JPWO2006087819A1 - Communication device - Google Patents


Publication number
JPWO2006087819A1
Authority
JP
Japan
Prior art keywords
call
information
message
key information
unit
Prior art date
Legal status
Granted
Application number
JP2007503556A
Other languages
Japanese (ja)
Inventor
奈津子 荒井
達宏 安藤
Original Assignee
富士通株式会社
Priority date
Filing date
Publication date
Application filed by 富士通株式会社 (Fujitsu Limited)
Priority to PCT/JP2005/002734 (WO2006087819A1)
Publication of JPWO2006087819A1
Legal status: Granted (current)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Abstract

A communication device that transmits a call request to a call control device, which forwards the call request to the callee. A call request generation unit generates a call request for establishing a call; a key information processing unit embeds in the call request key information for releasing the encryption applied on the calling side and information indicating the type of encryption algorithm used for that encryption; a call request transmission unit transmits the call request with this information embedded toward the callee; and a reception unit receives from the callee a response containing key information for releasing the encryption applied on the called side and information indicating that the encryption algorithm can be used.

Description

  The present embodiment relates to a communication device, a call control device, and a relay device that prevent eavesdropping in an IP telephone service while allowing calls to be intercepted by an investigation organization such as the police.

  In recent years, broadband Internet and VoIP (Voice over Internet Protocol) telephones have become popular. VoIP is a technology for transmitting and receiving voice data using an IP network such as the Internet or an intranet. A VoIP phone using the Internet is called an Internet phone.

  In addition, a telephone service provided using VoIP technology on an IP network independent of the Internet may be referred to as an IP telephone. By converting voice signals into data and using the Internet as part of the communication network, it is possible to provide a telephone service at a lower price than a fixed telephone regardless of the distance to the other party.

  However, current IP telephone services exchange voice packets over the IP network unencrypted. Anyone able to use IP wiretapping technology can therefore eavesdrop easily, even without being familiar with telephone technology.

  Currently, to prevent eavesdropping on voice packets, either each IP telephone terminal applies its own vendor-specific encryption, so that traffic is encrypted only between terminals of the same vendor (model), or encryption is applied per network managed by the carrier.

  FIG. 15 is a diagram showing the overall configuration of a conventional system in which voice packets are protected by vendor-specific encryption. The communication system in FIG. 15 consists of a call processing server 102 used for establishing a call between a transmitting terminal and a receiving terminal, IP telephone terminals 104 installed as user terminals, a home gateway 106 to which an IP telephone terminal 104 can be connected, a firewall 108 installed in a corporate organization, an edge router 110 arranged in a carrier IP network to control voice packets from each IP telephone terminal 104, and the like.

  Here, when each IP telephone terminal 104 performs vendor-specific encryption and decryption, the key information used for encryption and decryption is managed by each IP telephone terminal 104. For this reason, voice packets can be encrypted only between IP telephone terminals 104 that implement the same encryption and decryption. That is, an encrypted call cannot be made between IP telephone terminals 104 of different vendors (models).

In addition, known techniques for encrypting voice packets include the following.
Patent Document 1 discloses a system in which a gateway controller generates and holds an encryption key and makes a call using encryption. The encryption key held in one gateway controller is sent to the other gateway controller with the encryption key information included in the signaling message.

  Further, the partner gateway controller sends the key information to the partner CTA (cable terminal adapter) for approval. After approval, the CTA encrypts and decrypts the voice packets using the key generated by the gateway controller.

Patent Document 1 does not describe in detail which network the gateway controller belongs to. However, if it is installed in an access network, third parties can easily access it, so the key information is not managed securely. If it is installed in a home (or company), then when an investigation organization such as the police needs to intercept a specific user's call, it must obtain the key information by intruding into the gateway controller installed in the home.
Patent Document 1: Japanese published PCT translation No. 2003-521834 (特表2003-521834)

The prior art has the problem that encrypted calls cannot be made between IP telephone terminals of different vendors (models).
In addition, as fixed telephones are replaced by IP telephone terminals in earnest, it is expected that call interception will be provided for legally, so that an investigation organization such as the police can intercept a specific user's call. Here the prior art has the problem that the investigating agency cannot easily obtain the key information, and that the key information cannot be securely managed in the access network.

  The present invention aims to provide a communication device, a call control device, and a relay device that manage key information securely in the access network, prevent eavesdropping in an IP telephone service, and allow calls to be intercepted.

  In order to achieve the above object, the present invention provides a call request generation unit that generates a call request for establishing a call with the callee; a key information processing unit that embeds in the call request key information for releasing, on the callee side, the encryption performed on the calling side, together with information indicating the type of encryption algorithm used for that encryption; a call request transmission unit that transmits the call request with the embedded information to the callee; and a reception unit that receives from the callee a response including key information for releasing the encryption performed on the called side and information indicating that the encryption algorithm can be used.

  According to the present invention, (i) a call request in which key information for releasing the encryption performed on the calling side and information indicating the type of encryption algorithm used for that encryption are embedded is sent to the called party, and (ii) a response including key information for releasing the encryption performed by the called party and information indicating that the encryption algorithm is available is received from the called party. Key information can thus be exchanged while the call is being established.

  In addition, the present invention provides a receiving unit that receives a message for establishing a telephone call from a communication terminal; an analyzing unit that analyzes the message; an extraction unit that extracts key information from the message when the analyzing unit determines that the message contains key information; a storage unit that stores the key information in association with subscriber identification information identifying the subscriber of the communication terminal; a setting request receiving unit that receives from an external device an intercept setting request including subscriber identification information; and a transmission unit that, when the analyzing unit determines that a message related to the subscriber identification information included in the intercept setting request has been received, transmits a message including the key information and the subscriber identification information to the external device.

  According to the present invention, when the analysis unit analyzes that a message related to the subscriber identification information included in the intercept setting request is received, the message including the key information and the subscriber identification information can be transmitted to the external device.

  In addition, the present invention provides a storage unit; a designation unit that designates subscriber identification information specifying the communication terminal of a person to be intercepted; a carrier search unit that searches the storage unit, using the subscriber identification information as a search key, for the carrier to which the communication terminal belongs; a relay device search unit that searches the storage unit, using the retrieved carrier network configuration information and the subscriber identification information, for the relay device on the communication terminal's side; a mirroring setting request unit that transmits to the relay device a mirroring setting request for receiving mirrored copies of the voice packets related to the communication terminal; and a setting request unit that transmits an intercept setting request including the subscriber identification information to the call control device that manages call establishment requests, in order to obtain information regarding the communication terminal.

  According to the present invention, a mirroring setting request for receiving mirrored copies of the voice packets related to a communication terminal is transmitted to the relay device, and an intercept setting request including the subscriber identification information is transmitted to the call control device that manages call establishment requests, in order to obtain information regarding the communication terminal.

  The present invention also provides a mirroring setting unit that, when a mirroring setting request requesting mirroring of voice packets is received from outside, sets voice packets carrying the IP address included in the mirroring setting request as the mirroring target; a search unit that determines whether a received voice packet carries that IP address; and a transmission unit that mirrors and transmits the voice packet when a voice packet carrying the IP address is received.

  According to the present invention, when a voice packet including an IP address included in a mirroring setting request is set as a mirroring target and a voice packet including an IP address is received, the voice packet can be mirrored and transmitted.

According to this embodiment, it is possible to make a call using encryption between IP telephone terminals of different vendors (models).
In addition, according to the present embodiment, an investigation organization or the like can easily obtain key information and can securely manage the key information in the access network.

FIG. 1 is a diagram showing the overall structure of the encrypted communication system in this embodiment.
FIG. 2 is a functional block diagram showing the structure of the home gateway and the IP telephone terminal in this embodiment.
FIG. 3 is a functional block diagram showing the structure of the call processing server in one embodiment of this invention.
FIG. 4 is a flowchart explaining the key exchange between communication terminals in one embodiment of this invention.
FIG. 5 is a flowchart explaining the negotiation procedure of the key information exchange in one embodiment of this invention.
FIG. 6 is a diagram showing an example of the key information management table in one embodiment of this invention.
FIG. 7 is a diagram showing an example of the key information management procedure (key information acquisition sequence) in one embodiment of this invention.
FIG. 8 is a diagram showing an example of the key information management procedure (key information deletion sequence) in one embodiment of this invention.
FIG. 9 is a functional block diagram showing the structure of the interception dedicated communication device in one embodiment of this invention.
FIG. 10 is a flowchart explaining the call intercept setting in one embodiment of this invention.
FIG. 11 is a flowchart explaining the call intercept setting in one embodiment of this invention.
FIG. 12 is a flowchart explaining the mirroring target device and the method of specifying target packets in one embodiment of this invention.
FIG. 13 is a diagram explaining the mirroring target device and the method of specifying target packets in one embodiment of this invention.
FIG. 14 is a diagram explaining the procedure for managing call interception of multiple communication terminals in one embodiment of this invention.
FIG. 15 is a diagram showing the overall structure of a conventional system in which voice packets are protected by vendor-specific encryption.

Explanation of symbols

2 IP telephone terminal
4 Analog telephone terminal
6 Computer
8 Home gateway
10 Call processing server
12 Interception dedicated communication device
14 Firewall
16 Edge router
18 VoIP GW
20 PSTN
22 Switch
24 General telephone
26 Hardware
28 Operating system
30 Middleware function module
32 Key information processing unit
34 Call processing signal processing unit
36 SIP control unit
38 Subscriber data table
40 Voice packet encryption / decryption processing unit
42 Server operating system
44 SIP register control unit
46 SIP call control unit
48 Subscriber information table
50 Key information data processing unit
52 Subscriber data cache table
54 SIP software function module
56 Call request message
58 Success response message
60 Network monitoring unit
62 Mirroring setting processing unit
64 Interception setting unit
66 Voice packet processing unit for communication interception
68 Decoding processing unit
70 Communication interception / key data processing unit
72 Call data unit for communication interception
74 Mirroring setting unit (ER)
76 Target packet search unit (ER)
78 Target packet sending unit (ER)
102 Call processing server
104 IP telephone terminal
106 Home gateway
108 Firewall
110 Edge router

  Hereinafter, a communication system according to an embodiment of the present invention will be described with reference to the drawings. The configuration of the embodiment is an example, and the present invention is not limited to it. This embodiment can be implemented in hardware or in software. When it is implemented in software consisting of a program, the various functions can be realized by installing the program that constitutes the software in hardware such as a computer. The program is installed in the computer or the like through a communication line or from a computer-readable storage medium.

  Here, the computer-readable storage medium refers to a storage medium in which information such as data and programs is accumulated by electrical, magnetic, optical, mechanical, or chemical action and can be read from a computer. Examples of such a storage medium that can be removed from the computer include a flexible disk, a magneto-optical disk, a CD-ROM, a CD-R / W, a DVD, a DAT, an 8 mm tape, and a memory card. Further, there are a hard disk, a ROM (read only memory) and the like as a storage medium fixed to the computer.

  FIG. 1 is a diagram showing an example of the overall configuration of the encrypted communication system in the present embodiment. The communication system in FIG. 1 consists of an IP telephone terminal 2 or an analog telephone terminal 4 installed as a user terminal, a home gateway 8 to which other computers 6 can also be connected, a call processing server 10 used for establishing a call between a transmitting terminal and a receiving terminal, an interception dedicated communication device 12 (dedicated device) installed in an investigation organization such as the police, a firewall 14 installed in a corporate organization, an edge router 16 arranged in the carrier IP network to control voice packets from each IP telephone terminal 2, and the like.

  Further, by providing the VoIP GW 18 (Voice over IP gateway) with the encryption / decryption function of the present embodiment described with reference to FIG. 2, calls can also be made to a PSTN 20 (public switched telephone network). The voice signal decrypted by the VoIP GW 18 is transmitted to the general telephone 24 through the switch 22, and the voice signal from the general telephone 24 is transmitted to the carrier IP network through the switch 22 and the VoIP GW 18.

  FIG. 1 shows an example in which the encryption and decryption of this embodiment are performed by the home gateway 8, the firewall 14, and the VoIP GW 18. This is not limiting; the IP telephone terminal 2 itself may perform encryption and decryption. Next, the basic operation of the present embodiment is described using an example in which a call is made from an IP telephone terminal 2 in a general home to an IP telephone terminal 2 on the company side. When the home IP telephone terminal 2 calls the company IP telephone terminal 2, the call request (SIP message) from the home terminal is transmitted to the call processing server 10 via the home gateway 8 and the edge router 16.

  At this time, the home gateway 8 embeds and transmits key information for decrypting the voice packet encrypted by the home gateway 8 in the call request. At this time, the call request is encrypted by an encryption method different from the encryption of the voice packet. The encryption of the call request is encryption that can be decrypted by the call processing server 10.

  The call processing server 10 decrypts the received call request, extracts the key information from it, and temporarily stores the key information in association with the user information (caller subscriber ID, caller location information, callee location information, etc.).

  The call processing server 10 manages the IP addresses of the IP telephone terminals 2 and functions as their call processing server. The originating IP telephone terminal 2 sends the call request addressed to the destination IP telephone terminal 2 to the call processing server 10 in accordance with SIP, an application-layer call control protocol, and the call processing server 10 forwards the received call request to the destination.

  That is, when the call processing server 10 receives a call request transmitted from the IP telephone terminal 2, it searches for the IP address of the company-side IP telephone terminal 2 corresponding to the destination and forwards the call request to that IP address. The call request reaches the receiving IP telephone terminal 2 in the company via the firewall 14. The firewall 14 extracts the key information and temporarily stores it in association with the user information (sender subscriber ID, sender location information, etc.).

  On receiving the call request, the company-side IP telephone terminal 2 transmits a response message (SIP message). When the firewall 14 receives this SIP message from the company-side IP telephone terminal 2, it embeds key information for decryption in the SIP message.

  The key information embedded here is key information for the home gateway 8 to decrypt the voice packet encrypted by the firewall 14. Next, the firewall 14 transmits a SIP message to the call processing server 10 via the edge router 16. At this time, the SIP message is encrypted by an encryption method different from the encryption of the voice packet. The encryption of the response is an encryption that can be decrypted by the call processing server 10.

  When the call processing server 10 receives the response to the call request containing the key information, it extracts the key information included in the SIP message and temporarily stores it in association with the user information (caller subscriber ID, caller location information, etc.). As a result, the key information of both the caller and the callee is stored temporarily in association with each other.

  Then, the call processing server 10 transmits a SIP message to the home gateway 8 via the edge router 16. The home gateway 8 extracts key information from the SIP message received from the company and temporarily stores the key information.

  In this way, the key information for decrypting the voice packets encrypted on behalf of each IP telephone terminal 2 is exchanged between the home gateway 8 and the firewall 14 interposed between the IP telephone terminals 2, so that the encrypted voice packets can be decrypted. The voice packets are transmitted and received in encrypted form at least on the public network between the IP telephone terminals 2, via the edge router 16.

  The key information stored in the call processing server 10 is transmitted to the interception dedicated communication device 12 in response to a request from that device. The interception dedicated communication device 12 obtains the voice packets from the edge router 16 and can intercept the call by decrypting them using the key information. The method for obtaining the voice packets from the edge router 16 is described later.

<Home gateway 8, IP telephone terminal 2>
FIG. 2 is a functional block diagram showing the configuration of the home gateway 8, IP telephone terminal, etc. (corresponding to the “communication device” of the present invention) in this embodiment.

  The home gateway 8 or the like includes (i) hardware 26 including a NIC (Network Interface Card) used to connect a computer to a network, (ii) an operating system 28, (iii) a middleware function module 30 that performs TCP / IP processing and encryption processing, (iv) a SIP control unit 36 including a key information processing unit 32 and a call processing signal processing unit 34, (v) a subscriber data table 38 that associates destination data, source subscriber data, and key information, and (vi) a voice packet encryption / decryption processing unit 40.

  As shown in FIG. 1, in the configuration in which the IP telephone terminal is connected to the public network via the home gateway 8 and the firewall 14, the SIP control unit 36 of the home gateway 8 and the firewall 14 functions, and the IP telephone The terminal may provide a conventional IP telephone function. On the other hand, in a configuration in which the IP telephone terminal is connected to the carrier IP network without passing through the home gateway 8, the firewall 14, etc., the SIP control unit 34 of the IP telephone terminal may function.

  Here, the hardware 26 converts an Ethernet (registered trademark) frame received from the outside into an IP packet and passes it to the operating system 28. Also, the hardware 26 converts the IP packet received from the operating system 28 into an Ethernet (registered trademark) frame and transmits it to the outside.

  An IP packet is passed between the middleware function module 30 and the operating system 28. Further, SIP messages are passed between the middleware function module 30 and the call processing signal processing unit 34 and between the call processing signal processing unit 34 and the key information processing unit 32.

  The call processing signal processing unit 34 generates a call processing signal (SIP message) for establishing a call (corresponding to the “call request generation unit” of the present invention) and passes it to the key information processing unit 32. When the call processing signal processing unit 34 receives a response to the call request, the call processing signal processing unit 34 passes the response to the key information processing unit 32.

  When it receives the call request, the key information processing unit 32 generates key information (corresponding to the “key information processing unit” of the present invention). The key information processing unit 32 uses time information and the like to generate different key information (an encryption key and a decryption key, or a common key) each time a call is made. Next, the key information processing unit 32 registers in the subscriber data table 38 the key information (encryption key or common key) and information indicating the type of encryption algorithm used for its generation, in association with information for identifying the call request (for example, the “Call-ID” shown in FIG. 6).

  The encryption algorithm is not limited to a specific algorithm; a general-purpose encryption algorithm can be used. Likewise, the encrypted communication protocol is not limited to a specific protocol; general-purpose protocols such as IPsec and SRTP (Secure RTP) can be used.

  Here, the encryption key is used to encrypt an audio signal to be transmitted to the destination, and the decryption key is embedded in the call request and transmitted to the destination. Further, when receiving a response to the call request, the key information processing unit 32 extracts the destination key information (decryption key) from the SIP message and registers it in the subscriber data table 38 in association with the encryption key.

  The key information processing unit 32 embeds the generated key information (decryption key or common key) in the SIP extension part of the SIP message. It then passes the SIP message, through the call processing signal processing unit 34, to the middleware function module 30 for transmission to the call processing server 10. The encryption processing unit of the middleware function module 30 converts the SIP message into IP packets and encrypts them.

  When the call is established, the voice packet encryption / decryption processing unit 40 encrypts the voice packets to be transmitted using the stored key information (encryption key or common key) and decrypts the received voice packets using the key information received from the destination (decryption key or common key) (corresponding to the “encryption processing unit” and “decryption processing unit” of the present invention).

  When a call request (SIP message) is received from outside, the key information processing unit 32 extracts the key information (decryption key or common key) from the call request and registers it in the subscriber data table 38 in association with the sender's user information included in the call request (sending subscriber ID, sender location information, encryption algorithm, key information (decryption key), etc.).

  Then, when generating the response message, the key information processing unit 32 generates key information (an encryption key and a decryption key) and registers the encryption key in the subscriber data table 38 in association with the sender's user data. The key information processing unit 32 embeds the decryption key in the response message and transmits it to the sender. Voice packets are then encrypted and decrypted in the same way as when transmitting a call request.

<Call processing server 10>
Next, the call processing server 10 (corresponding to the “call control device” of the present invention) used for establishing a telephone call will be described. FIG. 3 is a functional block diagram showing a configuration example of the call processing server 10 in one embodiment of the present invention.

  The call processing server 10 includes (i) hardware 26 including a network interface card (NIC) used to connect a computer to a network, (ii) a server operating system 42, (iii) a middleware function module 30 that performs TCP / IP processing and encryption processing, and (iv) a SIP software function module 54 including a SIP register control unit 44, a SIP call control unit 46, a subscriber information table 48, a key information data processing unit 50, and a subscriber data cache table 52.

  Here, the hardware 26 converts an Ethernet (registered trademark) frame received from the outside into an IP packet and passes it to the server operating system 42. Further, the hardware 26 converts the IP packet received from the server operating system 42 into an Ethernet (registered trademark) frame and transmits it to the outside.

  An IP packet is passed between the middleware function module 30 and the server operating system 42. Further, the SIP message is transferred between the middleware function module 30 and the SIP call control unit 46. A SIP register message (SIP register message) is passed between the SIP call control unit 46 and the SIP register control unit 44.

  The middleware function module 30 (i) controls basic TCP / IP termination processing and encryption with middleware, and (ii) delivers a SIP message or the like as application data to the SIP software function module.

  The SIP call control unit 46 performs the basic operations of SIP call control, such as call establishment and call disconnection. When it receives a call request, the SIP call control unit 46 passes the SIP register message to the SIP register control unit 44. Further, when the SIP call control unit 46 receives from the interception dedicated communication device 12 an intercept setting request including information (such as a calling subscriber ID) specifying the person to be intercepted, it transmits to the interception dedicated communication device 12 a response message including the key information and the information specifying the interceptee (corresponding to the “analysis unit” and “transmission unit” of the present invention).

  The SIP register control unit 44 registers the SIP subscriber terminal information from the SIP register message (IP telephone terminal information: originating-side subscriber ID, called-side subscriber ID, IP address and port, etc.) in the subscriber information table 48.

  The key information data processing unit 50 analyzes the SIP message and extracts the key information from it (corresponding to the “analysis unit” and “extraction unit” of the present invention). Next, the key information data processing unit 50 registers the key information in the subscriber data cache table 52. The subscriber data cache table 52 stores the session information and key information of a call while the call is in progress (corresponding to the “storage unit” of the present invention).

  FIG. 6 is a diagram showing an example of a key information management table in an embodiment of the present invention. The columns of the key information management table are described in order from the upper left. (i) The Call-ID column holds ID information for managing the call session information; it is identification information assigned to each call request. (ii) The calling subscriber ID (DN / SIP-URI) column holds information for identifying the calling subscriber and corresponds to the telephone number of the general telephone 24. (iii) The caller location information (IP address: port number) column holds the location information of the caller and is used to specify its address information. (iv) The called party location information (IP address: port number) column holds the location information of the called subscriber and is used to specify its address information. (v) The encryption algorithm column identifies the type of encryption algorithm used for encrypting the voice packets. (vi) The authentication method column identifies the authentication method and the type of encryption key. (vii) The key information (Private Key) column stores the encryption / decryption key when the private key (Pre-Shared-Key) method is used. (viii) The key information (Public Key) column stores the encryption / decryption key when the public key method is used. (ix) The call generation time column stores the time at which the call occurred.

  The types of encryption algorithms in this embodiment are NULL [no encryption applied], DES, 3DES, and AES. However, the present invention is not limited to this, and other encryption methods can be used. In FIG. 6, “2” in the encryption algorithm column indicates that “DES” is used for encryption of the voice packet.

  The types of authentication methods include a pre-shared secret key (Pre-Shared-Key) and a public key. However, the present invention is not limited to this, and other authentication methods can be used. In FIG. 6, “1” in the column of the authentication method indicates that the “pre-shared secret key” is used for authentication of the user terminal.

  FIG. 4 is a flowchart for explaining key exchange between communication apparatuses (terminals / HGWs) according to an embodiment of the present invention. The communication device A transmits a call request message (INVITE) to the other communication device. The call processing server 10 obtains the calling side decryption key from the call request message and temporarily stores the key information. The call processing server 10 specifies the destination of the communication apparatus B of the other party and transfers the call request message (INVITE).

  The communication device B transmits a success response message (200 OK) to the communication device A. The call processing server 10 obtains the receiving side decryption key from the success response message and temporarily stores the key information. The call processing server 10 specifies the destination of the communication device A and transfers the success response message. When the call (RTP session) is established, a telephone call can be made between the telephone terminals.

  When a call end message (BYE) is transmitted from the communication terminal A, the call processing server 10 deletes the record including the key information from the key information management table. In FIG. 4, the 100 series are provisional responses indicating that a request (INVITE) has been received and is being processed (e.g., 100 Trying, 180 Ringing). The 200 series are success responses indicating that the request has been understood and accepted (e.g., 200 OK, 202 Accepted). ACK indicates that the communication apparatus A has received the response corresponding to the INVITE.

  FIG. 5 is a flowchart for explaining the negotiation procedure of the key information exchange in one embodiment of the present invention. FIG. 5 shows the call request message, which is a SIP message transmitted by the communication device A as the source, and the success response message transmitted by the communication device B.

  As shown in FIG. 5, the call request message 56 includes the identification information (SIP-URI: 0447777111@10.1.1.1:5060) of the other party. When establishing a call with the communication apparatus B of the other party via the call processing server 10, the IP address of the call processing server 10 is set as the transmission destination address.

  In the present embodiment, an encryption algorithm negotiation request is added as a SIP extension to the SIP header portion of the call request message 56. The communication apparatus A embeds “key1” as key information (decryption key or common key). A second piece of key information (decryption key or common key) is embedded at the same time, for the case where the communication apparatus B does not support the encryption algorithm of “key1”.

  The session description protocol part describes the type of encryption algorithm corresponding to the key information in the SIP header part. In the present embodiment, it is indicated that the encryption algorithm type of “key1” is “3DES” and the encryption algorithm type of “key2” is “DES”.

  The communication device A transmits a call request message 56 in which the key information is embedded to the call processing server 10. The call processing server 10 retrieves and stores the key information of the communication device A in the call request message 56 and transfers the SIP message to the communication device B.

  Next, the communication apparatus B extracts and stores the key information and the like of the communication apparatus A from the call request message 56, and determines the type of encryption algorithm transmitted from the communication apparatus A. When the communication device B supports the encryption algorithm, the communication device B generates a success response message 58.

  When it is determined that the communication device B supports the type of encryption algorithm transmitted from the communication device A, the key information of the communication device A may be extracted from the call request message 56 and stored.

  The success response message 58 in FIG. 5 indicates that the communication apparatus B can use three types of encryption algorithms “key1”, “key3”, and “key4”. The communication apparatus B transmits a success response message 58 (200 OK) to the call processing server 10.

  The call processing server 10 extracts and saves key information and the like from the success response message 58 and transfers the SIP message to the communication apparatus A. When the communication device A stores the key information and the like of the communication device B, communication using the encrypted voice packet is started between the communication device A and the communication device B.

FIG. 7 is a diagram showing an example of a key information management procedure (key information acquisition sequence) in an embodiment of the present invention. FIG. 7 shows a management procedure of key information in the call processing server 10.
The call processing server 10 receives an INVITE message for connecting a call from a calling terminal such as an IP telephone device (S10). The call processing server 10 acquires calling subscriber information (calling subscriber ID, IP address, port number) from the INVITE message (S11).

  Next, the call processing server 10 searches the subscriber table using the calling subscriber information as a search key, and acquires the called subscriber information (IP address, etc.) (S12). The call processing server 10 determines whether key information is included in the INVITE message (S13).

  When the call processing server 10 determines that the key information is included in the INVITE message, the key information is extracted (S14). Then, call session information and key information are written in the subscriber table (key management table) (S15).

  When the call processing server 10 determines that the key information is not included in the INVITE message (“NO” in step S13), the value “1”, denoting “NULL”, is written in the subscriber table. Then, the call processing server 10 creates a signaling message in order to proceed with the call establishment process, and transfers the INVITE message to the receiving terminal (S16 to S18).

  When the call processing server 10 receives the 200 OK message for accepting the call connection from the receiving terminal, the call processing server 10 determines whether the key information is included in the message from the receiving terminal (S19, S20).

  When the call processing server 10 determines that the key information is included in the success response message 58, the key information is extracted (S21). Then, the key information is written in the subscriber table (key management table) in association with the call session information (S22).

  When the call processing server 10 determines that the key information is not included in the success response message 58, it regards the receiving terminal as not supporting encryption, and deletes all the key information corresponding to the call session information (S24). The call processing server 10 creates a signaling message to proceed with the call establishment process, and transfers the success response message 58 to the calling terminal (S23, S25).

  With the above procedure, after the call processing server 10 stores the key information of both the calling terminal and the called terminal, a call in which the voice packet is encrypted is established between the calling terminal and the called terminal. When the receiving terminal does not support encryption, the call is established without encrypting the voice packet.

FIG. 8 is a diagram showing an example of a key information management procedure (key information deletion sequence) in one embodiment of the present invention. An example when a BYE message is received from the calling terminal will be described.
The call processing server 10 receives a SIP-BYE message for disconnecting the call from the calling terminal (S30). The call processing server 10 acquires calling subscriber information (calling subscriber ID, IP address, port number) from the BYE message (S31).

  Next, the call processing server 10 searches the subscriber table using the calling subscriber information as a search key, and acquires the called subscriber information (IP address, etc.) (S32). The call processing server 10 creates a signaling message in order to proceed with the call disconnection process, and transfers the BYE message to the receiving terminal (S33, S35).

  The call processing server 10 receives a 200 OK message for accepting the call disconnection from the receiving terminal (S36). Then, the call processing server 10 searches the subscriber table using the subscriber information as a search key, and deletes all the key information corresponding to the call session information in the subscriber table (key management table) (S37).

  Finally, the call processing server 10 creates a signaling message in order to proceed with the call disconnection process, and transfers the BYE message to the calling terminal (S38, S39). The call between the calling terminal and the receiving terminal is terminated.
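The key exchange of FIG. 5 together with the acquisition and deletion sequences of FIGS. 7 and 8, modeled in Python as an added example (not code from the patent): the call processing server parses the INVITE and the 200 OK, picks the first algorithm label the callee also supports, records the agreed keys and the algorithm code by Call-ID, treats a 200 OK without key information as an unencrypted call, and deletes the row once the BYE is acknowledged. The header name "X-Key-Info", the SDP attribute "a=key-alg:", the codes for 3DES and AES, and the caller's address are assumptions, since the patent does not give the wire format.

```python
"""Key information management on the call processing server (FIGS. 5 to 8).
Added example, not code from the patent: it does not specify how the key
information is carried, so the "X-Key-Info" header, the SDP attribute
"a=key-alg:" and the sample addresses below are assumptions."""

# FIG. 6 algorithm codes: "1" = NULL and "2" = DES are stated on the page; the
# codes used here for 3DES and AES are assumed placeholders.
ALGORITHM_CODES = {"NULL": 1, "DES": 2, "3DES": 3, "AES": 4}


def parse_sip(raw):
    """Return (headers with lower-cased names, SDP body lines)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request/status line
        name, _, value = line.partition(":")   # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    return headers, [ln for ln in body.split("\n") if ln]


def extract_key_info(headers, body):
    """{label: (key, algorithm)} carried by the message, {} if none (S13, S20).
    Keys: assumed "X-Key-Info: key1=<k>,key2=<k>" header; algorithm per label
    from SDP lines such as "a=key-alg:key1 3DES"."""
    header = headers.get("x-key-info")
    if not header:
        return {}
    algs = {}
    for line in (ln[len("a=key-alg:"):] for ln in body if ln.startswith("a=key-alg:")):
        label, _, alg = line.partition(" ")
        algs[label] = alg.strip().upper()
    result = {}
    for item in header.split(","):
        label, _, key = item.strip().partition("=")
        if key and algs.get(label) in ALGORITHM_CODES:   # skip unknown algorithms
            result[label] = (key, algs[label])
    return result


def select_key(offer, answer):
    """First label of the caller's offer that the callee also supports (FIG. 5)."""
    return next((label for label in offer if label in answer), None)


def location(headers):
    """'ip:port' from the Contact header, e.g. '<sip:0447777111@10.1.1.1:5060>'."""
    return headers.get("contact", "").strip("<>").split("@")[-1]


class KeyManagementTable:
    """Rows keyed by Call-ID; the fields follow the FIG. 6 columns used here."""

    def __init__(self):
        self.records = {}

    def on_invite(self, raw):                  # S10 to S18
        headers, body = parse_sip(raw)
        rec = {"calling_id": headers.get("from", ""),
               "caller_location": location(headers), "callee_location": "",
               "algorithm": ALGORITHM_CODES["NULL"],   # "1" until keys are agreed
               "offer": extract_key_info(headers, body), "keys": {}}
        self.records[headers["call-id"]] = rec
        return rec

    def on_success_response(self, raw):        # S19 to S25
        headers, body = parse_sip(raw)
        rec = self.records[headers["call-id"]]
        rec["callee_location"] = location(headers)
        answer = extract_key_info(headers, body)
        label = select_key(rec["offer"], answer)
        if label is None:                      # no key info or no common algorithm:
            rec["offer"], rec["keys"] = {}, {}  # S24, drop all key info of the call
            rec["algorithm"] = ALGORITHM_CODES["NULL"]
        else:
            rec["algorithm"] = ALGORITHM_CODES[rec["offer"][label][1]]
            rec["keys"] = {"caller": rec["offer"][label][0], "callee": answer[label][0]}
        return rec

    def on_bye_completed(self, call_id):       # S37: delete the row after 200 OK to BYE
        return self.records.pop(call_id, None)


# Constructed messages following FIG. 5: A offers key1 (3DES) and key2 (DES),
# B answers with key1, key3 and key4.  Key values are placeholders.
INVITE = ("INVITE sip:0447777111@10.1.1.1:5060 SIP/2.0\nCall-ID: c1@example-a\n"
          "From: <sip:0447777222@10.2.2.2>\nContact: <sip:0447777222@10.2.2.2:5060>\n"
          "X-Key-Info: key1=AAAA1111,key2=BBBB2222\n\n"
          "v=0\na=key-alg:key1 3DES\na=key-alg:key2 DES\n")
OK_200 = ("SIP/2.0 200 OK\nCall-ID: c1@example-a\n"
          "Contact: <sip:0447777111@10.1.1.1:5060>\n"
          "X-Key-Info: key1=CCCC3333,key3=DDDD4444,key4=EEEE5555\n\n"
          "v=0\na=key-alg:key1 3DES\na=key-alg:key3 AES\na=key-alg:key4 DES\n")
OK_200_NO_KEY = "SIP/2.0 200 OK\nCall-ID: c1@example-a\n\nv=0\n"


def run_call(ok_message=OK_200):
    """INVITE then 200 OK through the table; returns (table, record)."""
    table = KeyManagementTable()
    table.on_invite(INVITE)
    return table, table.on_success_response(ok_message)
```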

<Interception dedicated communication device 12 (dedicated device)>
Next, the interception-only communication device 12 (corresponding to the “communication device” of the present invention), which intercepts the call of the person to be intercepted using the key information managed by the call processing server 10 in the above procedure, will be described. FIG. 9 is a functional block diagram showing the configuration of the interception-only communication device 12 in one embodiment of the present invention.

  The interception-only communication device 12 is a device that makes the voice packets received from the edge router 16 available for interception by decrypting them with the key information. The interception-only communication device 12 requests and obtains the key information from the call processing server 10.

  The interception dedicated communication device 12 includes (i) hardware 26 including a network interface card (NIC) used to connect a computer to a network, (ii) an operating system 28, (iii) a middleware function module 30 that performs TCP/IP processing, encryption processing and the like, (iv) an interception setting unit 64 including a network monitoring unit 60 and a mirroring setting processing unit 62, and (v) a communication interception target voice packet processing unit 66, a decryption processing unit 68 that decrypts encrypted IP packets, a communication interception / key data processing unit 70 that processes the decryption key, and a communication interception target call data unit 72 that manages the decrypted voice packets.

  Here, the hardware 26 converts an Ethernet (registered trademark) frame received from the outside into an IP packet and passes it to the operating system 28. The Ethernet (registered trademark) frame is a mirroring IP voice packet received from the edge router 16 or a key information packet received from the call processing server 10. Also, the hardware 26 converts the IP packet received from the operating system 28 into an Ethernet (registered trademark) frame and transmits it to the outside.

  An IP packet is passed between the middleware function module 30 and the operating system 28. Further, IP packets are transferred between the middleware function module 30 and the mirroring setting processing unit 62, and between the mirroring setting processing unit 62 and the network monitoring unit 60.

  The network monitoring unit 60 monitors the network state of the intercept target and obtains the IP address and port number from the call processing server 10 at the start of the intercept. The mirroring setting processing unit 62 performs the mirroring setting on the edge router 16 based on (1) subscriber information and (2) information on the network configuration obtained online or offline from the carrier. The mirroring setting processing unit 62 instructs the edge router 16 which packets to mirror, based on the information obtained from the network monitoring unit 60. As the type of mirroring, port mirroring that obtains only the voice data related to the call of the intercept target is suitable.

  The communication interception target voice packet processing unit 66 receives the mirrored packets related to the call of the interception target person and passes them to the decryption processing unit 68. Further, the communication interception target voice packet processing unit 66 may determine whether or not a received voice packet is encrypted, and pass only the encrypted voice packets to the decryption processing unit 68.

  In that case, the communication interception target voice packet processing unit 66 may store a voice packet that is not encrypted in the communication interception target call data unit 72. Further, in order to determine whether or not a voice packet is encrypted, the communication interception target voice packet processing unit 66 obtains the information for identifying encrypted packets from the communication interception target call data unit 72.

  The decryption processing unit 68 decrypts the obtained encrypted packet based on the encryption algorithm and key information. The communication interception target call data unit 72 manages the decrypted packet for each interception target person. The communication interception / key data processing unit 70 receives the subscriber information and key information of the subject of interception from the middleware function module 30, and searches for an encryption algorithm.

  FIGS. 10 and 11 are flowcharts for explaining the call intercept setting according to an embodiment of the present invention. Hereinafter, the procedure in which the interception-only communication device 12 transmits setting requests to the call processing server 10 and the edge router 16 in order to intercept a call between the communication devices (terminal / HGW) will be described. The case where the communication device A is the device on the intercept target side and the communication terminal A transmits the call request message 56 is described.

The interception dedicated communication device 12 is connected to the call processing server 10 via a communication line capable of ensuring security such as encryption or a dedicated line. The interception-only communication device 12 transmits a setting request message (SIP message) including information for specifying an intercept target person to the call processing server 10 (corresponding to the “setting request unit” of the present invention). The call processing server 10 enters a call interception waiting state. When the call processing server 10 receives the setting request message, the SIP call control unit 46 manages information (such as a calling subscriber ID) that identifies the intercept target person.
The communication device A transmits a call request message 56 to the communication device B in the call intercept standby state. At this time, the call processing server 10 obtains the calling-side decryption key from the call request message 56 and temporarily stores the key information.

  Then, the call processing server 10 specifies the destination of the communication apparatus B of the other party and transfers the call request message 56. The call processing server 10 notifies the interception dedicated communication device 12 of the SIP message including the IP address / port number of the target person. The IP address / port number of the subject is transmitted to the edge router in order to identify the mirroring target packet.

  Upon receiving the notification, the interception-only communication device 12 transmits a mirroring setting request including an IP address to the edge router 16 based on (1) subscriber information and (2) information on the network configuration. The edge router 16 transmits a setting confirmation response indicating that the mirroring setting is completed to the interception-only communication device 12.

  The communication device B transmits a success response message 58 to the communication device A. The call processing server 10 obtains the receiving side decryption key from the success response message 58 and temporarily stores the key information. The call processing server 10 specifies the destination of the communication device A and transfers the success response message 58.

  When the call processing server 10 receives the success response message 58, it transmits the obtained incoming-side key information to the interception-only communication device 12. The interception-only communication device 12 manages the outgoing side key information and the incoming side key information together with the subscriber information. Then, when the call (RTP session) is established, a call is started between the communication devices.

  When the edge router 16 receives the voice packet to be intercepted, the edge router 16 duplicates the voice packet and transfers it to the interception-only communication device 12 (mirroring). The interception-only communication device 12 decrypts the encrypted voice packet using the decryption key. This makes it possible to intercept calls.

  When a call end message (BYE) is transmitted from the communication terminal A, the call processing server 10 deletes the record including the key information from the key information management table. The call processing server 10 notifies the interception dedicated communication device 12 that the call has ended.

  Upon receiving the notification, the interception-only communication device 12 transmits a mirroring setting cancellation request to the edge router 16. The edge router 16 transmits a cancellation confirmation response indicating that the mirroring setting has been canceled to the interception dedicated communication device 12. When the interception-only communication device 12 receives the cancellation confirmation response, it enters the call interception waiting state again. If the call processing server 10 then receives a call request related to the communication device A of the person to be intercepted, the call interception is resumed.

  Finally, when the call interception ends, the interception-only communication device 12 transmits an intercept cancellation request to the call processing server 10. The call processing server 10 transmits a release confirmation response indicating that the intercept setting has been canceled to the interception-only communication device 12.

  In FIGS. 10 and 11, the 100 series are provisional responses indicating that a request (INVITE) has been received and is being processed (e.g., 100 Trying, 180 Ringing). The 200 series are success responses indicating that the request has been understood and accepted (e.g., 200 OK, 202 Accepted). ACK indicates that the response corresponding to the INVITE has been received from the communication apparatus B.

  Next, the mirroring target device (edge router 16) and the method for specifying the interception target packets will be described with reference to FIGS. 12 and 13. FIG. 12 is a flowchart for explaining the mirroring target device and the method for specifying the target packets in one embodiment of the present invention. The interception-only communication device 12 is used connected to a single device or to a plurality of terminals.

  The interception-only communication device 12 designates the subject information (such as a calling subscriber ID), either by input using an input device such as a mouse or a keyboard or by a search using carrier user information (name, address, etc.) (S40; corresponding to the “designating unit” of the present invention).

  Next, in order to identify the edge router 16 on the intercept target person's side, the interception-only communication device 12 analyzes the intercept target person (S41). For this purpose, the interception dedicated communication device 12 (i) searches for the carrier using the target person information as a search key, and (ii) searches for the edge router 16 to which the user is connected, based on the network configuration information and user information held by the carrier (corresponding to the “carrier search unit” and “relay device search unit” of the present invention). The edge router 16 closest to the intercept target person is the search target.

  Further, the interception-only communication device 12 searches for the mirroring target device based on the network service information (load balancing, redundancy, etc.) held by the carrier (S42). Then, the interception-only communication device 12 identifies one or more mirroring target devices and performs the mirroring settings (S43; corresponding to the “mirroring setting request unit” of the present invention). Two or more mirroring target devices are specified when load distribution or the like may be applied to the voice packets.

  When the call processing server 10 receives the call request message 56 relating to the intercepted person, the interception-only communication device 12 receives the IP address information and port number information of the intercepted person from the call processing server 10 (SIP server) (S44).

  The interception-only communication device 12 transmits a mirroring setting request including the IP address information to the mirroring target device (S45). When receiving the voice packet related to the received IP address information, the mirroring target device mirrors the voice packet and transmits it to the interception-only communication device 12.

  When receiving a mirrored packet, the interception-only communication device 12 determines whether or not decryption is necessary (S46, S47). If decryption is necessary, the interception-only communication device 12 decrypts the voice packet using the key information obtained from the call processing server 10 (S48). The decrypted voice packet is stored in the communication interception target call data unit 72 and can be intercepted (S49).

  FIG. 13 is a diagram for explaining a mirroring target device and a method for specifying a target packet in an embodiment of the present invention. The interception-only communication device 12 searches for the edge router 16 connected from the subscriber information and the network configuration information, and performs mirroring setting for the device. At this time, when load balancing or a redundant configuration service is provided, mirroring is set to all the target edge routers 16.

  The edge router 16 includes a mirroring setting unit ER74, a target packet search unit ER76, and a target packet sending unit ER78. When receiving the mirroring setting request from the interception-only communication device 12, the mirroring setting unit ER74 manages the setting and cancellation of mirroring (corresponding to the “mirroring setting unit” of the present invention). The mirroring setting request includes the IP address of the person to be intercepted. The target packet search unit ER76 holds the IP address of the subject of interception, and determines whether the received voice packet includes the IP address of the subject of interception (corresponding to the “search unit” of the present invention).

  When the voice packet including the IP address of the intercept target person is received, the target packet sending unit ER78 mirrors the target packet and transmits it to the interception-only communication device 12 (corresponding to the “transmission unit” of the present invention). The target packet search unit ER76 is in a standby state until it receives a mirroring setting cancellation request from the interception-only communication device 12.

  FIG. 14 is a diagram illustrating a procedure for managing call interception of a plurality of communication terminals according to an embodiment of the present invention. FIG. 14 shows a case where a plurality of target persons A-C are set in the interception-only communication device 12.

  The interception-only communication device 12 identifies the edge router A as the mirroring setting target device for the user A. The interception dedicated communication device 12 identifies the edge router B as the mirroring setting target device for the user B and the user C.

  User A and user B send and receive encrypted voice packets. On the other hand, user C transmits and receives unencrypted voice packets. When the call processing server 10 receives the call request message 56 relating to user A or user B, the interception-only communication device 12 receives and stores the key information from the call processing server 10 (corresponding to the “storage unit” of the present invention).

When a voice packet received from the edge router 16 is encrypted, it is decrypted by the decryption processing unit 68. The decrypted voice packets are distributed and stored for each user. For example, the voice packets relating to user A are stored and managed in order using the time information included in the voice packets. As the voice packets related to user A, only the voice packets of user A may be stored, or the voice packets of user A and of the other party may be stored together in one folder.
As described above, according to the present invention, the key information is embedded in and exchanged through the SIP messages, and the voice packets are decrypted with that key information. By applying an existing encryption algorithm, the development scale of each device can be minimized.
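An added Python model (not the patent's code) of the edge router's target packet search and mirroring (FIG. 13) and of the interception-only communication device's handling of mirrored packets for several subjects (FIGS. 12 and 14): mirroring is set on every edge router that may carry a subject's call, only packets carrying a registered address are duplicated, decryption is required only for an encrypted packet whose session was registered with a non-NULL algorithm, and packets are filed per subject in the order of their time information. The packet fields, router names, addresses and key values are constructed.

```python
"""Edge router mirroring and per-subject handling of mirrored voice packets
(FIGS. 12 to 14).  Added example, not the patent's code; the packet fields,
router names, addresses and algorithm/key values below are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VoicePacket:
    src: str          # "ip:port" of the sender
    dst: str          # "ip:port" of the receiver
    timestamp: int    # time information carried in the packet (RTP timestamp)
    encrypted: bool
    payload: bytes


class EdgeRouter:
    """Mirroring setting unit ER74, target packet search unit ER76 and
    target packet sending unit ER78 of FIG. 13."""

    def __init__(self):
        self.targets = set()     # addresses registered by the interception device

    def set_mirroring(self, address):
        self.targets.add(address)

    def cancel_mirroring(self, address):
        self.targets.discard(address)

    def forward(self, packet):
        """Return a duplicate for the interception device when the packet carries
        a registered address (ER76/ER78), else None; the original is routed as usual."""
        if packet.src in self.targets or packet.dst in self.targets:
            return replace(packet)
        return None


class InterceptionDevice:
    """Mirroring setting processing unit 62, the decryption decision of S46/S47
    and the per-subject communication interception target call data unit 72."""

    def __init__(self, routers):
        self.routers = routers   # name -> EdgeRouter
        self.subjects = {}       # address -> subject name
        self.key_table = {}      # address -> (algorithm, key) from the SIP server
        self.call_data = {}      # subject -> packets ordered by timestamp

    def set_mirroring(self, subject, address, router_names):
        """S43/S45: every edge router that may carry the call gets the setting
        (more than one when the carrier load-balances the voice path)."""
        self.subjects[address] = subject
        for name in router_names:
            self.routers[name].set_mirroring(address)

    def store_key(self, address, algorithm, key):
        """Key information received from the call processing server (S44)."""
        self.key_table[address] = (algorithm, key)

    def needs_decryption(self, packet):
        """(needed, key): only an encrypted packet of a subject registered with a
        non-NULL algorithm goes to the decryption processing unit 68 (S47, S48)."""
        address = packet.src if packet.src in self.subjects else packet.dst
        algorithm, key = self.key_table.get(address, ("NULL", None))
        needed = packet.encrypted and algorithm != "NULL"
        return needed, (key if needed else None)

    def receive(self, packet):
        """S46 to S49: file the mirrored packet under its subject in time order."""
        subject = self.subjects.get(packet.src) or self.subjects.get(packet.dst)
        if subject is None:
            return None          # not a registered target: ignore
        bucket = self.call_data.setdefault(subject, [])
        bucket.append(packet)
        bucket.sort(key=lambda p: p.timestamp)
        return subject


def run_scenario():
    """FIG. 14 layout: user A behind edge router A, users B and C behind edge
    router B; A and B use encrypted voice, C does not.  Returns (device, routers)."""
    routers = {"edge-A": EdgeRouter(), "edge-B": EdgeRouter()}
    dev = InterceptionDevice(routers)
    dev.set_mirroring("user-A", "10.0.0.1:4000", ["edge-A"])
    dev.set_mirroring("user-B", "10.0.0.2:4000", ["edge-B"])
    dev.set_mirroring("user-C", "10.0.0.3:4000", ["edge-B"])
    dev.store_key("10.0.0.1:4000", "3DES", b"key-A")
    dev.store_key("10.0.0.2:4000", "AES", b"key-B")
    dev.store_key("10.0.0.3:4000", "NULL", None)   # user C: unencrypted call
    packets = [VoicePacket("10.0.0.1:4000", "10.9.9.9:4000", 320, True, b"\x01"),
               VoicePacket("10.9.9.9:4000", "10.0.0.1:4000", 160, True, b"\x02"),
               VoicePacket("10.0.0.3:4000", "10.8.8.8:4000", 160, False, b"\x03"),
               VoicePacket("10.7.7.7:4000", "10.6.6.6:4000", 160, True, b"\x04")]
    for router in routers.values():          # demo: offer every packet to every router
        for packet in packets:
            mirrored = router.forward(packet)
            if mirrored is not None:
                dev.receive(mirrored)
    return dev, routers
```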

  Further, by providing the home gateway 8 with the encryption and decryption functions, the load caused by the encryption process in the IP telephone terminal 2 or the like can be reduced. Further, the user can freely select the IP telephone terminal 2. Also, wiretapping of unencrypted voice packets can be prevented by performing encryption processing with an apparatus that is as close to the user as possible.

  Further, the key information can be centrally managed by the call processing server 10 by exchanging the key information with the SIP message. Further, by using the SIP message INVITE and BYE as triggers, security can be improved by performing temporary data management only during a call.

  Furthermore, by centrally managing the key information in the call processing server 10, when there is a request for interception the key information acquisition process takes place only between the interception dedicated communication device 12 and the call processing server 10, which simplifies the processing.

  However, if the intercept function is not provided, it is not necessary to provide a function for managing the key information in the call processing server 10. In that case, the key information data processing unit 50 may be provided in the SIP control unit 36 of the home gateway 8, the firewall 14, or the IP telephone terminal, as shown in the figure.

  When a user makes a call using the IP telephone terminal 2, the voice packets remain encrypted as they pass through the access network, the core network, networks used by an unspecified number of people, and so on, so even if a packet is intercepted it is extremely difficult to decipher. Therefore, the user can make a call with peace of mind.

  Furthermore, the risk of eavesdropping on the decrypted packet can be reduced by performing encryption / decryption processing with an apparatus closer to the user terminal instead of encrypting with each network. In addition, there is an advantage that the delay occurring in the encryption process is minimized.

  On the other hand, since the storage of the key information is centrally managed by the call processing server 10 (SIP server), the inquiry destination is only the call processing server 10 during communication interception. For this reason, the key information acquisition process can be reduced.

[Document Name] Description
Patent application title: COMMUNICATION DEVICE
[Technical Field]
[0001]
The present invention relates to a communication device, a call control device, and a relay device that can prevent eavesdropping in an IP telephone service and that enable a legal authority to intercept a call.
[Background]
[0002]
In recent years, broadband Internet and VoIP (Voice over Internet Protocol) telephones have become popular. VoIP is a technology for transmitting and receiving voice data using an IP network such as the Internet or an intranet. A VoIP phone using the Internet is called an Internet phone.
[0003]
In addition, a telephone service provided using VoIP technology on an IP network independent of the Internet may be referred to as an IP telephone. By converting voice signals into data and using the Internet as part of the communication network, it is possible to provide a telephone service at a lower price than a fixed telephone regardless of the distance to the other party.
[0004]
However, the current IP telephone service exchanges unencrypted voice packets as they are on the IP network. Therefore, anyone who can use IP wiretapping technology can easily wiretap even if they are not familiar with telephone technology.
[0005]
Currently, to prevent eavesdropping on voice packets, one of two methods is adopted: either each IP telephone terminal performs its own encryption, so that voice is encrypted only between terminals of the same vendor (model), or encryption is applied for each network managed by the carrier.
[0006]
FIG. 15 is a diagram showing the overall configuration of a system in which voice packets are protected by conventional vendor-specific encryption. The communication system in FIG. 15 comprises a call processing server 102 used for establishing a call between a transmitting terminal and a receiving terminal, IP telephone terminals 104 installed as user terminals, a home gateway 106 to which an IP telephone terminal 104 can be connected, a firewall 108 installed in a corporate organization, an edge router 110 arranged in a carrier IP network for controlling voice packets from each IP telephone terminal 104, and the like.
[0007]
Here, in the case where each IP telephone terminal 104 executes unique encryption and decryption, key information used for encryption and decryption is managed by each IP telephone terminal 104. For this reason, voice packets can be encrypted only between a plurality of IP telephone terminals 104 that can execute the same encryption and decryption. That is, a call using encryption cannot be performed between IP telephone terminals 104 of different vendors (models).
[0008]
In addition, known techniques for encrypting voice packets include the following.
Patent Document 1 discloses a system in which a gateway controller generates and holds an encryption key and makes a call using encryption. The encryption key held in one gateway controller is sent to the other gateway controller with the encryption key information included in the signaling message.
[0009]
In addition, the partner gateway controller sends the key information to the partner CTA (cable terminal adapter) and authorizes it. After authorization, the CTA encrypts and decrypts voice packets using the key generated by the gateway controller.
[0010]
Patent Document 1 does not describe in detail which network the gateway controller belongs to. However, when it is installed in an access network, a third party can easily access it, so key information is not managed securely. In addition, when it is installed in a home (or company), an investigation organization such as the police that needs to intercept a specific user's call must obtain the key information by intruding into the gateway controller installed in that home.
[Patent Document 1] Japanese Patent Publication No. 2003-521834
DISCLOSURE OF THE INVENTION
[Problems to be solved by the invention]
[0011]
The prior art has a problem that calls using encryption cannot be performed between IP telephone terminals of different vendors (models).
In addition, once IP telephone terminals replace fixed telephones in earnest, it is expected that call interception will be established legally so that an investigation organization such as the police can intercept a specific user's call. Here there has been the problem that an investigating agency could not easily obtain the key information and that the key information could not be securely managed in the access network.
[0012]
An object of the present invention is to provide a communication device, a call control device, and a relay device that securely manage key information in an access network, and that prevent eavesdropping while enabling call interception in an IP telephone service.
[Means for Solving the Problems]
[0013]
In order to achieve the above object, the present invention provides: a call request generation unit that generates a call request for establishing a call with a callee; a key information processing unit that embeds in the call request key information for releasing the encryption performed on the calling side and information indicating the type of encryption algorithm used for that encryption; a transmission unit that transmits the call request with the embedded information to the callee; and a reception unit that receives from the callee a response including key information for releasing the encryption used on the called side and information indicating that the encryption algorithm can be used.
[0014]
According to the present invention, (i) a call request in which key information for releasing the encryption performed on the calling side and information indicating the type of encryption algorithm used for that encryption are embedded is sent to the called party, and (ii) a response including key information for releasing the encryption performed on the called side and information indicating that the encryption algorithm is available is received from the called party. Thus, key information can be exchanged when establishing a call.
[0015]
In addition, the present invention provides: a receiving unit that receives a message for establishing a telephone call from a communication terminal; an analyzing unit that analyzes the message; an extraction unit that extracts key information from the message when the analyzing unit determines that the message includes key information; a storage unit that stores the key information in association with subscriber identification information identifying the subscriber of the communication terminal; a setting request receiving unit that receives from an external device an intercept setting request including subscriber identification information; and a transmission unit that, when the analyzing unit determines that a message related to the subscriber identification information included in the intercept setting request has been received, transmits a message including the key information and the subscriber identification information to the external device.
[0016]
According to the present invention, when the analysis unit analyzes that a message related to the subscriber identification information included in the intercept setting request is received, the message including the key information and the subscriber identification information can be transmitted to the external device.
[0017]
In addition, the present invention provides: a storage unit; a designation unit that designates subscriber identification information specifying the communication terminal of the person to be intercepted; a carrier search unit that searches the storage unit, using the subscriber identification information as a search key, for the carrier to which the communication terminal belongs; a relay device search unit that searches the storage unit for the relay device on the communication terminal side using the retrieved carrier network configuration information and the subscriber identification information; a mirroring setting request unit that transmits to the relay device a mirroring setting request for receiving mirrored voice packets related to the communication terminal; and a setting request unit that transmits an intercept setting request including the subscriber identification information to the call control device managing requests for establishing calls, in order to obtain information about the communication terminal.
[0018]
According to the present invention, a mirroring setting request for receiving mirrored voice packets related to the communication terminal is transmitted to the relay device, and an intercept setting request including the subscriber identification information can be transmitted to the call control device managing requests for establishing calls, in order to obtain information related to the communication terminal.
[0019]
The present invention also provides: a mirroring setting unit that, when a mirroring setting request requesting voice packet mirroring is received from outside, sets voice packets including the IP address contained in the mirroring setting request as mirroring targets; a search unit that determines whether a received voice packet includes that IP address; and a transmission unit that mirrors and transmits the voice packet when a voice packet including the IP address is received.
[0020]
According to the present invention, voice packets including the IP address contained in the mirroring setting request are set as mirroring targets, and when a voice packet including that IP address is received, it can be mirrored and transmitted.
[Effects of the invention]
[0021]
According to the present invention, calls can be made between IP telephone terminals of different vendors (models) using encryption.
Further, according to the present invention, an investigation organization or the like can easily obtain the key information, and the key information can be securely managed in the access network.
BEST MODE FOR CARRYING OUT THE INVENTION
[0022]
Hereinafter, a communication system according to an embodiment of the present invention will be described with reference to the drawings. The configuration of the embodiment is an exemplification, and the present invention is not limited to the configuration of the embodiment. Note that this embodiment can be implemented by hardware or by software. When it is implemented by software comprising a program, the various functions can be realized by installing the program constituting the software in hardware such as a computer. The program is installed in a computer or the like through a communication line or using a computer-readable storage medium.
[0023]
Here, a computer-readable storage medium is a storage medium that can store information such as data and programs by electrical, magnetic, optical, mechanical, or chemical action and from which a computer can read that information. Examples of such storage media that can be removed from the computer include a flexible disk, a magneto-optical disk, a CD-ROM, a CD-R/W, a DVD, a DAT, an 8 mm tape, and a memory card. Storage media fixed to the computer include a hard disk, a ROM (read only memory) and the like.
[0024]
FIG. 1 is a diagram showing an example of the overall configuration of an encrypted communication system in the present embodiment. The communication system in FIG. 1 is composed of an IP telephone terminal 2 or an analog telephone terminal 4 installed as a user terminal, a home gateway 8 to which other computers 6 can also be connected, a call processing server 10 used for establishing a call between a transmitting terminal and a receiving terminal, an interception dedicated communication device 12 (dedicated device) installed in an investigation organization such as the police, a firewall 14 installed in a corporate organization, an edge router 16 arranged in a carrier IP network that controls voice packets from each IP telephone terminal 2, and the like.
[0025]
Further, by providing the VoIP GW 18 (Voice over IP Gateway) with the encryption/decryption function of the present embodiment described with reference to FIG. 2, it is possible to make a call to a PSTN 20 (public switched telephone network). The voice signal decrypted by the VoIP GW 18 can be transmitted to the general telephone 24 through the exchange 22. The voice signal from the general telephone 24 can be transmitted to the carrier IP network through the exchange 22 and the VoIP GW 18.
[0026]
FIG. 1 shows an example in which the encryption and decryption of this embodiment are performed by the home gateway 8, the firewall 14, and the VoIP GW 18. The configuration is not limited to this; the IP telephone terminal 2 may itself perform encryption and decryption. Next, the basic operation of the present embodiment will be described with reference to an example in which a call is made from the IP telephone terminal 2 in a general home to the IP telephone terminal 2 on the company side. When the general home IP telephone terminal 2 calls the company IP telephone terminal 2, the call request (SIP message) from the home IP telephone terminal 2 is transmitted to the call processing server 10 via the home gateway 8 and the edge router 16.
[0027]
At this time, the home gateway 8 embeds and transmits key information for decrypting the voice packet encrypted by the home gateway 8 in the call request. At this time, the call request is encrypted by an encryption method different from the encryption of the voice packet. The encryption of the call request is encryption that can be decrypted by the call processing server 10.
[0028]
The call processing server 10 decrypts the received call request. Then, the call processing server 10 extracts the key information from the call request and temporarily stores it in association with the user information (caller subscriber ID, caller location information, callee location information, etc.).
[0029]
The call processing server 10 manages the IP address of the IP telephone terminal 2. The call processing server 10 functions as a call processing server for the IP telephone terminal 2. The IP phone 2 serving as the transmission source transmits a call request to the other IP phone terminal 2 corresponding to the call destination to the call processing server 10 in accordance with SIP which is a call control protocol of the application layer. The call processing server 10 transfers the received call request to the destination.
[0030]
That is, when the call processing server 10 receives a call request transmitted from the IP telephone terminal 2, it searches for the IP address of the company-side IP telephone terminal 2 corresponding to the destination and forwards the call request to the retrieved IP address. The call request then reaches the receiving IP telephone terminal 2 via the company's firewall 14. The firewall 14 extracts the key information and temporarily stores it in association with user information (sender subscriber ID, sender location information, etc.).
[0031]
When it receives the call request, the company-side IP telephone terminal 2 transmits a response message (SIP message) in reply. When the firewall 14 receives this SIP message from the company-side IP telephone terminal 2, it embeds key information for decryption in the SIP message.
[0032]
The key information embedded here is key information for the home gateway 8 to decrypt the voice packet encrypted by the firewall 14. Next, the firewall 14 transmits a SIP message to the call processing server 10 via the edge router 16. At this time, the SIP message is encrypted by an encryption method different from the encryption of the voice packet. The encryption of the response is an encryption that can be decrypted by the call processing server 10.
[0033]
When the call processing server 10 receives the response to the call request including the key information, it extracts the key information from the SIP message and temporarily stores it in association with user information (caller subscriber ID, caller location information, etc.). As a result, the key information of both the caller and the callee is associated and temporarily stored.
[0034]
Then, the call processing server 10 transmits a SIP message to the home gateway 8 via the edge router 16. The home gateway 8 extracts key information from the SIP message received from the company and temporarily stores the key information.
[0035]
In this way, the key information for decrypting the voice packets encrypted on behalf of each IP telephone terminal 2 is exchanged between the home gateway 8 and the firewall 14 interposed between the IP telephone terminals 2, so that the encrypted voice packets can be decrypted. The voice packets are transmitted and received in encrypted form at least on the public network between the IP telephone terminals 2 via the edge router 16.
[0036]
The key information stored in the call processing server 10 is transmitted to the interception dedicated communication device 12 in response to a request from that device. The interception dedicated communication device 12 obtains the voice packets from the edge router 16 and can intercept them by decrypting them with the key information. A method for obtaining voice packets from the edge router 16 will be described later.
[0037]
<Home gateway 8, IP telephone terminal 2>
FIG. 2 is a functional block diagram showing the configuration of the home gateway 8, IP telephone terminal, etc. (corresponding to the “communication device” of the present invention) in this embodiment.
[0038]
The home gateway 8 or the like includes (i) hardware 26 including a NIC (Network Interface Card) used to connect a computer to a network, (ii) an operating system 28, (iii) a middleware function module 30 that performs TCP/IP processing and encryption processing, (iv) a SIP control unit 36 including a key information processing unit 32 and a call processing signal processing unit 34, (v) a subscriber data table 38 in which destination data, source subscriber data, and key information are associated with one another, and (vi) a voice packet encryption/decryption processing unit 40.
[0039]
As shown in FIG. 1, in the configuration in which the IP telephone terminal is connected to the public network via the home gateway 8 and the firewall 14, the SIP control unit 36 of the home gateway 8 and the firewall 14 functions, and the IP telephone terminal may provide a conventional IP telephone function. On the other hand, in a configuration in which the IP telephone terminal is connected to the carrier IP network without passing through the home gateway 8, the firewall 14, etc., the SIP control unit 34 of the IP telephone terminal may function.
[0040]
Here, the hardware 26 converts an Ethernet (registered trademark) frame received from the outside into an IP packet and passes it to the operating system 28. Also, the hardware 26 converts the IP packet received from the operating system 28 into an Ethernet (registered trademark) frame and transmits it to the outside.
[0041]
An IP packet is passed between the middleware function module 30 and the operating system 28. Further, SIP messages are passed between the middleware function module 30 and the call processing signal processing unit 34 and between the call processing signal processing unit 34 and the key information processing unit 32.
[0042]
The call processing signal processing unit 34 generates a call processing signal (SIP message) for establishing a call (corresponding to the “call request generation unit” of the present invention) and passes it to the key information processing unit 32. When the call processing signal processing unit 34 receives a response to the call request, the call processing signal processing unit 34 passes the response to the key information processing unit 32.
[0043]
When it receives the call request from the call processing signal processing unit 34, the key information processing unit 32 generates key information (corresponding to the “key information processing unit” of the present invention). The key information processing unit 32 uses time information and the like to generate different key information (an encryption key and a decryption key, or a common key) each time a call is made. Next, the key information processing unit 32 registers in the subscriber data table 38 the key information (encryption key, common key) and information indicating the type of encryption algorithm used to generate the key information, in association with information specifying the call request (for example, the “Call-ID” shown in FIG. 6).
[0044]
The encryption algorithm is not limited to a specific encryption algorithm, and a general-purpose encryption algorithm can also be used. The encrypted communication protocol is not limited to a specific protocol, and general-purpose algorithms such as IPsec and SRTP (Secure RTP) can be used.
[0045]
Here, the encryption key is used to encrypt an audio signal to be transmitted to the destination, and the decryption key is embedded in the call request and transmitted to the destination. Further, when receiving a response to the call request, the key information processing unit 32 extracts the destination key information (decryption key) from the SIP message and registers it in the subscriber data table 38 in association with the encryption key.
[0046]
The key information processing unit 32 embeds the generated key information (decryption key, common key) in the SIP extension unit of the SIP message. Then, the key information processing unit 32 passes the SIP message to the middleware function module 30 through the call processing signal processing unit 34 for transmission to the call processing server 10. The encryption processing unit of the middleware function module 30 encrypts the SIP message by converting it into an IP packet.
[0047]
When the call is established, the voice packet encryption/decryption processing unit 40 encrypts the voice packets to be transmitted using the stored key information (encryption key, common key), and decrypts the received voice packets using the key information received from the destination (decryption key, common key) (corresponding to the “encryption processing unit” and “decryption processing unit” of the present invention).
[0048]
When a call request (SIP message) is received from the outside, the key information processing unit 32 extracts the key information (decryption key, common key) from the call request. The key information processing unit 32 registers the key information in the subscriber data table 38 in association with the sender's user information included in the call request (sending subscriber ID, sender location information, encryption algorithm, key information (decryption key), etc.).
[0049]
Then, when generating the response message, the key information processing unit 32 generates key information (encryption key and decryption key) and registers the encryption key in the subscriber data table 38 in association with the user data of the transmission source. The key information processing unit 32 embeds the decryption key in the response message and transmits it to the transmission source. For the encryption and decryption of voice packets, the same processing as when transmitting a call request is executed.
[0050]
<Call processing server 10>
Next, the call processing server 10 (corresponding to the “call control device” of the present invention) used for establishing a telephone call will be described. FIG. 3 is a functional block diagram showing a configuration example of the call processing server 10 in one embodiment of the present invention.
[0051]
The call processing server 10 includes (i) hardware 26 including a network interface card (NIC) used to connect a computer to a network, (ii) a server operating system 42, (iii) a middleware function module 30 that performs TCP/IP processing and encryption processing, and (iv) a SIP software function module 54 including a SIP register control unit 44, a SIP call control unit 46, a subscriber information table 48, a key information data processing unit 50, and a subscriber data cache table 52.
[0052]
Here, the hardware 26 converts an Ethernet (registered trademark) frame received from the outside into an IP packet and passes it to the server operating system 42. The hardware 26 also converts the IP packet received from the server operating system 42 into an Ethernet (registered trademark) frame and transmits it to the outside.
[0053]
An IP packet is passed between the middleware function module 30 and the server operating system 42. Further, the SIP message is transferred between the middleware function module 30 and the SIP call control unit 46. A SIP register message (SIP register message) is passed between the SIP call control unit 46 and the SIP register control unit 44.
[0054]
The middleware function module 30 (i) controls basic TCP / IP termination processing and encryption with middleware, and (ii) delivers a SIP message or the like as application data to the SIP software function module.
[0055]
The SIP call control unit 46 performs the basic operations of SIP call control such as call establishment and call disconnection. When it receives a call request, the SIP call control unit 46 passes the SIP register message to the SIP register control unit 44. Further, when the SIP call control unit 46 receives from the interception-only communication device 12 an intercept setting request including information (such as a calling subscriber ID) specifying the person to be intercepted, it transmits to the interception-only communication device 12 a response message including the key information and the information specifying the interceptee (corresponding to the “analysis unit” and “transmission unit” of the present invention).
[0056]
The SIP register control unit 44 registers SIP subscriber terminal information (IP telephone terminal information: originating side subscriber ID, called side subscriber ID, IP address port, etc.) in the subscriber information table 48 from the SIP register message.
[0057]
The key data processing unit analyzes and extracts key information from the SIP message (corresponding to “analysis unit” and “extraction unit” of the present invention). Next, the key data processing unit registers the key information in the subscriber data cache table 52. The subscriber data cache table 52 stores session information and key information of a call during a call (corresponding to the “storage unit” of the present invention).
[0058]
FIG. 6 is a diagram showing an example of a key information management table in an embodiment of the present invention. The columns are described in order from the upper left. (i) The Call-ID column holds ID information for managing call session information; it is identification information assigned to each call request. (ii) The calling subscriber ID (DN/SIP-URI) column is information for identifying the calling subscriber and corresponds to the telephone number of the telephone 24. (iii) The caller location information (IP address: port number) column is the location information of the caller and is used to specify its address information. (iv) The called party location information (IP address: port number) column is the location information of the called subscriber and is used to specify its address information. (v) The encryption algorithm column identifies the type of encryption algorithm used for encrypting voice packets. (vi) The authentication method column identifies the authentication method and the type of encryption key. (vii) The key information (Private Key) column stores the encryption/decryption key when the private key (Pre-Shared-Key) method is used. (viii) The key information (Public Key) column stores the encryption/decryption key when the public key method is used. (ix) The call generation time column stores the time at which the call occurred.
[0059]
The types of encryption algorithms in this embodiment are NULL [no encryption applied], DES, 3DES, and AES. However, the present invention is not limited to this, and other encryption methods can be used. In FIG. 6, “2” in the encryption algorithm column indicates that “DES” is used for encryption of the voice packet.
[0060]
The types of authentication methods include a pre-shared secret key (Pre-Shared-Key) and a public key. However, the present invention is not limited to this, and other authentication methods can be used. In FIG. 6, “1” in the column of the authentication method indicates that the “pre-shared secret key” is used for authentication of the user terminal.
[0061]
FIG. 4 is a flowchart for explaining key exchange between communication apparatuses (terminals / HGWs) according to an embodiment of the present invention. The communication device A transmits a call request message (INVITE) to the other communication device. The call processing server 10 obtains the calling side decryption key from the call request message and temporarily stores the key information. The call processing server 10 specifies the destination of the communication apparatus B of the other party and transfers the call request message (INVITE).
[0062]
The communication device B transmits a success response message (200 OK) to the communication device A. The call processing server 10 obtains the receiving side decryption key from the success response message, and temporarily stores the key information. The call processing server 10 specifies the destination of the communication device A and transfers a success response message. When a telephone call (RTP session) is established, a telephone call can be made between telephone terminals.
[0063]
When a call end message (BYE) is transmitted from the communication terminal A, the call processing server 10 deletes the record including the key information from the key information management table. In FIG. 4, the 100 series are provisional responses indicating that a request (INVITE) has been received and is being processed (e.g., 100 Trying, 180 Ringing). The 200 series are success responses indicating that the request has been understood and accepted (e.g., 200 OK, 202 Accepted). An ACK to the INVITE indicates that the communication apparatus A has received the corresponding response.
[0064]
FIG. 5 is a flowchart for explaining the negotiation procedure of key information exchange in one embodiment of the present invention. FIG. 5 shows a SIP message as a call request message which is one of the SIP messages transmitted by the communication device A as a transmission source and a success response message transmitted by the communication device B.
[0065]
As shown in FIG. 5, the call request message 56 includes destination identification information (SIP-URI: 0447777111@10.1.1.1:5060). When establishing a call with the communication apparatus B of the other party via the call processing server 10, the IP address of the call processing server 10 is set as the transmission destination address.
[0066]
In the present embodiment, an encryption algorithm negotiation request is added as a SIP extension to the SIP header portion of the call request message 56. The communication apparatus A embeds “key1” as key information (decryption key or common key). The second key information (decryption key or common key) is also embedded at the same time for the case where the communication apparatus B does not support the “key1” encryption algorithm.
[0067]
The session description protocol part describes the type of encryption algorithm corresponding to the key information in the SIP header part. In the present embodiment, it is indicated that the encryption algorithm type of “key1” is “3DES” and the encryption algorithm type of “key2” is “DES”.
[0068]
The communication device A transmits a call request message 56 in which the key information is embedded to the call processing server 10. The call processing server 10 retrieves and stores the key information of the communication device A in the call request message 56 and transfers the SIP message to the communication device B.
[0069]
Next, the communication apparatus B extracts and stores the key information and the like of the communication apparatus A from the call request message 56, and determines the type of encryption algorithm transmitted from the communication apparatus A. When the communication device B supports the encryption algorithm, the communication device B generates a success response message 58.
[0070]
In addition, when the communication device B determines that it supports the type of encryption algorithm transmitted from the communication device A, it may extract the key information and the like of the communication device A from the call request message 56 and store them.
[0071]
The success response message 58 in FIG. 5 indicates that the communication apparatus B can use three types of encryption algorithms “key1”, “key3”, and “key4”. The communication apparatus B transmits a success response message 58 (200 OK) to the call processing server 10.
[0072]
The call processing server 10 extracts and saves key information and the like from the success response message 58 and transfers the SIP message to the communication apparatus A. When the communication device A stores the key information and the like of the communication device B, communication using the encrypted voice packet is started between the communication device A and the communication device B.
[0073]
FIG. 7 is a diagram showing an example of a key information management procedure (key information acquisition sequence) in an embodiment of the present invention. FIG. 7 shows a management procedure of key information in the call processing server 10.
The call processing server 10 receives an INVITE message for connecting a call from a calling terminal such as an IP telephone device (S10). The call processing server 10 acquires calling subscriber information (calling subscriber ID, IP address, port number) from the INVITE message (S11).
[0074]
Next, the call processing server 10 searches the subscriber table using the calling subscriber information as a search key, and acquires the called subscriber information (IP address, etc.) (S12). The call processing server 10 determines whether key information is included in the INVITE message (S13).
[0075]
When the call processing server 10 determines that the key information is included in the INVITE message, the key information is extracted (S14). Then, call session information and key information are written in the subscriber table (key management table) (S15).
[0076]
When the call processing server 10 determines that the key information is not included in the INVITE message (“NO” in step S13), “NULL” is written in the subscriber table. Then, the call processing server 10 creates a signaling message to proceed with the call establishment process, and transfers the INVITE message to the receiving terminal (S16 to S18).
[0077]
When the call processing server 10 receives the 200 OK message for accepting the call connection from the receiving terminal, the call processing server 10 determines whether the key information is included in the message from the receiving terminal (S19, S20).
[0078]
When the call processing server 10 determines that the key information is included in the success response message 58, the key information is extracted (S21). Then, the key information is written in the subscriber table (key management table) in association with the call session information (S22).
[0079]
When the call processing server 10 determines that the key information is not included in the success response message 58, it considers that the receiving terminal does not support encryption, and deletes all the key information corresponding to the call session information (S24). The call processing server 10 creates a signaling message to proceed with the call establishment process, and transfers the success response message 58 to the calling terminal (S23, S25).
[0080]
With the above procedure, after the call processing server 10 stores the key information of both the calling terminal and the called terminal, a call in which the voice packet is encrypted is established between the calling terminal and the called terminal. When the receiving terminal does not support encryption, the call is established without encrypting the voice packet.
[0081]
FIG. 8 is a diagram showing an example of a key information management procedure (key information deletion sequence) in one embodiment of the present invention. An example when a BYE message is received from the calling terminal will be described.
The call processing server 10 receives a SIP BYE message for disconnecting the call from the calling terminal (S30). The call processing server 10 acquires the calling subscriber information (calling subscriber ID, IP address, and port number) from the BYE message (S31).
[0082]
Next, the call processing server 10 searches the subscriber table using the calling subscriber information as a search key, and acquires the called subscriber information (IP address, etc.) (S32). The call processing server 10 creates a signaling message in order to proceed with the call disconnection process, and transfers the BYE message to the receiving terminal (S33, S35).
[0083]
The call processing server 10 receives a 200 OK message for accepting the call disconnection from the receiving terminal (S36). Then, the call processing server 10 searches the subscriber table using the subscriber information as a search key, and deletes all the key information corresponding to the call session information in the subscriber table (key management table) (S37).
[0084]
Finally, the call processing server 10 creates a signaling message in order to proceed with the call disconnection process, and transfers the BYE message to the calling terminal (S38, S39). The call between the calling terminal and the receiving terminal is terminated.
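As an added example (not the patent's own code; written in Python for illustration) covering both the call request / success response exchange of FIG. 5 in paragraphs [0066]-[0072] and the key acquisition and deletion sequences of FIGS. 7 and 8: it parses constructed INVITE and 200 OK messages, applies steps S13-S24 to the key management table, and removes the record on the 200 OK that accepts the BYE. The header name X-Key-Info, the SDP attribute a=key-alg, the subscriber ids and the algorithms assigned to key3/key4 are assumptions, since the text does not give them.

```python
"""Key-information lifecycle on the call processing server (FIGS. 5-8).
Added illustration, not code from the patent. Assumed, since the text does
not name them: the SIP extension header X-Key-Info (comma-separated key
ids) and the SDP attribute a=key-alg:<id> <algorithm>."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

KEY_HEADER = "x-key-info"      # assumed extension header (compared lower-cased)
KEY_ALG_ATTR = "a=key-alg:"    # assumed SDP attribute giving each key's algorithm


def parse_sip(raw: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Split a SIP message into start line, lower-cased header map and SDP lines."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, [ln for ln in body.split("\r\n") if ln]


def extract_key_info(headers: Dict[str, str], sdp: List[str]) -> Dict[str, str]:
    """Return {key id: algorithm type}; an empty dict is the table's NULL (S13 NO)."""
    value = headers.get(KEY_HEADER)
    if not value:
        return {}
    algs: Dict[str, str] = {}
    for ln in sdp:
        if ln.startswith(KEY_ALG_ATTR):
            kid, _, alg = ln[len(KEY_ALG_ATTR):].partition(" ")
            algs[kid.strip()] = alg.strip()
    return {k.strip(): algs.get(k.strip(), "") for k in value.split(",")}


def called_side_accepts(offered: Dict[str, str], supported: Set[str]) -> List[str]:
    """Called side B keeps the offered keys whose algorithm it supports (FIG. 5)."""
    return [kid for kid, alg in offered.items() if alg in supported]


@dataclass
class CallSession:
    calling: str
    called: str
    calling_keys: Dict[str, str] = field(default_factory=dict)
    called_keys: Dict[str, str] = field(default_factory=dict)
    encrypted: bool = False


class CallProcessingServer:
    """Subscriber table plus key management table, keyed by SIP Call-ID."""

    def __init__(self, subscribers: Dict[str, str]):
        self.subscribers = subscribers            # subscriber id -> IP address
        self.table: Dict[str, CallSession] = {}   # key management table

    def on_invite(self, raw: str) -> str:
        """S10-S18: record calling-side key info (or NULL); return forward address."""
        start, h, sdp = parse_sip(raw)
        if not start.startswith("INVITE"):
            raise ValueError("expected INVITE")
        called_ip = self.subscribers[h["to"]]     # S12: subscriber table lookup
        self.table[h["call-id"]] = CallSession(h["from"], h["to"],
                                               extract_key_info(h, sdp))
        return called_ip

    def on_invite_200ok(self, raw: str) -> str:
        """S19-S25: keep called-side keys, or drop every key if B sent none."""
        _, h, sdp = parse_sip(raw)
        sess = self.table[h["call-id"]]
        keys = extract_key_info(h, sdp)
        if keys:                                  # S21, S22
            sess.called_keys = keys
            sess.encrypted = bool(sess.calling_keys)
        else:                                     # S24: receiver has no encryption
            sess.calling_keys, sess.called_keys, sess.encrypted = {}, {}, False
        return self.subscribers[sess.calling]

    def on_bye_200ok(self, raw: str) -> bool:
        """S36-S37: disconnect accepted; delete the session's key records."""
        _, h, _ = parse_sip(raw)
        return self.table.pop(h["call-id"], None) is not None


def run_fig5_exchange(b_supported: Set[str]) -> Tuple[CallSession, bool]:
    """Constructed A<->B exchange: A offers key1 (3DES) and key2 (DES); B answers
    with the accepted keys plus its own key3/key4 (algorithms constructed here)."""
    server = CallProcessingServer({"subA": "192.0.2.10", "subB": "192.0.2.20"})
    invite = ("INVITE sip:subB@example.invalid SIP/2.0\r\n"
              "Call-ID: call-1\r\nFrom: subA\r\nTo: subB\r\n"
              "X-Key-Info: key1, key2\r\n\r\n"
              "a=key-alg:key1 3DES\r\na=key-alg:key2 DES\r\n")
    server.on_invite(invite)
    _, h, sdp = parse_sip(invite)
    offered = extract_key_info(h, sdp)
    accepted = called_side_accepts(offered, b_supported)
    b_algs = {k: offered[k] for k in accepted}
    if accepted:                                  # B adds its own keys only if it can encrypt
        b_algs.update({"key3": "3DES", "key4": "DES"})
    ok = ("SIP/2.0 200 OK\r\nCall-ID: call-1\r\nFrom: subA\r\nTo: subB\r\n"
          + (f"X-Key-Info: {', '.join(b_algs)}\r\n" if b_algs else "") + "\r\n"
          + "".join(f"a=key-alg:{k} {a}\r\n" for k, a in b_algs.items()))
    server.on_invite_200ok(ok)
    sess = server.table["call-1"]
    bye_ok = "SIP/2.0 200 OK\r\nCall-ID: call-1\r\nFrom: subA\r\nTo: subB\r\n\r\n"
    return sess, server.on_bye_200ok(bye_ok)
```

With B supporting 3DES the session ends up encrypted with called keys key1, key3, key4; with B supporting none of the offered algorithms, the S24 path clears both sides' keys and the call proceeds unencrypted.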
[0085]
<Interception dedicated communication device 12 (dedicated device)>
Next, the interception-only communication device 12 (corresponding to the “communication device” of the present invention), which intercepts the call of the person to be intercepted using the key information managed by the call processing server 10 in the above procedure, will be described. FIG. 9 is a functional block diagram showing the configuration of the interception-only communication device 12 in one embodiment of the present invention.
[0086]
The interception-only communication device 12 is a device that obtains a voice packet so that it can be intercepted by decrypting the voice packet received from the edge router 16 with key information. The interception-only communication device 12 requests and obtains key information from the call processing server 10.
[0087]
The interception dedicated communication device 12 includes (i) hardware 26 including a network interface card (NIC) used to connect a computer to a network, (ii) an operating system 28, (iii) a middleware function module 30 that performs TCP/IP processing, encryption processing and the like, (iv) an interception setting unit 64 including a network monitoring unit 60 and a mirroring setting processing unit 62, and (v) a communication interception target voice packet processing unit 66, a decryption processing unit 68 that decrypts encrypted IP packets, a communication interception / key data processing unit 70 that processes the decryption key, and a communication interception target call data unit 72 that manages the decrypted voice packets.
[0088]
Here, the hardware 26 converts an Ethernet (registered trademark) frame received from the outside into an IP packet and passes it to the operating system 28. The Ethernet frame is a mirroring IP voice packet received from the edge router 16 or a key information packet received from the call processing server 10. Also, the hardware 26 converts the IP packet received from the operating system 28 into an Ethernet (registered trademark) frame and transmits it to the outside.
[0089]
An IP packet is passed between the middleware function module 30 and the operating system 28. Further, IP packets are transferred between the middleware function module 30 and the mirroring setting processing unit 62, and between the mirroring setting processing unit 62 and the network monitoring unit 60.
[0090]
The network monitor unit 60 monitors the network state of the intercept target and obtains an IP address and a port number from the call processing server 10 at the start of the intercept. The mirroring setting processing unit 62 sets mirroring in the edge router 16 based on (1) subscriber information and (2) network configuration information obtained online or offline from the carrier. The mirroring setting processing unit 62 instructs the edge router 16 on the mirroring target packets based on the information obtained from the network monitor unit 60. As the type of mirroring, port mirroring that obtains only the voice data related to the call of the intercept target is suitable.
[0091]
The communication interception target voice packet processing unit 66 receives the mirroring target packets related to the call of the interception target person and passes them to the decryption processing unit 68. Further, the communication interception target voice packet processing unit 66 may determine whether or not a received voice packet is encrypted, and pass only encrypted voice packets to the decryption processing unit 68.
[0092]
At this time, the communication interception target voice packet processing unit 66 may store voice packets that are not encrypted in the communication interception target call data unit 72. Further, the communication interception target voice packet processing unit 66 obtains the information for identifying encrypted packets from the communication interception target call data unit 72 in order to determine whether or not a voice packet is encrypted.
[0093]
The decryption processing unit 68 decrypts the obtained encrypted packet based on the encryption algorithm and key information. The communication interception target call data unit 72 manages the decrypted packet for each interception target person. The communication interception / key data processing unit 70 receives the subscriber information and key information of the subject of interception from the middleware function module 30, and searches for an encryption algorithm.
[0094]
FIGS. 10 and 11 are flowcharts for explaining call intercept setting according to an embodiment of the present invention. Hereinafter, a procedure in which the interception-only communication device 12 transmits a setting request to the call processing server 10 and the edge router 16 in order to intercept a call between the communication devices (terminal / HGW) will be described. A case where the communication device A is the device on the intercept target side and the communication terminal A transmits the call request message 56 will be described.
[0095]
The interception dedicated communication device 12 is connected to the call processing server 10 via a communication line capable of ensuring security such as encryption or a dedicated line. The interception-only communication device 12 transmits a setting request message (SIP message) including information for specifying an intercept target person to the call processing server 10 (corresponding to the “setting request unit” of the present invention). The call processing server 10 enters a call interception waiting state. When the call processing server 10 receives the setting request message, the SIP call control unit 46 manages information (such as a calling subscriber ID) that identifies the intercept target person.
The communication device A transmits a call request message 56 to the communication device B in the call intercept standby state. At this time, the call processing server 10 obtains the calling-side decryption key from the call request message 56 and temporarily stores the key information.
[0096]
Then, the call processing server 10 specifies the destination of the communication apparatus B of the other party and transfers the call request message 56. The call processing server 10 notifies the interception dedicated communication device 12 of the SIP message including the IP address / port number of the target person. The IP address / port number of the subject is transmitted to the edge router in order to identify the mirroring target packet.
[0097]
Upon receiving the notification, the interception-only communication device 12 transmits a mirroring setting request including an IP address to the edge router 16 based on (1) subscriber information and (2) information on the network configuration. The edge router 16 transmits a setting confirmation response indicating that the mirroring setting is completed to the interception-only communication device 12.
[0098]
The communication device B transmits a success response message 58 to the communication device A. The call processing server 10 obtains the receiving-side decryption key from the success response message 58 and temporarily stores the key information. The call processing server 10 identifies the destination of the communication device A and forwards the success response message 58.
[0099]
When the call processing server 10 receives the success response message 58, it transmits the obtained incoming-side key information to the interception-only communication device 12. The interception-only communication device 12 manages the outgoing-side key information and the incoming-side key information together with the subscriber information. Then, when a call (RTP session) is established, a call is started between the communication devices.
[0100]
When the edge router 16 receives the voice packet to be intercepted, the edge router 16 duplicates the voice packet and transfers it to the interception-only communication device 12 (mirroring). The interception-only communication device 12 decrypts the encrypted voice packet using the decryption key. This makes it possible to intercept calls.
[0101]
When a call end message (BYE) is transmitted from the communication terminal A, the call processing server 10 deletes the record including the key information from the key information management table. The call processing server 10 notifies the interception dedicated communication device 12 that the call has ended.
[0102]
Upon receiving the notification, the interception-only communication device 12 transmits a mirroring setting cancellation request to the edge router 16. The edge router 16 transmits a cancellation confirmation response indicating that the mirroring setting has been canceled to the interception dedicated communication device 12. When the interception-only communication device 12 receives the cancellation confirmation response, it enters the call interception waiting state. Here, when the call processing server 10 receives a call request related to the communication device A of the person to be intercepted, the call interception is resumed.
[0103]
Finally, when the call interception ends, the interception-only communication device 12 transmits an intercept cancellation request to the call processing server 10. The call processing server 10 transmits a cancellation confirmation response indicating that the intercept setting has been canceled to the interception-only communication device 12.
[0104]
In FIGS. 10 and 11, reference numeral 100 denotes a provisional response indicating that a request (INVITE) has been received and is being processed (e.g., 100 Trying, 180 Ringing). The 200 range denotes a successful response, indicating that the request was understood and accepted (e.g., 200 OK, 202 Accepted). ACK indicates that a response corresponding to the INVITE was received from communication device B.
[0105]
Next, the mirroring target device (edge router 16) and the method for specifying the interception target packet will be described with reference to FIGS. FIG. 12 is a flowchart for explaining a mirroring target device and a method for specifying a target packet in one embodiment of the present invention. The interception-only communication device 12 is used while connected to a single device or to a plurality of terminals.
[0106]
The interception-only communication device 12 designates the target person information (such as a calling subscriber ID) by input using an input device such as a mouse or a keyboard, or by a search using carrier user information (name, address, etc.) (S40; corresponding to the “designating unit” of the present invention).
[0107]
Next, in order to identify the edge router 16 on the intercept target person side, the interception-only communication device 12 analyzes the intercept target person (S41). For this purpose, the interception-only communication device 12 (i) searches for the carrier using the intercept target person information as a search key, and (ii) searches for the edge router 16 to which the user is connected based on the network configuration information and user information held by the carrier (corresponding to the “carrier search unit” and “relay device search unit” of the present invention). The edge router 16 close to the intercept target person side is the search target.
[0108]
Further, the interception-only communication device 12 searches for the mirroring target device based on the network service information (load balancing, redundancy, etc.) possessed by the carrier (S42). Then the interception dedicated communication device 12 identifies one or more mirroring target devices and performs the mirroring settings (S43; corresponding to the “mirroring setting request unit” of the present invention). Two or more mirroring target devices are specified when load distribution or the like may be applied to the voice packets.
[0109]
When the call processing server 10 receives the call request message 56 relating to the intercept target person, the interception-only communication device 12 receives the IP address information and port number information of the intercept target person from the call processing server 10 (SIP server) (S44).
[0110]
The interception-only communication device 12 transmits a mirroring setting request including the IP address information to the mirroring target device (S45). When receiving the voice packet related to the received IP address information, the mirroring target device mirrors the voice packet and transmits it to the interception-only communication device 12.
[0111]
When receiving a mirrored packet, the interception-only communication device 12 determines whether or not decryption is necessary (S46, S47). If decryption is necessary, the interception-only communication device 12 decrypts the voice packet using the key information obtained from the call processing server 10 (S48). The decrypted voice packet is stored in the communication interception target call data unit 72 and can be intercepted (S49).
[0112]
FIG. 13 is a diagram for explaining a mirroring target device and a method for specifying a target packet in an embodiment of the present invention. The interception-only communication device 12 searches for the edge router 16 connected from the subscriber information and the network configuration information, and performs mirroring setting for the device. At this time, when load balancing or a redundant configuration service is provided, mirroring is set to all the target edge routers 16.
[0113]
The edge router 16 includes a mirroring setting unit ER74, a target packet search unit ER76, and a target packet sending unit ER78. When receiving the mirroring setting request from the interception-only communication device 12, the mirroring setting unit ER74 manages the setting and cancellation of mirroring (corresponding to the “mirroring setting unit” of the present invention). The mirroring setting request includes the IP address of the person to be intercepted. The target packet search unit ER76 holds the IP address of the subject of interception, and determines whether the received voice packet includes the IP address of the subject of interception (corresponding to the “search unit” of the present invention).
[0114]
When the voice packet including the IP address of the intercept target person is received, the target packet sending unit ER78 mirrors the target packet and transmits it to the interception-only communication device 12 (corresponding to the “transmission unit” of the present invention). The target packet search unit ER76 is in a standby state until it receives a mirroring setting cancellation request from the interception-only communication device 12.
[0115]
FIG. 14 is a diagram illustrating a procedure for managing call interception of a plurality of communication terminals according to an embodiment of the present invention. FIG. 14 shows a case where a plurality of target persons A-C are set in the interception-only communication device 12.
[0116]
The interception-only communication device 12 identifies the edge router A as the mirroring setting target device for the user A. The interception dedicated communication device 12 identifies the edge router B as the mirroring setting target device for the user B and the user C.
[0117]
User A and user B send and receive encrypted voice packets. On the other hand, user C transmits and receives unencrypted voice packets. When the call processing server 10 receives the call request message 56 related to user A or user B, the interception dedicated communication device 12 receives the key information from the call processing server 10 and stores it (corresponding to the “storage unit” of the present invention).
[0118]
When a voice packet received from the edge router 16 is encrypted, it is decrypted by the decryption processing unit 68. The decrypted voice packets are distributed and stored for each user. For example, the voice packets relating to user A are stored and managed in order using the time information included in the voice packets. As the voice packets related to user A, only the voice packets of user A may be stored, or the voice packets of user A and of the other party may be stored in one folder.
As described above, according to the present invention, the key information is embedded and exchanged in the SIP message, and the voice packet is decrypted with the key information. As the encryption algorithm, the development scale of each device can be minimized by applying an existing algorithm.
[0119]
Further, by providing the home gateway 8 with the encryption and decryption functions, the load caused by the encryption process in the IP telephone terminal 2 or the like can be reduced. Further, the user can freely select the IP telephone terminal 2. Also, wiretapping of unencrypted voice packets can be prevented by performing encryption processing with an apparatus that is as close to the user as possible.
[0120]
Further, the key information can be centrally managed by the call processing server 10 by exchanging the key information with the SIP message. Further, by using the SIP message INVITE and BYE as triggers, security can be improved by performing temporary data management only during a call.
[0121]
Further, by centrally managing the key information in the call processing server 10, when there is a request for interception, the key information acquisition process is performed only between the interception dedicated communication device 12 and the call processing server 10, and the processing is simplified.
[0122]
However, if the intercept function is not provided, it is not necessary to provide a function for managing key information in the call processing server. In that case, the key information data processing unit 50 may be provided in the SIP control unit 36 as shown in the figure in the home gateway 8, the firewall 14, and the IP telephone terminal.
[0123]
When a user makes a call using the IP telephone terminal 2, the voice packets are encrypted even while they pass through the access network, the core network, networks used by an unspecified number of people, and so on, so that even if a packet is intercepted it is extremely difficult to decipher. Therefore, the user can make a call with peace of mind.
[0124]
In addition, since the encryption / decryption process is executed not in each network but by a device closer to the user terminal, the risk that a decrypted packet is wiretapped can be reduced. In addition, there is the advantage that the delay caused by the encryption process is minimized.
[0125]
On the other hand, since the storage of the key information is centrally managed by the call processing server 10 (SIP server), the inquiry destination is only the call processing server 10 at the time of communication interception. For this reason, the key information acquisition process can be reduced.
[0126]
<Others>
(Appendix 1)
A call request generator for generating a call request for establishing a call with a called party;
A key information processing unit for embedding key information for releasing encryption performed on the calling side on the called side and information indicating the type of encryption algorithm used for the encryption into the calling request;
A call request transmitter for transmitting a call request in which the information is embedded to a callee;
A receiving unit for receiving from the called side a response including key information for canceling encryption performed on the called side and information indicating that the encryption algorithm is usable;
Including a communication device.
[0127]
(Appendix 2)
The communication device according to appendix 1, further comprising: an encryption processing unit for encrypting voice information using the encryption algorithm after a call is established; and a voice information transmitting unit for transmitting the encrypted voice information to the called party.
[0128]
(Appendix 3)
The communication apparatus according to appendix 1, further comprising a decrypting unit that, when the receiving unit receives encrypted voice information from the called side, decrypts the voice information using the key information for releasing the encryption on the called side.
[0129]
(Appendix 4)
The communication apparatus according to appendix 2, wherein, when the information indicating that the encryption algorithm is usable is not included in the response, the voice information transmitting unit transmits the voice information without encrypting it.
[0130]
(Appendix 5)
The communication apparatus according to appendix 1, wherein the communication device is a SIP terminal or a home gateway that establishes a telephone call via a call control device that is a SIP server according to SIP (Session Initiation Protocol), and the call request generation unit generates a call request message using a SIP message of the call request.
[0131]
(Appendix 6)
A receiving unit for receiving a message for establishing a telephone call from a communication terminal;
An analysis unit for analyzing the message;
An extraction unit that extracts key information from the message when the analysis unit analyzes that the key information is included in the message;
A storage unit for storing the key information in association with subscriber identification information for identifying a subscriber of the communication terminal;
A setting request receiving unit for receiving an intercept setting request including subscriber identification information from an external device;
A transmitter for transmitting a message including the key information and subscriber identification information to the external device when the analysis unit analyzes that a message related to the subscriber identification information included in the intercept setting request has been received;
A call control device.
[0132]
(Appendix 7)
The call control device according to appendix 6, wherein the message for establishing a telephone call is a SIP message, and is a call request message from a caller and a response message to the call request message.
[0133]
(Appendix 8)
The call control device according to appendix 6, wherein the key information is deleted from the storage unit after the receiving unit receives a request to end a call from the communication terminal.
[0134]
(Appendix 9)
A storage unit;
A designating unit for designating subscriber identification information for identifying a communication terminal of an intercept target;
A carrier search unit that searches the storage unit for a carrier to which the communication terminal belongs using the subscriber identification information as a search key;
A relay device search unit for searching the relay device on the communication terminal side from the storage unit using the network configuration information of the searched carrier and the subscriber identification information;
A mirroring setting requesting unit for transmitting a mirroring setting request for mirroring and receiving a voice packet related to the communication terminal from the relay device;
A setting request unit for transmitting an intercept setting request including subscriber identification information to obtain information related to the communication terminal to a call control device that manages a request for establishing a telephone call;
Including a communication device.
[0135]
(Appendix 10)
A receiver for receiving key information from the call control device and a mirrored voice packet from the relay device;
A decryption unit that decrypts the voice packet using key information when the voice packet is encrypted;
The communication device according to appendix 9, further including:
[0136]
(Appendix 11)
A mirroring setting unit for setting a voice packet including an IP address included in the mirroring setting request as a mirroring target when receiving a mirroring setting request for requesting mirroring of the voice packet;
A search unit for determining whether a received voice packet includes the IP address;
When receiving a voice packet including the IP address, a transmission unit that mirrors and transmits the voice packet;
A relay device including
[0137]
(Appendix 12)
A call request generation step for generating a call request for establishing a telephone call with the called party;
A key information processing step of embedding key information for releasing encryption performed on the calling side on the called side and information indicating a type of encryption algorithm used for the encryption into the calling request;
A call request transmission step of transmitting a call request in which the information is embedded to a callee;
A receiving step for receiving from the called side a response including key information for canceling encryption performed on the called side and information indicating that the encryption algorithm is usable;
Including a communication method.
[0138]
(Appendix 13)
The communication method according to appendix 12, further comprising: an encryption processing step of encrypting voice information using the encryption algorithm after a call is established; and a voice information transmitting step of transmitting the encrypted voice information to the called party.
[0139]
(Appendix 14)
The communication method according to appendix 12, further comprising a decrypting step of, when the receiving step receives encrypted voice information from the called side, decrypting the voice information using the key information for releasing the encryption on the called side.
[0140]
(Appendix 15)
The communication method according to appendix 13, wherein, when the information indicating that the encryption algorithm is usable is not included in the response, the voice information transmission step transmits the voice information without encrypting it.
[0141]
(Appendix 16)
The communication method according to appendix 12, wherein the communication method is used in a SIP terminal or a home gateway that establishes a telephone call via a call control device that is a SIP server according to SIP (Session Initiation Protocol), and the call request generation step generates a call request message using a SIP message of the call request.
[0142]
(Appendix 17)
A receiving step for receiving a message for establishing a telephone call from a communication terminal;
An analysis step of analyzing the message;
An extraction step for extracting key information from the message when the analysis step analyzes that the key information is included in the message;
A storage step of storing the key information in association with subscriber identification information for specifying a subscriber of the communication terminal;
A setting request receiving step for receiving an intercept setting request including subscriber identification information from an external device;
A transmission step of transmitting a message including the key information and the subscriber identification information to the external device when the analysis step analyzes that a message related to the subscriber identification information included in the intercept setting request has been received;
A call control method.
[0143]
(Appendix 18)
The call control method according to appendix 17, wherein the message for establishing a call is a SIP message, namely a call request message from a caller and a response message to the call request message.
[0144]
(Appendix 19)
The call control method according to appendix 17, wherein the storing step deletes the key information after the receiving step receives a request to end the call from the communication terminal.
[0145]
(Appendix 20)
A storage step of storing information in the storage unit;
A designation step for designating subscriber identification information for identifying a communication terminal of an intercept target;
A carrier search step of searching the storage unit for a carrier to which the communication terminal belongs using the subscriber identification information as a search key;
A relay device search step of searching for a relay device on the communication terminal side from the storage unit using the network configuration information of the searched carrier and the subscriber identification information;
A mirroring setting request step of transmitting to the relay device a mirroring setting request for mirroring and receiving a voice packet related to the communication terminal from the relay device;
A setting request step for transmitting an intercept setting request including subscriber identification information to obtain information on the communication terminal to a call control device that manages a request for establishing a call;
A communication method including the above steps.
(Appendix 21)
Receiving the key information from the call control device and the mirrored voice packet from the relay device;
The communication method according to appendix 20, further comprising: a decrypting step of decrypting the voice packet using key information when the voice packet is encrypted.
(Appendix 22)
A mirroring setting step of setting a voice packet including an IP address included in the mirroring setting request as a mirroring target when a mirroring setting request for requesting mirroring of the voice packet is received from the outside;
A search step of determining whether a received voice packet includes the IP address;
A transmission step of mirroring and transmitting the voice packet when a voice packet including the IP address is received;
A relay method including the above steps.
[Brief description of the drawings]
FIG. 1 is a diagram showing an overall configuration of an encrypted communication system in the present embodiment.
FIG. 2 is a functional block diagram showing configurations of a home gateway and an IP telephone terminal in the present embodiment.
FIG. 3 is a functional block diagram showing a configuration of a call processing server in an embodiment of the present invention.
FIG. 4 is a flowchart illustrating key exchange between communication terminals in an embodiment of the present invention.
FIG. 5 is a flowchart for explaining key information exchange negotiation procedures according to an embodiment of the present invention;
FIG. 6 is a diagram showing an example of a key information management table in an embodiment of the present invention.
FIG. 7 is a diagram showing an example of a key information management procedure (key information acquisition sequence) in an embodiment of the present invention.
FIG. 8 is a diagram showing an example of a key information management procedure (key information deletion sequence) in an embodiment of the present invention.
FIG. 9 is a functional block diagram showing a configuration of a communication device dedicated to interception in an embodiment of the present invention.
FIG. 10 is a flowchart illustrating call intercept setting according to an embodiment of the present invention.
FIG. 11 is a flowchart illustrating call intercept setting according to an embodiment of the present invention.
FIG. 12 is a flowchart for explaining a mirroring target device and a method for specifying a target packet in an embodiment of the present invention.
FIG. 13 is a diagram illustrating a mirroring target device and a method for specifying a target packet according to an embodiment of the present invention.
FIG. 14 is a diagram illustrating a procedure for managing call interception of a plurality of communication terminals according to an embodiment of the present invention.
FIG. 15 is a diagram showing an overall configuration of a voice packet by conventional unique encryption.
[Explanation of symbols]
2 IP phone terminals
4 analog telephone terminals
6 Computer
8 Home gateway
10 Call processing server
12 Interception dedicated communication device
14 Firewall
16 Edge router
18 VoIP GW
20 PSTN
22 exchange
24 General telephone
26 hardware
28 Operating system
30 middleware function module
32 Key information processing section
34 Call processing signal processor
36 SIP controller
38 Subscriber data table
40 Voice packet encryption / decryption processor
42 Server operating system
44 SIP register controller
46 SIP call controller
48 subscriber information table
50 Key data processing part
52 Subscriber Data Cache Table
54 SIP software function module
56 Call request message
58 Success response message
60 Network monitor
62 Mirroring setting processor
64 Interception setting section
66 Voice packet processing unit for communication interception
68 Decryption processing unit
70 Communication interception / key data processing section
72 Communication data section for communication interception
74 Mirroring setting part ER
76 Target packet search unit ER
78 Target packet sending part ER
102 Call processing server
104 IP phone terminal
106 Home gateway
108 Firewall
110 Edge router

Claims (22)

  1. A call request generator for generating a call request for establishing a call with the called party;
    A key information processing unit for embedding key information for releasing encryption performed on the calling side on the called side and information indicating the type of encryption algorithm used for the encryption in the calling request;
    A call request transmitter for transmitting a call request in which the information is embedded to a callee;
    A communication device including a receiving unit that receives from the called side a response including key information for canceling encryption performed on the called side and information indicating that the encryption algorithm is usable.
  2. The communication device according to claim 1, further comprising: an encryption processing unit that encrypts voice information using the encryption algorithm after a call is established; and a voice information transmission unit that transmits the encrypted voice information to the called party.
  3. The communication apparatus according to claim 1, further comprising a decrypting unit that, when the receiving unit receives encrypted voice information from the called side, decrypts the voice information using the key information for releasing the encryption performed on the called side.
  4.   The communication apparatus according to claim 2, wherein when information indicating that the encryption algorithm is usable is not included in the response, the voice information transmitting unit transmits the voice information that is not encrypted.
  5. The communication device is a SIP terminal or a home gateway that establishes a telephone call via a call control device that is a SIP server in accordance with SIP (Session Initiation Protocol),
    The communication device according to claim 1, wherein the call request generation unit generates a call request message using a SIP message of the call request.
  6. A receiver for receiving a message for establishing a telephone call from a communication terminal;
    An analysis unit for analyzing the message;
    An extraction unit that extracts key information from the message when the analysis unit analyzes that the key information is included in the message;
    A storage unit for storing the key information in association with subscriber identification information for identifying a subscriber of the communication terminal;
    A setting request receiving unit for receiving an intercept setting request including subscriber identification information from an external device;
    A call control device including a transmission unit that transmits a message including the key information and subscriber identification information to the external device when the analysis unit analyzes that a message related to subscriber identification information included in the intercept setting request is received.
  7.   The call control device according to claim 6, wherein the message for establishing a call is a SIP message, and is a call request message from a caller and a response message to the call request message.
  8.   The call control device according to claim 6, wherein the storage unit deletes the key information after the receiving unit receives a request to end a call from the communication terminal.
  9. Storage unit,
    A designation unit for designating subscriber identification information for identifying a communication terminal of a person to be intercepted;
    A carrier search unit that searches the storage unit for a carrier to which the communication terminal belongs using the subscriber identification information as a search key;
    A relay device search unit that searches for the relay device on the communication terminal side from the storage unit using the network configuration information of the searched carrier and the subscriber identification information;
    A mirroring setting request unit for transmitting a mirroring setting request for mirroring and receiving a voice packet related to the communication terminal from the relay device;
    A communication apparatus including a setting request unit that transmits an intercept setting request including subscriber identification information to obtain information related to the communication terminal to a call control apparatus that manages a request for establishing a call.
  10. A receiving unit for receiving key information from the call control device and a mirrored voice packet from the relay device;
    The communication device according to claim 9, further comprising: a decryption unit that decrypts the voice packet using key information when the voice packet is encrypted.
  11. A mirroring setting unit configured to set a voice packet including an IP address included in the mirroring setting request as a mirroring target when a mirroring setting request for requesting mirroring of the voice packet is received from the outside;
    A search unit for determining whether a received voice packet includes the IP address;
    A relay device including a transmission unit that receives and transmits a voice packet including the IP address by mirroring the voice packet.
  12. A call request generation step for generating a call request for establishing a telephone call with the called party;
    A key information processing step of embedding key information for releasing encryption performed on the calling side on the called side and information indicating a type of encryption algorithm used for the encryption into the calling request;
    A call request transmission step of transmitting a call request in which the information is embedded to a callee;
    A communication method including a receiving step of receiving from the called side a response including key information for canceling encryption performed on the called side and information indicating that the encryption algorithm is usable.
  13. The communication method according to claim 12, further comprising: an encryption processing step of encrypting voice information using the encryption algorithm after a call is established; and a voice information transmission step of transmitting the encrypted voice information to the called party.
  14. The communication method according to claim 12, further comprising a decrypting step that, when the receiving step receives encrypted voice information from the called side, decrypts the voice information using the key information for releasing the encryption performed on the called side.
  15. The communication method according to claim 13, wherein when the information indicating that the encryption algorithm is usable is not included in the response, the voice information transmission step transmits the voice information without encrypting it.
  16. The communication method is used in a SIP terminal or a home gateway that establishes a telephone call via a call control device that is a SIP server in accordance with SIP (Session Initiation Protocol),
    The communication method according to claim 12, wherein the call request generation step generates the call request message using a SIP message for the call request.
  17. A receiving step for receiving a message for establishing a telephone call from a communication terminal;
    An analysis step of analyzing the message;
    An extraction step for extracting key information from the message when the analysis step analyzes that the key information is included in the message;
    A storage step of storing the key information in association with subscriber identification information for identifying a subscriber of the communication terminal;
    A setting request receiving step for receiving an intercept setting request including subscriber identification information from an external device;
    A call control method including a transmission step of transmitting a message including the key information and the subscriber identification information to the external device when the analysis step analyzes that a message related to the subscriber identification information included in the intercept setting request is received.
  18. The call control method according to claim 17, wherein the message for establishing a call is a SIP message, namely a call request message from a caller and a response message to the call request message.
  19. The call control method according to claim 17, wherein the storing step deletes the key information after the receiving step receives a request to end a call from the communication terminal.
  20. A storage step of storing information in the storage unit;
    A designation step for designating subscriber identification information for identifying a communication terminal of a person to be intercepted;
    A carrier search step of searching the storage unit for a carrier to which the communication terminal belongs using the subscriber identification information as a search key;
    A relay device search step of searching for a relay device on the communication terminal side from the storage unit using the network configuration information of the searched carrier and the subscriber identification information;
    Mirroring setting request step for transmitting a mirroring setting request for mirroring and receiving a voice packet related to the communication terminal from the relay device to the relay device;
    A communication method including a setting request step for transmitting an intercept setting request including subscriber identification information to obtain information on the communication terminal to a call control device that manages a request for establishing a call.
  21. A receiving step of receiving key information from the call control device and a mirrored voice packet from the relay device;
    The communication method according to claim 20, further comprising a decrypting step of decrypting the voice packet using key information when the voice packet is encrypted.
  22. A mirroring setting step of setting a voice packet including an IP address included in the mirroring setting request as a mirroring target when a mirroring setting request for requesting mirroring of the voice packet is received from the outside;
    A search step for determining whether a received voice packet includes the IP address;
    A relay method including a transmission step of transmitting a voice packet after mirroring the voice packet when the voice packet including the IP address is received.
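The key negotiation carried in the call request (claims 1 to 5 and 12 to 16) and the call control device's per-subscriber key information table with its acquisition and deletion sequences (claims 6 to 8 and 17 to 19), modeled here as an added example in Python. This is not code from the patent or from Fujitsu; the X-Key-Info header, its field layout, the algorithm names, the subscriber addresses and the minimal SIP parsing are constructed assumptions that stand in for the embedding the claims describe without specifying a format.

```python
"""Added example, not from the patent: models the key negotiation in the call
request (claims 1-5 / 12-16) and the call control device's per-subscriber key
table with acquisition and deletion (claims 6-8 / 17-19). The X-Key-Info header,
its fields, the algorithm names and the addresses are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

KEY_HEADER = "X-Key-Info"   # assumed: alg=<name>; key=<hex>[; usable=yes|no]
SUPPORTED_ALGORITHMS = {"AES-128-CBC", "AES-256-CBC"}   # assumed callee capabilities

def parse_sip(message: str):
    """Return (start line, headers keyed by lower-cased name) of one SIP message."""
    lines = message.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # header block ends at the blank line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def parse_key_info(headers) -> Optional[dict]:
    """Pull alg/key/usable from the assumed X-Key-Info header; None if absent."""
    raw = headers.get(KEY_HEADER.lower())
    if raw is None:
        return None
    f = dict(re.findall(r"(\w+)=([^;\s]+)", raw))
    return {"alg": f.get("alg"), "key": f.get("key"), "usable": f.get("usable") == "yes"}

def sip_user(value: str) -> str:
    """'<sip:alice@example.net>' -> 'alice@example.net', used as subscriber id."""
    m = re.search(r"sip:([^>;\s]+)", value)
    return m.group(1) if m else value

def build_call_request(caller, callee, call_id, alg, key_hex) -> str:
    """Calling side (claim 1): embed own key information and algorithm type in INVITE."""
    return (f"INVITE sip:{callee} SIP/2.0\r\nFrom: <sip:{caller}>\r\nTo: <sip:{callee}>\r\n"
            f"Call-ID: {call_id}\r\n{KEY_HEADER}: alg={alg}; key={key_hex}\r\n\r\n")

def build_response(request: str, callee_key_hex: str) -> str:
    """Called side: return own key and whether the proposed algorithm is usable."""
    _, h = parse_sip(request)
    info = parse_key_info(h)
    usable = info is not None and info["alg"] in SUPPORTED_ALGORITHMS
    return (f"SIP/2.0 200 OK\r\nFrom: {h['from']}\r\nTo: {h['to']}\r\nCall-ID: {h['call-id']}\r\n"
            f"{KEY_HEADER}: alg={info['alg'] if info else 'none'}; key={callee_key_hex}; "
            f"usable={'yes' if usable else 'no'}\r\n\r\n")

def caller_encrypts_voice(response: str) -> bool:
    """Claim 4: voice is encrypted only if the response flags the algorithm usable."""
    info = parse_key_info(parse_sip(response)[1])
    return bool(info and info["usable"])

@dataclass
class KeyRecord:
    alg: Optional[str] = None
    caller_key: Optional[str] = None
    callee_key: Optional[str] = None

class CallControlDevice:
    """Claims 6-8: extract key information from relayed signaling, store it per
    subscriber and call, forward it for targeted subscribers, delete it on BYE."""
    def __init__(self):
        self.table = {}                 # subscriber -> {call_id: KeyRecord}
        self.intercept_targets = set()  # filled by an intercept setting request
        self.forwarded = []             # (subscriber, call_id, KeyRecord) sent onward

    def set_intercept(self, subscriber: str):
        self.intercept_targets.add(subscriber)

    def lookup(self, subscriber: str, call_id: str) -> Optional[KeyRecord]:
        return self.table.get(subscriber, {}).get(call_id)

    def on_message(self, message: str):
        start, h = parse_sip(message)
        call_id, parties = h["call-id"], (sip_user(h["from"]), sip_user(h["to"]))
        if start.startswith("BYE"):     # claim 8: key material is deleted at call end
            for sub in parties:
                self.table.get(sub, {}).pop(call_id, None)
            return
        info = parse_key_info(h)
        if info is None:
            return                      # no key information in this message
        for sub in parties:
            rec = self.table.setdefault(sub, {}).setdefault(call_id, KeyRecord())
            if start.startswith("INVITE"):
                rec.alg, rec.caller_key = info["alg"], info["key"]
            elif start.startswith("SIP/2.0 200"):
                rec.callee_key = info["key"]
            if sub in self.intercept_targets:
                self.forwarded.append((sub, call_id, rec))

def run_demo():
    """Constructed call alice -> bob, bob set as target on the call control device."""
    ccd = CallControlDevice()
    ccd.set_intercept("bob@example.net")
    invite = build_call_request("alice@example.net", "bob@example.net", "call-1",
                                "AES-128-CBC", "00" * 16)
    ok = build_response(invite, "11" * 16)
    ccd.on_message(invite)
    ccd.on_message(ok)
    forwarded_before_bye = len(ccd.forwarded)
    ccd.on_message("BYE sip:bob@example.net SIP/2.0\r\nFrom: <sip:alice@example.net>\r\n"
                   "To: <sip:bob@example.net>\r\nCall-ID: call-1\r\n\r\n")
    return caller_encrypts_voice(ok), forwarded_before_bye, ccd.table
```

What the model makes visible is the trust placed in the call control device: both parties' key information rides in the INVITE and the 200 OK, so the server (and anything else on the signaling path) sees the voice keys in the clear, and the confidentiality of the voice stream is only as strong as the protection of the signaling path and of the server's key table. The deletion on BYE in claim 8 bounds how long that table holds live keys; the fallback in claim 4 means a response without the usable flag silently yields an unencrypted call, which is worth logging on the terminal side.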
JP2007503556A 2005-02-21 2005-02-21 Communication device Granted JPWO2006087819A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2005/002734 WO2006087819A1 (en) 2005-02-21 2005-02-21 Communication device

Publications (1)

Publication Number Publication Date
JPWO2006087819A1 true JPWO2006087819A1 (en) 2008-07-03

Family

ID=36916235

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2007503556A Granted JPWO2006087819A1 (en) 2005-02-21 2005-02-21 Communication device

Country Status (2)

Country Link
JP (1) JPWO2006087819A1 (en)
WO (1) WO2006087819A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4910655B2 (en) * 2006-11-20 2012-04-04 コニカミノルタビジネステクノロジーズ株式会社 communications system
US8345871B2 (en) * 2007-03-15 2013-01-01 Palo Alto Research Center Incorporated Fast authentication over slow channels
EP2197187A4 (en) * 2007-10-04 2012-08-08 Fujitsu Ltd Intercept system, path changing device, and computer program
US8549615B2 (en) 2007-11-29 2013-10-01 Telefonaktiebolaget L M Ericsson Method and apparatuses for end-to-edge media protection in an IMS system
JP2011035800A (en) * 2009-08-05 2011-02-17 National Institute Of Information & Communication Technology Electronic price-proposing system, electronic price-proposing device, and electronic price-proposing method
JP5482046B2 (en) * 2009-09-15 2014-04-23 ブラザー工業株式会社 Communication terminal device, communication terminal communication control method, and communication control program
CN102487344B (en) * 2010-12-06 2014-11-05 中兴通讯股份有限公司 Method and system for monitoring identity and position separating network
JP5598302B2 (en) * 2010-12-13 2014-10-01 富士通株式会社 Pass control device, pass control method, and pass control program
JP6554851B2 (en) * 2015-03-24 2019-08-07 日本電気株式会社 IP phone encryption apparatus and encryption method

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002539716A (en) * 1999-03-12 2002-11-19 ノキア ネットワークス オサケ ユキチュア Interception system and method
JP2003521834A (en) * 1999-01-29 2003-07-15 ジェネラル・インストルメント・コーポレーション Key management for telephone calls protecting signaling and call packets between CTAs
JP2004173051A (en) * 2002-11-21 2004-06-17 Nippon Telegr & Teleph Corp <Ntt> VoIP PACKET INFORMATION STORAGE SYSTEM
JP2004241954A (en) * 2003-02-05 2004-08-26 Nippon Telegr & Teleph Corp <Ntt> Speech monitoring method
JP2004248169A (en) * 2003-02-17 2004-09-02 Nippon Telegr & Teleph Corp <Ntt> Communications control system, communication control method and program, and communication terminal
JP2004336602A (en) * 2003-05-12 2004-11-25 Nakayo Telecommun Inc VoIP COMMUNICATION EQUIPMENT
JP2005346556A (en) * 2004-06-04 2005-12-15 Canon Inc Providing device, and communication device, method and program
JP2006032997A (en) * 2004-07-12 2006-02-02 Hitachi Ltd Network system, data relaying apparatus, session monitor system, and packet monitor relaying apparatus
JP2006050407A (en) * 2004-08-06 2006-02-16 Canon Inc Security policy setting method, program, and communication apparatus

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001298449A (en) * 2000-04-12 2001-10-26 Matsushita Electric Ind Co Ltd Security communication method, communication system and its unit
JP2004235697A (en) * 2003-01-28 2004-08-19 Mitsubishi Space Software Kk One external station type private branch exchange system ip telephone system

Patent Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003521834A (en) * 1999-01-29 2003-07-15 ジェネラル・インストルメント・コーポレーション Key management for telephone calls protecting signaling and call packets between CTAs
JP2002539716A (en) * 1999-03-12 2002-11-19 ノキア ネットワークス オサケ ユキチュア Interception system and method
JP2004173051A (en) * 2002-11-21 2004-06-17 Nippon Telegr & Teleph Corp <Ntt> VoIP PACKET INFORMATION STORAGE SYSTEM
JP2004241954A (en) * 2003-02-05 2004-08-26 Nippon Telegr & Teleph Corp <Ntt> Speech monitoring method
JP2004248169A (en) * 2003-02-17 2004-09-02 Nippon Telegr & Teleph Corp <Ntt> Communications control system, communication control method and program, and communication terminal
JP2004336602A (en) * 2003-05-12 2004-11-25 Nakayo Telecommun Inc VoIP COMMUNICATION EQUIPMENT
JP2005346556A (en) * 2004-06-04 2005-12-15 Canon Inc Providing device, and communication device, method and program
JP2006032997A (en) * 2004-07-12 2006-02-02 Hitachi Ltd Network system, data relaying apparatus, session monitor system, and packet monitor relaying apparatus
JP2006050407A (en) * 2004-08-06 2006-02-16 Canon Inc Security policy setting method, program, and communication apparatus

Also Published As

Publication number Publication date
WO2006087819A1 (en) 2006-08-24

Similar Documents

Publication Publication Date Title
JP5870156B2 (en) Method and apparatus for end-to-edge media protection in IMS systems
US9537837B2 (en) Method for ensuring media stream security in IP multimedia sub-system
KR101501399B1 (en) Policy routing-based lawful interception in communication system with end-to-end encryption
CN102769848B (en) The evolved packet system Non-Access Stratum monitored using real-time LTE is decrypted
US8488775B2 (en) Method and system for recording automatic call distributor calls
US20150089220A1 (en) Technique For Bypassing an IP PBX
JP4299102B2 (en) Wireless network handoff encryption key
EP1022922B1 (en) Authentication method establishing a secured channel between a subscriber and a service provider accessed through a telecommunication operator
EP1896982B1 (en) Lan-based uma network controller with aggregated transport
EP2356791B1 (en) Communication system and method
CN100568800C (en) The system and method that is used for safety remote access
US8108677B2 (en) Method and apparatus for authentication of session packets for resource and admission control functions (RACF)
KR100642375B1 (en) Systems and Methods For Communication Protection
EP1632862B1 (en) Address conversion method, access control method, and device using these methods
US7197297B2 (en) Authentication method for enabling a user of a mobile station to access to private data or services
US8762726B2 (en) System and method for secure access
US7587757B2 (en) Surveillance implementation in managed VOP networks
US7464267B2 (en) System and method for secure transmission of RTP packets
US7092385B2 (en) Policy control and billing support for call transfer in a session initiation protocol (SIP) network
AU2005206976B2 (en) Method and apparatus for transporting encrypted media streams over a wide area network
US7881471B2 (en) Systems and methods for recording an encrypted interaction
JP3973961B2 (en) Wireless network connection system, terminal device, remote access server, and authentication function device
US8024785B2 (en) Method and data processing system for intercepting communication between a client and a service
US6907034B1 (en) Out-of-band signaling for network based computer session synchronization
US7720227B2 (en) Encryption method for SIP message and encrypted SIP communication system

Legal Events

Date Code Title Description
A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20100713

A02 Decision of refusal

Free format text: JAPANESE INTERMEDIATE CODE: A02

Effective date: 20101109