WO2007073659A1 - Terminal access method based on h.323 protocol applied to packet network - Google Patents


Info

Publication number
WO2007073659A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal
gatekeeper
security
signaling
signature
Application number
PCT/CN2006/003100
Other languages
French (fr)
Chinese (zh)
Inventor
Chen Lu
Liang Zhang
Guangfeng Li
Zhong Yu
Wei Quan
Baolin Xue
Original Assignee
Zte Corporation

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1101 Session protocols
    • H04L65/1106 Call signalling protocols; H.323 and related
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving digital signatures
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Definitions

  • The present invention relates to packet-network communication security and, in particular, to an H.323-based terminal access method for packet networks.
  • BACKGROUND Currently a large number of terminals based on the ITU-T H.323 protocol, with multimedia capabilities, are deployed on private networks and the Internet to provide voice over IP (VoIP), video and other value-added services, and they may become the mainstream form of user access in the future. Because the Internet is open and lacks effective monitoring, secure-access problems are becoming more and more prominent: denial of service (DoS) attacks, theft of service, eavesdropping on signaling streams, eavesdropping on media streams and other threats.
  • DoS denial of service
  • Secure terminal access today is based mainly on the symmetric-cryptography mechanisms of the ITU-T (International Telecommunication Union, Telecommunication Standardization Sector) H.235 protocol: the network authenticates the terminal, and that authentication is the means by which secure access is achieved.
  • That security mechanism protects the various kinds of signaling either with pre-shared secrets between neighbouring nodes or by using a secure port over TLS (Transport Layer Security) or IPsec (IP Security). It is applied in the three control processes of communication between endpoints (multimedia terminals or multipoint control units):
  • Call admission: RAS (Registration, Admission and Status) signaling;
  • Call control: the H.225.0 call signaling protocol;
  • Connection control: H.245.
  • The protection covers authentication, privacy (confidentiality), integrity and non-repudiation.
  • A pre-shared-secret symmetric mechanism uses a single key for both encryption and decryption. Once that key leaks, the whole communication system loses its security and its non-repudiation property, so the approach shows more and more defects in practice.
  • Another disadvantage is that when the network is large, allocating a pre-shared secret to every user is difficult, and even where it is feasible it is hard to manage.
  • Negotiating TLS or IPsec in advance is likewise difficult to deploy.
  • Public key cryptosystems are generally divided into three classes by the hard problem they rest on: integer factorization, discrete logarithm, and elliptic curve. The elliptic curve class is sometimes counted as a discrete-logarithm class.
  • The elliptic curves used here are defined over a finite field. The set of points on such a curve, together with a special point called the point at infinity and the "chord and tangent" addition rule, forms an abelian group.
  • Given a point P of order n in that group and a point Q = kP, finding k is called the elliptic curve discrete logarithm problem (ECDLP).
  • Elliptic curve cryptosystems are designed around the hardness of this problem.
  • Elliptic curves were first proposed for cryptography, independently, by Neal Koblitz and Victor Miller in 1985.
  • Among public key cryptosystems, elliptic curve systems offer the highest security strength per key bit.
  • The best known algorithm for the elliptic curve discrete logarithm problem is the Pollard rho method, whose running time is fully exponential.
  • The well-known RSA system relies on the hardness of integer factorization.
  • The best general-purpose factoring algorithms run in sub-exponential time.
  • For n of 2048 bits, factoring takes roughly 2x10^20 MIPS-years (the figure quoted in the source). That is, an ECC (Elliptic Curve Cryptosystem) key of 234 bits already exceeds the strength of a 2048-bit RSA key; the key-length ratio is up to about 9:1, and the gap widens further as the ECC key grows. The advantage of the short ECC key is obvious: as the required strength increases, the ECC key length grows only slowly. (For comparison, current NIST SP 800-57 guidance rates 2048-bit RSA as roughly equivalent to a 224-bit elliptic curve key, which is of the same order as the source's 234-bit figure.)
  • WAPI WLAN Authentication and Privacy Infrastructure
  • WPI WLAN Privacy Infrastructure
  • The Sixth International Cryptography Conference recommended two public-key algorithms: RSA, based on the Integer Factorization Problem (IFP), and ECC, based on the Elliptic Curve Discrete Logarithm Problem (ECDLP).
  • IFP Integer Factorization Problem
  • ECDLP Elliptic Curve Discrete Logarithm Problem
  • A characteristic of RSA is that its mathematics is simple and it is relatively easy to implement in engineering, but its security strength per bit is relatively low. The attack on RSA currently recognised internationally as the most effective is the Number Field Sieve (NFS); its running time is sub-exponential.
  • The mathematics of ECC is deep and complex, and it is harder to implement in engineering, but its security strength per bit is relatively high.
  • The most effective attack on ECC is the Pollard rho method, whose running time is essentially exponential. It is precisely this difference between the two that gives ECC a higher security strength per bit than RSA: for the same security level, ECC needs a much shorter key than RSA.
  • A primary object of the present invention is to provide an H.323-based terminal access method for packet networks that gives the terminal authentication, integrity, non-repudiation and resistance to replay attacks. It rests on the hardness assumption of the discrete logarithm problem on elliptic curves.
  • the present invention provides a terminal access method based on the H.323 protocol applied to a packet network.
  • The terminal access method comprises the following steps (the machine translation's "incoming terminal" is the calling terminal and its "receiving terminal" the called terminal):
  • Step S102: the gatekeeper authenticates the calling terminal with the elliptic curve public key certificate digital signature scheme, places the call signaling channel session key negotiated with the calling terminal into signaling protected by that digital signature, and sends it to the calling terminal, establishing a first network-access secure channel;
  • Step S104: the calling terminal uses the pre-shared-secret mechanism, with the call signaling channel session key as the secret, to authenticate and establish a second network-access secure channel with the called terminal;
  • Step S106: the gatekeeper authenticates the called terminal with the elliptic curve public key certificate digital signature scheme, places the call signaling channel session key to be shared with the called terminal into signaling protected by that signature, and sends it to the called terminal, establishing a third network-access secure channel;
  • Step S108: the calling terminal and the gatekeeper, using the call signaling channel session key on the second network-access secure channel, establish a call-connection secure channel with a symmetric cryptographic mechanism;
  • Step S110: on the call-connection secure channel, a symmetric cryptographic mechanism negotiates the encryption algorithm and key for the real-time media stream between the calling and called terminals, giving real-time secure communication of the media stream.
  • the call signaling channel session key is negotiated by a Diffie-Hellman key distribution scheme.
  • The gatekeeper's authentication of the terminal with the elliptic curve public key certificate digital signature scheme may include the following steps: a. …
  • c. based on the security policy, decide whether to sign the entire signaling message or only part of it, and record the choice in the plaintext token;
  • select a secure hash function and hash the part of the signaling message to be signed, producing a fixed-length message digest e;
  • i. the calling terminal completes the signature (r, s) over the signaling message, embeds the signature in the message and sends it to the gatekeeper.
  • In step c, the choice between signing the whole signaling message and only part of it may be made as follows: if the terminal is physically adjacent to the gatekeeper, the whole message is signed; if a firewall sits between the terminal and the gatekeeper, only part of the message is signed.
  • The internal format of the digital certificate is specified by CCITT (International Telegraph and Telephone Consultative Committee, now ITU-T) X.509 and may include: the certificate version number, the certificate serial number, the name of the certificate owner, the signature algorithm, the issuing authority, the issuing authority's signature, and the validity period of the public key.
  • The gatekeeper can defend against denial of service attacks (replayed messages) by checking the lifetime of the calling terminal's timestamp and the uniqueness of its random sequence value. The gatekeeper can establish whether the called terminal is a legitimate user by comparing the called terminal's identity with the identifier it holds for that terminal.
  • In step S102, generating the call signaling channel session key with the Diffie-Hellman key distribution scheme may include: a. the calling terminal builds a data unit dhKey{halfkey (g^x mod p), modsize (the prime modulus p), generator (the generator g of the multiplicative group)} in the signaling; it generates a random secret x, computes g^x mod p, and sends the unit to the gatekeeper; b. after receiving the signaling message, the gatekeeper generates a random secret y, computes (g^x)^y = g^(xy) mod p as the session key shared with the calling terminal, and fills its own half key g^y mod p into the data unit of the returned signaling.
  • In step S110, on the call-connection secure channel, the call signaling channel session key is used with the pre-shared-secret mechanism to authenticate the H.245 control channel and establish a connection-control secure channel; on that channel the H.245 security capability exchange procedure negotiates the encryption algorithm and encryption key supported by both the calling and called terminals for media stream communication, and the call signaling channel session key protects the transport of that encryption key.
  • The gatekeeper's secure access of the terminal may include: confidentiality, identity authentication, integrity authentication, and non-repudiation.
  • The present invention achieves secure access, secure channel establishment and secure transmission of media streams between terminals even when no pre-shared secret has been established with the network; it offers high security strength per bit, fast processing and low overhead, which suits H.323 multimedia terminals with little memory and limited processing capability.
  • FIG. 2 is a call-mode scenario diagram according to an embodiment of the present invention;
  • FIG. 3 is a flowchart of the elliptic curve digital signature process when a terminal accesses the network, according to an embodiment of the present invention;
  • FIG. 4 is a flowchart of the gatekeeper's verification of the terminal's elliptic curve certificate-based digital signature, according to an embodiment of the present invention;
  • FIG. 5 is a protocol flowchart of secure terminal access in the gatekeeper-routed direct call mode according to an embodiment of the present invention.
  • DETAILED DESCRIPTION OF THE INVENTION The present invention is described in detail below with reference to the accompanying drawings. Because a symmetric cipher encrypts much faster than a public key cryptosystem, a hybrid scheme combines their advantages: the public key system securely transports the session key, and the session key is then used for encrypting and decrypting the data.
  • Public key cryptography is used to protect the RAS messages between the terminal (or MCU) and the gatekeeper, achieving secure terminal access and, at the same time, secure agreement of a session key. On the basis of the shared session key a symmetric cryptographic mechanism establishes a secure call-connection channel (H.225.0) that fits the various call routing modes; on that secure channel the security negotiation capability of the call control (H.245) protocol agrees the encryption algorithm and key for the real-time media stream between the multimedia terminals, completing real-time security of the media stream.
  • The H.323-based terminal access method for packet networks provided by the present invention comprises the following steps:
  • (1) The gatekeeper authenticates the calling terminal with the elliptic curve public key certificate digital signature scheme; a data unit carried in the signature-protected signaling is used, through the Diffie-Hellman key distribution scheme, to negotiate a shared session key with the calling terminal, establishing a network-access secure channel;
  • (2) The gatekeeper authenticates the called terminal with the same scheme, and in a data unit of the signature-protected signaling transmits to the called terminal the session key generated by the Diffie-Hellman scheme and to be shared with the called terminal, establishing a network-access secure channel;
  • (3) In the network call-control phase, the calling terminal and the gatekeeper, using the shared session key from step (1) on the established network-access secure channel, establish with a symmetric cryptosystem a call-connection secure channel matching the call routing mode;
  • (4) On the call-connection secure channel, a symmetric cryptographic mechanism negotiates the encryption algorithm and key for real-time media stream communication between the multimedia terminals, achieving real-time secure media communication between them.
  • In this method, the secure authentication between terminal and gatekeeper with the elliptic curve public key certificate digital signature scheme may proceed as: a. …; finally, when the x-coordinate x1 of the computed point equals r and is not 0, the signature computation is verified as correct and the gatekeeper completes access authentication of the terminal.
  • The choice between signing the entire signaling message and only part of it, according to the security policy, may be: if the terminal and gatekeeper are physically adjacent, the whole message is signed; if a firewall stands between them, only part of the message is signed.
  • The internal format of the digital certificate is specified by CCITT X.509 and may include: the certificate version number, the certificate serial number, the name of the certificate owner, the signature algorithm, the issuing authority, the issuing authority's signature, and the validity period of the public key.
  • The gatekeeper can defend against denial of service attacks by checking the lifetime of the calling terminal's timestamp and the uniqueness of its random sequence value.
  • The gatekeeper can check whether the called terminal is a legitimate user by comparing the called terminal's identity with the identifier it holds.
  • The gatekeeper can check whether the calling terminal's identifier matches the identity in its certificate and whether it has the corresponding access rights.
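The token-level checks described in the bullets above (timestamp lifetime, one-time random value, terminal identifier against certificate identity and access rights) and the full-versus-partial signing policy of steps 202 and 203, written out as working code. This is an added illustration for this page, not ZTE's code nor any H.235 implementation: the field names, the JSON canonicalisation of the signed bytes, the 30-second lifetime and the sample GRQ messages are assumptions. The elliptic curve signature over the bytes that bytes_to_sign selects is a separate step and is not repeated here.

```python
"""Gatekeeper-side ClearToken checks that run before signature verification,
plus the choice of which bytes the signature covers under policy "A" (full
message) or "B" (partial message). Illustrative code; field names, encoding,
lifetime and sample messages are assumptions, not taken from the patent."""
import json
import time

LIFETIME_SECONDS = 30                    # assumed clock-skew plus transit allowance
TOKEN_FULL, TOKEN_PARTIAL = "A", "B"     # tokenOID values named in the description
NAT_REWRITTEN_FIELDS = ("rasAddress", "callSignalAddress")   # assumed field names


def build_clear_token(sender, gatekeeper, random_value, timestamp, policy):
    """Step 202: the plaintext token carried in GRQ/RRQ."""
    return {"random": random_value, "timestamp": timestamp,
            "sendersID": sender, "generalID": gatekeeper, "tokenOID": policy}


def choose_policy(nat_or_firewall_between: bool) -> str:
    """Step 203: sign the whole message on a direct link, only part of it when a
    NAT/firewall will rewrite transport addresses in transit."""
    return TOKEN_PARTIAL if nat_or_firewall_between else TOKEN_FULL


def bytes_to_sign(message: dict) -> bytes:
    """Canonical bytes the (r, s) signature covers. Policy B leaves out the
    fields a NAT rewrites so the signature still verifies behind the NAT."""
    if message["clearToken"]["tokenOID"] == TOKEN_FULL:
        covered = message
    else:
        covered = {k: v for k, v in message.items() if k not in NAT_REWRITTEN_FIELDS}
    return json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()


class Gatekeeper:
    """Admission checks on the ClearToken; returns 'accept' or the GRJ/RRJ reason."""

    def __init__(self, own_id, cert_directory, now=time.time):
        self.own_id = own_id
        self.certs = cert_directory      # endpointIdentifier -> certificate facts
        self.seen = {}                   # (sender, random) -> expiry time
        self.now = now                   # injectable clock so tests are deterministic

    def _forget_expired(self, now):
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}

    def admit(self, message: dict) -> str:
        token = message["clearToken"]
        now = self.now()
        if token["generalID"] != self.own_id:
            return "reject: token not addressed to this gatekeeper"
        if abs(now - token["timestamp"]) > LIFETIME_SECONDS:
            return "reject: timestamp outside lifetime"
        self._forget_expired(now)
        key = (token["sendersID"], token["random"])
        if key in self.seen:
            return "reject: replayed random value"
        cert = self.certs.get(message["endpointIdentifier"])
        if cert is None:
            return "reject: no certificate for terminal"
        if cert["subject"] != token["sendersID"]:
            return "reject: terminal identity does not match certificate"
        if "register" not in cert["rights"]:
            return "reject: no access right"
        # Remember the random value for the lifetime window only; a full
        # implementation records it after the (r, s) signature has verified.
        self.seen[key] = now + LIFETIME_SECONDS
        return "accept"


# Constructed certificate directory and sample messages (not from the patent).
SAMPLE_CERTS = {
    "terminal-A": {"subject": "terminal-A", "rights": {"register"}},
    "terminal-C": {"subject": "terminal-C", "rights": set()},
}


def sample_grq(sender, random_value, timestamp, policy, gatekeeper="GK-B"):
    """Constructed GRQ-like message; rasAddress is what a NAT would rewrite."""
    return {
        "requestSeqNum": 1,
        "endpointIdentifier": sender,
        "rasAddress": "10.0.0.5:1719",
        "clearToken": build_clear_token(sender, gatekeeper, random_value, timestamp, policy),
    }
```

With policy "B" two copies of the same GRQ that differ only in rasAddress produce identical bytes_to_sign output, which is exactly why a signature made before a NAT still verifies after it; with policy "A" the same change breaks the signature, which is the stronger guarantee the patent reserves for directly connected terminals.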
  • The calling terminal's negotiation of the shared session key with the gatekeeper through the Diffie-Hellman key distribution scheme may be: a. the calling terminal builds a data unit dhKey{halfkey (g^x)} in the signaling; …
  • In the network connection-control phase, the call signaling channel session key and the pre-shared-secret mechanism authenticate the H.245 control channel and establish a connection-control secure channel within the call-connection secure channel;
  • the encryption algorithm and key supported by both multimedia terminals for media stream communication are negotiated there, with the call signaling channel session key protecting their transport.
  • The gatekeeper's secure access of the terminal may include: confidentiality, identity authentication, integrity authentication and non-repudiation.
  • The object of the present invention is to provide a digital signature method based on elliptic curve public key certificates.
  • The method starts from the elliptic curve discrete logarithm problem, supplemented by a collision-resistant hash function, and uses elliptic curve public key certificate digital signatures to confirm identity and check integrity during terminal access; where required it can also provide non-repudiation and other security properties.
  • The Diffie-Hellman key distribution scheme generates a shared secret (session key) between the terminal and the gatekeeper, the network access node, and that secret is used to establish secure channels for the subsequent call connection and media stream communication.
  • The method of the present invention is based on the elliptic curve discrete logarithm problem: given a point P ∈ E of order n and a point Q = kP with 0 ≤ k ≤ n − 1, determine k.
  • The elliptic curve discrete logarithm problem is considered to give provable security. Compared with the currently popular RSA public key cryptosystem it offers higher speed, higher security and lower processing demands on the terminal.
  • The invention secures network access of multimedia terminals in an H.323 system: the three communication phases of network access (H.225.0 RAS), call control (H.225.0 call signaling) and connection control (H.245) are given authentication, privacy (confidentiality), integrity and non-repudiation protection.
  • The elliptic curve public key certificate digital signature process provides security authentication, and a shared session key negotiated with the Diffie-Hellman key distribution scheme establishes a secure channel; on that channel the remaining secure channels are built with conventional symmetric cryptography, securing and keeping confidential the communication between multimedia terminals.
  • The solution to the two problems above (distributing and managing pre-shared secrets) is to introduce a digital certificate that represents the user's identity.
  • The digital certificate effectively identifies the terminal, and key exchange can be carried out at the same time.
  • The internal format of the digital certificate can be specified by CCITT X.509.
  • An H.323-based terminal access method for packet networks comprises the following steps: Step S102: a gatekeeper authenticates the calling terminal with an elliptic curve public key certificate digital signature scheme.
  • Step S104: the calling terminal uses the pre-shared-secret mechanism, with the call signaling channel session key, to authenticate and establish a second network-access secure channel with the called terminal;
  • Step S106: the gatekeeper authenticates the called terminal with the elliptic curve public key certificate digital signature scheme, places the call signaling channel session key to be shared with the called terminal into the signature-protected signaling and sends it to the called terminal, establishing a third network-access secure channel;
  • Step S108: the calling terminal and the gatekeeper, using the call signaling channel session key on the second network-access secure channel, establish a call-connection secure channel with the symmetric security mechanism;
  • Step S110: on the call-connection secure channel, a symmetric cryptographic mechanism negotiates the encryption algorithm and key for the real-time media stream between the calling and called terminals, achieving real-time secure communication of the media stream.
  • FIG. 2 is the call-mode scenario diagram for the method of this embodiment. It shows the terminal's secure network access process based on the elliptic curve public key certificate digital signature method, including signaling authentication, integrity and non-repudiation.
  • The method of this embodiment assumes that, before secure access and key agreement take place, every network node already holds the public key certificate (elliptic curve public key certificate) of its communication peer. The specific steps are:
  • Step 101 Terminal A or C carries out the digital signature process on the GRQ or RRQ signaling: with the public elliptic curve parameter set given by the elliptic curve certificate, it sets the relevant user authentication information in the GRQ or RRQ, signs the signaling message, embeds the signature in the GRQ or RRQ and sends it to gatekeeper B.
  • Step 102 After receiving the GRQ or RRQ, gatekeeper B carries out the security authentication process; having verified the correctness of the signature computation, it completes the access of terminal A or C.
  • Step 103 After secure network access completes, terminal A sends ARQ or LRQ signaling to gatekeeper B, requesting negotiation of a call signaling channel session key.
  • Step 104 Gatekeeper B replies to terminal A with ACF or LCF signaling; based on the session secret securely exchanged during the H.225.0 RAS signaling, the Diffie-Hellman algorithm negotiates the call signaling channel session key, which is delivered to terminal A.
  • Step 105 Terminal A, using the call signaling channel session key with the pre-shared-secret mechanism for H.245 control channel security authentication, establishes a secure channel with terminal C.
  • Step 106 Terminal C sends ARQ or LRQ signaling to gatekeeper B, requesting delivery of the call signaling channel session key negotiated by gatekeeper B with terminal C.
  • Step 107 Gatekeeper B replies to terminal C with ACF or LCF signaling and delivers to terminal C the call signaling channel session key negotiated with terminal A.
  • Step 108 Gatekeeper B completes the negotiation with terminal C; the media logical channel is opened with the encryption algorithm and key negotiated between gatekeeper B and terminal C, and RTP/RTCP (Real-time Transport Protocol and its control protocol) carries the secured media over the packet network.
  • FIG. 3 is the flowchart of the elliptic curve digital signature process when a terminal accesses the network; the steps are:
  • Among the curve parameters, the prime n is the order of the base point G, and h = #E(GF(p))/n is the cofactor, where #E(GF(p)) is the order of the group of curve points.
  • Step 202 Set the user authentication information in the GRQ or RRQ and place it in a token, ClearToken, carried in the plaintext message: a random sequence number, a timestamp, the sending terminal's name, the receiving gatekeeper's name, a flag marking full or partial signing of the signaling message, and so on.
  • Step 203 Decide according to the security policy whether the whole GRQ or RRQ signaling message is signed or only part of it, and record the decision in a field of the ClearToken: tokenOID "A" indicates a full-message signature and "B" a partial-message signature.
  • The former suits a direct physical connection between terminal and gatekeeper; the latter is needed when a NAT/firewall between them modifies the GRQ or RRQ signaling in transit.
  • Step 206 Select a random or pseudo-random number k, 1 ≤ k ≤ n − 1.
  • Step 211 The terminal completes the signature (r, s) over the signaling message, embeds it in the GRQ or RRQ and sends it to gatekeeper B.
  • FIG. 4 is a flowchart of the process by which the gatekeeper verifies the terminal's elliptic curve digital signature according to the embodiment of the present invention; the specific steps are as follows:
  • Step 302: The gatekeeper B checks whether the signature (r, s) of the terminal A lies outside the range given by the order of the elliptic curve base point group; if so, the signature is illegal.
  • The gatekeeper B then goes to step 311, rejects the access of the terminal A, and returns a GRJ or RRJ message stating the security-related reason for denying access.
  • Step 303: It is judged whether the message signature indicated by the tokenOID is a signature over the entire signaling message or only over part of the message.
  • Step 304: Generate the message digest e over the entire signaling message.
  • Step 305: Generate the message digest e over the signed part of the signaling message.
  • Step 307: When the abscissa x1 of X is 0, the signature is invalid; the gatekeeper B goes to step 311, rejects the access of the terminal A, and returns a GRJ or RRJ message stating the security-related reason for denying access.
  • Step 308: When the abscissa x1 of X is not equal to r, the signature is invalid; the gatekeeper B goes to step 311, and the terminal A receives a GRJ or RRJ message stating the security-related reason for denying access.
  • Step 309: Once the signature calculation itself has been verified as correct, the message signature has not been tampered with, and the gatekeeper B completes the access authentication of the terminal A.
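The signing steps of FIG. 3 and the gatekeeper checks of FIG. 4, written out as an added example in Python; it is not code from the patent. It assumes the secp256k1 curve and SHA-256 (the patent only requires a prime field larger than 160 bits and a secure hash), and models a GRQ as a dictionary whose ClearToken fields are the authentication data, so that the tokenOID "A" (full message) and "B" (partial message) choice can be compared when a NAT rewrites the transport address.

```python
"""ECDSA signing (FIG. 3) and gatekeeper verification (FIG. 4) over RAS fields.
Added example, not the patent's code.  Assumptions: secp256k1 domain
parameters D = (p, a, b, G, n, h) with h = 1, SHA-256 as the hash function,
and a constructed GRQ dictionary standing in for the ASN.1 message."""
import hashlib
import json
import secrets

P = 2**256 - 2**32 - 977          # prime p of GF(p)
A, B = 0, 7                        # curve E: y^2 = x^3 + a*x + b
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (GX, GY)                       # base point of prime order n
INF = None                         # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Chord-and-tangent addition on E(GF(p))."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Scalar multiplication kP by double-and-add (equation (2) of the text)."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def digest(msg, token_oid):
    """Steps 203/304/305: 'A' hashes the whole message, 'B' only the ClearToken."""
    part = msg if token_oid == "A" else msg["clearToken"]
    data = json.dumps(part, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(msg, token_oid, d):
    """Terminal side, FIG. 3: returns (r, s).  k must be fresh for every
    signature; a repeated k lets anyone recover the private key d."""
    e = digest(msg, token_oid)
    while True:
        k = secrets.randbelow(N - 1) + 1            # step 206: 1 <= k <= n-1
        x1, _ = mul(k, G)                           # kG = (x1, y1)
        r = x1 % N
        if r == 0:
            continue                                # r = 0: pick k again
        s = pow(k, -1, N) * (e + d * r) % N
        if s == 0:
            continue                                # s = 0: pick k again
        return (r, s)                               # step 211


def verify(msg, token_oid, sig, q):
    """Gatekeeper side, FIG. 4.  Returns (ok, reason) so the GRJ/RRJ of
    step 311 can carry the security reason for denying access."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False, "step 302: (r, s) outside the base point group order"
    e = digest(msg, token_oid)                      # steps 303-305
    w = pow(s, -1, N)
    u1, u2 = e * w % N, r * w % N
    x_pt = add(mul(u1, G), mul(u2, q))              # X = u1*G + u2*Q
    if x_pt is INF or x_pt[0] % N == 0:
        return False, "step 307: abscissa x1 is 0"
    if x_pt[0] % N != r:
        return False, "step 308: x1 != r, message or signature altered"
    return True, "step 309: access authenticated"


def demo():
    """Constructed GRQ: the ClearToken is authentication data, rasAddress is a
    field a NAT may rewrite.  Shows why 'B' is chosen across a NAT/firewall."""
    d = secrets.randbelow(N - 1) + 1                # private key d
    q = mul(d, G)                                   # public key Q = dG
    grq = {"clearToken": {"tokenOID": "S", "random": 1, "timeStamp": 1700000000,
                          "challenge": "c0ffee", "sendersID": "terminalA",
                          "generalID": "gatekeeperB"},
           "rasAddress": "10.0.0.5:1719"}
    natted = dict(grq, rasAddress="203.0.113.9:40000")   # NAT rewrote the address
    forged = dict(grq, clearToken=dict(grq["clearToken"], sendersID="other"))
    out = {}
    for oid in ("A", "B"):
        sig = sign(grq, oid, d)
        out[oid + "_ok"] = verify(grq, oid, sig, q)[0]
        out[oid + "_after_nat"] = verify(natted, oid, sig, q)[0]
        out[oid + "_forged"] = verify(forged, oid, sig, q)[0]
    return out
```

`demo()` returns True for both tokenOIDs on the unmodified GRQ, True only for "B" after the NAT rewrite, and False for both when the ClearToken itself is altered.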
  • The method of the embodiment of the present invention uses the Diffie-Hellman key agreement algorithm to establish a shared secret between the terminal A and the gatekeeper B. The process is as follows: while the network access is being secured, the terminal A and the gatekeeper B negotiate a shared secret.
  • The procedure for secure access of the call signaling channel (H.225.0) and the media control channel (H.245 Control Protocol) in the method of the embodiment of the present invention is as follows: after the terminal's secure network access is completed, ARQ/ACF or LRQ/LCF signaling can be exchanged, and the session secret securely exchanged during the H.225.0 RAS signaling process can be used to implement security authentication and integrity with symmetric cryptography; the dhkey field in a single ClearToken can also be used to negotiate a call signaling channel session key with the Diffie-Hellman algorithm. Reusing this key, the H.245 control channel is authenticated with the pre-shared secret mechanism and a secure channel is established.
  • The security capability exchange procedure of the H.245 protocol is used to negotiate the parameters of media stream communication between the multimedia terminals, such as the encryption algorithms and encryption keys supported for video or audio, and the previously established session key is used to protect their transmission.
  • The confidentiality of packet-based media communication can then be realized by the Real-Time Transport Protocol/Real-Time Transport Control Protocol (RTP/RTCP) in the media logical channel opened afterwards.
  • FIG. 5 is a flowchart of the terminal secure access protocol in the single-gatekeeper direct call mode according to an embodiment of the present invention. The solution in this embodiment is applicable to the direct routing mode within the management scope of a single gatekeeper in an H.323 system.
  • Each RAS/H.225.0 signaling message has a dedicated data structure that describes the security mechanisms used by the different entities (gatekeepers, endpoints) for communication.
  • cryptoToken: the data structure of the security mechanism based on public key certificate digital signatures is called cryptoToken; it can be used to describe the terminal's secure access to the H.323 system by means of an elliptic curve public key certificate digital signature.
  • The fields can be set as follows: tokenOID: set to "A" to indicate that the authentication/integrity/non-repudiation computation covers the entire H.225.0 RAS signaling message, for physically connected, physically secure situations; set to "B" to indicate that only a subset of the H.225.0 RAS message fields is covered by the authentication and non-repudiation computation, for end-to-end situations where crossing a NAT/firewall modifies the signaling message.
  • token: the sub-structure holding what is to be signed and storing the result, where: toBeSigned: the ClearToken holding either the entire signaling message to be signed or only the associated authentication information.
  • algorithmOID: indicates to the receiving entity the signature algorithm used, e.g. "V" denotes the signature algorithm given by the present invention.
  • signature: the signature {r, s}.
  • The signed plaintext token ClearToken contains the following fields: tokenOID: set to "S" to indicate that the ClearToken is used for authentication/integrity/non-repudiation information; "R" indicates use for authentication/non-repudiation security in end-to-end applications across NAT/firewalls.
  • challenge: the challenge number, used for three-way handshake authentication protocols. random: a monotonically increasing sequence number that guarantees uniqueness when the timestamp granularity is insufficient.
  • When the sending terminal builds a signaling message (such as GRQ, RRQ), it sets the data structure as described above, completes the corresponding signature operation, and then sends the message to the gatekeeper B. After receiving the signaling message, the receiving entity immediately checks the signatures indicated by the tokenOIDs sent to it and completes the security authentication process.
  • The specific process can be based on the following criteria: verify that the sender is a valid user by comparing the generalID with its own identifier; verify that the sendersID is consistent with the certificate and has the corresponding access rights; verify that the message has not been tampered with by checking whether the message signature matches the signature it computes itself; and verify, by checking the received certificate, that the sending entity is a legally registered entity, which also provides non-repudiation in e-commerce.
  • The Diffie-Hellman key negotiation algorithm specified in dhkey can be used to complete the negotiation and exchange of the session key in the returned response message (GCF, RCF).
  • Step 401: The terminal A or C puts the challenge number challengeA into the challenge field of the ClearToken, and generalIDA indicates the identifier of the terminal C.
  • The subscripts A, B and C denote the identifiers of the terminal A, the gatekeeper B and the terminal C, respectively, and the English field names denote the corresponding fields.
  • Step 402: After receiving the gatekeeper discovery request (GRQ) signaling from the terminal A, the gatekeeper B decides, according to the terminal A's name and the local security policy, to use a digital signature for security authentication with the terminal A, so as to ensure the secure access of the terminal A.
  • The combination of the sequence random number randomB and the challenge number challengeB is guaranteed to be unique, to prevent replay attacks on the signaling; DhB contains the value g^x.
  • {...}SignB denotes a digital signature of the value in braces, here assuming a partial signature of the signaling message. certificate: stores the actual elliptic curve certificate of the gatekeeper B.
  • Step 403: After obtaining the response message GCF from the gatekeeper B, the terminal A verifies the validity of the elliptic curve certificate of the gatekeeper B and checks whether the received challengeA equals the value it sent. If they are equal, the other authentication rules are applied; if the gatekeeper B is a legal gatekeeper, the RRQ message is set up as follows: regenerate the sequence random number randomA (for example by incrementing the received randomB) and the challenge number challengeA (with a value different from the one used in the GRQ), ensuring that the combination is unique; DhA contains the value g^y; certificate stores the actual elliptic curve certificate of the terminal A.
  • Step 404: After receiving the registration request (RRQ) signaling from the terminal A, the gatekeeper B decides, according to the local security policy, to adopt a symmetric cryptographic authentication algorithm, such as one based on symmetric key encryption or a shared secret + hash algorithm as specified by the ITU-T H.235 protocol.
  • The shared secret is generated from the g^xy derived by the Diffie-Hellman protocol in the preceding signaling exchange. So that the terminal A can verify the negotiated shared secret, the gatekeeper B places in a separate token ClearToken [...sendersIDB, ({generalIDA XOR randomA XOR ...} EDH-Secret)...], where EDH-Secret denotes the shared secret derived by the Diffie-Hellman protocol.
  • Step 405: After the terminal's secure network access is completed, the terminal A sends ARQ signaling to the gatekeeper B and uses symmetric cryptography to implement security authentication/integrity based on the session key securely exchanged during the network access process.
  • the Diffie-Hellman algorithm can be used to negotiate a call signaling channel session key for communication between multimedia terminals using the dhkey field in a single token ClearToken.
  • Gatekeeper B returns ACF signaling to terminal A, and returns the negotiated call signaling channel session key.
  • Terminal A uses the call signaling channel session key to implement secure authentication of the call signaling channel and the H.245 control channel by using a pre-shared secret mechanism, and establishes a secure channel.
  • Step 408: The gatekeeper B responds to the terminal with the response information completing the establishment of the H.245 secure channel.
  • Step 409: The terminal C sends ARQ signaling to the gatekeeper B on the secure H.245 channel, requesting to use the security capability exchange procedure of the H.245 protocol to negotiate the parameters of media stream communication between the two multimedia terminals, such as the supported encryption algorithms and encryption keys for video or audio.
  • Step 410: The gatekeeper B returns the negotiated encryption algorithm and encryption key parameters for the multimedia terminal communication to the terminal C through ACF signaling.
  • Step 411: The gatekeeper B sends the encryption algorithm, encryption key and other parameters of the multimedia terminal communication negotiated with the terminal C to the terminal A, and the media logical channel is established.
  • The terminal C implements packet-based secure media communication using the Real-Time Transport Protocol/Real-Time Transport Control Protocol (RTP/RTCP) in the media logical channel.
  • The elliptic curve cryptosystem employed in the method of the present invention has, among known public key cryptosystems, the highest security strength per bit, the fastest processing speed and the lowest overhead, and is especially suitable for H.323 multimedia terminals with low memory and low processing capability to achieve secure network access.
  • The secure access method proposed by the present invention can be used in various operating scenarios, and can also be used for interconnection between different operators.


Abstract

A terminal access method based on the H.323 protocol applied to a packet network includes the steps of: a gatekeeper authenticating a calling terminal by using an elliptic curve digital signature of the public key certificate mechanism, and adding the session cryptographic key generated by negotiation with the calling terminal to the signalling carrying the elliptic curve digital signature of the public key certificate; the calling terminal using a pre-shared secret mechanism to perform security authentication with the session cryptographic key, and setting up a network access secure channel; the gatekeeper authenticating the receiving terminal by using the elliptic curve digital signature of the public key certificate mechanism, and adding the session cryptographic key shared with the receiving terminal to the signalling carrying the elliptic curve digital signature of the public key certificate; the calling terminal and the gatekeeper setting up a call connection secure channel on the network access secure channel by using a symmetric cryptographic key security mechanism based on the session cryptographic key; and, on the call connection secure channel, performing cryptographic algorithm and cryptographic key negotiation for the real-time media stream communication between the calling terminal and the receiving terminal by using the symmetric cryptographic key security mechanism.

Description

应用于分组网络的基于 H.323协议的  H.323-based protocol applied to packet networks
终端接入方法  Terminal access method
技术领域 本发明涉及分组网络通信安全技术, 尤其涉及一种应用于分组网络 的基于 H.323协议的终端接入方法。 背景技术 目前, 依托专网及互联网部署了大量具有多媒体能力基于 ITU— T H.323协议的终端,开展基于分组网(固定与 3G移动)语音( VoIP, Voice over IP, 基于 IP的语音传输)、 枧频等业务及其它一些增值业务, 并有可 能在未来成为用户接入的主流方式。由于互联网本身的开放性和缺乏有效 监控, 安全接入问题日益凸现, 如拒绝服务(DoS, Denial of Service )攻 击、 服务窃取、 信令流监听、 媒体流监听等安全威胁。 现有的 H.323 网络中, 终端要安全接入网络, 主要是基于 ITU-T ( International Telecommunication Union-Telecommunication standardization sector, 国际电信联盟电信标准化组) H.235协议中对称密 码技术来实现网络对终端的安全认证, 作为实现终端安全接入的手段。安 全机制是通过各相邻节点之间事先预共享秘密或是通过 TLS ( Transport Layer Security, 传输层安全协议 )或 IPSEC ( IP Security, IP安全)协议 使用一个安全端口来保护各种信令安全。具体体现为对端点(多媒体终端 或媒体控制单元( MCU, Media Control Unit ) )之间通信的三个控制过程: 呼叫接纳(RAS, Registration, Admission and Status, 注册、接入和^■态), 呼叫控制(H.225.0呼叫信令协议)、 和连接控制(H.245 )实施安全保护, 包括认证、 隐私性(机密性)、 完整性及不可否认性。 预共享秘、密的对称密码安全机制由于在加、 解密时使用单一密钥, 一旦密钥泄露, 整个通信系统失去安全防 p作用 , 因此在实际应用中暴露 出了越来越多的缺陷。 这种安全机制另外的不足就是当网络规模很大时, 用户预共享秘密分配困难, 即使可行也难于管理。 对于混合网络中, 如移动网络与固定网, 事先协商 TLS或 IPSEC的 机制实施起来艮困难。 公钥密码体制根据其所依据的难题一般分为三类: 大整数分解问题 类、离散对数问题类、椭圆曲线类。有时也把椭圆曲线类归为离散对数类。 椭圆曲线密码体制来源于对椭圆曲线的研究, 所谓椭圆曲线指的是 由韦尔斯特拉斯 ( Weierstrass )方程: 2+ai y+a3y = x3+a2x2+a4x+a6 ( 1 ) 所确定的平面曲线。 其中系数 ( i = 1,2,...,6 ) 定义在某个域上, 可以是 有理数域、 实数域、 复数域, 还可以是有限域 GF ( p ), 椭圆曲线密码体 制中用到的椭圆曲线都是定义在有限域上的。 有限域椭圆曲线上所有点, '附加一个叫做无穷远点的特殊点构成的 集合连同一个定义的 "弦与正切"加法运算规则构成一个 Abel群。 等式 mP = P+P+...+P = Q ( 2 )被称为点积或点的标量乘, 已知标量 m和点 P求点 Q比较容易, 反之已知点 Q和点 P求 m却是相当困难的, 这个问 题称为椭圆曲线离散对数问题。椭圆曲线密码体制正是利用这个困难问题 设计而来。椭圆曲线应用到密码学上最早是由 Neal Koblitz和 Victor Miller 在 1985年分别独立提出的。 椭圆曲线密码体制是目前已知公钥密码体制中, 每比特所提供加密 强度最高的一种体制。 解椭圆曲线上离散对数问题的最好算法是 Pollard rho方法, 其时间复杂度是完全指数阶的。 假设 n为等式 (2 ) 中 m的二 进制表示的位数。 当 n = 234, 复杂度约为 2117, 需要 1.6xl023 MIPS年的 时间。 而我们熟知的 RSA所利用的是大整数分解的困难问题, 目前对于 一般情况下的因数分解的最好算法的时间复杂度是子(亚)指数阶的, 当 n = 2048时, 约需 2x102Q MIPS 的时间。 也就是说当 RSA的密钥使用 2048位时, ECC ( Elliptic Curve Cryptosystem , 椭圆曲线密码体制) 的密 钥使用 234位所获得的安全强度还高出许多。它们之间的密钥长度却相差 达 9倍, 当 ECC的密钥更大时它们之间差距将更大。 ECC密钥短的优点 是非常明显的, 随加密强度的提高, 密钥长度变化不大。 目前, 德国、 日本、 法国、 美国、 加拿大等国的很多密码学研究小 组及一些公司实现了椭圆曲线密码体制,我国也有一些密码学者#文了这方 面的工作。许多标准 
组织已经或正在制定关于椭圆曲线的标准, 同时也 有许多的厂商已经或正在开发基于椭圆曲线的产品。对于椭圆曲线密码的 研究也是方兴未艾。 在椭圆曲线密码体制的标准化方面, IEEE ( Institute of Electrical and Electronics Engineers , 电气和电子工程师学会)、 ANSI ( American National Standard Institute, 美国国家标准十办会)、 ISO ( International Standardization Organization, 国际标准 4匕组织)、 IETF ( Internet Engineering Task Force, 因特网工程任务组 ), ATM ( Asynchronous Transfer Mode, 异步传输模式) 等都作了大量的工作, 它们所开发的椭圆曲线标准的文档有: IEEE P1363 P1363a, ANSI X9.62 X9.63 ISO/IEC14888等。 TECHNICAL FIELD The present invention relates to packet network communication security technologies, and in particular, to a H.323 protocol-based terminal access method applied to a packet network. BACKGROUND Currently, a large number of terminals based on the ITU-T H.323 protocol with multimedia capabilities are deployed on a private network and the Internet to implement voice over IP (VoIP, voice over IP, IP-based voice transmission). , 枧frequency and other services and other value-added services, and may become the mainstream way of user access in the future. Due to the openness of the Internet itself and the lack of effective monitoring, security access issues are becoming more and more prominent, such as denial of service (DoS) attacks, service stealing, signaling flow monitoring, media stream monitoring and other security threats. In the existing H.323 network, the terminal needs to access the network securely, mainly based on the ITU-T (International Telecommunication Union-Telecommunication standardization sector) H.235 protocol symmetric cryptography technology to achieve network pairs. Terminal security authentication, as a means to achieve secure access to the terminal. The security mechanism is to protect various signaling security by pre-shared secrets between neighboring nodes or by using a secure port through TLS (Transport Layer Security) or IPSEC (IP Security) protocol. 
It is embodied in three control processes for communication between endpoints (Multimedia Terminals or Media Control Units): Call Admission (RAS, Registration, Admission and Status, Registration, Access, and Status). Call Control (H.225.0 Call Signaling Protocol), and Connection Control (H.245) implement security protection, including authentication, privacy (confidentiality), integrity, and non-repudiation. The pre-shared secret and secret symmetric cryptographic mechanism uses a single key during addition and decryption. Once the key is leaked, the entire communication system loses its security and anti-p function, so it exposes more and more defects in practical applications. Another disadvantage of this security mechanism is that when the network size is large, the user's pre-shared secret allocation is difficult, and even if it is feasible, it is difficult to manage. For hybrid networks, such as mobile networks and fixed networks, the mechanism for negotiating TLS or IPSEC in advance is difficult to implement. Public key cryptosystems are generally classified into three categories according to the problems they are based on: large integer decomposition problem classes, discrete logarithm problem classes, and elliptic curve classes. Elliptic curve classes are sometimes classified as discrete logarithmic classes. The elliptic curve cryptosystem is derived from the study of elliptic curves, which are referred to by the Weierstrass equation: 2 +ai y+a 3 y = x 3 +a 2 x 2 +a 4 x +a 6 ( 1 ) The determined plane curve. The coefficient (i = 1, 2, ..., 6) is defined in a domain, which can be a rational number field, a real number field, a complex number field, or a finite field GF ( p ), which is used in an elliptic curve cryptosystem. The elliptic curves are all defined on a finite field. All points on a finite field elliptic curve, 'a set of special points called an infinity point is combined with a defined "chord and tangent" addition rule to form an Abel group. 
The equation mP = P+P+...+P = Q ( 2 ) is called the scalar multiplication of the dot product or point. It is easier to find the scalar m and the point P to find the point Q. Otherwise, the known point Q and the point P are obtained. m is quite difficult. This problem is called elliptic curve discrete logarithm problem. The elliptic curve cryptosystem is designed using this difficult problem. The elliptic curve applied to cryptography was first independently proposed by Neal Koblitz and Victor Miller in 1985. The elliptic curve cryptosystem is a system in which the encryption strength of each bit is the highest in the public key cryptosystem. The best algorithm for solving the discrete logarithm problem on elliptic curves is the Pollard rho method, whose time complexity is fully exponential. Let n be the number of bits of the binary representation of m in equation (2). When n = 234, the complexity is about 2 117 , which takes 1.6xl0 23 MIPS years. The well-known RSA utilizes the difficult problem of large integer decomposition. At present, the time complexity of the best algorithm for factorization in general is sub-sub-exponential order. When n = 2048, it takes about 2x10. 2Q MIPS time. That is to say, when the RSA key uses 2048 bits, the security strength of the ECC (Elliptic Curve Cryptosystem) key using 234 bits is much higher. The key length between them is up to 9 times, and the difference between them is greater when the ECC key is larger. The advantage of the short ECC key is very obvious. As the encryption strength increases, the key length does not change much. At present, many cryptography research groups and some companies in Germany, Japan, France, the United States, Canada and other countries have implemented elliptic curve cryptosystems, and some cryptographers in China have written this work. 
Many standards organizations have or are developing standards for elliptic curves, and many vendors have developed or are developing products based on elliptic curves. The study of elliptic curve cryptography is also in the ascendant. IEEE ( Institute of Electrical and Standardization) in the standardization of elliptic curve cryptosystems Electronics Engineers, Institute of Electrical and Electronics Engineers, ANSI (American National Standard Institute), ISO (International Standardization Organization, International Standards Organization), IETF (Internet Engineering Task Force, Internet Engineering Task Force) ATM (Asynchronous Transfer Mode) has done a lot of work. The elliptic curve standard documents developed by them are: IEEE P1363 P1363a, ANSI X9.62 X9.63 ISO/IEC14888, etc.
2003年 5月 12日中国颁布的无线局域网国家标准 GB15629.i l中, 包含了全新的 WAPI ( WLAN Authentication and Privacy Infrastructure, 无 线局域网认证与保密体系结构)安全机制, '能为用户的 WLAN系统提供 全面的安全保护。 这种安全 制由 WAI ( WLAN Authentication Infrastructure, WLAN认证体系结构)和 WPI( WLAN Privacy Infrastructure, WLAN 保密体系结构) 两部分组成, 分别实现对用户身份的鉴别和对传 输的数据加密。 WAI 采用公开密钥密码体制, 利用证书来对 WLAN ( Wireless Local Area Network , 无线局域网) 系统中的用户和 AP进行认 证。 证书里面包含有证书颁发者 (ASU, Authentication Service Unit, 认 证月艮务单元 )的公钥和签名以及证书持有者的公钥和签名 , 这里的签名采 用的尤是椭圆曲线 ECC算法。 第六届国际密码学会议对应用于公钥密码系统的加密算法推荐了两 种:基于大整数因子分解问题(IFP, Integer Factorization Problem )的 RS A 算法和基于椭圆曲线上离散对数计算问题( ECDLP, Elliptic Curve Discrete Logarithm Problem )的 ECC算法。 RSA算法的特点之一是数学原理简单、 在工程应用中比较易于实现, 但它的单位安全强度相对较低。 目前用国际 上公认的对于 RSA算法最有效的攻击方法 般数域筛(NFS , NumberOn May 12, 2003, China's WLAN national standard GB15629.il included a new WAPI (WLAN Authentication and Privacy Infrastructure) security mechanism, which provides comprehensive coverage for users' WLAN systems. Security protection. This security system consists of two parts: WAI (WLAN Authentication Infrastructure) and WPI (WLAN Privacy Infrastructure), which respectively authenticate the user's identity and encrypt the transmitted data. WAI uses a public key cryptosystem to authenticate users and APs in a WLAN (Wireless Local Area Network) system. The certificate contains the public key and signature of the certificate issuer (ASU, Authentication Service Unit) and the certificate holder's public key and signature. The signature here is especially the elliptic curve ECC algorithm. The Sixth International Cryptography Conference recommends two encryption algorithms for public key cryptosystems: the RS A algorithm based on the Integer Factorization Problem (IFP) and the discrete logarithm calculation based on the elliptic curve ( ECDLP, Elliptic Curve Discrete Logarithm Problem) ECC algorithm. 
One of the characteristics of the RSA algorithm is that the mathematical principle is simple, and it is relatively easy to implement in engineering applications, but its unit security strength is relatively low. Currently the most effective attack method for the RSA algorithm is recognized internationally. NFS, Number
Field Sieve )方法去破译和攻击 RSA算法, 它的破译或求解难度是亚指数 级的。 ECC 算法的数学理论非常深奥和复杂, 在工程应用中比较难于实 现, 但它的单位安全强度相对较高。 用国际上公认的对于 ECC算法最有 效的攻击方法—— Pollard rho方法去破译和攻击 ECC算法, 它的破译或 求解难度基本上是指数级的。正是由于 RSA算法和 ECC算法这一明显不 同, 使得 ECC算法的单位安全强度高于 RSA算法, 也就是说, 要达到同 样的安全强度, ECC算法所需的密钥长度远比 RSA算法低。 这就有效地 解决了为了提高安全强度必须增加密钥长度所带来的工程实现难度的问 题。 克月良现有网络安全机制缺陷的一个可行方法就是基于公钥密码体 制, 因此, 需要一种基于椭圆曲线公钥密码学实现多媒体终端安全接入网 络的方法。 发明内容 本发明的主要目的在于提供一种应用于分组网络的基于 H.323协议 的终端接入方法, 包括终端的认证、完整性、不可否认性及抗重放攻击等。 其特征 于椭圆曲线上离散对数困难问题假设出发, 借助于哈希函数, 椭圆曲线公钥证书,利用椭圆曲线数字签名方法实现终端的安全接入及共 享秘密或会话密钥的安全传输。 为了实现上述目的,本发明提供了一种应用于分组网络的基于 H.323 协议的终端接入方法。 终端接入方法包括以下步骤: 步驟 S 102 , 网守采用椭圆曲线公钥证书数字签名体制对呼入终端进 行安全认证,并将与呼入终端协商生成的呼叫信令信道会话密钥加入椭圆 曲线公钥证书数字签名的信令中, 并发送至呼入终端, 从而建立第一网络 接入安全信道; 步驟 S104, 呼入终端通过呼叫信令信道会话密钥, 采用预共享秘密 机制进行安全认证, 从而与接收终端建立第二网络接入安全信道; 步骤 S 106 , 网守采用椭圆曲线公钥证书数字签名体制对接收终端进 行安全认证,并将与接收终端共享的呼叫信令信道会话密钥加入椭圆曲线 公钥证书数字签名的信令中, 并发送至接收终端, 从而建立第三网络接入 安全信道; 步骤 S108, 呼入终端和网守基于呼叫信令信道会话密钥, 在第二网 络接入安全信道上, 采用对称密码安全机制建立呼叫连接安全信道; 步骤 S110, 在呼叫连接安全信道上, 采用对称密码安全机制为呼入 终端和接收终端之间的实时媒体流通信进行加密算法和密钥协商,从而实 现媒体流的实时安全通信。 优选地, 在步驟 S102中 , 通过 Diffie-Hellman密钥分配方案协商生 成所述呼叫信令信道会话密钥。 在步骤 S102和步驟 S106中, 所述网守采用椭圆曲线公钥证书数字 签名体制对终端进行安全认证的步骤可以包括以下步骤: a. >据椭圆曲线公钥证书给出的公共椭圆曲线算法集, 定义一个系 统参数集 D= (p, a, b, G, n, h), 其中 p为一个大于 160bit的素整数, 指定有限或 GF (p); a, b指定曲线 E; G= (xG, yG) GE (GF (p))为 一个基点; 素数 n为基点 G的阶; h = #E (GF (p)) /n为协因子整数; #E ( GF ( p ) )表示椭圆曲线点群的阶; b. 对信令中序列随机数、 时戳、挑战数、 发送终端名、接收网守名、 全信令签名或部分信令消息签名标记进行设置,并放入一个明文消息令牌 中; c 基于不同安全策略决定是对整个信令进行数字签名还是只对信令 消息的一部分, 并放入明文消息令牌中; d. 选择安全哈希函数, 使用哈希函数对部分消息进行数字签名的信 令消息进行运算, 生成固定长度的消息摘要; e. 建立密钥对 ( d, Q), 其中 d是私钥, Q = dG是公钥; 向网守发 送哈希函数, 椭圆曲线参数 a, b和公钥 Q; f. 选择一个随机或伪随机数 k, l≤k<n- 1; g. 计算 kG= (xl5 yi ), r = X! modn, :¾口果 r = 0, 则返回步骤 f; 计 算 s = k'— 1 (e + dr) modn, 如果 s = 0, 则返回步骤 f; h. 呼入终端完成对信令消息的签名 (r, s), 并将该签名嵌入到信令 消息中并发送给网守; i. 网守取出公共椭圆曲线参数集 D = {p, a, b, G, n, h}与终端相 关公钥 Q的授权拷贝, 验证终端的签名 (r, s)是否超过椭圆曲线基点群 阶的范围, 如果是, 则表示为不合法的数字签名, 拒绝终端的接入; j. 
如果终端的签名 (r, s) 没有超过椭圆曲线基点群阶的范围, 网 守判断消息签名是对整个信令消息签名还是只是消息的部分签名,并随后 生成不同的消息 4离要 e;计算 w = s— 1 mod n, ui = ew mod n, u2 = rw mod n, 及 X = UiG + u2Q= (xl5 yi )的值; 当 !为。或不等于 r时, 说明签名无 效, 拒绝终端的接入; k. 当 Xl等于 r且不等于 0时, -验证签名本身计算的正确性, 网守完 成对终端的接入认证。 在步骤 c 中, 基于不同安全策略决定是对整个信令进行数字签名还 是只对部分消息进行数字签名的步骤可以包括:如果所述终端与所述网守 之间物理上为相邻连接, 则对整个信令进行数字签名; 如果所述终端与所 述网守之间存在防火墙, 则只对部分消息进行数字签名。 可选地, 数字签名的数字证书内部格式由 CCITT ( International Telegraph and Telephone Consultative Committee , 国际电才艮电话咨询委员 会) X.509规定, 其内容可以包括: 证书的版本号、 数字证书的序列号、 证书拥有者的姓名、 签名算法、 颁发数字证书的单位、 颁发数字证书的单 位的签名、 以及公开密钥的有效期等。 网守可以通过验证呼入终端时间戳的生存期和随机序列值的唯一性 来抵御拒绝服务攻击。 网守可以通过对接收终端身扮与自己标识符比较来俭证所述接收终 端是否为合法用户。 The Field Sieve method is used to decipher and attack the RSA algorithm. Its difficulty in deciphering or solving is sub- exponential. The mathematical theory of the ECC algorithm is very esoteric and complex, and it is difficult to implement in engineering applications, but its unit security strength is relatively high. Using the Pollard rho method, the most effective attack method for the ECC algorithm, to decipher and attack the ECC algorithm, its deciphering or solving difficulty is basically exponential. It is precisely because of the obvious difference between the RSA algorithm and the ECC algorithm that the unit security strength of the ECC algorithm is higher than that of the RSA algorithm, that is, to achieve the same security strength, the key length required by the ECC algorithm is much lower than the RSA algorithm. This effectively solves the problem that the engineering implementation difficulty caused by the increase of the key length in order to improve the security strength. A feasible method for the defects of the existing network security mechanism of Ke Yueliang is based on the public key cryptosystem. Therefore, a method for secure access to the multimedia terminal based on elliptic curve public key cryptography is needed. 
SUMMARY OF THE INVENTION A primary object of the present invention is to provide a terminal access method based on the H.323 protocol applied to a packet network, including authentication, integrity, non-repudiation, and anti-replay attacks of the terminal. Its characteristics are based on the assumption of the discrete logarithm problem on the elliptic curve. By means of the hash function, the elliptic curve public key certificate, the elliptic curve digital signature method is used to realize the secure access of the terminal and the secure transmission of the shared secret or session key. In order to achieve the above object, the present invention provides a terminal access method based on the H.323 protocol applied to a packet network. The terminal access method includes the following steps: Step S102: The gatekeeper uses the elliptic curve public key certificate digital signature system to perform security authentication on the incoming terminal, and adds the call signaling channel session key generated by the negotiation with the incoming terminal to the elliptic curve. The public key certificate is digitally signed and sent to the incoming terminal to establish a first network access security channel. Step S104: The incoming terminal uses the pre-shared secret mechanism to perform security authentication by using a call signaling channel session key. 
and thereby establishing a second network access security channel with the receiving terminal;
Step S106, the gatekeeper uses the elliptic curve public key certificate digital signature system to perform security authentication on the receiving terminal, adds the call signaling channel session key shared with the receiving terminal to the signaling carrying the elliptic curve public key certificate digital signature, and transmits it to the receiving terminal, thereby establishing a third network access security channel;
Step S108, the incoming terminal and the gatekeeper, based on the call signaling channel session key, use a symmetric cryptographic security mechanism on the second network access security channel to establish a call connection security channel;
Step S110, on the call connection security channel, a symmetric cryptographic security mechanism is used to negotiate the encryption algorithm and key for real-time media stream communication between the incoming terminal and the receiving terminal, thereby realizing real-time secure communication of the media stream.
Preferably, in step S102, the call signaling channel session key is negotiated by a Diffie-Hellman key distribution scheme.
In steps S102 and S106, the step in which the gatekeeper performs security authentication on the terminal using the elliptic curve public key certificate digital signature system may include the following steps:
a. According to the public elliptic curve algorithm set given by the elliptic curve public key certificate, define a system parameter set D = (p, a, b, G, n, h), where p is a prime integer of more than 160 bits that specifies the finite field GF(p); a and b specify the curve E; G = (xG, yG) ∈ E(GF(p)) is a base point; the prime n is the order of the base point G; h = #E(GF(p))/n is the cofactor, an integer; and #E(GF(p)) denotes the order of the elliptic curve point group.
b. Set the sequence random number, timestamp, challenge number, sending terminal name, receiving gatekeeper name, and the full-signaling or partial-signaling-message signature flag in the signaling, and put them in a plaintext message token.
c. Decide, according to the security policy in force, whether to digitally sign the entire signaling or only part of the signaling message, and record this in the plaintext message token.
d. Select a secure hash function and apply it to the part of the signaling message that is to be digitally signed, generating a fixed-length message digest.
e. Establish a key pair (d, Q), where d is the private key and Q = dG is the public key; send the hash function, the elliptic curve parameters a and b, and the public key Q to the gatekeeper.
f. Select a random or pseudo-random number k, 1 ≤ k < n - 1.
g. Compute kG = (x1, y1) and r = x1 mod n; if r = 0, return to step f. Compute s = k^(-1)(e + dr) mod n; if s = 0, return to step f.
h. The incoming terminal completes the signature (r, s) of the signaling message, embeds the signature in the signaling message and sends it to the gatekeeper.
i. The gatekeeper takes out the public elliptic curve parameter set D = {p, a, b, G, n, h} and the authorized copy of the terminal's public key Q, and verifies whether the terminal's signature (r, s) lies outside the range of the order of the elliptic curve base point group; if it does, the digital signature is illegal and the terminal's access is rejected.
j. If the terminal's signature (r, s) does not exceed the range of the order of the elliptic curve base point group, the gatekeeper determines whether the message signature covers the entire signaling message or only part of it and generates the corresponding message digest e accordingly; it then computes w = s^(-1) mod n, u1 = ew mod n, u2 = rw mod n, and X = u1·G + u2·Q = (x1, y1). If x1 is 0 or x1 is not equal to r, the signature is invalid and the terminal's access is rejected.
k. When x1 equals r and is not 0, the correctness of the signature computation itself has been verified, and the gatekeeper completes the access authentication of the terminal.
In step c, the step of deciding according to the security policy whether to digitally sign the entire signaling or only part of it may include: if the terminal and the gatekeeper are physically adjacent, the entire signaling is digitally signed; if there is a firewall between the terminal and the gatekeeper, only part of the message is digitally signed.
Optionally, the internal format of the digital certificate used for the digital signature is specified by CCITT (International Telegraph and Telephone Consultative Committee) X.509, and its content may include: the version number of the certificate, the serial number of the digital certificate, the name of the certificate owner, the signature algorithm, the unit that issued the digital certificate, the signature of that issuing unit, and the validity period of the public key.
The gatekeeper can defend against denial-of-service attacks by verifying the lifetime of the incoming terminal's timestamp and the uniqueness of the random sequence value. The gatekeeper can verify whether the receiving terminal is a legitimate user by comparing the identity of the receiving terminal with its own identifier.
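The plaintext message token of steps b and c, and the gatekeeper's timestamp-lifetime and sequence-uniqueness checks just described, as an added Python example that is not code from the patent or from ZTE. Field names follow the H.235 ClearToken (sendersID, generalID, timeStamp, random, challenge, tokenOID); the flag values "A" and "B" are the ones this page's embodiment uses for full-message and partial-message signatures; the 30-second lifetime, the clock-skew allowance, the JSON serialization and the replay cache are assumptions made here.

```python
import hashlib
import json
import secrets
import time

# Plaintext message token with H.235 ClearToken field names. The flag values
# "A" (whole message signed) and "B" (only the token signed) follow the page.
FULL_MESSAGE_SIGNATURE = "A"
PARTIAL_MESSAGE_SIGNATURE = "B"

TIMESTAMP_LIFETIME = 30   # seconds; assumed value for the token lifetime
CLOCK_SKEW = 5            # seconds; assumed allowance for clock drift


def build_clear_token(sender_id, gatekeeper_id, firewall_between, now=None):
    """Steps b/c: the terminal fills the token and records the signing policy."""
    return {
        "sendersID": sender_id,
        "generalID": gatekeeper_id,              # receiving gatekeeper name
        "timeStamp": int(time.time()) if now is None else now,
        "random": secrets.randbits(32),          # sequence random number
        "challenge": secrets.token_hex(16),
        # policy of step c: sign everything when directly adjacent, only the
        # token when a firewall/NAT may rewrite the rest of the message
        "tokenOID": PARTIAL_MESSAGE_SIGNATURE if firewall_between else FULL_MESSAGE_SIGNATURE,
    }


def canonical_bytes(obj):
    """Deterministic serialization so signer and verifier hash identical bytes
    (the patent leaves the encoding open; JSON with sorted keys is assumed)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def bytes_to_sign(message):
    """Return the bytes the hash function of step d is applied to."""
    token = message["clearToken"]
    if token["tokenOID"] == FULL_MESSAGE_SIGNATURE:
        return canonical_bytes(message)            # entire GRQ/RRQ
    return canonical_bytes(token)                  # only the token


def message_digest(message):
    """Step d: fixed-length digest of the signed portion (SHA-256 assumed)."""
    return hashlib.sha256(bytes_to_sign(message)).digest()


class GatekeeperFreshnessCheck:
    """Gatekeeper-side checks that precede signature verification: timestamp
    lifetime, uniqueness of the random sequence value, and the gatekeeper
    identifier named in the token."""

    def __init__(self, own_id, lifetime=TIMESTAMP_LIFETIME, skew=CLOCK_SKEW):
        self.own_id = own_id
        self.lifetime = lifetime
        self.skew = skew
        self.seen = {}   # (sendersID, random) -> timeStamp: the replay cache

    def check(self, token, now):
        # drop cache entries whose timestamp could no longer be accepted, so
        # the cache stays bounded by the lifetime window
        self.seen = {k: ts for k, ts in self.seen.items() if now - ts <= self.lifetime}
        if token.get("generalID") != self.own_id:
            return "wrong-gatekeeper"
        age = now - token["timeStamp"]
        if age > self.lifetime or age < -self.skew:
            return "stale-timestamp"
        key = (token["sendersID"], token["random"])
        if key in self.seen:
            return "replayed"
        self.seen[key] = token["timeStamp"]
        return "ok"
```

The freshness check runs before the (comparatively expensive) signature verification, so stale or replayed tokens are discarded cheaply. With tokenOID "B" only the token is hashed, so a NAT rewriting the RAS address of the message does not invalidate the signature, which is the situation the page gives as the reason for partial signing.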
The gatekeeper can also verify whether the identifier of the incoming terminal is consistent with the identity identifier in its certificate and whether it has the corresponding access rights.
In step S102, the step of negotiating and generating the call signaling channel session key by the Diffie-Hellman key distribution scheme may include the following steps:
a. The incoming terminal establishes in the signaling a data unit dhKey{halfkey (g^x), modsize (prime modulus p), generator (generator g of the multiplicative group)}; the incoming terminal generates a random number x, performs the corresponding computation and sends the result to the gatekeeper.
b. After receiving the signaling message, the gatekeeper randomly generates a secret number y and computes (g^x)^y = g^xy as the session key shared with the incoming terminal; in the returned signaling it fills in the fields of the data unit as {halfkey (g^y), modsize (p), generator (g)}.
c. After receiving the signaling, the incoming terminal performs the same computation as the gatekeeper, (g^y)^x = g^yx = g^xy, completing the sharing of the session key with the gatekeeper.
Preferably, in step S110, on the call connection security channel, the call signaling channel session key is used with a pre-shared secret mechanism to perform security authentication of the H.245 control channel, establishing a connection control security channel; on the connection control security channel, the security capability exchange procedure of the H.245 protocol is used to negotiate the encryption algorithm and encryption key supported by the incoming terminal and the receiving terminal for media stream communication, and the call signaling channel session key is used to protect their transmission.
The secure access of the terminal by the gatekeeper may include confidentiality, identity authentication, integrity authentication and non-repudiation authentication.
Through the above technical solution, the present invention achieves secure access of a terminal when no pre-shared secret has been established between the terminal and the network, establishment of secure channels, and secure transmission of media streams between terminals, with high security strength per bit, fast processing and low overhead, and is suitable for realizing secure network access for H.323 multimedia terminals with low memory and low processing capability.
BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings are provided for a further understanding of the present invention and form part of this application; the exemplary embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
FIG. 1 is a flowchart of the terminal access method according to the present invention;
FIG. 2 is a call mode scenario diagram according to an embodiment of the present invention;
FIG. 3 is a flowchart of the elliptic curve digital signature process at terminal access according to an embodiment of the present invention;
FIG. 4 is a flowchart of the process by which the gatekeeper verifies the terminal's elliptic curve digital signature according to an embodiment of the present invention; and
FIG. 5 is a flowchart of the terminal secure access protocol in the gatekeeper-routed direct call mode according to an embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
The present invention will be described in detail below with reference to the accompanying drawings.
Since a symmetric key system encrypts much faster than a public key cryptosystem, a hybrid encryption method can be used that combines the advantages of both: the public key encryption system securely transmits the session key, and the session key is then used to encrypt and decrypt the information. Applied to the H.323 multimedia terminal communication system, this means that public key cryptography is used to transfer RAS messages securely between the terminal or MCU and the gatekeeper, thereby achieving secure access of the terminal while at the same time negotiating a secure session key; based on this shared session key, a symmetric cryptographic mechanism establishes a secure call connection channel (H.225.0) that satisfies the various call routing modes; on this secure channel, the security negotiation capability of the call control (H.245) protocol is then used to negotiate the encryption algorithm and key for real-time media stream communication between multimedia terminals, finally securing the real-time communication of the media stream.
The H.323 protocol-based terminal access method applied to a packet network provided by the present invention includes the following steps:
(1) In the network call admission communication phase, the gatekeeper uses the elliptic curve public key certificate digital signature system to perform security authentication on the incoming terminal, and establishes a data unit in the signaling carrying the elliptic curve public key certificate digital signature for negotiating and generating a shared session key with the calling terminal by the Diffie-Hellman key distribution scheme, thereby establishing a network access security channel;
(2) The gatekeeper uses the elliptic curve public key certificate digital signature system to perform security authentication on the receiving terminal, and establishes a data unit in the signaling carrying the elliptic curve public key certificate digital signature for transmitting to the receiving terminal the session key, produced by the Diffie-Hellman key distribution scheme, that is shared with the receiving terminal, thereby establishing a network access security channel;
(3) In the network call control communication phase, the incoming terminal and the gatekeeper, based on the shared session key generated in step (1), use a symmetric cryptographic mechanism on the established network access security channel to establish a call connection security channel that satisfies the various call routing modes;
(4) In the network connection control communication phase, on the call connection security channel, a symmetric cryptographic mechanism is used to negotiate the encryption algorithm and key for real-time media stream communication between the multimedia terminals, realizing real-time secure communication of the media streams between them.
In the method, the step of achieving security authentication between the terminal and the gatekeeper using the elliptic curve public key certificate digital signature system may be:
a. According to the public elliptic curve algorithm set given by the elliptic curve public key certificate, define a system parameter set D = (p, a, b, G, n, h), where p is a prime integer of more than 160 bits that specifies the finite field GF(p); a and b specify the curve E; G = (xG, yG) ∈ E(GF(p)) is a base point; the prime n is the order of the base point G; h = #E(GF(p))/n is the cofactor, an integer; and #E(GF(p)) denotes the order of the elliptic curve point group;
b. Set the sequence random number, timestamp, challenge number, sending terminal name, receiving gatekeeper name, and the full-signaling or partial-signaling-message signature flag in the signaling, and put them in a plaintext message token;
c. Decide, according to the security policy in force, whether to digitally sign the entire signaling or only part of the signaling message, and record this in the plaintext message token;
d. Select a secure hash function and apply it to the part of the signaling message that is to be digitally signed, generating a fixed-length message digest;
e. Establish a key pair (d, Q), where d is the private key and Q = dG is the public key; send the hash function, the elliptic curve parameters a and b, and the public key Q to the gatekeeper;
f. Select a random or pseudo-random number k, 1 ≤ k ≤ n - 1;
g. Compute kG = (x1, y1) and r = x1 mod n; if r = 0, return to step f. Compute s = k^(-1)(e + dr) mod n; if s = 0, return to step f;
h. The incoming terminal completes the signature (r, s) of the signaling message, embeds the signature in the signaling message and sends it to the gatekeeper;
i. The gatekeeper takes out the public elliptic curve parameter set D = {p, a, b, G, n, h} and the authorized copy of the terminal's public key Q, and verifies whether the terminal's signature (r, s) lies outside the range of the order of the elliptic curve base point group; if it does, the digital signature is illegal and the terminal's access is rejected;
j. If the terminal's signature (r, s) does not exceed the range of the order of the elliptic curve base point group, the gatekeeper determines whether the message signature covers the entire signaling message or only part of it and generates the corresponding message digest e accordingly; it then computes w = s^(-1) mod n, u1 = ew mod n, u2 = rw mod n, and X = u1·G + u2·Q = (x1, y1). If x1 is 0 or x1 is not equal to r, the signature is invalid and the terminal's access is rejected;
k. When x1 equals r and is not 0, the correctness of the signature computation itself has been verified, and the gatekeeper completes the access authentication of the terminal.
In step c of the above method, the step of deciding according to the security policy whether to digitally sign the entire signaling or only part of the message may be: if the terminal and the gatekeeper are physically adjacent, the entire signaling is digitally signed; if there is a firewall between the terminal and the gatekeeper, only part of the message is digitally signed.
In step (1) of the method, the internal format of the digital certificate used for the digital signature is specified by CCITT X.509 and may include the following: the version number of the certificate, the serial number of the digital certificate, the name of the certificate owner, the signature algorithm, the unit that issued the digital certificate, the signature of that issuing unit, and the validity period of the public key.
In the method, the gatekeeper can defend against denial-of-service attacks by verifying the lifetime of the incoming terminal's timestamp and the uniqueness of the random sequence value.
In the method, the gatekeeper can verify whether the receiving terminal is a legitimate user by comparing the identity of the receiving terminal with its own identifier.
In the method, the gatekeeper can verify whether the identifier of the incoming terminal is consistent with the identity identifier in its certificate and whether it has the corresponding access rights.
In the method, the step in which the incoming terminal negotiates and generates a shared session key with the gatekeeper by the Diffie-Hellman key distribution scheme may be:
a. The incoming terminal establishes in the signaling a data unit dhKey{halfkey (g^x), modsize (prime modulus p), generator (generator g of the multiplicative group)}; the terminal generates a random number x, performs the corresponding computation and sends the result to the gatekeeper;
b. After receiving the signaling message, the gatekeeper randomly generates a secret number y and computes (g^x)^y = g^xy as the session key shared with the terminal; in the returned signaling it fills in the fields of the data unit as {halfkey (g^y), modsize (p), generator (g)};
c. After receiving the signaling, the terminal performs the same computation as the gatekeeper, (g^y)^x = g^yx = g^xy, completing the sharing of the session key with the gatekeeper.
In the method, in the network connection control communication phase, on the call connection security channel, the call signaling channel session key can be used with a pre-shared secret mechanism to perform security authentication of the H.245 control channel and establish a connection control security channel; on the connection control security channel, the security capability exchange procedure of the H.245 protocol is used to negotiate the encryption algorithm and encryption key supported by the two communicating multimedia terminals for media stream communication, and the call signaling channel session key is used to protect their transmission.
In the method, the secure access of the terminal by the gatekeeper may include confidentiality, identity authentication, integrity authentication and non-repudiation authentication.
The object of the present invention is to provide a method, based on an elliptic curve public key certificate digital signature method, for the secure network access of terminals with multimedia processing capability in an H.323 network.
The invented method starts from the elliptic curve discrete logarithm, supplemented by a collision-resistant hash function, and uses the elliptic curve public key certificate digital signature method to achieve identity confirmation and integrity checking during terminal access and, if required, security properties such as non-repudiation as well. While the user's identity is being determined, the interaction of H.225 RAS signaling is combined with the Diffie-Hellman key agreement scheme to generate a shared secret or session key between the terminal and the gatekeeper acting as network access node, which establishes a secure communication channel for the subsequent call connection and media stream communication.
The security of the method adopted by the present invention rests on the elliptic curve discrete logarithm problem: given an elliptic curve E defined over the finite field GF(p), a point P ∈ E of order n and a point Q = kP, where 0 ≤ k ≤ n - 1, determine k. The elliptic curve discrete logarithm problem has provable security and, compared with the currently popular RSA public key cryptosystem, offers higher speed, higher security and lower demands on the processing capability of the terminal.
Realizing secure network access for multimedia terminals in the H.323 system, as the present invention does, means applying authentication, privacy (confidentiality), integrity and non-repudiation protection to the three communication phases of network access (H.225.0 RAS), call control (H.225.0 call signaling protocol) and connection control (H.245). First, during network access, the elliptic curve public key certificate digital signature process provides security authentication while a shared session key is negotiated by the Diffie-Hellman key distribution scheme, establishing a secure channel; on this secure channel, the corresponding secure channels for the two later communication phases are then established with conventional symmetric cryptography, securing and keeping confidential the communication between multimedia terminals.
Before a terminal accesses the network it has no pre-shared secret with the network, so secure terminal access involves two problems: first, secure confirmation of the user's identity; second, key exchange, that is, the exchange of a shared secret or session key between the terminal and the gatekeeper through signaling interaction. Both problems are solved by introducing a digital certificate that represents the user's identity. The digital certificate effectively proves the identity of the terminal, and at the same time the key exchange method can be carried out. The internal format of the digital certificate may be specified by CCITT X.509; it must contain the following information: the version number of the certificate; the serial number of the digital certificate; the name of the certificate owner; the signature algorithm; the unit that issued the digital certificate; the signature of the issuing unit; the validity period of the public key, and so on. This information is called the certificate data (Certification).
Referring to FIG. 1, the H.323 protocol-based terminal access method applied to a packet network according to the present invention includes the following steps:
Step S102, the gatekeeper uses the elliptic curve public key certificate digital signature system to perform security authentication on the incoming terminal, adds the call signaling channel session key negotiated with the incoming terminal to the signaling carrying the elliptic curve public key certificate digital signature, and sends it to the incoming terminal, thereby establishing a first network access security channel;
Step S104, the incoming terminal uses the call signaling channel session key with a pre-shared secret mechanism to perform security authentication, thereby establishing a second network access security channel with the receiving terminal;
Step S106, the gatekeeper uses the elliptic curve public key certificate digital signature system to perform security authentication on the receiving terminal, adds the call signaling channel session key shared with the receiving terminal to the signaling carrying the elliptic curve public key certificate digital signature, and sends it to the receiving terminal, thereby establishing a third network access security channel;
Step S108, the incoming terminal and the gatekeeper, based on the call signaling channel session key, use a symmetric cryptographic security mechanism on the second network access security channel to establish a call connection security channel;
Step S110, on the call connection security channel, a symmetric cryptographic security mechanism is used to negotiate the encryption algorithm and key for real-time media stream communication between the incoming terminal and the receiving terminal, thereby realizing real-time secure communication of the media stream.
FIG. 2 is the call mode scenario diagram of the method of the embodiment of the present invention; it illustrates how the method of the embodiment achieves the terminal network secure access process on the basis of the elliptic curve public key certificate digital signature method, including security features such as authentication, integrity and non-repudiation of the signaling.
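Steps S102 and S104 above rely on the call signaling channel session key that the terminal and the gatekeeper negotiate through the dhKey data unit (halfkey, modsize, generator) carried in RAS signaling, and on the pre-shared secret mechanism that protects the signaling that follows. Both sides of that exchange, as an added Python example that is not code from the patent or from ZTE: the 127-bit toy group, the SHA-256 key derivation, the HMAC-SHA256 protection of later signaling and the degenerate half-key check are assumptions made here, not part of the page.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only: the Mersenne
# prime 2^127 - 1 as the prime modulus p and 3 as the generator g. A deployment
# would use a standardised group of at least 2048 bits; the patent only says
# "prime modulus p" and "generator g of the multiplicative group".
P = 2**127 - 1
G = 3


def terminal_half_key(p=P, g=G):
    """Step a: the incoming terminal picks x and fills the dhKey data unit."""
    x = secrets.randbelow(p - 3) + 2                  # 2 <= x <= p-2
    dh_key = {"halfkey": pow(g, x, p), "modsize": p, "generator": g}
    return x, dh_key


def _check_half_key(half, p):
    # Added check, not stated in the patent: a half key of 0, 1 or p-1 would
    # force the shared secret into {0, 1, p-1} whatever the peer's secret is.
    if not 1 < half < p - 1:
        raise ValueError("degenerate Diffie-Hellman half key")


def gatekeeper_reply(dh_key):
    """Step b: the gatekeeper picks y, derives (g^x)^y and returns its half key."""
    p, g = dh_key["modsize"], dh_key["generator"]
    _check_half_key(dh_key["halfkey"], p)
    y = secrets.randbelow(p - 3) + 2
    shared = pow(dh_key["halfkey"], y, p)             # g^(xy) mod p
    reply = {"halfkey": pow(g, y, p), "modsize": p, "generator": g}
    return shared, reply


def terminal_finish(x, reply):
    """Step c: the terminal computes (g^y)^x, the value the gatekeeper holds."""
    p = reply["modsize"]
    _check_half_key(reply["halfkey"], p)
    return pow(reply["halfkey"], x, p)


def session_key(shared, p=P):
    """Reduce the shared integer to a fixed-length key (SHA-256 assumed;
    the patent does not specify a derivation)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def protect(key, signaling: bytes) -> bytes:
    """Pre-shared-secret protection of later signaling (ARQ/ACF, H.245):
    HMAC-SHA256 over the message is assumed as the symmetric mechanism."""
    return hmac.new(key, signaling, hashlib.sha256).digest()


def verify_protected(key, signaling: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(protect(key, signaling), tag)


def run_exchange():
    """Full RAS exchange; returns (terminal_key, gatekeeper_key)."""
    x, dh_key = terminal_half_key()                   # carried in GRQ/RRQ
    gk_shared, reply = gatekeeper_reply(dh_key)       # carried back in GCF/RCF
    t_shared = terminal_finish(x, reply)
    return session_key(t_shared), session_key(gk_shared)
```

The gatekeeper only computes its half key after the terminal's signature has been verified (step b runs after the access authentication of steps a to k), so the half-key check above is a cheap sanity test rather than a substitute for that authentication.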
The method of the embodiment of the present invention assumes that each node of the network already holds in advance the public key certificates or elliptic curve public key certificates of both communicating parties that are needed to complete secure access and key agreement; the specific steps are as follows:
(Step 101) Terminal A or C carries out the digital signature process using the GRQ or RRQ signaling: according to the public elliptic curve algorithm set given by the elliptic curve certificate, the relevant user authentication information in the GRQ or RRQ is set; after completing the signature of the signaling message, terminal A or C embeds the signature in the GRQ or RRQ message and sends it to gatekeeper B.
(Step 102) After receiving the GRQ or RRQ signaling message, gatekeeper B completes the security authentication process and, having verified the correctness of the signature computation itself, completes the access of terminal A or C.
(Step 103) After the terminal's secure network access is complete, terminal A sends ARQ or LRQ signaling to gatekeeper B, requesting negotiation of a call signaling channel session key.
(Step 104) Gatekeeper B replies to terminal A with ACF or LCF signaling; based on the session secret securely exchanged during the H.225.0 RAS signaling process of network access, it negotiates a call signaling channel session key with the Diffie-Hellman algorithm and sends it to terminal A.
(Step 105) Terminal A uses the call signaling channel session key with the pre-shared secret mechanism for security authentication of the H.245 control channel and establishes a secure channel with terminal C.
(Step 106) Terminal C sends ARQ or LRQ signaling to gatekeeper B, requesting transmission of the call signaling channel session key negotiated between gatekeeper B and terminal C.
(Step 107) Gatekeeper B replies to terminal C with ACF or LCF signaling and sends terminal C the call signaling channel session key it negotiated with terminal A.
(Step 108) Gatekeeper B and terminal C complete the negotiation, open the media logical channel established with the encryption algorithm, encryption key and other parameters negotiated between gatekeeper B and terminal C, and use the Real-time Transport Protocol/Real-time Transport Control Protocol (RTP/RTCP) to realize secure media communication over the packet network.
FIG. 3 is a flowchart of the elliptic curve digital signature process at terminal access according to an embodiment of the present invention; its steps are:
(Step 201) According to the public elliptic curve algorithm set given by the elliptic curve certificate, define a system parameter set D = (p, a, b, G, n, h), where p is a large prime integer (for example 160 bits long) that specifies the finite field GF(p); a and b specify the curve E; G = (xG, yG) ∈ E(GF(p)) is a base point; the prime n is the order of the base point G; h = #E(GF(p))/n is the cofactor, an integer; and #E(GF(p)) denotes the order of the elliptic curve point group.
(Step 202) Set the relevant user authentication information in the GRQ or RRQ and put it in a token ClearToken that is transmitted as a plaintext message, including the sequence random number, timestamp, challenge number, sending terminal name, receiving gatekeeper name, and the full-signaling or partial-signaling-message signature flag.
(Step 203) Decide according to the security policy whether the entire GRQ or RRQ signaling is digitally signed or only part of the message, and put the decision in a field of the token ClearToken; for example, a flag tokenOID is set to "A" for a full-message signature and "B" for a partial-message signature. The former suits the case where the terminal and the gatekeeper are physically adjacent; the latter addresses the case where a NAT/firewall between the terminal and the gatekeeper requires the GRQ or RRQ signaling to be modified in transit.
(Step 204) Compute the message digest and convert it into an integer e; establish a key pair (d, Q), where d is the private key and Q = dG is the public key; send the hash function, the elliptic curve parameters a and b, and the public key Q to the gatekeeper.
(Step 205) Use the hash function SHA on the variable-length signaling message to generate a fixed-length message digest e; establish a key pair (d, Q), where d is the private key and Q = dG is the public key; send the hash function, the elliptic curve parameters a and b, and the public key Q to the gatekeeper.
(Step 206) Select a random or pseudo-random number k, 1 < k < n - 1.
(Step 207) Compute kG = (x1, y1) and r = x1 mod n.
(Step 208) If r = 0, return to step 206 and repeat the computation on the message digest.
(Step 209) Compute s = k^(-1)(e + dr) mod n.
(Step 210) If s = 0, return to step 206 and repeat the computation on the message digest.
(Step 211) The terminal completes the signature (r, s) of the signaling message, embeds the signature in the GRQ or RRQ message and sends it to gatekeeper B.
FIG. 4 is a flowchart of the process by which the gatekeeper verifies the terminal's elliptic curve digital signature according to an embodiment of the present invention; its specific steps are:
(步骤 301 ) 网守 B猃证终端 A证书的合法性, 取出公共椭圆曲线 参数集 D = {p, a, b, G, n, h}与终端 A相关公钥 Q的授权拷贝。 (Step 301) The gatekeeper B authenticates the validity of the terminal A certificate, and takes out the public elliptic curve parameter set D = {p, a, b, G, n, h} and the authorized copy of the public key Q associated with the terminal A.
(步骤 302 ) 网守 B验证终端 A的签名 ( r, s )是否超过椭圆曲线基 点群阶的范围, 如果是, 则表示不合法的签名。 网守 B转到步骤 311 , 拒 绝终端 A的接入, 以 GRJ或 RRJ消息返回并说明相关拒绝接入安全方面 原因。 (Step 302) The gatekeeper B verifies whether the signature (r, s) of the terminal A exceeds the range of the elliptic curve base group level, and if so, indicates an illegal signature. The gatekeeper B goes to step 311 to reject the access of the terminal A, returns with the GRJ or RRJ message and explains the reason for the related denial of access security.
(步驟 303 )判断 tokenOID所指示的消息签名是对整个信令消息签 名还是只是消息的一部分签名。 (步驟 304 )生成整个信令消息签名的消息摘要 e。 (Step 303) It is judged whether the message signature indicated by the tokenOID is a signature on the entire signaling message or only a part of the message. (Step 304) Generate a message digest e of the entire signaling message signature.
(步骤 305 )生成部分信令消息签名的消息摘要 e。 (Step 305) Generating a message digest e of the partial signaling message signature.
(步骤 306 )分另' j计算 w = s - 1 mod n; = ew mod n; u2 = rw mod n; 及 X = u,G + u2Q = (xb 的值。 (Step 306) Calculate w = s - 1 mod n; = ew mod n; u 2 = rw mod n; and X = u, G + u 2 Q = (the value of x b ).
(步骤 307 ) 当 X的横坐标 Xl为 0时, 说明签名无效, 网守 B转到 步骤 31 1 , 拒绝终端 A的接入, 以 GRJ或 R J消息返回并说明相关拒绝 接入安全方面原因。 (Step 307) when the abscissa Xl X is 0, indicating invalid signature, gatekeeper 311 proceeds to step B, reject the access terminal A, or RJ GRJ message is returned to and the reasons for denying access related security.
(步骤 308 ) 当 X的横坐标 X!不等于 r时, 说明签名无效, 网守 B 转到步骤 31 1, 4巨绝终端 A的接人, 以 GRJ或 RRJ消息返回并说明相关 拒绝接入安全方面原因。 (Step 308) When the abscissa of X X! If it is not equal to r, the signature is invalid. Gatekeeper B goes to step 31 1, and the terminal A receives the GRJ or RRJ message and explains the related reasons for denying access security.
(Step 309) Once the signature computation itself has been verified as correct, the message signature has not been tampered with in transit, and gatekeeper B completes the access authentication of terminal A.

The method of this embodiment uses the Diffie-Hellman key agreement algorithm to establish a shared secret between terminal A and gatekeeper B. The process is as follows:

While securely accessing the network, terminal A and gatekeeper B can negotiate a shared secret. This is done by establishing a data structure dhKey {halfkey(g^x), modsize (prime modulus p), generator (generator g of the multiplicative group)} in the ITU-T H.225.0 RAS signaling GRQ/GCF/GRJ or RRQ/RCF/RRJ.

In the GRQ or RRQ signaling, terminal A generates a random number x, performs the corresponding computation, places the result in the dhKey structure of the message, and sends the message to gatekeeper B.

After receiving the GRQ/RRQ message and verifying terminal A as a legitimate access user through the preceding steps, gatekeeper B randomly generates a secret number y and computes (g^x)^y = g^xy as the secret shared with terminal A. In the returned GCF/RCF signaling it fills the dhKey fields as {halfkey(g^y), modsize(p), generator(g)}.

After receiving the GCF/RCF, terminal A performs the same computation as gatekeeper B, (g^y)^x = g^yx = g^xy, completing the negotiation and transmission of the secret shared with gatekeeper B.

The secure access process for the call signaling channel (H.225.0) and the media control channel (H.245 control protocol) in the method of this embodiment is as follows:

After terminal network secure access is complete, the ARQ/ACF or LRQ/LCF signaling exchange can provide security authentication/integrity with symmetric cryptography, based on the session secret securely exchanged during the network access H.225.0 RAS signaling process; the dhkey field in a separate ClearToken token can also be used to negotiate a call signaling channel session key with the Diffie-Hellman algorithm. This key is then used with the pre-shared secret mechanism for security authentication of the H.245 control channel, and a secure channel is established. On the secure H.245 channel, the security capability exchange procedure of the H.245 protocol is used to negotiate the parameters, such as the supported encryption algorithms and encryption keys, for the media stream communication (e.g. video or audio) between the two communicating multimedia terminals, and these are protected in transit with the preceding session key. Once negotiation is complete, the confidentiality of packet-based media communication can be realized in the media logical channels opened afterwards using the Real-time Transport Protocol/Real-time Transport Control Protocol (RTP/RTCP).

FIG. 5 is a flowchart of the terminal secure access protocol in the single-gatekeeper routed direct call mode according to an embodiment of the present invention. The scheme of this embodiment applies to the direct routing mode within the management scope of a single gatekeeper in an H.323 system. Assume that the calling/called terminals A and B are both registered on the same gatekeeper, and that communication takes place over an IP network without security guarantees.

The premise for implementing this technical scheme is that the gatekeeper authenticates and integrity-checks all RAS messages of the endpoints it manages, and the endpoints likewise authenticate and integrity-check the gatekeeper's RAS messages, so that mutual trust is achieved between an endpoint and its gatekeeper, fraudulent entities can be detected, the possibility of deception is minimized, and call signaling security is built on this basis.

Every RAS/H.225.0 signaling message carries a dedicated data structure describing the security mechanism used for communication between the different entities (gatekeeper, endpoint). For the public key certificate digital signature security mechanism, this data structure is named cryptoToken, and it can be used to describe terminal secure access to an H.323 system using digital signatures with elliptic curve public key certificates. Its fields can be set as follows:

tokenOID: set to "A" to indicate that the authentication/integrity/non-repudiation computation is applied to the entire H.225.0 RAS signaling message, usable where the entities are physically adjacent; "B" indicates that only a subset of the H.225.0 RAS message is authenticated and non-repudiation computed, for end-to-end situations where NAT/firewall traversal modifies the signaling message.

token: the sub-structure holding what is to be signed and the result, where:

toBeSigned: holds the entire signaling message to be signed, or only the ClearToken carrying the relevant authentication information.
AlgorithmOID: indicates to the receiving entity the signature algorithm used; e.g. set to "V" to denote the signature algorithm given in this invention.

signature: the signature {r, s}. Depending on the tokenOID value, it is a digital signature over the entire signaling message or only over toBeSigned.

The signed plaintext token ClearToken contains the following field set:

tokenOID: set to "S" to indicate that the ClearToken is being used as authentication/integrity/non-repudiation information; "R" indicates use for authentication/non-repudiation security in end-to-end situations across NAT/firewalls.

challenge: a challenge number, used for the three-way handshake authentication protocol.

random: a monotonically increasing sequence number, which guarantees uniqueness when the timestamp granularity is insufficient.

generalID: the receiving entity identifier;

sendersID: the sending entity identifier;

dhkey: used to negotiate a session key with the Diffie-Hellman algorithm for connection establishment and subsequent media stream encryption; its structure is {halfkey(g^x), modsize (prime modulus p), generator (generator g of the multiplicative group)}.

certificate: the sender's digital signature certificate, containing the ECC domain parameters D and the sending entity's public key Q. Its type field gives the certificate algorithm type; e.g. "V" denotes digital signature using elliptic curve cryptography combined with the SHA-1 algorithm.

When the sending terminal has set the data structure in a signaling message (such as GRQ or RRQ) as described above and completed the corresponding signature computation, it sends the message to gatekeeper B. On receiving the signaling message, the receiving entity immediately checks the signatures indicated by the tokenOIDs addressed to it and completes the security authentication process. The specific process can be based on the following criteria: compare the generalID with its own identifier to verify that the sender is a legitimate user; verify that sendersID is consistent with the certificate and has the corresponding access rights; check whether the message signature matches the signature it computes itself, to verify that the message has not been tampered with in transit; examine the received certificate to verify that the sending entity is a legitimately registered entity, and for non-repudiation in electronic commerce.

After verifying the legitimacy of the sending entity, the Diffie-Hellman key agreement algorithm indicated in dhkey can be used to complete the negotiation and exchange of the session key in the returned response message (GCF, RCF). The specific steps of this embodiment are:
(Step 401) Terminal A or C places the challenge number challengeA in the challenge field of the ClearToken; generalIDA denotes the identifier of terminal C. In the field identifiers that follow, the subscripts A, B and C denote terminal A, gatekeeper B and terminal C respectively, and the English word names denote the corresponding fields.
(Step 402) After receiving terminal A's gatekeeper discovery request signaling, gatekeeper B determines, according to terminal A's name and the local security policy, to use a digital signature for security authentication with terminal A and so guarantee terminal A's secure access. Here the combination of the sequence random number randomB and the challenge number challengeB must be unique, to prevent replay attacks on the signaling; DhB contains the value g^x. {}SignB denotes a digital signature over the values in {}, assumed here to be a partial signaling message signature. Certificate holds gatekeeper B's actual elliptic curve certificate.
(Step 403) After obtaining gatekeeper B's response message GCF, terminal A validates the elliptic curve certificate in it and checks whether the received challengeA equals the one it sent; if it does, and the other authentication rules show gatekeeper B to be a legitimate gatekeeper, terminal A makes the relevant settings for the RRQ message: it regenerates the sequence random number randomA (for example by incrementing the received randomB) and the challenge number challengeA (a different value from the one in the GRQ), ensuring that the combination of the two is unique. DhA contains the value g^y. Certificate holds terminal A's actual elliptic curve certificate.
(Step 404) After receiving terminal A's registration request (RRQ) signaling, gatekeeper B determines according to the local security policy to use a symmetric cryptographic authentication algorithm, such as one of the protocol algorithms specified by ITU-T H.235 based on symmetric-key encryption or on shared secret + hash. The shared secret is generated from g^xy, derived through the Diffie-Hellman protocol in the preceding signaling exchange. To let terminal A verify the negotiated shared secret, gatekeeper B performs the following verification computation in a separate token according to the chosen symmetric algorithm: ClearToken [...sendersIDB, ({generalIDA XOR randomA XOR ...}EDH-secret)...], where EDH-secret denotes the shared secret derived through the Diffie-Hellman protocol.
(Step 405) After terminal network secure access is complete, terminal A sends ARQ signaling to gatekeeper B; based on the session key securely exchanged during network access, symmetric cryptography provides security authentication/integrity, and the dhkey field in a separate ClearToken token can also be used to negotiate, with the Diffie-Hellman algorithm, a call signaling channel session key for the communication between the multimedia terminals.
(Step 406) Gatekeeper B returns ACF signaling to terminal A carrying the negotiated call signaling channel session key.
(Step 407) Using this call signaling channel session key, terminal A performs security authentication of the call signaling channel and the H.245 control channel with the pre-shared secret mechanism and establishes a secure channel.
(Step 408) Gatekeeper B responds to the terminal with the response information completing the establishment of the H.245 secure channel.
(Step 409) On the secure H.245 channel, terminal C sends ARQ signaling to gatekeeper B, requesting that the security capability exchange procedure of the H.245 protocol be used to negotiate the parameters, such as the supported encryption algorithms and encryption keys, for the media stream communication (e.g. video or audio) between the two multimedia terminals.
(Step 410) Gatekeeper B returns the negotiated parameters, such as the encryption algorithm and encryption key, for the multimedia terminal communication to terminal C via ACF signaling.
(Step 411) Gatekeeper B sends the parameters negotiated with terminal C, such as the encryption algorithm and encryption key, for the multimedia terminal communication to terminal A, and the establishment of the media logical channel is complete.
(Step 412) Terminal C carries out packet-based secure media communication in the media logical channel using the Real-time Transport Protocol/Real-time Transport Control Protocol (RTP/RTCP).

The elliptic curve cryptosystem used in the method of the present invention has the highest security strength per bit, the fastest processing speed and the lowest overhead among known public key cryptosystems, and is particularly suitable for H.323 multimedia terminals with low memory and low processing capability to achieve secure network access.

With the deployment and application of large-scale H.323 multimedia communication systems, such as global VoIP networks or nationwide public video conferencing/videophone systems, the secure access method proposed by the present invention can be adopted by individual operators and can also be used for interconnection between different operators.

The above is only a preferred embodiment of the present invention and is not intended to limit it; for those skilled in the art, the present invention may have various modifications and variations. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.
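The terminal's signing steps 205-211, the gatekeeper's verification steps 301-309 and the cryptoToken tokenOID choice between signing the whole RAS message ("A") or only the ClearToken ("B"), as an added Python example that is not code from the patent; it assumes the NIST P-256 parameters as the public set D, SHA-1 as the hash the text names, and a constructed RRQ byte string.

```python
import hashlib
import secrets

# Public parameter set D = {p, a, b, G, n, h}: NIST P-256 (h = 1), chosen for this
# example; p is 256 bits, above the 160-bit minimum the claims require.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
INF = None  # the point at infinity


def on_curve(pt):
    """Public-key validation: the authorized copy of Q must lie on E(GF(p))."""
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine addition and doubling on y^2 = x^3 + ax + b over GF(p)."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Scalar multiplication by double-and-add (not constant-time; for illustration)."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def digest(data):
    """Steps 205 and 304/305: fixed-length digest e; SHA-1 is the hash the text names."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def keygen():
    """Key pair (d, Q) with Q = dG."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)


def to_be_signed(token_oid, message, clear_token):
    """cryptoToken.tokenOID 'A': sign the whole RAS message; 'B': only the ClearToken."""
    return {"A": message, "B": clear_token}[token_oid]


def sign(d, data):
    """Steps 205-211: the terminal's signature (r, s), restarting on r = 0 or s = 0."""
    e = digest(data)
    while True:
        k = secrets.randbelow(N - 3) + 2           # step 206: 1 < k < n - 1
        x1, _ = mul(k, G)                           # step 207: kG = (x1, y1)
        r = x1 % N
        if r == 0:                                  # step 208
            continue
        s = pow(k, -1, N) * (e + d * r) % N         # step 209
        if s == 0:                                  # step 210
            continue
        return r, s


def verify(Q, data, sig):
    """Steps 301-309 as the gatekeeper runs them; True only for a valid signature."""
    if not on_curve(Q) or mul(N, Q) is not INF:     # step 301: Q must be a valid key
        return False
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):             # step 302: inside the group order
        return False
    e = digest(data)                                # steps 303-305
    w = pow(s, -1, N)                               # step 306
    u1, u2 = e * w % N, r * w % N
    X = add(mul(u1, G), mul(u2, Q))
    if X is INF or X[0] % N == 0:                   # step 307: x1 of X must not be 0
        return False
    return X[0] % N == r                            # steps 308-309


def demo(token_oid):
    """Constructed RRQ from terminal A to gatekeeper B; returns (valid, tampered, bad_s)."""
    d, Q = keygen()
    clear_token = b"tokenOID=S;generalID=gatekeeperB;sendersID=terminalA;random=1"
    rrq = b"RRQ;" + clear_token + b";callSignalAddress=192.0.2.10:1720"
    data = to_be_signed(token_oid, rrq, clear_token)
    sig = sign(d, data)
    return (verify(Q, data, sig),
            verify(Q, data + b"x", sig),            # modified in transit: rejected
            verify(Q, data, (sig[0], N)))           # s outside the order: step 302
```

With tokenOID "B" only the ClearToken bytes are covered, so a NAT or firewall rewriting other fields of the RRQ does not invalidate the signature, which is exactly the trade-off the text describes.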
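The Diffie-Hellman negotiation carried in the dhKey structure, the (random, challenge) uniqueness check of step 402 and the EDH-secret confirmation token of step 404, as an added Python example that is not the patent's code; it assumes the Mersenne prime 2^521 - 1 with generator 3 as the multiplicative group, a SHA-256 hash of g^xy as the EDH-secret key, and an HMAC as the stand-in for the XOR construction the text leaves elided.

```python
import hashlib
import hmac
import secrets

# Demonstration modulus and generator, an assumption of this example: the Mersenne
# prime 2^521 - 1 with g = 3.  A deployment would use a standardized MODP group of
# 2048 bits or more; the message flow below is unchanged.
P_MOD = 2 ** 521 - 1
GEN = 3
KEY_BYTES = (P_MOD.bit_length() + 7) // 8


def make_dhkey(exponent):
    """dhKey {halfkey(g^x), modsize(p), generator(g)} as carried in RRQ/RCF."""
    return {"halfkey": pow(GEN, exponent, P_MOD), "modsize": P_MOD, "generator": GEN}


def shared_secret(dhkey, own_exponent):
    """(g^x)^y = g^xy, refusing parameters that would force a trivial secret."""
    hk, p, g = dhkey["halfkey"], dhkey["modsize"], dhkey["generator"]
    if p != P_MOD or g != GEN or not 1 < hk < p - 1:
        raise ValueError("rejected dhKey parameters")
    return pow(hk, own_exponent, p)


def edh_key(gxy):
    """EDH-secret as a symmetric key: hashing g^xy is this example's derivation."""
    return hashlib.sha256(gxy.to_bytes(KEY_BYTES, "big")).digest()


def confirm_token(key, general_id, random, challenge):
    """Stand-in for ({generalID XOR random XOR ...}EDH-secret) in step 404: an HMAC
    under the shared secret over the peer identifier and the freshness values."""
    msg = general_id.encode() + random.to_bytes(8, "big") + challenge
    return hmac.new(key, msg, hashlib.sha256).digest()


class Gatekeeper:
    """Gatekeeper B: enforces (random, challenge) uniqueness, answers with its half-key."""

    def __init__(self, name):
        self.name = name
        self.seen = set()
        self.keys = {}

    def handle_rrq(self, rrq):
        fresh = (rrq["sendersID"], rrq["random"], rrq["challenge"])
        if fresh in self.seen:                 # replayed signaling: answer RRJ
            return {"type": "RRJ", "reason": "replay"}
        self.seen.add(fresh)
        y = secrets.randbelow(P_MOD - 2) + 1
        key = edh_key(shared_secret(rrq["dhKey"], y))
        self.keys[rrq["sendersID"]] = key
        return {"type": "RCF", "sendersID": self.name, "generalID": rrq["sendersID"],
                "dhKey": make_dhkey(y),
                "confirm": confirm_token(key, rrq["sendersID"], rrq["random"],
                                         rrq["challenge"])}


class Terminal:
    """Terminal A: sends its half-key, accepts the RCF only if B proved the same secret."""

    def __init__(self, name):
        self.name = name
        self.random = 0
        self.key = None

    def build_rrq(self, gatekeeper_name):
        self.x = secrets.randbelow(P_MOD - 2) + 1
        self.random += 1                       # monotonically increasing sequence number
        self.challenge = secrets.token_bytes(16)
        return {"type": "RRQ", "sendersID": self.name, "generalID": gatekeeper_name,
                "random": self.random, "challenge": self.challenge,
                "dhKey": make_dhkey(self.x)}

    def handle_rcf(self, rcf):
        if rcf["type"] != "RCF":
            return False
        key = edh_key(shared_secret(rcf["dhKey"], self.x))
        expected = confirm_token(key, self.name, self.random, self.challenge)
        if not hmac.compare_digest(expected, rcf["confirm"]):
            return False                       # B did not derive the same EDH-secret
        self.key = key
        return True


def run_exchange():
    """One RRQ/RCF round, then the same RRQ replayed; returns (agreed, keys_match, replay_rejected)."""
    gk, term = Gatekeeper("gatekeeperB"), Terminal("terminalA")
    rrq = term.build_rrq(gk.name)
    agreed = term.handle_rcf(gk.handle_rrq(rrq))
    keys_match = term.key == gk.keys["terminalA"]
    replay_rejected = gk.handle_rrq(rrq)["type"] == "RRJ"
    return agreed, keys_match, replay_rejected
```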

Claims

1. A terminal access method based on the H.323 protocol applied to a packet network, characterized in that it comprises the following steps:
Step S102: the gatekeeper performs security authentication of an incoming terminal using an elliptic curve public key certificate digital signature system, adds the call signaling channel session key generated by negotiation with the incoming terminal to the signaling digitally signed with the elliptic curve public key certificate, and sends it to the incoming terminal, thereby establishing a first network access secure channel;
Step S104: the incoming terminal performs security authentication with the pre-shared secret mechanism using the call signaling channel session key, thereby establishing a second network access secure channel with the receiving terminal;
Step S106: the gatekeeper performs security authentication of the receiving terminal using the elliptic curve public key certificate digital signature system, adds the call signaling channel session key shared with the receiving terminal to the signaling digitally signed with the elliptic curve public key certificate, and sends it to the receiving terminal, thereby establishing a third network access secure channel;
Step S108: the incoming terminal and the gatekeeper establish a call connection secure channel on the second network access secure channel using a symmetric cryptographic security mechanism, based on the call signaling channel session key;
Step S110: on the call connection secure channel, encryption algorithm and key negotiation for the real-time media stream communication between the incoming terminal and the receiving terminal is performed using a symmetric cryptographic security mechanism, thereby achieving real-time secure communication of the media stream.
2. The terminal access method according to claim 1, characterized in that in step S102 the call signaling channel session key is generated by negotiation through a Diffie-Hellman key distribution scheme.
3. The terminal access method according to claim 1, characterized in that in steps S102 and S106 the step of the gatekeeper performing security authentication of a terminal using the elliptic curve public key certificate digital signature system comprises the following steps:
a. according to the public elliptic curve algorithm set given by the elliptic curve public key certificate, define a system parameter set D = (p, a, b, G, n, h), where p is a prime integer larger than 160 bits specifying the finite field GF(p); a, b specify the curve E; G = (xG, yG) ∈ E(GF(p)) is a base point; the prime n is the order of the base point G; h = #E(GF(p))/n is the cofactor integer; #E(GF(p)) denotes the order of the elliptic curve point group;
b. set the sequence random number, time stamp, challenge number, sending terminal name, receiving gatekeeper name and the flag for a full-signaling or partial-signaling-message signature in the signaling, and place them in a plaintext message token;
c. decide, based on the different security policies, whether to digitally sign the entire signaling or only part of the signaling message, and place the decision in the plaintext message token;
d. select a secure hash function and apply it to the signaling message, or the part of it that is being digitally signed, to generate a fixed-length message digest;
e. establish a key pair (d, Q), where d is the private key and Q = dG is the public key; send the hash function, the elliptic curve parameters a, b and the public key Q to the gatekeeper;
f. select a random or pseudo-random number k, 1 < k < n - 1;
g. compute kG = (x1, y1), r = x1 mod n; if r = 0, return to step f; compute s = k^-1 (e + dr) mod n; if s = 0, return to step f;
h. the incoming terminal completes the signature (r, s) of the signaling message, embeds the signature in the signaling message and sends it to the gatekeeper;
i. the gatekeeper retrieves the public elliptic curve parameter set D = {p, a, b, G, n, h} and an authorized copy of the public key Q associated with the terminal, and checks whether the terminal's signature (r, s) exceeds the range of the order of the base-point group; if so, it is an illegal digital signature and the terminal's access is refused;
j. if the terminal's signature (r, s) does not exceed the range of the order of the base-point group, the gatekeeper determines whether the message signature covers the entire signaling message or only part of the message and then generates the corresponding message digest e; it computes w = s^-1 mod n, u1 = ew mod n, u2 = rw mod n, and the value X = u1 G + u2 Q = (x1, y1); if x1 is 0 or is not equal to r, the signature is invalid and the terminal's access is refused;
k. if x1 equals r and is not 0, the correctness of the signature computation itself is verified and the gatekeeper completes the access authentication of the terminal.
4. The terminal access method according to claim 3, characterized in that the step of deciding, based on the different security policies, whether to digitally sign the entire signaling or only part of the message comprises: if the terminal and the gatekeeper are physically adjacent, the entire signaling is digitally signed; if there is a firewall between the terminal and the gatekeeper, only part of the message is digitally signed.
5. The terminal access method according to claim 1, characterized in that the internal format of the digital certificate used for the digital signature is specified by CCITT X.509, and its contents are selected from the group comprising: the version number of the certificate, the serial number of the digital certificate, the name of the certificate holder, the signature algorithm, the authority issuing the digital certificate, the signature of the authority issuing the digital certificate, and the validity period of the public key.
6. The terminal access method according to claim 1, characterized in that the gatekeeper resists denial-of-service attacks by verifying the lifetime of the incoming terminal's time stamp and the uniqueness of its random sequence value.
7. The terminal access method according to claim 1, characterized in that the gatekeeper verifies whether the receiving terminal is a legitimate user by comparing the identity of the receiving terminal with its own identifier.
8. The terminal access method according to claim 1, characterized in that the gatekeeper verifies whether the identifier of the incoming terminal is consistent with the identity identifier in its certificate and whether it has the corresponding access rights.
9. The terminal access method according to claim 2, characterized in that in step S102 the step of generating the call signaling channel session key by negotiation through the Diffie-Hellman key distribution scheme comprises the following steps:
a. the incoming terminal establishes in the signaling a data unit dhKey{halfkey(g^x), modsize (prime modulus p), generator (generator g of the multiplicative group)}; the incoming terminal generates a random number x, performs the corresponding computation and sends the result to the gatekeeper;
b. after receiving the signaling message, the gatekeeper randomly generates a secret number y and computes (g^x)^y = g^xy as the session key shared with the incoming terminal, and in the returned signaling fills the fields of the data unit {halfkey(g^y), modsize(p), generator(g)};
c. after receiving the signaling, the incoming terminal performs the same computation as the gatekeeper, (g^y)^x = g^yx = g^xy, completing the sharing of the session key with the gatekeeper.
10. The terminal access method according to claim 1, characterized in that in step S110, on the call connection secure channel, the call signaling channel session key is used with the pre-shared secret mechanism to perform security authentication of the H.245 control channel and establish a connection control secure channel; on the connection control secure channel, the security capability exchange procedure of the H.245 protocol is used to negotiate the encryption algorithm and encryption key supported by the incoming terminal and the receiving terminal for media stream communication, which are protected in transit with the call signaling channel session key.
11. The terminal access method according to claim 1, characterized in that the secure access of the terminal provided by the gatekeeper comprises at least one of the following: confidentiality, identity authentication, integrity authentication, and non-repudiation authentication.
PCT/CN2006/003100 2005-12-27 2006-11-17 Terminal access method based on h.323 protocol applied to packet network WO2007073659A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200510132289.3 2005-12-27
CNB2005101322893A CN100461670C (en) 2005-12-27 2005-12-27 H.323 protocol-based terminal access method for packet network

Publications (1)

Publication Number Publication Date
WO2007073659A1 true WO2007073659A1 (en) 2007-07-05

Country Status (2)

Country Link
CN (1) CN100461670C (en)
WO (1) WO2007073659A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113923029A (en) * 2021-10-11 2022-01-11 广东天镝科技有限公司 Internet of things information encryption method based on ECC (error correction code) hybrid algorithm
CN114978648A (en) * 2022-05-13 2022-08-30 武汉珈港科技有限公司 Offline secure communication method between cloud and chip
CN117834138A (en) * 2024-03-04 2024-04-05 北卡科技有限公司 Key negotiation method, system, equipment and medium suitable for instant messaging

Families Citing this family (8)

Publication number Priority date Publication date Assignee Title
CN101222503A (en) * 2008-01-25 2008-07-16 中兴通讯股份有限公司 Safety parameter generating method and device for implementing media stream safety
CN101286840B (en) * 2008-05-29 2014-07-30 西安西电捷通无线网络通信股份有限公司 Key distributing method and system using public key cryptographic technique
US9467283B2 (en) 2013-06-24 2016-10-11 Blackberry Limited Securing method for lawful interception
DE102013019870B4 (en) * 2013-11-28 2019-08-08 Friedrich Kisters Authentication and / or identification method in a communication network
CN106850520A (en) * 2016-04-18 2017-06-13 中国科学院信息工程研究所 A kind of implementation method for encrypting voice conferencing
EP3273635B1 (en) * 2016-07-20 2019-10-30 Mastercard International Incorporated Secure channel establishment
CN107426625B (en) * 2017-06-16 2020-06-16 上海好想法网络科技有限公司 Mode identification multimedia information encryption communication system
CN109194905B (en) * 2018-11-05 2021-09-10 苏州科达科技股份有限公司 Video conference connection encryption and establishment method, terminal, server and system

Citations (2)

Publication number Priority date Publication date Assignee Title
US20040114760A1 (en) * 2002-09-03 2004-06-17 Brown Daniel R.L. Method and apparatus for performing validation of elliptic curve public keys
CN1652499A (en) * 2004-02-07 2005-08-10 华为技术有限公司 Method for implementing information transmission

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
CN1108041C (en) * 1999-12-01 2003-05-07 陈永川 Digital signature method using elliptic curve encryption algorithm
CN100379231C (en) * 2003-10-21 2008-04-02 西安西邮双维通信技术有限公司 A multimedia communication safe proxy gateway and safety proxy method

Non-Patent Citations (2)

Title
"DRAFT ITU-T Recommendation H.323", ITU, 28 May 1996 (1996-05-28), pages 14 - 15 *
"IUT-T Recommendation H.235.0", ITU, 31 August 2005 (2005-08-31) *

Cited By (6)

Publication number Priority date Publication date Assignee Title
CN113923029A (en) * 2021-10-11 2022-01-11 广东天镝科技有限公司 Internet of things information encryption method based on ECC (error correction code) hybrid algorithm
CN113923029B (en) * 2021-10-11 2024-04-05 广东天镝科技有限公司 Internet of things information encryption method based on ECC (error correction code) hybrid algorithm
CN114978648A (en) * 2022-05-13 2022-08-30 武汉珈港科技有限公司 Offline secure communication method between cloud and chip
CN114978648B (en) * 2022-05-13 2024-03-29 武汉珈港科技有限公司 Cloud and chip off-line secure communication method
CN117834138A (en) * 2024-03-04 2024-04-05 北卡科技有限公司 Key negotiation method, system, equipment and medium suitable for instant messaging
CN117834138B (en) * 2024-03-04 2024-05-24 北卡科技有限公司 Key negotiation method, system, equipment and medium suitable for instant messaging

Also Published As

Publication number Publication date
CN1992593A (en) 2007-07-04
CN100461670C (en) 2009-02-11

Similar Documents

Publication Publication Date Title
WO2007073659A1 (en) Terminal access method based on h.323 protocol applied to packet network
US6996716B1 (en) Dual-tier security architecture for inter-domain environments
US7269730B2 (en) Method and apparatus for providing peer authentication for an internet key exchange
US7246236B2 (en) Method and apparatus for providing peer authentication for a transport layer session
US6865681B2 (en) VoIP terminal security module, SIP stack with security manager, system and security methods
JP2003298568A (en) Authenticated identification-based cryptosystem with no key escrow
WO2011041962A1 (en) Method and system for end-to-end session key negotiation which support lawful interception
WO2010124482A1 (en) Method and system for implementing secure forking calling session in ip multi-media subsystem
JP4783340B2 (en) Protecting data traffic in a mobile network environment
Palmieri et al. Providing true end-to-end security in converged voice over IP infrastructures
CN113411801A (en) Mobile terminal authentication method based on identity signcryption
Lin et al. Authentication protocols with nonrepudiation services in personal communication systems
WO2007093079A1 (en) Implementation method of crossdomain multi-gatekeeper packet network key negotiation security policy
WO2022135388A1 (en) Identity authentication method and apparatus, device, chip, storage medium, and program
CN113114644B (en) SIP architecture-based multi-stage cross-domain symmetric key management system
WO2009094813A1 (en) Security parameters negotiation method and apparatus for realizing the security of the media flow
WO2008074226A1 (en) A method for negotiating the session secret key between the endpoints across multiple gatekeeper zones
Thalhammer Security inVoIP-Telephony Systems
Callegari et al. Security and delay issues in SIP systems
Moravčík et al. Survey of real-time multimedia security mechanisms
Floroiu et al. A comparative analysis of the security aspects of the multimedia key exchange protocols
Jung et al. Using SIP identity to prevent man-in-the-middle attacks on ZRTP
WO2022183694A1 (en) Calling information authentication method, apparatus and system
Lee et al. Secure communications between bandwidth brokers
Naveed Asghar et al. Key management protocols for secure wireless multimedia services: a review

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06817842

Country of ref document: EP

Kind code of ref document: A1