CN1983921A - Method and system for realizing end to end media fluid safety - Google Patents
Method and system for realizing end to end media fluid safety Download PDFInfo
- Publication number
- CN1983921A CN1983921A CN 200510132131 CN200510132131A CN1983921A CN 1983921 A CN1983921 A CN 1983921A CN 200510132131 CN200510132131 CN 200510132131 CN 200510132131 A CN200510132131 A CN 200510132131A CN 1983921 A CN1983921 A CN 1983921A
- Authority
- CN
- China
- Prior art keywords
- media stream
- session
- user terminal
- protection
- request message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 35
- 239000012530 fluid Substances 0.000 title 1
- 230000006854 communication Effects 0.000 claims abstract description 17
- 238000004891 communication Methods 0.000 claims abstract description 16
- 230000004044 response Effects 0.000 claims description 19
- 238000012544 monitoring process Methods 0.000 claims description 16
- 230000000977 initiatory effect Effects 0.000 claims description 2
- 230000008569 process Effects 0.000 description 13
- 238000012545 processing Methods 0.000 description 8
- 238000010586 diagram Methods 0.000 description 7
- 230000011664 signaling Effects 0.000 description 6
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 241000331006 Euchaeta media Species 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
Images
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
The invention is concerned with the achievement method for end-to-end media flow safety, it is: the calling user terminal initiates the conversation request message, indicates the user terminal whether or not support the media flow protecting ability in the message; confirms the conversation whether or not need the protection of the media flow after the network entity receives the conversation request message, takes the correspond indication in the conversation request message; the called terminal make the estimation after receiving the conversation request message, the conversation requests the media flow protection and the called user terminal supports the media flow protecting ability if the calling user terminal support the media flow protecting ability, the conversation actualizes end-to-end media flow safety protection, otherwise, not actualizes end-to-end media flow safety protection. The invention is also concerned with the communication system and the terminal equipment.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and a system for implementing end-to-end media stream security.
Background
Network security schemes at the media level in IP Multimedia Subsystem (IMS) networks can be roughly divided into two categories: one type is non-end-to-end (or end-to-network) media stream protection, and the other type is end-to-end media stream protection.
The network model for non-end-to-end media stream protection is shown in fig. 1A, and the network model for end-to-end media stream protection is shown in fig. 1B, where RTP Proxy may be GGSN/SGSN for 3GPP, BGF for TISPAN, and PDSN for 3GPP 2.
Non-end-to-end media stream protection typically requires the intermediate entity to repeatedly perform encryption-decryption-encryption-decryption operations, which may affect the quality of the call.
The end-to-end media stream protection scheme is that a key is distributed to a calling terminal and a called terminal by a network side entity. During communication, the calling terminal encrypts and the called terminal decrypts, and decryption-encryption-decryption-encryption processes are repeatedly executed without intermediate entities (such as RTP-Proxy), so that the efficiency is high and the communication quality is high.
In addition, there is lawful interception traffic in the supervision of the telecommunication sector. Lawful interception is the interception of a certain user or a certain communication process by a security organization (country or region) for law enforcement. The monitoring comprises signaling level monitoring and media level monitoring. For monitoring of a signaling layer, monitoring related information of a monitored object needs to be output; for media level interception, the communication content (i.e. media stream) of the interception object needs to be output.
In 3GPP, a lawful interception architecture for transmitting the interception related information of the signaling plane is shown in fig. 2A, and a lawful interception architecture for transmitting the interception related information of the signaling plane and the communication content of the intercepted object of the media plane is shown in fig. 2B. The P-CSCF/S-CSCF and the GSN can know the user URI to be lawfully monitored through an X1_1 interface, the GSN carries a media stream security algorithm and a key to a monitoring center through an X2 interface, and the GSN can transmit the media stream to a lawful monitoring center (LEMF) through an X3 interface. The interception center can complete lawful interception of the encrypted media stream.
Because the existing end-to-end media stream protection only considers the situation that both communication parties support media stream protection, and does not consider the situation that one party or even both communication parties do not support media stream protection. If the caller supports media stream protection and the callee does not support media stream protection, the caller may encrypt the media stream, and the callee may not recognize the received media stream because the caller does not support media stream protection, which may result in a situation that a session cannot be performed. In addition, lawful interception generally refers to directly intercepting unprotected media streams, and therefore, how to distribute keys to a monitoring entity after end-to-end protection is performed on the media streams to ensure lawful interception also becomes a problem to be solved.
