CN117082503A

CN117082503A - Method, device, equipment and storage medium for encrypting call

Info

Publication number: CN117082503A
Application number: CN202310841553.9A
Authority: CN
Inventors: 胡鹏; 郭茂文; 张�荣; 黎艳; 卢燕青
Original assignee: China Telecom Technology Innovation Center; China Telecom Corp Ltd
Current assignee: China Telecom Technology Innovation Center; China Telecom Corp Ltd
Priority date: 2023-07-10
Filing date: 2023-07-10
Publication date: 2023-11-17

Abstract

The embodiment of the application discloses a method, a device, equipment and a storage medium for encrypting a call. The method comprises the following steps: receiving a call request sent by a calling terminal to a called terminal; detecting the signing condition of a calling terminal and a called terminal aiming at voice encryption service and the calling capability condition of the calling terminal and the called terminal based on a call request; if the fact that the calling terminal and the called terminal have signed voice encryption service and the calling terminal and the called terminal have encryption call capability is detected, a session key is obtained; and sending the session key to the calling terminal and the called terminal so that the calling terminal and the called terminal can carry out encrypted communication based on the session key. On one hand, the embodiment of the application not only avoids the problem that normal call cannot be carried out after the mobile phone card signing the voice encryption service is inserted into the terminal without the encryption call capability; on the other hand, the charging accuracy of the voice encryption service is ensured, so that the use experience of the user is improved.

Description

Method, device, equipment and storage medium for encrypting call

Technical Field

The present application relates to the field of communications technologies, and in particular, to a method and apparatus for encrypting a call, an electronic device, and a computer readable storage medium.

Background

VOLTE, collectively referred to as Voice over Long Term Evolution (LTE) Voice over Event, is based on an IP Multimedia Subsystem (IMS) network, using configuration files tailored to the Control plane (Control plane) and the Media plane (Media plane) of the Voice service over LTE, enabling the Voice service (Control and Media planes) to be transported as a data stream in the LTE data bearer network without requiring maintenance and reliance on a traditional circuit switched Voice network.

Currently, voLTE voice services based on LTE networks have become a major mode for operators to offer voice services. The VoLTE voice service based on the IMS has the advantages of high bandwidth, high speed, low time delay, better QoS, shorter call connection duration and the like, and can bring better use experience to users.

In practical application, there is a scenario that a calling or called user inserts a SIM card of a number of an opened VoLTE cipher call service into a common terminal, and the calling or called terminal cannot identify a sip message, apply for a session key and encrypt and decrypt the VoLTE voice function. The voice encryption method and the voice encryption device can lead one party to enter a VoLTE voice encryption state, and the other party to enter a VoLTE common voice state, so that normal conversation cannot be carried out, user experience is poor, and the accuracy of VoLTE secret call service charging can be affected.

Disclosure of Invention

To solve the above technical problems, embodiments of the present application provide a method and apparatus for encrypting a call, an electronic device, and a computer-readable storage medium.

According to an aspect of an embodiment of the present application, there is provided a method for encrypting a call, including: receiving a call request sent by a calling terminal to a called terminal; detecting the signing conditions of the calling terminal and the called terminal aiming at voice encryption service and the calling capability conditions of the calling terminal and the called terminal based on the call request; if the fact that the calling terminal and the called terminal have signed voice encryption service and the calling terminal and the called terminal have encryption call capability is detected, a session key is obtained; and sending the session key to the calling terminal and the called terminal so that the calling terminal and the called terminal carry out encrypted communication based on the session key.

According to an aspect of the embodiment of the present application, the detecting, based on the call request, a subscription condition of the calling terminal and the called terminal for a voice encryption service, and a call capability condition of the calling terminal and the called terminal includes: acquiring subscription information respectively corresponding to the calling terminal and the called terminal and call capability information respectively corresponding to the calling terminal and the called terminal from a specified database based on the call request; detecting subscription conditions of the calling terminal and the called terminal for voice encryption service based on subscription information respectively corresponding to the calling terminal and the called terminal; and detecting the calling capability condition of the calling terminal and the called terminal according to the calling capability information corresponding to the calling terminal and the called terminal respectively.

According to an aspect of the embodiment of the present application, the acquiring subscription information corresponding to the calling terminal and the called terminal, respectively, and call capability information corresponding to the calling terminal and the called terminal, respectively, from a specified database based on the call request includes: responding to the call request, and sending a first acquisition request to a designated database, wherein the first acquisition request is used for indicating to acquire subscription information and conversation capacity information of the calling terminal; receiving subscription information and call capability information of the calling terminal returned by the appointed database based on the first acquisition request; responding to a response message fed back by the called terminal based on the call request, and sending a second acquisition request to the appointed database, wherein the second acquisition request is used for indicating to acquire subscription information and conversation capability information of the called terminal; and receiving subscription information and call capability information of the called terminal returned by the appointed database based on the second acquisition request.

According to an aspect of the embodiment of the present application, the method further includes: if the fact that the calling terminal and the called terminal have signed voice encryption service and have encryption calling capability is detected, a secret phone identifier is inserted into the call request; and sending the call request inserted with the secret identification to the called terminal so that the called terminal feeds back a response message for the call request based on the secret identification.

According to an aspect of the embodiment of the present application, the method further includes: receiving a response message returned by the called terminal; inquiring whether the calling terminal and the called terminal sign up voice encryption service or not from a user database based on the response message; if the calling terminal and the called terminal have contracted the voice encryption service, acquiring terminal secret call capacity parameters of the calling terminal and the called terminal; if the terminal secret call capability parameter of the calling terminal and the terminal secret call capability parameter of the called terminal represent that the calling terminal and the called terminal have the secret call capability, a secret call identifier is inserted into the response message; and forwarding the response message carrying the secret identification to the calling terminal.

