JP2002176455A - Security system and voice data security method used for it - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a security system that can prevent falsification of data at an external device through the Internet and can be optimum to voice data with high real time performance without increasing the cost. SOLUTION: A data processing section 35 confirms contents of a voice signal or an IP packet that is transmitted. An IP packet voice signal conversion section 37 conducts mutual conversion between the voice signal and the IP packet, an IPv4(Internet Protocol version 4) authentication processing section 38 extracts a TOS(Type Of Service) field and an authentication field in a header part of an IP packet. An authentication field conversion section 39 converts the TOS filed into the authentication field, an authentication field collation section 40 collates whether or not data in the authentication field of the IP packet are voice data transferred from a true user and the IPv4 authentication processing section 38 discards the dissident IP packet.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a security system and a voice data security method used for the same, and more particularly, to voice data and LAN (Local Area).
Network) and VoIP [voi
ce over IP (Internet Protocol)
ol)] technology.

[0002]

2. Description of the Related Art Conventionally, IP telephone, video conference, CTI
(Computer Telephony Integra
Network construction using VoIP technology that integrates voice data and LAN data typified by such ration is becoming mainstream. Before the establishment of the VoIP technology, the voice data and the LAN data have separate and independent network configurations, and a great deal of cost is required for construction.

[0003] However, it is possible to unify the network of the voice system and the data system by the VoIP technology integrating voice data and LAN data, and at present BtoB (Business) represented in a company.
to Business) as well as external business partners and BtoC (Business to Consume)
A network incorporating the VoIP technology has been constructed for individual users as in r).

[0004]

The above-mentioned conventional VoI
In the P technology, a network using the Internet that is easy to invade to external business partners and individual users is constructed. Therefore, when communicating to external business partners and individual users, communication from external to the Internet is required. There is a possibility of data tampering due to intrusion, privacy infringement of personal information, etc.

[0005] In the conventional VoIP technology, a firewall can be provided as a security system at the boundary between the internal (or external) network and the Internet to enhance security. Since hardware having a firewall function is deployed, the construction cost increases, and a cost is required to enhance security.

[0006] In addition to the above firewall,
IPsec (IP security protocol) that encrypts and decrypts packetized data using a key
There is a way to implement l), but encrypt the packet,
In the process of decoding again, the processing speed becomes slow and a delay occurs, so this method is not suitable for audio data with high real-time properties, and it is difficult to enhance security for audio data.

Accordingly, an object of the present invention is to solve the above-mentioned problems, prevent the data from being tampered externally via the Internet, and reduce the cost without increasing the cost. An object of the present invention is to provide a security system and a voice data security method used therefor.

[0008]

According to the security system of the present invention, voice data generated on the transmitting side is transmitted to the IP.
(Internet Protocol) VoIP packetized and transferred to the receiving side via the Internet
(Voice over IP) function and the I-side gateway device received via the Internet.
A receiving gateway device having a VoIP function for converting a P packet into voice data, wherein a TO header of an IP header is assigned to the IP packet.
A means for converting an S (type of service) field into an authentication field is provided in the originating gateway device, and means for checking tampering of the IP packet based on the authentication field of the IP header, Means for converting the authentication field to the TOS field when it is determined that tampering has not been performed, is provided in the receiving-side gateway device.

In the voice data security method according to the present invention, voice data generated on the transmitting side is transmitted to the IP (Inter).
VoIP (voice over IP) that is packetized and transferred to the receiving side via the Internet.
originating gateway device having a (ver IP) function;
A receiving-side gateway device having a VoIP function for converting an IP packet received via the Internet into voice data, the method comprising:
A step of converting the TOS (type of service) field of the header into an authentication field in the originating gateway device; checking the IP packet for tampering based on the authentication field of the IP header; Converting the authentication field into the TOS field when it is determined that the packet has not been tampered with.