Disclosure of Invention
The invention provides a method and a system for realizing end-to-end media stream security, which aim to solve the problem that in the prior art, when the end-to-end media stream security is realized, one user terminal of two parties of a conversation does not support media stream protection, the conversation cannot be carried out; further, the problem that lawful interception is difficult due to the fact that end-to-end media stream protection is implemented is solved.
The invention provides the following technical scheme:
a method for implementing end-to-end media stream security comprises the following steps:
a calling user terminal initiates a session request message, and the message carries an indication whether the user terminal supports the media stream protection capability;
after receiving the session request message, the network entity determines whether the session needs media stream protection, and carries a corresponding indication in the session request message; and
after the called user terminal receives the session request message, if the calling user terminal is judged to support the media stream protection capability, the session needs the media stream protection, and the called user terminal supports the media stream protection capability, the end-to-end media stream security protection is implemented on the session, otherwise, the end-to-end media stream security protection is abandoned on the session.
Wherein:
the called user terminal carries the indication of whether the called user terminal supports the media stream protection capability in the response message returned to the calling user terminal, so that the calling user terminal can determine whether the session can implement the end-to-end media stream security protection.
The network entity distributes the media stream security key for the session and carries the key in the session request message only when the calling user terminal supports the media stream protection capability and determines that the session needs media stream protection.
Only the calling user terminal does not support the media protection capability, and when the session needs media stream protection, the called user terminal determines whether to continue the session.
Only the called user terminal does not support the media protection capability, and when the session needs media stream protection, the calling user terminal determines whether to continue the session.
The calling user terminal equipment further carries a media stream security algorithm list in the session request message; and when the called user terminal determines that both user terminals of the two parties of the session support the media stream protection capability and the session needs media stream protection, the media stream security algorithm supported by the user terminal is selected from the list and carried in a response message returned to the calling user terminal.
When the user terminals of both parties of the session support the media stream protection capability and the session needs media stream protection, if the user of the calling side or/and the called side needs to be monitored, the network entity of the calling side or/and the called side further transmits the distributed media stream security key and the media stream security algorithm selected by the final end to the corresponding supervision function entity.
And the supervision functional entity transmits the media stream security key and the media stream security algorithm selected by the final end to a monitoring center for monitoring the media streams of the calling side or/and the called side. Or,
and the supervision functional entity decrypts the media stream of the session by using the media stream security key and the media stream security algorithm selected by the final end, and transmits the decrypted media stream to a corresponding monitoring center.
The key typically only applies to one session. In special cases the key has a validity period during which the key is used for multiple sessions.
And expanding a SIP message header field in the session request message or adding an indication whether the media stream needs to be protected.
A communication system, comprising:
the first user equipment is used for initiating a session request message and indicating whether the user terminal supports the media stream protection capability or not in the message;
a network entity for determining whether the session needs media stream protection or not according to the session request message and carrying a corresponding indication in the session request message;
after receiving the session request message, if the calling user terminal supports the media stream protection capability, the session needs media stream protection, and the called user terminal supports the media stream protection capability, then performing end-to-end media stream security protection on the session, otherwise, giving up the second user terminal performing end-to-end media stream security protection on the session.
The communication system further comprises:
the device is used for receiving the media stream security key and the media stream security algorithm, decrypting the media stream by using the key and algorithm, or transmitting the key and algorithm to other equipment for decrypting the media stream supervision function entity.
A terminal device, comprising:
a sending module, configured to initiate a session request message and indicate in the message whether the user terminal device supports media stream protection capability;
and the receiving module is used for receiving the session request message, and determining to implement end-to-end media stream security protection on the session only when the terminal equipment which sends the session request message supports the media stream protection capability, the session needs media stream protection and the terminal equipment supports the media stream protection capability according to the session message.
The sending module further carries a media stream security algorithm list in the session request message.
After the receiving module confirms that end-to-end media stream security protection needs to be implemented on the session, the sending module selects a supported media stream security algorithm from the received media stream security algorithm list and carries the supported media stream security algorithm in the sent response message.