According to an aspect of the embodiment of the present application, the method further includes: acquiring a session key of the calling terminal based on a secret phone identifier in a call message; and acquiring the session key of the called terminal based on the secret key identification in the response message.

According to an aspect of the embodiment of the present application, the method further includes: and if at least one of the calling terminal and the called terminal does not sign a voice encryption service, and/or at least one of the calling terminal and the called terminal does not have encryption call capability, sending the call request to the called terminal so as to enable the calling terminal and the called terminal to carry out the non-encryption call.

According to an aspect of an embodiment of the present application, there is provided an apparatus for encrypting a call, the apparatus including: the receiving module is used for receiving a call request sent by the calling terminal to the called terminal; the detection module is used for detecting the signing conditions of the calling terminal and the called terminal aiming at the voice encryption service and the calling capability conditions of the calling terminal and the called terminal based on the call request; the key acquisition module is used for acquiring a session key if the fact that the calling terminal and the called terminal have signed voice encryption service and the calling terminal and the called terminal have encryption call capability is detected; and the key sending module is used for sending the session key to the calling terminal and the called terminal so that the calling terminal and the called terminal can carry out encrypted communication based on the session key.

According to an aspect of an embodiment of the present application, there is provided an electronic apparatus including: one or more processors; and a storage means for storing one or more programs which, when executed by the one or more processors, cause the electronic device to implement the method for talk encryption as described above.

According to an aspect of an embodiment of the present application, there is provided a computer-readable storage medium having stored thereon computer-readable instructions which, when executed by a processor of a computer, cause the computer to perform a method for call encryption as described above.

In the technical scheme provided by the embodiment of the application, the call request sent by the calling terminal to the called terminal is received, so that the signing condition of the calling terminal and the called terminal for the voice encryption service and the calling capability condition of the calling terminal and the called terminal are detected based on the call request, and the problem that the calling cannot be performed due to the fact that after a mobile phone card signing the voice encryption service is inserted into a terminal without the encryption calling capability, the secret call forwarding is performed in the scene of a common terminal is avoided; and detecting that the calling terminal and the called terminal have signed voice encryption service, and the calling terminal and the called terminal have encryption call capability, acquiring a session key to encrypt the session of the calling terminal and the called terminal through the key, thereby not only realizing the security of the voice call process, but also ensuring the charging correctness of the voice encryption service and improving the use experience of users.

It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.

Drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application. It is evident that the drawings in the following description are only some embodiments of the present application and that other drawings may be obtained from these drawings without inventive effort for a person of ordinary skill in the art. In the drawings:

FIG. 1 is a schematic diagram of an implementation environment for call encryption shown in an exemplary embodiment of the present application;

FIG. 2 is a flow chart illustrating a method for call encryption in accordance with an exemplary embodiment of the present application;

fig. 3 is a schematic diagram illustrating IMS registration of a terminal according to an exemplary embodiment of the present application;

FIG. 4 is a flow chart of step S220 in the embodiment shown in FIG. 2 in an exemplary embodiment;

FIG. 5 is a flow chart of step S410 in the embodiment shown in FIG. 4 in an exemplary embodiment;

FIG. 6 is a detailed application scenario diagram illustrating call encryption according to an exemplary embodiment;

FIG. 7 is a flow chart illustrating a method for call encryption in accordance with another exemplary embodiment of the present application;

FIG. 8 is a flow chart illustrating a method for call encryption in accordance with another exemplary embodiment of the present application;

FIG. 9 is a flow chart illustrating a method for call encryption in accordance with another exemplary embodiment of the present application;

FIG. 10 is a schematic flow diagram of call encryption in an exemplary application scenario;

FIG. 11 is a block diagram of an apparatus for call encryption shown in an exemplary embodiment of the present application;

fig. 12 shows a schematic diagram of a computer system suitable for use in implementing an embodiment of the application.

Detailed Description

Reference will now be made in detail to exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, the same numbers in different drawings refer to the same or similar elements, unless otherwise indicated. The implementations described in the following exemplary examples do not represent all implementations consistent with the application. Rather, they are merely examples of apparatus and methods consistent with aspects of the application as detailed in the accompanying claims.

The block diagrams depicted in the figures are merely functional entities and do not necessarily correspond to physically separate entities. That is, the functional entities may be implemented in software, or in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.

The flow diagrams depicted in the figures are exemplary only, and do not necessarily include all of the elements and operations/steps, nor must they be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the order of actual execution may be changed according to actual situations.

In the present application, the term "plurality" means two or more. "and/or" describes an association relationship of an association object, meaning that there may be three relationships, e.g., a and/or B may represent: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship.

It should be noted that the VOLTE is called Voice over Long-Term Evolution (LTE) and is based on an IP Multimedia Subsystem (IMS) network, and uses configuration files tailored to a Control plane (Control plane) and a Media plane (Media plane) of a Voice service on LTE, so that the Voice service (Control and Media planes) is transmitted as a data stream in the LTE data bearer network, without maintaining and relying on a conventional circuit switched Voice network.

VoLTE is essentially a call process based on IP data transmission. The voice service of the user VoLTE is possibly monitored due to the problems of the openness of the IP network, such as easy attack, intercepted traffic and the like. Therefore, when people enjoy the convenience brought by the voice multimedia service, the security problem in the voice call process is also inevitably faced, and the voice call is intercepted, which is one of the most common security problems.

Fig. 1 is a network architecture diagram for call encryption, shown in an exemplary embodiment of the present application. AS shown in fig. 1, the system architecture may include a calling party terminal 101, a called party terminal 102, an application Server (Application Server, AS) 103, a Key Server (KS) 104, and a subscriber database (HSS/UDM) 105, AS shown in fig. 1. Wherein, the terminals (including the calling party terminal 101 and the called party terminal 102) and the servers (including the application server 103 and the key server 104) can communicate Data through a Network, and the Network can include a Data Network (DN), an IMS (IPMultimedia Subsystem, an IP multimedia subsystem) and a 4G/5G Network for example; the network may be a wired network or a wireless network.