That is, in the voice data security method of the present invention, the voice data generated from the telephone terminal (or telephone exchange) on the calling side is converted to IP (Internet Pr.
voI which is packetized and transferred to the destination telephone terminal (or telephone exchange) via the Internet.
In a P (voice over IP) process, a VoIP compliant GW that converts data into IP packets in order to prevent data tampering from the Internet from the outside.
(Gateway) I
8-bit TOS (type of ser) of P header
a) field is converted to an authentication field, thereby realizing enhanced security.

As described above, the boundary between the Internet and the voice network, that is, the VoIP GW device
By converting the TOS field in the IP header of the Pv4 compatible IP packet into an authentication field, data security on the Internet can be strengthened.
It is possible to prevent data tampering externally via the Internet.

Also, by providing a security function to a VoIP GW apparatus that originally has a function of packetizing voice data, there is no need to provide hardware conforming to a firewall function in a network, and the cost can be reduced. It becomes possible.

Further, by strengthening security by authentication, IPs by encryption / decryption by keys
The processing speed is faster than a security method called ec, and this method is suitable for voice data with high real-time properties.

[0014]

Next, an embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing a configuration of a security system according to one embodiment of the present invention. In FIG. 1, a security system according to an embodiment of the present invention includes a telephone terminal A1, a telephone exchange A2, and a Vo switch.
IPGW device A3, Internet 4, VoIPGW
It is composed of a device B5, a telephone exchange B6, and a telephone terminal B7.

The telephone terminal A1 and the telephone exchange A2 generate voice data. The VoIP GW device A3 is a device for converting voice data into IP packets and transferring the data on the Internet 4, and is also capable of converting voice data in an IP packet state into a voice signal state. The Internet 4 is a network for passing voice data.

The Internet 4 is a general-purpose Internet that can be used by any user such as a customer inside a company or outside a company. In the present embodiment, the Internet 4 is a network through which currently widely used IPv4 compliant IP packets pass.

The VoIP gateway B5 is provided with the above-mentioned VoIP gateway.
A device having a function equivalent to that of the W device A3 and capable of converting an audio signal into an IP packet and transferring the packet onto the Internet 4.
Similarly to the oIPGW apparatus A3, it is also possible to convert audio data in an IP packet state into an audio signal state. The telephone exchange B6 has the same function as the telephone exchange A2. The telephone terminal B7 has the same function as the telephone terminal A1. In the telephone terminals A1 and B7 and the telephone exchanges A2 and B6, voice data is communicated not as IP packets but as voice signals.

FIG. 2 is a block diagram showing a configuration of the VoIP GW apparatus A3 of FIG. In FIG. 2, VoIPGW
The device A3 includes an audio signal data receiving unit 31, an audio signal data transmitting unit 32, and an audio IP packet data receiving unit 33.
A voice IP packet data transmission unit 34, a data processing unit 35, a route information unit 36, an IP packet / voice signal conversion unit 37, an IPv4 authentication processing unit 38, an authentication field conversion unit 39, an authentication field verification Unit 40, authentication field information unit 41, and NAK (negative
acknowledgment) section 42.

The voice signal data receiving section 31 and the voice signal data transmitting section 32 are sections for transmitting and receiving voice data in a voice signal state. The voice IP packet data receiving section 33 and the voice I
The P packet data transmitting unit 34 is a part for transmitting and receiving voice data in an IP packet state.

The data processing unit 35 confirms the content of the transmitted audio data in the audio signal state or the IP packet state, and supervises the execution of the IP data packetization / signal state conversion and the authentication processing. The route information unit 36 manages information on the connection partner and the like, and information on the connection destination of the voice data transferred from the VoIP GW device A3 is input in advance.

The IP packet / voice signal conversion unit 37 converts voice data in a voice signal state into an IPv4-compliant IP packet and converts voice data in an IP packet state into a voice signal. The IPv4 authentication processing unit 38 converts the TOS field in the header portion of the IP packet into an authentication field in order to increase the security of the voice data converted into the IPv4-compliant IP packet by the IP packet / voice signal conversion unit 37. Necessary TOS
The extraction of the fields and the extraction of the authentication fields required to match the converted authentication fields are performed.

The authentication field converter 39 converts the TOS field in the header of the IP packet into an authentication field. The authentication field matching unit 40 checks the authentication field of the IP packet transferred from the outside.
Verification is performed to determine whether or not the voice data is transmitted from a true user. The IP packet whose matching does not match in the authentication field matching unit 40 is sent to the IPv4 authentication processing unit 38.
Discarded at.

The authentication field information section 41 has information on authentication fields required for the authentication field conversion section 39 and the authentication field collation section 40. The NAK unit 42 is information for notifying the transmission source when the authentication field does not match in the authentication field matching unit 40. The inside of the VoIP GW apparatus A3 is Diff-serv (different) for controlling the service quality.
compliant services) function.

Although not shown, the configuration of the VoIP GW apparatus B5 is the same as that of the above-mentioned VoIP GW apparatus A3, and its operation is the same as that of the above-described VoIP GW apparatus A3. A description will be given using the configuration of A3.

Referring to FIG. 1, this embodiment is a configuration diagram of a VoIP network in which a voice data network and a LAN data network are integrated via the Internet, and a transmitting side and a receiving side are telephone terminals A1 and A1, respectively.
It is assumed that the terminal is a telephone terminal B7.

When transferring voice data from the telephone terminal A1 to the telephone terminal B7, the voice data is generated from the telephone terminal A1 or the telephone exchange A2. The generated voice data is IP-packetized by the VoIP GW device A3,
After security is achieved by converting the TOS field in the header portion of the P packet into an authentication field, the packet is transferred to the Internet 4.

The voice data transferred through the Internet 4 is verified by an authentication field in the VoIP GW apparatus B5, and is considered to be suitable, and the voice data converted into IP packets is converted to voice data in the original voice signal state. Will be restored. The restored voice data is stored in telephone exchange B
6 or the telephone terminal B7.

Conversely, the transfer of voice data from the telephone terminal B7 to the telephone terminal A1 is performed in the same manner as described above.
The GW device B5 converts the voice data into an IP packet and secures the data, and the VoIP GW device A3 performs verification using the authentication field, and then restores the voice data to the original voice signal state.

FIG. 3 is a flowchart showing a voice data transfer process by the VoIP GW device A3 of FIG. 1, and FIG. 4 is a flowchart showing a voice data reception process by the VoIP GW device B5 of FIG. These FIGS. 1-4
The operation of the security system according to the embodiment of the present invention will be described with reference to FIG.

When voice data is transferred from the telephone terminal A1 to the telephone terminal B7, the telephone terminal A1, the telephone exchange A2
The audio data in the audio signal state transferred from the device is transferred to the data processing unit 35 through the audio signal data receiving unit 31 (step S1 in FIG. 3), and the data processing unit 35 checks the content of the audio data (FIG. 3). 3 steps S2).

Since it is impossible to transfer data on the Internet 4 in the state of the voice signal, it is necessary to convert the voice data into IP packets in the VoIP GW apparatus A3. In the VoIP GW device A3, the IP packet is converted by the IP packet / voice signal converter 37 (step S3 in FIG. 3). The audio data in the audio signal state is converted by the IP packet conversion unit 37 into an IP packet state corresponding to IPv4, and the audio data can be transferred on the Internet 4.

The IP address of an IPv4-compliant IP packet is composed of an IP header and data.
Convert the 8-bit TOS field in the header to an authentication field. Conventionally, the TOS field has been used for the purpose of controlling the service quality of communication. However, in the present embodiment, the TOS field is converted for authentication to enhance security. By converting the 8-bit TOS field into an authentication field, it is possible to use 256 authentication fields.

The voice data converted into an IPv4-compliant IP packet by the IP packet conversion unit 37 is transferred to the IPv4 authentication processing unit 38. The IPv4 authentication processing unit 38
Extract the TOS field of the header (FIG. 3, step S
4) Transfer to the authentication field conversion unit 39. The authentication field information section 41 inputs the information of the 256 authentication fields described above, and provides an authentication field suitable for a user inside a company or outside a company.

Based on the information obtained from the authentication field information section 41, the authentication field conversion section 39 converts the authentication field of the TOS field (step S5 in FIG. 3). The voice data that has been converted by the authentication field conversion unit 39 is transferred to the Internet 4 through the higher-level IPv4 authentication processing unit 38, the IP packet / voice signal conversion unit 37, the data processing unit 35, and the voice packet data transmission unit 34 ( FIG. 3 step S6). When the information is transmitted to the Internet 4, the information from the path control unit 36 to which the information of the transmission destination is input is transferred to the data processing unit 35.

The voice data transferred from the Internet 4 is transferred to the VoIP GW device B5. The transferred voice data is transferred to the data processing unit 35 through the voice IP packet data receiving unit 33 in an IP packet state (step S11 in FIG. 4). After the data processing unit 35 finishes checking the data contents (step S1 in FIG. 4)
2), through the IP packet / voice signal converter 37
It is transferred to the v4 authentication processing unit 38.

The IPv4 authentication processing unit 38 extracts the converted authentication field (step S13 in FIG. 4) and transfers it to the authentication field matching unit 40. Authentication field information part 4
It is confirmed whether or not the voice data transferred by the authentication field collating unit 40 is voice data from the transmission source (telephone terminal A1) based on the information 1 (step S in FIG. 4).
14).

If the authentication field of the transferred voice data does not match the authentication field of the authentication field information section 41 (step S15 in FIG. 4), the transferred IP packet is processed by the IPv4 authentication processing section 38. It is discarded (step S16 in FIG. 4). At this time, a negative response is transmitted from the NAK unit 42 to the transmission source confirmed by the data processing unit 35 (Step S17 in FIG. 4).

On the other hand, if the authentication fields match each other (step S15 in FIG. 4), the authentication field conversion unit 39
Is converted to a TOS field (step S1 in FIG. 4).
8), through the IPv4 authentication processing unit 38,
The data is transferred to the audio signal converter 37. The IP packet / voice signal conversion unit 37 converts the voice data in the IPv4-compliant IP packet state into data in the voice signal state (step S19 in FIG. 4), and based on the information in the path information unit 36, the data processing unit 3
5. The telephone exchange B through the voice signal data transmission unit 32
6. Transferred to telephone terminal B7 (step S2 in FIG. 4)
0).

As described above, at the boundary between the Internet 4 and the voice network, ie, the VoIP GW apparatus A3,
By converting the TOS field in the IP header of the Pv4 compatible IP packet into an authentication field, data security on the Internet 4 is enhanced,
It is possible to prevent falsification of data externally via the Internet 4.

Also, the VoIP GW apparatus A3 and the VoIP GW apparatus B5 which originally have the function of packetizing voice data
By providing the security function to the network, it is not necessary to deploy hardware conforming to the firewall function in the network, and the cost can be reduced.

Further, by strengthening the security by the authentication field, the processing speed is faster than that of a security method called IPsec by encryption / decryption using a key, and this method is suitable for voice data having high real-time properties.

In this embodiment, a one-to-one VoIP network configuration is used between the telephone terminal A1 and the telephone terminal B7. However, not only voice data but also data such as images are used using the VoIP network. Become. Also,
Shared VoI for audio and video such as video conferencing and CTI
When used in the P network, security of audio data and image data can be enhanced by the authentication field.

[0043]

As described above, according to the present invention, an originating-side gateway device having a VoIP function of converting voice data generated on the originating side into an IP packet and transferring it to the receiving side via the Internet is provided. In a security system including a receiving-side gateway device having a VoIP function of converting an IP packet received via the VoIP function into voice data, the transmitting-side gateway device converts the TOS field of the IP header into an authentication field for the IP packet and receives the IP packet. The side gateway device checks the falsification of the IP packet based on the authentication field of the IP header, and when the check determines that the IP packet has not been tampered with, converts the authentication field into a TOS field, thereby enabling transmission via the Internet. External data tampering It is possible to prevent, without causing cost increase, there is an effect that it is possible to obtain an optimal configuration with high real-time audio data.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a security system according to an embodiment of the present invention.

FIG. 2 is a block diagram illustrating a configuration of a VoIP GW apparatus A of FIG. 1;

FIG. 3 is a flowchart showing a voice data transfer process by the VoIP GW apparatus A of FIG. 1;

FIG. 4 is a flowchart showing a voice data receiving process by the VoIP GW apparatus B of FIG. 1;

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 Telephone terminal A 2 Telephone exchange A 3 VoIPGW device A 4 Internet 5 VoIPGW device B 6 Telephone exchange B 7 Telephone terminal B 31 Voice signal data receiving part 32 Voice signal data transmitting part 33 Voice IP packet data receiving part 34 Voice IP packet data Transmission unit 35 Data processing unit 36 Route information unit 37 IP packet / voice signal conversion unit 38 IPv4 authentication processing unit 39 Authentication field conversion unit 40 Authentication field collation unit 41 Authentication field information unit 42 NAK unit

 ──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5K030 GA15 HA01 HA08 HB01 HB16 HC01 HD03 JA05 JL07 JT01 LA01 LB15 LC15 LD19 MA04 5K034 AA05 CC05 DD03 EE11 FF11 HH10 HH14 HH16 HH63 MM01 5K051 AA04 BB02 CC01 CG02 JJ

Claims (10)

[Claims] 1. An audio data generated on a transmitting side is transmitted to an IP.
(Internet Protocol) packetized,
VoIP (VoIP) transferred to the receiving side via the Internet
and a receiving-side gateway device having a VoIP function of converting an IP packet received via the Internet into voice data, the security system including: TOS (type
(e.g., e.sub.service) field in the originating gateway apparatus, wherein the source gateway device has means for converting the IP packet into an authentication field, and checking the IP packet for tampering based on the authentication field of the IP header. Means for converting the authentication field into the TOS field when it is determined that the authentication has not been performed, in the receiving-side gateway device. 2. The apparatus according to claim 1, wherein the voice data is generated by one of the calling telephone terminal and the telephone exchange and transferred to one of the receiving telephone terminal and the telephone exchange. The security system described. 3. The gateway device according to claim 1, wherein the originating gateway device and the receiving gateway device are VoIP gateway devices provided at a boundary between the Internet and a voice network.
The security system described. 4. The method according to claim 1, wherein said checking of said authentication field
4. The security system according to claim 1, wherein said receiving-side gateway device includes means for discarding said IP packet when it is determined that the P-packet has been tampered with. 5. The method according to claim 1, wherein said authentication field checks said I
5. The security system according to claim 4, wherein said receiving-side gateway device includes means for transmitting a negative acknowledgment to the transmission source when it is determined that the P-packet has been tampered with. 6. The voice data generated on the transmitting side is transmitted over IP
(Internet Protocol) packetized,
VoIP (VoIP) transferred to the receiving side via the Internet
A voice data security method for a security system, comprising: an originating gateway device having an IP address (ice over IP) function; and a receiving gateway device having a VoIP function for converting an IP packet received via the Internet into voice data, For the IP packet, TOS (type
(e.g., e of service) field in the originating gateway device, wherein the originating gateway device has a step of converting the IP packet into an authentication field, and checking the IP packet for tampering based on the authentication field of the IP header. Converting the authentication field to the TOS field when it is determined that the authentication has not been performed, in the receiving-side gateway device. 7. The telephone system according to claim 6, wherein the voice data is generated by one of the calling side telephone terminal and the telephone exchange, and transferred to one of the receiving side telephone terminal and the telephone exchange. The described voice data security method. 8. The VoIP gateway device according to claim 6, wherein the originating gateway device and the receiving gateway device are VoIP gateway devices provided at a boundary between the Internet and a voice network.
The described voice data security method. 9. The method according to claim 9, wherein said authentication field checks
9. The receiving side gateway device according to claim 6, further comprising a step of discarding the IP packet when it is determined that the P packet has been tampered with.
The voice data security method according to any one of the above. 10. The reception-side gateway device includes a step of transmitting a negative acknowledgment to a transmission source when it is determined that the IP packet has been tampered with by checking the authentication field. Item 6. The voice data security method according to Item 4.