WO2006066455A1 - A method for achieving session with different plain and security level in the communication network - Google Patents

A method for achieving session with different plain and security level in the communication network Download PDF

Info

Publication number
WO2006066455A1
WO2006066455A1 PCT/CN2004/001497 CN2004001497W WO2006066455A1 WO 2006066455 A1 WO2006066455 A1 WO 2006066455A1 CN 2004001497 W CN2004001497 W CN 2004001497W WO 2006066455 A1 WO2006066455 A1 WO 2006066455A1
Authority
WO
WIPO (PCT)
Prior art keywords
call
user
called
control device
core control
Prior art date
Application number
PCT/CN2004/001497
Other languages
French (fr)
Chinese (zh)
Inventor
Xianli Hu
Dengjun Su
Ming Ni
Jiwen Lu
Original Assignee
Zte Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zte Corporation filed Critical Zte Corporation
Priority to PCT/CN2004/001497 priority Critical patent/WO2006066455A1/en
Publication of WO2006066455A1 publication Critical patent/WO2006066455A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security

Definitions

  • the present invention relates to the field of communications, and in particular, to a method for implementing different confidentiality level calls of end users under an architecture based on an IP communication network. Background technique
  • VOIP Voice over IP
  • the VOIP system needs to encrypt the user's signaling and media streams to prevent unauthorized users from stealing information from legitimate users.
  • the call if the media stream is encrypted, the call is called a secret message, otherwise it is called a clear message.
  • the usual practice is that the user terminal and the system device agree in advance on the authentication algorithm authentication parameter and the service encryption mode, and the communication security manner between the user terminal and the system device is based on these prior agreements.
  • the setup proceeds.
  • this method once the communication mode between the user terminal and the system device is set, the user cannot change the communication mode by himself; if the user needs to change the security mode of the communication, it must be re-agreed through the network management operation of the network system device. It is cumbersome to modify the corresponding parameters of the user terminal and the system device. Summary of the invention
  • the object of the present invention is to provide a method for implementing different levels of confidentiality calls in a communication network, so as to allow users to make calls at different levels of confidentiality according to different occasions, and the core control device performs call control according to the level of confidentiality set by the user. , thus automatically achieving the secret level of the call requested by the user.
  • the technical solution adopted by the present invention is: A method for implementing different levels of confidentiality in a communication network, wherein the terminal device of the network has the capability of supporting one or more confidential communication, the method comprising: registering each terminal user in a core control device of the network One or more sets of security parameters corresponding to the call privacy level; the terminal user initiates a call to the core control device, where the call request includes a security parameter corresponding to the current call privacy level specified by the terminal user; The core control device performs control of the corresponding secret level call according to the security parameter in the call request and the security parameter registered by the called user.
  • the step of registering one or more sets of security parameters of each terminal user further comprises: the terminal user initiating a registration request to the core control device; the terminal user setting the security of the call privacy level
  • the parameter is added to the message sent to the core control device during the registration process, and the core control device performs registration on the terminal user according to the subscription information of the terminal user and the information about the authentication in the security parameter.
  • the core control device registers the security parameter of the terminal user's current call privacy level into the call privacy level attribute table of the terminal user.
  • the message is a registration request message or other non-registration request message.
  • the step of registering one or more sets of security parameters of each terminal user further comprises: adding, by the terminal user, a security parameter of a call privacy level to a message sent to the core control device after successful registration Sending; the core control device processes the message correspondingly, and registers the security parameter carried in the terminal to the call privacy level attribute table of the terminal user.
  • the step of registering one or more sets of security parameters of each terminal user further comprises: pre-registering a security parameter of a default call privacy level in the core control device.
  • the step of the core control device performing control of the corresponding secret level call further comprises: determining, by the core control device, whether the primary called user is legal according to the primary called user identifier in the call request; When the requested primary and called users are both legitimate: the core control device obtains, according to the called user identifier, each group of security parameters registered by the called user in the core control device; according to the security parameters in the call request and The security parameters of each group registered by the called user determine whether the call confidentiality level between the primary and the called user is compatible; when the call confidentiality level between the primary and the called user is compatible, the primary called user is Establish a corresponding level of confidentiality If the call confidentiality level between the calling and called users is incompatible, the core control device determines whether the security parameter of the primary called user includes permission to establish a secret message with the other party through the intermediary resource, if included, The host and the called user establish a secret message through the intermediary resource; if not, the core control device determines whether the security parameter of the calling party and the called user is allowed to
  • the step of determining, by the core control device, whether the primary and the called user is legal is further: the core control device determines, according to the called user identifier, whether the called user is registered, and if the called user is not registered, determining the called user If the called user is already registered, the core control device determines whether to allow the calling party and the called party to establish a call according to the service status of the calling party and the called party. If the called party is not allowed to establish a call, the calling party and the called party do not. legitimate.
  • the step of establishing a corresponding secret level call between the calling and called users further comprises: the core control device initiating a call to the called user a call request; after receiving the response from the called user, the core control device controls the negotiation between the calling and the called user for the encryption parameter; the core control device controls the media connection between the calling and the called user, and the main Call the user to enter the secret call.
  • the step of establishing a secret message between the calling and called users through the intermediate resource further comprises: the core control device initiating a call request to the called user; and the core control device receiving the response of the called user Allocating an intermediary resource, and obtaining an encryption parameter corresponding to the intermediary resource; the core control device separately controls negotiation between the calling user and the intermediary resource, and between the called user and the intermediary resource; the core control device The media connection between the calling and called users is established through the intermediary resource, and the main called user enters the secret call.
  • the step of establishing a clear call between the calling and called users further comprises: the core control device initiating a call request to the called user; after receiving the response from the called user, the core control device controls the main A media connection is established between the called user terminals, and the calling party and the called user enter the call.
  • the user can flexibly retrieve various encryption methods (including no encryption) according to requirements, and specifically, the invention has the following advantages:
  • the core control device allows the end user to have more than one set of security parameters corresponding to the level of confidentiality. Number
  • the core control device allows the user to set its own confidential state through the terminal device according to different environmental needs
  • the user can decide the mode of interaction with other users, and the core control device performs call control according to the level of confidentiality set by the user;
  • the core control device provides call control services between user terminals using different encryption methods
  • the operator can provide users with hierarchical secure communication services. DRAWINGS
  • FIG. 1 is a flow chart of a method for implementing different secret level calls in a communication network, in accordance with one embodiment of the present invention
  • FIG. 2 is a flow chart showing an end user registration process in the method of FIG. 1 according to an embodiment of the present invention
  • FIG. 3 is a flow diagram of a control process for a core control device to perform a corresponding clear level call in the method of FIG. 1 in accordance with one embodiment of the present invention. detailed description
  • the present invention is proposed in an IP network system architecture based on softswitch technology, wherein a session between two terminals is established through a softswitch, if the media stream of the call between the two terminals is encrypted , the call is called a secret message, otherwise it is called a clear speech.
  • a terminal with encryption function it is possible to change a single communication method in the past, and to establish a clear voice or a different level of secret message with another terminal according to different occasions.
  • the idea of allowing the end user to establish a clear message or a different secret level with another terminal according to different occasions or needs is realized by allowing the user to indicate the secret level of the call when the call is initiated.
  • the level of the call here called the secret level
  • the set of security parameters sets the encrypted communication mode used by the terminal device, including at least the media encryption mode information.
  • the security parameter may further include information such as an authentication algorithm and an authentication parameter.
  • FIG. 1 is a flow diagram of a method of implementing different secret level calls in a communication network, in accordance with one embodiment of the present invention.
  • At least a core control device exists in the IP network architecture based on the softswitch technology, which may be a media gateway controller S; a calling user terminal device O; a called user terminal device T; a gateway G; Terminal devices O and T have the ability to locally encrypt and decrypt communication content.
  • each terminal user registers security parameters corresponding to the respective call privacy levels in the media gateway controller S.
