WO2007051415A1 - Mobile communication system, and information transmitting method and device wherein - Google Patents

Mobile communication system, and information transmitting method and device wherein Download PDF

Info

Publication number
WO2007051415A1
WO2007051415A1 PCT/CN2006/002932 CN2006002932W WO2007051415A1 WO 2007051415 A1 WO2007051415 A1 WO 2007051415A1 CN 2006002932 W CN2006002932 W CN 2006002932W WO 2007051415 A1 WO2007051415 A1 WO 2007051415A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
encryption
key
port
communication
Prior art date
Application number
PCT/CN2006/002932
Other languages
French (fr)
Chinese (zh)
Inventor
Peng Wang
Hanyan Huang
Jing Wang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from CN200510117145A external-priority patent/CN1881869B/en
Priority claimed from CNB2005101358594A external-priority patent/CN100471313C/en
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Publication of WO2007051415A1 publication Critical patent/WO2007051415A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • H04W12/037Protecting confidentiality, e.g. by encryption of the control plane, e.g. signalling traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/061Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying further key derivation, e.g. deriving traffic keys from a pair-wise master key
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W92/00Interfaces specially adapted for wireless communication networks
    • H04W92/04Interfaces between hierarchically different network devices
    • H04W92/14Interfaces between hierarchically different network devices between access point controllers and backbone network device