Referring to fig. 1, fig. 1 is a flowchart illustrating a method for call encryption according to an exemplary embodiment of the present application. The method may be applied to the implementation environment shown in fig. 1 and specifically performed by the application server 103 in the implementation environment. It should be understood that the method may be applied to other exemplary implementation environments and be specifically performed by devices in other implementation environments, and that the present embodiment is not limited by the real-time environment in which the method is applicable.

In an exemplary embodiment, the wired or wireless network described above uses standard communication techniques and/or protocols. The network is typically the Internet, but may be any network including, but not limited to, a local area network (Local Area Network, LAN), metropolitan area network (Metropolitan Area Network, MAN), wide area network (Wide Area Network, WAN), mobile, wired or wireless network, private network, or any combination of virtual private networks. In some embodiments, techniques and/or formats including HyperText Mark-up Language (HTML), extensible markup Language (ExtensibleMarkupLanguage, XML), and the like may be used to represent data exchanged over a network. In addition, all or some of the links may also be encrypted using conventional encryption techniques such as secure socket layer (Secure Socket Layer, SSL), transport layer security (Transport Layer Security, TLS), virtual private network (Virtual Private Network, VPN), internet protocol security (InternetProtocolSecurity, IPsec), and so on. In other embodiments, custom and/or dedicated data communication techniques may also be used in place of or in addition to the data communication techniques described above.

In an exemplary embodiment, the calling party terminal 101, the called party terminal 102 may be various electronic devices including, but not limited to, smartphones, tablet computers, laptop computers, desktop computers, wearable devices, augmented Reality (Augmented Reality, AR) devices, virtual Reality (VR) devices, and the like. Alternatively, the operating systems running on the calling party terminal 101, the called party terminal 102 may include, but are not limited to, android systems, IOS systems, linux systems, windows systems, etc.

Specifically, the calling terminal 101 sends a call request initiated to the called terminal to the application server 103, the application terminal 103 queries, based on the call request, whether the calling terminal and the called terminal sign up for the voice encryption service and terminal capability parameters of the calling terminal and the called terminal, if the calling terminal and the called terminal sign up for the voice encryption service and the calling terminal and the called terminal have the encryption call capability, sends call information including a secret key identifier to the called terminal 102, receives response information of the shoelace secret key identifier sent by the called terminal 102 and forwards the response information to the calling terminal 101 when the calling terminal and the called terminal have the encryption call capability and the calling terminal and the called terminal have the encryption call capability, and then the calling terminal 101 and the called terminal 102 send key application instructions to the key server 104 based on the secret key identifiers respectively, so as to obtain corresponding keys, and encrypt the session.

In practical application, there is a scenario that a calling or called user inserts a SIM card of a number of an opened VoLTE cipher call service into a common terminal, and the calling or called terminal cannot identify a sip message, apply for a session key and encrypt and decrypt the VoLTE voice function. This can lead to one end entering VoLTE voice encryption state and the other end entering VoLTE ordinary voice state, thereby failing to talk normally and the user experience is poor. This also affects the accuracy of VoLTE cipher service charging.

The problems noted above have general applicability in general call scenarios. In order to solve these problems, embodiments of the present application propose a method for call encryption, an apparatus for call encryption, an electronic device, and a computer-readable storage medium, respectively, which will be described in detail below.

As shown in fig. 2, in an exemplary embodiment, the method for encrypting a call at least includes steps S210 to S240, which are described in detail as follows:

step S210, receiving a call request sent by a calling terminal to a called terminal.

SIP (Session Initiation Protocol ), which is the most important signaling control protocol in VoIP. The first thing in SIP is that the caller sends an invite message to the callee, which rings back 180 messages.

Specifically, the application server AS receives a call request sent by a calling terminal to a called terminal, where the call request is a sip invite message, and the sip invite message includes a protocol version, an identifier of the calling terminal, an identifier of the called terminal, a session name, connection information, session activity time, a media name, a transport address, and the like.

Step S220, detecting the signing condition of the calling terminal and the called terminal aiming at the voice encryption service and the calling capability condition of the calling terminal and the called terminal based on the call request.

After receiving the sip invite message sent by the calling terminal, the application server AS queries whether the calling terminal and the called terminal sign up for the voice encryption service and terminal call capability parameters of the calling terminal and the called terminal according to the identifier of the calling terminal and the identifier of the called terminal contained in the sip invite message.

In some possible embodiments, as shown in fig. 3, when the terminal device UE performs IMS secondary registration, a parameter carrying the VoLTE cipher capability of the terminal is inserted in the Register message, and the parameter is sent and stored to the subscriber database HSS/UDM through the S-CSCF, where the VoLTE cipher capability parameter of the terminal device is stored in the HSS/UDM.

Specifically, during IMS registration of the terminal equipment, an initial IMS registration Register message is sent to the S-CSCF, the S-CSCF forwards the initial Register message to a user database HSS/UDM, the user database downloads a corresponding IMS authentication vector, a Response message is returned to the S-CSCF, and then the S-CSCF returns 401Una uthorized to the terminal equipment; and when the terminal equipment performs user network authentication and registers IMS for the second time, inserting the VoLTE secret call capability parameter of the terminal equipment into a Register message, then sending a secondary registration request to an S-CSCF, forwarding the secondary registration request to a user database HSS/UMD by the S-CSCF, reading the Register message carrying the VoLTE secret call capability parameter of the terminal equipment by the user database HSS/UMD, storing the extracted VoLTE secret call capability parameter of the terminal equipment into the user database HSS/UDM, downloading a subscription user file, returning a Response message to the S-CSCF, and sending a message of successful registration to the terminal equipment by the S-CSCF.

