WO2008083620A1 - Method, system and apparatus for media stream security context negotiation - Google Patents

Method, system and apparatus for media stream security context negotiation

Publication number
WO2008083620A1
Authority
WO
WIPO (PCT)
Prior art keywords
media stream
called
calling
key
security context
Prior art date
Application number
PCT/CN2008/070042
Other languages
English (en)
Chinese (zh)
Inventor
Chengdong He
Zhanjun Zhang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Priority claimed from CN2007101627602A (CN101222320B, zh)
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008083620A1 (fr)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption

Definitions

  • the present invention relates to media stream encryption technologies, and in particular, to a method, system and apparatus for media stream security context negotiation.
  • the IMS network is divided into an access domain and a network domain, and security specifications of the access domain and the network domain are respectively defined.
  • the method embodiment of the present invention provides a method for media network security context negotiation, which can implement media stream security context negotiation in the IMS system, which is beneficial for the IMS system to use the key obtained by the negotiation to protect the media stream;
  • the called UE checks the media stream protection indication information to determine that it supports the media stream protection; the called UE and the calling UE obtain the media stream security context information including the security algorithm and the key.
  • An apparatus for implementing media stream security context negotiation comprising:
  • the called UE may also carry the generated key in the media stream security capability information, and the media stream security capability information may further include information such as a key identifier, a key validity period, and the like.
  • the media stream security capability information is referred to as the media stream security context information
  • the security algorithm is a security algorithm supported by both parties, and the key can be generated directly according to the security algorithm.
  • in steps 203 and 205, different keys are generated for different media streams, and the key identifiers are used to distinguish them.
  • the calling UE and the MGW can also transmit the media stream using the derived key.
  • the method further includes: the MGCF deriving a new key from the key generated by the calling UE and the key generated by the UE.
  • the calling UE further needs to derive a new key according to the key generated by itself and the key generated by the MGCF.
  • the call process will continue.
  • the calling UE also needs to send an UPDATE message to the MGCF, and the MGCF returns a 200 message.
  • FIG. 4 is a schematic diagram of a message flow of Embodiment 4 of the present invention.
  • the first entity is the calling UE
  • the second entity is the calling side CSCF
  • the method of user-to-network security capability negotiation is adopted, and both parties generate a key.
  • Step 401 The calling UE sends a session establishment request message to the calling side CSCF, where the session establishment request message carries the media stream security capability information of the calling UE.
  • the first entity needs to send the media stream security capability information to the second entity by using the session establishment request message, and the second entity returns the media stream security capability information that it provides according to the media stream security capability information of the first entity.
  • In actual applications, the ability of the first entity and the second entity to support secure transmission of media streams may be different.
  • the first entity may set one or more media stream security capability information in advance, and the second entity selects one of the media stream security capability information.
  • Step 501 The first entity sends a session establishment request message to the second entity, where the session establishment request message includes one or more media stream security capability information.
  • the media stream security capability information may further include a priority.
  • the second entity may select according to the priority, choosing the highest-priority media stream security capability information that it can support.
  • Media stream security capability information may be further included.
  • the generated key may be carried in the media stream security capability information and sent to the other party.
  • the media stream security capability information may further include parameters such as a key validity period. If there are multiple media streams to be protected, a different key may be generated for each different media stream, and the media stream security capability information may further include a key identifier to distinguish the corresponding media stream.
  • the key-method parameter can be used to indicate a key carrying method, such as an inline method. Use the key-info parameter to carry the key and parameters such as key identification and expiration date.
  • the security algorithm may also be carried by extending a security algorithm header field in the Session Initiation Protocol (SIP); likewise, the generated key, the key identifier, the key validity period, and the like can also be carried by extending corresponding header fields in the SIP protocol.
  • SIP Session Initiation Protocol
  • FIG. 6 is a schematic diagram showing the basic structure of Embodiment 1 of a media stream security capability negotiation system. As shown in Figure 6, the system includes:
  • the first entity 601 may also be the calling UE, and the second entity 602 is the calling side CSCF; or the first entity 601 is the called side CSCF, and the second entity is the called UE; in this case, the
  • the system further includes an MP, configured to receive a key delivered from the CSCF.
  • the media stream security capability information and the media stream security capability information supported by the MGW 703 generate a key Y, and the key X and the key Y are sent to the MGW 701, and the key Y is returned to the calling UE 701 through the 200 message.
  • the session response message described in this step may also be a 200 response message.
  • Step 904' The called UE derives a media stream security key according to the key generation parameters Pa and Pb.
  • Step 905 After receiving the response message sent by the called UE, the calling UE derives the media stream security key according to the key generation parameters Pa and Pb. Similarly, in this step, the calling UE generates a key according to the key generation parameter Pb and the key generation parameter Pa in the media stream security context sent by the called UE in step 904.
  • KEY is the key of the derived encrypted media
  • the first method is: the called UE sends at least one set of media stream security context information provided by itself to the calling UE, and each set of media stream security context information includes a security algorithm and a corresponding key; the calling UE directly selects one set from all the media stream security context information sent by the called UE, and sends the selected set of media stream security context information to the called UE. That is, since the key already exists in the media stream security context information provided by the called UE, the calling UE only needs to select one set and notify the called UE, and both parties can determine the security algorithm and the corresponding key, thereby achieving the purpose of the negotiation.
  • the method embodiment 7 includes the following steps:
  • Step 1003 The calling UE sends a PRACK response message to the called UE, which carries the media stream security context information provided by the local side; for example, (Algorithm 2, Key 2) in the 183 message is selected.
  • Step 1004 The called UE returns a 200 message corresponding to the PRACK to the calling UE, which carries the media stream security context information selected by the called UE as the result of the negotiation, in this embodiment (Algorithm 2, Key 2).
  • the information such as the algorithm and the key correspondingly, the state of the security premise in the INVITE and the subsequent 183 message sent by the calling UE and the called UE is set to the value of the actual state, and the specific value can be set by referring to RFC 3312 and the state setting method in the IETF draft of the security premise; because the INVITE and the subsequent 183 messages do not carry information such as a security algorithm and a key, the setting method of the security premise in the subsequent PRACK and 200 messages can be adopted.
  • a method of setting the transmission protocol of the media to be protected to a secure transmission protocol to indicate that the session media stream needs security protection, for example, setting the media transmission protocol to RTP/SAVP.
  • Step 1104 The called UE returns a 200 message corresponding to the PRACK to the calling UE, where the media stream security context information selected by the called UE is carried, which is (Algorithm 2, Key 2) in this embodiment.
  • the media stream security context information described herein is a set selected by the called UE from at least one set of media stream security context information carried by the PRACK message, and sent to the calling UE in the PRACK 200 message. If the media stream security context information is arranged according to a priority order set in advance, or a priority indication indicating the priority order is set, the selection may be performed according to the priority order, that is, the media stream security context information with the highest priority may be selected.
  • the calling UE and the called UE transmit the key through the PRACK message and the 200 message.
  • other messages such as UPDATE messages and 200 messages, can also be used to transmit keys.
  • the key-method parameter can be used to indicate the carrying method, such as the inline method or the method using the key-method-ext extension.
  • the key generating unit 1201c is configured to generate a key according to the security algorithm in the selected media stream security context information.
  • the called UE 1202 includes:
  • the selecting unit 1202b is configured to select at least one set of media stream security context information that it supports from the media stream security context information provided by the calling UE 1201, and to use the selected at least one set of media stream security context information as the media stream security context information provided by itself, which is sent to the calling UE 1201 through the transceiver unit 1202a.
  • the derivation unit 1201d derives a new key according to the key generated by the two parties;
  • the called UE 1302 receives the session request message carrying the media stream protection indication information, checks the media stream protection indication information, determines that it supports the media stream protection, and obtains the media stream security context including the security algorithm and the key.
  • the calling UE 1301 includes:
  • the selecting unit 1301b selects from all the media stream security context information sent by the called UE 1302.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method, system and apparatus for media stream security context negotiation are disclosed. The calling user equipment (UE) sends the media stream security context information that it provides to the called UE in the session request message. The media stream security context information includes a security algorithm. The calling UE receives the media stream security context information from the called UE, and the calling UE and the called UE obtain the encryption key according to the media stream security context information, including the security algorithm, that they provide. Because the calling UE and the called UE communicate with each other to obtain the media stream security context information, including the security algorithm and the encryption key, directly, without complicated computation by the UE and without a public key or other requirements in the network, media stream security context negotiation is achieved in an IMS system, which favors subsequent media stream security protection in the IMS network.
PCT/CN2008/070042 2007-01-11 2008-01-08 Method, system and apparatus for media stream security context negotiation WO2008083620A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CN200710001261 2007-01-11
CN200710001261.5 2007-01-11
CN200710162760.2 2007-09-30
CN2007101627602A CN101222320B (zh) 2007-01-11 2007-09-30 Method, system and apparatus for media stream security context negotiation

Publications (1)

Publication Number Publication Date
WO2008083620A1 (fr) 2008-07-17

Family

ID=39608374

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070042 WO2008083620A1 (fr) Method, system and apparatus for media stream security context negotiation 2007-01-11 2008-01-08

Country Status (1)

Country Link
WO (1) WO2008083620A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
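CN1722689A (zh) * 2005-06-21 2006-01-18 ZTE Corporation Method for protecting access security of the IP multimedia subsystem
CN1790982A (zh) * 2005-12-26 2006-06-21 Beihang University Method and system for implementing trust authentication based on negotiated communication
CN1801698A (zh) * 2005-01-07 2006-07-12 Huawei Technologies Co., Ltd. Method for ensuring media stream security in an IP multimedia service subsystem network
CN1983921A (zh) * 2005-12-16 2007-06-20 Huawei Technologies Co., Ltd. Method and system for implementing end-to-end media stream security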

Similar Documents

Publication Publication Date Title
US9537837B2 (en) Method for ensuring media stream security in IP multimedia sub-system
EP2124379B1 (fr) Method and system for distributing secret keys of the media stream
JP4284324B2 (ja) Method for forming and distributing cryptographic keys in a mobile radio system, and mobile radio system
CN101635823B (zh) Method and system for a terminal to encrypt video conference data
WO2015180654A1 (fr) Method and apparatus for secret communications
US7813509B2 (en) Key distribution method
JP4856723B2 (ja) Method, apparatus and/or computer program product for encrypting and transmitting media data between a media server and a subscriber device
CN101222320B (zh) Method, system and apparatus for media stream security context negotiation
WO2008040213A1 (fr) Method, system and device for encrypting and signing messages in a communication system
JP4838881B2 (ja) Method, apparatus and computer program product for encoding and decoding media data
CN101227272A (zh) Method and system for obtaining a media stream protection key
WO2011020332A1 (fr) Method and system for encrypting multimedia data of an IP multimedia subsystem session
WO2008083607A1 (fr) Method and system for securely transferring a media stream
WO2011131051A1 (fr) Method and device for security communication negotiation
CN102025485B (zh) Key negotiation method, key management server and terminal
US11218515B2 (en) Media protection within the core network of an IMS network
WO2009094813A1 (fr) Method and apparatus for negotiating security parameters for securing the media stream
WO2008083620A1 (fr) Method, system and apparatus for media stream security context negotiation
WO2009094814A1 (fr) Method for generating security parameters for securing a media stream, and associated apparatus

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08700068

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08700068

Country of ref document: EP

Kind code of ref document: A1