Definitions

  • the present invention relates to the field of mobile communications, and in particular to a mobile communication system and a method and apparatus for transmitting information therein.
  • CDMA Code Division Multiple Access
  • Step 2 the Mobile Switch Center/Visited Location Register (MSC/VL) of the second generation mobile communication (2G) network is split into a mobile switching center emulation entity (Mobile Switch) Center Emulation (MSCe), Media Gateway (MGW) and Media Resource Function Processor (MRFP), wherein the mobile switching center emulation entity has a similarity to the mobile switching center. Function, can also be called directly as a mobile switching center.
  • MSC/VL Mobile Switch Center/Visited Location Register
  • MSCe Mobile Switch
  • MGW Media Gateway
  • MRFP Media Resource Function Processor
  • Home Location Register Emulation Home Location Register Emulation
  • other network elements including 2G base station subsystem (BSS) and 3G base station subsystem (BSS/) access, and public switched telephone network (PSTN),
  • PSTN public switched telephone network
  • PLMN public land mobile network
  • IP Internet Protocol
  • the MS 110 generally consists of a baseband, an intermediate frequency, and a radio frequency.
  • the baseband part is responsible for the forwarding control of the radio frequency signal and the baseband signal
  • the intermediate frequency is connected to the baseband part and the radio frequency part
  • the radio frequency part is responsible for transmitting and receiving the wireless signal.
  • the MS can be a terminal device such as a mobile phone, a PDA (Personal Digital Assistant).
  • the Base Station Controller (BSC) 120 is a part of the base station system.
  • the BSC 120 mainly handles functions such as system information broadcasting, handover, cell resource allocation, and user control and other radio resource management.
  • the MGW 130 provides voice service and circuit domain related data service transmission and exchange functions, and implements a wireless access network circuit domain and a public circuit switched network (PSTN, ISDN), other mobile networks (GSM, CDMA, etc.), and a packet network. Business flow conversion.
  • the MGW 130 provides packet switching functions, which can be upgraded to meet the development needs of wireless networks to all-IP networks.
  • the BSC 120 establishes an Alp link with the MSCe 140 through the Alp port, and the BSC 120 passes the signaling between the Al link 150 and the MSCe 140.
  • the BSC 120 is connected to the MGW 130 via the A2p port via the IP network 160, and the A2p port is used to carry services.
  • the MSCe 140 and the MGW 130 are in contact via an H248 link 170, which is a media gateway control protocol.
  • the CDMA system's receiving service uses Dual Tone Multi-Frequency (DTMF) to implement number transmission.
  • DTMF Dual Tone Multi-Frequency
  • the BSC A2p port uses DTMF information transmission using IP or Real-Time Streaming Protocol (IP/TP) packets, and the transmission method follows the RFC2833 protocol.
  • IP/TP Real-Time Streaming Protocol
  • the transmitted DTMF information is generally referred to as 2833 information.
  • the 2833 information is transmitted in clear code, which is easy to be captured.
  • the tool intercepts and parses out the actual DTMF information contained in it, which will result in the leakage of confidential information (such as bank account password).
  • the A2P port bearer establishment must use the RFC2833 protocol for DTMF information transmission.
  • the call when the call is turned on, the user presses the button in the MS 110, and the dialed number is first transmitted to the BSC 120 through the outband signaling on the wireless side; the BSC 120 first converts the button information into DTMF information, and The DTMF information is transmitted to the MGW 130 through the IP/RTP packet at the A2p port of the BSC.
  • This transmission method is the plain text standard 2833 mode. Because the A2p port is connected to the IP network, the packet is easily intercepted and illegally obtained from the DTMF information, resulting in the leakage of confidential information of the mobile user.
  • DTMF signals and other network signaling and events can be transmitted in RTP packets.
  • information transmitted a considerable part of the information has higher security requirements.
  • transaction data of the commercial sector such as banks, personal information of users, etc.
  • the prior art does not encrypt the transmitted information when transmitting the information, and the security of the communication is low.
  • the person who illegally obtains the information can directly read the content contained in the acquired information, which is likely to adversely affect the legitimate owner of the information, thereby reducing user satisfaction.
  • Embodiments of the present invention provide a mobile communication system and a method and apparatus for transmitting information therein, which can improve the security of DTMF information transmitted by an A2P port.
  • a method of transmitting information in a mobile communication system includes:
  • the sender between the base station controller and the mobile switching center emulation entity generates 2833 encryption control information and transmits related signaling carrying the 2833 encryption control information;
  • the 2833 encryption control information includes the A port key information and uses The name of the first encryption algorithm that encrypts the 2833 information;
  • the receiver of the related signaling obtains an A-port shared key for encrypting the 2833 information corresponding to the A-port key information;
  • the mobile switching center emulation entity generates 2833 encrypted attribute information by using the A port shared key, and sends the 2833 encrypted attribute information to the media gateway; the 2833 encrypted attribute information includes the first encryption algorithm name and the H248 port key Information
  • the media gateway obtains an A-port shared key according to the H248 port key information; the sending end between the base station controller and the media gateway uses the A-port shared key and the first encryption algorithm to encrypt and transmit the 2833 information; The peer end of the sending end decrypts by using the A port shared key and the first encryption algorithm.
  • the 2833 encryption control information is carried in the A2p bearer format feature parameter in the extended interoperability specification protocol related signaling, and the 2833 encrypted attribute information is carried in the extended H248 signaling.
  • a base station controller includes:
  • a signaling processing unit configured to send to the mobile switching center emulation entity or receive relevant signaling that carries the 2833 encrypted control information from the mobile switching center emulation entity;
  • the 2833 encrypted control information includes the A port key information and is used for The name of the first encryption algorithm that encrypts the 2833 information;
  • the information transmission unit is configured to implement 2833 information transmission with the media gateway, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
  • a mobile switching center emulation entity includes: a signaling processing unit, configured to send or receive, from a base station controller, related signaling carrying 2833 encrypted control information;
  • the 2833 encryption control information includes the A port key information and the first encryption algorithm name used to encrypt the 2833 information;
  • the encryption attribute information processing unit is configured to generate 2833 encrypted attribute information by using the A port shared key corresponding to the A port key information in the 2833 encryption control information, and send the 2833 encrypted attribute information to the media gateway; the 2833 encryption
  • the attribute information includes the first encryption algorithm name and H248 port key information.
  • a media gateway comprising: An encryption attribute information processing unit, configured to obtain an A-port shared key and a first encryption algorithm according to the 2833 encrypted attribute information sent by the mobile switching center emulation entity;
  • the information transmission unit is configured to implement 2833 information transmission with the base station controller, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
  • a mobile communication system includes a base station controller, a mobile switching center emulation entity, and a media gateway;
  • the base station controller is configured to send or receive relevant signaling that carries the 2833 encryption control information to the mobile switching center emulation entity; the 2833 encryption control information includes the A port key information and is used for The 2833 information is encrypted by the first encryption algorithm name; and when the media gateway performs the 2833 information transmission, the first encryption algorithm and the A port shared key corresponding to the A port key information are used to process the 2833 information;
  • the mobile switching center emulation entity is configured to send or receive the relevant signaling carrying the 2833 encryption control information to the base station controller, and share the A port corresponding to the A port key information in the 2833 encryption control information.
  • the key generation 2833 encrypts the attribute information, and sends the 2833 encrypted attribute information to the media gateway; the 2833 encrypted attribute information includes the first encryption algorithm name and the H248 port key information;
  • the media gateway is configured to obtain an A-port shared key according to the H248 port key information; and process the 2833 information by using the A-port shared key and the first encryption algorithm.
  • a method for transmitting information in a mobile communication system includes: a medium having communication encryption capability at a first communication node and a second communication node, and an intersection of a first communication node and a second communication node The capability, the first and second communication nodes determine the same data encryption key;
  • the first and second communication nodes apply the media capability of the intersection and the determined data encryption key for encrypted communication.
  • Embodiments of the present invention are between a base station controller (or target base station controller) and a mobile switching center emulation entity, a mobile switching center emulation entity, and a media gateway (or during call setup, during a call, or after call handover) (or Key information transmission between the target media gateways, enabling the media gateway (or target media gateway) to obtain the base station controller (or the target base station controller) The same key. Then, the key is used to encrypt and transmit the 2833 information in the A2p port. It can guarantee the security of 2833 information transmission on the A2p port, thus protecting the interests of mobile users and improving the service satisfaction of operators.
  • the key information can be transmitted by extending the A2p bearer format feature parameter of the IOS protocol and extending the H248 protocol, which is relatively simple to implement.
  • Embodiments of the present invention determine, by the first communication node and the second communication node, media capabilities and encrypted communication capabilities for supporting encrypted communications; when both the first and second communication nodes have communication encryption capabilities and media capabilities with intersections And determining, by the first and second communication nodes, the same data encryption key, and applying the media capability and the determined data encryption key to perform encrypted communication. Therefore, even if the information transmitted between the first and second communication nodes is illegally obtained, the information obtained by the illegally obtained information cannot be correctly parsed or directly read out, and the legal owner of the information may be avoided. The adverse effects caused by the communication have improved the security of communication. DRAWINGS
  • FIG. 1 is a schematic structural diagram of a CDMA access network in the prior art
  • FIG. 2 is a schematic structural diagram of a CDMA access network according to an embodiment of the present invention
  • FIG. 3 is a schematic diagram of the present invention when a CDMA call is established or called.
  • FIG. 4 is a flow chart of a second embodiment of the present invention for implementing encrypted transmission of 2833 information during a CDMA call setup or call; a flowchart of an embodiment
  • Figure 6 is a block diagram of a first embodiment of the mobile communication system of the present invention.
  • Figure 7 is a block diagram of a second embodiment of the mobile communication system of the present invention.
  • Figure 8 is a flow chart of an embodiment of a method of transmitting information in a mobile communication system of the present invention. detailed description
  • the embodiment of the present invention implements encrypted transmission of 2833 information in the A2p port in CDMA, which can improve the security of the DTMF information transmitted by the A2p port.
  • Embodiments of the present invention can be applied to a CDMA system as shown in FIG. 2.
  • the system includes a base station controller (BSC) 220, a media gateway (MGW) 230, and Mobile Switching Center Emulation Entity (MSCe) 240.
  • BSC base station controller
  • MGW media gateway
  • MSCe Mobile Switching Center Emulation Entity
  • the BSC 220 transmits signaling between the Alp link 250 and the MSCe 240.
  • the BSC 220 is coupled to the MGW 230 via an IP network 260 via an A2p port.
  • the MSCe 240 and the MGW 230 are in contact via the H248 link 270.
  • the BSC 220 is configured to send or receive information related to the 2833 encryption control information from the MSCe 240.
  • the 2833 encryption control information includes the A port key information and the second information for encrypting the 2833 information.
  • the MSCe 240 is configured to send or receive the relevant signaling that carries the 2833 encryption control information from the BSC 220, and generate the 2833 encryption by using the A-port shared key corresponding to the A-port key information in the 2833 encryption control information. Attribute information, and the 2833 encrypted attribute information is sent to the MGW 230; the 2833 encrypted attribute information includes the first encryption algorithm name and H248 port key information;
  • the MGW 230 is configured to obtain an A-port shared key according to the H248 port key information; and process the 2833 information by using the A-port shared key and the first encryption algorithm.
  • the parameters of the specific signaling in the Interoperability Specification (IOS) protocol are extended, so that the BSC (or the target BSC) is made at the time of call setup, during the call, and after the call is handed over.
  • the signaling transmitted in the Alp link between the MSCe may carry 2833 encrypted control information (including at least a key used to encrypt the 2833 information); through the H248 link between the MSCe and the MGW (or the target MGW), Make the MGW (or target MGW) get the key. Then the BSC (or the target BSC) and the MGW (or the target MGW) can use the same key to encrypt and decrypt the 2833 information.
  • the IOS protocol is a general term for defining the access side and the network side port in the CDMA system.
  • the key can also be encrypted during the transmission of the key.
  • step S30 it is required to expand parameters in the signaling in the IOS protocol (for example, A2p Bearer Format-Specific Parameters), and define extended information, indicating that the A2p port has encryption capability, and Specify the specific encryption algorithm type and Information such as the key used.
  • the extension information includes the following: Extended ID: may be represented by 1-byte type information, for example, a value of 2, indicating
  • Extended length can be expressed by 1 byte length information, including 1 byte flag bit and indefinite length byte (such as up to 8 bytes) key letter;
  • 1-bit information is used to indicate whether to use the 2833 encryption indication.
  • the value of the bit is “0”, it means that the current call does not use 2833 encryption.
  • the value of the bit is "1”, it means The second call uses 2833 encryption;
  • the type of the encryption algorithm is represented by 3-bit information, and the encryption algorithm must be a symmetric algorithm.
  • the value of the 3 bits is "000”, it means
  • A-SHARE-DATA A port key information
  • CALL-KEY the encrypted current call 2833 shared key
  • the first embodiment of the present invention also extends the H248 protocol to define a 2833 encryption attribute of the Session Description Protocol (SDP) format, so that the H428 link side of the MSCe and the MGW has the received BSC key encrypted.
  • SDP Session Description Protocol
  • the secret algorithm name is encrypted key (H248-SHARE-DATA)".
  • the keys can be different.
  • step S31 an A port control key (A1P-KEY) is preset between the BSC and the MSCe; and an H248 port control key is preset between the MGW and the MSCe. (1-1248-KEY).
  • A1P-KEY A port control key
  • H248 port control key is preset between the MGW and the MSCe. (1-1248-KEY).
  • the relevant signaling carrying the 2833 encryption control information is transmitted between the BSC and the MSCe during call setup or during the call.
  • the A2p bearer format feature parameter in the related signaling carries 2833 encryption control information, indicating that the call needs to be encrypted 2833.
  • the signaling may include: a CM Service Request message, a Paging Response message or a Bearer Update Response message, an assignment completion message, and a Additional Service Request message. Or switch the Handoff Request Acknowledge message.
  • the exchange process between the BSC and the MSCe of the above messages is the same as the normal bearer information exchange process defined by the protocol.
  • the 2833 encryption control information includes information such as A-port key information (A-SHARE-DATA), an encryption algorithm used (hereinafter referred to as a second encryption algorithm), and the second encryption algorithm is a symmetric algorithm (eg, RC4 algorithm), the A port key information (A-SHARE-DATA) is used by the A port shared key (CALL-KEY) and the A port control key (A1P-KEY) to utilize the second
  • the encryption algorithm is encrypted, and the A-port shared key (CALL-KEY) is different in each call, for example, it can be randomly generated.
  • the relevant signaling carrying the 2833 encryption control information is transmitted between the BSC and the MSCe.
  • the BSC is used as the key distribution entity, that is, the BSC sends the 2833 encryption control to the MSCe.
  • Signaling of information, wherein the A-port shared key (CALL-KEY) is generated by the BSC; the other is used by the MSCe as a key distribution entity, that is, the MSCe sends a message carrying the 2833 encryption control information to the BSC.
  • the A-port shared key (CALL-KEY) is generated by the MSCe.
  • step S33 after receiving the 2833 encryption control information, the signaling receiving end (MSCe or BSC) passes the pre-configured A port control key (A1P-KEY) and the 2833 encryption control information A port key.
  • the information (A-SHARE-DATA) is calculated by the second encryption algorithm (decryption process), and the A-port shared key (CALL-KEY) is obtained.
  • step S34 the MSCe uses the H248 port control key (H248-EY) to encrypt the generated or decrypted A-port shared key (CALL-KEY) with a third encryption algorithm to generate H248 port key information ( H248-SHARE- DATA ).
  • H248-EY H248 port control key
  • CALL-KEY A-port shared key
  • H248-SHARE- DATA H248 port key information
  • step S35 when the MSCe performs bearer establishment or bearer attribute modification, in the H248
  • step S36 after receiving the 2833 encrypted attribute information, the MGW adopts an H248 port control key (H248-KEY), and performs H248 port key information (H248-SHARE-DATA) in the received 2833 encrypted attribute information.
  • the decryption calculation (using the third encryption algorithm) obtains the A-port shared key (CALL-KEY). In this way, the MGW obtains the same A-port shared key (CALL-KEY) as in the BSC.
  • the BSC and the MGW can use the same A-port shared key (CALL-KEY) to perform encryption and decryption of the 2833 information.
  • CALL-KEY A-port shared key
  • the BSC first converts the button information into DTMF information, and uses the A port to share the key (CALL -KEY) Encrypt the DTMF information, and send the encrypted DTMF information to the MGW in the 2833 mode through the IP/RTP packet at the A2p port.
  • the MGW decrypts the obtained A-port shared key and obtains the decrypted DTMF information.
  • the MGW can also transmit it to the BSC's bearer service for encryption and decrypt it at the BSC end.
  • the first encryption algorithm can be used for adding/decrypting the 2833 information.
  • the foregoing first encryption algorithm, the second encryption algorithm, and the third encryption algorithm may be the same encryption algorithm, or may be different encryption algorithms.
  • the flexible selection may be performed according to requirements.
  • an algorithm name indication can be added to the extended parameters, which will be used to encrypt the key and force the 2833 information. If the secret algorithm name is transmitted at the same time, the three encryption algorithms can be completely different.
  • the 2833 encryption control information transmitted between the BSC and the MSCe carries the identifier for encrypting the A-port shared key.
  • the 2833 encryption attribute information transmitted between the MSCe and the MGW carries the first element for encrypting the shared key of the A port
  • the third encryption algorithm name and the first encryption algorithm name used to encrypt the 2833 information used to encrypt the 2833 information.
  • the MGW may recover the A-port shared key by using a third encryption algorithm, and adopt the first encryption calculation. The law encrypts and decrypts the 2833 information.
  • a second embodiment of the present invention is shown.
  • the network used for signaling such as the Alp signaling and H248 signaling link described above
  • the Alp interface and the I-I248 interface exchange keys that is, the A-port shared key
  • the key does not need to be encrypted and transmitted, and the plaintext transmission can be performed, and the application can be satisfied in many environments.
  • the specific steps are as follows:
  • step S40 the parameters in the signaling in the IOS protocol need to be extended.
  • the expansion method refer to the description of the first embodiment of the present invention.
  • the extended parameter only the portable parameter is used.
  • step S41 during the call setup or during the call, the BSC and the MSCe transmit the relevant signaling carrying the 2833 encryption control information; for example, the corresponding parameters in the relevant signaling (such as the A2p bearer format feature parameter) are carried in the relevant signaling.
  • 2833 Encryption control information indicating that the call requires 2833 encryption.
  • the 2833 encryption control information includes an A-port shared key (CALL-KEY), an encryption algorithm (first encryption algorithm) used for encrypting the 2833 information, and the A-port shared key (CALL-KEY). ) is different in every call, for example, it can be generated randomly.
  • the relevant signaling carrying the 2833 encryption control information is transmitted between the BSC and the MSCe.
  • the BSC is used as the key distribution entity, that is, the BSC sends the 2833 encryption control to the MSCe.
  • Signaling of information, wherein the A-port shared key (CALL-KEY) is generated by the BSC; the other is used by the MSCe as a key distribution entity, that is, the MSCe sends a message carrying the 2833 encryption control information to the BSC.
  • the A-port shared key (CALL-KEY) is generated by the MSCe.
  • step S44 after receiving the 2833 encrypted attribute information, the MGW obtains an A-port shared key (CALL-KEY) and a first encryption algorithm name.
  • the BSC and the MGW can use the same A-port shared key (CALL-KEY) to encrypt and decrypt the transmitted or received 2833 information by using the first encryption algorithm.
  • a message carrying A-port key information (for example, a bearer update response message) is transmitted between the BSC and the MSCe; and a new A-port shared key in the A-port key information is decrypted at the MSCe or BSC end.
  • the MSCe sends a 2833 encrypted attribute message containing the shared key of the A port to the MGW in the bearer modification message, where the shared key of the A port can be encrypted; then the MGW obtains (may need to decrypt) the new A port.
  • the shared key At this point, both the BSC and the MGW obtain the same new A-port shared key, and the new A-port shared key can be used to encrypt and decrypt the 2833 information to be transmitted or received.
  • FIG. 5 a flow diagram of an embodiment of the present invention for exchanging keys after switching is shown.
  • the call is established and a hard handoff occurs, it is necessary to enable the target BSC and the target MSCe to obtain the same encryption key.
  • an A-port control key is configured between the target BSC and the serving MSCe, and the A-port control key may be the same as or different from the A-port control key before the handover; H248 port control is configured between the target MGW and the serving MSCe. Key, the H248 port control key can be the same as or different from the H248 port control key before the switch.
  • related signaling carrying 2833 encryption control information is transmitted between the target BSC and the serving MSCe. In the present invention, 2833 encryption control information is carried in the A2p bearer format feature parameter in the related signaling.
  • the signaling may include: a Paging Request, an Assignment Request, a Service Notification, a Bearer Update Required message, and a Bearer Update Required message.
  • the bearer update response message or the handoff request message is carried out.
  • the exchange process between the BSC and the MSCe is the same as the normal bearer information exchange process defined by the protocol, where the 2833 encryption control information is included.
  • a port key information an encryption algorithm used (hereinafter referred to as a second encryption algorithm), and the second encryption algorithm is a symmetric algorithm (such as RC4 algorithm), and the A port key information is
  • the A-port shared key and the A-port control key are encrypted by using the second encryption algorithm, and the A-port shared key may be the same as or different from the A-port shared key used before the handover.
  • the relevant signaling carrying the 2833 encryption control information is transmitted between the target BSC and the serving MSCe.
  • the target BSC is used as the key distribution entity, that is, the target BSC sends the information to the serving MSCe.
  • the signaling carries the 2833 encryption control information, where the A-port shared key is generated by the target BSC; the other is used by the serving MSCe as a key distribution entity, that is, the serving MSCe sends the 2833 encryption to the target BSC. Controlling signaling of the information, wherein the A-port shared key is generated by the serving MSCe.
  • step S53 after receiving the 2833 encryption control information, the signaling receiving end (the serving MSCe or the target BSC) uses the pre-configured A port control key and the A port key information in the 2833 encryption control information.
  • the second encryption algorithm performs a calculation (decryption process) to obtain an A-port shared key.
  • step S54 the serving MSCe encrypts the generated or decrypted A-port shared key with the H248 interface control key by using a third encryption algorithm to generate H248 port key information.
  • step S56 after receiving the 2833 encrypted attribute information, the target MGW uses the H248 port control key to perform decryption calculation with the H248 port key information in the received 2833 encrypted attribute information (using the third encryption algorithm). , get the A port shared key. In this way, the target MGW obtains the same A-port shared key as in the target BSC.
  • the target BSC; the target MGW can use the same key to perform encryption and decryption processing on the 2833 information to be transmitted or received.
  • the embodiment of the present invention implements encrypted transmission of 2833 information in CDMA, and extends the A2p bearer format characteristic parameter of the IOS protocol and the extended H248 protocol by establishing a call, during a call, or after a call handover. And the key information exchange between the BSC (or the target BSC) and the MSCe, between the MSCe and the MGW (or the target MGW), so that the MGW (or the target MGW) end obtains the same key as the BSC (or the target BSC) end. . Then, the key is used to encrypt and transmit the 2833 information in the A2p port. It can guarantee the security of DTMF information transmission on the A2p port, thus protecting the interests of mobile users and improving the service satisfaction of operators.
  • an embodiment of the mobile communication system of the present invention includes a base station controller (BSC) 220, a media gateway (MGW) 230, and a mobile switching center emulation entity (MSCe) 240.
  • BSC base station controller
  • MGW media gateway
  • MSCe mobile switching center emulation entity
  • the BSC 220 includes:
  • the signaling processing unit 610 is configured to send, to the MSCe 240, related signaling that carries the 2833 encryption control information, where the 2833 encryption control information includes the A-port key information and the first encryption algorithm used to encrypt the 2833 information. Name
  • the information transmission unit 620 is configured to implement 2833 information transmission with the MGW 230, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
  • the MSCe 240 includes:
  • the signaling processing unit 630 is configured to receive, from the BSC 220, the 2833 encrypted control information.
  • the 2833 encryption control information includes A-port key information and a first encryption algorithm name used to encrypt 2833 information;
  • the encryption attribute information processing unit 640 is configured to generate 2833 encrypted attribute information by using the A port shared key corresponding to the A port key information in the 2833 encryption control information, and send the 2833 encrypted attribute information to the MGW 230;
  • the encrypted attribute information includes the first encryption algorithm name and H248 port key information.
  • the MGW 230 includes:
  • the encryption attribute information processing unit 650 is configured to: obtain an A-port shared key and a first encryption algorithm according to the 2833 encryption attribute information sent by the MSCe 240;
  • the information transmission unit 660 is configured to implement 2833 information transmission with the BSC 220, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
  • the signaling processing unit 610 includes: an A-port key information generating unit 611, configured to encrypt the A-port shared key and a pre-configured A-port control key by using a second encryption algorithm.
  • the A-port key information; the encryption control information filling unit 612 is configured to carry the A-port key information, the first encryption algorithm name, and the second encryption algorithm name in the 2833 encryption control information; the signaling sending unit 613 And for transmitting related signaling carrying the 2833 encryption control information.