And whether the calling terminal signs the voice encryption service and the call capability of the terminal is judged, and whether the calling terminal enters the secret call flow or the common call flow is determined according to the judging result, so that the problem that the normal call cannot be performed due to the fact that the terminal without the encryption call capability is inserted into the mobile phone card with the voice encryption service opened in the practical application is solved.

Step S230, if the fact that the calling terminal and the called terminal have signed voice encryption service and the calling terminal and the called terminal have encryption call capability is detected, a session key is obtained.

Specifically, if the identifiers of the calling terminal and the called terminal are used for inquiring corresponding data from the user database to indicate that the calling terminal and the called terminal have signed voice encryption service, and the calling terminal and the called terminal have the capability of encrypting a call, the key management server can be further applied for the keys of the calling terminal and the called terminal for encrypting the call process respectively, so that the calling terminal and the called terminal can perform voice encryption session based on the applied keys.

Step S240, the session key is sent to the calling terminal and the called terminal, so that the calling terminal and the called terminal can carry out encrypted communication based on the session key.

In some possible embodiments, based on that the calling terminal and the called terminal have signed voice encryption service and that the calling terminal and the called terminal have encryption call capability, a session key in a call process can be applied to a key management server and sent to the calling terminal and the called terminal, so that the calling terminal and the called terminal perform encryption call operation based on the received session key.

In this embodiment, based on whether a calling terminal and a called terminal sign a voice encryption service and a call capability condition of the calling terminal and the called terminal are detected by receiving a call request sent by the calling terminal, after determining that both the calling terminal and the called terminal have the voice encryption service and the calling terminal have the call capability, a corresponding session key is applied to encrypt a call process, so that on one hand, the problem that a mobile phone card signing the voice encryption service cannot perform normal call after being inserted into a terminal without the call capability is avoided; on the other hand, the charging accuracy of the voice encryption service is ensured, so that the use experience of the user is improved.

Further, based on the foregoing embodiment, referring to fig. 4, in one exemplary embodiment provided by the present application, the specific implementation process of detecting the subscription condition of the calling terminal and the called terminal for the voice encryption service based on the call request and the call capability condition of the calling terminal and the called terminal may further include the following steps S410 to S430, which are described in detail below:

step S410, acquiring subscription information corresponding to the calling terminal and the called terminal respectively and call capability information corresponding to the calling terminal and the called terminal respectively from a designated database based on the call request.

As shown in fig. 3, in the above embodiment, during IMS secondary registration, the call capability parameter of the terminal device, that is, in this embodiment, the parameter of the VoLTE cipher capability of the terminal device is inserted into the Register message, and is sent to the subscriber database HSS/UDM through the S-CSCF, so as to store the parameter of the VoLTE cipher capability of the terminal device in the subscriber database.

The calling terminal initiates a sip invite message to the called terminal, and after the application server AS receives the sip invite message, the calling terminal and the called terminal are inquired from a user database HSS/UDM whether the calling terminal and the called terminal sign up for VoLTE secret call service or not and parameters of VoLTE secret call capability of the calling terminal and the called terminal based on the identification of the calling terminal and the identification of the called terminal in the sip invite message.

Step S420, based on the subscription information corresponding to the calling terminal and the called terminal respectively, detecting the subscription condition of the calling terminal and the called terminal for the voice encryption service; and

step S430, calling terminal and called terminal respectively corresponding call capability information, detecting calling terminal and called terminal call capability condition.

Detecting the VoLTE dense-speech service subscription conditions of the calling terminal and the called terminal and the VoLTE dense-speech capacity conditions of the calling terminal and the called terminal according to the VoLTE dense-speech service subscription conditions of the calling terminal and the called terminal stored in a user database.

Specifically, the VoLTE dense call service subscription conditions of the calling terminal and the called terminal may specifically include: (1) The calling and called terminals have contracted VoLTE secret telephone service subscription; (2) the called terminal has not signed VoLTE cipher service subscription; (3) The calling terminal signs a VoLTE (voice over LTE) secret call service sign, and the called terminal does not sign a VoLTE secret call service sign; (4) The calling terminal does not sign up for VoLTE dense call service sign up, and the called terminal signs up for VoLTE dense call service sign up.

The VoLTE cipher call capability conditions of the calling terminal and the called terminal may specifically include: the method comprises the steps that (1) a calling terminal and a called terminal both have VoLTE secret call capability; (2) the calling terminal and the called terminal do not have VoLTE secret call capability; (3) The calling terminal has VoLTE secret call capability, and the called terminal does not have VoLTE secret call capability; (4) The calling terminal does not have VoLTE cipher call capability, and the called terminal has VoLTE cipher call capability.

In this embodiment, by acquiring the VoLTE cipher call service subscription condition and the VoLTE cipher call capability condition of the calling and called terminals from the specified database, it is ensured that the user can perform normal VoLTE cipher call or normal call, and the problem that the terminal without VoLTE cipher call capability in practical application inserts a card that has already opened the VoLTE cipher call service, thereby causing a failure in normal call is solved.

Further, based on the above embodiment, referring to fig. 5, in one exemplary embodiment provided by the present application, the specific implementation process of obtaining subscription information corresponding to a calling terminal and a called terminal respectively and call capability information corresponding to the calling terminal and the called terminal respectively from a specified database based on a call request may further include the following steps S510 to S540, which are described in detail below:

step S510, responding to the call request, sending a first acquisition request to a specified database, wherein the first acquisition request is used for indicating to acquire subscription information and call capability information of a calling terminal and a called terminal;

step S520, receiving subscription information and call capability information of a calling terminal and a called terminal returned by a designated database based on the first acquisition request;

specifically, referring to fig. 6, after receiving a sip invite message sent by a calling terminal, an application server AS sends a first acquisition request to a subscriber database HSS/UDM, where the first acquisition request carries an identifier of the calling terminal and an identifier of a called terminal included in the sip invite message, so that service subscription information and call capability parameters of the calling terminal and the called terminal are queried from the subscriber database HSS/UDM based on the identifier of the calling terminal and the identifier of the called terminal. And receiving service subscription information and call capability parameters of the calling terminal and the called terminal returned by the subscriber database HSS/UDM.