The invention carries the information whether the terminal supports the media stream protection capability in the session message, so that two communication parties can timely know whether the opposite terminal supports the media stream protection capability, thereby avoiding the problem that the session can not be carried out because one party supports the media stream protection capability and the other end does not support when the end-to-end media stream protection is implemented; when the end-to-end media stream protection is required to be implemented, the media stream security algorithm and the key can be sent to the monitoring entity according to the monitoring requirement, so that legal monitoring can be realized, and the telecommunication supervision is facilitated.
Drawings
FIG. 1A is a schematic diagram of a non-end-to-end media stream protection model;
FIG. 1B is a schematic diagram of an end-to-end media stream protection model;
fig. 2A is a schematic diagram of a model for transmitting monitoring related information of a signaling layer in an IMS;
fig. 2B is a schematic diagram of a model for transmitting monitoring related information of a signaling layer and a media layer in the IMS;
FIG. 3A is a schematic structural diagram of a terminal device according to the present invention;
FIG. 3B is a diagram illustrating a system architecture for implementing end-to-end media streaming according to the present invention;
FIG. 4 is a main flow chart of the present invention for implementing end-to-end media stream protection;
fig. 5 and fig. 6 are flow charts of end-to-end media stream protection not needed when only the calling user terminal or the called user terminal does not support the media protection capability in the present invention, respectively;
FIG. 7 is a flow chart of end-to-end media stream protection of a key distributed by a calling side when both calling and called subscriber terminals support media protection capability in the present invention;
FIG. 8 is a flow chart of end-to-end media stream protection of the called side distributing key when both the calling and called user terminals support media protection capability in the present invention;
FIG. 9 is a flow chart of the present invention when neither the calling nor the called subscriber terminal supports the media protection capability, without end-to-end media stream protection;
FIG. 10 is a flow chart of media stream protection renegotiation caused by terminal switch during session in the present invention;
fig. 11 is a flow chart of implementing lawful interception in the present invention.
Detailed Description
The present embodiment mainly takes an IMS network as an example for description.
The invention carries the identification whether the terminal supports the media stream protection capability in the session message initiated by the calling user terminal, and combines the identification whether the session needs the media stream protection determined by the network entity in the existing session establishing process, the called user terminal receiving the session message determines whether the session can implement the end-to-end media stream protection according to the identification and whether the terminal supports the media stream protection capability; furthermore, the called user terminal carries whether the terminal supports the media stream protection capability in the response message returned to the calling terminal, so that both parties of the session can determine whether the session can implement the media stream security protection, thereby avoiding the problem that the session cannot be carried out due to one terminal not supporting the media stream protection capability in the session process.
The calling user terminal further carries the media stream security algorithm in the session message, and the called user terminal selects the media stream security algorithm supported by the user terminal from the list and carries the selected algorithm in the response message returned to the calling user terminal when determining that both the user terminals of the two parties of the session support the media stream protection capability and that the session needs the media stream protection, so that the user terminals of the two parties of the session can negotiate the encryption and decryption algorithm for protecting the media stream in time.
The media stream security algorithm in the invention includes integrity protection algorithm and encryption algorithm, and the corresponding media stream security key includes integrity protection key and encryption key.
Preferably, the session message carries a set of media stream protection capabilities, which may include but are not limited to: whether the terminal supports the media stream protection capability, whether the session needs media stream protection, an integrity protection algorithm list, an encryption algorithm list, an integrity key, an encryption key and the like. Whether the terminal supports the media stream protection capability, the integrity protection algorithm and the encryption algorithm is determined by the terminal side, and whether the session needs the media stream protection is determined by the network entity according to the user subscription data and the service data signed by the user. The integrity key and the ciphering key are managed and distributed by a network entity, such as a service call session control function (S-CSCF) entity in the IMS network or distributed by other network entities, or may be managed and distributed by an independent key distribution center entity and then sent to a corresponding network entity of the IMS.
Whether the media stream needs to be protected can be indicated by extending a SIP message header field or adding a new parameter.
The structure of the terminal device 30 in the present invention is shown in fig. 3A, and includes a receiving processing module 300 and a sending processing module 310.
A sending processing module 310, configured to initiate a session request message and indicate in the message whether the ue supports media stream protection capability; further, a list of supported media stream security algorithms is carried in the session request message.