  • the encryption control information filling unit 612 may be an A2p bearer format feature parameter expansion unit, configured to fill the A-port key information, the first encryption algorithm name, and the second encryption algorithm name into the A2p bearer format feature parameter.
  • the signaling processing unit 630 of the MSCe 240 includes: a signaling receiving unit 631, configured to receive related signaling that carries the 2833 encrypted control information; and the 2833 encrypted control information includes an A port.
  • the information obtaining unit 632 is configured to obtain the A port key information and the second encryption algorithm from the 2833 encryption control information;
  • the obtaining unit 633 is configured to decrypt the A port key information by using the second encryption algorithm to obtain an A port shared key.
  • the encryption attribute information processing unit 640 of the MSCe 240 includes: an H248 port key information generating unit 641, configured to use the A port shared key and the pre-configured
  • the H248 port control key is encrypted by the third encryption algorithm to generate the H248 port key information.
  • the encrypted attribute information filling unit 642 is configured to carry the H248 port key information, the first encryption algorithm name, and the pre-invention in the 2833 encryption attribute information.
  • the configured third encryption algorithm name; the encryption attribute information sending unit 643 is configured to send the 2833 encrypted attribute information to the media gateway when performing bearer establishment or bearer attribute modification.
  • the ciphering attribute information filling unit 642 is an H248 signaling filling unit, and is configured to carry the 2833 ciphering attribute information in the extended H248 signaling.
  • the encryption attribute information processing unit 650 of the MGW 230 includes: an information obtaining unit 651, configured to obtain H248 port key information and a third encryption algorithm from the 2833 encrypted attribute information; H248 port key information
  • the processing unit 652 is configured to use a pre-configured H248 port control key, perform decryption calculation on the H248 port key information by using a third encryption algorithm, obtain an A port shared key, and obtain the first key from the H248 port key information.
  • An encryption algorithm name is configured to use a pre-configured H248 port control key, perform decryption calculation on the H248 port key information by using a third encryption algorithm, obtain an A port shared key, and obtain the first key from the H248 port key information.
  • another embodiment of the mobile communication system of the present invention includes a base station controller (BSC) 220, a media gateway (MGW) 230, and a mobile switching center emulation entity (MSCe) 240.
  • BSC base station controller
  • MGW media gateway
  • MSCe mobile switching center emulation entity
  • This embodiment is substantially the same as the embodiment shown in FIG. 6, except that in this embodiment, the MSCe 240 transmits the relevant signaling carrying the 2833 encryption control information to the BSC 220.
  • the MSCe 240 includes:
  • the signaling processing unit 630 is configured to send, to the BSC 220, related signaling that carries the 2833 encryption control information, where the 2833 encryption control information includes the A-port key information and the first encryption algorithm used to encrypt the 2833 information. Name
  • the encryption attribute information processing unit 640 is configured to generate 2833 encrypted attribute information by using the A port shared key corresponding to the A port key information in the 2833 encryption control information, and send the 2833 encrypted attribute information to the MGW 230;
  • the encrypted attribute information includes the first encryption algorithm name and H248 port key information.
  • the BSC 220 includes:
  • the signaling processing unit 610 is configured to receive, from the MSCe 240, related signaling that carries the 2833 encryption control information, where the 2833 encryption control information includes the A-port key information and the first encryption algorithm used to encrypt the 2833 information. name;
  • the information transmission unit 620 is configured to implement 2833 information transmission with the MGW 230, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
  • the signaling processing unit 630 of the MSCe 240 includes: an A-port key information generating unit 631, configured to use the second encryption by using the A-port shared key and the pre-configured A-port control key.
  • the algorithm encrypts the A-port key information
  • the encryption control information filling unit 632 is configured to carry the A-port key information, the first encryption algorithm name, and the second encryption algorithm name in the 2833 encryption control information.
  • the signaling sending unit 633 is configured to send related signaling that carries the 2833 encrypted control information.
  • the encryption control information filling unit 632 may be an A2p bearer format feature parameter extension unit, configured to fill the A-port key information, the first encryption algorithm name, and the second encryption algorithm name into the A2p bearer format feature parameter.
  • the signaling processing unit 610 of the BSC 220 includes: a signaling receiving unit 611, configured to receive related signaling carrying the 2833 encrypted control information; and the 2833 encrypted control information includes an A port.
  • the information obtaining unit 612 is configured to obtain the A port key information and the second encryption algorithm from the 2833 encryption control information;
  • the obtaining unit 613 is configured to decrypt the A port key information by using the second encryption algorithm to obtain an A port shared key.
  • the transmission and exchange of the shared key between the two parties are completed by a third party.
  • the data encryption key can also be determined by negotiation between the communicating parties.
  • the process of determining an embodiment of a data encryption key by negotiation between two communicating parties includes:
  • Step 101 The same public key and encryption policy are preset in the calling communication node (the first communication node) and the called communication node (the second communication node).
  • the calling communication node sends a call setup request to the called communication node, which can be implemented by the Setup message of the Q931 protocol.
  • Step 102 After receiving the call setup request from the calling communication node, the called communication node sends a call processing response to the calling communication node to notify the calling communication node that the call is being processed.
  • the call processing response can be implemented by a Call Proceedin message of the Q931 protocol.
  • Step 103 The called communication node sends a ringing message to the calling communication node to notify the calling communication node that the called communication node is ringing.
  • the ringing message can be implemented by an alerting message of the Q931 protocol.
  • Step 104 When the called communication node accepts the call from the calling communication node by off-hook or the like, the called communication node sends a call response response to the calling communication node.
  • Step 105 A connection establishment process is performed between the primary and the called communication nodes to establish a communication connection for supporting communication between the primary and the called communication nodes.
  • the specific connection establishment process generally includes: the called communication node sends a connection establishment request including at least the called communication node communication identifier to the calling communication node; and the calling communication node receives the connection establishment request from the called communication node, determines and The communication node corresponding to the communication identifier included in the connection establishment request communicates, and sends a connection establishment response including the communication identifier of the calling communication node to the called communication node; the called communication node receives the connection establishment response from the calling communication node After that, it is determined that the communication node corresponding to the communication identifier included in the connection establishment response communicates.
  • the called communication node determines to communicate with the communication node corresponding to the communication identifier after receiving the communication identifier, and the calling communication node does not need to The communication identifier is carried in the connection establishment response.
  • connection establishment process can be implemented by the Connect message of the Q931 protocol or by the H245 protocol. If implemented by the H245 protocol, the communication identifier includes an H245 Internet Protocol (IP) address and a listening port number supported by the H245 protocol.
  • IP Internet Protocol
  • Step 106 When the calling communication node has communication encryption capability, the calling communication node initiates a communication encryption capability negotiation process with the called communication node.
  • the operation included in the negotiation process is mainly as follows:
  • the calling communication node sends a communication encryption capability negotiation request to the called communication node, where the communication encryption capability negotiation request includes at least the media capability information and the communication encryption capability information of the calling communication node.
  • the media capability information represents a media capability of the calling communication node. Specifically, the media capability information represents a media encoding and decoding capability of the calling communication node when performing data communication; the communication encryption capability information represents a calling communication.
  • the node has encrypted communication capabilities.
  • the communication encryption capability information may be represented by an extended field.
  • the called communication node After the called communication node receives the communication encryption capability negotiation request from the calling communication node, it is judged Whether the communication encryption capability and the media capability of the intersection with the calling communication node are present, if the called communication node sends a communication encryption capability negotiation response to the calling communication node, the communication encryption capability negotiation response may carry the called party The media capability information and the communication encryption capability information of the communication node; otherwise, the called communication node sends a negotiation failure message to the calling communication node, and the calling communication node stops performing subsequent encrypted communication with the called communication node after receiving the negotiation failure message. Operation.
  • the communication encryption capability and the respective media capabilities are usually preset in the primary and called communication nodes.
  • the called communication node determines whether it has communication encryption capability, such as: adding encryption enablement in the communication configuration parameter of the called communication node, and the encryption setting is enabled by the operator in advance. Or prohibited. Then, when the called communication node queries its own communication configuration parameters, if it is known that the encryption enable is currently enabled, the called communication node determines that it has communication encryption capability; otherwise, the called communication node determines that it does not have communication encryption capability. .
  • the communication encryption capability negotiation process initiated by the calling communication node and the called communication node may be various.
  • the first communication encryption capability negotiation process is:
  • the calling communication node sends a communication encryption capability negotiation request including the media capability information and the communication encryption capability information to the called communication node, and the communication encryption capability information is represented by a public key, that is, the communication encryption capability negotiation request includes The public key represents the communication encryption capability of the calling communication node.
  • the called communication node After receiving the communication encryption capability negotiation request from the calling communication node, the called communication node obtains the media capability that it has by using the existing technology, and compares the acquired media capability with the media capability information included in the communication encryption capability negotiation request. Whether there is an intersection of the represented media capabilities. If there is an intersection, the called communication node determines that it has the media capability of the intersection with the calling communication node; otherwise, the called communication node determines that it does not have the media that intersects with the calling communication node. ability.
  • the called communication node further determines whether it has communication encryption capability, and if so, the called communication node applies the encryption policy preset in advance to encrypt the public key included in the communication encryption capability negotiation request, and uses the encryption result as The called side data encryption key when subsequently communicating with the calling communication node. After that, the called communication node sends a communication encryption to the calling communication node.
  • the capability negotiation response notifies the calling communication node that the called communication node has the communication encryption capability and the media capability that intersects with the calling communication node; the calling communication node receives the communication encryption capability negotiation response from the called communication node, and determines that Performing encrypted communication with the calling communication node, and encrypting the public key by applying the encryption policy set in advance, and using the encryption result as a calling side data encryption key when communicating with the called communication node.
  • the master and the called communication node may also encrypt the public key without applying the encryption policy, and directly use the public key as the primary and called side data encryption keys for subsequent communication.
  • the communication encryption capability negotiation response may carry the called side data encryption key, and the calling communication node applies the encryption policy to the called party included in the received communication encryption capability negotiation response.
  • the side data encryption key is decrypted, and it is judged whether the result of the decryption is the same as the public key. If the same, the calling communication node sends an acknowledgement message to the called communication node; otherwise, the calling communication node sends the called communication node to the called communication node.
  • Negotiation failure message may carry the called side data encryption key, and the calling communication node applies the encryption policy to the called party included in the received communication encryption capability negotiation response.
  • the side data encryption key is decrypted, and it is judged whether the result of the decryption is the same as the public key. If the same, the calling communication node sends an acknowledgement message to the called communication node; otherwise, the calling communication node sends the called communication node to the called communication node.
  • Negotiation failure message may carry the called side data encryption key, and the calling communication no
  • the calling communication node may not directly perform the decryption operation, but directly determine whether the called side data encryption key included in the received response is related to the generated master. The calling side data encryption key is the same. If the same, the calling communication node sends an acknowledgement message to the called communication node; otherwise, the calling communication node sends a negotiation failure message to the called communication node.
  • the communication encryption capability negotiation response may further carry media capability information corresponding to the media capability of the called communication node that has an intersection with the calling communication node.
  • the second communication encryption capability negotiation process is: the calling communication node sends a communication encryption capability negotiation request including the media capability information and the communication encryption capability information to the called communication node, and the communication encryption capability information is randomly generated by the calling communication node.
  • the random number representation that is, the random number included in the communication encryption capability negotiation request represents that the calling communication node has communication encryption capability.
  • the called communication node determines whether it has the media capability of the intersection with the calling communication node, and the specific determination method is the same as the corresponding determination method in the negotiation process of the first communication encryption capability.
  • the called communication node also determines whether it has communication encryption capability, generates a called side data encryption key after determining that it has communication encryption capability, and performs subsequent transmission to the calling communication node.
  • the communication encryption capability negotiation response and the like, the specific operation method is substantially the same as the corresponding method in the first communication encryption capability negotiation process, except that the performed operation is no longer directed to the public key but to the random number.
  • the advantage of applying random numbers for encrypted communication is that: when a new communication such as a new session is performed between the primary and the called communication nodes, a new random number can be randomly generated, and the random encryption number is used to generate the data encryption key. . It can be seen that each time the primary and the called communication node perform a new communication, the generated data encryption key is different from the previous one.
  • the flexibility of the data encryption key generation makes the illegal acquisition of the information even in one communication. Deciphering the data encryption key, and the same method can not be used to decipher the data encryption key used in each communication, which can further improve communication security.
  • the calling communication node may use the random number as the calling side data encryption key when communicating with the called communication node, and encrypt the random number by using the set public key and encryption policy, and encrypt the random number.
  • the communication encryption capability information is carried in the communication encryption capability negotiation request and sent to the called communication node.
  • the public key and the encryption policy set by the application decrypt the communication encryption capability information included in the received communication encryption capability negotiation request, and The decrypted result is used as a called side data encryption key when subsequently communicating with the calling communication node. It can be seen that the called side data encryption key is the same as the random number sent by the calling communication node.
  • the third communication encryption capability negotiation process is: the calling communication node sends a pre-negotiation request including the media capability information and the communication encryption capability information to the called communication node, and the communication encryption capability information is represented by a communication encryption capability flag, the communication The cryptographic capability flag is used to notify the called communication node that the calling communication node has communication encryption capability. For example, when the communication encryption capability sent by the calling communication node is marked as 1, it indicates that the calling communication node has communication encryption capability.
  • the called communication node After the called communication node receives the pre-negotiation request from the calling communication node, it determines whether it has the media capability of the intersection with the calling communication node, and the specific determining method and the corresponding determining method in the negotiation process of the first communication encryption capability The same is true, the difference is that the current determination method is for pre-negotiation requests.
  • the called communication node also determines whether it has communication encryption capability and sends a pre-negotiation response to the calling communication node after determining that it has communication encryption capability.
  • the called communication section After the calling communication node receives the pre-negotiation response from the called communication node, the called communication section The point performs substantially the same operation as the second or third communication encryption capability negotiation process. Of course, since the called communication node has determined whether it has the media capability and the communication encryption capability, the called communication node does not need to perform the second and third communication encryption capability negotiation processes to determine the media capability and communication encryption. Ability to operate.
  • Step 107 When the called communication node has communication encryption capability, the called communication node initiates a communication encryption capability negotiation process with the calling communication node, and the operation included in the communication encryption capability negotiation process is substantially the same as the operation in step 106. The difference is that step 107 has an interchange of the operating body with respect to step 106.
  • the communication encryption capability information corresponding to the communication encryption capability set in the called communication node represents that the called communication node has an encrypted communication capability
  • the media capability information corresponding to the media capability set in the called communication node represents the called communication node.
  • the media capability information in particular, the media capability information represents the media encoding and decoding capability of the called communication node when performing data communication.
  • Step 107 and step 106 do not have a strict chronological relationship.
  • step 107 or step 106 may be performed, which does not affect subsequent data encryption communication.
  • Step 108 Applying the prior art to establish a media channel between the primary and the called communication node, the specific media channel establishment process is generally as follows:
  • the primary/called communication node sends at least the primary/called communication to the called/calling communication node. a media channel setup request for the node IP address and the communication port number;
  • the called/calling communication node receives the media channel setup request from the primary/called called communication node, and after receiving the request, sends the at least one included to the primary/called called communication node /
  • the media channel of the calling communication node IP address and the communication port number establishes a response.
  • the calling and called communication nodes acquire the address information used by the other party for data communication, and can perform subsequent data communication based on the address information.
  • a channel establishment rejection message is sent to the master/called communication node, and the channel establishment rejection message may also carry a rejection reason.
  • Step 109 The media channel established by the application between the primary and the called communication node performs an encrypted data communication process.
  • the specific operation is:
  • the master/called communication node applies the master/called side data encryption key and the encryption policy pair
  • the data sent to the called/calling communication node is encrypted, and the encrypted encrypted data is transmitted to the called/calling communication node;
  • the called/calling communication node applies the called/calling side data encryption key and the
  • the encryption policy decrypts the encrypted data from the master/called communication node and applies subsequent techniques to perform subsequent processing based on the decrypted data.
  • Steps 101 through 105 may be implemented by a communication protocol such as Q931, and may further include other signaling interactions.
  • Steps 106 to 109 are generally implemented by the H245 protocol, and the communication encryption capability negotiation request may be implemented by a Terminal Capability Set (TSS), and the communication encryption capability negotiation response may be confirmed by a terminal capability request (Terminal Capability).
  • TCS Terminal Capability Set
  • Set Ack, TCS Ack the media channel setup request may be implemented by an Open Logic Channel message
  • the media channel setup response may be implemented by an Open Logic Channel Ack
  • the establishment of a reject message can be implemented by an Open Logic Channel Reject message.
  • step 106 to step 109 may further include other signaling interactions, and may also be implemented by other communication protocols; and step 106 and step 107 may also be implemented by a Session Description Protocol (SDP).
  • SDP Session Description Protocol
  • Step 106 and/or step 107 can be performed at any time prior to step 109.
  • the media capability information may be any communication protocol name supported by the primary or called communication node to ensure that the recipient knows which communication protocol the sender supports. Such as: G.711, G.723, H.263, RFC 2833, etc.
  • the calling communication node can transmit the name of the communication protocol supported by itself as the media capability information to the called communication node; the called communication node obtains the communication protocol supported by itself, and compares the name and the received communication protocol. Whether there is an intersection of the communication protocol names, if there is an intersection, the called communication node determines that it has the media capability of the intersection with the calling communication node. Regardless of what content of the media capability information is represented, in order to ensure that the primary and the called communication node can communicate normally, both the primary and the called communication node apply the media capability communication in which the intersection exists.
  • the primary and called communication nodes may be communication terminals, gateways or media controller units (MCUs), and the like.
  • MCUs media controller units
  • the encryption policy may be a commonly used XOR algorithm, a negation algorithm, an MD5 algorithm, and the like.
  • the flow shown in FIG. 8 can be implemented by a communication protocol such as Session Initiation Protocol (SIP), H323 protocol, etc.
  • SIP Session Initiation Protocol
  • the encrypted communication in step 109 is usually encrypted for the RFC 2833 protocol data packet.
  • step 107 may not be performed, and the key operations in step 106 are split into steps 101 and 104, respectively.
  • the specific splitting manner is: performing the operation of sending the communication encryption capability negotiation request by the calling communication node to the called communication node in step 106 to step 101; sending the called communication node to the calling communication node to encrypt the communication in step 106; The operation of the capability negotiation response is performed in step 104.
  • the embodiment of the present invention simulates an entity between a base station controller (or a target base station controller) and a mobile switching center emulation entity, a mobile switching center emulation entity, during a call setup, during a call, or after a call handover.
  • the key information is transmitted between the media gateway (or the target media gateway) and the media gateway (or target media gateway) to obtain the same key as the base station controller (or the target base station controller). Then use the key to encrypt and transmit the 2833 information in the A2p port. It can guarantee the security of 2833 information transmission on the A2p port, thus protecting the interests of mobile users and improving the service satisfaction of operators.
  • the key information can be transmitted by extending the A2p bearer format feature parameter of the IOS protocol and the extended H248 protocol, and the implementation thereof is relatively simple.
  • the first communication node sends its own media capability information and communication encryption capability information to the second communication node; the media capability information represents the communication node. Having a media capability, the communication encryption capability information represents that the communication node has an encrypted communication capability; and the second communication node determines, according to the media capability information and the communication encryption capability information from the first communication node, whether it has communication encryption capability and the first The communication node has an intersecting media capability, if so, the first and second communication nodes determine the same data encryption key and apply the media capability and the determined data encryption key for encrypted communication.
  • the first communication node may be a calling communication node, and the second communication node may be a called communication node.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A mobile communication system, and information transmitting method and device wherein are provided in the invention. By means of extending the parameter in interaction criterion protocol, the transmitting signalling on A1p link between base station controller ( or goal base station controller) and mobile switch center (MSC) emulation entity can take 2833 encrpytion control information. The MSC emulation entity transmits the cryptographic key to media gateway(or goal media gateway), and the media gateway recover the cryptographic key. Then the base station controller ( or goal base station controller) and the media gateway(or goal media gateway) can encrypt/decode the 2833 information which is to be transmitted or has been transmitted by use of the same cryptographic key. By transmitting encrypted 2833 information between base station controller and media gateway, the security of transmitting 2833 information in A2p port can de improved, and accordingly service satisfaction level of operator will be increased.