That is, the application server AS, after receiving the sip invite message sent from the calling terminal to the called terminal, sends a first acquisition request to the subscriber database HSS/UDM (specified database) to acquire subscription service and session capability parameters for indicating acquisition of the calling terminal and the called terminal.

Step S530, responding to the response message fed back by the called terminal based on the call request, and sending a second acquisition request to the appointed database, wherein the second acquisition request is used for indicating to acquire the subscription information and the call capability information of the calling terminal and the called terminal;

step S540, receiving subscription information and call capability information of the calling terminal and the called terminal returned by the appointed database based on the second acquisition request.

Specifically, referring to fig. 6, after receiving the 180Ringing message returned by the called terminal, the application server AS sends a second acquisition request to the subscriber database HSS/UDM, where the second acquisition request carries the identifier of the calling terminal and the identifier of the called terminal included in the 180Ringing message, so that service subscription information and call capability parameters of the calling terminal and the called terminal are queried from the subscriber database HSS/UDM based on the identifier of the calling terminal and the identifier of the called terminal. And receiving service subscription information and call capability parameters of the calling terminal and the called terminal returned by the subscriber database HSS/UDM.

That is, the application server AS, upon receiving the 180Ringing message (i.e., ringing message) sent from the called terminal to the called terminal, sends a second acquisition request to the subscriber database HSS/UDM (designated database) to acquire the subscription service and call capability parameters for indicating acquisition of the calling terminal and the called terminal.

In this embodiment, after receiving a call message sent by a calling terminal, the subscription service information and the call capability parameter of a calling terminal and a called terminal are queried, and after receiving a response message returned by the called terminal, the subscription service information and the call capability parameter of the calling terminal and the called terminal are queried again, so that the fact that both the calling terminal and the called terminal for performing encrypted call have subscribed encrypted services and have encrypted call capability is ensured, and the problem that a terminal without VoLTE encrypted call capability is inserted into a card for opening VoLTE encrypted call service, so that normal call cannot be caused is avoided.

Further, based on the above embodiment, referring to fig. 7, in one exemplary embodiment of the present application, the method for encrypting a user call may further specifically include the following step S710 and step S720, which are described in detail below:

step S710, if it is detected that the calling terminal and the called terminal have both subscribed voice encryption service and the calling terminal and the called terminal have both encryption call capability, a secret call identifier is inserted in the call request.

Step S720, the call request with the inserted secret identification is sent to the called terminal, so that the called terminal feeds back the response message for the call request based on the secret identification.

In the above embodiment, if the application server AS inquires from the subscriber database HSS/UDM that both the calling terminal and the called terminal have subscribed to the voice encryption service and both the calling terminal and the called terminal have the capability of encrypting the call, the secret identifier is inserted into the received sip invite message of the calling terminal, and the sip invite message carrying the secret identifier is forwarded to the called terminal, so that the called terminal returns a response message to the application server AS after receiving the sip invite message.

In this embodiment, when both the calling terminal and the called terminal have signed up for the voice encryption service and both the calling terminal and the called terminal have the capability of encrypting the call, the secret call identifier is inserted into the call information, and the call information carrying the secret call identifier is forwarded to the called terminal, so that the voice encryption service is started only when both the calling terminal and the called terminal meet the encryption call, the charging of the voice encryption service is more accurate, and the user experience is improved.

Further, based on the above embodiment, referring to fig. 8, in one exemplary embodiment of the present application, the specific implementation process of the method for encrypting a call may further include the following steps S810 to S840, which are described in detail below:

step S810, receiving a response message returned by the called terminal;

step S820, detecting the signing condition of the calling terminal and the called terminal aiming at the voice encryption service and the calling capability condition of the calling terminal and the called terminal based on the response message.

Specifically, the application server AS receives a 180Ringing message (response message) returned by the called terminal based on the sip invite message (call message) of the calling terminal, where the 180Ringing message includes a protocol version, an identifier of the calling terminal, an identifier of the called terminal, a session name, connection information, a session activity time, a media name, a transport address, and the like.

The application server AS inquires the subscription condition of the calling terminal and the called terminal about the encrypted service and the call capability parameters of the calling terminal and the called terminal from a user database HSS/UDM based on the received 180Ringing message.

As in the above embodiment, when the terminal performs IMS secondary registration, a parameter carrying the VoLTE cipher capability of the terminal is inserted into the Register message, and the parameter is sent and stored into the subscriber database HSS/UDM through the S-CSCF, and the VoLTE cipher capability parameter of the terminal device is stored in the subscriber database HSS/UDM. So that the secret call capability parameters of the calling and called terminals, namely the call capability parameters, can be queried from the subscriber database HSS/UDM according to the identifiers of the calling and called terminals.

Step S830, if it is detected that the calling terminal and the called terminal have both signed voice encryption service and the calling terminal and the called terminal have both encryption call capability, then a secret call identifier is inserted in the response message;

step S840, the response message carrying the secret identification is forwarded to the calling terminal.

If the voice encryption service signed by the calling terminal and the called terminal is represented according to the data stored in the user database and the calling terminal and the called terminal have the encryption call capability, the secret mark is inserted into the 180Ringing message returned by the called terminal, and the 180Ringing message carrying the secret mark is forwarded to the calling terminal.