After receiving the session request message, the receiving processing module 300 further processes according to whether the user terminal and the terminal sending the session request message support the media stream protection capability:
1. if both sides support, it indicates that end-to-end media stream protection needs to be established.
2. If the method supports and the other party does not support, the end-to-end media stream protection does not need to be established. It is up to the present invention to decide whether to deny the session or continue the session.
3. If the method does not support the other party, the end-to-end media stream protection does not need to be established.
4. If both sides do not support, the end-to-end media stream protection is not needed to be established, and the normal conversation is continued.
According to these cases, the transmission processing module 310 is invoked to transmit a response message to the counterpart.
The system structure diagram of the present invention is shown in fig. 3B, in which the monitoring function entity is not shown, and may be shown in fig. 2A and fig. 2B as parameters.
Referring to fig. 4 (in conjunction with fig. 3B), the main flow of implementing end-to-end protection of media stream according to the present invention is as follows:
According to different results of whether the calling side terminal supports the media stream protection capability, whether the session needs the media stream protection, and whether the called side terminal supports the media stream protection capability. Several typical combinations are shown in the following table (the table is merely illustrative and not exhaustive of all combinations):
referring to fig. 5, only the called ue supports the media stream protection capability, and there is no need to establish end-to-end media stream protection, and whether the session is continued is determined by the called ue.
And 3, step 3 to 8: the calling side S-CSCF1 finds that the calling terminal does not support the media stream protection capability, and therefore, no matter whether the session needs media stream protection according to the user subscription data and the service data in the AS, it does not need to allocate an integrity key and an encryption key, sets "whether the terminal supports the media stream protection capability" to no "and" whether the session needs the media stream protection "to no" in the media stream protection capability set, and sends the set to the called side S-CSCF 2.
If the called UE2 decides to reject the session, it executes steps 17-1 to 17-5 and returns a response message of rejecting the session to the calling side. If the called UE2 decides to proceed normally, it executes steps 18-1 to 18-6 and returns a response message to the calling side.
Referring to fig. 6, only the calling user terminal supports the media stream protection capability, and there is no need to establish end-to-end media stream protection, and whether the session continues is determined by the calling terminal.
Step 15: the called-side P-CSCF2 sends the "media stream protection capability set" to the called-side UE2 encrypted with the encryption key between the UE2 and the P-CSCF2 generated during registration.
After the calling UE1 decrypts the information, although the terminal supports the media stream protection capability, it finds that the called UE2 does not support the media stream protection capability, and therefore, it is determined that the session does not need end-to-end media stream protection.
If the calling UE1 decides to reject the session, it performs steps 24-1 to 24-6 to send a session cancel message to the called side. If the calling UE1 decides to proceed normally, step 25-1 to step 25-6 are performed to send a session response message to the called side.
Referring to fig. 7, both the calling and called parties support the media stream protection capability, and the calling side S-CSCF1 assigns integrity keys and encryption keys to establish end-to-end media stream protection.
Step 15: the P-CSCF2 sends the called side UE2 with the set of media stream protection capabilities encrypted with the encryption key between the UE2 and the P-CSCF2 generated during registration.
Step 22: the calling side UE1 knows that an end-to-end media streaming session can be established. And continuing the session interaction until the end-to-end media stream protection session is established.
Referring to fig. 8, both parties of the calling and called parties support the media stream protection capability, and the called side S-CSCF2 distributes the integrity key and the encryption key to establish end-to-end media stream protection. The processing flow differs from the flow shown in fig. 7 in that: the calling side S-CSCF1 finds that the calling terminal supports the media stream protection capability, and finds that the session does not require media stream protection according to the user subscription data and the service data in the AS, the calling side S-CSCF1 does not allocate an integrity key and an encryption key, sets whether the session with the centralized media stream protection capability requires media stream protection to be negative, and sends the session request to the called side. Then, the called side S-CSCF2 finds that the session needs media stream protection according to the signed data of the called user and the service data in the AS, and the calling UE1 supports the media stream protection capability, and the called side S-CSCF2 allocates the integrity key and the encryption key, updates the media stream protection capability set, and sends the set to the called side P-CSCF 2. The rest of the processing procedure is the same as that in fig. 7, and is not described again.