Description

移动通信系统及在其中传送信息的方法、 设备 本申请要求于 2005 年 11 月 1 日提交中国专利局、 申请号为 200510117145.0、发明名称为"一种实现加密通信的方法,,的中国专利申请、 于 2005年 11月 29 日提交中国专利局、 申请号为 200510101949丄 发明 名称为 "一种在 CDMA中实现对 2833信息进行加密传送的方法"的中国 专利申请和于 2005 年 12 月 20 日提交中国专利局、 申请号为 200510135859.4, 发明名称为 "一种在 CDMA中实现对 2833信息进行加 密传送的方法 "的中国专利申请的优先权, 其全部内容通过引用结合在本 申请中。 技术领域  Mobile communication system and method and device for transmitting information therein The present application claims to be submitted to the Chinese Patent Office on November 1, 2005, the application number is 200510117145.0, and the invention name is "a method for implementing encrypted communication, Chinese patent application, Chinese patent application filed on November 29, 2005, China Patent Office, application number 200510101949, entitled "A method for encrypting and transmitting 2833 information in CDMA" and submitted to China on December 20, 2005 Patent Office, Application No. 200510135859.4, entitled "A Method for Implementing Encrypted Transmission of 2833 Information in CDMA", the entire contents of which are incorporated herein by reference.
本发明涉及移动通信领域, 具体来说, 涉及一种移动通信系统及在其 中传送信息的方法、 设备。  The present invention relates to the field of mobile communications, and in particular to a mobile communication system and a method and apparatus for transmitting information therein.
背景技术 Background technique
按第三代移动通信标准化的伙伴项目 2 ( 3GPP2 , Third Generation Partnership Project 2 ) 组织的划分, 码分多址 (Code Division Multiple Access, CDMA ) 网络从 IS- 95体制向 CDMA2000系列演进, 历经阶段 0 ( PhaseO )、 阶段 1 ( Phase 1 )、 阶段 2 ( Phase2 )和阶段 3 ( Phase3 )等阶 段, 最终实现 CDMA2000全 IP ( ALL-IP ) 网络。  According to the division of the 3GPP2 (3GPP2, Third Generation Partnership Project 2) organization, the Code Division Multiple Access (CDMA) network evolved from the IS-95 system to the CDMA2000 series, after stage 0. Phase (Phase 1), Phase 1 (Phase 1), Phase 2 (Phase 2), and Phase 3 (Phase 3), the CDMA2000 All-IP (ALL-IP) network is finally implemented.
在承前启后的阶段 2中, 信令和承载分离、 接入网和核心网独立演进 的原则已经显现。 阶段 2又细分为步驟 1 ( STEP1 )、 步骤 2 ( STEP2 )和 步骤 n ( STEPn )。 具体而言, 在步骤 2中, 将第二代移动通信(2G ) 网络 的移动交换中心 /访问位置寄存器(Mobile Switch Center /Visited Location Register, MSC/VL )分裂为移动交换中心仿真实体( Mobile Switch Center Emulation, MSCe )、 媒体网关( Media Gate Way, MGW )和媒体资源功能 处理器(Multimedia Resource Function Processor, MRFP )这三个网元, 其 中, 该移动交换中心仿真实体具有与移动交换中心类似的功能, 也可直接 称其为移动交换中心。 另外还新增了归属地位置寄存器仿真 (Home Location Register Emulation, HLRe )等网元, 完成包括 2G基站子系统 ( BaseStation Subsystem, BSS )和 3G基站子系统(BSS/ ) 的接入, 实现 与公共交换电话网 ( public switched telephone network, PSTN )、 公众陆地 移动电话网( Public Land Mobile Network, PLMN )以及因特网协议( Internet Protocol, IP ) 网络的互通, 提供对传统移动台 (Mobile Station, MS )业 务的支持。 In Phase 2, the principle of independent separation of signaling and bearer, access network and core network has emerged. Phase 2 is further subdivided into Step 1 (STEP1), Step 2 (STEP2), and Step n (STEPn). Specifically, in step 2, the Mobile Switch Center/Visited Location Register (MSC/VL) of the second generation mobile communication (2G) network is split into a mobile switching center emulation entity (Mobile Switch) Center Emulation (MSCe), Media Gateway (MGW) and Media Resource Function Processor (MRFP), wherein the mobile switching center emulation entity has a similarity to the mobile switching center. Function, can also be called directly as a mobile switching center. Also added a home location register emulation (Home Location Register Emulation, HLRe) and other network elements, including 2G base station subsystem (BSS) and 3G base station subsystem (BSS/) access, and public switched telephone network (PSTN), The public land mobile network (PLMN) and the Internet Protocol (IP) network interoperate to provide support for traditional mobile station (MS) services.
如图 1 , 示出一种 CDMA接入网的简要结构示意图。 其中, MS 110 一般由基带、 中频和射频等部分组成。 基带部分负责射频信号和基带信号 的转发控制, 中频连接基带部分和射频部分, 而射频部分负责无线信号的 发送和接收。 MS可以为诸如手机、 PDA ( Personal Digital Assistant, 个人 数字助理)等终端设备。  As shown in FIG. 1, a schematic structural diagram of a CDMA access network is shown. The MS 110 generally consists of a baseband, an intermediate frequency, and a radio frequency. The baseband part is responsible for the forwarding control of the radio frequency signal and the baseband signal, the intermediate frequency is connected to the baseband part and the radio frequency part, and the radio frequency part is responsible for transmitting and receiving the wireless signal. The MS can be a terminal device such as a mobile phone, a PDA (Personal Digital Assistant).
基站控制器(Base Station Controller, BSC ) 120是基站系统的一个部 分, BSC 120主要处理系统信息广播、 切换、 小区资源分配、 用户控制等 无线资源管理等功能。  The Base Station Controller (BSC) 120 is a part of the base station system. The BSC 120 mainly handles functions such as system information broadcasting, handover, cell resource allocation, and user control and other radio resource management.
MGW 130提供语音业务、 电路域相关数据业务的传输与交换功能, 实现无线接入网络电路域与公共电路交换网络(PSTN、 ISDN )、 其它移动 网络(GSM、 CDMA等)、 分組网络之间的业务流转换。 MGW 130提供 分組交换功能, 通过升级可以满足无线网絡向全 IP网络的发展需要。  The MGW 130 provides voice service and circuit domain related data service transmission and exchange functions, and implements a wireless access network circuit domain and a public circuit switched network (PSTN, ISDN), other mobile networks (GSM, CDMA, etc.), and a packet network. Business flow conversion. The MGW 130 provides packet switching functions, which can be upgraded to meet the development needs of wireless networks to all-IP networks.
其中, BSC 120通过 Alp口与 MSCe 140建立 Alp链路, BSC 120通 过该 Al 链路 150与 MSCe 140之间传逸信令。 BSC 120通过 A2p口与 MGW 130经 IP网络 160相连接, 该 A2p口用来承载业务。 而 MSCe 140 与 MGW 130之间通过 H248链路 170进行联系,所述 H248为一种媒体网 关控制协议。  The BSC 120 establishes an Alp link with the MSCe 140 through the Alp port, and the BSC 120 passes the signaling between the Al link 150 and the MSCe 140. The BSC 120 is connected to the MGW 130 via the A2p port via the IP network 160, and the A2p port is used to carry services. The MSCe 140 and the MGW 130 are in contact via an H248 link 170, which is a media gateway control protocol.
CDMA系统的收号业务(例如拨打运营商服务号码、 自动语音提示输 入语言选择)采用双音多频( Dual Tone Multi- Frequency, DTMF )来实现 号码传送。 CDMA系统呼叫控制与承载分离的架构下, 在实现 A口 IP化 之后, BSC的 A2p口是使用 IP或实时流传输协议 ( IP/ TP )包进行 DTMF 信息传送的, 传送的方式遵循 RFC2833协议, 一般将该传输的 DTMF信 息简称为 2833信息。 在 RTP包中, 2833信息为明码传送, 很容易被抓包 工具所拦截并解析出其中所包含的实际的 DTMF信息,这样,就会导致用 户的机密信息 (如银行帐号密码) 的泄密。 The CDMA system's receiving service (such as dialing the carrier service number and automatic voice prompt input language selection) uses Dual Tone Multi-Frequency (DTMF) to implement number transmission. In the framework of CDMA system call control and bearer separation, after implementing A-port IP, the BSC A2p port uses DTMF information transmission using IP or Real-Time Streaming Protocol (IP/TP) packets, and the transmission method follows the RFC2833 protocol. The transmitted DTMF information is generally referred to as 2833 information. In the RTP package, the 2833 information is transmitted in clear code, which is easy to be captured. The tool intercepts and parses out the actual DTMF information contained in it, which will result in the leakage of confidential information (such as bank account password).
如上所述, 在现有 CDMA协议标准的 IP化 A口处理中, A2p口承载 建立必须使用 RFC2833协议进行 DTMF信息传送。 例如在图 1中, 当呼 叫接通后, 用户在 MS 110中按键, 所拨号码会首先在无线侧通过带外信 令传送到 BSC 120; BSC 120首先将该按键信息转化为 DTMF信息, 并在 BSC的 A2p口通过 IP/RTP包将该 DTMF信息发送给 MGW 130, 这种传 送方式为明文标准 2833方式。 因为 A2p口连接的为 IP网络, 分组包极易 受到拦截并被非法获取其中 DTMF信息,从而导致移动用户机密信息的泄 密。  As described above, in the IP-based A-port processing of the existing CDMA protocol standard, the A2P port bearer establishment must use the RFC2833 protocol for DTMF information transmission. For example, in FIG. 1, when the call is turned on, the user presses the button in the MS 110, and the dialed number is first transmitted to the BSC 120 through the outband signaling on the wireless side; the BSC 120 first converts the button information into DTMF information, and The DTMF information is transmitted to the MGW 130 through the IP/RTP packet at the A2p port of the BSC. This transmission method is the plain text standard 2833 mode. Because the A2p port is connected to the IP network, the packet is easily intercepted and illegally obtained from the DTMF information, resulting in the leakage of confidential information of the mobile user.
也就是说, 现有技术中, 可以在 RTP数据包中传输 DTMF信号和其 它网絡信令和事件。 在所传输的上述信息中, 有相当一部分信息对安全性 要求较高。 如: 银行等商业部门的交易数据、 用户个人信息等。  That is, in the prior art, DTMF signals and other network signaling and events can be transmitted in RTP packets. Among the above information transmitted, a considerable part of the information has higher security requirements. Such as: transaction data of the commercial sector such as banks, personal information of users, etc.
然而, 现有技术在传输所述信息时并不对传输的信息加密, 通信的安 全性较低。 这种情况下, 如果信息在传输时被非法获取, 非法获取信息者 可以直接读出获取的信息所包含的内容, 这很可能对该信息的合法拥有者 造成不利影响, 进而降低用户满意度。  However, the prior art does not encrypt the transmitted information when transmitting the information, and the security of the communication is low. In this case, if the information is illegally acquired during transmission, the person who illegally obtains the information can directly read the content contained in the acquired information, which is likely to adversely affect the legitimate owner of the information, thereby reducing user satisfaction.
实际上, 目前还有很多其它种类的通信协议无法实现信息的加密通 信, 应用这些通信协议进行通信的安全性同样 4艮低, 这艮可能对信息的合 法拥有者造成不利的影响。  In fact, there are still many other types of communication protocols that cannot implement encrypted communication of information. The security of communication using these communication protocols is also low, which may adversely affect the legitimate owner of the information.
发明内容 Summary of the invention
本发明的实施例提供一种移动通信系统及在其中传送信息的方法、设 备, 可提高 A2p口所传送的 DTMF信息的安全性。  Embodiments of the present invention provide a mobile communication system and a method and apparatus for transmitting information therein, which can improve the security of DTMF information transmitted by an A2P port.
根据本发明的一个方面, 一种在移动通信系统中传送信息的方法, 包 括:  According to one aspect of the invention, a method of transmitting information in a mobile communication system includes:
基站控制器和移动交换中心仿真实体之间的发送方生成 2833加密控 制信息并传送携带有所述 2833加密控制信息的相关信令; 所述 2833加密 控制信息中包含有 A口密钥信息及用于对 2833信息进行加密的第一加密 算法名称; 所述相关信令的接收方获得所述 A口密钥信息对应的用于对 2833信 息进行加密的 A口共享密钥; The sender between the base station controller and the mobile switching center emulation entity generates 2833 encryption control information and transmits related signaling carrying the 2833 encryption control information; the 2833 encryption control information includes the A port key information and uses The name of the first encryption algorithm that encrypts the 2833 information; The receiver of the related signaling obtains an A-port shared key for encrypting the 2833 information corresponding to the A-port key information;
所述移动交换中心仿真实体利用该 A口共享密钥生成 2833加密属性 信息, 并将 2833加密属性信息发送给媒体网关; 所述 2833加密属性信息 包含所述第一加密算法名称及 H248口密钥信息;  The mobile switching center emulation entity generates 2833 encrypted attribute information by using the A port shared key, and sends the 2833 encrypted attribute information to the media gateway; the 2833 encrypted attribute information includes the first encryption algorithm name and the H248 port key Information
所述媒体网关根据该 H248口密钥信息获得 A口共享密钥; 所述基站控制器和媒体网关之间的发送端使用该 A 口共享密钥和第 一加密算法对 2833信息进行加密传送; 所述发送端的对端采用该 A口共 享密钥及第一加密算法进行解密。  The media gateway obtains an A-port shared key according to the H248 port key information; the sending end between the base station controller and the media gateway uses the A-port shared key and the first encryption algorithm to encrypt and transmit the 2833 information; The peer end of the sending end decrypts by using the A port shared key and the first encryption algorithm.
可选地, 所述 2833加密控制信息承载在扩展后的互操作性规范协议 相关信令中的 A2p承载格式特征参数中, 所述 2833加密属性信息承载在 扩展后的 H248信令中。  Optionally, the 2833 encryption control information is carried in the A2p bearer format feature parameter in the extended interoperability specification protocol related signaling, and the 2833 encrypted attribute information is carried in the extended H248 signaling.
根据本发明的另一方面, 一种基站控制器, 包括:  According to another aspect of the present invention, a base station controller includes:
信令处理单元, 用于向移动交换中心仿真实体发送或从移动交换中心 仿真实体接收携带有 2833加密控制信息的相关信令; 所述 2833加密控制 信息中包含有 A口密钥信息及用于对 2833信息进行加密的第一加密算法 名称;  a signaling processing unit, configured to send to the mobile switching center emulation entity or receive relevant signaling that carries the 2833 encrypted control information from the mobile switching center emulation entity; the 2833 encrypted control information includes the A port key information and is used for The name of the first encryption algorithm that encrypts the 2833 information;
信息传输单元, 用于实现和媒体网关之间的 2833信息传输, 利用所 述 A口密钥信息对应的 A口共享密钥和第一加密算法对 2833信息进行处 理。  The information transmission unit is configured to implement 2833 information transmission with the media gateway, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
才艮据本发明的又一方面, 一种移动交换中心仿真实体, 包括: 信令处理单元, 用于向基站控制器发送或从基站控制器接收携带有 2833加密控制信息的相关信令; 所述 2833加密控制信息中包含有 A口密 钥信息及用于对 2833信息进行加密的第一加密算法名称;  According to still another aspect of the present invention, a mobile switching center emulation entity includes: a signaling processing unit, configured to send or receive, from a base station controller, related signaling carrying 2833 encrypted control information; The 2833 encryption control information includes the A port key information and the first encryption algorithm name used to encrypt the 2833 information;
加密属性信息处理单元, 用于利用所述 2833加密控制信息中的 A口 密钥信息对应的 A口共享密钥生成 2833加密属性信息,并将 2833加密属 性信息发送给媒体网关; 所述 2833加密属性信息包含所述第一加密算法 名称及 H248口密钥信息。  The encryption attribute information processing unit is configured to generate 2833 encrypted attribute information by using the A port shared key corresponding to the A port key information in the 2833 encryption control information, and send the 2833 encrypted attribute information to the media gateway; the 2833 encryption The attribute information includes the first encryption algorithm name and H248 port key information.
才艮据本发明的再一方面, 一种媒体网关, 其特征在于, 包括: 加密属性信息处理单元,用于根据移动交换中心仿真实体发出的 2833 加密属性信息获得 A口共享密钥和第一加密算法; According to still another aspect of the present invention, a media gateway, comprising: An encryption attribute information processing unit, configured to obtain an A-port shared key and a first encryption algorithm according to the 2833 encrypted attribute information sent by the mobile switching center emulation entity;
信息传输单元, 用于实现和基站控制器之间的 2833信息传输, 利用 所述 A口密钥信息对应的 A口共享密钥和第一加密算法对 2833信息进行 处理。  The information transmission unit is configured to implement 2833 information transmission with the base station controller, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
根据本发明的另外一方面, 一种移动通信系统, 包括基站控制器、 移 动交换中心仿真实体和媒体网关;  According to another aspect of the present invention, a mobile communication system includes a base station controller, a mobile switching center emulation entity, and a media gateway;
所述基站控制器用于向移动交换中心仿真实体发送或从移动交换中 心仿真实体接收携带有 2833加密控制信息的相关信令; 所述 2833加密控 制信息中包含有 A口密钥信息及用于对 2833信息进行加密的第一加密算 法名称; 并在和媒体网关进行 2833信息传输时, 利用所述第一加密算法 和 A口密钥信息对应的 A口共享密钥对 2833信息进行处理;  The base station controller is configured to send or receive relevant signaling that carries the 2833 encryption control information to the mobile switching center emulation entity; the 2833 encryption control information includes the A port key information and is used for The 2833 information is encrypted by the first encryption algorithm name; and when the media gateway performs the 2833 information transmission, the first encryption algorithm and the A port shared key corresponding to the A port key information are used to process the 2833 information;
所述移动交换中心仿真实体用于向基站控制器发送或从基站控制器 接收携带有 2833加密控制信息的相关信令; 利用所述 2833加密控制信息 中的 A口密钥信息对应的 A口共享密钥生成 2833加密属性信息,并将 2833 加密属性信息发送给媒体网关; 所述 2833加密属性信息包含所述第一加 密算法名称及 H248口密钥信息;  The mobile switching center emulation entity is configured to send or receive the relevant signaling carrying the 2833 encryption control information to the base station controller, and share the A port corresponding to the A port key information in the 2833 encryption control information. The key generation 2833 encrypts the attribute information, and sends the 2833 encrypted attribute information to the media gateway; the 2833 encrypted attribute information includes the first encryption algorithm name and the H248 port key information;
所述媒体网关用于根据该 H248口密钥信息获得 A口共享密钥; 使用 该 A口共享密钥和第一加密算法对 2833信息进行处理。  The media gateway is configured to obtain an A-port shared key according to the H248 port key information; and process the 2833 information by using the A-port shared key and the first encryption algorithm.
根据本发明的又一方面,一种移动通信系统中传送信息的方法,包括: 在第一通信节点和第二通信节点均具有通信加密能力以及第一通信 节点和第二通信节点存在交集的媒体能力时, 第一、 第二通信节点确定相 同的数据加密密钥;  According to still another aspect of the present invention, a method for transmitting information in a mobile communication system includes: a medium having communication encryption capability at a first communication node and a second communication node, and an intersection of a first communication node and a second communication node The capability, the first and second communication nodes determine the same data encryption key;
第一、 第二通信节点应用存在交集的所述媒体能力和确定的数据加密 密钥进行加密通信。  The first and second communication nodes apply the media capability of the intersection and the determined data encryption key for encrypted communication.
本发明的实施例通过在建立呼叫时、 呼叫过程中或进行呼叫切换后, 在基站控制器(或目标基站控制器)和移动交换中心仿真实体之间、 移动 交换中心仿真实体和媒体网关(或目标媒体网关)之间进行密钥信息传送, 使媒体网关(或目标媒体网关)端获得与基站控制器(或目标基站控制器) 端相同的密钥。 然后利用该密钥对 A2p口中的 2833信息进行加密传送。 可以保证在 A2p口上进行 2833信息传送的安全性, 从而保障移动用户的 利益, 提高运营商的服务满意度。 Embodiments of the present invention are between a base station controller (or target base station controller) and a mobile switching center emulation entity, a mobile switching center emulation entity, and a media gateway (or during call setup, during a call, or after call handover) (or Key information transmission between the target media gateways, enabling the media gateway (or target media gateway) to obtain the base station controller (or the target base station controller) The same key. Then, the key is used to encrypt and transmit the 2833 information in the A2p port. It can guarantee the security of 2833 information transmission on the A2p port, thus protecting the interests of mobile users and improving the service satisfaction of operators.
本发明的实施例中 ,可以通过扩展 IOS协议的 A2p承载格式特征参数 及扩展 H248协议来实现密钥信息的传送, 其实现较为简单。  In the embodiment of the present invention, the key information can be transmitted by extending the A2p bearer format feature parameter of the IOS protocol and extending the H248 protocol, which is relatively simple to implement.
本发明的实施例由第一通信节点与第二通信节点协商确定用于支持 加密通信的媒体能力和加密通信能力; 在第一、 第二通信节点均具有通信 加密能力以及存在交集的媒体能力时, 由第一、 第二通信节点确定相同的 数据加密密钥, 并应用所述媒体能力和确定的数据加密密钥进行加密通 信。 因此, 即使第一、 第二通信节点之间传输的信息被非法获取, 也可保 证非法获取信息者无法正确解析或直接读出获取的信息所包含的内容, 避 免对该信息的合法拥有者可能造成的不利影响, 提高了通信的安全性。 附图说明  Embodiments of the present invention determine, by the first communication node and the second communication node, media capabilities and encrypted communication capabilities for supporting encrypted communications; when both the first and second communication nodes have communication encryption capabilities and media capabilities with intersections And determining, by the first and second communication nodes, the same data encryption key, and applying the media capability and the determined data encryption key to perform encrypted communication. Therefore, even if the information transmitted between the first and second communication nodes is illegally obtained, the information obtained by the illegally obtained information cannot be correctly parsed or directly read out, and the legal owner of the information may be avoided. The adverse effects caused by the communication have improved the security of communication. DRAWINGS
图 1是现有技术中的一种 CDMA接入网的简要结构示意图; 图 2是本发明实施方式的一种 CDMA接入网的简要结构示意图; 图 3是本发明在 CDMA呼叫建立时或呼叫过程中实现对 2833信息进 行加密传送的第一实施例的流程图;  1 is a schematic structural diagram of a CDMA access network in the prior art; FIG. 2 is a schematic structural diagram of a CDMA access network according to an embodiment of the present invention; FIG. 3 is a schematic diagram of the present invention when a CDMA call is established or called. A flowchart of a first embodiment for implementing encrypted transmission of 2833 information during the process;
图 4是本发明在 CDMA呼叫建立或呼叫过程中实现对 2833信息进行 加密传送的第二实施例的流程图; 实施例的流程图;  4 is a flow chart of a second embodiment of the present invention for implementing encrypted transmission of 2833 information during a CDMA call setup or call; a flowchart of an embodiment;
图 6是本发明的移动通信系统的第一实施例的框图;  Figure 6 is a block diagram of a first embodiment of the mobile communication system of the present invention;
图 7是本发明的移动通信系统的第二实施例的框图;  Figure 7 is a block diagram of a second embodiment of the mobile communication system of the present invention;
图 8是本发明的移动通信系统中传送信息的方法的实施例的流程图。 具体实施方式  Figure 8 is a flow chart of an embodiment of a method of transmitting information in a mobile communication system of the present invention. detailed description
本发明的实施例在 CDMA中的 A2p 口实现对 2833信息进行加密传 送, 可提高 A2p口所传送的 DTMF信息的安全性。 本发明的实施例可以 应用于如图 2所示的 CDMA系统中。  The embodiment of the present invention implements encrypted transmission of 2833 information in the A2p port in CDMA, which can improve the security of the DTMF information transmitted by the A2p port. Embodiments of the present invention can be applied to a CDMA system as shown in FIG. 2.
所述系统中包括基站控制器(BSC ) 220、 媒体网关 (MGW ) 230和 移动交换中心仿真实体(MSCe ) 240。 其中, BSC 220通过 Alp链路 250 与 MSCe 240之间传送信令。 BSC 220通过 A2p口与 MGW 230经 IP网络 260相连接。而 MSCe 240与 MGW 230之间通过 H248链路 270进行联系。 The system includes a base station controller (BSC) 220, a media gateway (MGW) 230, and Mobile Switching Center Emulation Entity (MSCe) 240. Among them, the BSC 220 transmits signaling between the Alp link 250 and the MSCe 240. The BSC 220 is coupled to the MGW 230 via an IP network 260 via an A2p port. The MSCe 240 and the MGW 230 are in contact via the H248 link 270.
所述 BSC 220用于向 MSCe 240发送或从 MSCe 240接收携带有 2833 加密控制信息的相关信令; 所述 2833加密控制信息中包含有 A口密钥信 息及用于对 2833信息进行加密的第一加密算法名称; 并在和 MGW 230 进行 2833信息传输时, 利用所述第一加密算法和 A口密钥信息对应的 A 口共享密钥对 2833信息进行处理。  The BSC 220 is configured to send or receive information related to the 2833 encryption control information from the MSCe 240. The 2833 encryption control information includes the A port key information and the second information for encrypting the 2833 information. An encryption algorithm name; and when the 2834 information transmission is performed with the MGW 230, the A-port shared key pair 2833 information corresponding to the A-port key information is processed by the first encryption algorithm.
所述 MSCe 240用于向 BSC 220发送或从 BSC 220接收携带有 2833 加密控制信息的相关信令; 利用所述 2833加密控制信息中的 A口密钥信 息对应的 A口共享密钥生成 2833加密属性信息,并将 2833加密属性信息 发送给 MGW 230; 所述 2833加密属性信息包含所述第一加密算法名称及 H248口密钥信息;  The MSCe 240 is configured to send or receive the relevant signaling that carries the 2833 encryption control information from the BSC 220, and generate the 2833 encryption by using the A-port shared key corresponding to the A-port key information in the 2833 encryption control information. Attribute information, and the 2833 encrypted attribute information is sent to the MGW 230; the 2833 encrypted attribute information includes the first encryption algorithm name and H248 port key information;
所述 MGW 230用于根据该 H248口密钥信息获得 A口共享密钥; 使 用该 A口共享密钥和第一加密算法对 2833信息进行处理。  The MGW 230 is configured to obtain an A-port shared key according to the H248 port key information; and process the 2833 information by using the A-port shared key and the first encryption algorithm.