In this embodiment, after receiving a response message returned by the called terminal, the subscription condition of the encrypted service of the calling terminal and the called terminal in the response message and the call capability parameters of the calling terminal and the called terminal are queried, so that the calling terminal and the called terminal for performing encrypted call are further determined to have the encrypted call capability, and the problem that after a card signing the voice encrypted service is inserted into a terminal without the encrypted call capability, normal call cannot be performed is avoided; on the other hand, the method also comprises the charging accuracy of the voice encryption service, thereby improving the use experience of the user.

Further, based on the above embodiment, referring to fig. 9, in one exemplary embodiment of the present application, a specific implementation process of the method for encrypting a call may further include step S910 and step S920, which are described in detail below:

step S910, obtaining the session key of the calling terminal based on the secret identifier in the call message;

step S920, the session key of the called terminal is obtained based on the secret key identification in the response message.

In some possible embodiments, when it is determined that both the calling terminal and the called terminal have subscribed to the encrypted call service and have the encrypted call capability, the session key in the called terminal is applied to the key server according to the encrypted call identifier in the call message, and the session key of the calling terminal is obtained according to the encrypted call identifier in the response message. In some embodiments, applying for obtaining the session key from the key server may include: sending a calling session key application carrying calling information to a key server so that the key server carries out first authentication on a calling party based on the calling information; wherein, the call information includes: calling party number, called Fang Ma number and secret identification; receiving a session key and key identification information returned by a key server after the first authentication passes; sending a called session key application carrying response information to a key server so that the key server authenticates the called Fang Jinhang based on the response information; wherein the response information includes: calling party number, called Fang Ma number and secret identification; the receiving key server returns the session key and key identification information after determining that the second authentication passes. In some possible embodiments, because the session keys of the calling terminal and the called terminal are paired, in the subsequent call process, the calling terminal and the called terminal encrypt and decrypt the call process based on the key applied to the key manager, thereby ensuring the call security.

In the present embodiment, on the one hand, the session keys applied from the key server are paired to realize encryption of communication data (voice data, image data, etc.) when both parties of the caller and the callee make a call; on the other hand, both the calling party and the called party have signed encrypted call service, and the calling terminal and the called terminal have encrypted call capability, and then acquire the secret key from the secret key manager, thereby ensuring the accuracy of the charging of the encrypted service. Further, based on the above embodiment, in one exemplary embodiment provided by the present application, the implementation process of the method for encrypting a call may further include the following steps, which are described in detail below:

and if at least one of the calling terminal and the called terminal does not sign a voice encryption service and/or at least one of the calling terminal and the called terminal does not have encryption call capability, sending a call request to the called terminal so as to enable the calling terminal and the called terminal to conduct non-encryption call.

Specifically, after receiving a call message initiated by a calling terminal to a called terminal, an application server AS detects the signing condition of the calling terminal and the called terminal for voice encryption service and the calling capability condition of the calling terminal and the called terminal. The method comprises the following steps:

In the first scenario, the calling terminal and the called terminal sign up for voice encryption service, the calling terminal has call encryption capability, and the called terminal does not have call encryption capability, so that call information sent by the calling terminal is forwarded to the called terminal according to a common flow.

And in a second scenario, the calling terminal and the called terminal sign up for voice encryption service, the calling terminal does not have call encryption capability, and the called terminal has call encryption capability, so that call information sent by the calling terminal is forwarded to the called terminal according to a common flow.

And in a third scenario, the calling terminal signs a voice encryption service, and if the called terminal does not sign the voice encryption service, the calling information sent by the calling terminal is forwarded to the called terminal according to a common flow.

And in a fourth scenario, the calling terminal does not sign the voice encryption service, and the called terminal signs the voice encryption service, so that the call information sent by the calling terminal is forwarded to the called terminal according to a common flow.

In this embodiment, if at least one of the calling terminal and the called terminal does not sign a voice encryption service, and/or at least one of the calling terminal and the called terminal does not have an encryption call capability, a call request is sent to the called terminal. The subsequent processing can be performed according to the common call flow, thereby avoiding unnecessary negotiation and avoiding communication delay caused by whether to perform encrypted conversation or not after the call is connected.

Referring to fig. 10, fig. 10 is a schematic flow chart of call encryption in an exemplary application scenario of the present application. In the application scenario shown in fig. 10, an application server AS receives a sip invite message sent by a calling terminal, the application server AS queries a subscription condition of a calling terminal and a called terminal for a voice encryption service according to an identifier of a calling party and a called party in the sip invite message, and a call capability condition of the calling terminal and the called party, receives a query result returned by the user database HSS/UDM, if the query result represents that both the calling terminal and the called terminal have subscribed voice encryption service, and the calling terminal and the called terminal have encrypted call capability, then inserts a secret identifier in the sip invite message sent by the calling terminal, and forwards the sip invite message carrying the secret identifier to the called terminal, and then the called terminal analyzes the sip invite message carrying the secret identifier, and returns a 180Ringing message to the application server AS, and queries the calling terminal and the called party in the 180Ringing message, and the terminal have the subscription capability, and the HSS/the called party have the secret identifier, and the terminal have the encryption capability, and the query result is sent to the subscriber database 180, and the service is sent to the subscriber terminal, and the terminal has the encrypted call capability is queried. The calling terminal applies the session key to the key manager based on the secret identifier in the sip invite message, and the called terminal applies the session key to the key manager based on the secret identifier in the 180Ringing message, so that the calling and called parties encrypt and decrypt the call process, and the call security is ensured.

Fig. 11 is a block diagram illustrating a method for call encryption according to an exemplary embodiment of the present application. The apparatus may be applied to the implementation environment shown in fig. 1 and is specifically configured in the application server 103. The apparatus may also be adapted to other exemplary implementation environments and may be specifically configured in other devices, and the present embodiment is not limited to the implementation environments to which the apparatus is adapted.

As shown in fig. 11, the exemplary apparatus for call encryption includes: a receiving module 1110, configured to receive a call request sent by a calling terminal to a called terminal; the detection module 1120 is configured to detect a subscription condition of the calling terminal and the called terminal for the voice encryption service and a call capability condition of the calling terminal and the called terminal based on the call request; the key obtaining module 1130 is configured to obtain a session key if it is detected that both the calling terminal and the called terminal have subscribed to the voice encryption service and both the calling terminal and the called terminal have encrypted call capability; and the key sending module 1140 is configured to send the session key to the calling terminal and the called terminal, so that the calling terminal and the called terminal perform an encrypted call based on the session key.

According to an aspect of the embodiment of the present application, the detection module 1120 further specifically includes: the acquisition unit is used for acquiring subscription information corresponding to the calling terminal and the called terminal respectively and call capability information corresponding to the calling terminal and the called terminal respectively from the appointed database based on the call request; the first detection unit is used for detecting the signing conditions of the calling terminal and the called terminal aiming at the voice encryption service based on the signing information respectively corresponding to the calling terminal and the called terminal; and the second detection unit is used for detecting the calling capability information of the calling terminal and the called terminal, which correspond to the calling terminal and the called terminal respectively.

According to an aspect of the embodiment of the present application, the acquiring unit further specifically includes: the first acquisition subunit is used for responding to the call request, sending a first acquisition request to the appointed database, wherein the first acquisition request is used for indicating to acquire subscription information and call capability information of the calling terminal and the called terminal; the first receiving subunit is used for receiving subscription information and call capability information of the calling terminal and the called terminal returned by the appointed database based on the first acquisition request; the second acquisition subunit is used for responding to a response message fed back by the called terminal based on the call request, sending a second acquisition request to the appointed database, wherein the second acquisition request is used for indicating to acquire subscription information and call capability information of the calling terminal and the called terminal; and the second receiving subunit is used for receiving the subscription information and the call capability information of the calling terminal and the called terminal returned by the appointed database based on the second acquisition request.

According to an aspect of the embodiment of the present application, the apparatus for encrypting a call further includes: the first secret phone identifier inserting module is used for inserting a secret phone identifier into a call request if the fact that the calling terminal and the called terminal have signed voice encryption service and the calling terminal and the called terminal have encryption calling capability is detected; and the call request forwarding unit is used for sending the call request inserted with the secret word identifier to the called terminal so that the called terminal feeds back a response message for the call request based on the secret word identifier.

According to an aspect of the embodiment of the present application, the apparatus for encrypting a call further includes: a response message receiving unit, configured to receive a response message returned by the called terminal; the terminal detection unit is used for detecting the signing conditions of the calling terminal and the called terminal aiming at the voice encryption service and the calling capability conditions of the calling terminal and the called terminal based on the response message; the second secret phone identifier inserting unit is used for inserting the secret phone identifier into the response message if the fact that the calling terminal and the called terminal have signed voice encryption service and the calling terminal and the called terminal have encryption calling capability is detected; and the response message forwarding unit is used for forwarding the response message carrying the secret identification to the calling terminal.

According to an aspect of the embodiment of the present application, the apparatus for encrypting a call further includes: the first key acquisition module is used for acquiring a session key of the calling terminal based on the secret identification in the call message; and the second key acquisition module is used for acquiring the session key of the called terminal based on the secret identification in the response message.

According to an aspect of the embodiment of the present application, the apparatus for encrypting a call further includes: and the common call request forwarding module is used for sending a call request to the called terminal if at least one of the calling terminal and the called terminal is detected to have no voice encryption service signed and/or at least one of the calling terminal and the called terminal does not have encryption call capability, so that the calling terminal and the called terminal can carry out non-encryption call.

It should be noted that, the device for encrypting a call provided in the foregoing embodiment and the method for encrypting a call provided in the foregoing embodiment belong to the same concept, and the specific manner in which each module and unit perform the operation has been described in detail in the method embodiment, which is not repeated here. In practical applications, the device for encrypting a call provided in the above embodiment may allocate the functions to different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the functions described above, which is not limited herein.

The embodiment of the application also provides electronic equipment, which comprises: one or more processors; and a storage device for storing one or more programs, which when executed by the one or more processors, cause the electronic device to implement the method for encrypting a call provided in the above embodiments.

Fig. 12 shows a schematic diagram of a computer system suitable for use in implementing an embodiment of the application. It should be noted that, the computer system 1200 of the electronic device shown in fig. 12 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present application.

As shown in fig. 12, the computer system 1200 includes a central processing unit (Central Processing Unit, CPU) 1201 that can perform various appropriate actions and processes, such as performing the methods described in the above embodiments, according to a program stored in a Read-Only Memory (ROM) 1202 or a program loaded from a storage section 1208 into a random access Memory (Random Access Memory, RAM) 1203. In the RAM 1203, various programs and data required for the system operation are also stored. The CPU 1201, ROM 1202, and RAM 1203 are connected to each other through a bus 1204. An Input/Output (I/O) interface 1205 is also connected to bus 1204.

The following components are connected to the I/O interface 1205: an input section 1206 including a keyboard, a mouse, and the like; an output portion 1207 including a Cathode Ray Tube (CRT), a liquid crystal display (Liquid Crystal Display, LCD), and a speaker, etc.; a storage section 1208 including a hard disk or the like; and a communication section 1209 including a network interface card such as a LAN (Local Area Network ) card, a modem, or the like. The communication section 1209 performs communication processing via a network such as the internet. The drive 1210 is also connected to the I/O interface 1205 as needed. A removable medium 1211 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 1210 so that a computer program read out therefrom is installed into the storage section 1208 as needed.

In particular, according to embodiments of the present application, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising a computer program for performing the method shown in the flowchart. In such an embodiment, the computer program can be downloaded and installed from a network via the communication portion 1209, and/or installed from the removable media 1211. When executed by a Central Processing Unit (CPU) 1201, performs the various functions defined in the system of the present application.

It should be noted that, the computer readable medium shown in the embodiments of the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium may be, for example, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-Only Memory (ROM), an erasable programmable read-Only Memory (Erasable Programmable Read Only Memory, EPROM), flash Memory, an optical fiber, a portable compact disc read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer-readable signal medium may comprise a data signal propagated in baseband or as part of a carrier wave, with a computer-readable computer program embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. A computer program embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. Where each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

The units involved in the embodiments of the present application may be implemented by software, or may be implemented by hardware, and the described units may also be provided in a processor. Wherein the names of the units do not constitute a limitation of the units themselves in some cases.

Another aspect of the application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor implements a method for call encryption as described above. The computer-readable storage medium may be included in the electronic device described in the above embodiment or may exist alone without being incorporated in the electronic device.

Another aspect of the application also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions, so that the computer device performs the method for call encryption provided in the above-described respective embodiments.

The foregoing is merely illustrative of the preferred embodiments of the present application and is not intended to limit the embodiments of the present application, and those skilled in the art can easily make corresponding variations or modifications according to the main concept and spirit of the present application, so that the protection scope of the present application shall be defined by the claims.

Claims

1. A method for encrypting a call, comprising:

receiving a call request sent by a calling terminal to a called terminal;

detecting the signing conditions of the calling terminal and the called terminal aiming at voice encryption service and the calling capability conditions of the calling terminal and the called terminal based on the call request;

if the fact that the calling terminal and the called terminal have signed voice encryption service and the calling terminal and the called terminal have encryption call capability is detected, a session key is obtained;

and sending the session key to the calling terminal and the called terminal so that the calling terminal and the called terminal carry out encrypted communication based on the session key.

2. The method of claim 1, wherein the detecting the subscription conditions of the calling terminal and the called terminal for the voice encryption service based on the call request, and the call capability conditions of the calling terminal and the called terminal, comprises:

acquiring subscription information respectively corresponding to the calling terminal and the called terminal and call capability information respectively corresponding to the calling terminal and the called terminal from a specified database based on the call request;

Detecting subscription conditions of the calling terminal and the called terminal for voice encryption service based on subscription information respectively corresponding to the calling terminal and the called terminal; and

and detecting the calling capability condition of the calling terminal and the called terminal according to the calling capability information respectively corresponding to the calling terminal and the called terminal.

3. The method of claim 2, wherein the obtaining subscription information respectively corresponding to the calling terminal and the called terminal and call capability information respectively corresponding to the calling terminal and the called terminal from a specified database based on the call request comprises:

responding to the call request, and sending a first acquisition request to a specified database, wherein the first acquisition request is used for indicating to acquire subscription information and call capability information of the calling terminal and the called terminal;

receiving subscription information and call capability information of the calling terminal and the called terminal returned by the specified database based on the first acquisition request;

responding to a response message fed back by the called terminal based on the call request, and sending a second acquisition request to the appointed database, wherein the second acquisition request is used for indicating to acquire subscription information and conversation capacity information of the calling terminal and the called terminal;

And receiving subscription information and call capability information of the calling terminal and the called terminal returned by the appointed database based on the second acquisition request.

4. The method of claim 1, wherein the method further comprises:

if the fact that the calling terminal and the called terminal have signed voice encryption service and have encryption calling capability is detected, a secret phone identifier is inserted into the call request;

and sending the call request inserted with the secret identification to the called terminal so that the called terminal feeds back a response message for the call request based on the secret identification.

5. The method of claim 1, wherein the method further comprises:

receiving a response message returned by the called terminal;

detecting the signing conditions of the calling terminal and the called terminal aiming at voice encryption service and the calling capability conditions of the calling terminal and the called terminal based on the response message;

if the fact that the calling terminal and the called terminal have signed voice encryption service and the calling terminal and the called terminal have encryption call capability is detected, a secret call identifier is inserted into the response message;

And forwarding the response message carrying the secret identification to the calling terminal.

6. The method of claim 1, wherein the method further comprises:

acquiring a session key of the calling terminal based on a secret phone identifier in a call message;

and acquiring the session key of the called terminal based on the secret key identification in the response message.

7. The method of any one of claims 1-6, wherein the method further comprises:

and if at least one of the calling terminal and the called terminal does not sign a voice encryption service, and/or at least one of the calling terminal and the called terminal does not have encryption call capability, sending the call request to the called terminal so as to enable the calling terminal and the called terminal to carry out the non-encryption call.

8. An apparatus for encrypting a call, the apparatus comprising:

the receiving module is used for receiving a call request sent by the calling terminal to the called terminal;

the detection module is used for detecting the signing conditions of the calling terminal and the called terminal aiming at the voice encryption service and the calling capability conditions of the calling terminal and the called terminal based on the call request;

The key acquisition module is used for acquiring a session key if the fact that the calling terminal and the called terminal have signed voice encryption service and the calling terminal and the called terminal have encryption call capability is detected;

and the key sending module is used for sending the session key to the calling terminal and the called terminal so that the calling terminal and the called terminal can carry out encrypted communication based on the session key.

9. An electronic device, comprising:

one or more processors;

storage means for storing one or more programs that, when executed by the one or more processors, cause the electronic device to implement the method for talk encryption of any one of claims 1-7.

10. A computer readable storage medium having stored thereon computer readable instructions which, when executed by a processor of a computer, cause the computer to perform the method for call encryption of any one of claims 1 to 7.