Referring to fig. 9, neither the calling nor the called user terminals support the media stream protection capability, and there is no need to establish end-to-end media stream protection.
The "whether the terminal supports the media stream protection capability" in the media stream protection capability set carried in the session request message by the calling UE1 is no, or does not carry the media stream protection capability set; when the calling side S-CSCF1 and the called side S-CSCF2 know that the calling side UE1 does not support the media stream protection capability, even if the session needs media stream protection according to the subscription data of the user, the integrity key and the encryption key are not redistributed; the called UE2 knows that neither the terminal nor the calling UE1 support the media stream protection capability, so that the session does not require end-to-end media stream protection. For further details, refer to the above description.
In the session process of end-to-end media stream protection, the media stream protection renegotiation process caused by terminal switching is as shown in fig. 10, if the terminal is switched in the session process, the new terminal initiates a session request INVITE to perform the renegotiation process of the media stream protection algorithm and the key, at this time, the other side directly returns to 200, and therefore the new negotiated parameters are returned in 200. The processing procedure is the same as the flow shown in fig. 7, and is not described again.
The model for lawful interception of end-to-end protected media streams is shown in fig. 2B, where RTP-Proxy is GGSN/SGSN for 3GPP, BGF for TISPAN, and PDSN for 3GPP 2.
Because the integrity protection algorithm and the encryption algorithm have already been negotiated by the calling and called UEs in the session establishment process, and the lawful interception is that the RTP-Proxy copies the received media stream to a monitoring center, if a certain user needs to be lawfully intercepted, the P-CSCF can only send the negotiated integrity protection algorithm, encryption algorithm and corresponding key to the corresponding RTP-Proxy entity, that is, no algorithm negotiation process needs to be performed between the P-CSCF and the RTP-Proxy.
Referring to fig. 11, if it is required to lawfully monitor the called party, the called side P-CSCF2 sends the negotiated integrity protection algorithm and encryption algorithm and corresponding key to the RTP-Proxy entity of the called side. If the calling user needs to be monitored legally, the P-CSCF1 at the calling side sends the negotiated integrity protection algorithm and encryption algorithm and corresponding key to the RTP-Proxy entity at the calling side. RTP-Proxy carries the security algorithm and the key of the media stream with end-to-end protection to the interception center through an X2 interface, and the media stream with end-to-end protection can be transmitted to the interception center through an X3 interface. In this way, the interception center can perform lawful interception of the end-to-end protected media stream (the specific interception mechanism may adopt the prior art). In addition, the X2 interface may not carry the media stream security algorithm and key for end-to-end protection, and the RTP-Proxy may decrypt the copied media stream and then send it to the monitoring center through the X3 interface, so as to achieve the purpose of lawful monitoring.
The negotiated protection algorithm and the corresponding key can be sent between the P-CSCF and the RTP-Proxy by extending the Gq/Go (Gq'/Ia in TISPAN) interface function, or by other methods. The transmission may be in clear or encrypted form.
For all the above examples, the S-CSCF and the AS determine whether the media stream needs to be protected according to the subscription data and the service data of the user, respectively (AS long AS one of the entities determines that the media stream needs to be protected), and may perform the above exemplary process at multiple points, and the above process is only one of the possibilities described in the above exemplary process. In addition, for some simple call situations, the AS may not be needed to participate in the determination of whether to protect the media stream, which may only be determined by the S-CSCF, and at this time, the AS function related to the call may be considered to be embedded in the S-CSCF.
In addition, the key validity period is typically generated on a per session basis. After each session is over, the key is automatically invalidated. In the present invention, the key may also have a certain validity period, and for some services, the key may be used for multiple sessions within the validity period of the key, that is, the key may not need to be allocated for each session.
The invention takes the example of distributing the media stream key by the S-CSCF, and can also be other IMS network entities or a special key distribution center entity to distribute and manage the media stream key.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include such modifications and variations.
Claims (19)
1. A method for implementing end-to-end media stream security is characterized by comprising the following steps:
the calling user terminal initiates a session request message and indicates whether the user terminal supports the media stream protection capability in the message;
after receiving the session request message, the network entity determines whether the session needs media stream protection, and carries a corresponding indication in the session request message; and
after the called user terminal receives the session request message, if the calling user terminal is judged to support the media stream protection capability, the session needs the media stream protection, and the called user terminal supports the media stream protection capability, the end-to-end media stream security protection is implemented on the session, otherwise, the end-to-end media stream security protection is abandoned on the session.