  • the terminal user since the terminal user is allowed to set a plurality of call privacy levels, there are multiple sets of security parameters corresponding to the plurality of clearness levels, so in the core control device S, each terminal user is established.
  • the corresponding call privacy level attribute table records the security parameters corresponding to all the call privacy levels set by the terminal user in the call privacy level attribute table.
  • the new security level security parameter can be added to the established message and sent to the media gateway controller S for registration.
  • the registration of the security parameters of the secret level is implemented by the process of the terminal device registering with the media gateway controller S.
  • FIG. 2 is a flow diagram of an end user registering in the method of FIG. 1 in accordance with one embodiment of the present invention.
  • the step 105 of registering the security level security parameter in Fig. 1 will be described in detail with reference to the user terminal registration process shown in Fig. 2.
  • step 201 the user sets a security parameter of the level of confidentiality that the terminal device U complies with in the subsequent call on the terminal device U.
  • the security parameter set by the user is included in the registration message.
  • These security parameters include media encryption mode, authentication algorithm, authentication parameters, and whether to allow a clear call or use an intermediary resource to make a call when the primary and called terminal devices are incompatible.
  • the format of the registration message is not specified, because the embodiment is only an exemplary description, and the message format and the message of the registration message used by the terminal device to send the security parameter are
  • the capacity is related to the requirements of the specific core control device (such as the media gateway controller) and the protocol supported by the terminal device user.
  • step 202 the terminal device U initiates a registration request to the media gateway controller S, and sends a registration message containing the security parameters to the media gateway controller S.
  • the media gateway controller S authenticates the terminal device U.
  • the media gateway controller S obtains the user identifier and the security parameters therein from the registration message, so as to find the corresponding user subscription service information, and sends an authentication message to the terminal device U accordingly.
  • the media gateway controller S authenticates the terminal device U based on the subscription information of the user and the authentication requirement of the corresponding encryption method in the security parameter. It should be noted that the authentication message interaction is only schematically represented in FIG. 2, and the actual authentication message interaction process needs to be determined according to the actual authentication algorithm.
  • step 204 after the authentication is passed, the media gateway controller S sets the current visibility level registration status of the terminal device U according to the security parameters carried in the registration message, and records the security parameters in the call privacy level of the terminal device U. In the attribute table, a registration success message is sent to the terminal device U. On the other hand, if the authentication fails, the media gateway controller S will send a registration failure message to the terminal device U, and include a specific failure reason in the registration failure message.
  • the Media Gateway Controller S can provide services for it.
  • the end user initiates a call request and indicates the level of confidentiality of the call.
  • the terminal user can specify the desired call secret level when the call is requested, and the security parameter corresponding to the secret level is automatically sent as a parameter of the call request message along with the call request.
  • security parameters it may include the secret mode to initiate the call; when the called terminal device does not support the secret call, whether to adopt the call failure mode, or the clear call mode, and the like.
  • the specific parameter form is related to the specific media gateway controller S and the terminal's call protocol. When the user dials, a call request with security parameters is sent to the Media Gateway Controller S.
  • step 115 the media gateway controller S performs control of the corresponding secret level call.
  • 3 is a flow diagram of control of a media gateway controller S in a method of FIG. 1 to perform a corresponding secret level call, in accordance with an embodiment of the present invention.
  • the calling user terminal device The call request between the O and the called user terminal device T is taken as an example to describe the detailed process of the media gateway controller S performing the control of the corresponding secret level call.
  • steps 301 and 302 have been described in step 110 of Fig. 1, but for the consistency of the flow in Fig. 3, a brief description will be made here.
  • the calling user terminal O initiates a call to the called user terminal T, wherein the desired secret level of the call is indicated in the call request, and a call request with the corresponding security parameter is sent to the media gateway controller S.
  • step 303 after receiving the call request, the media gateway controller S analyzes the security parameter of the call confidentiality level and the calling and called user identifier in the call request message.
  • step 304 the media gateway controller S determines whether the called user is registered according to the called user identifier. If the called user is not registered, the call fails and the call processing is exited.
  • the media gateway controller S obtains the service information of the calling and called users according to the identity of the calling party and the called party, and determines whether the service information of the calling party and the called user is allowed to establish a call between the calling user O and the called user T. For example, if the calling user O is forbidden to call out due to arrears, or the calling user O is in the blacklist of the called user T, the call is not allowed to be established. If the call is not allowed between the primary and the called users, the call fails and the call processing is exited.
  • the media gateway controller S determines the calling user O and the called party according to the service information of the calling user O and the called user T and the security parameters corresponding to the call confidentiality level registered in the media gateway controller S. Whether the user T's level of confidentiality is compatible, so that the call is controlled by the corresponding level of confidentiality.
  • the compatibility of the confidentiality level means that the media encryption mode corresponding to the current secret level of the calling user O and the called user T is the same, or exists in the call privacy level attribute table of the called user T and the calling user O current.
  • the confidentiality level of the media encryption method is the same as the secret level.
  • the media gateway controller S processes according to the judgment result according to the following principles:
  • the media gateway controller S initiates a call request message to the called user terminal T.
  • the call request message contains the security parameters of the calling user O;
  • step 30611 the called terminal T sends an off-hook response message to the media gateway controller S.
  • the media gateway controller S controls the negotiation of the encryption parameters between the calling user terminal device O and the called user terminal device T. ;
  • step 30713 after the encryption parameter negotiation is successful, the media gateway controller S controls the media connection between the calling user terminal device O and the called user terminal device T to establish a communication state through the gateway G, and enters a call state.
  • step 30620 - 30625 is performed:
  • the intermediary resource has two functions: First, the intermediary resource participates in the negotiation of the call key. For the calling party, the intermediary resource simulates the called party with the same level as the calling party, and the called party In the case, the intermediary resource simulates the calling party with the same level as the called party.
  • the second function is to adapt and convert the communication content between the calling party and the called party.
  • step 30620 the media gateway controller S initiates a call request message to the called user terminal T, where the call request message includes the security parameter of the calling user 0;
  • step 30621 the called user terminal T sends an off-hook response message to the media gateway controller S.
  • the media gateway controller S allocates an intermediary resource for the call; in step 30623, the media gateway controller S obtains the encryption parameter corresponding to the allocated mediation resource, and in step 30624, controls the calling user terminal O and The intermediate resource, the called user terminal T and the intermediate resource perform negotiation of the encryption parameter;
  • the media gateway controller S controls the media connection between the calling user terminal O and the called user terminal T through the gateway G and the intermediary resource to enter the call state.
  • Mediation resources can be allocated from the gateway or independently of the gateway.
  • steps 30630-30632 are performed: In step 30630, the media gateway controller S initiating a call request message to the called user terminal T, where the call request message includes the security parameter of the calling user O;
  • step 30631 the called user terminal T sends an off-hook response message to the media gateway controller S.
  • the media gateway controller S controls the calling user terminal O and the called user terminal.
  • Terminal T establishes a media connection through gateway G and enters a call state.
  • the media gateway controller may also allocate a corresponding intermediary resource to the called user to establish a call; The timing can be selected if the user is willing to answer the question.
  • the media gateway controller needs to notify the calling terminal device user of the call state; whether the call is successfully established or the secret call is successfully established, the media gateway controller can According to the policy setting, it is decided whether to notify the called terminal device user of the call state; in the case that the secret call setup fails, it is decided according to the corresponding policy setting whether to notify the called terminal device user of the call state.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for achieving the session of the different plain and security levels in the communication network. The terminal device of this network can support the communication at one or plurality of security levels. The method comprises: registering the security parameter of a set or plurality sets of the security levels corresponding to the session plain and security level what each terminal user had in the core control device of said network; the terminal users originate the call to said core control device, wherein there is the security parameter corresponding to the current session plain and security level specified by said user in the call request; said core control device controls the call of plain and security level based on the security parameter in the call request and the security parameter registered by the called party user. The invention permits to set the different manners of plain and security interacted with the other users based on the requirement for the different situations, the core control device controls the call based on the plain and security level setted by the user.

Description

在通信网络中实现不同明密级别通话的方法  Method for realizing different secret level calls in a communication network
技术领域 Technical field
本发明涉及通信领域,尤其涉及在基于 IP通信网络的体系架构下实现 终端用户的不同明密级别通话的方法。 背景技术  The present invention relates to the field of communications, and in particular, to a method for implementing different confidentiality level calls of end users under an architecture based on an IP communication network. Background technique
随着互联网和宽带技术的发展, 基于 IP网络的语音传输(VOIP )技 术在企业网和公共网络中得到了越来越多的应用。 但由于 IP 网络的开放 性, VOIP技术存在一些安全性问题, 如语音数据 IP包被嗅探监听; 用户 账号和设备欺骗等等。  With the development of Internet and broadband technologies, Voice over IP (VOIP) technology has gained more and more applications in enterprise networks and public networks. However, due to the openness of IP networks, VOIP technology has some security issues, such as voice data IP packets being sniffed and monitored; user accounts and device spoofing, and so on.
针对这些安全问题, VOIP 系统需要对用户的信令和媒体流进行加密 处理, 以防止非法用户对合法用户的信息窃取。 在通话过程中, 如果媒体 流是经过加密的, 则称本次通话为密话, 否则称为明话。  For these security issues, the VOIP system needs to encrypt the user's signaling and media streams to prevent unauthorized users from stealing information from legitimate users. During the call, if the media stream is encrypted, the call is called a secret message, otherwise it is called a clear message.
目前, 在通信系统的安全体系中, 通常的做法是用户终端与系统设备 事先约定好鉴权算法 鉴权参数和业务加密方式, 用户终端与系统设备之 间的通信安全方式都以这些事先约定的设置进行。 但采用这种方法, 一旦 设置了用户终端与系统设备之间的通信方式后, 用户就不能自行改变通信 方式; 如果用户需要改变通信的安全方式, 则必须通过网络系统设备的网 管操作, 重新约定用户终端与系统设备的相应参数, 修改比较麻烦。 发明内容  At present, in the security system of a communication system, the usual practice is that the user terminal and the system device agree in advance on the authentication algorithm authentication parameter and the service encryption mode, and the communication security manner between the user terminal and the system device is based on these prior agreements. The setup proceeds. However, with this method, once the communication mode between the user terminal and the system device is set, the user cannot change the communication mode by himself; if the user needs to change the security mode of the communication, it must be re-agreed through the network management operation of the network system device. It is cumbersome to modify the corresponding parameters of the user terminal and the system device. Summary of the invention
本发明的目的在于提供一种在通信网络中实现不同明密级别通话的方 法, 以允许用户根据不同场合请求进行不同明密级别的通话, 核心控制设 备根据用户设定的明密级别进行呼叫控制, 从而自动实现用户所请求的明 密级别的通话。  The object of the present invention is to provide a method for implementing different levels of confidentiality calls in a communication network, so as to allow users to make calls at different levels of confidentiality according to different occasions, and the core control device performs call control according to the level of confidentiality set by the user. , thus automatically achieving the secret level of the call requested by the user.
为实现以上目的, 本发明所采取的技术方案为: 一种在通信网络中实现不同明密级别通话的方法, 其中该网络的终端 设备具有支持一种或多种密级通信的能力, 该方法包括: 在所述网络的核 心控制设备中登记各终端用户的一组或多组对应通话明密级别的安全参 数; 终端用户向所述核心控制设备发起呼叫, 其中在呼叫请求中包括与该 终端用户指定的本次通话明密级别对应的安全参数; 所述核心控制设备根 据该呼叫请求中的安全参数及被叫用户所登记的安全参数进行相应明密级 别呼叫的控制。 In order to achieve the above object, the technical solution adopted by the present invention is: A method for implementing different levels of confidentiality in a communication network, wherein the terminal device of the network has the capability of supporting one or more confidential communication, the method comprising: registering each terminal user in a core control device of the network One or more sets of security parameters corresponding to the call privacy level; the terminal user initiates a call to the core control device, where the call request includes a security parameter corresponding to the current call privacy level specified by the terminal user; The core control device performs control of the corresponding secret level call according to the security parameter in the call request and the security parameter registered by the called user.
优选地, 所述登记各终端用户的一组或多组安全参数的步骤进一步包 括: 所述终端用户向所述核心控制设备发起注册请求; 所述终端用户将设 定的通话明密级别的安全参数添加到在注册过程中发给所述核心控制设备 的消息中进行发送; 所述核心控制设备根据所述终端用户的签约信息和安 全参数中有关鉴权的信息对所迷终端用户进行注册鉴权操作; 当注册鉴权 操作成功时, 所述核心控制设备将所述终端用户当前的通话明密级别的安 全参数登记到所述终端用户的通话明密级别属性表中。  Preferably, the step of registering one or more sets of security parameters of each terminal user further comprises: the terminal user initiating a registration request to the core control device; the terminal user setting the security of the call privacy level The parameter is added to the message sent to the core control device during the registration process, and the core control device performs registration on the terminal user according to the subscription information of the terminal user and the information about the authentication in the security parameter. When the registration authentication operation is successful, the core control device registers the security parameter of the terminal user's current call privacy level into the call privacy level attribute table of the terminal user.
所述消息是注册请求消息或其它非注册请求消息。 优选地, 所述登记 各终端用户的一组或多组安全参数的步骤进一步包括: 所述终端用户将通 话明密级别的安全参数添加到注册成功后发给所述核心控制设备的消息中 进行发送; 所述核心控制设备对所述消息进行相应处理, 并将其中携带的 安全参数登记到所述终端用户的通话明密级别属性表中。  The message is a registration request message or other non-registration request message. Preferably, the step of registering one or more sets of security parameters of each terminal user further comprises: adding, by the terminal user, a security parameter of a call privacy level to a message sent to the core control device after successful registration Sending; the core control device processes the message correspondingly, and registers the security parameter carried in the terminal to the call privacy level attribute table of the terminal user.
优选地, 所述登记各终端用户的一组或多组安全参数的步骤还包括: 在所述核心控制设备中预先登记缺省的通话明密级別的安全参数。  Preferably, the step of registering one or more sets of security parameters of each terminal user further comprises: pre-registering a security parameter of a default call privacy level in the core control device.
优选地, 所述核心控制设备进行相应明密级别呼叫的控制的步骤进一 步包括: 所述核心控制设备根据所述呼叫请求中的主被叫用户标识确定主 被叫用户是否合法; 当所述呼叫请求的主被叫用户均合法时: 所述核心控 制设备根据被叫用户标识获得所述被叫用户在所述核心控制设备中登记的 各组安全参数; 根据所述呼叫请求中的安全参数及被叫用户所登记的各组 安全参数, 确定主被叫用户之间的通话明密级别是否兼容; 当所述主被叫 用户之间的通话明密级别兼容时, 在所述主被叫用户之间建立相应明密级 别的通话; 当所述主被叫用户之间的通话明密级别不兼容时, 所述核心控 制设备判断主被叫用户的安全参数是否包含允许与对方通过中介资源建立 密话, 若包含, 则主被叫用户之间通过中介资源建立密话; 若没有包含, 则所述核心控制设备判断主被叫用户的安全参数是否包含允许与对方建立 明话, 若包含, 则主被叫用户之间建立明话; 若没有包含, 则此次呼叫失 败。 Preferably, the step of the core control device performing control of the corresponding secret level call further comprises: determining, by the core control device, whether the primary called user is legal according to the primary called user identifier in the call request; When the requested primary and called users are both legitimate: the core control device obtains, according to the called user identifier, each group of security parameters registered by the called user in the core control device; according to the security parameters in the call request and The security parameters of each group registered by the called user determine whether the call confidentiality level between the primary and the called user is compatible; when the call confidentiality level between the primary and the called user is compatible, the primary called user is Establish a corresponding level of confidentiality If the call confidentiality level between the calling and called users is incompatible, the core control device determines whether the security parameter of the primary called user includes permission to establish a secret message with the other party through the intermediary resource, if included, The host and the called user establish a secret message through the intermediary resource; if not, the core control device determines whether the security parameter of the calling party and the called user is allowed to establish a clear message with the other party, and if so, the calling party and the called user Establish a clear message; if not, the call fails.
优选地, 所述核心控制设备确定主被叫用户是否合法的步骤进一步包 括: 所述核心控制设备根据被叫用户标识, 判断被叫用户是否注册, 若被 叫用户未注册, 则确定被叫用户不合法; 若被叫用户已注册, 则所述核心 控制设备根据主被叫用户的业^ H言息,判断是否允许主被叫用户建立呼叫, 若不允许建立呼叫, 则主被叫用户不合法。  Preferably, the step of determining, by the core control device, whether the primary and the called user is legal is further: the core control device determines, according to the called user identifier, whether the called user is registered, and if the called user is not registered, determining the called user If the called user is already registered, the core control device determines whether to allow the calling party and the called party to establish a call according to the service status of the calling party and the called party. If the called party is not allowed to establish a call, the calling party and the called party do not. legitimate.
优选地, 当所迷主被叫用户之间的通话明密级别兼容时, 在所述主被 叫用户之间建立相应明密级别的通话的步骤进一步包括: 所述核心控制设 备向被叫用户发起呼叫请求; 所述核心控制设备收到所述被叫用户的应答 后, 控制主被叫用户之间进行加密参数的协商; 所述核心控制设备控制主 被叫用户之间建立媒体连接, 主被叫用户进入密话通话。  Preferably, when the call confidentiality level between the calling and called users is compatible, the step of establishing a corresponding secret level call between the calling and called users further comprises: the core control device initiating a call to the called user a call request; after receiving the response from the called user, the core control device controls the negotiation between the calling and the called user for the encryption parameter; the core control device controls the media connection between the calling and the called user, and the main Call the user to enter the secret call.
优选地, 所述主被叫用户之间通过中介资源建立密话的步驟进一步包 括: 所述核心控制设备向被叫用户发起呼叫请求; 所述核心控制设备收到 所述被叫用户的应答后, 分配中介资源, 并获得中介资源所对应的加密参 数; 所述核心控制设备分别控制主叫用户与中介资源之间、 被叫用户与中 介资源之间进行加密参数的协商; 所述核心控制设备控制主被叫用户之间 建立通过中介资源的媒体连接, 主被叫用户进入密话通话。  Preferably, the step of establishing a secret message between the calling and called users through the intermediate resource further comprises: the core control device initiating a call request to the called user; and the core control device receiving the response of the called user Allocating an intermediary resource, and obtaining an encryption parameter corresponding to the intermediary resource; the core control device separately controls negotiation between the calling user and the intermediary resource, and between the called user and the intermediary resource; the core control device The media connection between the calling and called users is established through the intermediary resource, and the main called user enters the secret call.
优选地, 所述主被叫用户之间建立明话的步骤进一步包括: 所述核心 控制设备向被叫用户发起呼叫请求; 所述核心控制设备收到所述被叫用户 的应答后,控制主被叫用户终端之间建立媒体连接,主被叫用户进入通话。  Preferably, the step of establishing a clear call between the calling and called users further comprises: the core control device initiating a call request to the called user; after receiving the response from the called user, the core control device controls the main A media connection is established between the called user terminals, and the calling party and the called user enter the call.
采用本发明, 用户可以根据需要灵活釆取各种加密方式(包括不加密) 进行通信, 具体来说, 本发明有如下的优点:  By adopting the invention, the user can flexibly retrieve various encryption methods (including no encryption) according to requirements, and specifically, the invention has the following advantages:
1.核心控制设备允许终端用户有一组以上的对应明密级别的安全参 数; 1. The core control device allows the end user to have more than one set of security parameters corresponding to the level of confidentiality. Number
2.核心控制设备允许用户根据不同环境需要, 自行通过终端设备设定 其明密状态;  2. The core control device allows the user to set its own confidential state through the terminal device according to different environmental needs;
3.用户可自行决定与其他用户的明密交互方式, 核心控制设备根据用 户设定的明密级别进行呼叫控制;  3. The user can decide the mode of interaction with other users, and the core control device performs call control according to the level of confidentiality set by the user;
4.核心控制设备为采用不同加密方式的用户终端之间提供呼叫控制服 务;  4. The core control device provides call control services between user terminals using different encryption methods;
5.运营商可以向用户提供分级的安全通信服务。 附图说明  5. The operator can provide users with hierarchical secure communication services. DRAWINGS
图 1是根据本发明一个实施例的在通信网络中实现不同明密级别通话 的方法的流程图;  1 is a flow chart of a method for implementing different secret level calls in a communication network, in accordance with one embodiment of the present invention;
图 2是根据本发明一个实施例的图 1方法中终端用户注册过程的流程 图;  2 is a flow chart showing an end user registration process in the method of FIG. 1 according to an embodiment of the present invention;
图 3是根据本发明一个实施例的图 1方法中核心控制设备进行相应明 密级别呼叫的控制过程的流程图。 具体实施方式  3 is a flow diagram of a control process for a core control device to perform a corresponding clear level call in the method of FIG. 1 in accordance with one embodiment of the present invention. detailed description
相信通过下面结合附图对本发明的优选实施例的详细说明, 可以更清 楚地了解本发明的上述和其它目的、 特征和优点。  The above and other objects, features and advantages of the present invention will become apparent from the <RTIgt
本发明是在以软交换技术为基础的 IP网络系统体系架构中提出的,其 中, 两个终端之间的会话是通过软交换建立的, 如果两个终端之间通话的 媒体流是经过加密的, 则称本次通话为密话, 否则称为明话。 对于带有加 密功能的终端来说, 可以改变过去单一的通信方式, 而根据不同场合与另 一个终端建立明话, 或是不同级别的密话。  The present invention is proposed in an IP network system architecture based on softswitch technology, wherein a session between two terminals is established through a softswitch, if the media stream of the call between the two terminals is encrypted , the call is called a secret message, otherwise it is called a clear speech. For a terminal with encryption function, it is possible to change a single communication method in the past, and to establish a clear voice or a different level of secret message with another terminal according to different occasions.
本发明中允许终端用户根据不同场合或需要与另一终端建立明话或不 同密级的密话的思想是通过允许用户在发起呼叫时指出本次呼叫的明密级 别来实现的。 而呼叫的明密级别, 这里称为密级, 是由一组安全参数设定 的, 这组安全参数设定了终端设备所使用的加密通信方式, 至少包括媒体 加密方式信息。 此外, 安全参数中还可以包括鉴权算法、鉴权参数等信息。 The idea of allowing the end user to establish a clear message or a different secret level with another terminal according to different occasions or needs is realized by allowing the user to indicate the secret level of the call when the call is initiated. The level of the call, here called the secret level, is set by a set of security parameters. The set of security parameters sets the encrypted communication mode used by the terminal device, including at least the media encryption mode information. In addition, the security parameter may further include information such as an authentication algorithm and an authentication parameter.
图 1是根据本发明一个实施例的在通信网络中实现不同明密级别通话 的方法的流程图。  1 is a flow diagram of a method of implementing different secret level calls in a communication network, in accordance with one embodiment of the present invention.
本实施例中,以软交换技术为基础的 IP网络体系架构中至少存在核心 控制设备, 可以是媒体网关控制器 S; 主叫用户终端设备 O ; 被叫用户终 端设备 T; 网关 G; 其中用户终端设备 O和 T具备本地加密和解密通信内 容的能力。  In this embodiment, at least a core control device exists in the IP network architecture based on the softswitch technology, which may be a media gateway controller S; a calling user terminal device O; a called user terminal device T; a gateway G; Terminal devices O and T have the ability to locally encrypt and decrypt communication content.
如图 1所示, 在步骤 105, 各终端用户在媒体网关控制器 S中登记各 自的通话明密级别对应的安全参数。  As shown in FIG. 1, in step 105, each terminal user registers security parameters corresponding to the respective call privacy levels in the media gateway controller S.
本实施例中, 由于允许终端用户设定多个通话明密级别, 因此存在与 这多个明密级别对应的多组安全参数, 所以在核心控制设备 S中, 为每位 终端用户都建立了相应的通话明密级别属性表, 将终端用户设定的所有通 话明密级别对应的安全参数都记录在该通话明密级别属性表中。 各终端用 户在需要登记或添加新的明密级别时, 可以随时将新的明密级别的安全参 数添加到既定的消息中, 发送给媒体网关控制器 S进行登记。 在本实施例 中, 通过终端设备向媒体网关控制器 S注册的过程来实现明密级别的安全 参数的登记。  In this embodiment, since the terminal user is allowed to set a plurality of call privacy levels, there are multiple sets of security parameters corresponding to the plurality of clearness levels, so in the core control device S, each terminal user is established. The corresponding call privacy level attribute table records the security parameters corresponding to all the call privacy levels set by the terminal user in the call privacy level attribute table. When each terminal user needs to register or add a new secret level, the new security level security parameter can be added to the established message and sent to the media gateway controller S for registration. In this embodiment, the registration of the security parameters of the secret level is implemented by the process of the terminal device registering with the media gateway controller S.
图 2是根据本发明一个实施例的图 1方法中终端用户进行注册的流程 图。 现在以某一用户终端设备 U为例, 参照图 2所示的用户终端注册过程 来详细说明图 1中的登记明密级别的安全参数的步骤 105。  2 is a flow diagram of an end user registering in the method of FIG. 1 in accordance with one embodiment of the present invention. Now, taking a certain user terminal device U as an example, the step 105 of registering the security level security parameter in Fig. 1 will be described in detail with reference to the user terminal registration process shown in Fig. 2.
如图 2所示, 首先在步驟 201, 用户在终端设备 U上设置在以后的通 话中终端设备 U所遵从的明密级别的安全参数。在用户终端 U发起注册请 求时, 用户设置的明密级别的安全参数包含在注册消息中。 这些安全参数 包括媒体加密方式、 鉴权算法、 鉴权参数以及当主被叫终端设备明密级别 不兼容时是否允许明话呼叫或利用中介资源进行呼叫等信息。 需要说明的 是, 本实施例未对注册消息的格式进行规定, 因为本实施例只是示例性的 说明, 而且终端设备发送安全参数所使用的注册消息的消息格式和消息内 容是与具体的核心控制设备(如媒体网关控制器) 的要求和终端设备用户 支持的协议有关的。 As shown in FIG. 2, first in step 201, the user sets a security parameter of the level of confidentiality that the terminal device U complies with in the subsequent call on the terminal device U. When the user terminal U initiates a registration request, the security parameter set by the user is included in the registration message. These security parameters include media encryption mode, authentication algorithm, authentication parameters, and whether to allow a clear call or use an intermediary resource to make a call when the primary and called terminal devices are incompatible. It should be noted that, in this embodiment, the format of the registration message is not specified, because the embodiment is only an exemplary description, and the message format and the message of the registration message used by the terminal device to send the security parameter are The capacity is related to the requirements of the specific core control device (such as the media gateway controller) and the protocol supported by the terminal device user.
在步驟 202, 终端设备 U向媒体网关控制器 S发起注册请求, 将包含 了安全参数的注册消息发送到媒体网关控制器 S。  In step 202, the terminal device U initiates a registration request to the media gateway controller S, and sends a registration message containing the security parameters to the media gateway controller S.
在步骤 203, 媒体网关控制器 S对终端设备 U进行鉴权。 在这一步骤 中, 媒体网关控制器 S从注册消息中获取用户标识和其中的安全参数, 从 而查找对应的用户签约业务信息, 并依此向终端设备 U发送鉴权消息。 媒 体网关控制器 S对终端设备 U进行鉴权的依据是用户的签约信息以及安全 参数中对应的加密方式的鉴权要求。 需要说明的是, 在图 2中对鉴权消息 交互仅进行了示意性的表示, 真正的鉴权消息交互流程需要视实际鉴权算 法而定。  At step 203, the media gateway controller S authenticates the terminal device U. In this step, the media gateway controller S obtains the user identifier and the security parameters therein from the registration message, so as to find the corresponding user subscription service information, and sends an authentication message to the terminal device U accordingly. The media gateway controller S authenticates the terminal device U based on the subscription information of the user and the authentication requirement of the corresponding encryption method in the security parameter. It should be noted that the authentication message interaction is only schematically represented in FIG. 2, and the actual authentication message interaction process needs to be determined according to the actual authentication algorithm.
在步骤 204, 当鉴权通过之后, 媒体网关控制器 S根据注册消息中携 带的安全参数设置终端设备 U的当前明密级别注册状态, 并将这些安全参 数记录在终端设备 U的通话明密级别属性表中,并向终端设备 U发送注册 成功消息。 反之, 如果鉴权失败, 则媒体网关控制器 S将向终端设备 U发 送注册失败信息, 并在注册失败消息中包含具体的失败原因。  In step 204, after the authentication is passed, the media gateway controller S sets the current visibility level registration status of the terminal device U according to the security parameters carried in the registration message, and records the security parameters in the call privacy level of the terminal device U. In the attribute table, a registration success message is sent to the terminal device U. On the other hand, if the authentication fails, the media gateway controller S will send a registration failure message to the terminal device U, and include a specific failure reason in the registration failure message.
一旦终端设备注册成功, 媒体网关控制器 S就可以为其提供服务了。 返回图 1, 在步骤 110, 终端用户发起呼叫请求, 同时指出此次呼叫的 明密级别。 本步骤中, 终端用户在呼叫请求时可以指定所期望的通话明密 级别, 而与该明密级别对应的安全参数便自动作为呼叫请求消息的参数随 呼叫请求一起发送。 在这些安全参数中, 可以包括采用何种密级方式发起 呼叫; 当被叫终端设备不支持该密级呼叫时, 是采取呼叫失败方式, 还是 采用明话呼叫方式等等。 具体的参数形式与具体的媒体网关控制器 S和终 端的呼叫协议有关。 用户拨号时, 带有安全参数的呼叫请求被发送到媒体 网关控制器 S。  Once the terminal device is successfully registered, the Media Gateway Controller S can provide services for it. Returning to Figure 1, in step 110, the end user initiates a call request and indicates the level of confidentiality of the call. In this step, the terminal user can specify the desired call secret level when the call is requested, and the security parameter corresponding to the secret level is automatically sent as a parameter of the call request message along with the call request. Among these security parameters, it may include the secret mode to initiate the call; when the called terminal device does not support the secret call, whether to adopt the call failure mode, or the clear call mode, and the like. The specific parameter form is related to the specific media gateway controller S and the terminal's call protocol. When the user dials, a call request with security parameters is sent to the Media Gateway Controller S.
接着, 在步骤 115, 媒体网关控制器 S进行相应明密级别呼叫的控制。 图 3是根据本发明一个实施例的图 1方法中媒体网关控制器 S进行相 应明密级别呼叫的控制的流程图。 现在, 参照图 3, 以主叫用户终端设备 O和被叫用户终端设备 T之间的呼叫请求为例, 来说明媒体网关控制器 S 进行相应明密级别呼叫的控制的详细过程。 Next, at step 115, the media gateway controller S performs control of the corresponding secret level call. 3 is a flow diagram of control of a media gateway controller S in a method of FIG. 1 to perform a corresponding secret level call, in accordance with an embodiment of the present invention. Now, referring to Figure 3, the calling user terminal device The call request between the O and the called user terminal device T is taken as an example to describe the detailed process of the media gateway controller S performing the control of the corresponding secret level call.
图 3中, 步骤 301和步驟 302已在图 1的步骤 110中进行了介绍, 但 为了图 3中流程的连贯性, 在此进行简单地描述。 主叫用户终端 O向被叫 用户终端 T发起呼叫,其中在呼叫请求中指出了此次呼叫的期望明密级别, 并将带有对应安全参数的呼叫请求发送给媒体网关控制器 S。  In Fig. 3, steps 301 and 302 have been described in step 110 of Fig. 1, but for the consistency of the flow in Fig. 3, a brief description will be made here. The calling user terminal O initiates a call to the called user terminal T, wherein the desired secret level of the call is indicated in the call request, and a call request with the corresponding security parameter is sent to the media gateway controller S.
在步骤 303, 媒体网关控制器 S接收到该呼叫请求后, 分析呼叫请求 消息中的通话明密级别的安全参数和主被叫用户标识。  In step 303, after receiving the call request, the media gateway controller S analyzes the security parameter of the call confidentiality level and the calling and called user identifier in the call request message.
在步骤 304, 媒体网关控制器 S根据被叫用户标识判断被叫用户是否 注册。 如果被叫用户没有注册, 则呼叫失败, 退出呼叫处理。  In step 304, the media gateway controller S determines whether the called user is registered according to the called user identifier. If the called user is not registered, the call fails and the call processing is exited.
在步骤 305, 媒体网关控制器 S根据主被叫用户标识, 获得主被叫用 户的业务信息,判断主被叫用户的业务信息是否允许在主叫用户 O和被叫 用户 T之间建立呼叫。 例如, 在主叫用户 O因欠费而禁止呼出, 或主叫用 户 O在被叫用户 T的黑名单中等情况下, 该呼叫就不允许建立。如果主被 叫用户之间不允许建立呼叫, 则呼叫失败, 退出呼叫处理。  In step 305, the media gateway controller S obtains the service information of the calling and called users according to the identity of the calling party and the called party, and determines whether the service information of the calling party and the called user is allowed to establish a call between the calling user O and the called user T. For example, if the calling user O is forbidden to call out due to arrears, or the calling user O is in the blacklist of the called user T, the call is not allowed to be established. If the call is not allowed between the primary and the called users, the call fails and the call processing is exited.
在步驟 306,媒体网关控制器 S根据主叫用户 O和被叫用户 T的业务 信息及其在媒体网关控制器 S中登记的通话明密级别对应的安全参数, 判 断主叫用户 O和被叫用户 T的明密级别是否兼容,从而对呼叫进行相应的 明密级别的控制。其中明密级别兼容是指主叫用户 O和被叫用户 T当前的 明密级别所对应的媒体加密方式相同, 或在被叫用户 T的通话明密级别属 性表中存在与主叫用户 O 当前的明密级别的媒体加密方式相同的明密级 别。 媒体网关控制器 S根据判断结果, 按照如下原则进行处理:  In step 306, the media gateway controller S determines the calling user O and the called party according to the service information of the calling user O and the called user T and the security parameters corresponding to the call confidentiality level registered in the media gateway controller S. Whether the user T's level of confidentiality is compatible, so that the call is controlled by the corresponding level of confidentiality. The compatibility of the confidentiality level means that the media encryption mode corresponding to the current secret level of the calling user O and the called user T is the same, or exists in the call privacy level attribute table of the called user T and the calling user O current. The confidentiality level of the media encryption method is the same as the secret level. The media gateway controller S processes according to the judgment result according to the following principles:
( 1 )如果明密级别兼容, 则执行步骤 30610 - 30613:  (1) If the level of confidentiality is compatible, go to steps 30610 - 30613:
在步骤 30610, 媒体网关控制器 S向被叫用户终端 T发起呼叫请求消 息。 在此呼叫请求消息中包含着主叫用户 O的安全参数;  At step 30610, the media gateway controller S initiates a call request message to the called user terminal T. The call request message contains the security parameters of the calling user O;
在步骤 30611, 被叫终端 T向媒体网关控制器 S发送摘机应答消息; 在步骤 30612, 媒体网关控制器 S控制主叫用户终端设备 O与被叫用 户终端设备 T之间进行加密参数的协商; 在步骤 30613, 加密参数协商成功后, 媒体网关控制器 S控制主叫用 户终端设备 O与被叫用户终端设备 T之间建立通过网关 G的媒体连接, 进入通话状态。 In step 30611, the called terminal T sends an off-hook response message to the media gateway controller S. In step 30612, the media gateway controller S controls the negotiation of the encryption parameters between the calling user terminal device O and the called user terminal device T. ; In step 30713, after the encryption parameter negotiation is successful, the media gateway controller S controls the media connection between the calling user terminal device O and the called user terminal device T to establish a communication state through the gateway G, and enters a call state.
( 2 )如果明密级别不兼容, 但主叫用户终端 O与被叫用户终端 T允 许通过中介资源建立密话, 则执行步骤 30620 - 30625:  (2) If the confidentiality level is not compatible, but the calling user terminal O and the called user terminal T are allowed to establish a secret message through the intermediary resource, step 30620 - 30625 is performed:
需要说明的是, "中介资源" 是为了满足不同明密级别的用户之间的 通话而引进的。 在本发明中, 中介资源的作用有两个: 一是中介资源参与 呼叫密钥的协商, 对主叫方来说, 中介资源将模拟与主叫方相同密级的被 叫方, 而对被叫方来说, 中介资源则模拟与被叫方相同密级的主叫方。 第 二个作用是对主叫方和被叫方之间的通信内容进行适配转换。  It should be noted that the "intermediary resources" are introduced to meet the calls between users of different levels of confidentiality. In the present invention, the intermediary resource has two functions: First, the intermediary resource participates in the negotiation of the call key. For the calling party, the intermediary resource simulates the called party with the same level as the calling party, and the called party In the case, the intermediary resource simulates the calling party with the same level as the called party. The second function is to adapt and convert the communication content between the calling party and the called party.
在步骤 30620, 媒体网关控制器 S向被叫用户终端 T发起呼叫请求消 息, 在此呼叫请求消息中包含着主叫用户 0的安全参数;  In step 30620, the media gateway controller S initiates a call request message to the called user terminal T, where the call request message includes the security parameter of the calling user 0;
在步骤 30621, 被叫用户终端 T向媒体网关控制器 S发送摘机应答消 息;  In step 30621, the called user terminal T sends an off-hook response message to the media gateway controller S.
在步骤 30622 , 媒体网关控制器 S为此次呼叫分配中介资源; 在步骤 30623, 媒体网关控制器 S获得所分配的中介资源对应的加密 参数, 并在步骤 30624, 分别控制主叫用户终端 O与中介资源、 被叫用户 终端 T与中介资源进行加密参数的协商;  In step 30622, the media gateway controller S allocates an intermediary resource for the call; in step 30623, the media gateway controller S obtains the encryption parameter corresponding to the allocated mediation resource, and in step 30624, controls the calling user terminal O and The intermediate resource, the called user terminal T and the intermediate resource perform negotiation of the encryption parameter;
在步骤 30625, 加密参数协商成功后, 媒体网关控制器 S控制主叫用 户终端 O与被叫用户终端 T之间建立通过网关 G和中介资源的媒体连接 , 进入通话状态。 中介资源可以从网关中分配也可独立于网关。  In step 30625, after the encryption parameter negotiation is successful, the media gateway controller S controls the media connection between the calling user terminal O and the called user terminal T through the gateway G and the intermediary resource to enter the call state. Mediation resources can be allocated from the gateway or independently of the gateway.
( 3 )如果明密级别不兼容且不允许通过中介资源建立通话,但主叫用 户终端 O与被叫用户终端 T允许建立明话, 则执行步驟 30630 - 30632: 在步骤 30630, 媒体网关控制器 S向被叫用户终端 T发起呼叫请求消 息, 在此呼叫请求消息中包含着主叫用户 O的安全参数;  (3) If the confidentiality level is incompatible and the call is not allowed to be established through the intermediate resource, but the calling user terminal O and the called user terminal T are allowed to establish a clear voice, steps 30630-30632 are performed: In step 30630, the media gateway controller S initiating a call request message to the called user terminal T, where the call request message includes the security parameter of the calling user O;
在步骤 30631 , 被叫用户终端 T向媒体网关控制器 S发送摘机应答消 息;  In step 30631, the called user terminal T sends an off-hook response message to the media gateway controller S.
在步骤 30632, 媒体网关控制器 S控制主叫用户终端 O与被叫用户终 端 T建立通过网关 G的媒体连接, 进入通话状态。 At step 30632, the media gateway controller S controls the calling user terminal O and the called user terminal. Terminal T establishes a media connection through gateway G and enters a call state.
( 4 )如果以上情况皆不满足, 则此次呼叫失败, 退出呼叫控制流程。 以上对本发明的优选实施例进行了详细描述, 需要说明的是, 在密级 兼容的情况下, 媒体网关控制器也可为主被叫用户分配相应的中介资源, 建立呼叫; 此外, 中介资源分配操作的时机可以选在用户愿意接听的情况 下再进行, 如在被叫用户终端设备上显示一个来话信息后, 用户按下接听 键之后, 也可以选在此之前进行; 而且, 无论明 /密话呼叫建立成功与否, 媒体网关控制器都需将呼叫状态通知主叫终端设备用户; 无论是明话呼叫 建立成功的情况下, 还是在密话建立成功的情况下, 媒体网关控制器都可 根据策略设置决定是否将呼叫状态通知被叫终端设备用户; 在密话呼叫建 立失败的情况下, 根据相应的策略设置决定是否将呼叫状态通知被叫终端 设备用户。  (4) If none of the above conditions are met, the call fails and the call control process is exited. The preferred embodiment of the present invention has been described in detail above. It should be noted that, in the case of confidential level compatibility, the media gateway controller may also allocate a corresponding intermediary resource to the called user to establish a call; The timing can be selected if the user is willing to answer the question. For example, after the incoming message is displayed on the called user terminal device, after the user presses the answer button, the user can also select the previous call; If the call setup is successful or not, the media gateway controller needs to notify the calling terminal device user of the call state; whether the call is successfully established or the secret call is successfully established, the media gateway controller can According to the policy setting, it is decided whether to notify the called terminal device user of the call state; in the case that the secret call setup fails, it is decided according to the corresponding policy setting whether to notify the called terminal device user of the call state.

Claims

权利要求 Rights request
1. 一种在通信网络中实现不同明密级别通话的方法, 该网络 的终端设备具有支持一种或多种密级通信的能力, 其特征在于, 该方法 包括: A method for implementing different levels of confidentiality in a communication network, the terminal device of the network having the capability of supporting one or more confidential communication, the method comprising:
在所述网络的核心控制设备中登记各终端用户的一组或多组 对应通话明密级别的安全参数;  Registering one or more sets of security parameters corresponding to the call confidentiality level of each terminal user in the core control device of the network;
终端用户向所述核心控制设备发起呼叫, 其中在呼叫请求中 包括与所述终端用户指定的本次通话明密级别对应的安全参数; 所述核心控制设备根据所述呼叫请求中的安全参数及被叫用 户所登记的安全参数进行相应明密级别呼叫的控制。  The terminal user initiates a call to the core control device, where the call request includes a security parameter corresponding to the current call privacy level specified by the terminal user; the core control device according to the security parameter in the call request and The security parameters registered by the called user are controlled by the corresponding secret level call.
2. 如权利要求 1所述的方法, 其特征在于, 所述安全参数包 括媒体加密方式、 鉴权算法、 鉴权参数以及当主被叫终端设备明 密级别不兼容时是否允许明话呼叫或利用中介资源进行呼叫。  2. The method according to claim 1, wherein the security parameter comprises a media encryption mode, an authentication algorithm, an authentication parameter, and whether a clear call or use is allowed when the primary and the called terminal device are incompatible. The intermediary resource makes a call.
3. 如权利要求 2所述的方法, 其特征在于, 所述登记各终端 用户的一组或多组安全参数的步骤进一步包括:  The method according to claim 2, wherein the step of registering one or more sets of security parameters of each terminal user further comprises:
所述终端用户向所述核心控制设备发起注册请求;  The terminal user initiates a registration request to the core control device;
所述终端用户将设定的通话明密级别的安全参数添加到在注 册过程中发给所述核心控制设备的消息中进行发送;  The terminal user adds the set security parameter of the call privacy level to the message sent to the core control device during the registration process for sending;
所述核心控制设备根据所述终端用户的签约信息和安全参数 中有关鉴权的信息对所述终端用户进行注册鉴权操作;  The core control device performs a registration authentication operation on the terminal user according to the subscription information of the terminal user and the information about the authentication in the security parameter;
当注册鉴权操作成功时, 所述核心控制设备将所述终端用户 的通话明密级別的安全参数登记到所述终端用户的通话明密级别 属性表中。  When the registration authentication operation is successful, the core control device registers the security parameter of the terminal user's call privacy level into the call privacy level attribute table of the terminal user.
4. 如权利要求 3所述的方法, 其特征在于, 所述消息是注册 请求消息或其它非注册请求消息。  4. The method of claim 3, wherein the message is a registration request message or other non-registration request message.
5. 如权利要求 2所述的方法, 其特征在于, 所述登记各终端 用户的一组或多组安全参数的步骤进一步包括: 所述终端用户将通话明密级别的安全参数添加到注册成功后 发给所述核心控制设备的消息中进行发送; The method of claim 2, wherein the step of registering one or more sets of security parameters of each end user further comprises: The terminal user adds the security parameter of the call privacy level to the message sent to the core control device after the registration is successful, and sends the message;
所述核心控制设备对所述消息进行相应处理, 并将其中携带 的安全参数登记到所述终端用户的通话明密级别属性表中。  The core control device processes the message correspondingly, and registers the security parameter carried therein into the call privacy level attribute table of the terminal user.
6. 如权利要求 3或 5所述的方法, 其特征在于, 所述登记各 终端用户的一组或多组安全参数的步骤还包括: 在所述核心控制设 备中预先登记缺省的通话明密级别的安全参数。  The method according to claim 3 or 5, wherein the step of registering one or more sets of security parameters of each terminal user further comprises: pre-registering a default call in the core control device Security parameters at the secret level.
7. 如权利要求 2、 3 或 5 所述的方法, 其特征在于, 所述核 心控制设备进行相应明密级别的呼叫控制的步骤进一步包括: 所述核心控制设备根据所述呼叫请求中的主被叫用户标识确 定主被叫用户是否合法;  The method according to claim 2, 3 or 5, wherein the step of the core control device performing call control of a corresponding secret level further comprises: the core control device according to the main in the call request The called user ID determines whether the calling party and the called user are legitimate;
当所述呼叫请求的主被叫用户均合法时:  When the calling and called users of the call request are both legal:
所述核心控制设备根据被叫用户标识获得所述被叫用户在所 述核心控制设备中登记的各组安全参数;  The core control device obtains, according to the called user identifier, each set of security parameters registered by the called user in the core control device;
根据所述呼叫请求中的安全参数及被叫用户所登记的各组安 全参数, 确定主被叫用户之间的通话明密级别是否兼容;  Determining whether the call confidentiality level between the calling party and the called user is compatible according to the security parameter in the call request and each group of security parameters registered by the called user;
当所述主被叫用户之间的通话明密级别兼容时, 在所述主被 叫用户之间建立相应明密级别的通话;  When the call confidentiality level between the calling and called users is compatible, a call of a corresponding secret level is established between the primary and the called users;
当所述主被叫用户之间的通话明密级别不兼容时, 所述核心 控制设备判断主被叫用户的安全参数是否包含允许与对方通过中 介资源建立密话, 若包含, 则主被叫用户之间通过中介资源建立 密话, 若没有包含, 则所述核心控制设备判断主被叫用户的安全 参数是否包含允许与对方建立明话, 若包含, 则主被叫用户之间 建立明话; 若没有包含, 则此次呼叫失败。  When the confidentiality level of the call between the calling and called users is incompatible, the core control device determines whether the security parameter of the primary called user includes permission to establish a secret message with the other party through the intermediary resource, and if so, the primary called party The user establishes a secret message through the intermediary resource. If not, the core control device determines whether the security parameter of the calling party and the called user is allowed to establish a clear voice with the other party. If yes, the calling party and the called user establish a clear message. If not included, the call fails.
8. 如权利要求 7所述的方法, 其特征在于, 所述核心控制设 备确定主被叫用户是否合法的步驟进一步包括:  The method according to claim 7, wherein the step of determining, by the core control device, whether the calling party and the called user are legitimate further comprises:
所述核心控制设备根据被叫用户标识, 判断被叫用户是否注 册, 若被叫用户未注册, 则确定被叫用户不合法; 若被叫用户已注册, 则所述核心控制设备根据主被叫用户的 业务信息, 判断是否允许主被叫用户建立呼叫, 若不允许建立呼 叫, 则主被叫用户不合法。 The core control device determines, according to the called user identifier, whether the called user is registered, and if the called user is not registered, determining that the called user is illegal; If the called user is already registered, the core control device determines whether to allow the calling party and the called party to establish a call according to the service information of the calling party and the called party. If the called party is not allowed to establish a call, the calling party and the called party are not legal.
9. 如权利要求 7所述的方法, 其特征在于, 当所述主被叫用 户之间的通话明密级别兼容时, 在所迷主被叫用户之间建立相应 明密级别的通话的步骤进一步包括:  9. The method according to claim 7, wherein when the call-to-speech level between the calling and called users is compatible, the step of establishing a corresponding secret level call between the called and called users is performed. Further includes:
所述核心控制设备向被叫用户发起呼叫请求;  The core control device initiates a call request to the called user;
所述核心控制设备收到所述被叫用户的应答后, 控制主被叫 用户之间进行加密参数的协商;  After receiving the response from the called user, the core control device controls the negotiation between the calling and the called user to perform encryption parameters;
所述核心控制设备控制主被叫用户之间建立媒体连接, 主被 叫用户进入密话通话。  The core control device controls a media connection between the calling and called users, and the primary called user enters a secret call.
10. 如权利要求 7 所述的方法, 其特征在于, 所述主被叫用 户之间通过中介资源建立密话的步骤进一步包括:  10. The method according to claim 7, wherein the step of establishing a secret message between the calling and called users through the intermediary resource further comprises:
所述核心控制设备向被叫用户发起呼叫请求;  The core control device initiates a call request to the called user;
所述核心控制设备收到所述被叫用户的应答后, 分配中介资 源, 并获得中介资源所对应的加密参数;  After receiving the response from the called user, the core control device allocates an intermediate resource, and obtains an encryption parameter corresponding to the intermediary resource;
所述核心控制设备分别控制主叫用户与中介资源之间、 被叫 用户与中介资源之间进行加密参数的协商;  The core control device controls the negotiation of the encryption parameters between the calling user and the intermediation resource, and between the called user and the intermediation resource, respectively;
所述核心控制设备控制主被叫用户之间建立通过中介资源的 媒体连接, 主被叫用户进入密话通话。  The core control device controls a media connection between the calling and called users through the intermediary resource, and the primary called user enters the secret call.
11. 如权利要求 7 所述的方法, 其特征在于, 所述主被叫用 户之间建立明话的步骤进一步包括:  The method according to claim 7, wherein the step of establishing a clear call between the calling and called users further comprises:
所述核心控制设备向被叫用户发起呼叫请求;  The core control device initiates a call request to the called user;
所述核心控制设备收到所述被叫用户的应答后, 控制主被叫 用户终端之间建立媒体连接, 主被叫用户进入通话。  After receiving the response from the called user, the core control device controls a media connection between the calling and called user terminals, and the primary called user enters the call.
12. 如权利要求 7或 9 所述的方法, 其特征在于, 所述明密 级别兼容是指主被叫用户当前的明密级别所对应的媒体加密方式 相同, 或在被叫用户的通话明密级别属性表中存在与主叫用户当 前的明密级别的媒体加密方式相同的明密级别。 The method according to claim 7 or 9, wherein the confidentiality level compatibility means that the media encryption mode corresponding to the current secret level of the calling party and the user is the same, or the call of the called user is clear. The secret level attribute table exists in the presence of the calling user. The former secret level media encryption method has the same level of confidentiality.
13. 如权利要求 1 所述的方法, 其特征在于, 所述终端用户 在呼叫请求中指定的本次通话的明密级别不同于其在所述核心控 制设备中登记的各组安全参数对应的明密级别。  The method according to claim 1, wherein the terminal user specifies a secret level of the current call in the call request different from each group of security parameters registered in the core control device. Confidential level.
14. 如权利要求 1 所述的方法, 其特征在于, 所述通信网络 采用 IP网络体系架构, 所述核心控制设备采用软交换技术。  14. The method according to claim 1, wherein the communication network adopts an IP network architecture, and the core control device adopts a soft switching technology.
PCT/CN2004/001497 2004-12-22 2004-12-22 A method for achieving session with different plain and security level in the communication network WO2006066455A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2004/001497 WO2006066455A1 (en) 2004-12-22 2004-12-22 A method for achieving session with different plain and security level in the communication network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2004/001497 WO2006066455A1 (en) 2004-12-22 2004-12-22 A method for achieving session with different plain and security level in the communication network

Publications (1)

Publication Number Publication Date
WO2006066455A1 true WO2006066455A1 (en) 2006-06-29

Family

ID=36601348

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2004/001497 WO2006066455A1 (en) 2004-12-22 2004-12-22 A method for achieving session with different plain and security level in the communication network

Country Status (1)

Country Link
WO (1) WO2006066455A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000064111A1 (en) * 1999-04-16 2000-10-26 Unifree, L.L.C. Media file distribution with adaptive transmission protocols
JP2001312486A (en) * 2000-04-28 2001-11-09 Hitachi Ltd Computer system
US20020038431A1 (en) * 2000-09-15 2002-03-28 Chesko John E.A. Internet privacy system
CN1365562A (en) * 1999-05-28 2002-08-21 艾利森电话股份有限公司 Method and apparatus for secure communication

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000064111A1 (en) * 1999-04-16 2000-10-26 Unifree, L.L.C. Media file distribution with adaptive transmission protocols
CN1365562A (en) * 1999-05-28 2002-08-21 艾利森电话股份有限公司 Method and apparatus for secure communication
JP2001312486A (en) * 2000-04-28 2001-11-09 Hitachi Ltd Computer system
US20020038431A1 (en) * 2000-09-15 2002-03-28 Chesko John E.A. Internet privacy system

Similar Documents

Publication Publication Date Title
US7899174B1 (en) Emergency services for packet networks
EP2677788B1 (en) Method and system for data aggregation for communication tasks common to multiple devices
AU2002246172B2 (en) Packet mode speech communication
US6996716B1 (en) Dual-tier security architecture for inter-domain environments
US6400707B1 (en) Real time firewall security
US7408948B2 (en) Packet mode speech communication
US8976968B2 (en) Intercepting a communication session in a telecommunication network
US8543818B2 (en) Controlling communications
EP2486714B1 (en) Controlling communications
US7457627B2 (en) Transfer of information in a communication network with a verified QoS
US20070143470A1 (en) Facilitating integrated web and telecommunication services with collaborating web and telecommunication clients
CA2343066A1 (en) System and method for enabling secure connections for h.323 voip calls
WO2005112338A1 (en) Key distribution method
US20220303150A1 (en) Systems and methods for video conference acceleration
WO2009029748A2 (en) System and method for identifying encrypted conference media traffic
WO2007048301A1 (en) A encryption method for ngn service
JP4965499B2 (en) Authentication system, authentication device, communication setting device, and authentication method
WO2006066455A1 (en) A method for achieving session with different plain and security level in the communication network
JP2009135577A (en) Information relay system, information relay apparatus and method thereof, and program
EP1161827B1 (en) Arrangement related to a call procedure
WO2001019018A1 (en) Security with authentication proxy
WO2006081712A1 (en) A method for switching the level of the plaintext and cyphertext during the conversation
CN1491002A (en) IP video frequency terminal apparatus and interaction of signalling network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 04802510

Country of ref document: EP

Kind code of ref document: A1