本发明的实施例中,扩展互操作性规范( Interoperability Specification, IOS )协议中特定信令的参数, 从而在呼叫建立时、 呼叫过程中及进行呼 叫切换后, 使在 BSC (或目标 BSC )与 MSCe之间的 Alp链路中所传输 的信令可携带 2833加密控制信息(至少包含有用于对 2833信息进行加密 的密钥); 通过 MSCe与 MGW (或目标 MGW )之间的 H248链路, 使 MGW (或目标 MGW )获得该密钥。 则 BSC (或目标 BSC )和 MGW (或 目标 MGW )可使用相同的密钥进行 2833信息的加解密。 其中, IOS协议 是 CDMA 系统中定义接入侧与网络侧口的规范统称。 此外 , 在对该密钥 传送过程中, 也可对该密钥进行加密处理。  In the embodiment of the present invention, the parameters of the specific signaling in the Interoperability Specification (IOS) protocol are extended, so that the BSC (or the target BSC) is made at the time of call setup, during the call, and after the call is handed over. The signaling transmitted in the Alp link between the MSCe may carry 2833 encrypted control information (including at least a key used to encrypt the 2833 information); through the H248 link between the MSCe and the MGW (or the target MGW), Make the MGW (or target MGW) get the key. Then the BSC (or the target BSC) and the MGW (or the target MGW) can use the same key to encrypt and decrypt the 2833 information. Among them, the IOS protocol is a general term for defining the access side and the network side port in the CDMA system. In addition, the key can also be encrypted during the transmission of the key.
结合图 3, 对本发明中在呼叫建立时或呼叫过程中的第一实施例的具 体步骤进行说明。  The specific steps of the first embodiment at the time of call establishment or during the call of the present invention will be described with reference to Fig. 3.
在步骤 S30中, 需要扩展 IOS协议中的信令中的参数(例如, 可以扩 展 Α2 承载格式特征参数 ( A2p Bearer Format-Specific Parameters ) ),并定 义扩展信息,表示该 A2p口具有加密能力, 且指定具体的加密算法类型及 所采用的密钥等信息。 例如, 在一个实施例中, 扩展信息包括如下内容: 扩展 ID: 可以采用 1字节的类型信息来表示, 例如, 取值为 2, 表示In step S30, it is required to expand parameters in the signaling in the IOS protocol (for example, A2p Bearer Format-Specific Parameters), and define extended information, indicating that the A2p port has encryption capability, and Specify the specific encryption algorithm type and Information such as the key used. For example, in one embodiment, the extension information includes the following: Extended ID: may be represented by 1-byte type information, for example, a value of 2, indicating
2833加密控制信息; 2833 encryption control information;
扩展长度: 可以采用 1字节长度信息来表示, 包括 1字节标志位和不 定长度字节 (如最长为 8字节) 密钥信 ;  Extended length: can be expressed by 1 byte length information, including 1 byte flag bit and indefinite length byte (such as up to 8 bytes) key letter;
具体的扩展参数: 可以采用 1字节长度信息来表示。  Specific extended parameters: can be expressed in 1-byte length information.
具体的扩展参数中, 采用 1比特信息来表示是否使用 2833加密指示, 当该比特取值为 "0" 时, 表示本次呼叫不使用 2833加密, 当该比特取值 为 "1" 时表示本次呼叫使用 2833加密;  In the specific extended parameter, 1-bit information is used to indicate whether to use the 2833 encryption indication. When the value of the bit is "0", it means that the current call does not use 2833 encryption. When the value of the bit is "1", it means The second call uses 2833 encryption;
采用 3比特信息来表示加密算法类型, 该加密算法必须是对称算法, 例如, 在本发明的一个实施例中, 对该 3 比特取值为 "000" 时表示采用 The type of the encryption algorithm is represented by 3-bit information, and the encryption algorithm must be a symmetric algorithm. For example, in one embodiment of the present invention, when the value of the 3 bits is "000", it means
RC4加密算法, 其它的取值暂时保留; RC4 encryption algorithm, other values are temporarily reserved;
另外 4比特信息: 暂时保留;  Additional 4-bit information: Temporarily reserved;
另夕卜 4 ~ 8字节信息用来表示 A口密钥信息 (A- SHARE-DATA ), 其 为加密后的本次呼叫 2833共享密钥 (CALL-KEY ), 长度与算法相关。  In addition, 4 ~ 8 bytes of information is used to indicate the A port key information (A-SHARE-DATA), which is the encrypted current call 2833 shared key (CALL-KEY), and the length is related to the algorithm.
上述仅示出了本发明一个实施例中,一种扩展 A2p承载格式特征参数 的示例, 本发明不限于此, 本领域的技术人员可以从本发明中推导出更多 的扩展方法, 例如可以对 IOS信令中的其他的参数进行扩展。  The foregoing is only an example of an extended A2p bearer format feature parameter in an embodiment of the present invention. The present invention is not limited thereto, and those skilled in the art may derive more extended methods from the present invention, for example, Other parameters in the IOS signaling are extended.
本发明的第一实施例还扩展 H248协议, 定义会话描述协议(Session Description Protocol, SDP )格式的 2833加密属性, 以使 MSCe和 MGW 的 H428链路侧具有对所接收的来自 BSC密钥进行加密的能力。在该实施 例中,该 2833力。密属性的格式可为 "a = encrypt_params: 力。密算法名称 加 密后的密钥 (H248-SHARE-DATA )" , 该格式包括三部分。 例如对于 RC4 算法, 其 2833加密属性可能表现为 "a = encrypt_params: rc4 a6Z*oplK" , 其中 "a6Z*oplK" 为加密后的 32位密钥。 当然, 在不同的实施例中, 该 密钥可以不同。  The first embodiment of the present invention also extends the H248 protocol to define a 2833 encryption attribute of the Session Description Protocol (SDP) format, so that the H428 link side of the MSCe and the MGW has the received BSC key encrypted. Ability. In this embodiment, the 2833 force. The format of the secret attribute can be "a = encrypt_params: force. The secret algorithm name is encrypted key (H248-SHARE-DATA)". The format consists of three parts. For example, for the RC4 algorithm, its 2833 encryption attribute might appear as "a = encrypt_params: rc4 a6Z*oplK" , where "a6Z*oplK" is the encrypted 32-bit key. Of course, in different embodiments, the keys can be different.
在此基础上, 可以对呼叫过程进行扩展。  On this basis, the call process can be extended.
在步驟 S31 中, BSC 和 MSCe 之间预先设置有 A 口控制密钥 ( A1P-KEY ); 在 MGW 和 MSCe 之间预先设置有 H248 口控制密钥 ( 1-1248-KEY )。 In step S31, an A port control key (A1P-KEY) is preset between the BSC and the MSCe; and an H248 port control key is preset between the MGW and the MSCe. (1-1248-KEY).
在步骤 S32中, 在呼叫建立时或呼叫过程中, 在 BSC与 MSCe之间 传送携带有 2833加密控制信息的相关信令。 在本发明的实施例中, 是在 相关信令中的 A2p承载格式特征参数中携带有 2833加密控制信息, 表示 该次呼叫需要进行 2833加密。 所述信令可包括: 呼叫管理服务请求(CM Service Request )消息、 呼叫响应 ( Paging Response )消息或承载更新请求 (Bearer Update Response)消息、 指配完成消息、 增值业务请求 ( Additional Service Request )消息或切换请求应答 ( Handoff Request Acknowledge )消 息。 上述各消息在 BSC与 MSCe之间的交换流程与协议定义的正常承载 信息交换流程相同。 其中, 该 2833加密控制信息中包含有 A口密钥信息 ( A-SHARE-DATA )、 所采用的加密算法 (下称第二加密算法)等信息, 该第二加密算法为一对称算法 (如 RC4 算法), 该所述 A 口密钥信息 ( A-SHARE-DATA )是由所述 A口共享密钥 (CALL-KEY )与所述 A口 控制密钥 (A1P-KEY ) 利用该第二加密算法加密而来, 所述 A 口共享密 钥 (CALL- KEY )在每次呼叫中都是不相同的, 例如, 其可以随机产生。  In step S32, the relevant signaling carrying the 2833 encryption control information is transmitted between the BSC and the MSCe during call setup or during the call. In the embodiment of the present invention, the A2p bearer format feature parameter in the related signaling carries 2833 encryption control information, indicating that the call needs to be encrypted 2833. The signaling may include: a CM Service Request message, a Paging Response message or a Bearer Update Response message, an assignment completion message, and a Additional Service Request message. Or switch the Handoff Request Acknowledge message. The exchange process between the BSC and the MSCe of the above messages is the same as the normal bearer information exchange process defined by the protocol. The 2833 encryption control information includes information such as A-port key information (A-SHARE-DATA), an encryption algorithm used (hereinafter referred to as a second encryption algorithm), and the second encryption algorithm is a symmetric algorithm (eg, RC4 algorithm), the A port key information (A-SHARE-DATA) is used by the A port shared key (CALL-KEY) and the A port control key (A1P-KEY) to utilize the second The encryption algorithm is encrypted, and the A-port shared key (CALL-KEY) is different in each call, for example, it can be randomly generated.
在该实施例中, 在 BSC与 MSCe之间传送携带有 2833加密控制信息 的相关信令存在两种情况, 一种是由 BSC作为密钥分发主体, 即由 BSC 向 MSCe发送携带有 2833加密控制信息的信令, 其中, 所述 A口共享密 钥 (CALL-KEY ) 由该 BSC产生; 另一种是由 MSCe作为密钥分发主体, 即由 MSCe向 BSC发送携带有 2833加密控制信息的信令, 其中, 所述 A 口共享密钥 (CALL- KEY ) 由该 MSCe所产生。  In this embodiment, there are two cases in which the relevant signaling carrying the 2833 encryption control information is transmitted between the BSC and the MSCe. One is that the BSC is used as the key distribution entity, that is, the BSC sends the 2833 encryption control to the MSCe. Signaling of information, wherein the A-port shared key (CALL-KEY) is generated by the BSC; the other is used by the MSCe as a key distribution entity, that is, the MSCe sends a message carrying the 2833 encryption control information to the BSC. The A-port shared key (CALL-KEY) is generated by the MSCe.
在步骤 S33 中, 该信令接收端 (MSCe或 BSC )在接收到上述 2833 加密控制信息后, 通过预先配置的 A口控制密钥 (A1P-KEY )与 2833加 密控制信息中的 A 口密钥信息 (A-SHARE- DATA ) 采用所述的第二加密 算法进行计算(解密过程), 获得 A口共享密钥 ( CALL-KEY )。  In step S33, after receiving the 2833 encryption control information, the signaling receiving end (MSCe or BSC) passes the pre-configured A port control key (A1P-KEY) and the 2833 encryption control information A port key. The information (A-SHARE-DATA) is calculated by the second encryption algorithm (decryption process), and the A-port shared key (CALL-KEY) is obtained.
在步骤 S34中, MSCe使用 H248口控制密钥 ( H248- EY )对该产生 的或解密出来的 A口共享密钥 (CALL-KEY ) 以第三加密算法进行加密, 生成 H248口密钥信息 ( H248-SHARE- DATA )。  In step S34, the MSCe uses the H248 port control key (H248-EY) to encrypt the generated or decrypted A-port shared key (CALL-KEY) with a third encryption algorithm to generate H248 port key information ( H248-SHARE- DATA ).
在步骤 S35 中, MSCe在进行承载建立或承载属性修改时, 在 H248 承载建立请求消息或承载属性修改请求消息中将 2833加密属性信息(其 格式可以为 "a = encrypt jparams:加密算法名称 H248-SHARE-DATA" ) 发送给 MGW, 此处加密算法名称为该第三加密算法的名称。 In step S35, when the MSCe performs bearer establishment or bearer attribute modification, in the H248 The bearer setup request message or the bearer attribute modification request message sends 2833 encrypted attribute information (the format may be "a = encrypt jparams: encryption algorithm name H248-SHARE-DATA") to the MGW, where the encryption algorithm name is the third The name of the encryption algorithm.
在步骤 S36中, MGW接收该 2833加密属性信息后, 采用 H248口控 制密钥(H248-KEY ), 与所接收到的 2833加密属性信息中的 H248口密钥 信息(H248-SHARE- DATA )进行解密计算(采用所述第三加密算法), 获 得 A口共享密钥 (CALL-KEY )。 这样, MGW就获得了与 BSC中相同的 A口共享密钥 ( CALL-KEY )。  In step S36, after receiving the 2833 encrypted attribute information, the MGW adopts an H248 port control key (H248-KEY), and performs H248 port key information (H248-SHARE-DATA) in the received 2833 encrypted attribute information. The decryption calculation (using the third encryption algorithm) obtains the A-port shared key (CALL-KEY). In this way, the MGW obtains the same A-port shared key (CALL-KEY) as in the BSC.
在接下来的步驟 S37中, BSC、 MGW就可以使用相同的 A口共享密 钥 (CALL- KEY ), 进行 2833信息的加解密。  In the next step S37, the BSC and the MGW can use the same A-port shared key (CALL-KEY) to perform encryption and decryption of the 2833 information.
例如, 当呼叫接通后, 用户在 MS中按键, 所拨号码会首先在无线侧 通过带外信令传送到 BSC; BSC先将该按键信息转化为 DTMF信息, 用 A口共享密钥 (CALL-KEY )对该 DTMF信息进行加密, 并在 A2p口通 过 IP/RTP包将该加密后的 DTMF信息以 2833的方式发送给 MGW。MGW 收到该加密后的 DTMF信息后, 用已获得的 A口共享密钥, 对其进行解 密, 获取解密后的 DTMF信息。 同理 MGW也可以将其传送给 BSC的承 载业务进行加密, 在 BSC端再进行解密。 其中, 对 2833信息进行加 /解密 可采用第一加密算法。  For example, when the call is connected, the user presses the button in the MS, and the dialed number is first transmitted to the BSC through the outband signaling on the wireless side; the BSC first converts the button information into DTMF information, and uses the A port to share the key (CALL -KEY) Encrypt the DTMF information, and send the encrypted DTMF information to the MGW in the 2833 mode through the IP/RTP packet at the A2p port. After receiving the encrypted DTMF information, the MGW decrypts the obtained A-port shared key and obtains the decrypted DTMF information. Similarly, the MGW can also transmit it to the BSC's bearer service for encryption and decrypt it at the BSC end. Wherein, the first encryption algorithm can be used for adding/decrypting the 2833 information.
上述的第一加密算法、 第二加密算法及第三加密算法可以是相同的加 密算法, 也可以是互不相同的加密算法, 在实施应用中, 可以根据需要进 行灵活选用。 当选用不同的加密算法时, 可在所扩展参数中增加算法名称 指示, 将用于对密钥进行加密和对 2833信息进行力。密的算法名称同时传 送,则可以支持三个加密算法完全不同,即在上述实例中,在 BSC与 MSCe 之间传送的 2833加密控制信息中携带有用于对 A口共享密钥进行加密的 所述第二加密算法名称及用于对 2833信息进行加密的第一加密算法名称; 而在 MSCe与 MGW之间传送的 2833加密属性信息中携带有用于对该 A 口共享密钥进行加密的所述第三加密算法名称及用于对 2833信息进行加 密的第一加密算法名称。 这样, MGW在接收到该 2833加密属性信息后, 就可以采用第三加密算法恢复所述 A口共享密钥,并采用所述第一加密算 法对 2833信息进行加解密工作。 The foregoing first encryption algorithm, the second encryption algorithm, and the third encryption algorithm may be the same encryption algorithm, or may be different encryption algorithms. In the implementation application, the flexible selection may be performed according to requirements. When different encryption algorithms are selected, an algorithm name indication can be added to the extended parameters, which will be used to encrypt the key and force the 2833 information. If the secret algorithm name is transmitted at the same time, the three encryption algorithms can be completely different. In the above example, the 2833 encryption control information transmitted between the BSC and the MSCe carries the identifier for encrypting the A-port shared key. a second encryption algorithm name and a first encryption algorithm name for encrypting the 2833 information; and the 2833 encryption attribute information transmitted between the MSCe and the MGW carries the first element for encrypting the shared key of the A port The third encryption algorithm name and the first encryption algorithm name used to encrypt the 2833 information. In this way, after receiving the 2833 encryption attribute information, the MGW may recover the A-port shared key by using a third encryption algorithm, and adopt the first encryption calculation. The law encrypts and decrypts the 2833 information.
在图 4中, 示出了本发明的第二实施例。 一般来说, 在现实组网中, 用于信令传送的网络(如上述的 Alp信令、 H248信令链路) 比承载信息 的传送网络控制更为严格, 也更加安全, 所以在图 4中, Alp口和 I-I248 口进行密钥 (即 A口共享密钥)交换时, 无需对密钥进行加密传送, 可以 进行明文传送, 也可以满足较多环境的应用。 对其具体步骤说明如下: 在步骤 S40中, 需要扩展 IOS协议中的信令中的参数, 其扩展方法可 参见本对发明的第一实施例的叙述, 在该扩展参数中, 只需携带用于对 2833信息进行加密的算法名称及所采用的密钥等信息,而无需携带对该密 钥进行加密的算法名称。  In Fig. 4, a second embodiment of the present invention is shown. Generally, in a real-world networking, the network used for signaling (such as the Alp signaling and H248 signaling link described above) is more strict and more secure than the transport network carrying the information, so in Figure 4 When the Alp interface and the I-I248 interface exchange keys (that is, the A-port shared key), the key does not need to be encrypted and transmitted, and the plaintext transmission can be performed, and the application can be satisfied in many environments. The specific steps are as follows: In step S40, the parameters in the signaling in the IOS protocol need to be extended. For the expansion method, refer to the description of the first embodiment of the present invention. In the extended parameter, only the portable parameter is used. The name of the algorithm for encrypting the 2833 information and the key used, without carrying the algorithm name for encrypting the key.
扩展 H248†办议, 定义会话 办议 ( Session Description Protocol, SDP ) 格式的 2833 加密属性。 该 2833 加密属性的格式可为 " a = encryptjparams: 加密算法名称 密钥 ",该格式包括三部分。例如对于 RC4 算法 , 其 2833力。密属性可能表现为 "a = encrypt_params: rc4 a6Z*oplK" , 其中 "a6Z*oplK" 为加密后的 32位密钥。  Extend the H248 to define the 2833 encryption attribute in the Session Description Protocol (SDP) format. The format of the 2833 encryption attribute can be "a = encryptjparams: encryption algorithm name key", which consists of three parts. For example, for the RC4 algorithm, its 2833 force. The secret attribute may appear as "a = encrypt_params: rc4 a6Z*oplK" , where "a6Z*oplK" is the encrypted 32-bit key.
在步驟 S41中,呼叫建立时或呼叫过程中, BSC与 MSCe之间传送携 带有 2833加密控制信息的相关信令; 例如在相关信令中的相应参数(如 A2p承载格式特征参数) 中携带有 2833 加密控制信息, 表示该次呼叫需 要进行 2833加密。 其中, 该 2833加密控制信息中包含有 A口共享密钥 ( CALL-KEY )、 对 2833信息加密所采用的加密算法(第一加密算法)等 信息, 所述 A口共享密钥(CALL- KEY )在每次呼叫中都是不相同的, 例 如, 其可以随机产生。  In step S41, during the call setup or during the call, the BSC and the MSCe transmit the relevant signaling carrying the 2833 encryption control information; for example, the corresponding parameters in the relevant signaling (such as the A2p bearer format feature parameter) are carried in the relevant signaling. 2833 Encryption control information, indicating that the call requires 2833 encryption. The 2833 encryption control information includes an A-port shared key (CALL-KEY), an encryption algorithm (first encryption algorithm) used for encrypting the 2833 information, and the A-port shared key (CALL-KEY). ) is different in every call, for example, it can be generated randomly.
在该实施例中, 在 BSC与 MSCe之间传送携带有 2833加密控制信息 的相关信令存在两种情况, 一种是由 BSC作为密钥分发主体, 即由 BSC 向 MSCe发送携带有 2833加密控制信息的信令, 其中, 所述 A口共享密 钥 (CALL-KEY ) 由该 BSC产生; 另一种是由 MSCe作为密钥分发主体, 即由 MSCe向 BSC发送携带有 2833加密控制信息的信令, 其中, 所述 A 口共享密钥 (CALL-KEY ) 由该 MSCe所产生。  In this embodiment, there are two cases in which the relevant signaling carrying the 2833 encryption control information is transmitted between the BSC and the MSCe. One is that the BSC is used as the key distribution entity, that is, the BSC sends the 2833 encryption control to the MSCe. Signaling of information, wherein the A-port shared key (CALL-KEY) is generated by the BSC; the other is used by the MSCe as a key distribution entity, that is, the MSCe sends a message carrying the 2833 encryption control information to the BSC. In the order, the A-port shared key (CALL-KEY) is generated by the MSCe.
在步骤 S42中, 该信令的接收方 (如 MSCe或 BSC )在接收到上述 2833加密控制信息后, 取出其中 A口共享密钥 (CALL- KEY )及所述第 一加密算法名称信息。且在 MSCe端利用其所产生或获得的 A口共享密钥 ( CALL-KEY )生成一个 2833加密属性信息(其格式为 "a = encrypt_params: 加密算法名称 密钥), 其中, 加密算法名称为第一加密算法名称, 密钥 为 A口共享密钥 ( CALL-KEY )。 In step S42, the recipient of the signaling (such as MSCe or BSC) receives the above After the 2833 encryption control information, the A-port shared key (CALL-KEY) and the first encryption algorithm name information are extracted. And generating, by the MSCe end, a 2833 encryption attribute information (the format is "a = encrypt_params: encryption algorithm name key" by using the A-port shared key (CALL-KEY) generated or obtained, wherein the encryption algorithm name is An encryption algorithm name, the key is the A-port shared key (CALL-KEY).
在步骤 S43 中, MSCe在进行承载建立或承载属性修改时, 在 H248 承载建立请求消息或承载属性修改请求消息中将该 2833加密属性信息(其 格式可以为 "a = encrypt__params:加密算法名称 H248-SHARE-DATA" ) 发送给 MGW。  In step S43, the MSCe performs the bearer establishment or bearer attribute modification, and the 2833 encrypted attribute information (the format may be "a = encrypt__params: encryption algorithm name H248-" in the H248 bearer setup request message or the bearer attribute modification request message. SHARE-DATA" ) is sent to the MGW.
在步骤 S44中 , MGW接收该 2833加密属性信息后, 获得 A口共享 密钥 (CALL-KEY )及第一加密算法名称。 BSC、 MGW就可以使用相同 的 A口共享密钥( CALL-KEY ),采用第一加密算法对传送的或接收的 2833 信息进行加解密。  In step S44, after receiving the 2833 encrypted attribute information, the MGW obtains an A-port shared key (CALL-KEY) and a first encryption algorithm name. The BSC and the MGW can use the same A-port shared key (CALL-KEY) to encrypt and decrypt the transmitted or received 2833 information by using the first encryption algorithm.
在本发明的实施例中, 在呼叫建立后, 可以决定使用新的 A口共享密 钥。 其密钥传送过程与上述两个实施例类似。 简述如下, 在 BSC和 MSCe 之间传送携带有 A口密钥信息的消息(例如承载更新响应消息);在 MSCe 或 BSC端解密出该 A口密钥信息中的新的 A口共享密钥; MSCe在承载 修改消息中给 MGW发送包含有该 A口共享密钥的 2833加密属性消息, 其中, 可以对该 A口共享密钥进行加密处理; 则 MGW获得(可能需要解 密 )该新 A口共享密钥; 至此, BSC和 MGW都获取到相同的新 A口共 享密钥, 就可以使用新的 A口共享密钥对需传送的或已接收到的 2833信 息进行加解密处理。  In an embodiment of the invention, after the call is established, it may be decided to use the new A-port shared key. Its key transfer process is similar to the two embodiments described above. Briefly described as follows, a message carrying A-port key information (for example, a bearer update response message) is transmitted between the BSC and the MSCe; and a new A-port shared key in the A-port key information is decrypted at the MSCe or BSC end. The MSCe sends a 2833 encrypted attribute message containing the shared key of the A port to the MGW in the bearer modification message, where the shared key of the A port can be encrypted; then the MGW obtains (may need to decrypt) the new A port. The shared key; At this point, both the BSC and the MGW obtain the same new A-port shared key, and the new A-port shared key can be used to encrypt and decrypt the 2833 information to be transmitted or received.
如图 5所示, 示出了本发明进行切换后对密钥进行交换的实施例的流 程图。 在呼叫建立后, 且发生硬切换的情形下, 则需要使目标 BSC和目 标 MSCe能获得相同的加密密钥。  As shown in Figure 5, a flow diagram of an embodiment of the present invention for exchanging keys after switching is shown. In the case where the call is established and a hard handoff occurs, it is necessary to enable the target BSC and the target MSCe to obtain the same encryption key.
在步骤 S51中, 目标 BSC和服务 MSCe之间配置 A口控制密钥, 该 A口控制密钥可与切换前的 A口控制密钥相同或不同; 目标 MGW和服务 MSCe之间配置 H248口控制密钥 ,该 H248口控制密钥可与切换前的 H248 口控制密钥相同或不同。 在步骤 S52中, 在目标 BSC与服务 MSCe之间传送携带有 2833加密 控制信息的相关信令。在本发明中,是在相关信令中的 A2p承载格式特征 参数中携带有 2833加密控制信息。所述信令可包括:呼叫请求消息(Paging Request )、 指配请求消息 ( Assignment Request )、 增值业务通知消息 ( Additional Service Notification 业务通知消息 ( Service Notification )、 承载更新申请消息 (Bearer Update Required )、 承载更新响应消息 (Bearer Update Response )或切换请求消息( Handoff Request )。 上述各消息在 BSC 与 MSCe之间的交换流程与协议定义的正常承载信息交换流程相同。其中, 该 2833加密控制信息中包含有 A口密钥信息、 所釆用的加密算法(下称 第二加密算法)等信息, 该第二加密算法为一对称算法(如 RC4算法), 该所述 A口密钥信息是由所述 A口共享密钥与所述 A口控制密钥利用该 第二加密算法加密而来, 所述 A口共享密钥与切换前所采用的 A口共享 密钥可以相同, 也可以不同。 In step S51, an A-port control key is configured between the target BSC and the serving MSCe, and the A-port control key may be the same as or different from the A-port control key before the handover; H248 port control is configured between the target MGW and the serving MSCe. Key, the H248 port control key can be the same as or different from the H248 port control key before the switch. In step S52, related signaling carrying 2833 encryption control information is transmitted between the target BSC and the serving MSCe. In the present invention, 2833 encryption control information is carried in the A2p bearer format feature parameter in the related signaling. The signaling may include: a Paging Request, an Assignment Request, a Service Notification, a Bearer Update Required message, and a Bearer Update Required message. The bearer update response message or the handoff request message is carried out. The exchange process between the BSC and the MSCe is the same as the normal bearer information exchange process defined by the protocol, where the 2833 encryption control information is included. There is information such as A port key information, an encryption algorithm used (hereinafter referred to as a second encryption algorithm), and the second encryption algorithm is a symmetric algorithm (such as RC4 algorithm), and the A port key information is The A-port shared key and the A-port control key are encrypted by using the second encryption algorithm, and the A-port shared key may be the same as or different from the A-port shared key used before the handover.
在该实施例中, 在目标 BSC与服务 MSCe之间传送携带有 2833加密 控制信息的相关信令存在两种情况, 一种是由目标 BSC作为密钥分发主 体, 即由目标 BSC向服务 MSCe发送携带有 2833加密控制信息的信令, 其中, 所述 A口共享密钥由该目标 BSC产生; 另一种是由服务 MSCe作 为密钥分发主体, 即由服务 MSCe向目标 BSC发送携带有 2833加密控制 信息的信令, 其中, 所述 A口共享密钥由该服务 MSCe所产生。  In this embodiment, there are two cases in which the relevant signaling carrying the 2833 encryption control information is transmitted between the target BSC and the serving MSCe. One is that the target BSC is used as the key distribution entity, that is, the target BSC sends the information to the serving MSCe. The signaling carries the 2833 encryption control information, where the A-port shared key is generated by the target BSC; the other is used by the serving MSCe as a key distribution entity, that is, the serving MSCe sends the 2833 encryption to the target BSC. Controlling signaling of the information, wherein the A-port shared key is generated by the serving MSCe.
在步骤 S53中, 该信令接收端(服务 MSCe或目标 BSC )在接收到上 述 2833加密控制信息后,通过预先配置的 A口控制密钥与 2833加密控制 信息中的 A口密钥信息釆用所述的第二加密算法进行计算(解密过程), 获得 A口共享密钥。  In step S53, after receiving the 2833 encryption control information, the signaling receiving end (the serving MSCe or the target BSC) uses the pre-configured A port control key and the A port key information in the 2833 encryption control information. The second encryption algorithm performs a calculation (decryption process) to obtain an A-port shared key.
在步骤 S54中, 服务 MSCe使用 H248口控制密钥对该产生的或解密 出来的 A口共享密钥以第三加密算法进行加密, 生成 H248口密钥信息。  In step S54, the serving MSCe encrypts the generated or decrypted A-port shared key with the H248 interface control key by using a third encryption algorithm to generate H248 port key information.
在步骤 S55 中, 服务 MSCe在进行承载建立或承载属性修改时, 在 H248承载属性修改请求消息中将 2833加密属性信息(其格式可以为 "a = encrypt_params: 加密算法名称 H248口控制密钥")发送给目标 MGW, 此处加密算法名称为该第三加密算法的名称。 在步骤 S56中, 目标 MGW接收该 2833加密属性信息后 , 采用 H248 口控制密钥,与所接收到的 2833加密属性信息中的 H248口密钥信息进行 解密计算(采用所述第三加密算法),获得 A口共享密钥。这样,目标 MGW 就获得了与目标 BSC中相同的 A口共享密钥。 In step S55, when the bearer establishment or bearer attribute modification is performed, the serving MSCe encrypts the attribute information in the H248 bearer attribute modification request message (the format may be "a = encrypt_params: encryption algorithm name H248 port control key") Sent to the target MGW, where the encryption algorithm name is the name of the third encryption algorithm. In step S56, after receiving the 2833 encrypted attribute information, the target MGW uses the H248 port control key to perform decryption calculation with the H248 port key information in the received 2833 encrypted attribute information (using the third encryption algorithm). , get the A port shared key. In this way, the target MGW obtains the same A-port shared key as in the target BSC.
在接下来的步驟 S57中, 目标 BSC;、 目标 MGW就可以使用相同的密 钥, 对需传送的或已接收到的 2833信息进行加解密处理。  In the next step S57, the target BSC; the target MGW can use the same key to perform encryption and decryption processing on the 2833 information to be transmitted or received.
同样, 在该实施例中, 在服务 MSCe和目标 BSC之间、 服务 MSCe 和目标 MGW之间进行密钥(即 A口共享密钥)交换时, 无需对密钥进行 加密传送(诸如, 以明文形式传送)。 该过程与图 4所示的实施例类似, 不在此详述。  Also, in this embodiment, when a key (ie, A-port shared key) exchange is performed between the serving MSCe and the target BSC, between the serving MSCe and the target MGW, there is no need to encrypt the key (for example, in plaintext) Form transfer). This process is similar to the embodiment shown in Figure 4 and will not be described in detail herein.
本发明的实施例在 CDMA中实现对 2833信息进行加密传送, 通过在 建立呼叫时、呼叫过程中或进行呼叫切换后,扩展 IOS协议的 A2p承载格 式特征参数及扩展 H248协议。且通过 BSC (或目标 BSC )和 MSCe之间、 MSCe和 MGW (或目标 MGW )之间进行密钥信息交换, 使 MGW (或目 标 MGW )端获得与 BSC (或目标 BSC )端相同的密钥。 然后利用该密钥 对 A2p口中的 2833信息进行加密传送。 可以保证在 A2p口上进行 DTMF 信息传送的安全性,从而保障移动用户的利益,提高运营商的服务满意度。  The embodiment of the present invention implements encrypted transmission of 2833 information in CDMA, and extends the A2p bearer format characteristic parameter of the IOS protocol and the extended H248 protocol by establishing a call, during a call, or after a call handover. And the key information exchange between the BSC (or the target BSC) and the MSCe, between the MSCe and the MGW (or the target MGW), so that the MGW (or the target MGW) end obtains the same key as the BSC (or the target BSC) end. . Then, the key is used to encrypt and transmit the 2833 information in the A2p port. It can guarantee the security of DTMF information transmission on the A2p port, thus protecting the interests of mobile users and improving the service satisfaction of operators.
请参阅图 6, 本发明的移动通信系统的一个实施例中, 包括基站控制 器( BSC ) 220、媒体网关( MGW ) 230和移动交换中心仿真实体( MSCe ) 240。  Referring to FIG. 6, an embodiment of the mobile communication system of the present invention includes a base station controller (BSC) 220, a media gateway (MGW) 230, and a mobile switching center emulation entity (MSCe) 240.
其中, 所述 BSC 220包括:  The BSC 220 includes:
信令处理单元 610, 用于向 MSCe 240发送携带有 2833加密控制信息 的相关信令;所述 2833加密控制信息中包含有 A口密钥信息及用于对 2833 信息进行加密的第一加密算法名称;  The signaling processing unit 610 is configured to send, to the MSCe 240, related signaling that carries the 2833 encryption control information, where the 2833 encryption control information includes the A-port key information and the first encryption algorithm used to encrypt the 2833 information. Name
信息传输单元 620 , 用于实现和 MGW 230之间的 2833信息传输, 利 用所述 A口密钥信息对应的 A口共享密钥和第一加密算法对 2833信息进 行处理。  The information transmission unit 620 is configured to implement 2833 information transmission with the MGW 230, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
所述 MSCe 240包括:  The MSCe 240 includes:
信令处理单元 630, 用于从 BSC 220接收携带有 2833加密控制信息 的相关信令;所述 2833加密控制信息中包含有 A口密钥信息及用于对 2833 信息进行加密的第一加密算法名称; The signaling processing unit 630 is configured to receive, from the BSC 220, the 2833 encrypted control information. Corresponding signaling; the 2833 encryption control information includes A-port key information and a first encryption algorithm name used to encrypt 2833 information;
加密属性信息处理单元 640,用于利用所述 2833加密控制信息中的 A 口密钥信息对应的 A口共享密钥生成 2833加密属性信息,并将 2833加密 属性信息发送给 MGW 230; 所述 2833加密属性信息包含所述第一加密算 法名称及 H248口密钥信息。  The encryption attribute information processing unit 640 is configured to generate 2833 encrypted attribute information by using the A port shared key corresponding to the A port key information in the 2833 encryption control information, and send the 2833 encrypted attribute information to the MGW 230; The encrypted attribute information includes the first encryption algorithm name and H248 port key information.
所述 MGW 230包括:  The MGW 230 includes:
加密属性信息处理单元 650, 用于 >据 MSCe 240发出的 2833加密属 性信息获得 A口共享密钥和笫一加密算法;  The encryption attribute information processing unit 650 is configured to: obtain an A-port shared key and a first encryption algorithm according to the 2833 encryption attribute information sent by the MSCe 240;
信息传输单元 660, 用于实现和 BSC 220之间的 2833信息传输, 利 用所述 A口密钥信息对应的 A口共享密钥和第一加密算法对 2833信息进 行处理。  The information transmission unit 660 is configured to implement 2833 information transmission with the BSC 220, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
在一个实施例中, 所述信令处理单元 610包括: A口密钥信息生成单 元 611,用于将所述 A口共享密钥与预先配置的 A口控制密钥利用第二加 密算法加密生成所述 A口密钥信息; 加密控制信息填^单元 612, 用于在 2833加密控制信息中携带所述 A口密钥信息、 第一加密算法名称和第二 加密算法名称; 信令发送单元 613, 用于发送携带有所述 2833加密控制信 息的相关信令。  In an embodiment, the signaling processing unit 610 includes: an A-port key information generating unit 611, configured to encrypt the A-port shared key and a pre-configured A-port control key by using a second encryption algorithm. The A-port key information; the encryption control information filling unit 612 is configured to carry the A-port key information, the first encryption algorithm name, and the second encryption algorithm name in the 2833 encryption control information; the signaling sending unit 613 And for transmitting related signaling carrying the 2833 encryption control information.
所述加密控制信息填充单元 612可以为 A2p承载格式特征参数扩展单 元, 用于将所述 A口密钥信息、 第一加密算法名称和第二加密算法名称填 充至 A2p承载格式特征参数中。  The encryption control information filling unit 612 may be an A2p bearer format feature parameter expansion unit, configured to fill the A-port key information, the first encryption algorithm name, and the second encryption algorithm name into the A2p bearer format feature parameter.
此种情况下, 所述 MSCe 240的信令处理单元 630包括: 信令接收单 元 631, 用于接收携带有所述 2833加密控制信息的相关信令; 所述 2833 加密控制信息中包含有 A口密钥信息及用于对 2833信息进行加密的第一 加密算法名称; 信息获得单元 632, 用于从所述 2833加密控制信息中获得 A口密钥信息和第二加密算法; A口共享密钥获得单元 633 , 用于利用所 述第二加密算法对 A口密钥信息解密, 获得 A口共享密钥。  In this case, the signaling processing unit 630 of the MSCe 240 includes: a signaling receiving unit 631, configured to receive related signaling that carries the 2833 encrypted control information; and the 2833 encrypted control information includes an A port. The key information and the first encryption algorithm name used to encrypt the 2833 information; the information obtaining unit 632 is configured to obtain the A port key information and the second encryption algorithm from the 2833 encryption control information; The obtaining unit 633 is configured to decrypt the A port key information by using the second encryption algorithm to obtain an A port shared key.
在一个实施例中 ,所述 MSCe 240的加密属性信息处理单元 640包括: H248 口密钥信息生成单元 641 , 用于采用该 A口共享密钥与预先配置的 H248口控制密钥以第三加密算法进行加密生成所述 H248口密钥信息;加 密属性信息填充单元 642, 用于在 2833加密属性信息中携带 H248口密钥 信息、 第一加密算法名称和预先配置的第三加密算法名称; 加密属性信息 发送单元 643, 用于在进行承载建立或者承载属性修改时,将该 2833加密 属性信息发送给媒体网关。 In an embodiment, the encryption attribute information processing unit 640 of the MSCe 240 includes: an H248 port key information generating unit 641, configured to use the A port shared key and the pre-configured The H248 port control key is encrypted by the third encryption algorithm to generate the H248 port key information. The encrypted attribute information filling unit 642 is configured to carry the H248 port key information, the first encryption algorithm name, and the pre-invention in the 2833 encryption attribute information. The configured third encryption algorithm name; the encryption attribute information sending unit 643 is configured to send the 2833 encrypted attribute information to the media gateway when performing bearer establishment or bearer attribute modification.
其中, 所述加密属性信息填充单元 642为 H248信令填充单元, 用于 将所述 2833加密属性信息承载在扩展后的 H248信令中。  The ciphering attribute information filling unit 642 is an H248 signaling filling unit, and is configured to carry the 2833 ciphering attribute information in the extended H248 signaling.
此种情况下, 所述 MGW 230的加密属性信息处理单元 650包括: 信 息获得单元 651 , 用于从所述 2833加密属性信息中获得 H248口密钥信息 和第三加密算法; H248 口密钥信息处理单元 652, 用于采用预先配置的 H248口控制密钥, 对该 H248口密钥信息以第三加密算法进行解密计算, 获得 A口共享密钥, 并从该 H248口密钥信息中获得第一加密算法名称。  In this case, the encryption attribute information processing unit 650 of the MGW 230 includes: an information obtaining unit 651, configured to obtain H248 port key information and a third encryption algorithm from the 2833 encrypted attribute information; H248 port key information The processing unit 652 is configured to use a pre-configured H248 port control key, perform decryption calculation on the H248 port key information by using a third encryption algorithm, obtain an A port shared key, and obtain the first key from the H248 port key information. An encryption algorithm name.
请参阅图 7, 本发明的移动通信系统的另一个实施例中, 包括基站控 制器( BSC ) 220、媒体网关( MGW ) 230和移动交换中心仿真实体( MSCe ) 240。  Referring to FIG. 7, another embodiment of the mobile communication system of the present invention includes a base station controller (BSC) 220, a media gateway (MGW) 230, and a mobile switching center emulation entity (MSCe) 240.
该实施例与图 6所示的实施例大致相同, 不同之处在于, 该实施例中 是由 MSCe 240向 BSC 220发送携带有 2833加密控制信息的相关信令。  This embodiment is substantially the same as the embodiment shown in FIG. 6, except that in this embodiment, the MSCe 240 transmits the relevant signaling carrying the 2833 encryption control information to the BSC 220.
其中, 所述 MSCe 240包括:  The MSCe 240 includes:
信令处理单元 630, 用于向 BSC 220发送携带有 2833加密控制信息 的相关信令;所述 2833加密控制信息中包含有 A口密钥信息及用于对 2833 信息进行加密的第一加密算法名称;  The signaling processing unit 630 is configured to send, to the BSC 220, related signaling that carries the 2833 encryption control information, where the 2833 encryption control information includes the A-port key information and the first encryption algorithm used to encrypt the 2833 information. Name
加密属性信息处理单元 640,用于利用所述 2833加密控制信息中的 A 口密钥信息对应的 A口共享密钥生成 2833加密属性信息,并将 2833加密 属性信息发送给 MGW 230; 所述 2833加密属性信息包含所述第一加密算 法名称及 H248口密钥信息。  The encryption attribute information processing unit 640 is configured to generate 2833 encrypted attribute information by using the A port shared key corresponding to the A port key information in the 2833 encryption control information, and send the 2833 encrypted attribute information to the MGW 230; The encrypted attribute information includes the first encryption algorithm name and H248 port key information.
所述 BSC 220包括:  The BSC 220 includes:
信令处理单元 610, 用于从 MSCe 240接收携带有 2833加密控制信息 的相关信令;所述 2833加密控制信息中包含有 A口密钥信息及用于对 2833 信息进行加密的第一加密算法名称; 信息传输单元 620, 用于实现和 MGW 230之间的 2833信息传输, 利 用所述 A口密钥信息对应的 A口共享密钥和第一加密算法对 2833信息进 行处理。 The signaling processing unit 610 is configured to receive, from the MSCe 240, related signaling that carries the 2833 encryption control information, where the 2833 encryption control information includes the A-port key information and the first encryption algorithm used to encrypt the 2833 information. name; The information transmission unit 620 is configured to implement 2833 information transmission with the MGW 230, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
在一个实施例中, 所述 MSCe 240的信令处理单元 630包括: A口密 钥信息生成单元 631 ,用于将所述 A口共享密钥与预先配置的 A口控制密 钥利用第二加密算法加密生成所述 A口密钥信息;加密控制信息填充单元 632, 用于在 2833加密控制信息中携带所述 A口密钥信息、第一加密算法 名称和第二加密算法名称。 信令发送单元 633 , 用于发送携带有所述 2833 加密控制信息的相关信令。  In an embodiment, the signaling processing unit 630 of the MSCe 240 includes: an A-port key information generating unit 631, configured to use the second encryption by using the A-port shared key and the pre-configured A-port control key. The algorithm encrypts the A-port key information, and the encryption control information filling unit 632 is configured to carry the A-port key information, the first encryption algorithm name, and the second encryption algorithm name in the 2833 encryption control information. The signaling sending unit 633 is configured to send related signaling that carries the 2833 encrypted control information.
所述加密控制信息填充单元 632可以为 A2p承载格式特征参数扩展单 元, 用于将所述 A口密钥信息、 第一加密算法名称和第二加密算法名称填 充至 A2p承载格式特征参数中。  The encryption control information filling unit 632 may be an A2p bearer format feature parameter extension unit, configured to fill the A-port key information, the first encryption algorithm name, and the second encryption algorithm name into the A2p bearer format feature parameter.
此种情况下, 所述 BSC 220的信令处理单元 610包括: 信令接收单元 611 , 用于接收携带有所述 2833加密控制信息的相关信令; 所述 2833加 密控制信息中包含有 A口密钥信息及用于对 2833信息进行加密的第一加 密算法名称; 信息获得单元 612, 用于从所述 2833加密控制信息中获得 A 口密钥信息和第二加密算法; A口共享密钥获得单元 613, 用于利用所述 第二加密算法对 A口密钥信息解密, 获得 A口共享密钥。  In this case, the signaling processing unit 610 of the BSC 220 includes: a signaling receiving unit 611, configured to receive related signaling carrying the 2833 encrypted control information; and the 2833 encrypted control information includes an A port. The key information and the first encryption algorithm name used to encrypt the 2833 information; the information obtaining unit 612 is configured to obtain the A port key information and the second encryption algorithm from the 2833 encryption control information; The obtaining unit 613 is configured to decrypt the A port key information by using the second encryption algorithm to obtain an A port shared key.
上述实施例中, 是通过第三方来完成通信双方之间的共享密钥的传送 和交换。 本领域的技术人员理解, 也可以通过通信双方之间的协商来确定 数据加密密钥。  In the above embodiment, the transmission and exchange of the shared key between the two parties are completed by a third party. Those skilled in the art understand that the data encryption key can also be determined by negotiation between the communicating parties.
请参见图 8, 本发明中, 通过通信双方之间的协商确定数据加密密钥 的实施例的流程包括:  Referring to FIG. 8, in the present invention, the process of determining an embodiment of a data encryption key by negotiation between two communicating parties includes:
步骤 101 : 主叫通信节点(第一通信节点)、 被叫通信节点(第二通信 节点) 中预先设置有相同的公共密钥和加密策略。 主叫通信节点向被叫通 信节点发送呼叫建立请求, 该呼叫建立请求可以由 Q931协议的 Setup消 息实现。  Step 101: The same public key and encryption policy are preset in the calling communication node (the first communication node) and the called communication node (the second communication node). The calling communication node sends a call setup request to the called communication node, which can be implemented by the Setup message of the Q931 protocol.
步骤 102: 被叫通信节点收到来自主叫通信节点的呼叫建立请求后, 向主叫通信节点发送呼叫处理响应, 通知主叫通信节点呼叫正在处理中。 所述呼叫处理响应可以由 Q931协议的 Call Proceedin 消息实现。 Step 102: After receiving the call setup request from the calling communication node, the called communication node sends a call processing response to the calling communication node to notify the calling communication node that the call is being processed. The call processing response can be implemented by a Call Proceedin message of the Q931 protocol.
步骤 103: 被叫通信节点向主叫通信节点发送振铃消息, 通知主叫通 信节点被叫通信节点正在振铃。所述振铃消息可以由 Q931协议的 Alerting 消息实现。  Step 103: The called communication node sends a ringing message to the calling communication node to notify the calling communication node that the called communication node is ringing. The ringing message can be implemented by an alerting message of the Q931 protocol.
步骤 104: 当被叫通信节点以摘机等方式接受来自主叫通信节点的呼 叫时, 被叫通信节点向主叫通信节点发送呼叫应答响应。  Step 104: When the called communication node accepts the call from the calling communication node by off-hook or the like, the called communication node sends a call response response to the calling communication node.
步骤 105: 主、 被叫通信节点之间进行连接建立过程, 以建立用于支 持主、 被叫通信节点间通信的通信连接。  Step 105: A connection establishment process is performed between the primary and the called communication nodes to establish a communication connection for supporting communication between the primary and the called communication nodes.
具体的连接建立过程通常包括: 被叫通信节点向主叫通信节点发送至 少包含被叫通信节点通信标识的连接建立请求; 主叫通信节点收到来自被 叫通信节点的连接建立请求后, 确定与该连接建立请求中包含的通信标识 所对应的通信节点通信, 并向被叫通信节点发送包含主叫通信节点通信标 识的连接建立响应; 被叫通信节点收到来自主叫通信节点的连接建立响应 后, 确定与该连接建立响应中包含的通信标识所对应的通信节点通信。 当 然, 如果步骤 101中的呼叫建立请求中携带有主叫通信节点通信标识, 被 叫通信节点则在收到该通信标识后确定与该通信标识所对应的通信节点 通信 , 主叫通信节点不需要在上述连接建立响应中携带所述通信标识。  The specific connection establishment process generally includes: the called communication node sends a connection establishment request including at least the called communication node communication identifier to the calling communication node; and the calling communication node receives the connection establishment request from the called communication node, determines and The communication node corresponding to the communication identifier included in the connection establishment request communicates, and sends a connection establishment response including the communication identifier of the calling communication node to the called communication node; the called communication node receives the connection establishment response from the calling communication node After that, it is determined that the communication node corresponding to the communication identifier included in the connection establishment response communicates. Certainly, if the call setup request in step 101 carries the caller communication node communication identifier, the called communication node determines to communicate with the communication node corresponding to the communication identifier after receiving the communication identifier, and the calling communication node does not need to The communication identifier is carried in the connection establishment response.
上述的连接建立过程可以由 Q931协议的 Connect消息实现, 也可以 由 H245协议实现。 如果由 H245协议实现, 所述通信标识则包含 H245网 际协议 ( IP )地址和 H245协议支持的监听端口号。  The above connection establishment process can be implemented by the Connect message of the Q931 protocol or by the H245 protocol. If implemented by the H245 protocol, the communication identifier includes an H245 Internet Protocol (IP) address and a listening port number supported by the H245 protocol.
步骤 106: 当主叫通信节点具有通信加密能力时, 主叫通信节点发起 与被叫通信节点之间的通信加密能力协商过程。 该协商过程所包含的操作 主要为: 主叫通信节点向被叫通信节点发送通信加密能力协商请求, 该通 信加密能力协商请求中至少包含主叫通信节点的媒体能力信息和通信加 密能力信息。 其中, 媒体能力信息代表主叫通信节点所具有的媒体能力, 具体而言 , 所述媒体能力信息代表主叫通信节点进行数据通信时所具有的 媒体编解码能力; 通信加密能力信息代表主叫通信节点具有加密通信能 力。 所述通信加密能力信息可以以一个扩展字段表示。  Step 106: When the calling communication node has communication encryption capability, the calling communication node initiates a communication encryption capability negotiation process with the called communication node. The operation included in the negotiation process is mainly as follows: The calling communication node sends a communication encryption capability negotiation request to the called communication node, where the communication encryption capability negotiation request includes at least the media capability information and the communication encryption capability information of the calling communication node. The media capability information represents a media capability of the calling communication node. Specifically, the media capability information represents a media encoding and decoding capability of the calling communication node when performing data communication; the communication encryption capability information represents a calling communication. The node has encrypted communication capabilities. The communication encryption capability information may be represented by an extended field.
被叫通信节点收到来自主叫通信节点的通信加密能力协商请求后, 判 断自身是否具有通信加密能力以及与主叫通信节点存在交集的媒体能力, 如果具有, 被叫通信节点向主叫通信节点发送通信加密能力协商响应, 该 通信加密能力协商响应中可以携带有被叫通信节点的媒体能力信息和通 信加密能力信息;否则,被叫通信节点向主叫通信节点发送协商失败消息, 主叫通信节点收到该协商失败消息后停止与被叫通信节点进行后续有关 加密通信的操作。 主、 被叫通信节点中通常预先设置有通信加密能力和各 自具有的媒体能力。 After the called communication node receives the communication encryption capability negotiation request from the calling communication node, it is judged Whether the communication encryption capability and the media capability of the intersection with the calling communication node are present, if the called communication node sends a communication encryption capability negotiation response to the calling communication node, the communication encryption capability negotiation response may carry the called party The media capability information and the communication encryption capability information of the communication node; otherwise, the called communication node sends a negotiation failure message to the calling communication node, and the calling communication node stops performing subsequent encrypted communication with the called communication node after receiving the negotiation failure message. Operation. The communication encryption capability and the respective media capabilities are usually preset in the primary and called communication nodes.
图 8所示流程是以通信加密能力协商成功为例的。  The process shown in Figure 8 is based on the success of communication encryption capability negotiation.
所述被叫通信节点判断自身是否具有通信加密能力的方法有多种, 如: 在被叫通信节点的通信配置参数中添加加密使能, 并由操作人员预先 将该加密使能设置为使能或禁止。 那么, 当被叫通信节点查询自身的通信 配置参数时, 如果获知加密使能当前为使能状态, 被叫通信节点确定自身 具有通信加密能力; 否则, 被叫通信节点确定自身不具有通信加密能力。  There are various methods for the called communication node to determine whether it has communication encryption capability, such as: adding encryption enablement in the communication configuration parameter of the called communication node, and the encryption setting is enabled by the operator in advance. Or prohibited. Then, when the called communication node queries its own communication configuration parameters, if it is known that the encryption enable is currently enabled, the called communication node determines that it has communication encryption capability; otherwise, the called communication node determines that it does not have communication encryption capability. .
如果将上述通信加密能力协商过程的主要操作具体化, 则主叫通信节 点发起的与被叫通信节点之间的通信加密能力协商过程可以有多种, 第一 种通信加密能力协商过程为:  If the main operation of the communication encryption capability negotiation process is embodied, the communication encryption capability negotiation process initiated by the calling communication node and the called communication node may be various. The first communication encryption capability negotiation process is:
主叫通信节点向被叫通信节点发送包含媒体能力信息和通信加密能 力信息的通信加密能力协商请求, 并且所述通信加密能力信息以公共密钥 表示, 即: 所述通信加密能力协商请求中包含的公共密钥代表主叫通信节 点具有通信加密能力。 被叫通信节点收到来自主叫通信节点的通信加密能 力协商请求后, 应用现有技术获取自身具有的媒体能力, 并比较获取的媒 体能力与所述通信加密能力协商请求中包含的媒体能力信息所代表的媒 体能力是否存在交集, 如果存在交集, 被叫通信节点确定自身具有与主叫 通信节点存在交集的媒体能力; 否则, 被叫通信节点确定自身不具有与主 叫通信节点存在交集的媒体能力。  The calling communication node sends a communication encryption capability negotiation request including the media capability information and the communication encryption capability information to the called communication node, and the communication encryption capability information is represented by a public key, that is, the communication encryption capability negotiation request includes The public key represents the communication encryption capability of the calling communication node. After receiving the communication encryption capability negotiation request from the calling communication node, the called communication node obtains the media capability that it has by using the existing technology, and compares the acquired media capability with the media capability information included in the communication encryption capability negotiation request. Whether there is an intersection of the represented media capabilities. If there is an intersection, the called communication node determines that it has the media capability of the intersection with the calling communication node; otherwise, the called communication node determines that it does not have the media that intersects with the calling communication node. ability.
被叫通信节点还确定自身是否具有通信加密能力, 如果具有, 被叫通 信节点应用预先设置的所述加密策略对所述通信加密能力协商请求中包 含的公共密钥进行加密, 并将加密结果作为后续与主叫通信节点通信时的 被叫侧数据加密密钥。 之后, 被叫通信节点向主叫通信节点发送通信加密 能力协商响应, 通知主叫通信节点被叫通信节点具有通信加密能力以及与 主叫通信节点存在交集的媒体能力; 主叫通信节点收到来自被叫通信节点 的通信加密能力协商响应后, 确定可以与主叫通信节点进行加密通信, 并 应用预先设置的所述加密策略对所述公共密钥进行加密, 并将加密结果作 为后续与被叫通信节点通信时的主叫侧数据加密密钥。 The called communication node further determines whether it has communication encryption capability, and if so, the called communication node applies the encryption policy preset in advance to encrypt the public key included in the communication encryption capability negotiation request, and uses the encryption result as The called side data encryption key when subsequently communicating with the calling communication node. After that, the called communication node sends a communication encryption to the calling communication node. The capability negotiation response notifies the calling communication node that the called communication node has the communication encryption capability and the media capability that intersects with the calling communication node; the calling communication node receives the communication encryption capability negotiation response from the called communication node, and determines that Performing encrypted communication with the calling communication node, and encrypting the public key by applying the encryption policy set in advance, and using the encryption result as a calling side data encryption key when communicating with the called communication node.
当然, 主、 被叫通信节点也可以不应用所述加密策略对所述公共密钥 进行加密, 而是分别将所述公共密钥直接作为后续通信时的主、 被叫侧数 据加密密钥。  Of course, the master and the called communication node may also encrypt the public key without applying the encryption policy, and directly use the public key as the primary and called side data encryption keys for subsequent communication.
在实际应用中, 所述通信加密能力协商响应中可以携带有所述被叫侧 数据加密密钥, 主叫通信节点则应用所述加密策略对收到的通信加密能力 协商响应中包含的被叫侧数据加密密钥进行解密, 并判断解密所得结果是 否与所述公共密钥相同, 如果相同, 主叫通信节点向被叫通信节点发送确 认消息; 否则, 主叫通信节点向被叫通信节点发送协商失败消息。  In an actual application, the communication encryption capability negotiation response may carry the called side data encryption key, and the calling communication node applies the encryption policy to the called party included in the received communication encryption capability negotiation response. The side data encryption key is decrypted, and it is judged whether the result of the decryption is the same as the public key. If the same, the calling communication node sends an acknowledgement message to the called communication node; otherwise, the calling communication node sends the called communication node to the called communication node. Negotiation failure message.
当然, 主叫通信节点收到所述通信加密能力协商响应后, 也可以不进 行所述解密操作, 而是直接判断收到的响应中包含的被叫侧数据加密密钥 是否与自身生成的主叫侧数据加密密钥相同, 如果相同, 主叫通信节点向 被叫通信节点发送确认消息; 否则, 主叫通信节点向被叫通信节点发送协 商失败消息。  Certainly, after receiving the communication encryption capability negotiation response, the calling communication node may not directly perform the decryption operation, but directly determine whether the called side data encryption key included in the received response is related to the generated master. The calling side data encryption key is the same. If the same, the calling communication node sends an acknowledgement message to the called communication node; otherwise, the calling communication node sends a negotiation failure message to the called communication node.
所述通信加密能力协商响应中还可以进一步携带有被叫通信节点具 有的与主叫通信节点存在交集的媒体能力所对应的媒体能力信息。  The communication encryption capability negotiation response may further carry media capability information corresponding to the media capability of the called communication node that has an intersection with the calling communication node.
第二种通信加密能力协商过程为: 主叫通信节点向被叫通信节点发送 包含媒体能力信息和通信加密能力信息的通信加密能力协商请求, 并且所 述通信加密能力信息以主叫通信节点任意生成的随机数表示, 即: 所述通 信加密能力协商请求中包含的随机数代表主叫通信节点具有通信加密能 力。 被叫通信节点确定自身是否具有与主叫通信节点存在交集的媒体能 力, 具体的确定方法与第一种通信加密能力协商过程中的相应确定方法相 同。  The second communication encryption capability negotiation process is: the calling communication node sends a communication encryption capability negotiation request including the media capability information and the communication encryption capability information to the called communication node, and the communication encryption capability information is randomly generated by the calling communication node. The random number representation, that is, the random number included in the communication encryption capability negotiation request represents that the calling communication node has communication encryption capability. The called communication node determines whether it has the media capability of the intersection with the calling communication node, and the specific determination method is the same as the corresponding determination method in the negotiation process of the first communication encryption capability.
被叫通信节点还确定自身是否具有通信加密能力, 在确定具有通信加 密能力之后生成被叫侧数据加密密钥并进行后续的向主叫通信节点发送 通信加密能力协商响应等操作, 具体的操作方法与第一种通信加密能力协 商过程中的相应方法大体相同, 区别在于进行的操作不再针对所述公共密 钥而是针对所述随机数。 The called communication node also determines whether it has communication encryption capability, generates a called side data encryption key after determining that it has communication encryption capability, and performs subsequent transmission to the calling communication node. The communication encryption capability negotiation response and the like, the specific operation method is substantially the same as the corresponding method in the first communication encryption capability negotiation process, except that the performed operation is no longer directed to the public key but to the random number.
应用随机数进行加密通信的好处在于: 主、 被叫通信节点之间每次进 行新会话等新一次通信时, 均可随机生成新的随机数, 并应用该随机数生 成所述数据加密密钥。 可见, 每当主、 被叫通信节点进行新一次通信时, 生成的所述数据加密密钥都与前次的不同, 这种数据加密密钥生成的灵活 性使得非法获取信息者即使在一次通信中破译了数据加密密钥, 也无法应 用相同方法破译每次通信中所使用的数据加密密钥, 这能够进一步提高通 信安全性。  The advantage of applying random numbers for encrypted communication is that: when a new communication such as a new session is performed between the primary and the called communication nodes, a new random number can be randomly generated, and the random encryption number is used to generate the data encryption key. . It can be seen that each time the primary and the called communication node perform a new communication, the generated data encryption key is different from the previous one. The flexibility of the data encryption key generation makes the illegal acquisition of the information even in one communication. Deciphering the data encryption key, and the same method can not be used to decipher the data encryption key used in each communication, which can further improve communication security.
当然, 主叫通信节点可以将所述随机数作为后续与被叫通信节点通信 时的主叫侧数据加密密钥, 并应用设置的所述公共密钥和加密策略对该随 机数加密, 将加密结果作为通信加密能力信息携带于所述通信加密能力协 商请求中, 发送给被叫通信节点。 被叫通信节点收到该通信加密能力协商 请求并确定自身有加密能力后, 应用设置的所述公共密钥和加密策略对收 到的通信加密能力协商请求中包含的通信加密能力信息解密, 并将解密结 果作为后续与主叫通信节点通信时的被叫侧数据加密密钥。 可见, 该被叫 侧数据加密密钥与主叫通信节点发送的所述随机数相同。  Of course, the calling communication node may use the random number as the calling side data encryption key when communicating with the called communication node, and encrypt the random number by using the set public key and encryption policy, and encrypt the random number. As a result, the communication encryption capability information is carried in the communication encryption capability negotiation request and sent to the called communication node. After the called communication node receives the communication encryption capability negotiation request and determines that it has the encryption capability, the public key and the encryption policy set by the application decrypt the communication encryption capability information included in the received communication encryption capability negotiation request, and The decrypted result is used as a called side data encryption key when subsequently communicating with the calling communication node. It can be seen that the called side data encryption key is the same as the random number sent by the calling communication node.
第三种通信加密能力协商过程为: 主叫通信节点向被叫通信节点发送 包含媒体能力信息和通信加密能力信息的预协商请求, 并且所述通信加密 能力信息以通信加密能力标记表示, 该通信加密能力标记用于通知被叫通 信节点主叫通信节点具有通信加密能力。 比如: 主叫通信节点发送的通信 加密能力标记为 1时, 代表主叫通信节点具有通信加密能力。  The third communication encryption capability negotiation process is: the calling communication node sends a pre-negotiation request including the media capability information and the communication encryption capability information to the called communication node, and the communication encryption capability information is represented by a communication encryption capability flag, the communication The cryptographic capability flag is used to notify the called communication node that the calling communication node has communication encryption capability. For example, when the communication encryption capability sent by the calling communication node is marked as 1, it indicates that the calling communication node has communication encryption capability.
被叫通信节点收到来自主叫通信节点的预协商请求后, 确定自身是否 具有与主叫通信节点存在交集的媒体能力, 具体的确定方法与第一种通信 加密能力协商过程中的相应确定方法大体相同, 区别在于当前进行的确定 方法针对的是预协商请求。 被叫通信节点还确定自身是否具有通信加密能 力, 并在确定自身具有通信加密能力之后向主叫通信节点发送预协商响 应。 主叫通信节点收到来自被叫通信节点的预协商响应后, 同被叫通信节 点进行与第二或第三种通信加密能力协商过程基本相同的操作。 当然, 由 于被叫通信节点已经确定自身是否具有所述媒体能力和通信加密能力, 因 此被叫通信节点不需要再进行第二和第三种通信加密能力协商过程中所 述确定媒体能力和通信加密能力的操作。 After the called communication node receives the pre-negotiation request from the calling communication node, it determines whether it has the media capability of the intersection with the calling communication node, and the specific determining method and the corresponding determining method in the negotiation process of the first communication encryption capability The same is true, the difference is that the current determination method is for pre-negotiation requests. The called communication node also determines whether it has communication encryption capability and sends a pre-negotiation response to the calling communication node after determining that it has communication encryption capability. After the calling communication node receives the pre-negotiation response from the called communication node, the called communication section The point performs substantially the same operation as the second or third communication encryption capability negotiation process. Of course, since the called communication node has determined whether it has the media capability and the communication encryption capability, the called communication node does not need to perform the second and third communication encryption capability negotiation processes to determine the media capability and communication encryption. Ability to operate.
步骤 107: 当被叫通信节点具有通信加密能力时被叫通信节点发起与 主叫通信节点之间的通信加密能力协商过程, 该通信加密能力协商过程所 包含的操作与步骤 106中的操作大体相同, 区別在于: 步骤 107相对于步 骤 106发生了操作主体的互换。 当然, 被叫通信节点中设置的通信加密能 力所对应的通信加密能力信息代表被叫通信节点具有加密通信能力; 被叫 通信节点中设置的媒体能力所对应的媒体能力信息代表被叫通信节点所 具有的媒体能力, 具体而言, 所述媒体能力信息代表被叫通信节点进行数 据通信时所具有的媒体编解码能力。 、  Step 107: When the called communication node has communication encryption capability, the called communication node initiates a communication encryption capability negotiation process with the calling communication node, and the operation included in the communication encryption capability negotiation process is substantially the same as the operation in step 106. The difference is that step 107 has an interchange of the operating body with respect to step 106. Certainly, the communication encryption capability information corresponding to the communication encryption capability set in the called communication node represents that the called communication node has an encrypted communication capability; the media capability information corresponding to the media capability set in the called communication node represents the called communication node. The media capability information, in particular, the media capability information represents the media encoding and decoding capability of the called communication node when performing data communication. ,
步驟 107与步骤 106没有严格的时间先后关系。  Step 107 and step 106 do not have a strict chronological relationship.
在实际应用中, 也可以只执行步骤 107或步驟 106中的一个步驟, 这 不会影响后续的数据加密通信。  In practical applications, only one of step 107 or step 106 may be performed, which does not affect subsequent data encryption communication.
步驟 108: 应用现有技术建立主、 被叫通信节点之间的媒体通道, 具 体的媒体通道建立过程通常为: 主 /被叫通信节点向被 /主叫通信节点发送 至少包含主 /被叫通信节点 IP地址和通信端口号的媒体通道建立请求; 被 / 主叫通信节点接收来自主 /被叫通信节点的媒体通道建立请求,并在接受该 请求后向主 /被叫通信节点发送至少包含被 /主叫通信节点 IP地址和通信端 口号的媒体通道建立响应。 这样, 主、 被叫通信节点就彼此获取了对方用 于进行数据通信的地址信息, 可以根据该地址信息进行后续的数据通信 了。  Step 108: Applying the prior art to establish a media channel between the primary and the called communication node, the specific media channel establishment process is generally as follows: The primary/called communication node sends at least the primary/called communication to the called/calling communication node. a media channel setup request for the node IP address and the communication port number; the called/calling communication node receives the media channel setup request from the primary/called called communication node, and after receiving the request, sends the at least one included to the primary/called called communication node / The media channel of the calling communication node IP address and the communication port number establishes a response. In this way, the calling and called communication nodes acquire the address information used by the other party for data communication, and can perform subsequent data communication based on the address information.
当然, 如果被 /主叫通信节点拒绝了所述媒体通道建立请求, 则向主 / 被叫通信节点发送通道建立拒绝消息, 该通道建立拒绝消息中还可以携带 有拒绝原因。  Of course, if the media channel establishment request is rejected by the calling/calling communication node, a channel establishment rejection message is sent to the master/called communication node, and the channel establishment rejection message may also carry a rejection reason.
步驟 109: 主、 被叫通信节点间应用建立的所述媒体通道进行加密数 据通信过程。 具体操作为:  Step 109: The media channel established by the application between the primary and the called communication node performs an encrypted data communication process. The specific operation is:
主 /被叫通信节点应用所述主 /被叫侧数据加密密钥和所述加密策略对 发送给被 /主叫通信节点的数据进行加密,并将加密后的加密数据发送给被 /主叫通信节点; 被 /主叫通信节点应用所述被 /主叫侧数据加密密钥和所述 加密策略对来自主 /被叫通信节点的加密数据进行解密,并应用现有技术根 据完成解密的数据进行后续处理。 The master/called communication node applies the master/called side data encryption key and the encryption policy pair The data sent to the called/calling communication node is encrypted, and the encrypted encrypted data is transmitted to the called/calling communication node; the called/calling communication node applies the called/calling side data encryption key and the The encryption policy decrypts the encrypted data from the master/called communication node and applies subsequent techniques to perform subsequent processing based on the decrypted data.
步驟 101至步驟 105可以由 Q931等通信协议实现, 并可以进一步包 含其它信令交互。  Steps 101 through 105 may be implemented by a communication protocol such as Q931, and may further include other signaling interactions.
步驟 106至步骤 109通常是由 H245协议实现的, 所述通信加密能力 协商请求可以由终端能力请求 (Terminal Capability Set, TCS ) 实现, 所 述通信加密能力协商响应可以由终端能力请求确认(Terminal Capability Set Ack, TCS Ack ) 实现, 所述媒体通道建立请求可以由开放逻辑通道 ( Open Logic Channel )消息实现,所述媒体通道建立响应可以由开放逻辑 通道响应( Open Logic Channel Ack )实现, 所述通道建立拒绝消息可以由 开放逻辑通道拒绝(Open Logic Channel Reject ) 消息实现。  Steps 106 to 109 are generally implemented by the H245 protocol, and the communication encryption capability negotiation request may be implemented by a Terminal Capability Set (TSS), and the communication encryption capability negotiation response may be confirmed by a terminal capability request (Terminal Capability). Set Ack, TCS Ack) implementation, the media channel setup request may be implemented by an Open Logic Channel message, and the media channel setup response may be implemented by an Open Logic Channel Ack, the channel The establishment of a reject message can be implemented by an Open Logic Channel Reject message.
当然, 步骤 106至步驟 109可以进一步包含其它信令交互, 也可以由 其它通信协议实现; 并且步骤 106、 步驟 107 还可以由会话描述协议 ( Session Description Protocol , SDP ) 实现。  Of course, step 106 to step 109 may further include other signaling interactions, and may also be implemented by other communication protocols; and step 106 and step 107 may also be implemented by a Session Description Protocol (SDP).
步骤 106和 /或步骤 107可以在步骤 109之前的任意时刻进行。  Step 106 and/or step 107 can be performed at any time prior to step 109.
所述媒体能力信息可以是主、被叫通信节点支持的任一种通信协议名 称,以保证接收方获知发送方支持哪种通信协议。如: G.711、 G.723、 H.263、 RFC 2833 等。 这样, 主叫通信节点就可以将自身支持的通信协议的名称 作为媒体能力信息发送给被叫通信节点; 被叫通信节点则获取自身支持的 通信协议, 并比较获取的通信协议的名称与收到的通信协议名称是否存在 交集, 如果存在交集, 被叫通信节点确定自身具有与主叫通信节点存在交 集的媒体能力。 无论所述媒体能力信息以哪些内容表示, 为了保证主、 被 叫通信节点能正常通信, 主、 被叫通信节点均要应用存在交集的所述媒体 能力通信。  The media capability information may be any communication protocol name supported by the primary or called communication node to ensure that the recipient knows which communication protocol the sender supports. Such as: G.711, G.723, H.263, RFC 2833, etc. In this way, the calling communication node can transmit the name of the communication protocol supported by itself as the media capability information to the called communication node; the called communication node obtains the communication protocol supported by itself, and compares the name and the received communication protocol. Whether there is an intersection of the communication protocol names, if there is an intersection, the called communication node determines that it has the media capability of the intersection with the calling communication node. Regardless of what content of the media capability information is represented, in order to ensure that the primary and the called communication node can communicate normally, both the primary and the called communication node apply the media capability communication in which the intersection exists.
所述主、 被叫通信节点可以是通信终端、 网关或媒体控制器单元 ( MCU )等。  The primary and called communication nodes may be communication terminals, gateways or media controller units (MCUs), and the like.
所述加密策略可以是目前常用的异或算法、 取反算法、 MD5算法等。 图 8所示流程可以由会话发起协议(SIP )、 H323协议等通信协议实 现, 步驟 109中的加密通信通常是针对 RFC 2833协议数据包加密。 当图 8所示流程由 SIP实现时, 可以不进行步骤 107, 并且将步骤 106中的关 键操作拆分到步驟 101、 步骤 104中分别进行。 具体拆分方式为: 将步骤 106中主叫通信节点向被叫通信节点发送通信加密能力协商请求的操作放 到步骤 101中进行; 将步骤 106中被叫通信节点向主叫通信节点发送通信 加密能力协商响应的操作放到步骤 104中进行。 The encryption policy may be a commonly used XOR algorithm, a negation algorithm, an MD5 algorithm, and the like. The flow shown in FIG. 8 can be implemented by a communication protocol such as Session Initiation Protocol (SIP), H323 protocol, etc. The encrypted communication in step 109 is usually encrypted for the RFC 2833 protocol data packet. When the process shown in FIG. 8 is implemented by SIP, step 107 may not be performed, and the key operations in step 106 are split into steps 101 and 104, respectively. The specific splitting manner is: performing the operation of sending the communication encryption capability negotiation request by the calling communication node to the called communication node in step 106 to step 101; sending the called communication node to the calling communication node to encrypt the communication in step 106; The operation of the capability negotiation response is performed in step 104.
综上所述, 本发明的实施例通过在建立呼叫时、 呼叫过程中或进行呼 叫切换后, 在基站控制器(或目标基站控制器)和移动交换中心仿真实体 之间、 移动交换中心仿真实体和媒体网关(或目标媒体网关)之间进行密 钥信息传送, 使媒体网关(或目标媒体网关)端获得与基站控制器(或目 标基站控制器)端相同的密钥。 然后利用该密钥对 A2p口中的 2833信息 进行加密传送。 可以保证在 A2p口上进行 2833信息传送的安全性, 从而 保障移动用户的利益, 提高运营商的服务满意度。  In summary, the embodiment of the present invention simulates an entity between a base station controller (or a target base station controller) and a mobile switching center emulation entity, a mobile switching center emulation entity, during a call setup, during a call, or after a call handover. The key information is transmitted between the media gateway (or the target media gateway) and the media gateway (or target media gateway) to obtain the same key as the base station controller (or the target base station controller). Then use the key to encrypt and transmit the 2833 information in the A2p port. It can guarantee the security of 2833 information transmission on the A2p port, thus protecting the interests of mobile users and improving the service satisfaction of operators.
本发明的实施例中,可以通过扩展 IOS协议的 A2p承载格式特征参数 及扩展 H248协议来实现密钥信息的传送, 其实现较为简单。  In the embodiment of the present invention, the key information can be transmitted by extending the A2p bearer format feature parameter of the IOS protocol and the extended H248 protocol, and the implementation thereof is relatively simple.
综上所述, 本发明的实施例提供的实现加密通信的方法, 由第一通信 节点将自身的媒体能力信息和通信加密能力信息发送给第二通信节点; 所 述媒体能力信息代表通信节点所具有的媒体能力, 所述通信加密能力信息 代表通信节点具有加密通信能力; 第二通信节点根据来自第一通信节点的 媒体能力信息和通信加密能力信息, 判断自身是否具有通信加密能力以及 与第一通信节点存在交集的媒体能力, 如果具有, 第一、 第二通信节点确 定相同的数据加密密钥, 并应用所述媒体能力和确定的数据加密密钥进行 加密通信。 其中, 第一通信节点可以是主叫通信节点, 第二通信节点可以 是被叫通信节点。 因此, 即使第一、 笫二通信节点之间传输的信息被非法 获取, 也可保证非法获取信息者无法正确解析或直接读出获取的信息所包 含的内容, 避免对该信息的合法拥有者可能造成的不利影响, 提高了通信 的安全性。  In summary, the method for implementing encrypted communication provided by the embodiment of the present invention, the first communication node sends its own media capability information and communication encryption capability information to the second communication node; the media capability information represents the communication node. Having a media capability, the communication encryption capability information represents that the communication node has an encrypted communication capability; and the second communication node determines, according to the media capability information and the communication encryption capability information from the first communication node, whether it has communication encryption capability and the first The communication node has an intersecting media capability, if so, the first and second communication nodes determine the same data encryption key and apply the media capability and the determined data encryption key for encrypted communication. The first communication node may be a calling communication node, and the second communication node may be a called communication node. Therefore, even if the information transmitted between the first and second communication nodes is illegally obtained, the information obtained by the illegally obtained information cannot be correctly parsed or directly read out, and the legal owner of the information may be avoided. The adverse effects caused by the communication have improved the security of communication.

Claims

权 利 要 求 Rights request
1、 一种在移动通信系统中传送信息的方法, 其特征在于, 包括: 基站控制器和移动交换中心仿真实体之间的发送方生成 2833加密控 制信息并传送携带有所述 2833加密控制信息的相关信令; 所述 2833加密 控制信息中包含有 A口密钥信息及用于对 2833信息进行加密的第一加密 算法名称;  A method for transmitting information in a mobile communication system, comprising: a sender between a base station controller and a mobile switching center emulation entity generating 2833 encrypted control information and transmitting the 2833 encrypted control information Corresponding signaling; the 2833 encryption control information includes A-port key information and a first encryption algorithm name used to encrypt 2833 information;
所述相关信令的接收方获得所述 A口密钥信息对应的用于对 2833信 息进行加密的 A口共享密钥;  The receiver of the related signaling obtains an A-port shared key corresponding to the A-port key information for encrypting the 2833 information;
所述移动交换中心仿真实体利用该 A口共享密钥生成 2833加密属性 信息, 并将 2833加密属性信息发送给媒体网关; 所述 2833加密属性信息 包含所述第一加密算法名称及 H248口密钥信息;  The mobile switching center emulation entity generates 2833 encrypted attribute information by using the A port shared key, and sends the 2833 encrypted attribute information to the media gateway; the 2833 encrypted attribute information includes the first encryption algorithm name and the H248 port key Information
所述媒体网关根据该 H248口密钥信息获得 A口共享密钥;  The media gateway obtains an A-port shared key according to the H248 port key information;
所述基站控制器和媒体网关之间的发送端使用该 A 口共享密钥和第 一加密算法对 2833信息进行加密传送; 所述发送端的对端釆用该 A口共 享密钥及第一加密算法进行解密。  The transmitting end between the base station controller and the media gateway uses the shared key of the A port and the first encryption algorithm to encrypt and transmit the 2833 information; the peer end of the sending end uses the shared key of the A port and the first encryption The algorithm decrypts.
2、 根据权利要求 1所述的方法, 其特征在于, 所述 2833加密控制信 息承载在扩展后的互操作性规范协议相关信令中的 A2p承载格式特征参 数中, 所述 2833加密属性信息承载在扩展后的 H248信令中。  The method according to claim 1, wherein the 2833 encryption control information is carried in an A2p bearer format feature parameter in the extended interoperability specification protocol related signaling, and the 2833 encrypted attribute information bearer In the extended H248 signaling.
3、 根据权利要求 1所述的方法, 其特征在于, 所述 A口密钥信息及 H248口密钥信息均为所述 A口共享密钥。  The method according to claim 1, wherein the A port key information and the H248 port key information are all the A port shared key.
4、 根据权利要求 1所述的方法, 其特征在于,  4. The method of claim 1 wherein:
所述发送方生成 2833加密控制信息, 包括: 所述相关信令的发送方 将所述 A口共享密钥与预先配置的 A口控制密钥利用第二加密算法加密 生成所述 A口密钥信息;在 2833加密控制信息中携带所述 A口密钥信息、 第一加密算法名称和第二加密算法名称;  The sender generates 2833 encryption control information, including: the sender of the related signaling encrypts the A-port shared key and the pre-configured A-port control key by using a second encryption algorithm to generate the A-port key The information of the A port key information, the first encryption algorithm name, and the second encryption algorithm name are carried in the 2833 encryption control information;
所迷接收方获得所述 A口密钥信息对应的用于对 2833信息进行加密 的 A口共享密钥, 包括: 所述相关信令的接收方获得所述 A口密钥信息 后, 利用所述第二加密算法解密, 获得所述 A口共享密钥。  The receiving party obtains the A-port shared key for encrypting the 2833 information corresponding to the A-port key information, and the method includes: after the receiver of the related signaling obtains the A-port key information, The second encryption algorithm decrypts to obtain the A-port shared key.
5、 根据权利要求 4所述的方法, 其特征在于, 所述移动交换中心仿 真实体利用该 A口共享密钥生成 2833加密属性信息, 包括: 移动交换中 心仿真实体采用该 A口共享密钥与预先配置的 H248口控制密钥以第三加 密算法进行加密生成所述 H248口密钥信息;在 2833加密属性信息中携带 H248口密钥信息、 预先配置的第三加密算法名称; 5. The method according to claim 4, wherein the mobile switching center is simulated The real entity generates the 2833 encrypted attribute information by using the A-port shared key, and the method includes: the mobile switching center emulation entity uses the A-port shared key and the pre-configured H248 port control key to encrypt by using a third encryption algorithm to generate the H248 port. Key information; carrying the H248 port key information and the pre-configured third encryption algorithm name in the 2833 encryption attribute information;
所述将 2833加密属性信息发送给媒体网关, 包括: 所述移动交换中 心仿真实体在进行承载建立或者承载属性修改时, 将该 2833加密属性信 息发送给媒体网关;  The transmitting the 2833 encrypted attribute information to the media gateway, the method includes: sending, by the mobile switching center, the bearer establishment or the bearer attribute modification, the 2833 encrypted attribute information to the media gateway;
所述媒体网关根据该 H248口密钥信息获得 A口共享密钥, 包括: 所 述媒体网关接收该 2833加密属性信息后,采用预先配置的 H248口控制密 钥, 对该 H248口密钥信息以第三加密算法进行解密计算, 获得 A口共享 密钥, 并从该 H248口密钥信息中获得第一加密算法名称。  The media gateway obtains the A-port shared key according to the H248 port key information, and the method includes: after receiving the 2833 encryption attribute information, the media gateway adopts a pre-configured H248 port control key, and the H248 port key information is used by the media gateway. The third encryption algorithm performs decryption calculation, obtains an A-port shared key, and obtains a first encryption algorithm name from the H248 port key information.
6、 根据权利要求 5 所述的方法, 其特征在于, 在呼叫过程中进行切 换后, 所述移动交换中心仿真实体为服务移动交换中心仿真实体; 所述基 站控制器均为切换后的目标基站控制器; 所述媒体网关均为切换后的目标 媒体网关。  The method according to claim 5, wherein after the handover in the call, the mobile switching center emulation entity is a serving mobile switching center emulation entity; the base station controller is a switched target base station The controller is the target media gateway after the handover.
7、根据权利要求 1至 6任一项所述的方法,其特征在于,所述将 2833 加密属性信息发送给媒体网关, 为在进行承载建立、 承载属性修改时, 由 移动交换中心仿真实体将其携带在 H248承载建立请求消息或承载属性修 改请求消息中移动交换中心仿真实体发送给媒体网关。  The method according to any one of claims 1 to 6, wherein the sending of the 2833 encrypted attribute information to the media gateway is performed by the mobile switching center emulation entity when the bearer establishment and the bearer attribute modification are performed. The mobile switching center emulation entity sends the H248 bearer setup request message or the bearer attribute modification request message to the media gateway.
8、 根据权利要求 7所述的方法, 其特征在于, 所述携带有所述 2833 加密控制信息的相关信令是在呼叫建立或呼叫过程中所传送的; 所述相关 信令为呼叫管理服务请求消息、 呼叫响应消息、 承载更新请求消息、 指配 完成消息、 增值业务请求消息、 切换请求应答消息、 呼叫请求消息、 指配 请求消息、 增值业务通知消息、 业务通知消息、 承载更新申请消息、 承载 更新响应消息或切换请求消息。  The method according to claim 7, wherein the related signaling carrying the 2833 encryption control information is transmitted during a call setup or a call; the related signaling is a call management service. Request message, call response message, bearer update request message, assignment completion message, value added service request message, handover request response message, call request message, assignment request message, value added service notification message, service notification message, bearer update request message, Carry an update response message or a switch request message.
9、 根据权利要求 5所述的方法, 其特征在于, 所述第一加密算法、 第二加密算法及第三加密算法均为对称加密算法。  The method according to claim 5, wherein the first encryption algorithm, the second encryption algorithm, and the third encryption algorithm are all symmetric encryption algorithms.
10、 根据权利要求 9所述的方法, 其特征在于, 所述第一加密算法、 第二加密算法及第三加密算法为相同的加密算法; 或者所述第一加密算 法、 第二加密算法及第三加密算法为不同的加密算法。 The method according to claim 9, wherein the first encryption algorithm, the second encryption algorithm, and the third encryption algorithm are the same encryption algorithm; or the first encryption algorithm The method, the second encryption algorithm and the third encryption algorithm are different encryption algorithms.
11、 一种基站控制器, 其特征在于, 包括:  A base station controller, comprising:
信令处理单元, 用于向移动交换中心仿真实体发送或从移动交换中心 仿真实体接收携带有 2833加密控制信息的相关信令; 所述 2833加密控制 信息中包含有 A口密钥信息及用于对 2833信息进行加密的第一加密算法 名称;  a signaling processing unit, configured to send to the mobile switching center emulation entity or receive relevant signaling that carries the 2833 encrypted control information from the mobile switching center emulation entity; the 2833 encrypted control information includes the A port key information and is used for The name of the first encryption algorithm that encrypts the 2833 information;
信息传输单元, 用于实现和媒体网关之间的 2833信息传输, 利用所 述 A口密钥信息对应的 A口共享密钥和第一加密算法对 2833信息进行处 理。  The information transmission unit is configured to implement 2833 information transmission with the media gateway, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
12、 根据权利要求 11 所述的基站控制器, 其特征在于, 所述信令处 理单元包括:  The base station controller according to claim 11, wherein the signaling processing unit comprises:
A 口密钥信息生成单元, 用于将所述 A 口共享密钥与预先配置的 A 口控制密钥利用第二加密算法加密生成所述 A口密钥信息;  The A-port key information generating unit is configured to encrypt the A-port shared key and the pre-configured A-port control key by using a second encryption algorithm to generate the A-port key information;
加密控制信息填充单元, 用于在 2833加密控制信息中携带所述 A口 密钥信息、 第一加密算法名称和第二加密算法名称;  An encryption control information filling unit, configured to carry the A port key information, the first encryption algorithm name, and the second encryption algorithm name in the 2833 encryption control information;
信令发送单元, 用于发送携带有所述 2833加密控制信息的相关信令。 The signaling sending unit is configured to send related signaling that carries the 2833 encrypted control information.
13. 根据权利要求 12所述的基站控制器, 其特征在于, 所述加密控 制信息填充单元为 A2p承载格式特征参数扩展单元, 用于将所述 A口密 钥信息、第一加密算法名称和第二加密算法名称填充至 A2p承载格式特征 参数中。 The base station controller according to claim 12, wherein the encryption control information filling unit is an A2p bearer format feature parameter expansion unit, configured to use the A port key information, the first encryption algorithm name, and The second encryption algorithm name is populated into the A2p bearer format feature parameter.
14、 根据权利要求 11 所述的基站控制器, 其特征在于, 所述信令处 理单元包括:  The base station controller according to claim 11, wherein the signaling processing unit comprises:
信令接收单元, 用于接收携带有所述 2833加密控制信息的相关信令; 所述 2833加密控制信息中包含有 A口密钥信息及用于对 2833信息进行加 密的第一加密算法名称;  a signaling receiving unit, configured to receive related signaling that carries the 2833 encryption control information; the 2833 encryption control information includes A-port key information and a first encryption algorithm name used to encrypt 2833 information;
信息获得单元, 用于从所述 2833加密控制信息中获得 A口密钥信息 和第二加密算法;  An information obtaining unit, configured to obtain A-port key information and a second encryption algorithm from the 2833 encryption control information;
A口共享密钥获得单元,用于利用所述第二加密算法对 A口密钥信息 解密, 获得 A口共享密钥。 The A-port shared key obtaining unit is configured to decrypt the A-port key information by using the second encryption algorithm to obtain an A-port shared key.
15、 一种移动交换中心仿真实体, 其特征在于, 包括: 信令处理单元, 用于向基站控制器发送或从基站控制器接收携带有 2833加密控制信息的相关信令; 所迷 2833加密控制信息中包含有 A口密 钥信息及用于对 2833信息进行加密的第一加密算法名称; A mobile switching center emulation entity, comprising: a signaling processing unit, configured to send or receive, from a base station controller, related signaling carrying 2833 encrypted control information; The information includes the A port key information and the first encryption algorithm name used to encrypt the 2833 information;
加密属性信息处理单元, 用于利用所述 2833加密控制信息中的 A口 密钥信息对应的 A口共享密钥生成 2833加密属性信息,并将 2833加密属 性信息发送给媒体网关; 所述 2833加密属性信息包含所述第一加密算法 名称及 H248口密钥信息。  The encryption attribute information processing unit is configured to generate 2833 encrypted attribute information by using the A port shared key corresponding to the A port key information in the 2833 encryption control information, and send the 2833 encrypted attribute information to the media gateway; the 2833 encryption The attribute information includes the first encryption algorithm name and H248 port key information.
16、 根据权利要求 15所述的移动交换中心仿真实体, 其特征在于, 所述加密属性信息处理单元包括:  The mobile switching center emulation entity according to claim 15, wherein the encrypted attribute information processing unit comprises:
H248口密钥信息生成单元, 用于采用该 A口共享密钥与预先配置的 H248口控制密钥以第三加密算法进行加密生成所述 H248口密钥信息; 加密属性信息填充单元,用于在 2833加密属性信息中携带 H248口密 钥信息、 第一加密算法名称和预先配置的第三加密算法名称;  The H248 port key information generating unit is configured to use the A-port shared key and the pre-configured H248 port control key to perform the third encryption algorithm to generate the H248 port key information; the encrypted attribute information filling unit is configured to: Carrying the H248 port key information, the first encryption algorithm name, and the pre-configured third encryption algorithm name in the 2833 encryption attribute information;
加密属性信息发送单元, 用于在进行承载建立或者承载属性修改时, 将该 2833加密属性信息发送给媒体网关。  The encryption attribute information sending unit is configured to send the 2833 encrypted attribute information to the media gateway when performing bearer establishment or bearer attribute modification.
17、 根据权利要求 16所述的移动交换中心仿真实体, 其特征在于, 所述加密属性信息填充单元为 H248信令填充单元,用于将所述 2833加密 属性信息承载在扩展后的 H248信令中。  The mobile switching center emulation entity according to claim 16, wherein the encrypted attribute information padding unit is an H248 signaling padding unit, configured to carry the 2833 encrypted attribute information in the extended H248 signaling. in.
18、 根据权利要求 15所述的移动交换中心仿真实体, 其特征在于, 所述信令处理单元包括:  The mobile switching center emulation entity according to claim 15, wherein the signaling processing unit comprises:
A 口密钥信息生成单元, 用于将所述 A 口共享密钥与预先配置的 A 口控制密钥利用第二加密算法加密生成所述 A口密钥信息;  The A-port key information generating unit is configured to encrypt the A-port shared key and the pre-configured A-port control key by using a second encryption algorithm to generate the A-port key information;
加密控制信息填充单元, 用于在 2833加密控制信息中携带所述 A口 密钥信息、 第一加密算法名称和第二加密算法名称;  An encryption control information filling unit, configured to carry the A port key information, the first encryption algorithm name, and the second encryption algorithm name in the 2833 encryption control information;
信令发送单元, 用于发送携带有所述 2833加密控制信息的相关信令。  The signaling sending unit is configured to send related signaling that carries the 2833 encrypted control information.
19. 根据权利要求 18所述的移动交换中心仿真实体, 其特征在于, 所述加密控制信息填充单元为 A2p承载格式特征参数扩展单元,用于将所 述 A口密钥信息、 第一加密算法名称和第二加密算法名称填充至 A2p承 载格式特征参数中。 The mobile switching center emulation entity according to claim 18, wherein the encryption control information filling unit is an A2p bearer format feature parameter expansion unit, configured to use the A port key information and the first encryption algorithm. Name and second encryption algorithm name are filled to A2p Loaded in the format feature parameters.
20、 根据权利要求 15所述的移动交换中心仿真实体, 其特征在于, 所述信令处理单元包括:  The mobile switching center emulation entity according to claim 15, wherein the signaling processing unit comprises:
信令接收单元, 用于接收携带有所述 2833加密控制信息的相关信令; 所述 2833加密控制信息中包含有 A口密钥信息及用于对 2833信息进行加 密的第一加密算法名称;  a signaling receiving unit, configured to receive related signaling that carries the 2833 encryption control information; the 2833 encryption control information includes A-port key information and a first encryption algorithm name used to encrypt 2833 information;
信息获得单元, 用于从所述 2833加密控制信息中获得 A口密钥信息 和第二加密算法;  An information obtaining unit, configured to obtain A-port key information and a second encryption algorithm from the 2833 encryption control information;
A口共享密钥获得单元,用于利用所述第二加密算法对 A口密钥信息 解密, 获得 A口共享密钥。  The A-port shared key obtaining unit is configured to decrypt the A-port key information by using the second encryption algorithm to obtain an A-port shared key.
21、 一种媒体网关, 其特征在于, 包括:  21. A media gateway, comprising:
加密属性信息处理单元,用于根据移动交换中心仿真实体发出的 2833 加密属性信息获得 A口共享密钥和第一加密算法;  An encryption attribute information processing unit, configured to obtain an A-port shared key and a first encryption algorithm according to the 2833 encrypted attribute information sent by the mobile switching center emulation entity;
信息传输单元, 用于实现和基站控制器之间的 2833信息传输, 利用 所述 A口密钥信息对应的 A口共享密钥和第一加密算法对 2833信息进行 处理。  The information transmission unit is configured to implement 2833 information transmission with the base station controller, and process the 2833 information by using the A-port shared key corresponding to the A-port key information and the first encryption algorithm.
22、 根据权利要求 21 所述的媒体网关, 其特征在于, 所述加密属性 信息处理单元包括:  The media gateway according to claim 21, wherein the encryption attribute information processing unit comprises:
信息获得单元,用于从所述 2833加密属性信息中获得 H248口密钥信 息和第三加密算法;  An information obtaining unit, configured to obtain H248 port key information and a third encryption algorithm from the 2833 encryption attribute information;
H248口密钥信息处理单元, 用于采用预先配置的 H248口控制密钥, 对该 H248口密钥信息以第三加密算法进行解密计算,获得 A口共享密钥, 并从该 H248口密钥信息中获得第一加密算法名称。  The H248 port key information processing unit is configured to use a pre-configured H248 port control key, and decrypt the H248 port key information by using a third encryption algorithm to obtain an A port shared key, and obtain the A port shared key from the H248 port key. The first encryption algorithm name is obtained in the message.
23、 一种移动通信系统, 包括基站控制器、 移动交换中心仿真实体和 媒体网关; 其特征在于,  23. A mobile communication system comprising a base station controller, a mobile switching center emulation entity, and a media gateway; wherein
所述基站控制器用于向移动交换中心仿真实体发送或从移动交换中 心仿真实体接收携带有 2833加密控制信息的相关信令; 所述 2833加密控 制信息中包含有 A口密钥信息及用于对 2833信息进行加密的第一加密算 法名称; 并在和媒体网关进行 2833信息传输时, 利用所述第一加密算法 和 A口密钥信息对应的 A口共享密钥对 2833信息进行处理; 所述移动交换中心仿真实体用于向基站控制器发送或从基站控制器 接收携带有 2833加密控制信息的相关信令; 利用所述 2833加密控制信息 中的 A口密钥信息对应的. A口共享密钥生成 2833加密属性信息,并将 2833 加密属性信息发送给媒体网关; 所述 2833加密属性信息包含所述第一加 密算法名称及 H248口密钥信息; The base station controller is configured to send or receive relevant signaling that carries the 2833 encryption control information to the mobile switching center emulation entity; the 2833 encryption control information includes the A port key information and is used for 2833 the first encryption algorithm name for encrypting the information; and when the 2833 information transmission is performed with the media gateway, using the first encryption algorithm The A-port shared key pair 2833 information corresponding to the A-port key information is processed; the mobile switching center emulation entity is configured to send or receive, from the base station controller, relevant signaling carrying the 2833 encrypted control information; Generating 2833 encrypted attribute information by using the A port shared key corresponding to the A port key information in the 2833 encryption control information, and transmitting 2833 encrypted attribute information to the media gateway; the 2833 encrypted attribute information includes the first Encryption algorithm name and H248 port key information;
所述媒体网关用于根据该 H248口密钥信息获得 A口共享密钥; 使用 该 A口共享密钥和第一加密算法对 2833信息进行处理。  The media gateway is configured to obtain an A-port shared key according to the H248 port key information; and process the 2833 information by using the A-port shared key and the first encryption algorithm.
24、 根据权利要求 23所述的系统, 其特征在于, 所述 2833加密控制 信息承载在扩展后的互操作性规范协议相关信令中的 A2p承载格式特征 参数中, 所述 2833加密属性信息承载在扩展后的 H248信令中。  The system according to claim 23, wherein the 2833 encryption control information is carried in an A2p bearer format feature parameter in the extended interoperability specification protocol related signaling, and the 2833 encrypted attribute information bearer In the extended H248 signaling.
25、 根据权利要求 23或 24所述的系统, 其特征在于, 所述移动交换 中心仿真实体为服务移动交换中心仿真实体; 所述基站控制器均为切换后 的目标基站控制器; 所述媒体网关均为切换后的目标媒体网关。  The system according to claim 23 or 24, wherein the mobile switching center emulation entity is a serving mobile switching center emulation entity; the base station controller is a switched target base station controller; The gateways are all target media gateways after switching.
26、 一种移动通信系统中传送信息的方法, 其特征在于, 包括: 在第一通信节点和第二通信节点均具有通信加密能力以及第一通信 节点和第二通信节点存在交集的媒体能力时, 第一、 第二通信节点确定相 同的数据加密密钥;  26. A method of transmitting information in a mobile communication system, comprising: when both the first communication node and the second communication node have communication encryption capabilities and media capabilities at which the first communication node and the second communication node have intersections And the first and second communication nodes determine the same data encryption key;
第一、 第二通信节点应用存在交集的所述媒体能力和确定的数据加密 密钥进行加密通信。  The first and second communication nodes apply the media capability of the intersection and the determined data encryption key for encrypted communication.
27、 如权利要求 26所述的方法, 其特征在于, 所述通信加密能力信 息是第一通信节点生成的随机数或预先设置的公共密钥; 所述第一、 第二 通信节点确定相同的数据加密密钥, 包括:  The method according to claim 26, wherein the communication encryption capability information is a random number generated by a first communication node or a preset public key; the first and second communication nodes determine the same Data encryption key, including:
第二通信节点应用预先设置的加密策略对来自第一通信节点的随机 数或公共密钥加密, 并将加密结果作为后续与第一通信节点通信的数据加 密密钥;  The second communication node encrypts the random number or the public key from the first communication node by applying a preset encryption policy, and uses the encrypted result as a data encryption key for subsequent communication with the first communication node;
第一通信节点应用预先设置的加密策略对自身生成的随机数或发送 给第二通信节点的公共密钥加密, 并将加密结果作为后续与第二通信节点 通信的数据加密密钥。 The first communication node applies a pre-set encryption policy to encrypt the self-generated random number or the public key sent to the second communication node, and uses the encryption result as a data encryption key for subsequent communication with the second communication node.
28、 如权利要求 26所述的方法, 其特征在于, 所述通信加密能力信 息是第一通信节点应用预先设置的加密策略对其生成的随机数和预先设 置的公共密钥加密后所得的加密结果; 所述第一、 第二通信节点确定相同 的数据加密密钥, 包括: The method according to claim 26, wherein the communication encryption capability information is an encryption obtained by encrypting a random number generated by a first communication node by using a preset encryption policy and a preset public key. Result: the first and second communication nodes determine the same data encryption key, including:
第二通信节点应用预先设置的加密策略和公共密钥对来自第一通信 节点的通信加密能力信息进行解密, 并将解密结果作为后续与第一通信节 点通信的数据加密密钥;  The second communication node decrypts the communication encryption capability information from the first communication node by using a preset encryption policy and a public key, and uses the decryption result as a data encryption key for subsequent communication with the first communication node;
第一通信节点将所述加密结果作为后续与第二通信节点通信的数据 加密密钥。  The first communication node uses the encrypted result as a data encryption key for subsequent communication with the second communication node.
29、 如权利要求 26所述的方法, 其特征在于, 所述通信加密能力信 息是第一通信节点生成的随机数或预先设置的公共密钥; 所述第一、 第二 通信节点确定相同的数据加密密钥, 包括: '  The method according to claim 26, wherein the communication encryption capability information is a random number generated by a first communication node or a preset public key; the first and second communication nodes determine the same Data encryption key, including: '
第二通信节点将来自笫一通信节点的随机数或公共密钥作为后续与 第一通信节点通信的数据加密密钥;  The second communication node uses the random number or public key from the first communication node as a data encryption key for subsequent communication with the first communication node;
第一通信节点将自身生成的随机数或发送给第二通信节点的公共密 钥作为后续与第二通信节点通信的数据加密密钥。  The first communication node uses the random number generated by itself or the public key transmitted to the second communication node as a data encryption key to be subsequently communicated with the second communication node.
30、 如权利要求 26所述的方法, 其特征在于, 所述进行加密通信, 包括:  The method of claim 26, wherein the performing the encrypted communication comprises:
第一 /第二通信节点应用所述数据加密密钥和预先设置的加密策略对 发送给第二 /第一通信节点的数据进行加密,并将加密后的加密数据发送给 第二 /第一通信节点;  The first/second communication node encrypts the data sent to the second/first communication node by applying the data encryption key and a preset encryption policy, and transmits the encrypted encrypted data to the second/first communication Node
第二 /第一通信节点应用所述数据加密密钥和所述加密策略对来自第 一 /第二通信节点的加密数据进行解密。  The second/first communication node applies the data encryption key and the encryption policy to decrypt the encrypted data from the first/second communication node.
31、 如权利要求 26所述的方法, 其特征在于, 在确定相同的数据加 密密钥之前, 还包括:  31. The method of claim 26, wherein before determining the same data encryption key, the method further comprises:
第一通信节点将自身的媒体能力信息和通信加密能力信息发送给第 二通信节点;  The first communication node sends its own media capability information and communication encryption capability information to the second communication node;
第二通信节点根据来自第一通信节点的媒体能力信息和通信加密能 力信息, 判断自身是否具有通信加密能力以及与第一通信节点存在交集的 媒体能力。 The second communication node determines, according to the media capability information and the communication encryption capability information from the first communication node, whether it has communication encryption capability and an intersection with the first communication node. Media capabilities.
32、 如权利要求 31 所述的方法, 其特征在于, 所述判断自身是否具 有通信加密能力以及与第一通信节点存在交集的媒体能力, 包括:  The method according to claim 31, wherein the determining whether the user has the communication encryption capability and the media capability that intersects with the first communication node includes:
第二通信节点获取自身具有的媒体能力, 并比较获取的媒体能力与来 自第一通信节点的媒体能力信息所对应的媒体能力是否存在交集, 如果存 在交集, 第二通信节点确定自身具有与第一通信节点存在交集的媒体能 力;  The second communication node acquires the media capability that it has, and compares whether the acquired media capability has an intersection with the media capability corresponding to the media capability information from the first communication node. If there is an intersection, the second communication node determines that it has the first Communication nodes have overlapping media capabilities;
第二通信节点查询自身通信配置参数中有关通信加密能力的通信配 置参数, 如果查询到的通信配置参数支持通信加密, 第二通信节点确定自 身具有通信加密能力。  The second communication node queries the communication configuration parameter of the communication encryption capability in the communication configuration parameter of the communication. If the queried communication configuration parameter supports communication encryption, the second communication node determines that it has communication encryption capability.
33、 如权利要求 32所述的方法, 其特征在于, 所述媒体能力信息是 通信协议名称, 则所述第二通信节点确定自身是否具有与第一通信节点存 在交集的媒体能力, 为:  33. The method according to claim 32, wherein the media capability information is a communication protocol name, and the second communication node determines whether it has a media capability that intersects with the first communication node, and is:
第二通信节点获取自身支持的通信协议, 并比较获取的通信协议的名 称与来自第一通信节点的通信协议名称是否存在交集, 如果存在交集, 第 二通信节点确定自身具有与第一通信节点存在交集的媒体能力。  The second communication node acquires the communication protocol supported by itself, and compares whether the name of the obtained communication protocol and the communication protocol name from the first communication node are intersected. If there is an intersection, the second communication node determines that it has the existence with the first communication node. Intersection of media capabilities.
34、 如权利要求 32所述的方法, 其特征在于, 所述有关通信加密能 力的通信配置参数是加密使能, 则所述第二通信节点判断自身是否具有通 信加密能力, 为:  The method according to claim 32, wherein the communication configuration parameter related to the communication encryption capability is encryption enabled, and the second communication node determines whether it has communication encryption capability, which is:
第二通信节点查询自身通信配置参数中的加密使能, 如杲查询到的加 密使能设置于使能状态, 第二通信节点确定自身具有通信加密能力。  The second communication node queries the encryption enablement in the self communication configuration parameter. If the queried encryption enable is set to the enabled state, the second communication node determines that it has the communication encryption capability.
35、 如权利要求 26至 34任一项所述的方法, 其特征在于, 所述进行 加密通信是对 RFC 2833协议数据包进行加密传送。  The method according to any one of claims 26 to 34, wherein the performing the encrypted communication is to encrypt and transmit the RFC 2833 protocol data packet.
36、 如权利要求 26至 34任一项所述的方法, 其特征在于, 所述第一 通信节点与第二通信节点应用会话发起协议或 H323协议进行交互。  The method according to any one of claims 26 to 34, wherein the first communication node interacts with the second communication node by using a session initiation protocol or an H323 protocol.
PCT/CN2006/002932 2005-11-01 2006-11-01 Mobile communication system, and information transmitting method and device wherein WO2007051415A1 (en)

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
CN200510117145.0 2005-11-01
CN200510117145A CN1881869B (en) 2005-11-01 2005-11-01 Method for realizing encryption communication
CN200510101949.1 2005-11-29
CN200510101949 2005-11-29
CN200510135859.4 2005-12-20
CNB2005101358594A CN100471313C (en) 2005-11-29 2005-12-20 Method for carrying out encryption transfer on 2833 information in CDMA

Publications (1)

Publication Number Publication Date
WO2007051415A1 true WO2007051415A1 (en) 2007-05-10

Family

ID=38005447

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/002932 WO2007051415A1 (en) 2005-11-01 2006-11-01 Mobile communication system, and information transmitting method and device wherein

Country Status (1)

Country Link
WO (1) WO2007051415A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7983656B2 (en) 2007-09-12 2011-07-19 At&T Intellectual Property I, L.P. Method and apparatus for end-to-end mobile user security
US20230308867A1 (en) * 2021-06-09 2023-09-28 T-Mobile Usa, Inc. Determining and ameliorating wireless telecommunication network functionalities that are impaired when using end-to-end encryption

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003003691A1 (en) * 2001-06-27 2003-01-09 Amadeus S.A.S. Method and device for securing communications in a computer network
CN1430858A (en) * 2000-05-23 2003-07-16 诺泰网络有限公司 Method for controlling channel handover in wireless terminal and cellular radio communication network
JP2005244588A (en) * 2004-02-26 2005-09-08 Toshiba Corp Network system, gateway device, program and communication control method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1430858A (en) * 2000-05-23 2003-07-16 诺泰网络有限公司 Method for controlling channel handover in wireless terminal and cellular radio communication network
WO2003003691A1 (en) * 2001-06-27 2003-01-09 Amadeus S.A.S. Method and device for securing communications in a computer network
JP2005244588A (en) * 2004-02-26 2005-09-08 Toshiba Corp Network system, gateway device, program and communication control method

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7983656B2 (en) 2007-09-12 2011-07-19 At&T Intellectual Property I, L.P. Method and apparatus for end-to-end mobile user security
US20230308867A1 (en) * 2021-06-09 2023-09-28 T-Mobile Usa, Inc. Determining and ameliorating wireless telecommunication network functionalities that are impaired when using end-to-end encryption

Similar Documents

Publication Publication Date Title
US9537837B2 (en) Method for ensuring media stream security in IP multimedia sub-system
JP4284324B2 (en) Method and mobile radio system for forming and distributing encryption key in mobile radio system
TWI332345B (en) Security considerations for the lte of umts
CN106850526B (en) Method and apparatus for end-to-edge media protection in IMS systems
JP4856723B2 (en) Method, apparatus and / or computer program product for encrypting and transmitting media data between a media server and a subscriber device
CN100466805C (en) Method for end-to-end enciphoring voice telecommunication
US9258700B2 (en) Systems and methods for utilizing IMS data security mechanisms in a circuit switched network
WO2011022999A1 (en) Method and system for encrypting video conference data by terminal
CN104618901A (en) Method for processing NAS information in WTRU and WTRU
WO2012024903A1 (en) Method for encrypting voice calls in mobile communication network, and system, terminal, and network side thereof
KR101369793B1 (en) Method, devices and computer program product for encoding and decoding media data
CN1881869B (en) Method for realizing encryption communication
CN107251512B (en) Method, device and system for establishing a secure communication session
WO2012024905A1 (en) Method, terminal and ggsn for encrypting and decrypting data in mobile communication network
WO2012126321A1 (en) Method and system for achieving single radio voice call continuity
WO2007048301A1 (en) A encryption method for ngn service
CN100471313C (en) Method for carrying out encryption transfer on 2833 information in CDMA
WO2017197968A1 (en) Data transmission method and device
WO2007051415A1 (en) Mobile communication system, and information transmitting method and device wherein
US20200204595A1 (en) Media protection within the core network of an ims network
WO2009094813A1 (en) Security parameters negotiation method and apparatus for realizing the security of the media flow
EP2560435A1 (en) Method and system for implementing security of single radio voice call continuity
CN104753889A (en) Method for switching encryption by using SIP protocol
WO2008083620A1 (en) A method, a system and an apparatus for media flow security context negotiation
WO2006081712A1 (en) A method for switching the level of the plaintext and cyphertext during the conversation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06805133

Country of ref document: EP

Kind code of ref document: A1