2. The method of claim 1, wherein the called user terminal carries an indication of whether the called user terminal supports the media stream protection capability in a response message returned to the calling user terminal, so that the calling user terminal can determine whether the session can implement the end-to-end media stream security protection.
3. The method of claim 1, wherein the network entity allocates the media stream security key for the current session and carries the media stream security key in the session request message only when the calling user terminal supports the media stream protection capability and determines that the current session requires media stream protection.
4. The method of claim 1, wherein the calling user terminal does not support media protection capability, and when the session requires media stream protection, the called user terminal determines whether to continue the session.
5. The method of claim 1, wherein the called user terminal does not support media protection capability, and when the session requires media stream protection, the calling user terminal determines whether to continue the session.
6. The method according to any of claims 1 to 5, wherein the calling user terminal device further carries a list of media stream security algorithms in the session request message; and when the called user terminal determines that both user terminals of the two parties of the session support the media stream protection capability and the session needs media stream protection, the media stream security algorithm supported by the user terminal is selected from the list and carried in a response message returned to the calling user terminal.
7. The method according to claim 6, wherein when both user terminals of the two parties of the session support the media stream protection capability and the session needs media stream protection, if monitoring the user of the calling side or/and the called side is needed, the network entity of the calling side or/and the called side further transmits the allocated media stream security key and the media stream security algorithm selected by the final end to the corresponding supervision function entity.
8. The method of claim 7, wherein the supervising functional entity transmits the media stream security key and the media stream security algorithm selected by the final end to a monitoring center for monitoring the media stream of the calling side or/and the called side.
9. The method of claim 7, wherein the supervising functional entity decrypts the media stream of the session by using the media stream security key and the media stream security algorithm selected by the final end, and transmits the decrypted media stream to the corresponding monitoring center.
10. The method of claim 3, wherein the key is generally used for only one session; but in some cases the key may also have a validity period during which the key may be used for multiple sessions.
11. The method of claim 1, wherein a SIP message header field is extended or a new addition indication is added in the session request message to indicate whether the media stream needs to be protected.
12. A communication system, comprising:
the first user equipment is used for initiating a session request message and indicating whether the user terminal supports the media stream protection capability or not in the message;
a network entity for determining whether the session needs media stream protection or not according to the session request message and carrying a corresponding indication in the session request message;
after receiving the session request message, if the calling user terminal supports the media stream protection capability, the session needs media stream protection, and the called user terminal supports the media stream protection capability, then performing end-to-end media stream security protection on the session, otherwise, giving up the second user terminal performing end-to-end media stream security protection on the session.
13. The communication system of claim 12, wherein the second user terminal carries an indication of whether the called user terminal supports the media stream protection capability in a response message returned to the calling user terminal, so that the first user terminal can determine whether the session can implement end-to-end media stream security protection.
14. The communication system of claim 12, wherein the network entity allocates a media stream security key for the current session and carries the media stream security key in the session request message only when the first user terminal supports the media stream protection capability and determines that the current session requires media stream protection.
15. The communication system according to claim 12, 13 or 14, wherein the first user terminal further carries a list of media stream security algorithms in the session request message; and when the second user terminal determines that both user terminals of the two parties of the session support the media stream protection capability and the session needs media stream protection, the second user terminal selects the media stream security algorithm supported by the user terminal from the list and carries the media stream security algorithm in a response message returned to the first user terminal.
16. The communication system of claim 15, further comprising:
for receiving the media stream security key and the media stream security algorithm, decrypting the media stream using the key and algorithm, or transmitting the key and algorithm to other devices for decrypting the media stream policing function entity.
17. A terminal device, comprising:
a sending module, configured to initiate a session request message and indicate in the message whether the user terminal device supports media stream protection capability;
and the receiving module is used for receiving the session request message, and determining to implement end-to-end media stream security protection on the session only when the terminal equipment which sends the session request message supports the media stream protection capability, the session needs media stream protection and the terminal equipment supports the media stream protection capability according to the session message.
