryption/decryption processing on the target session according to the encryption/decryption service request, so as to support the forwarding device to perform encryption forwarding on the target session.
In an optional embodiment, the target session includes at least one media stream, and the step of initiating a request for encryption/decryption service to the encryption/decryption unit for the target session includes:
and responding to a forwarding request initiated by a communication terminal of the target session and aiming at the target media stream in the target session, and initiating an encryption/decryption service request to an encryption/decryption unit.
In an optional embodiment, the method further comprises:
if the forwarding request aiming at the target media stream in the target session is a stream pushing request, receiving the encrypted target media stream sent by a communication terminal corresponding to the target session;
the encrypted target media stream is provided to an encryption/decryption unit, so that the encryption/decryption unit decrypts the encrypted target media stream;
the receiving encryption/decryption unit decrypts the obtained target media stream.
In an optional embodiment, the method further comprises:
if the forwarding request aiming at the target media stream in the target session is a stream pulling request, the target media stream is sent to the encryption/decryption unit through the safe transmission path so that the encryption/decryption unit can encrypt the target media stream;
receiving the encrypted target media stream sent by the encryption/decryption unit;
and forwarding the encrypted target media stream to a communication end of the target session.
In an optional embodiment, the media description information is included in a forwarding request for a target media stream in a target session, and the method further includes:
acquiring identity authentication information of a target encryption/decryption unit;
adding the identity authentication information to the media description information to obtain response information;
and returning the response information to the communication end corresponding to the target session so that the communication end can carry out identity authentication on the target encryption/decryption unit.
In an optional embodiment, the method further comprises:
receiving a communication handshake message which is initiated by a communication end of a target session and is communicated with an encryption/decryption unit;
and forwarding the communication handshake message to the encryption/decryption unit, so that the encryption/decryption unit negotiates a communication key by handshaking with the communication end of the target session according to the communication handshake message, and performs encryption/decryption processing on the target media stream according to the communication key.
In an alternative embodiment, the session state information includes one or more of a signaling state record, a connection state record, an encryption/decryption state record, a media description information record, and a subscription information record.
In an optional embodiment, the method further comprises:
after restarting, reading session state information corresponding to at least one session from the storage unit;
and recovering at least one session according to the session state information corresponding to the at least one session.
In an optional embodiment, the session state information includes an encryption/decryption state record, and the method further includes:
according to the encryption/decryption state record, determining the identification of an encryption/decryption task corresponding to at least one session and the identification of a task address used in an encryption/decryption unit;
and recovering the encryption/decryption task corresponding to at least one session according to the identification of the encryption/decryption task corresponding to at least one session and the identification of the used task address in the encryption/decryption unit.
It should be noted that, for the technical details in the embodiments of the communication method, reference may be made to the related description of the forwarding device in the foregoing system embodiment, and for the sake of brevity, detailed description is not repeated here, but this should not cause a loss of the protection scope of the present application.
Fig. 6 is a flowchart of another communication method according to another exemplary embodiment of the present application, where the method may be performed by an encryption/decryption apparatus, the encryption/decryption apparatus may be implemented as a combination of software and/or hardware, and the encryption/decryption apparatus may be integrated in an encryption/decryption device. Referring to fig. 6, the method includes:
step 600, receiving a communication handshake message for a target media stream initiated by a communication terminal of a target session forwarded by a forwarding device in a communication system;
step 601, performing communication negotiation with a communication terminal corresponding to a target session according to a communication handshake message to obtain a communication key;
step 602, based on the communication secret key, performing encryption/decryption processing on the target media stream;
step 603, the media stream after encryption/decryption processing is returned to the forwarding device for the forwarding device to encrypt and forward the target session.
In an optional embodiment, the method further comprises:
recording own device state information in a storage unit in the communication system, so that a control device in the communication system determines a target encryption/decryption device for responding to an encryption/decryption request from at least one encryption/decryption device managed by the control device when receiving the encryption/decryption request initiated by a forwarding device;
and if the self is determined to be the target encryption/decryption device, executing communication handshake messages and subsequent operations aiming at the target media stream, which are initiated by the communication terminal of the target session and forwarded by the forwarding device in the communication system.
It should be noted that, for the sake of brevity, the technical details of the embodiments of the communication method described above may refer to the related descriptions of the encryption/decryption device in the foregoing system embodiments, which should not be repeated herein, but should not cause a loss of the scope of the present application.
It should be noted that, the executing subjects of the steps of the method provided in the foregoing embodiments may be the same device, or different devices may also be used as the executing subjects of the method. For example, the execution subjects of steps 601 to 603 may be device a; for another example, the execution subject of steps 601 and 602 may be device a, and the execution subject of step 603 may be device B; and so on.
In addition, in some of the flows described in the above embodiments and the drawings, a plurality of operations are included in a specific order, but it should be clearly understood that the operations may be executed out of the order presented herein or in parallel, and the sequence numbers of the operations, such as 601, 602, etc., are merely used for distinguishing different operations, and the sequence numbers themselves do not represent any execution order. Additionally, the flows may include more or fewer operations, and the operations may be performed sequentially or in parallel.
Fig. 7 is a schematic structural diagram of a forwarding device according to another exemplary embodiment of the present application. As shown in fig. 7, the forwarding device includes: a memory 70, a processor 71 and a communication component 72.
A processor 71, coupled to the memory 70 and the communication component 72, for executing computer programs in the memory 70 for:
in the process of encrypting and forwarding the target session, the communication component 72 records the session state information of the target session in a storage unit in the communication system, and the session state information is used as a basis for recovering the target session after the forwarding equipment is restarted;
an encryption/decryption service request is initiated to the encryption/decryption unit for the target session through the communication component 72, so that the encryption/decryption unit performs encryption/decryption processing on the target session according to the encryption/decryption service request, so as to support the forwarding device to perform encryption forwarding on the target session.
In an alternative embodiment, the target session comprises at least one media stream, and the processor 71, when initiating a request for a cryptographic service to the cryptographic unit for the target session, is configured to:
and responding to a forwarding request initiated by a communication terminal of the target session and aiming at the target media stream in the target session, and initiating an encryption/decryption service request to an encryption/decryption unit.
In an alternative embodiment, processor 71 is further configured to:
if the forwarding request aiming at the target media stream in the target session is a stream pushing request, receiving the encrypted target media stream sent by a communication terminal corresponding to the target session;
the encrypted target media stream is provided to an encryption/decryption unit, so that the encryption/decryption unit decrypts the encrypted target media stream;
the receiving encryption/decryption unit decrypts the obtained target media stream.
In an alternative embodiment, processor 71 is further configured to:
if the forwarding request aiming at the target media stream in the target session is a stream pulling request, the target media stream is sent to the encryption/decryption unit through the safe transmission path so that the encryption/decryption unit can encrypt the target media stream;
receiving the encrypted target media stream sent by the encryption/decryption unit;
and forwarding the encrypted target media stream to a communication end of the target session.
In an optional embodiment, the media description information is included in a forwarding request for a target media stream in a target session, and the processor 71 is further configured to:
acquiring identity authentication information of a target encryption/decryption unit;
adding the identity authentication information to the media description information to obtain response information;
and returning the response information to the communication end corresponding to the target session so that the communication end can carry out identity authentication on the target encryption/decryption unit.
In an alternative embodiment, processor 71 is further configured to:
receiving a communication handshake message which is initiated by a communication end of a target session and is communicated with an encryption/decryption unit;
and forwarding the communication handshake message to the encryption/decryption unit, so that the encryption/decryption unit negotiates a communication key by handshaking with the communication end of the target session according to the communication handshake message, and performs encryption/decryption processing on the target media stream according to the communication key.
In an alternative embodiment, the session state information includes one or more of a signaling state record, a connection state record, an encryption/decryption state record, a media description information record, and a subscription information record.
In an alternative embodiment, processor 71 is further configured to:
after restarting, reading session state information corresponding to at least one session from the storage unit;
and recovering at least one session according to the session state information corresponding to the at least one session.
In an alternative embodiment, the session state information includes an encryption/decryption state record, and the processor 71 is further configured to:
according to the encryption/decryption state record, determining the identification of an encryption/decryption task corresponding to at least one session and the identification of a task address used in an encryption/decryption unit;
and recovering the encryption/decryption task corresponding to at least one session according to the identification of the encryption/decryption task corresponding to at least one session and the identification of the used task address in the encryption/decryption unit.
Further, as shown in fig. 7, the computing device further includes: power supply components 73, and the like. Only some of the components are schematically shown in fig. 7, and it is not meant that the forwarding device includes only the components shown in fig. 7.
It should be noted that, for the technical details in the embodiments of the forwarding device, reference may be made to the related description in the foregoing system embodiments, and for the sake of brevity, detailed description is not provided herein, but this should not cause a loss of the scope of the present application.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program is capable of implementing each step that can be executed by a forwarding device in the foregoing method embodiments when executed.
Fig. 8 is a schematic structural diagram of an encryption/decryption device according to another exemplary embodiment of the present application. As shown in fig. 8, the encryption/decryption apparatus includes: memory 80, processor 81, and communications component 82.
A processor 81, coupled to the memory 80 and the communication component 82, for executing computer programs in the memory 80 for:
receiving, by the communication component 82, a communication handshake message for a target media stream initiated by a communication end of a target session forwarded by a forwarding device in the communication system;
according to the communication handshake message, carrying out communication negotiation with a communication terminal corresponding to the target session to obtain a communication secret key;
based on the communication secret key, the target media stream is encrypted/decrypted;
the media stream after the encryption/decryption process is returned to the forwarding device through the communication component 82, so that the forwarding device can perform encryption forwarding on the target session.
In an alternative embodiment, processor 81 is further configured to:
recording own device state information in a storage unit in the communication system, so that a control device in the communication system determines a target encryption/decryption device for responding to an encryption/decryption request from at least one encryption/decryption device managed by the control device when receiving the encryption/decryption request initiated by a forwarding device;
and if the self is determined to be the target encryption/decryption device, executing communication handshake messages and subsequent operations aiming at the target media stream, which are initiated by the communication terminal of the target session and forwarded by the forwarding device in the communication system.
Further, as shown in fig. 8, the encryption/decryption apparatus further includes: power supply components 83, and the like. Only some of the components are schematically shown in fig. 8, and it is not intended that the encryption/decryption apparatus includes only the components shown in fig. 8.
It should be noted that, for the technical details of the embodiments of the encryption/decryption device, reference may be made to the related description in the foregoing system embodiments, and for the sake of brevity, detailed description is not provided herein, but this should not cause a loss of scope of the present application.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program can implement the steps that can be performed by the encryption/decryption device in the foregoing method embodiments when executed.
The memory of fig. 7 and 8 described above is used to store computer programs and may be configured to store various other data to support operations on the computing platform. Examples of such data include instructions for any application or method operating on the computing platform, contact data, phonebook data, messages, pictures, videos, and so forth. The memory may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
The communication components of fig. 7 and 8 described above are configured to facilitate wired or wireless communication between the device in which the communication component is located and other devices. That device can access a wireless network based on a communication standard, such as WiFi, 2G, 3G, 4G/LTE, 5G and other mobile communication networks, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In one exemplary embodiment, the communication component further includes a Near Field Communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on Radio Frequency Identification (RFID) technology, Infrared Data Association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies.
The power supply components of fig. 7 and 8 described above provide power to the various components of the device in which the power supply components are located. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device in which the power component is located.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (26)

1. A communication system comprising a forwarding device, an encryption/decryption unit, and a storage unit, the forwarding device being communicatively coupled to the encryption/decryption unit and the storage unit;
the forwarding device is configured to record session state information of a target session in the storage unit in a process of performing encryption forwarding on the target session, where the session state information is used as a basis for recovering the target session after the forwarding device is restarted; initiating an encryption/decryption service request to the encryption/decryption unit for the target session;
the encryption/decryption unit is used for carrying out encryption/decryption processing on the target session according to the encryption/decryption service request so as to support the forwarding equipment to carry out encryption forwarding on the target session;
the storage unit is used for storing the session state information of the target session.
2. The system of claim 1, wherein the target session comprises at least one media stream, and wherein the forwarding device, when initiating an encryption/decryption service request to the encryption/decryption unit for the target session, is configured to:
and in response to a forwarding request initiated by a communication terminal of the target session and aiming at a target media stream in the target session, initiating an encryption/decryption service request to the encryption/decryption unit.
3. The system of claim 2, wherein the encryption/decryption unit comprises a control device and at least one encryption/decryption device;
the control device is used for responding to the encryption/decryption service request aiming at the target media stream, determining a target encryption/decryption device for providing the encryption/decryption service from the at least one encryption/decryption device, and providing the description information of the target encryption/decryption device to the forwarding device;
and the target encryption/decryption device is used for carrying out encryption/decryption processing on the target media stream.
4. The system of claim 3, wherein the forwarding device is further configured to:
if the forwarding request for the target media stream in the target session is a stream pushing request, receiving an encrypted target media stream sent by a communication terminal corresponding to the target session;
providing the encrypted target media stream to the target encryption/decryption device;
when the target encryption/decryption device performs encryption/decryption processing on the target media stream, the target encryption/decryption device is configured to:
decrypting the encrypted target media stream to obtain the target media stream;
and sending the target media stream back to the forwarding device through a secure transmission path.
5. The system of claim 3, wherein the forwarding device is further configured to:
if the forwarding request for the target media stream in the target session is a stream pulling request, sending the target media stream to the target encryption/decryption device through a secure transmission path;
when the target encryption/decryption device performs encryption/decryption processing on the target media stream, the target encryption/decryption device is configured to:
encrypting the target media stream to obtain an encrypted target media stream;
and sending the encrypted target media stream to the forwarding device so that the forwarding device forwards the encrypted target media stream to a communication terminal of the target session.
6. The system of claim 3, wherein the target encryption/decryption device, when performing encryption/decryption processing on the target media stream, is configured to:
receiving a communication handshake message initiated by a communication terminal of the target session and forwarded by the forwarding device;
according to the communication handshake message, carrying out communication negotiation with the communication end corresponding to the target session to obtain a communication key;
and performing encryption/decryption processing on the target media stream based on the communication key.
7. The system of claim 3, wherein the forwarding request for the target media stream in the target session includes media description information, and the forwarding device is further configured to:
acquiring identity authentication information of the target encryption/decryption equipment;
adding the identity authentication information to the media description information to obtain response information;
and returning the response information to the communication terminal corresponding to the target session so that the communication terminal can perform identity authentication on the target encryption/decryption equipment.
8. The system of claim 3, wherein the storage unit is further configured to:
storing device state information of the at least one encryption/decryption device;
the control device, when determining a target encryption/decryption device for providing the encryption/decryption service from among the at least one encryption/decryption device, is configured to:
reading device state information of the at least one encryption/decryption device from the storage unit;
and selecting an encryption/decryption device which meets a preset condition from the at least one encryption/decryption device as the target encryption/decryption device according to the device state information of the at least one encryption/decryption device.
9. The system of claim 8, wherein the device status information comprises one or more of load information or deployment location information, and wherein the predetermined condition comprises being in an idle state and/or being closest in distance to the forwarding device.
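The selection of a target encryption/decryption device from recorded device state (the encryption/decryption device description above, and claims 8 and 9), as an added Python example that is not part of the patent. The storage unit is modelled as a dictionary; "device state information" is assumed to be a load fraction plus 2-D deployment coordinates, with Euclidean distance as the "closest" metric; the preset condition is idle (load at or below a threshold) and nearest to the forwarding device. The heartbeat timestamp and the stale-record check are an addition beyond the page: without them a device that crashed after writing an idle record would keep being selected.

```python
import math
import time

# Constructed stand-in for the shared storage unit (assumption: a plain
# dictionary; a real deployment would use a shared key-value store).
STORAGE_UNIT = {}

# Assumption (not from the patent): a state record older than this is stale.
STATE_TTL_SECONDS = 15.0


def record_device_state(store, device_id, load, location, now=None):
    """Encryption/decryption device: write its own device state record."""
    store[device_id] = {
        "load": load,              # 0.0 (idle) .. 1.0 (saturated); assumed representation
        "location": location,      # deployment location as (x, y); assumed representation
        "updated_at": time.time() if now is None else now,  # heartbeat, added check
    }


def _distance(a, b):
    # Euclidean distance on the assumed 2-D coordinates
    return math.hypot(a[0] - b[0], a[1] - b[1])


def select_target_device(store, forwarding_location, idle_threshold=0.5, now=None):
    """Control device: pick an idle device closest to the forwarding device.

    Returns the chosen device id, or None when no device meets the preset
    condition. Records whose heartbeat is older than STATE_TTL_SECONDS are
    skipped so a dead device with a stale "idle" record is never selected.
    """
    now = time.time() if now is None else now
    candidates = []
    for device_id, state in store.items():
        if now - state["updated_at"] > STATE_TTL_SECONDS:
            continue  # stale record: device may have crashed
        if state["load"] > idle_threshold:
            continue  # not idle
        distance = _distance(state["location"], forwarding_location)
        # sort key: nearest first, then least loaded, then id for determinism
        candidates.append((distance, state["load"], device_id))
    if not candidates:
        return None
    candidates.sort()
    return candidates[0][2]


def describe_target(store, device_id):
    """Description information the control device hands to the forwarding device."""
    state = store[device_id]
    return {"device_id": device_id, "location": state["location"]}


def is_self_target(own_device_id, target_device_id):
    """Encryption/decryption device: am I the device the control device chose?"""
    return own_device_id == target_device_id


if __name__ == "__main__":
    t0 = 1_000_000.0
    record_device_state(STORAGE_UNIT, "enc-a", load=0.1, location=(0, 0), now=t0)
    record_device_state(STORAGE_UNIT, "enc-b", load=0.9, location=(1, 1), now=t0)
    record_device_state(STORAGE_UNIT, "enc-c", load=0.2, location=(5, 5), now=t0)
    record_device_state(STORAGE_UNIT, "enc-d", load=0.0, location=(1, 0), now=t0 - 60)
    target = select_target_device(STORAGE_UNIT, (1, 0), now=t0)
    print(target, describe_target(STORAGE_UNIT, target))
```

In the sample run enc-b is busy, enc-d is nearest but stale, so enc-a is chosen; the selection only becomes correct when the devices refresh their records more often than the TTL.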
10. The system of claim 1, wherein the session state information comprises one or more of a signaling state record, a connection state record, an encryption/decryption state record, a media description information record, and a subscription information record.
11. The system of claim 1, wherein the forwarding device is further configured to:
after the restart, reading session state information corresponding to at least one session from the storage unit;
and recovering the at least one session according to the session state information corresponding to the at least one session.
12. The system of claim 11, wherein the session state information includes an encryption/decryption state record, and wherein the forwarding device is further configured to:
according to the encryption/decryption state record, determining the identification of the encryption/decryption task corresponding to the at least one session and the identification of the task address used in the encryption/decryption unit;
and recovering the encryption/decryption tasks corresponding to the at least one session according to the identification of the encryption/decryption tasks corresponding to the at least one session and the identification of the used task address in the encryption/decryption unit.
13. The system according to claim 1, wherein the forwarding device is one of a plurality of forwarding devices, and the system further comprises a management device communicatively connected to the plurality of forwarding devices, the management device being configured to:
if the address of the communication end of the target session changes, perform load balancing over the plurality of forwarding devices so as to determine a target forwarding device;
the target forwarding device is configured to read session state information of the target session from the storage unit, so as to migrate the target session to the target forwarding device.
14. A communication method, adapted to a forwarding device in a communication system, comprising:
in the process of encrypting and forwarding the target session, recording the session state information of the target session in a storage unit in the communication system as a basis for recovering the target session after the forwarding equipment is restarted;
and initiating an encryption/decryption service request to the encryption/decryption unit aiming at the target session, so that the encryption/decryption unit performs encryption/decryption processing on the target session according to the encryption/decryption service request, and supports the forwarding device to perform encryption forwarding on the target session.
15. The method of claim 14, wherein the target session includes at least one media stream, and wherein initiating an encryption/decryption service request to the encryption/decryption unit for the target session comprises:
and in response to a forwarding request initiated by a communication terminal of the target session and aiming at a target media stream in the target session, initiating an encryption/decryption service request to the encryption/decryption unit.
16. The method of claim 15, further comprising:
if the forwarding request for the target media stream in the target session is a stream pushing request, receiving an encrypted target media stream sent by a communication terminal corresponding to the target session;
providing the encrypted target media stream to the encryption/decryption unit so that the encryption/decryption unit decrypts the encrypted target media stream;
and receiving the target media stream obtained by the decryption of the encryption/decryption unit.
17. The method of claim 15, further comprising:
if the forwarding request for the target media stream in the target session is a stream pulling request, sending the target media stream to the encryption/decryption unit through a secure transmission path, so that the encryption/decryption unit encrypts the target media stream;
receiving the encrypted target media stream sent by the encryption/decryption unit;
and forwarding the encrypted target media stream to a communication end of the target session.
18. The method of claim 15, wherein the forwarding request for the target media stream in the target session includes media description information, and the method further comprises:
acquiring identity authentication information of the target encryption/decryption unit;
adding the identity authentication information to the media description information to obtain response information;
and returning the response information to the communication end corresponding to the target session so that the communication end can carry out identity authentication on the target encryption/decryption unit.
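Claims 7 and 18 bind the identity of the target encryption/decryption device into the media description returned to the terminal. As an added example that is not part of the patent, the following Python assumes the media description is SDP and the identity authentication information is a SHA-256 certificate fingerprint carried in an a=fingerprint attribute, as DTLS-SRTP does; the certificate bytes are constructed placeholders, not real certificates. The terminal's check rejects a substituted device whose handshake certificate does not match the fingerprint that arrived over signaling, and rejects a response that carries no fingerprint at all.

```python
import hashlib
import hmac

# Constructed sample media description (SDP-style; assumption about the
# patent's "media description information"). Not from the patent.
SAMPLE_MEDIA_DESCRIPTION = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 203.0.113.1\r\n"
    "s=-\r\n"
    "m=audio 5004 UDP/TLS/RTP/SAVPF 111\r\n"
)


def certificate_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate bytes, colon-separated upper-case hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_response(media_description: str, fingerprint: str) -> str:
    """Forwarding device: append the target device's identity authentication
    information to the media description to form the response information."""
    lines = [ln.rstrip("\r") for ln in media_description.strip().split("\n")]
    lines.append(f"a=fingerprint:sha-256 {fingerprint}")
    return "\r\n".join(lines) + "\r\n"


def parse_fingerprint(response: str):
    """Return (hash_algorithm, fingerprint) or None if no attribute present."""
    for line in response.replace("\r\n", "\n").split("\n"):
        if line.startswith("a=fingerprint:"):
            algo, _, value = line[len("a=fingerprint:"):].partition(" ")
            return algo.lower(), value.strip()
    return None


def terminal_authenticates(response: str, presented_cert_der: bytes) -> bool:
    """Communication terminal: the certificate the far end presents in the
    handshake must match the fingerprint received over signaling."""
    parsed = parse_fingerprint(response)
    if parsed is None or parsed[0] != "sha-256":
        return False  # missing or unsupported fingerprint: do not trust the stream
    expected = parsed[1]
    actual = certificate_fingerprint(presented_cert_der)
    # constant-time comparison; both strings are ASCII hex of equal length
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    genuine_cert = b"constructed-DER-bytes-for-target-device"   # placeholder
    rogue_cert = b"constructed-DER-bytes-for-a-rogue-device"    # placeholder
    response = build_response(SAMPLE_MEDIA_DESCRIPTION, certificate_fingerprint(genuine_cert))
    print(response)
    print("genuine:", terminal_authenticates(response, genuine_cert))
    print("rogue:  ", terminal_authenticates(response, rogue_cert))
```

The fingerprint is only as trustworthy as the signaling path that carried it; the response still has to travel between forwarding device and terminal over an authenticated channel, otherwise an attacker can substitute both the fingerprint and the certificate.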
19. The method of claim 15, further comprising:
receiving a communication handshake message initiated by a communication end of the target session;
and forwarding the communication handshake message to the encryption/decryption unit, so that the encryption/decryption unit negotiates a communication key with the communication end of the target session according to the communication handshake message and performs encryption/decryption processing on the target media stream according to the communication key.
20. The method of claim 14, wherein the session state information comprises one or more of a signaling state record, a connection state record, an encryption/decryption state record, a media description information record, and a subscription information record.
21. The method of claim 14, further comprising:
after the restart, reading session state information corresponding to at least one session from the storage unit;
and recovering the at least one session according to the session state information corresponding to the at least one session.
22. The method of claim 21, wherein the session state information includes an encryption/decryption state record, the method further comprising:
according to the encryption/decryption state record, determining the identification of the encryption/decryption task corresponding to the at least one session and the identification of the task address used in the encryption/decryption unit;
and recovering the encryption/decryption tasks corresponding to the at least one session according to the identification of the encryption/decryption tasks corresponding to the at least one session and the identification of the used task address in the encryption/decryption unit.
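Recording session state in the storage unit and rebuilding it after a restart or on migration (claims 11 to 13 and 21 to 22), as an added Python example that is not part of the patent. The storage unit is modelled as a small JSON-backed key-value class (assumption); the record carries the signaling, connection, encryption/decryption, media description and subscription entries that claim 10 lists, with the encryption/decryption state holding the task identifier and the task address in the encryption/decryption unit; the owner field used for migration is an addition. All session identifiers, addresses and task names are constructed.

```python
import json


class StorageUnit:
    """Constructed stand-in for the shared storage unit (assumption)."""

    def __init__(self):
        self._kv = {}

    def put(self, key, value):
        self._kv[key] = json.dumps(value)  # serialised, as a remote store would hold it

    def get(self, key):
        raw = self._kv.get(key)
        return None if raw is None else json.loads(raw)

    def keys(self, prefix):
        return [k for k in self._kv if k.startswith(prefix)]


class ForwardingDevice:
    def __init__(self, name, storage):
        self.name = name
        self.storage = storage
        self.sessions = {}      # in-memory state; lost on restart
        self.crypto_tasks = {}  # session_id -> (task_id, task_address)

    def start_session(self, session_id, signaling, connection, media_description,
                      subscription, task_id, task_address):
        """Record the session state before forwarding any media for it."""
        record = {
            "owner": self.name,  # added: which forwarding device holds the session
            "signaling": signaling,
            "connection": connection,
            "encdec": {"task_id": task_id, "task_address": task_address},
            "media_description": media_description,
            "subscription": subscription,
        }
        self.storage.put(f"session:{session_id}", record)
        self._load(session_id, record)

    def _load(self, session_id, record):
        self.sessions[session_id] = record
        enc = record["encdec"]
        self.crypto_tasks[session_id] = (enc["task_id"], enc["task_address"])

    def recover_after_restart(self):
        """After a restart the in-memory tables are empty; rebuild them from the
        storage unit, including the encryption/decryption task bindings."""
        recovered = []
        for key in self.storage.keys("session:"):
            record = self.storage.get(key)
            if record["owner"] != self.name:
                continue  # belongs to another forwarding device
            session_id = key.split(":", 1)[1]
            self._load(session_id, record)
            recovered.append(session_id)
        return sorted(recovered)

    def take_over(self, session_id):
        """Migrate a session to this device (claim 13): read its state from the
        storage unit and mark this device as the owner."""
        record = self.storage.get(f"session:{session_id}")
        if record is None:
            raise KeyError(f"no state recorded for session {session_id}")
        record["owner"] = self.name
        self.storage.put(f"session:{session_id}", record)
        self._load(session_id, record)
        return record


if __name__ == "__main__":
    store = StorageUnit()
    fwd = ForwardingDevice("fwd-1", store)
    fwd.start_session("s1", "established", {"peer": "198.51.100.7:5004"},
                      "m=audio 5004 UDP/TLS/RTP/SAVPF 111", {"topic": "room-9"},
                      "task-42", "enc-a:9000")
    restarted = ForwardingDevice("fwd-1", store)  # fresh process, empty memory
    print(restarted.recover_after_restart(), restarted.crypto_tasks)
```

The record must be written before the first packet is forwarded, otherwise a crash in between leaves a session the restarted device cannot recover; a real deployment would also need to confirm with the encryption/decryption unit that the recovered task address is still alive.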
23. A communication method applied to an encryption/decryption device in a communication system, comprising:
receiving a communication handshake message for a target media stream, initiated by a communication terminal of a target session and forwarded by a forwarding device in the communication system;
according to the communication handshake message, carrying out communication negotiation with the communication end corresponding to the target session to obtain a communication key;
performing encryption/decryption processing on the target media stream based on the communication key;
and returning the media stream subjected to encryption/decryption processing to the forwarding device so that the forwarding device can perform encryption forwarding on the target session.
24. A forwarding device comprising a memory, a processor, and a communication component;
the memory is to store one or more computer instructions;
the processor, coupled with the memory and the communication component, to execute the one or more computer instructions to:
in the process of performing encryption forwarding on the target session, recording, through the communication component, the session state information of the target session in a storage unit in the communication system, the session state information serving as a basis for recovering the target session after the forwarding device is restarted;
and initiating an encryption/decryption service request to the encryption/decryption unit aiming at the target session, so that the encryption/decryption unit performs encryption/decryption processing on the target session according to the encryption/decryption service request, and supports the forwarding device to perform encryption forwarding on the target session.
25. An encryption/decryption device comprising a memory, a processor and a communication component;
the memory is to store one or more computer instructions;
the processor, coupled with the memory and the communication component, to execute the one or more computer instructions to:
receiving a communication handshake message for a target media stream, initiated by a communication terminal of a target session and forwarded by a forwarding device in the communication system;
according to the communication handshake message, carrying out communication negotiation with the communication end corresponding to the target session to obtain a communication key;
performing encryption/decryption processing on the target media stream based on the communication key;
and returning the media stream subjected to encryption/decryption processing to the forwarding device so that the forwarding device can perform encryption forwarding on the target session.
26. A computer-readable storage medium storing computer instructions, which when executed by one or more processors, cause the one or more processors to perform the communication method of any one of claims 14-23.
CN202110064807.1A 2021-01-18 2021-01-18 Communication method, device, system and storage medium Pending CN114827093A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110064807.1A CN114827093A (en) 2021-01-18 2021-01-18 Communication method, device, system and storage medium


Publications (1)

Publication Number Publication Date
CN114827093A true CN114827093A (en) 2022-07-29

Family

ID=82524662


Country Status (1)

Country Link
CN (1) CN114827093A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101102463A (en) * 2007-07-25 2008-01-09 中国网络通信集团公司 Media stream transmission method
CN110489244A (en) * 2019-04-29 2019-11-22 北京达佳互联信息技术有限公司 Information processing method, system, device and computer readable storage medium
CN111010744A (en) * 2018-10-08 2020-04-14 华为技术有限公司 Method and device for establishing session and method and device for sending message


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination