WO2006066455A1 - Method for implementing a session with different standard security levels in a communication network - Google Patents


Info

Publication number
WO2006066455A1
Authority
WO
WIPO (PCT)
Prior art keywords
call
user
called
control device
core control
Prior art date
Application number
PCT/CN2004/001497
Other languages
English (en)
Chinese (zh)
Inventor
Xianli Hu
Dengjun Su
Ming Ni
Jiwen Lu
Original Assignee
Zte Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zte Corporation
Priority to PCT/CN2004/001497
Publication of WO2006066455A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Definitions

  • The present invention relates to the field of communications, and in particular to a method for implementing calls with different confidentiality levels for end users under an architecture based on an IP communication network.

Background technique

  • VOIP: Voice over IP.
  • A VOIP system needs to encrypt the user's signaling and media streams to prevent unauthorized users from stealing information from legitimate users.
  • If the media stream of a call is encrypted, the call is called a secret call; otherwise it is called a clear call.
  • The usual practice is that the user terminal and the system device agree in advance on the authentication algorithm, the authentication parameters and the service encryption mode, and secure communication between the user terminal and the system device is then set up on the basis of these prior agreements.
  • With this method, once the communication mode between the user terminal and the system device has been set, the user cannot change it himself; if the user needs to change the security mode of the communication, it must be re-agreed through the network management operation of the network system device, and modifying the corresponding parameters of the user terminal and the system device is cumbersome.
Summary of the invention

  • The object of the present invention is to provide a method for implementing calls with different confidentiality levels in a communication network, so that users can make calls at different confidentiality levels according to the occasion, with the core control device performing call control according to the confidentiality level set by the user, thus automatically achieving the confidentiality level of the call requested by the user.
  • The technical solution adopted by the present invention is a method for implementing calls with different confidentiality levels in a communication network, wherein the terminal devices of the network are capable of supporting one or more kinds of confidential communication. The method comprises: registering, for each terminal user, one or more sets of security parameters corresponding to call privacy levels in a core control device of the network; the terminal user initiating a call to the core control device, where the call request includes the security parameters corresponding to the current call privacy level specified by the terminal user; and the core control device performing control of the call at the corresponding confidentiality level according to the security parameters in the call request and the security parameters registered by the called user.
  • The step of registering one or more sets of security parameters for each terminal user further comprises: the terminal user initiating a registration request to the core control device; the terminal user adding the security parameters of the call privacy level it has set to a message sent to the core control device during the registration process; and the core control device registering the terminal user according to the terminal user's subscription information and the authentication information in the security parameters.
  • The core control device registers the security parameters of the terminal user's current call privacy level in the call privacy level attribute table of that terminal user.
  • The message is a registration request message or another, non-registration-request message.
  • The step of registering one or more sets of security parameters for each terminal user further comprises: the terminal user adding the security parameters of a call privacy level to a message sent to the core control device after successful registration; and the core control device processing the message accordingly and registering the security parameters carried in it in the call privacy level attribute table of the terminal user.
  • The step of registering one or more sets of security parameters for each terminal user further comprises: pre-registering the security parameters of a default call privacy level in the core control device.
  • The step of the core control device performing control of the call at the corresponding confidentiality level further comprises: the core control device determining, according to the calling and called user identifiers in the call request, whether the calling and called users are legitimate; when both the calling and called users of the request are legitimate, the core control device obtaining, according to the called user identifier, each set of security parameters registered by the called user in the core control device, and determining from the security parameters in the call request and each set of security parameters registered by the called user whether the call confidentiality levels of the calling and called users are compatible; when the call confidentiality levels of the calling and called users are compatible, establishing a call at the corresponding confidentiality level between the calling and called users; if the call confidentiality levels of the calling and called users are incompatible, the core control device determining whether the security parameters of the calling and called users include permission to establish a secret call with the other party through an intermediary resource, and if so, the calling and called users establishing a secret call through the intermediary resource; if not, the core control device determines whether the security parameter of the calling party and the called user is allowed to
  • The step of the core control device determining whether the calling and called users are legitimate further comprises: the core control device determining, according to the called user identifier, whether the called user is registered; if the called user is not registered, the called user is determined to be illegitimate; if the called user is registered, the core control device determines, according to the service status of the calling and called parties, whether the calling and called parties are allowed to establish a call, and if they are not allowed to establish a call, the calling and called parties are not legitimate.
  • The step of establishing a call at the corresponding confidentiality level between the calling and called users further comprises: the core control device initiating a call request to the called user; after receiving the response from the called user, the core control device controlling the negotiation of the encryption parameters between the calling and called users; and the core control device controlling the media connection between the calling and called users, so that the calling and called users enter the secret call.
  • The step of establishing a secret call between the calling and called users through the intermediary resource further comprises: the core control device initiating a call request to the called user; after receiving the response from the called user, the core control device allocating an intermediary resource and obtaining the encryption parameters corresponding to that intermediary resource; the core control device separately controlling the negotiation between the calling user and the intermediary resource, and between the called user and the intermediary resource; and the core control device establishing the media connection between the calling and called users through the intermediary resource, so that the calling and called users enter the secret call.
  • The step of establishing a clear call between the calling and called users further comprises: the core control device initiating a call request to the called user; after receiving the response from the called user, the core control device controlling the establishment of a media connection between the calling and called user terminals, so that the calling and called users enter the call.
  • The user can thus flexibly select various encryption methods (including no encryption) according to requirements. Specifically, the invention has the following advantages:
  • the core control device allows an end user to have more than one set of security parameters, each corresponding to a confidentiality level;
  • the core control device allows the user to set his own confidentiality state through the terminal device according to the needs of different environments;
  • the user can decide the mode of interaction with other users, and the core control device performs call control according to the confidentiality level set by the user;
  • the core control device provides call control services between user terminals that use different encryption methods;
  • the operator can provide users with hierarchical secure communication services.

DRAWINGS
  • FIG. 1 is a flow chart of a method for implementing calls with different confidentiality levels in a communication network, in accordance with one embodiment of the present invention;
  • FIG. 2 is a flow chart showing the end-user registration process in the method of FIG. 1, according to an embodiment of the present invention;
  • FIG. 3 is a flow diagram of the control process in which the core control device performs a call at the corresponding confidentiality level in the method of FIG. 1, in accordance with one embodiment of the present invention.

Detailed description
  • The present invention is proposed for an IP network system architecture based on softswitch technology, in which a session between two terminals is established through a softswitch; if the media stream of the call between the two terminals is encrypted, the call is called a secret call, otherwise it is called a clear call.
  • With a terminal that has an encryption function, it is possible to move away from the single communication method of the past and to establish a clear call or a secret call of a different level with another terminal according to the occasion.
  • The idea of allowing the end user to establish a clear call or a secret call of a different level with another terminal according to different occasions or needs is realized by allowing the user to indicate the confidentiality level of the call when the call is initiated.
  • The confidentiality level of the call is referred to here as the secret level, and each secret level corresponds to a set of security parameters. The set of security parameters defines the encrypted communication mode used by the terminal device, and includes at least the media encryption mode information.
  • The security parameters may further include information such as an authentication algorithm and authentication parameters.
  • FIG. 1 is a flow diagram of a method for implementing calls with different confidentiality levels in a communication network, in accordance with one embodiment of the present invention.
  • In the IP network architecture based on softswitch technology there is at least one core control device, which may be a media gateway controller S; a calling user terminal device O; a called user terminal device T; and a gateway G. The terminal devices O and T have the ability to locally encrypt and decrypt communication content.
  • In step 105, each terminal user registers the security parameters corresponding to its respective call privacy levels in the media gateway controller S.
  • Since a terminal user is allowed to set a plurality of call privacy levels, there are multiple sets of security parameters corresponding to the plurality of levels, so a corresponding call privacy level attribute table is established for each terminal user in the core control device S, and the security parameters corresponding to all the call privacy levels set by the terminal user are recorded in that table.
  • The security parameters of a new privacy level can be added to an established message and sent to the media gateway controller S for registration.
  • The registration of the security parameters of a secret level is implemented by the process in which the terminal device registers with the media gateway controller S.
  • FIG. 2 is a flow diagram of an end user registering in the method of FIG. 1, in accordance with one embodiment of the present invention.
  • Step 105 of FIG. 1, registering the security parameters of a security level, will now be described in detail with reference to the user terminal registration process shown in FIG. 2.
  • In step 201, the user sets on the terminal device U the security parameters of the confidentiality level that the terminal device U will comply with in subsequent calls.
  • The security parameters set by the user are included in the registration message.
  • These security parameters include the media encryption mode, the authentication algorithm, the authentication parameters, and whether to allow a clear call or to use an intermediary resource to make the call when the calling and called terminal devices are incompatible.
  • The format of the registration message is not specified, because the embodiment is only an exemplary description; the message format and message content of the registration message used by the terminal device to send the security parameters depend on the requirements of the specific core control device (such as the media gateway controller) and on the protocol supported by the terminal device user.
  • In step 202, the terminal device U initiates a registration request to the media gateway controller S and sends it a registration message containing the security parameters.
  • The media gateway controller S then authenticates the terminal device U.
  • The media gateway controller S obtains the user identifier and the security parameters from the registration message in order to find the corresponding user subscription service information, and sends an authentication message to the terminal device U accordingly.
  • The media gateway controller S authenticates the terminal device U based on the user's subscription information and on the authentication requirement of the corresponding encryption method in the security parameters. It should be noted that the authentication message interaction is only represented schematically in FIG. 2; the actual authentication message exchange depends on the actual authentication algorithm.
  • In step 204, after the authentication has passed, the media gateway controller S sets the current privacy level registration status of the terminal device U according to the security parameters carried in the registration message, records the security parameters in the call privacy level attribute table of the terminal device U, and sends a registration success message to the terminal device U. If, on the other hand, the authentication fails, the media gateway controller S sends a registration failure message to the terminal device U, including the specific failure reason in the registration failure message.
  • The media gateway controller S can then provide services for the terminal device U.
  • In step 110, the end user initiates a call request and indicates the confidentiality level of the call.
  • The terminal user can specify the desired call secret level when the call is requested, and the security parameters corresponding to that secret level are automatically sent as parameters of the call request message along with the call request.
  • The security parameters may include the secret mode in which to initiate the call and, when the called terminal device does not support the secret call, whether to adopt the call failure mode or the clear call mode, and the like.
  • The specific parameter form depends on the specific media gateway controller S and on the terminal's call protocol. When the user dials, a call request with the security parameters is sent to the media gateway controller S.
  • In step 115, the media gateway controller S performs control of the call at the corresponding secret level.
  • FIG. 3 is a flow diagram of the control performed by the media gateway controller S in the method of FIG. 1 to carry out a call at the corresponding secret level, in accordance with an embodiment of the present invention.
  • A call request between the calling user terminal device O and the called user terminal device T is taken as an example to describe in detail the process by which the media gateway controller S controls a call at the corresponding secret level.
  • Steps 301 and 302 have already been described under step 110 of FIG. 1, but for the consistency of the flow in FIG. 3 they are briefly described here.
  • The calling user terminal O initiates a call to the called user terminal T, indicating the desired secret level of the call in the call request, and a call request with the corresponding security parameters is sent to the media gateway controller S.
  • In step 303, after receiving the call request, the media gateway controller S analyzes the security parameters of the call confidentiality level and the calling and called user identifiers in the call request message.
  • In step 304, the media gateway controller S determines according to the called user identifier whether the called user is registered. If the called user is not registered, the call fails and call processing is exited.
  • The media gateway controller S obtains the service information of the calling and called users according to the identities of the calling and called parties, and determines from that service information whether a call between the calling user O and the called user T is allowed. For example, if the calling user O is forbidden to call out because of arrears, or the calling user O is on the blacklist of the called user T, the call is not allowed to be established. If a call between the calling and called users is not allowed, the call fails and call processing is exited.
  • The media gateway controller S determines, according to the service information of the calling user O and the called user T and the security parameters corresponding to the call confidentiality levels registered in the media gateway controller S, whether the confidentiality levels of the calling user O and the called user T are compatible, so that the call is controlled at the corresponding confidentiality level.
  • Compatibility of confidentiality levels means that the media encryption modes corresponding to the current secret levels of the calling user O and the called user T are the same, or that the call privacy level attribute table of the called user T contains a confidentiality level whose media encryption mode is the same as that of the current secret level of the calling user O.
  • The media gateway controller S then processes the result of this judgment according to the following principles:
  • When the confidentiality levels of the calling and called users are compatible, the media gateway controller S initiates a call request message to the called user terminal T.
  • The call request message contains the security parameters of the calling user O;
  • in step 30611, the called terminal T sends an off-hook response message to the media gateway controller S;
  • the media gateway controller S controls the negotiation of the encryption parameters between the calling user terminal device O and the called user terminal device T;
  • in step 30713, after the encryption parameter negotiation succeeds, the media gateway controller S controls the media connection between the calling user terminal device O and the called user terminal device T so that a communication state is established through the gateway G, and the call state is entered.
  • When the confidentiality levels are incompatible but the security parameters allow a secret call to be established through an intermediary resource, steps 30620 - 30625 are performed:
  • The intermediary resource has two functions. First, the intermediary resource participates in the negotiation of the call key: towards the calling party, the intermediary resource simulates a called party with the same level as the calling party, and towards the called party, the intermediary resource simulates a calling party with the same level as the called party.
  • The second function is to adapt and convert the communication content between the calling party and the called party.
  • In step 30620, the media gateway controller S initiates a call request message to the called user terminal T, where the call request message includes the security parameters of the calling user O;
  • in step 30621, the called user terminal T sends an off-hook response message to the media gateway controller S;
  • the media gateway controller S allocates an intermediary resource for the call; in step 30623, the media gateway controller S obtains the encryption parameters corresponding to the allocated intermediary resource; and in step 30624, it controls the negotiation of the encryption parameters between the calling user terminal O and the intermediary resource, and between the called user terminal T and the intermediary resource;
  • the media gateway controller S controls the media connection between the calling user terminal O and the called user terminal T through the gateway G and the intermediary resource, and the call state is entered.
  • The intermediary resource can be allocated from the gateway or independently of the gateway.
  • When the confidentiality levels are incompatible and the security parameters allow a clear call, steps 30630-30632 are performed. In step 30630, the media gateway controller S initiates a call request message to the called user terminal T, where the call request message includes the security parameters of the calling user O;
  • in step 30631, the called user terminal T sends an off-hook response message to the media gateway controller S;
  • the media gateway controller S controls the calling user terminal O and the called user terminal T to establish a media connection through the gateway G, and the call state is entered.
  • The media gateway controller may also allocate a corresponding intermediary resource for the called user in order to establish the call; the timing of this can be chosen according to whether the user is willing to answer.
  • The media gateway controller needs to notify the calling terminal device user of the call state; whether the call is established successfully or the secret call is established successfully, the media gateway controller can decide according to the policy setting whether to notify the called terminal device user of the call state; in the case that the secret call setup fails, it is decided according to the corresponding policy setting whether to notify the called terminal device user of the call state.
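The registration of step 204 and the call-control decision of FIG. 3 (registration check, service-status check, compatibility test, intermediary fallback, clear-call fallback, failure), as an added Python model that is not part of the patent. The field names (media_encryption, allow_intermediary, allow_clear), the outcome labels and the sample users are assumptions, since the page fixes no message format; the model treats the mode "none" as a clear call.

```python
"""Added model of the core control device's registration and call-control decision."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Outcome(Enum):
    SECRET_DIRECT = "secret call, calling and called negotiate directly"
    SECRET_VIA_INTERMEDIARY = "secret call through an intermediary resource"
    CLEAR = "clear call, media not encrypted"
    FAIL = "call fails"


@dataclass(frozen=True)
class SecurityParams:
    """One set of security parameters, i.e. one call privacy level (assumed field names)."""
    media_encryption: str             # media encryption mode; "none" means a clear call
    allow_intermediary: bool = False  # may use an intermediary resource if incompatible
    allow_clear: bool = False         # may fall back to a clear call if incompatible


@dataclass
class UserRecord:
    """Subscription state and call privacy level attribute table for one user."""
    barred_outgoing: bool = False                # e.g. forbidden to call out (arrears)
    blacklist: set = field(default_factory=set)  # callers this user refuses
    levels: set = field(default_factory=set)     # attribute table filled in step 204
    current: Optional[SecurityParams] = None     # level registered as current


class CoreControlDevice:
    """Media gateway controller S, reduced to registration and the FIG. 3 decision."""

    def __init__(self):
        self.users = {}

    def register(self, user, params, barred_outgoing=False, blacklist=()):
        """Step 204: add the level to the attribute table and make it current.
        Service status is taken from the first registration of a user only."""
        rec = self.users.setdefault(user, UserRecord(barred_outgoing, set(blacklist)))
        rec.levels.add(params)
        rec.current = params
        return rec

    @staticmethod
    def _compatible(req, called):
        """Same mode as the called user's current level, or the called user's
        attribute table holds some level with the requested mode."""
        cur = called.current
        if cur is not None and cur.media_encryption == req.media_encryption:
            return True
        return any(lv.media_encryption == req.media_encryption for lv in called.levels)

    def control(self, caller, callee, req):
        """Steps 304-306: returns (Outcome, reason) for the call request `req`."""
        called = self.users.get(callee)
        if called is None:                                   # step 304
            return Outcome.FAIL, "called user not registered"
        calling = self.users.get(caller)
        if calling is None:
            return Outcome.FAIL, "calling user not registered"
        if calling.barred_outgoing:                          # service information checks
            return Outcome.FAIL, "calling user barred from outgoing calls"
        if caller in called.blacklist:
            return Outcome.FAIL, "calling user is on the called user's blacklist"
        if self._compatible(req, called):                    # compatible levels
            if req.media_encryption == "none":               # assumption: "none" = clear call
                return Outcome.CLEAR, "both sides use no encryption"
            return Outcome.SECRET_DIRECT, req.media_encryption
        cur = called.current                                 # incompatible: check fallbacks
        if req.allow_intermediary and cur is not None and cur.allow_intermediary:
            return Outcome.SECRET_VIA_INTERMEDIARY, f"{req.media_encryption} <-> {cur.media_encryption}"
        if req.allow_clear and cur is not None and cur.allow_clear:
            return Outcome.CLEAR, "levels incompatible, clear call permitted by both sides"
        return Outcome.FAIL, "levels incompatible and no fallback permitted"


def build_demo():
    """Constructed sample registrations (not from the page)."""
    s = CoreControlDevice()
    s.register("alice", SecurityParams("none"))              # older clear level stays in table
    s.register("alice", SecurityParams("aes-128-srtp", allow_intermediary=True, allow_clear=True))
    s.register("bob", SecurityParams("aes-128-srtp"))        # in bob's table, not current
    s.register("bob", SecurityParams("aes-256-srtp"))        # bob's current level
    s.register("carol", SecurityParams("aes-256-srtp", allow_intermediary=True))
    s.register("dave", SecurityParams("none", allow_clear=True), barred_outgoing=True)
    s.register("frank", SecurityParams("aes-128-srtp"), blacklist=("alice",))
    return s


if __name__ == "__main__":
    s = build_demo()
    req = SecurityParams("aes-128-srtp", allow_intermediary=True, allow_clear=True)
    for callee in ("bob", "carol", "dave", "erin", "frank"):
        print("alice ->", callee, s.control("alice", callee, req))
```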

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for carrying out a session with different standard security levels in a communication network. The terminal device of this network can support communication at at least one security level. The method consists of registering, for each terminal user, in the main control device of the network, the security parameters of one or more sets of security levels corresponding to the session's standard security level. Terminal users initiate the call to this main control device, with the security parameter corresponding to the current standard session security level specified by the user carried in the call request. This main control device controls the call at the standard security level based on the security parameter in the call request and the security parameter registered by the called-party user. The invention makes it possible to set different standard security modes for interaction with other users on the basis of the requirements of different situations. The main control device controls the call on the basis of the standard security level set by the user.
PCT/CN2004/001497 2004-12-22 2004-12-22 Method for implementing a session with different standard security levels in a communication network WO2006066455A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2004/001497 WO2006066455A1 (fr) 2004-12-22 2004-12-22 Method for implementing a session with different standard security levels in a communication network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2004/001497 WO2006066455A1 (fr) 2004-12-22 2004-12-22 Method for implementing a session with different standard security levels in a communication network

Publications (1)

Publication Number Publication Date
WO2006066455A1 true WO2006066455A1 (fr) 2006-06-29

Family

ID=36601348

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2004/001497 WO2006066455A1 (fr) 2004-12-22 2004-12-22 Method for implementing a session with different standard security levels in a communication network

Country Status (1)

Country Link
WO (1) WO2006066455A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2000064111A1 (fr) * 1999-04-16 2000-10-26 Unifree, L.L.C. Distribution of multimedia files using adaptive transmission protocols
JP2001312486A (ja) * 2000-04-28 2001-11-09 Hitachi Ltd Computer system
US20020038431A1 (en) * 2000-09-15 2002-03-28 Chesko John E.A. Internet privacy system
CN1365562A (zh) * 1999-05-28 2002-08-21 Telefonaktiebolaget LM Ericsson Method and device for secure communication


Similar Documents

Publication Publication Date Title
US7899174B1 (en) Emergency services for packet networks
EP2677788B1 (fr) Method and system for aggregating data for tasks common to several devices
JP5039612B2 (ja) Packet mode speech communication
US6996716B1 (en) Dual-tier security architecture for inter-domain environments
US6400707B1 (en) Real time firewall security
US7408948B2 (en) Packet mode speech communication
US8976968B2 (en) Intercepting a communication session in a telecommunication network
US8543818B2 (en) Controlling communications
EP2486714B1 (fr) Controlling communications
US7457627B2 (en) Transfer of information in a communication network with a verified QoS
US20070143470A1 (en) Facilitating integrated web and telecommunication services with collaborating web and telecommunication clients
CA2343066A1 (fr) System and method for authorizing secure connections for H.323 VoIP calls
WO2005112338A1 (fr) Key distribution method
US20220303150A1 (en) Systems and methods for video conference acceleration
WO2009029748A2 (fr) System and method for identifying encrypted conference media traffic
WO2007048301A1 (fr) Encryption method for mgn service
JP4965499B2 (ja) Authentication system, authentication device, communication setting device and authentication method
WO2006066455A1 (fr) Method for implementing a session with different standard security levels in a communication network
JP2009135577A (ja) Information relay system, information relay device, method and program
EP1161827B1 (fr) Arrangement relating to a call procedure
WO2001019018A1 (fr) Security provided by an authentication proxy server
WO2006081712A1 (fr) Method for switching between plaintext and ciphertext levels during a conversation
CN1491002A (zh) Interaction between IP video terminal equipment and the signaling network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 04802510

Country of ref document: EP

Kind code of ref document: A1