18. The terminal device of claim 17, wherein the sending module further carries a list of supported media stream security algorithms in a session request message.
19. The terminal device of claim 18, wherein after the receiving module determines that end-to-end media stream security protection needs to be performed on the session, the sending module selects a supported media stream security algorithm from the received media stream security algorithm list and carries the selected supported media stream security algorithm in the sent response message.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200510132131A CN1983921B (en) | 2005-12-16 | 2005-12-16 | Method and system for realizing end to end media fluid safety |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200510132131A CN1983921B (en) | 2005-12-16 | 2005-12-16 | Method and system for realizing end to end media fluid safety |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1983921A true CN1983921A (en) | 2007-06-20 |
| CN1983921B CN1983921B (en) | 2010-05-05 |
Family
ID=38166183
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200510132131A Active CN1983921B (en) | 2005-12-16 | 2005-12-16 | Method and system for realizing end to end media fluid safety |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1983921B (en) |
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008083620A1 (en) * | 2007-01-11 | 2008-07-17 | Huawei Technologies Co., Ltd. | A method, a system and an apparatus for media flow security context negotiation |
| WO2009030155A1 (en) * | 2007-08-31 | 2009-03-12 | Huawei Technologies Co., Ltd. | Method, system and apparatus for negotiating the security ability when a terminal is moving |
| WO2009094812A1 (en) * | 2008-01-23 | 2009-08-06 | Zte Corporation | Method and apparatus for implementing the security of point to point media stream |
| WO2009132551A1 (en) * | 2008-04-29 | 2009-11-05 | 华为技术有限公司 | Obtaining method of the meida stream key, session equipment and key management function entity |
| CN101247218B (en) * | 2008-01-23 | 2012-06-06 | 中兴通讯股份有限公司 | Safety parameter negotiation method and device for implementing media stream safety |
| CN105873029A (en) * | 2015-01-21 | 2016-08-17 | 中国移动通信集团公司 | Method and device for call interception |
| US9572027B2 (en) | 2007-09-29 | 2017-02-14 | Huawei Technologies Co., Ltd. | Method, system and apparatus for negotiating security capabilities during movement of UE |
| CN106534895A (en) * | 2016-11-01 | 2017-03-22 | 青岛海信电器股份有限公司 | Method for playing encrypted multimedia file and terminal |
| CN106850526A (en) * | 2007-11-29 | 2017-06-13 | 艾利森电话股份有限公司 | The method and apparatus of the end-to-edge media protection in IMS systems |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100544247C (en) * | 2004-02-16 | 2009-09-23 | 华为技术有限公司 | The negotiating safety capability method |
| CN100571133C (en) * | 2004-02-17 | 2009-12-16 | 华为技术有限公司 | The implementation method of media flow security transmission |
-
2005
- 2005-12-16 CN CN200510132131A patent/CN1983921B/en active Active
Cited By (21)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008083620A1 (en) * | 2007-01-11 | 2008-07-17 | Huawei Technologies Co., Ltd. | A method, a system and an apparatus for media flow security context negotiation |
| US10015669B2 (en) | 2007-08-31 | 2018-07-03 | Huawei Technologies Co., Ltd. | Communication method and device |
| US10595198B2 (en) | 2007-08-31 | 2020-03-17 | Huawei Technologies Co., Ltd. | Communication method and device |
| WO2009030155A1 (en) * | 2007-08-31 | 2009-03-12 | Huawei Technologies Co., Ltd. | Method, system and apparatus for negotiating the security ability when a terminal is moving |
| US8656169B2 (en) | 2007-08-31 | 2014-02-18 | Huawei Technologies Co., Ltd. | Method, system and device for negotiating security capability when terminal moves |
| US8812848B2 (en) | 2007-08-31 | 2014-08-19 | Huawei Technologies Co., Ltd. | Method, system and device for negotiating security capability when terminal moves |
| US9241261B2 (en) | 2007-08-31 | 2016-01-19 | Huawei Technologies Co., Ltd. | Method, system and device for negotiating security capability when terminal moves |
| US9497625B2 (en) | 2007-08-31 | 2016-11-15 | Huawei Technologies Co., Ltd. | Method for negotiating security capability when terminal moves |
| US9538373B2 (en) | 2007-08-31 | 2017-01-03 | Huawei Technologies Co., Ltd. | Method and device for negotiating security capability when terminal moves |
| US10548012B2 (en) | 2007-09-29 | 2020-01-28 | Huawei Technologies Co., Ltd. | Method, system and apparatus for negotiating security capabilities during movement of UE |
| US9572027B2 (en) | 2007-09-29 | 2017-02-14 | Huawei Technologies Co., Ltd. | Method, system and apparatus for negotiating security capabilities during movement of UE |
| CN106850526B (en) * | 2007-11-29 | 2020-09-04 | 艾利森电话股份有限公司 | Method and apparatus for end-to-edge media protection in IMS systems |
| CN106850526A (en) * | 2007-11-29 | 2017-06-13 | 艾利森电话股份有限公司 | The method and apparatus of the end-to-edge media protection in IMS systems |
| CN101247218B (en) * | 2008-01-23 | 2012-06-06 | 中兴通讯股份有限公司 | Safety parameter negotiation method and device for implementing media stream safety |
| CN101222324B (en) * | 2008-01-23 | 2012-02-08 | 中兴通讯股份有限公司 | Method and apparatus for implementing end-to-end media stream safety |
| WO2009094812A1 (en) * | 2008-01-23 | 2009-08-06 | Zte Corporation | Method and apparatus for implementing the security of point to point media stream |
| CN101572694B (en) * | 2008-04-29 | 2012-09-05 | 华为技术有限公司 | Method for acquiring media stream key, session equipment and key management function entity |
| WO2009132551A1 (en) * | 2008-04-29 | 2009-11-05 | 华为技术有限公司 | Obtaining method of the meida stream key, session equipment and key management function entity |
| CN105873029A (en) * | 2015-01-21 | 2016-08-17 | 中国移动通信集团公司 | Method and device for call interception |
| CN105873029B (en) * | 2015-01-21 | 2019-05-10 | 中国移动通信集团公司 | A kind of conversation monitoring method and device |
| CN106534895A (en) * | 2016-11-01 | 2017-03-22 | 青岛海信电器股份有限公司 | Method for playing encrypted multimedia file and terminal |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1983921B (en) | 2010-05-05 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN1983921B (en) | Method and system for realizing end to end media fluid safety | |
| US9537837B2 (en) | Method for ensuring media stream security in IP multimedia sub-system | |
| CN101232368B (en) | Method for distributing media stream cryptographic key and multimedia subsystem | |
| JP5106682B2 (en) | Method and apparatus for machine-to-machine communication | |
| CN106850526B (en) | Method and apparatus for end-to-edge media protection in IMS systems | |
| KR101367038B1 (en) | Efficient key management system and method | |
| CN101379802B (en) | Method and device for the encoded transmission of media data between the media server and the subscriber terminal | |
| CN104683098B (en) | A kind of implementation method of secure traffic, equipment and system | |
| WO2006134505A1 (en) | Method, system and network elements for establishing media protection over networks | |
| CN101222320B (en) | Method, system and device for media stream safety context negotiation | |
| CN101227272A (en) | System and method for obtaining media stream protection cryptographic key | |
| CN100527875C (en) | Method for achieving media flow security and communication system | |
| US20150150076A1 (en) | Method and device for instructing and implementing communication monitoring | |
| US8181013B2 (en) | Method, media gateway and system for transmitting content in call established via media gateway control protocol | |
| WO2011131051A1 (en) | Method and device for security communication negotiation | |
| WO2011131070A1 (en) | Lawful interception system for ims media security based on key management server | |
| CN102025485B (en) | Key negotiation method, key management server and terminal | |
| CN100583733C (en) | Method for realizing safety of media flow and communication system | |
| US20200204595A1 (en) | Media protection within the core network of an ims network | |
| CN114760625B (en) | Encryption call method, device and system | |
| CN102487519B (en) | Media content monitor method and device in IP Multimedia System | |
| WO2006081712A1 (en) | A method for switching the level of the plaintext and cyphertext during the conversation | |
| WO2008083620A1 (en) | A method, a system and an apparatus for media flow security context negotiation | |
| WO2012071875A1 (en) | Media content monitoring method and device in ip multimedia subsystem |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |