WO2008083607A1 - Method and system for securely transferring a media stream - Google Patents

Method and system for securely transferring a media stream

Info

Publication number
WO2008083607A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
terminal
media stream
calling
called
Application number
PCT/CN2007/071412
Other languages
English (en)
Chinese (zh)
Inventor
Kai Sun
Tao Kong
Jianghai Gao
Jing Li
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008083607A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0457 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply dynamic encryption, e.g. stream encryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Definitions

  • the present invention relates to media stream encryption techniques, and more particularly to a method and system for securely transmitting media streams.
  • Background of the invention
  • the media stream is generally transmitted based on a real-time transport protocol (RTP), where the media stream is an audio media stream, a video media stream, or the like.
  • however, the media stream is exposed to security risks such as leakage and attack during transmission.
  • if a key is allocated to the terminal, the terminal can use the allocated key to transmit the media stream, thereby achieving secure transmission of the media stream.
  • MIKEY: multimedia Internet keying
  • the basic idea of the MIKEY public key mode is: the calling terminal generates a key and an envelope key, encrypts the key with the envelope key, encrypts the envelope key with the public key from the called terminal's certificate, and then sends the encrypted key to the called terminal through the MIKEY protocol; the called terminal decrypts the key, completing the key negotiation process.
  • in this mode, clock synchronization between the calling terminal and the called terminal is required, and a public key infrastructure (PKI) system must be supported.
  • however, clock synchronization and PKI system support are complex, which is not conducive to key negotiation.
  • in particular, when the calling terminal and the called terminal are ordinary mobile terminals, the large number of mobile terminals makes it difficult to complete certificate management in the PKI system, so key negotiation cannot proceed smoothly.
  • the basic idea of the MIKEY DH mode is: the calling terminal and the called terminal each generate a DH value, exchange these DH values with each other using the MIKEY protocol, and then each generates the key from the DH values of both parties.
  • the MIKEY DH mode also requires clock synchronization, its implementation is very complicated, and its computational load is large, which demands high terminal performance and is not conducive to key agreement.
  • in addition, the operator needs to be able to obtain the key of the media stream so that the lawful interception requirements of the security authority can be met.
  • in both MIKEY modes, only the terminals participating in the interaction can obtain the key.
  • the terminals participating in the interaction may be the calling terminal and the called terminal, or may be multiple terminals together with any third party participating in the interaction.
  • the operator cannot obtain the key, that is, the lawful interception requirement cannot be met.
  • the embodiment of the invention provides a method and a system for securely transmitting a media stream, which, under the condition that link security is ensured, can avoid clock synchronization, PKI support, certificate management and the like, reduce the complexity of generating a key, and facilitate the promotion of media stream encryption services.
  • a method of securely transmitting a media stream comprising the steps of:
  • the key generation unit acquires the encryption capability information of the terminal in the call flow, and generates a key for the media stream according to the encryption capability information;
  • the terminal and the media stream carrying device transmit the media stream using the acquired key.
  • the embodiment of the invention further provides a system for securely transmitting a media stream, and the technical solution thereof is:
  • a system for securely transmitting a media stream comprising a terminal and a media stream carrying device, the system further comprising a key generating unit;
  • the terminal is configured to send its own encryption capability information to the key generation unit, acquire the key, and transmit the media stream according to the key;
  • the media stream carrying device is configured to receive a key generated by the key generating unit, and is responsible for transmitting the media stream according to the key;
  • the key generating unit is configured to receive the encryption capability information input by the terminal, generate a key, and send the generated key to the terminal and the media stream carrying device respectively.
  • the embodiment of the present invention provides a method and system for securely transmitting a media stream.
  • the terminal does not generate the key by itself; instead the key is generated by the key generation unit, without clock synchronization or PKI system support, which greatly reduces the complexity of generating keys, achieves secure transmission of the media stream, and facilitates the promotion of media stream encryption services. Since the calling side and the called side can each generate their own key independently without negotiating with the other party, the execution of the call flow is not affected by the generation and delivery of the keys.
  • moreover, since the media stream is transmitted in plaintext between the media stream bearer devices of the calling side and the called side, the practical requirement of lawful interception can be met.
  • FIG. 1 is a flow chart of Embodiment 1 of the method of the present invention.
  • FIG. 2 is a schematic diagram of a message flow according to Embodiment 2 of the method of the present invention.
  • FIG. 3 is a basic structural diagram of Embodiment 1 of the system of the present invention.
  • FIG. 4 is a basic structural diagram of Embodiment 2 of the system of the present invention.
  • Mode for carrying out the invention
  • in the embodiments of the present invention, a key generation unit is set up in advance and is responsible for generating and distributing the key.
  • the terminal and the media stream bearer device transmit the media stream by using the key obtained from the key generation unit, thereby achieving the purpose of securely transmitting the media stream.
  • FIG. 1 is a flow chart of Embodiment 1 of the method of the present invention. As shown in FIG. 1, method Embodiment 1 may include the following steps:
  • Step 101 The key generation unit acquires the encryption capability information of the terminal in the call flow, and generates a key for the media flow according to the encryption capability information.
  • Step 102 The key generation unit sends the generated key to the terminal and the media stream carrying device separately.
  • Step 103 The terminal and the media stream carrying device transmit the media stream by using the obtained key. Since the call flow involves a calling side and a called side, the secure transmission of the media stream in the present invention is likewise divided into the calling side and the called side.
  • on the calling side, the terminal is the calling terminal;
  • the key generating unit is a calling side key generating unit, and the calling side key generating unit may be a functional unit in the calling side CSCF;
  • the media stream bearer device is a media stream bearer device on the calling side, that is, a calling side MP.
  • in step 101, acquiring the encryption capability information of the calling terminal may include: the calling terminal initiates a call and sends a call request message carrying its own encryption capability information to the calling side CSCF, and the calling side CSCF obtains the encryption capability information of the calling terminal from the call request message.
  • in step 102, sending the key to the calling terminal may include: when the calling side CSCF receives the call response message from the called terminal, it carries the previously generated key in the call response message and sends it to the calling terminal.
  • in step 102, sending the key to the calling side MP may include: the calling side CSCF sends a message carrying the key to the calling side resource and access control subsystem (RACS), and the calling side RACS then sends the key to the calling side MP. At this point, both the calling terminal and the calling side MP have obtained the key from the calling side CSCF, and the media stream can be transmitted using the key.
  • in step 103, transmission of the media stream can be divided into two cases:
  • one case is: when the media stream is transmitted from the calling terminal to the called terminal, the calling terminal encrypts the media stream with the obtained key and sends the encrypted media stream to the calling side MP; the calling side MP decrypts the media stream with the obtained key and then forwards the decrypted media stream, that is, sends it on to the called side.
  • the other case is: when the media stream is transmitted from the called terminal to the calling terminal, the calling side MP encrypts the media stream coming from the called terminal with the obtained key and sends the encrypted media stream to the calling terminal; the calling terminal then decrypts the media stream with the obtained key.
  • in practice, the media stream may be transmitted only from the calling terminal to the called terminal, only from the called terminal to the calling terminal, or in both directions between the calling terminal and the called terminal.
  • on the called side, the terminal is the called terminal;
  • the key generating unit is the called side key generating unit, which may be a functional unit in the called side CSCF;
  • the media stream bearer device is the called side media stream bearer device, that is, the called side MP.
  • in step 101, acquiring the encryption capability information of the called terminal includes: the called terminal receives the call request message sent to it by the called side CSCF and returns a call response message carrying its own encryption capability information to the called side CSCF;
  • the called side CSCF obtains the encryption capability information of the called terminal from the call response message.
  • in step 102, sending the key to the called terminal includes: when the called side CSCF receives a call-related message from the calling terminal, it carries the previously generated key in the call-related message and sends it to the called terminal.
  • the call-related message described here may be an acknowledgement message, an information change message, or the like.
  • in step 102, the key is sent to the called side MP as follows:
  • the called side CSCF sends a message carrying the key to the called side RACS, and the called side RACS then sends the key to the called side MP.
  • at this point, both the called terminal and the called side MP have obtained the key from the called side CSCF, and the media stream can be transmitted using the key. Similar to the calling side, transmission of the media stream can be divided into two cases:
  • one case is: when the media stream is transmitted from the calling terminal to the called terminal, the called side MP encrypts the media stream coming from the calling terminal with the obtained key and sends the encrypted media stream to the called terminal;
  • the called terminal then decrypts the media stream with the obtained key.
  • the other case is: when the media stream is transmitted from the called terminal to the calling terminal, the called terminal encrypts the media stream with the obtained key and sends the encrypted media stream to the called side MP;
  • the called side MP then decrypts the media stream with the obtained key and forwards the decrypted media stream.
  • in the above two embodiments, the calling side and the called side each generate a key independently, and the generated key is sent to the terminal and the media stream bearer device of the local side. That is, the key generated by one side is only used to transmit the media stream within the area to which that side belongs, while the media stream between the calling side area and the called side area is transmitted in plaintext; therefore, when generating a key, neither side needs to negotiate with the other party, nor send its own generated key to the other party.
  • the above embodiments describe the method of securely transmitting a media stream from the calling side or the called side separately.
  • in practice, the call process and the transmission of the media stream involve both the calling side and the called side.
  • the following preferred embodiment therefore involves both the calling side and the called side, so as to fully describe the method of securely transmitting the media stream.
  • in this embodiment, a key generation unit is set up in advance on each of the calling side and the called side: the calling side key generation unit is a functional unit in the calling side P-CSCF, and the called side key generation unit is a functional unit in the called side P-CSCF.
  • of course, in practical applications, the key generation unit may also be a separate server rather than a functional unit in the P-CSCF.
  • the calling side further includes a calling terminal, a calling side RACS, and a calling side MP.
  • the called side further includes a called terminal, a called side RACS, and a called side MP.
  • the key generated by the calling side P-CSCF is X, and the key generated by the called side P-CSCF is y.
  • FIG. 2 is a schematic diagram of message flow in the embodiment. As shown in FIG. 2, this embodiment includes the following steps:
  • Step 201 The calling terminal initiates a call, and sends a call request message carrying its own encryption capability information to the calling side P-CSCF.
  • the call request message described here is an INVITE message of the SIP protocol, and the encryption capability information of the calling terminal can be carried in the INVITE message in four ways: the first is to carry it in the SDP of the INVITE message; the second is to carry it in the SIP caller attribute Accept-Contact header field of the INVITE message; the third is to carry it in a SIP extension negotiation field of the INVITE message; the fourth is to carry it in the field defined by the draft (RFC 4568) standard in the INVITE message.
  • when carried in the SDP, the format of the encryption capability information is:
  • the m field carries the media information and supports the media capability declaration; the a field is used to describe attributes of the media stream.
  • the meanings of these attribute descriptions are shown in Table 1:
  • when carried in the SIP caller attribute Accept-Contact header field, its format is:
  • media_encryption SRTP-[AES-CM]-[128;256;512]-[HMAC-SHA1]-[160]
  • the meanings of the sub-fields are the same as those in Table 1 and are not described again here.
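As an added example (not code from the patent), the following Python parses a capability string in the media_encryption format shown above and performs the key generation unit's part of step 203: intersecting the terminal's advertised choices with what the unit itself will issue and drawing a fresh random key of the selected size. Reading the bracketed groups as ";"-separated alternatives, the unit's policy table and all function names are assumptions, since Table 1 is not reproduced on this page.

```python
import re
import secrets
from dataclasses import dataclass

# Capability string as described on the page, e.g.
#   media_encryption SRTP-[AES-CM]-[128;256;512]-[HMAC-SHA1]-[160]
# Assumption: each "[...]" group lists alternatives separated by ";".
_CAP_RE = re.compile(
    r"^(?P<transport>[A-Za-z0-9]+)"
    r"-\[(?P<ciphers>[^\]]*)\]"
    r"-\[(?P<key_bits>[^\]]*)\]"
    r"-\[(?P<auth>[^\]]*)\]"
    r"-\[(?P<tag_bits>[^\]]*)\]$"
)


@dataclass(frozen=True)
class EncryptionCapability:
    transport: str          # e.g. "SRTP"
    ciphers: tuple          # e.g. ("AES-CM",)
    key_bits: tuple         # e.g. (128, 256, 512)
    auth_algs: tuple        # e.g. ("HMAC-SHA1",)
    tag_bits: tuple         # e.g. (160,)


def _alternatives(group: str) -> tuple:
    return tuple(item.strip() for item in group.split(";") if item.strip())


def parse_capability(text: str) -> EncryptionCapability:
    """Parse the media_encryption capability string a terminal sends in the call flow."""
    value = text.strip()
    if value.startswith("media_encryption"):
        value = value[len("media_encryption"):].lstrip(" :=")
    match = _CAP_RE.match(value)
    if match is None:
        raise ValueError(f"malformed encryption capability: {text!r}")
    try:
        key_bits = tuple(int(b) for b in _alternatives(match["key_bits"]))
        tag_bits = tuple(int(b) for b in _alternatives(match["tag_bits"]))
    except ValueError as exc:
        raise ValueError(f"non-numeric length in {text!r}") from exc
    cap = EncryptionCapability(match["transport"].upper(), _alternatives(match["ciphers"]),
                               key_bits, _alternatives(match["auth"]), tag_bits)
    if not (cap.ciphers and cap.key_bits and cap.auth_algs and cap.tag_bits):
        raise ValueError(f"empty sub-field in {text!r}")
    return cap


# Constructed policy of the key generation unit: what it is willing to issue.
# A terminal may advertise more (e.g. a 512-bit key) than the unit supports.
UNIT_POLICY = {
    "SRTP": {
        "ciphers": {"AES-CM": (128, 256)},
        "auth": {"HMAC-SHA1": (80, 160)},
    }
}


def select_suite(cap: EncryptionCapability, policy=UNIT_POLICY) -> dict:
    """Intersect the terminal's capability with the unit's policy; pick the strongest common choice."""
    transport = policy.get(cap.transport)
    if transport is None:
        raise ValueError(f"unsupported transport {cap.transport}")
    cipher_choices = [(c, k) for c in cap.ciphers if c in transport["ciphers"]
                      for k in cap.key_bits if k in transport["ciphers"][c]]
    auth_choices = [(a, t) for a in cap.auth_algs if a in transport["auth"]
                    for t in cap.tag_bits if t in transport["auth"][a]]
    if not cipher_choices or not auth_choices:
        raise ValueError("no common cipher suite between terminal and key generation unit")
    cipher, key_bits = max(cipher_choices, key=lambda ck: ck[1])
    auth, tag_bits = max(auth_choices, key=lambda at: at[1])
    return {"transport": cap.transport, "cipher": cipher, "key_bits": key_bits,
            "auth": auth, "tag_bits": tag_bits}


def generate_media_key(capability_text: str) -> tuple:
    """Key generation unit step: choose the suite and draw a fresh random key of that size."""
    suite = select_suite(parse_capability(capability_text))
    key = secrets.token_bytes(suite["key_bits"] // 8)  # CSPRNG; a new key per call, never reused
    return suite, key
```

Rejecting a malformed or unsupported capability string here, before any key is issued, keeps a bad INVITE from leaving the P-CSCF with a key but no agreed suite.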
  • Step 202 The calling side P-CSCF sends a call request message to the called side P-CSCF.
  • in this embodiment the newly added key generation unit is a functional unit in the P-CSCF; in practical applications it may also be in another CSCF, such as an S-CSCF.
  • if the key generation unit is not a functional unit in the P-CSCF but a separate server, an interface between the P-CSCF and the server needs to be provided, and the P-CSCF obtains the generated key from the server through that interface.
  • Step 204 The calling side P-CSCF initiates a resource reservation process, and in the resource reservation process sends the generated key X to the calling side RACS.
  • Step 205 The calling side RACS sends the key X to the calling side MP.
  • steps 204 and 205 constitute the resource reservation process, which mainly determines information such as the quality of service (QoS) and threshold control, and delivers the determined QoS and threshold control information to the calling side MP through policy.
  • in this process, the P-CSCF may extend the Media-Sub-Component AVP of the Media-Component-Description in the resource request message (AAR), record the generated key in the extended field, and send the key to the calling side RACS.
  • the extended format can be:
  • [Media-Encryption-Key] is the extended field for carrying the key.
  • of course, the key can also be sent to the calling side RACS without using the AAR message, through other messages such as resource modification messages, etc.; as to how to deliver the key, how to extend the message, and the specific implementation.
  • after the calling side RACS receives the key, it can send the key to the calling side MP through the H.248 protocol or the Common Open Policy Service (COPS) protocol.
  • in H.248, the key can be carried in the Stream Descriptor of the Media Descriptor when an endpoint is added to the association using the Add command.
  • the value of the Media-Encryption-Key field in the message is copied into the Media Descriptor property identifiers SDP-A and encryptkey.
  • after the call request message of step 202 has been handled by the calling side P-CSCF, the subsequent call process continues, that is, step 206 is performed, while the key is generated and sent, that is, steps 203 to 205 are performed. That is to say, the subsequent call flow and key generation and delivery are two parallel processes, and there is no strict sequence in time.
  • in this embodiment, the calling side P-CSCF sends the key to the calling side MP by initiating a resource reservation process, but in practical applications the key may also be sent to the calling side MP through an independent key issuing process.
  • in other words, any process may be used as long as the generated key can be sent to the calling side MP.
  • Step 206 The called side P-CSCF sends a call request message to the called terminal.
  • Step 207 The called terminal returns a call response message carrying its own encryption capability information to the called side P-CSCF, and the called side P-CSCF obtains the encryption capability information of the called terminal from the call response message.
  • the call response message is related to the call request message received by the called terminal, and may be a 183 message or a 200 OK message.
  • Step 208 The called side P-CSCF sends a call response message to the calling side P-CSCF.
  • the calling side P-CSCF then carries the previously generated key X in the k field of the SDP and sends it to the calling terminal.
  • specifically, the key can be carried in the inline field.
  • alternatively, a SIP header field can be extended in the 200 OK message to carry the key X.
  • for example, a Media-Key header field is extended, with the following format:
  • Step 210 The key generation unit in the called side P-CSCF generates a key y according to the encryption capability information of the called terminal.
  • Step 211 The called side P-CSCF initiates a resource reservation process, and sends a packet carrying the key y to the called side RACS in the resource reservation process.
  • Step 212 The called side RACS sends the key y to the called side MP.
  • steps 211 to 212 are the process in which the called side P-CSCF sends the generated key to the called side MP through the resource reservation process; the method is the same as in steps 204 to 205 and is not described in detail here.
  • on the called side, the subsequent call process is performed, that is, steps 208 to 209, while the key is generated and sent, that is, steps 210 to 212. That is to say, on the called side too, the subsequent call flow and key generation and delivery are two parallel processes, and there is no strict sequence in time.
  • Step 215 The called side P-CSCF sends the generated key y to the called terminal by using an acknowledgement message.
  • in this embodiment, the called side P-CSCF sends the key y to the called terminal through an acknowledgement message, that is, a PRACK message or an ACK message. If the called terminal returned a 183 message, the calling terminal needs to send a PRACK message to the called terminal, and the called side P-CSCF may carry the key y in the k field of the SDP in the PRACK message; if the called terminal returned a 200 OK message, the calling terminal needs to send an ACK message to the called terminal, and the called side P-CSCF may carry the key y in the extended Media-Key field of the ACK message.
  • Step 216 The calling terminal, the calling side MP, the called side MP and the called terminal transmit the media stream using the keys they have each obtained.
  • during the process of the calling terminal calling the called terminal, the messages or signaling exchanged are transmitted over the signaling link, whereas after the call is successfully set up the media stream data is transmitted over the data link, that is, through the calling terminal, the calling side MP, the called side MP and the called terminal.
  • the steps of transmitting the media stream may include:
  • when the media stream is transmitted from the calling terminal to the called terminal, the calling terminal encrypts the media stream with the obtained key X and sends the encrypted media stream to the calling side MP; the calling side MP decrypts the media stream with the obtained key X and then sends the decrypted media stream to the called side MP; the called side MP encrypts the media stream with the obtained key y and sends the encrypted media stream to the called terminal; the called terminal decrypts the media stream with the obtained key y.
  • when the media stream is transmitted from the called terminal to the calling terminal, the called terminal encrypts the media stream with the key y and sends the encrypted media stream to the called side MP; the called side MP decrypts the media stream with the key y and then sends the decrypted media stream to the calling side MP; the calling side MP encrypts the media stream with the key X and sends the encrypted media stream to the calling terminal; the calling terminal decrypts the media stream with the key X.
  • that is, the media stream is encrypted with the key X for secure transmission on the calling side, and encrypted with the key y for secure transmission on the called side.
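An added Python model (not the patent's code) of the calling-to-called direction of step 216: the calling terminal protects each packet under X, the calling side MP removes that protection, the leg between the two MPs carries plaintext, and the called side MP re-protects under y before the called terminal decrypts. The packet layout and the HMAC-SHA256 counter-mode keystream are stand-ins for the SRTP AES-CM/HMAC-SHA1 suite on the page, and all names are assumptions.

```python
import hashlib
import hmac
import secrets

# Stand-in for SRTP packet protection (AES-CM + HMAC-SHA1 on the page):
# an HMAC-SHA256 keystream in counter mode plus an HMAC tag. Constructed for illustration.
TAG_LEN = 10          # 80-bit truncated authentication tag
HEADER_LEN = 4 + 6    # constructed header: ssrc (4 bytes) || packet index (6 bytes)


def _keystream(key: bytes, header: bytes, nbytes: int) -> bytes:
    """Derive nbytes of keystream bound to this packet's header (ssrc || index)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < nbytes:
        blocks.append(hmac.new(key, header + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:nbytes]


def protect(key: bytes, ssrc: int, index: int, payload: bytes) -> bytes:
    """Encrypt payload under key and append a tag over header || ciphertext."""
    header = ssrc.to_bytes(4, "big") + index.to_bytes(6, "big")
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, header, len(payload))))
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    return header + ct + tag


def unprotect(key: bytes, packet: bytes) -> tuple:
    """Verify the tag first, then decrypt. Raises ValueError on a wrong key or tampered packet."""
    if len(packet) < HEADER_LEN + TAG_LEN:
        raise ValueError("packet too short")
    header, ct, tag = packet[:HEADER_LEN], packet[HEADER_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, header + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ssrc, index = int.from_bytes(header[:4], "big"), int.from_bytes(header[4:], "big")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(key, header, len(ct))))
    return ssrc, index, pt


def calling_to_called(key_x: bytes, key_y: bytes, ssrc: int, index: int, payload: bytes) -> dict:
    """Step 216, calling terminal -> called terminal, following the page's four hops."""
    # Calling terminal encrypts with X and sends to the calling side MP.
    on_calling_access = protect(key_x, ssrc, index, payload)
    # Calling side MP decrypts with X; what it forwards to the called side MP is plaintext.
    _, _, between_mps = unprotect(key_x, on_calling_access)
    # Called side MP re-encrypts with y and sends to the called terminal.
    on_called_access = protect(key_y, ssrc, index, between_mps)
    # Called terminal decrypts with y.
    _, _, delivered = unprotect(key_y, on_called_access)
    return {"calling_access": on_calling_access, "between_mps": between_mps,
            "called_access": on_called_access, "delivered": delivered}


def demo() -> dict:
    key_x = secrets.token_bytes(32)   # issued by the calling side P-CSCF
    key_y = secrets.token_bytes(32)   # issued by the called side P-CSCF, independently of X
    payload = b"constructed RTP payload: 20 ms of audio"
    return calling_to_called(key_x, key_y, ssrc=0x1234ABCD, index=7, payload=payload)
```

The returned dictionary exposes each leg, so one can check that X does not open the called side packet and that the plaintext leg between the MPs is exactly what a lawful interception point at the MP would see.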
  • if the called terminal returns a 183 message, the calling terminal also needs to send an information update message, that is, an UPDATE message, to the called terminal after sending the PRACK message.
  • in that case, the called side P-CSCF may also send the key y to the called terminal through the UPDATE message instead of the PRACK message.
  • in summary, the key generation unit acquires the encryption capability information of the terminal in the call flow, generates a key according to the encryption capability information, and then sends the key to the terminal and the media stream bearer device respectively.
  • which messages are used to send the key to the terminal and to the media stream bearer device may be decided by the user applying the solution of the present invention, and details are not described here.
  • the second embodiment of the method is described by taking as an example a network containing an IP Multimedia Subsystem (IMS) and providing a security guarantee in the IMS network.
  • the method of the present invention can also be applied to other types of networks, such as a softswitch-based next-generation network; the procedure is similar to that described above and is not enumerated here.
  • the present invention also provides a system embodiment for securely transmitting a media stream.
  • FIG. 3 is a schematic diagram of the basic structure of an embodiment of the system for securely transmitting a media stream. As shown in FIG. 3, the system includes a terminal 301, a media stream bearer device 302, and a key generation unit 303.
  • the terminal 301 is configured to send its own encryption capability information to the key generation unit 303, acquire the key, and transmit the media stream according to the key.
  • the media stream bearer device 302 is configured to receive the key generated by the key generation unit 303, and is responsible for transmitting the media stream according to the key.
  • the key generation unit 303 is configured to receive the encryption capability information sent by the terminal 301, generate a key, and send the generated key to the terminal 301 and the media stream bearer device 302 respectively.
  • the terminal 301 may be a calling terminal or a called terminal;
  • the media stream bearer device 302 may be the calling side media stream bearer device or the called side media stream bearer device;
  • the key generation unit 303 may be a functional unit in the P-CSCF, or may be an independent server.
  • when the key generation unit is a functional unit in the P-CSCF and the media stream bearer device is an MP, the MP obtains the key through the RACS.
  • FIG. 4 is a schematic structural view of a second embodiment of the system of the present invention.
  • the system embodiment includes: a calling terminal 401, a calling side P-CSCF 402, a calling side RACS 403, a calling side MP 404, a called terminal 405, a called side P-CSCF 406, a called side RACS 407, and a called side MP 408.
  • the calling terminal 401 and the called terminal 405 respectively transmit their own encryption capability information to the calling side P-CSCF 402 and the called side P-CSCF 406 to acquire a key, and are responsible for transmitting the media stream according to the key.
  • the calling side P-CSCF 402 and the called side P-CSCF 406 respectively generate a key, and send the generated key to the calling side RACS 403 and the called side RACS 407, respectively.
  • the calling side RACS 403 and the called side RACS 407 forward the keys generated by the calling side P-CSCF 402 and the called side P-CSCF 406 to the calling side MP 404 and the called side MP 408 respectively.
  • the calling side MP 404 and the called side MP 408 receive a key from the calling side RACS 403 and the called side RACS 407, respectively, and are responsible for transmitting the media stream according to the key.
  • when the calling terminal 401 initiates a call, it sends a call request message carrying its own encryption capability information to the calling side P-CSCF 402; the calling side P-CSCF 402 sends the call request message to the called terminal 405 through the called side P-CSCF 406, and at the same time generates a key according to the encryption capability information of the calling terminal 401 and sends the key to the calling side MP 404 through the calling side RACS 403.
  • when the called terminal 405 receives the call request message, it returns a call response message carrying its own encryption capability information to the called side P-CSCF 406; the called side P-CSCF 406 returns the call response message to the calling side P-CSCF 402, and the calling side P-CSCF 402 carries the previously generated key in the call response message and returns it to the calling terminal 401.
  • at the same time, the called side P-CSCF 406 generates a key according to the encryption capability information of the called terminal 405, and sends the key to the called side MP 408 through the called side RACS 407; thereafter, the calling terminal 401, the calling side MP 404, the called side MP 408 and the called terminal 405 transmit the media stream using the keys they have obtained.
  • with the above system, the terminal and the media stream bearer device can obtain the key generated by the key generation unit without complicated processes such as certificate management and clock synchronization, so secure transmission of the media stream can be easily implemented;
  • the unencrypted media stream is transmitted between the calling side media stream bearer device and the called side media stream bearer device, which meets the practical requirement of a legitimate authority performing lawful interception without needing a key;
  • the calling side and the called side generate their keys independently, no negotiation is required, and the execution of the call flow is not affected while the keys are generated and delivered.
  • the second embodiment of the system is described by taking the case of a network containing an IP Multimedia Subsystem (IMS) and providing a security guarantee in the IMS network.
  • IMS IP Multimedia Subsystem
  • the method of the present invention can also be applied to other types of networks, such as: Next-generation networks based on softswitch, which are not enumerated here.
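The call flow in the bullets above, as an added example that is not part of the patent text or of any Huawei implementation. It models the calling side (terminal 401, P-CSCF 402, RACS 403, MP 404), the called side (405 to 408) and one media packet crossing them. The cipher suite names, the HMAC-SHA256 keystream standing in for a real SRTP cipher, the key lengths, and the assumption that the called P-CSCF hands its key to the called terminal (the excerpt does not say which message carries it) are all assumptions made for this example.

```python
"""Model of the per-side key distribution flow (added example, not the patent's code).
KEY_LEN, PREFERENCE and the HMAC-SHA256 keystream are assumptions for a
dependency-free demo; real media would use SRTP cipher suites."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Cipher suites a terminal may advertise (assumed names); the value is the key length
# the key generating unit must produce for that suite.
KEY_LEN = {"KS-HMAC-SHA256-256": 32, "KS-HMAC-SHA256-128": 16}
PREFERENCE = ["KS-HMAC-SHA256-256", "KS-HMAC-SHA256-128"]  # strongest first


def keystream_xor(key: bytes, seq: int, data: bytes) -> bytes:
    """XOR data with a keystream derived from HMAC-SHA256(key, seq || counter).
    Symmetric: the same call decrypts. seq is the cleartext packet sequence number."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        block_input = seq.to_bytes(4, "big") + ctr.to_bytes(4, "big")
        stream += hmac.new(key, block_input, hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Terminal:
    name: str
    capabilities: list      # encryption capability information sent in signalling
    suite: str = None
    key: bytes = None


@dataclass
class MediaProxy:
    """Media stream bearer device (MP): holds the key for its own side only."""
    name: str
    suite: str = None
    key: bytes = None


class RACS:
    """Forwards the key generated by the P-CSCF to the MP on the same side."""
    def __init__(self, mp: MediaProxy):
        self.mp = mp

    def deliver(self, suite: str, key: bytes) -> None:
        self.mp.suite, self.mp.key = suite, key


class PCSCF:
    """Key generating unit: uses only the local terminal's capability list, never the
    peer side's, so the two sides need no negotiation."""
    def __init__(self, name: str, racs: RACS):
        self.name, self.racs = name, racs

    def generate_key(self, capabilities: list) -> tuple:
        for suite in PREFERENCE:
            if suite in capabilities:
                return suite, os.urandom(KEY_LEN[suite])
        # Failure mode: a terminal that offers nothing usable gets its call rejected.
        raise ValueError(f"{self.name}: no supported cipher suite in {capabilities}")


def run_call(calling: Terminal, called: Terminal, media: bytes, seq: int = 1) -> dict:
    """Run the signalling flow, then push one media packet from calling to called side."""
    mp_a, mp_b = MediaProxy("MP404"), MediaProxy("MP408")
    pcscf_a = PCSCF("P-CSCF402", RACS(mp_a))
    pcscf_b = PCSCF("P-CSCF406", RACS(mp_b))

    # 1. Call request carries the calling terminal's encryption capability.
    request = {"from": calling.name, "to": called.name, "caps": calling.capabilities}
    # 2. Calling P-CSCF generates the calling-side key and pushes it to MP404 via RACS403
    #    while the request travels on, via the called P-CSCF, to the called terminal.
    suite_a, key_a = pcscf_a.generate_key(request["caps"])
    pcscf_a.racs.deliver(suite_a, key_a)
    # 3. Called terminal answers with its own capability; the called P-CSCF generates an
    #    independent key and pushes it to MP408 via RACS407. Assumption: the called
    #    P-CSCF also hands that key to the called terminal.
    response = {"caps": called.capabilities}
    suite_b, key_b = pcscf_b.generate_key(response["caps"])
    pcscf_b.racs.deliver(suite_b, key_b)
    called.suite, called.key = suite_b, key_b
    # 4. Calling P-CSCF inserts the key it generated in step 2 into the response it
    #    returns to the calling terminal.
    response_to_caller = dict(response, suite=suite_a, key=key_a)
    calling.suite, calling.key = response_to_caller["suite"], response_to_caller["key"]

    # Media path: terminal <-> MP is encrypted on each side with that side's key; the
    # hop between the two MPs is plaintext, which is where lawful interception taps in.
    wire_a = keystream_xor(calling.key, seq, media)          # calling terminal -> MP404
    between_mps = keystream_xor(mp_a.key, seq, wire_a)       # MP404 decrypts, forwards
    wire_b = keystream_xor(mp_b.key, seq, between_mps)       # MP408 re-encrypts
    received = keystream_xor(called.key, seq, wire_b)        # called terminal decrypts
    return {"suite_a": suite_a, "key_a": key_a, "suite_b": suite_b, "key_b": key_b,
            "wire_a": wire_a, "between_mps": between_mps, "wire_b": wire_b,
            "received": received}
```

Running `run_call` with two terminals that advertise different suites shows the property the bullets claim: each P-CSCF picks a suite and key from its own terminal's capability list alone, neither key ever crosses to the other side, and the packet is readable on the MP404 to MP408 hop without any key. The flip side, which the page states but does not dwell on, is that confidentiality then rests entirely on the MPs, the P-CSCFs and the signalling path that carries the key to the terminal; this is hop-by-hop protection with a trusted core, not end-to-end encryption.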

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The present invention relates to a method and system for securely transferring a media stream. A key generating unit obtains encryption capability information from the terminal during the request process and generates a key for the media stream on the basis of that encryption capability information (101); it then sends the generated key to a terminal and to a media stream bearer device respectively (102); the terminal and the media stream bearer device transfer the media stream using the obtained key (103). With this solution the key is generated neither by the calling terminal nor by the called terminal but by the key generating unit, without any need for clock synchronization and without any need to support a public key infrastructure (PKI) system. The complexity of media stream key negotiation between one terminal and another is considerably reduced. This makes it convenient to deploy the media encryption service and can satisfy the requirements of lawful interception.
PCT/CN2007/071412 2007-01-12 2007-12-29 Method and system for securely transferring a media stream WO2008083607A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200710000851 CN101222612A (zh) 2007-01-12 2007-01-12 A method and system for secure transmission of a media stream
CN200710000851.6 2007-01-12

Publications (1)

Publication Number Publication Date
WO2008083607A1 true WO2008083607A1 (fr) 2008-07-17

Family

ID=39608363

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/071412 WO2008083607A1 (fr) 2007-01-12 2007-12-29 Method and system for securely transferring a media stream

Country Status (2)

Country Link
CN (1) CN101222612A (fr)
WO (1) WO2008083607A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101635919B (zh) * 2009-08-20 2012-10-10 中兴通讯股份有限公司 Encryption method and system for conference media data in an IP multimedia system
CN104105073A (zh) * 2013-04-09 2014-10-15 中兴通讯股份有限公司 Method and device for capability negotiation in a Long Term Evolution trunked network
CN104796401B (zh) * 2015-03-12 2017-11-03 天翼电信终端有限公司 Method and system for encrypted voice communication through an intermediate platform
CN111884802B (zh) * 2020-08-25 2023-04-11 中移(杭州)信息技术有限公司 Media stream encrypted transmission method, system, terminal and electronic device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1283063A (zh) * 1999-09-09 2001-02-07 深圳市中兴通讯股份有限公司 Mobile phone encryption method
US20030070067A1 (en) * 2001-09-21 2003-04-10 Shin Saito Communication processing system, communication processing method, server and computer program
CN1681241A (zh) * 2004-04-07 2005-10-12 华为技术有限公司 Key distribution method for end-to-end encrypted communication
JP2007005878A (ja) * 2005-06-21 2007-01-11 Kddi Corp Shared key generation method, shared key generation system, encrypted data copy method, shared key generation program, encrypted data transmission program and encrypted data reception program
CN1889767A (zh) * 2005-06-30 2007-01-03 华为技术有限公司 Method and communication system for implementing media stream security

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108123951A (zh) * 2017-12-25 2018-06-05 成都三零瑞通移动通信有限公司 Transmission encryption method and device for off-network direct-mode voice group calls in trunked communication
CN108123951B (zh) * 2017-12-25 2020-10-09 成都三零瑞通移动通信有限公司 Transmission encryption method and device for off-network direct-mode voice group calls in trunked communication

Also Published As

Publication number Publication date
CN101222612A (zh) 2008-07-16

Similar Documents

Publication Publication Date Title
US9537837B2 (en) Method for ensuring media stream security in IP multimedia sub-system
EP2124379B1 (fr) Method and system for distributing media stream secret keys
EP1717986B1 (fr) Key distribution method
WO2009021441A1 (fr) Transmitting and receiving method, apparatus and system for the security policy of a multicast session
KR100976635B1 (ko) Method for providing media security in an IMS network and IMS network providing media security
JP4856723B2 (ja) Method, apparatus and/or computer program product for encrypting and transmitting media data between a media server and subscriber equipment
EP2426852A1 (fr) Method and system for establishing a secure forking call session in an IP multimedia subsystem
WO2008089694A1 (fr) Method, system and equipment for obtaining a media stream protection key in an IMS network
CN101175074A (zh) Method and system for implementing end-to-end media stream key negotiation
WO2008040213A1 (fr) Method, system and device for encrypting and signing messages in a communication system
WO2010083695A1 (fr) Method and apparatus for secure session key negotiation
CN108833943A (zh) Code stream encryption negotiation method, device and conference terminal
WO2008083607A1 (fr) Method and system for securely transferring a media stream
WO2007048301A1 (fr) Encryption method for MGN service
WO2011020332A1 (fr) Method and system for encrypting media data of an IP multimedia subsystem session
WO2011131051A1 (fr) Method and device for security communication negotiation
WO2009094813A1 (fr) Method and apparatus for negotiating security parameters to secure a media stream
KR101210938B1 (ko) Encrypted communication method and encrypted communication system using the same
WO2009094812A1 (fr) Methods and apparatuses for ensuring end-to-end media stream security
EP2266251B1 (fr) Efficient key exchange between multiple parties
WO2009094814A1 (fr) Method for generating security parameters to secure a media stream and associated apparatus
WO2008083620A1 (fr) Method, system and apparatus for media stream security context negotiation
EP2846510A1 (fr) SRTP protocol extension
Zhao et al. Secure voice over internet protocol based on combined secret key method
WO2006081712A1 (fr) Method for switching between plaintext and ciphertext levels during a call

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07846238

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07846238

Country of ref document: EP

Kind code of ref document: A1