WO2009094813A1 - Security parameters negotiation method and apparatus for realizing the security of the media flow - Google Patents


Info

Publication number
WO2009094813A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
key
session
protocol
media stream
Application number
PCT/CN2008/000638
Other languages
French (fr)
Chinese (zh)
Inventor
Yinxing Wei
Zhimeng Teng
Original Assignee
Zte Corporation
Application filed by Zte Corporation
Publication of WO2009094813A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/166 Implementing security features at a particular protocol layer at the transport layer

Definitions

  • the present invention relates to the field of communications, and in particular to a method and apparatus for negotiating security parameters for implementing media stream security.
  • IPTV Internet Protocol Television
  • VoIP Voice over IP
  • Media stream security protects user-side data (such as video, voice, pictures, text, etc.) to prevent unauthorized users from accessing the data illegally.
  • Media stream security is not only the basis for content providers to operate; it is also a value-added service for networks.
  • the security requirements related to user privacy in the media stream also require the network to provide corresponding security; Digital Right Management (DRM) and Lawful Interception (LI) technologies also place corresponding requirements on media stream security.
  • DRM Digital Right Management
  • LI Lawful Interception
  • the media stream security here refers to security in the cryptographic sense, that is to say, by using cryptographic protection technologies (such as integrity protection and encryption protection), an attacker with limited resources cannot decipher the protected media stream data.
  • NGN Next Generation Network
  • media stream security is a basic requirement.
  • the NGN network should be able to guarantee the confidentiality and integrity of the transmitted media stream.
  • the Next Generation Network (NGN) of the International Telecommunication Union - Telecommunication (ITU-T) currently specifies the Secure Real-time Transport Protocol (SRTP) to implement media stream security, whereas Telecoms & Internet converged Services & Protocols for Advanced Networks (TISPAN), which is oriented to existing networks, has not yet standardized it;
  • RTP Real-time Transport Protocol
  • SDP Session Description Protocol
  • SAVP represents a secure audio/video profile
  • the key negotiation method for media stream security in NGN has the following disadvantage: the user obtains the SRTP master key from the SAA-FE/TAA-FE through the Border Element (BE) and then derives the encryption and authentication session keys from that master key; this is in fact a static configuration method and lacks scalability and flexibility.
  • a security parameter negotiation method for implementing media stream security includes the following steps: the two communicating parties establish a session that includes a control plane; the two communicating parties use a key management protocol on the control plane to negotiate security parameters; and the two communicating parties use the negotiated security parameters to protect the media stream between them.
  • the foregoing security parameter includes a key and at least one of the following: a key length, a key life cycle, and a cryptographic algorithm.
  • the above key management protocol comprises a multimedia internet key protocol.
  • the above key management protocol includes the secure real-time transport protocol and an associated key management protocol.
  • the foregoing session including the control plane includes at least one of the following: a Session Initiation Protocol (SIP)-compliant session; and a Session Description Protocol (SDP)-compliant session.
  • SIP Session Initiation Protocol
  • SDP Session Description Protocol
  • the negotiation module is configured to use the key management protocol to negotiate the security parameter on the control plane, and the protection module, configured to use the security parameter negotiated by the two communication parties to protect the media stream between the two communication parties.
  • the foregoing security parameter includes a key and at least one of the following: a key length, a key life cycle, and a cryptographic algorithm.
  • the key management protocol includes a multimedia internet key protocol.
  • the key management protocol includes a secure real-time transport protocol and an associated key management protocol.
  • the foregoing session including the control plane includes at least one of: a session following the session initiation protocol; and a session following the session description protocol.
  • the key negotiation adopts an independent key management protocol, so it is extensible and has the following features: (1) supports negotiation of session-level and media-level security parameters; (2) is independent of the signaling channel and directly supports end-to-end security parameter negotiation; (3) supports the cases of no signaling protection or of signaling that supports only hop-by-hop protection; (4) flexible configuration and good scalability.
  • FIG. 1 is a flow chart showing a method for implementing media stream security according to an embodiment of the present invention
  • FIG. 2 is a diagram showing a basic structure of NGN media stream security applied in an embodiment of the present invention
  • FIG. 3 shows the flow of the key negotiation process for NGN media stream security in an embodiment of the present invention
  • FIG. 4 is a structural diagram showing the separation of signaling control and media transmission in an NGN media stream security device according to an embodiment of the present invention
  • FIG. 5 is a diagram showing a protocol of an NGN media stream security device according to an embodiment of the present invention
  • FIG. 7 is a structural diagram of NGN media stream security in a plurality of domain cases according to an embodiment of the present invention
  • FIG. 1 is a flowchart of a method for implementing media stream security according to an embodiment of the present invention, including the following steps: Step S10, the two communicating parties establish a session that includes a control plane; Step S20, the two communicating parties use a key management protocol on the control plane to negotiate security parameters; and Step S30, the two communicating parties use the negotiated security parameters to protect the media stream between them.
  • the security parameter includes a key and at least one of the following: a key length, a key life cycle, and a cryptographic algorithm.
  • the key management protocol comprises a multimedia internet key agreement.
  • the key management protocol comprises a secure real-time transport protocol and an associated key management protocol.
  • the session including the control plane includes at least one of the following: a session following a session initiation protocol; and a session following the session description protocol.
  • the key negotiation mechanism is provided in the foregoing method, which obviously solves the problem that the prior art lacks security parameter negotiation and does not have scalability and flexibility.
  • the prior art adds a new attribute (a-crypto) in the SDP to negotiate a security parameter for the SRTP media stream.
  • the method uses a secure signaling channel to protect the SDP data, so the support of other security protocols is required, such as S/MIME (Secure/Multipurpose Internet Mail Extensions) and TLS (Transport Layer Security).
  • this method cannot handle the following situations: (a) negotiation of session-level security parameters; (b) an intermediate proxy needs to access the SDP media parameters when end-to-end protection is applied to the SDP; (c) the session does not use end-to-end protection but the media stream requires end-to-end protection, in which case the security parameters themselves need to be protected.
  • the key negotiation adopts an independent key management protocol, so it is extensible and has the following features: (1) supports negotiation of session-level and media-level security parameters; (2) is independent of the signaling channel and directly supports end-to-end security parameter negotiation; (3) supports the cases of no signaling protection or of signaling that supports only hop-by-hop protection; (4) flexible configuration and good scalability.
  • the above method may be executed on a terminal device, a network border device or a home network gateway. Further, the method has the following feature: the device first checks the parameters contained in the SDP of the INVITE, and if the conditions are met, generates the security parameters in the manner of the independent key management protocol; the security parameters are piggybacked through the SDP.
  • FIG. 2 shows the end user (End user 100) communicating through the NGN (120); the NGN (120) provides the media stream security capability, using the functional entity BE (110) to support the key management protocol, the SRTP protocol, encryption/decryption functions and so on. The End user (100) also supports the media stream security capability; the operator decides according to security policy on which device media stream security is implemented.
  • the above BE corresponds to the S/BC (Session/Border Control) function and has the functions of control plane and user plane processing.
  • FIG. 3 shows the key negotiation processing flow when the BE provides the media stream security service during session establishment.
  • Step 320, End user 1 (300) and End user 2 (315) establish a session through the border elements BE1 (Border Element, 305) and BE2 (310);
  • Step 325, End user 1 (300) notifies BE1 (305) in the session control signaling that media stream security protection is required.
  • for SIP control signaling, the attributes in the SDP part of the SIP INVITE request contain the parameters related to media stream security;
  • Step 330, when BE1 (305) receives the media stream protection request, it processes the request message.
  • for SIP control signaling, it checks the SDP attributes: if the "m=" line contains "RTP/SAVP", security services need to be provided for the media stream; further, if the attribute "a=key-mgmt" is satisfied, an independent key management protocol such as MIKEY is used to negotiate the key and security parameters of the media stream;
  • Step 335, BE1 (305) initiates a key negotiation request to BE2 (310) containing the key and security parameters that BE1 (305) has already computed; for SIP control signaling, these parameters are piggybacked to BE2 (310) through the SDP; Step 340, BE2 (310) processes the received key negotiation request and selects suitable parameters according to its own capabilities; normally, the two sides reach agreement on the media stream security parameters; Step 345, BE2 (310) notifies End user 2 (315) to perform media stream protection; Step 350, End user 2 (315) responds to the media stream protection notification from BE2 (310).
  • Step 355, BE2 (310) responds to the key negotiation request from BE1 (305);
  • Step 360, BE1 (305) responds to the media stream protection request initiated by End user 1 (300);
  • Step 365, secure media stream transmission is carried out under the session control signaling;
  • Step 370, secure media stream transmission takes place between End user 1 (300) and End user 2 (315).
  • FIG. 3 shows a typical case, in which the End user only issues the media stream protection request/response and the security service itself is provided by the BE.
  • other cases are possible: (1) the End user is capable of providing security services and can complete key negotiation, encryption/decryption and the like; (2) the End user is only a dumb terminal, such as a traditional telephone, which cannot issue a media stream protection request but still needs secure media stream communication; in this case, under the agreement between the user and the network, the BE completes key negotiation, encryption/decryption and the like entirely.
  • FIG. 4 shows the structure of the signaling control and media transmission separation of the NGN media stream security device.
  • the media stream security provided by the NGN is implemented by BE-SP (130) and BE-MP (140) respectively, where BE-SP denotes the Border Element - Signaling Process function, which completes the negotiation of keys and security parameters for the media stream, and BE-MP denotes the Border Element - Media Process function, which completes media stream encryption/decryption and integrity protection/verification. BE-SP passes the negotiated keys and security parameters to BE-MP through an interface: if BE-SP and BE-MP are physically separate, a standard interface is required; if they are a single physical entity, a standard interface or an internal interface may be used.
  • Step 500 is a device that implements media stream security, such as a terminal device or a border device.
  • the basic protocols this device needs to implement include a signaling protocol 530, a key management protocol 540, a secure media stream protocol 550 and a media stream protocol 560; these protocols belong to different planes: the first two belong to the control plane 510 and the last two belong to the user plane 520.
  • the relevant parameters of the control plane 510 are passed to the user plane through an external interface or an internal interface.
  • Step 510 is the control plane implementing media stream security, which completes session establishment and the negotiation of the keys and security parameters required for media stream security.
  • Step 520 is the user plane implementing media stream security, which completes encryption/decryption of the media stream, integrity protection/checking of the media stream, and other basic media stream processing;
  • Step 530 is the session control signaling protocol, which may be used to piggyback parameters related to the key management protocol;
  • Step 540 is the key management protocol, used to create keys and security parameters, to negotiate keys and security parameters with other media stream security devices, and finally to pass these parameters to the user plane;
  • Step 550 is the secure media stream protocol, which receives parameters from the control plane and provides confidentiality and integrity services for the media stream;
  • Step 560 is the media stream protocol, which performs basic media processing functions.
  • FIG. 6 shows the structure of NGN media stream security in the case of a home network.
  • the Customer Network Gateway (CNG) 130 completes the negotiation of the media stream key and security parameters and provides the function of the media stream security service. In this case, End user (100) and BE (110) do not need to provide media stream security services. When End user (100) provides this function, then CNG (130) and BE (110) can ignore the signaling request for this media stream security service.
  • Figure 7 shows the structure of NGN media stream security in multiple domains.
  • two situations are distinguished: (1) across different NGN operators: when End user 1 (700), a user of NGN-1 (720), communicates with End user 2 (750), a user of NGN-2 (740), BE1 (710) and BE2 (715) negotiate keys and security parameters and perform security services such as media stream encryption/decryption according to the security policy between the different NGN operators;
  • (2) a similar approach is used in roaming situations.
  • Media stream security means using cryptographic methods to protect the integrity and confidentiality of the media stream.
  • the next generation network needs to support the security of the media stream.
  • the core of the media stream security is to negotiate the security parameters used to protect the media stream (such as Key, key length, cryptographic algorithm, etc.).
  • the invention adopts an independent key management protocol to implement key negotiation for media stream security in the next generation network, and the method has the following features: (1) supports negotiation of session-level and media-level security parameters; (2) is independent of the signaling channel and directly supports end-to-end security parameter negotiation; (3) supports the cases of no signaling protection or of signaling that supports only hop-by-hop protection; (4) flexible configuration and good scalability.
  • FIG. 8 shows a block diagram of the apparatus for implementing media stream security according to an embodiment of the present invention, which includes: an establishing module 10, for the two communicating parties to establish a session that includes a control plane; a negotiation module 20, for the two communicating parties to use a key management protocol on the control plane to negotiate security parameters; and a protection module 30, for the two communicating parties to use the negotiated security parameters to protect the media stream between them.
  • the security parameter includes a key and at least one of the following: a key length, a key life cycle, and a cryptographic algorithm.
  • the key management protocol comprises a multimedia internet key agreement.
  • the key management protocol comprises a secure real-time transport protocol and an associated key management protocol.
  • the session including the control plane includes at least one of the following: a session following the session initiation protocol; a session following the session description protocol.
  • the core of the media stream security is to negotiate the security parameters used to protect the media stream (such as Key, key length, cryptographic algorithm, etc.).
  • the invention adopts an independent key management protocol to implement key negotiation of media stream security in a next generation network.
  • the method and device have the following features: (1) support negotiation of session-level and media-level security parameters; (2) are independent of the signaling channel and directly support end-to-end security parameter negotiation; (3) support the cases of no signaling protection or of signaling that supports only hop-by-hop protection; (4) flexible configuration and good scalability.
  • the above modules or steps of the invention may be implemented with general-purpose computing devices, concentrated on a single computing device or distributed over a network formed by multiple computing devices; optionally, they may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, or they may be made separately into individual integrated circuit modules, or multiple of these modules or steps may be made into a single integrated circuit module.
  • the invention is not limited to any specific combination of hardware and software.
  • the above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within the scope of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A security parameters negotiation method for realizing the security of the media flow includes the following steps: both communication parties establish a session that includes the control layer; the communication parties use a key management protocol to negotiate the security parameters on the control layer; and the communication parties use the negotiated security parameters to protect the media flow between the communication parties. A security parameters negotiation apparatus is also provided for realizing the security of the media flow. The present invention uses a key management protocol to negotiate the security parameters, and realizes the secure transmission of the media flow effectively.

Description

用于实现媒体流安全的安全参数协商方法和装置 技术领域 本发明涉及通信领域, 具体而言, 涉及一种用于实现媒体流安全的安全 参数协商方法和装置。 背景技术 随着基于 IP的电视 ( IPTV, Internet Protocol Television ) 的兴起和基于 IP的语音 (VoIP, Voice over IP )技术的广泛应用, 媒体流安全变得越来越 重要。 媒体流安全就是对用户面的数据(如视频、 话音、 图片、 文本等)进行 保护, 以防止未授权的用户非法地访问这些数据。 媒体流安全不仅是内容提 供商可运营的基础; 也是一种网络的增值业务。 此外, 媒体流中涉及用户隐 私的安全需求也要求网络提供相应的安全; 数字版权管理 (DRM , Digital Right Management ) 和合法监听 (LI, Lawful Interception ) 的技术也对媒体 流安全提出了相应的要求; 这里的媒体流安全是指密码学意义上的安全, 也 就是说采用密码学的保护技术(如完整性保护、 加密保护), 攻击者无法在有 限资源的情况下破译被保护的媒体流数据。 在下一«网络 ( NGN, Next Generation Network ) 中, 媒体流安全是一 项基本需求。 NGN网络应该能够保证传输的媒体流的机密性和完整性。 国际 电 信 联 盟 ( ITU-T , International Telecommunication Union - Telecommunication ) 的 NGN 目前规定安全实时传输协议 ( SRTP , Secure Real-time Transport Protocol ) 来实现媒体流的安全, 而面向现 4弋网络的电^" 与因特网融合的业务与十办议( TISPAN, Telecoms & Internet converged Services & Protocols for Advanced Networks ) 目前还;殳有对 it匕进行规范。  The present invention relates to the field of communications, and in particular to a method and apparatus for negotiating security parameters for implementing media stream security. BACKGROUND With the rise of Internet Protocol Television (IPTV) and the widespread use of Voice over IP (VoIP) technology, media stream security becomes more and more important. Media stream security protects user-side data (such as video, voice, pictures, text, etc.) to prevent unauthorized users from accessing the data illegally. Media stream security is not only the basis for content providers to operate; it is also a value-added service for networks. In addition, the security requirements related to user privacy in the media stream also require the network to provide corresponding security; Digital Right Management (DRM) and Lawful Interception (LI) technology also puts corresponding requirements on media stream security. 
The media stream security here refers to cryptographic security, that is to say, using cryptographic protection technologies (such as integrity protection, encryption protection), the attacker cannot decipher the protected media stream data with limited resources. . In the next Next Generation Network (NGN), media stream security is a basic requirement. The NGN network should be able to guarantee the confidentiality and integrity of the transmitted media stream. The International Telecommunication Union (ITU-Telecommunication)-NGN currently stipulates the Secure Real-time Transport Protocol (SRTP) to implement media stream security, and the power of the current network is The Internet Converged Services and Protocols for Advanced Networks (TISPAN, Telecoms & Internet converged Services & Protocols for Advanced Networks) are currently available;
SRTP为基于实时传输协议 (RTP, Real-time Transport Protocol ) 的媒 体提供机密性与完整性安全服务, 通过会话描述协议 ( SDP , Session Description Protocol ) 中的媒体行( m= ) 中携带的媒体信息 ( ^ RTP/SAVP ) 来通知 SRTP进行媒体流的安全传输, 其中 SAVP表示安全的音频 /视频结构 ( Secure Audio/Video Profile )。 在实现本发明过程中, 发明人发现在 NGN中的媒体流安全的密钥协商 方法存在以下不足: 用户通过边界元素 ( BE , Border Element ) .从 SAA-FE/TAA-FE获取 SRTP的主密钥,然后从该主密钥导出加密和认证的会 话密钥, 其中 SAA-FE表示业务 正与^:权功能实体( Service Authentication and Authorization Functional Entity ), TAA-FE表示传输认证与 4吏权功能实体 ( Transport Authentication and Authorization Functional Entity )。这实际上是一 种静态配置的方法, 不具备可扩展性和灵活性。 发明内容 本发明旨在提供一种用于实现媒体流安全的安全参数协商方法和装置, 能够解决现有技术缺乏安全参数协商导致不具备可扩展性和灵活性的问题。 在本发明的实施例中,提供了一种用于实现媒体流安全的安全参数协商 方法, 包括以下步骤: 通信双方建立包括控制面的会话; 上述通信双方在上述控制面上采用密钥管理协议协商安全参数; 以及 上述通信双方使用协商的上述安全参数保护上述通信双方之间的媒体 流。 优选的, 上述安全参数包括密钥以及以下至少之一: 密钥长度、 密钥生 命周期、 密码算法。 优选的, 上述密钥管理协议包括多媒体因特网密钥协议。 优选的,上述密钥管理协议包 4舌安全实时传输协议和相关的密钥管理协 议。 优选的, 上述包括控制面的会话包括以下至少一种: 遵循会话初始协议 ( Session Initiation Protocol, SIP ) 的会话; 以及遵循会话描述协议( Session Description Protocol, SDP ) 的会话。 在本发明的实施例中,还提供了一种用于实现媒体流安全的安全参数协 商装置, 包括: 建立模块, 用于通信双方建立包括控制面的会话; 协商模块,用于上述通信双方在上述控制面上采用密钥管理协议协商安 全参数; 以及 保护模块,用于上述通信双方使用协商的上述安全参数保护所述通信双 方之间的媒体流。 优选的, 上述安全参数包括密钥以及以下至少之一: 密钥长度、 密钥生 命周期、 密码算法。 优选的, 在上述装置中, 还具有以下特点: 上述密钥管理协议包括多媒 体因特网密钥协议。 优选的, 在上述装置中, 还具有以下特点: 上述密钥管理协议包括安全 实时传输协议和相关的密钥管理协议。 优选的, 在上述装置中, 还具有以下特点: 上述包括控制面的会话包括 以下至少一种: 遵循会话初始协议的会话; 以及遵循会话描述协议的会话。 本发明上述实施例中密钥协商采用了独立的密钥管理协议, 所以可扩 展, 且具有以下特点: (1 ) 支持会话级和媒体级安全参数的协商; (2 )独立 于信令通道, 直接支持端到端安全参数的协商; ( 3 ) 支持没有信令保护或信 令只支持逐跳保护的情况; (4 ) 配置灵活, 可扩展性好。 上述的安全参数协商方法和装置通过使用独立的密钥管理协议来协商 安全参数, 提高了媒体流的安全性。 附图说明 此处所说明的附图用来提供对本发明的进一步理解,构成本申请的一部 分, 本发明的示意性实施例及其说明用于解释本发明, 并不构成对本发明的 不当限定。 在附图中: 图 1示出了根据本发明实施例的用于实现媒体流安全的方法的流程图; 图 2示出了 居本发明实施例应用的 NGN媒体流安全的基本结构图; 图 3示出了 居本发明实施例中 NGN媒体流安全的密钥协商过程流程 图 4示出了根据本发明实施例中 NGN媒体流安全设备的信令控制和媒 体传输分离的结构图; 图 5示出了根据本发明实施例中 NGN媒体流安全设备的协议; 图 6示出了根据本发明实施例中家庭网络情况下 NGN媒体流安全的结 构图; 图 7示出了根据本发明实施例中多个域情况下 NGN媒体流安全的结构 图; 图 8 示出了根据本发明实施例的用于实现媒体流安全的安全参数协商 装置的方框图。 具体实施方式 下面将参考附图并结合实施例, 来详细说明本发明。 图 1示出了 ^居本发明实施例的用于实现媒体流安全的方法的流程图, 
包括以下步骤: 步骤 S10, 通信双方建立包括控制面的会话; 步骤 S20, 通信双方在控制面上采用密钥管理协议协商安全参数; 以及 步骤 S30, 通信双方使用协商的安全参数保护通信双方之间的媒体流。 优选的, 安全参数包括密钥以及以下至少之一: 密钥长度、 密钥生命周 期、 密码算法。 优选的, 密钥管理协议包括多媒体因特网密钥协议。 优选的, 密钥管理协议包括安全实时传输协议和相关的密钥管理协议。 优选的, 包括控制面的会话包括以下至少一种: 遵循会话初始协议的会 话; 以及遵循会话描述协议的会话。 上述的方法中提供了密钥协商机制,显然解决了现有技术缺乏安全参数 协商导致不具备可扩展性和灵活性的问题。 另夕卜, 现有技术中直接通过 SDP 中会话级或媒体级的字段(k= ) 来传 输密钥。 该字段是不可扩展的, 因此该方法不适用于传输多个安全参数的情 况; 此外在 SDP中无法配置 SRTP中定义的密码变换。 另夕卜, 现有技术在 SDP中增加新属性( a-crypto ) 为 SRTP的媒体流协 商安全参数, 该方法利用安全的信令通道来保护 SDP的数据, 因此需要其它 安全十办议: δ口 S/MIME ( Secure/Multipurpose Internet Mail Extensions , 安全 /多 用途因特网邮件扩展), TLS ( Transport Layer Security , 传输层安全 )的支持。 该方法不能处理下面几种情况: (a )会话级安全参数的协商; (b )对 SDP应 用端到端的保护时, 中间代理需要访问 SDP媒体参数; (c )对于会话不是采 用端到端保护, 而媒体流需要端到端保护的情况下, 需要对安全参数提供保 护。 而本实施例的实现方法中密钥协商采用了独立的密钥管理协议,所以可 扩展, 且具有以下特点: ( 1 ) 支持会话级和媒体级安全参数的协商; (2 )独 立于信令通道, 直接支持端到端安全参数的协商; (3 ) 支持没有信令保护或 信令只支持逐跳保护的情况; ( 4 ) 配置灵活, 可扩展性好。 上述方法可以在包括: 在终端设备、 网络边界设备、 家庭网络网关上执 行。 进一步地, 上述方法还具有以下特点: 上述设备先检查 SDP的 INVITE 中包含的参数, 若符合条件, 则遵循独立密钥管理协议的方式来产生安全参 数, 安全参数通过 SDP来捎带。 图 2示出了终端用户 ( End user 100 )通过 NGN ( 120 ) 进行通讯的和无 念模型, NGN ( 120 )提供了媒体流安全的能力, 利用功能实体 BE ( 110 ) 来支持密钥管理协议、 SRTP协议、 加密 /解密功能等等。 End user ( 100 ) 也 支持媒体流安全的能力, 由运营商根据安全策略来决定媒体流安全在哪个设 备上实现。 上述的 BE对应 S/BC ( Session/Border Control, 会话 /边界控制) 功能, 具有控制面和用户面处理的功能。 图 3示出了会话建立过程中 BE提供媒体流安全月 务时密钥协商的处理 流程, 具体步骤如下: 步骤 320, End user 1( 300 )与 End user 2( 315 )通过边界元素 BE1( Border Element, 305 )、 BE2 ( 310 ) 建立会话; 步骤 325, End user 1 (300)在会话控制信令中通知 BE1 (305 ) 需要 进行媒体流安全的保护。对于 SIP控制信令来说, SIP的 INVITE请求中 SDP 部分的属性包含媒体流安全有关的参数; 步骤 330, BE1 ( 305 )收到媒体流保护请求时, 对该请求消息进行处理。 对于 SIP控制信令来说,检查 SDP的属性,如果在 "m= "行中包含" RTP/SAVP" , 则说明需要为媒体流提供安全服务; 进一步地,如果属性" a=key-mgmt"满足, 则采用独立的密钥管理协议如 MIKEY来协商媒体流的密钥和安全参数; 步骤 335, BE1 (305 ) 向 BE2 (310)发起密钥协商请求, 该请求中包 含 BE1 (305 ) 已经计算好的密钥和安全参数。 以对于 SIP控制信令来说, 这 些参数通过 SDP捎带到 BE2 (310) 中; 步骤 340, BE2 (310)处理收到的密钥协商请求, 根据自己的能力选择 合适的参数, 正常情况下, 二者的媒体流安全的参数达成一致; 步骤 345, BE2 (310) 向 End user 2 (315 ) 通知进行媒体流保护; 步骤 350, End user 2 (315 ) 响应 BE2 (310) 进行媒体流保护的通知; 
步骤 355, BE2 (310) 响应 BE1 ( 305 ) 的密钥十办商请求; 步骤 360, BE1 (305 ) 响应 End user 1 (300) 发起的媒体流保护的请 求; 步骤 365, 在会话控制信令下, 进行安全媒体流传输; 步骤 370, End user 1 (300) 与 End user 2 (315)之间进行安全媒体流 传输。 图 3示出了一个典型的情况, End user只发出媒体流保护的请求 /响应, 安全服务具体有 BE来提供, 还存在其他可能的情况: ( 1 ) End user具备提 供安全服务的能力, 可以完成密钥协商和加 /解密等功能; (2) Enduser只是 哑终端, 如: 传统的电话机, 不能发出媒体流保护的请求, 但是又有安全媒 体流通信的需求, 这种情况下可以由用户与网络签订的协议并完全由 BE来 完成密钥协商和加 /解密等功能。 图 4示出了 NGN媒体流安全设备的信令控制和媒体传输分离的结构, NGN提供的媒体流安全分别通过 BE-SP ( 130 ) 和 BE-MP ( 140 ) 来实现, 其中 BE-SP表示边界元素信令处理 ( Border Element - Signaling Process ) 功 能,完成媒体流中密钥和安全参数的协商; MP表示边界元素媒体处理( Border Element - Media Process ) 功能, 完成媒体流加密 /解密以及完整性保护 /校验 的功能。 BE-SP 把协商好的密钥和安全参数通过接口传递到 BE-MP, 如果 BE-SP和 BE-MP是物理上分离的, 则需要通过标准的接口来传递参数; 如 果 BE-SP和 BE-MP是单个物理实体, 则可以通过标准接口或内部接口来传 递参数。 图 5示出了 NGN媒体流安全设备需要实现的协议, 其中密钥管理协议 可以是简单的密钥管理协议, 如嵌入到安全信令协议中的密钥和安全参数协 商过程; 也可釆用独立的密钥管理协议来完成上述过程。具体内容说明如下: 步骤 500, 是实现媒体流安全的设备, 如终端设备或边界设备。 该设备 需要实现基本协议包括信令协议 530, 密钥管理协议 540, 安全媒体流协议 550, 媒体流十办议 560; 这些十办议属于不同的平面, 前两个属于控制面 510, 后两个属于用户面 520, 控制面 510的有关参数通过外部接口或内部接口传 递到用户面; 步骤 510, 是实现媒体流安全的控制面, 完成会话的建立以及媒体流安 全中需要的密钥和安全参数的协商; 步骤 520, 是实现媒体流安全的用户面, 完成媒体流的加密 /解密, 媒体 流的完整性保护 /检查, 以及其他基本的媒体流的处理; 步骤 530 , 是会话控制的信令协议, 可以用来捎带与密钥管理协议有关 的参数; 步骤 540, 是密钥管理协议, 用来创建密钥和安全参数, 和其他媒体流 安全设备协商密钥和安全参数, 最后把这些参数传递到用户面; 步骤 550, 是安全媒体流协议, 接收来自控制面的参数, 为媒体流提供 机密性和完整性服务; 步骤 560, 是媒体流协议, 完成基本的媒体处理功能。 图 6示出了在家庭网络情况下 NGN媒体流安全的结构, 家庭网络网关 ( CNG, Customer Network Gateway ) 130完成媒体流密钥和安全参数的协商 以及提供媒体流安全服务的功能。在这个情况下, End user ( 100 )和 BE ( 110 ) 不需要提供媒体流安全服务。 当 End user ( 100 )提供这个功能时, 则 CNG ( 130 ) 和 BE ( 110 ) 可以忽略此媒体流安全服务的信令请求。 图 7示出了多个域情况下 NGN媒体流安全的结构,分为两种情况: ( 1 ) 跨不同 NGN运营商情况, 当 NGN-1 ( 720 )的用户 End user 1 ( 700 )与 NGN-2 ( 740 ) 的用户 End user 2 ( 750 )进行通讯时, 根据不同 NGN运营商之间的 安全策略, BE1 ( 710 ) 与 BE2 ( 715 )之间协商密钥和安全参数以及对媒体 流进行加密 /解密等安全良务。 (2 ) 漫游情况下也采用类似的处理方式。 媒体流安全是指采用密码学的方法是对媒体流进行完整性和机密性的 保护, 下一代网络需要支持媒体流的安全, 媒体流安全的核心是协商用于保 护媒体流的安全参数(如密钥、 密钥长度、 密码算法等)。 本发明采用独立的 密钥管理协议来实现下一代网络中媒体流安全的密钥协商, 该方法具有以下 特点: ( 1 ) 支持会话级和媒体级安全参数的协商; (2 ) 独立于信令通道, 直 
接支持端到端安全参数的协商; (3 ) 支持没有信令保护或信令只支持逐跳保 护的情况; (4 ) 配置灵活, 可扩展性好 图 8示出了根据本发明实施例的用于实现媒体流安全的装置的方框图, 包括: 建立模块 10, 用于通信双方建立包括控制面的会话; 协商模块 20, 用于通信双方在控制面上采用密钥管理协议协商安全参 数; 以及 保护模块 30, 用于通信双方使用协商的安全参数保护通信双方之间的 媒体流。 优选的, 安全参数包括密钥以及以下至少之一: 密钥长度、 密钥生命周 期、 密码算法。 优选的, 密钥管理协议包括多媒体因特网密钥协议。 优选的, 密钥管理协议包括安全实时传输协议和相关的密钥管理协议。 优选的, 包括控制面的会话包括以下至少一种: 遵循会话初始协议的会 话; 遵循^舌描述协议的会话。 上述的实现装置通过使用独立的密钥管理协议来协商安全参数,提高了 媒体流的安全性。 媒体流安全是指采用密码学的方法是对媒体流进行完整性和机密性的 保护, 下一代网络需要支持媒体流的安全, 媒体流安全的核心是协商用于保 护媒体流的安全参数(如密钥、 密钥长度、 密码算法等)。 本发明采用独立的 密钥管理协议来实现下一代网络中媒体流安全的密钥协商, 该方法和装置具 有以下特点: ( 1 ) 支持会话级和媒体级安全参数的协商; (2 )独立于信令通 道, 直接支持端到端安全参数的协商; (3 ) 支持没有信令保护或信令只支持 逐跳保护的情况; (4 ) 配置灵活, 可扩展性好。 显然, 本领域的技术人员应该明白, 上述的本发明的各模块或各步骤可 以用通用的计算装置来实现, 它们寸以集中在单个的计算装置上, 或者分布 在多个计算装置所组成的网络上, 可选地, 它们可以用计算装置可执行的程 序代码来实现, 从而, 可以将它们存储在存储装置中由计算装置来执行, 或 者将它们分别制作成各个集成电路模块, 或者将它们中的多个模块或步骤制 作成单个集成电路模块来实现。 这样, 本发明不限制于任何特定的硬件和软 件结合。 以上所述仅为本发明的优选实施例而已, 并不用于限制本发明, 对于本 领域的技术人员来说, 本发明可以有各种更改和变^ <。 凡在本发明的精神和 原则之内, 所作的任何修改、 等同替换、 改进等, 均应包含在本发明的保护 范围之内。 SRTP provides confidentiality and integrity security services for media based on Real-time Transport Protocol (RTP), and media information carried in media lines (m=) in the Session Description Protocol (SDP). ( ^ RTP/SAVP ) to inform SRTP of the secure transmission of media streams, where SAVP represents a secure audio/video profile (Secure Audio/Video Profile). In the process of implementing the present invention, the inventor has found that the key negotiation method for media stream security in NGN has the following disadvantages: The user obtains the primary key of the SRTP from the SAA-FE/TAA-FE through the boundary element (BE, Border Element). Key, and then derive the encrypted and authenticated session key from the master key, where SAA-FE indicates Service Authentication and Authorization Functional Entity, and TAA-FE indicates transmission authentication and authorization Transport Authentication and Authorization Functional Entity. 
This is in effect a statically configured approach, which is neither scalable nor flexible.

SUMMARY OF THE INVENTION

The present invention is directed to a security parameter negotiation method and apparatus for implementing media stream security, which solve the problem that the lack of security parameter negotiation in the prior art leads to a lack of scalability and flexibility.

In an embodiment of the present invention, a security parameter negotiation method for implementing media stream security is provided, including the following steps: the communicating parties establish a session including a control plane; the communicating parties negotiate security parameters on the control plane using a key management protocol; and the communicating parties use the negotiated security parameters to protect the media stream between them. Preferably, the security parameters include a key and at least one of the following: a key length, a key lifetime, and a cryptographic algorithm. Preferably, the key management protocol includes the Multimedia Internet Key protocol (MIKEY). Preferably, the key management protocol includes the Secure Real-time Transport Protocol (SRTP) and an associated key management protocol. Preferably, the session including the control plane includes at least one of the following: a session following the Session Initiation Protocol (SIP); and a session following the Session Description Protocol (SDP).

In an embodiment of the present invention, a security parameter negotiation apparatus for implementing media stream security is further provided, including: an establishing module, configured for the communicating parties to establish a session including a control plane; a negotiation module, configured for the communicating parties to negotiate the security parameters on the control plane using a key management protocol; and a protection module, configured for the communicating parties to protect the media stream between them using the negotiated security parameters. Preferably, the security parameters include a key and at least one of the following: a key length, a key lifetime, and a cryptographic algorithm. Preferably, the apparatus further has the following feature: the key management protocol includes the Multimedia Internet Key protocol. Preferably, the apparatus further has the following feature: the key management protocol includes the Secure Real-time Transport Protocol and an associated key management protocol. Preferably, the apparatus further has the following feature: the session including the control plane includes at least one of a session following the Session Initiation Protocol and a session following the Session Description Protocol.

In the foregoing embodiments of the present invention, key negotiation uses an independent key management protocol, so it is extensible and has the following features: (1) it supports negotiation of session-level and media-level security parameters; (2) it is independent of the signaling channel and directly supports end-to-end negotiation of security parameters; (3) it supports the cases where there is no signaling protection or the signaling supports only hop-by-hop protection; (4) it is flexible to configure and scales well.
The foregoing security parameter negotiation method and apparatus improve the security of the media stream by using an independent key management protocol to negotiate the security parameters.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings are provided to illustrate the invention. In the drawings:
FIG. 1 is a flow chart of a method for implementing media stream security according to an embodiment of the present invention;
FIG. 2 shows the basic structure of NGN media stream security applied in an embodiment of the present invention;
FIG. 3 shows the key negotiation process for NGN media stream security in an embodiment of the present invention;
FIG. 4 shows the structure of an NGN media stream security device with signaling control separated from media transmission according to an embodiment of the present invention;
FIG. 5 shows the protocols of an NGN media stream security device according to an embodiment of the present invention;
FIG. 6 shows the structure of NGN media stream security in the case of a home network according to an embodiment of the present invention;
FIG. 7 shows the structure of NGN media stream security in the case of multiple domains according to an embodiment of the present invention;
FIG. 8 is a block diagram of a security parameter negotiation apparatus for implementing media stream security according to an embodiment of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

Hereinafter, the present invention is described in detail with reference to the accompanying drawings and in conjunction with the embodiments.

FIG. 1 is a flowchart of a method for implementing media stream security according to an embodiment of the present invention, including the following steps: Step S10, the communicating parties establish a session including a control plane; Step S20, the communicating parties negotiate the security parameters on the control plane using a key management protocol; and Step S30, the communicating parties use the negotiated security parameters to protect the media stream between them.

Preferably, the security parameters include a key and at least one of the following: a key length, a key lifetime, and a cryptographic algorithm. Preferably, the key management protocol includes the Multimedia Internet Key protocol (MIKEY). Preferably, the key management protocol includes the Secure Real-time Transport Protocol and an associated key management protocol. Preferably, the session including the control plane includes at least one of the following: a session following the Session Initiation Protocol; and a session following the Session Description Protocol.

The foregoing method provides a key negotiation mechanism and thereby solves the problem that the prior art lacks security parameter negotiation and therefore lacks scalability and flexibility. In the prior art, the key is transmitted directly in the session-level or media-level key field (k=) of the SDP. This field is not extensible, so that method is unsuitable when several security parameters must be transmitted; moreover, the crypto transforms defined in SRTP cannot be configured in the SDP. The prior art also adds a new attribute (a=crypto) to the SDP to negotiate security parameters for an SRTP media stream. That method relies on a secure signaling channel to protect the SDP data, so it in turn requires further security support, such as S/MIME (Secure/Multipurpose Internet Mail Extensions) or TLS (Transport Layer Security). It cannot handle the following situations: (a) negotiation of session-level security parameters; (b) an intermediate agent needing to access the SDP media parameters while end-to-end protection is applied to the SDP; (c) the case where end-to-end protection is not used for the session but the media stream requires end-to-end protection, so that the security parameters themselves must be protected.

In the implementation method of this embodiment, key negotiation uses an independent key management protocol, so it is extensible and has the following features: (1) it supports negotiation of session-level and media-level security parameters; (2) it is independent of the signaling channel and directly supports end-to-end negotiation of security parameters; (3) it supports the cases where there is no signaling protection or the signaling supports only hop-by-hop protection; (4) it is flexible to configure and scales well.

The above method may be executed on a terminal device, a network border device or a home network gateway. Further, the method has the following feature: the device first checks the parameters contained in the SDP of the INVITE and, if the conditions are met, generates the security parameters according to the independent key management protocol and piggybacks them on the SDP.

Figure 2 shows End user 100 communicating through the NGN (120). The NGN (120) provides the capability to secure media streams, using the functional entity BE (110) to support the key management protocol, the SRTP protocol, encryption/decryption functions and so on. The End user (100) also supports media stream security. The operator decides, based on its security policy, on which device media stream security is implemented. The BE above corresponds to the S/BC (Session/Border Control) function and has both control plane and user plane processing functions.
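The SDP check described above (the device inspects the parameters in the INVITE's SDP before generating security parameters) is made concrete below, together with the two prior-art SDP methods the description criticises. This is an added example, not the patent's code: it parses an SDP offer, finds the media lines whose transport is RTP/SAVP, and reports for each one whether an independent key management protocol is selected via a=key-mgmt at session or media level, or whether the offer falls back on the a=crypto attribute or the k= field. The two offers are constructed for the example and the base64 blobs are placeholders, not real MIKEY messages or SRTP keys; the media-level-before-session-level precedence for a=key-mgmt follows RFC 4567.

```python
"""Inspect an SDP offer the way the border element does before key negotiation.
Added illustration; the offers and placeholder keys below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class MediaLine:
    media: str                                        # "audio", "video", ...
    proto: str                                        # transport field of m=, e.g. "RTP/SAVP"
    attrs: List[str] = field(default_factory=list)    # a= values under this m= line
    key: Optional[str] = None                         # k= value under this m= (prior art)


@dataclass
class Sdp:
    session_attrs: List[str] = field(default_factory=list)  # a= values before any m=
    session_key: Optional[str] = None                       # session-level k= (prior art)
    media: List[MediaLine] = field(default_factory=list)


def parse_sdp(text: str) -> Sdp:
    """Keep only what the check needs: m= transport, a= at both levels, k= lines."""
    sdp = Sdp()
    current: Optional[MediaLine] = None
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue                                  # blank or malformed line, skip
        typ, value = line[0], line[2:]
        if typ == "m":
            fields = value.split()                    # media port proto fmt...
            current = MediaLine(media=fields[0], proto=fields[2])
            sdp.media.append(current)
        elif typ == "a":
            (current.attrs if current is not None else sdp.session_attrs).append(value)
        elif typ == "k":
            if current is not None:
                current.key = value
            else:
                sdp.session_key = value
    return sdp


def _has(attrs: List[str], name: str) -> bool:
    return any(a.startswith(name + ":") for a in attrs)


def key_mgmt_method(sdp: Sdp, m: MediaLine) -> Tuple[str, str]:
    """Return (method, level) for one media line.  RTP/SAVP means protection is
    required; a=key-mgmt selects the independent key management protocol
    (media level first, then session level); a=crypto and k= are the prior-art
    in-SDP methods; an SAVP line with no key material at all is unresolved."""
    if not m.proto.endswith("/SAVP"):
        return ("none", "-")
    if _has(m.attrs, "key-mgmt"):
        return ("independent-kmp", "media")
    if _has(sdp.session_attrs, "key-mgmt"):
        return ("independent-kmp", "session")
    if _has(m.attrs, "crypto"):
        return ("sdp-crypto", "media")                # needs the SDP itself protected
    if m.key is not None:
        return ("sdp-k-field", "media")
    if sdp.session_key is not None:
        return ("sdp-k-field", "session")
    return ("unresolved", "-")


def inspect_offer(text: str) -> List[Tuple[str, str, str]]:
    """(media type, method, level) for every m= line, in offer order."""
    sdp = parse_sdp(text)
    return [(m.media,) + key_mgmt_method(sdp, m) for m in sdp.media]


def needs_independent_kmp(text: str) -> bool:
    """True when at least one stream must be keyed with the independent protocol."""
    return any(method == "independent-kmp" for _, method, _ in inspect_offer(text))


# Constructed offer 1: one session-level a=key-mgmt covers every SAVP stream.
OFFER_SESSION_LEVEL = """\
v=0
o=user1 2890844526 2890842807 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
a=key-mgmt:mikey PLACEHOLDER_MIKEY_MESSAGE_BASE64
m=audio 49170 RTP/SAVP 0 8
m=video 51372 RTP/SAVP 31
m=application 32416 udp wb
"""

# Constructed offer 2: the methods mixed at media level, plus one SAVP line
# that offers no key material at all.
OFFER_MEDIA_LEVEL = """\
v=0
o=user1 2890844526 2890842807 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=key-mgmt:mikey PLACEHOLDER_MIKEY_MESSAGE_BASE64
m=video 51372 RTP/SAVP 31
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_SRTP_KEY_BASE64
m=text 5000 RTP/SAVP 98
k=base64:PLACEHOLDER_LEGACY_KEY
m=audio 49172 RTP/SAVP 9
"""

if __name__ == "__main__":
    for name, offer in (("session-level", OFFER_SESSION_LEVEL), ("media-level", OFFER_MEDIA_LEVEL)):
        print(name, inspect_offer(offer))
```

The "unresolved" outcome is the case a border element must handle deliberately: the offer asks for SRTP but supplies no way to key it, so the stream must either be rejected or keyed by the border element under the user's agreement with the network, as the description's dumb-terminal case provides.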
Figure 3 shows the key negotiation process when the BE provides the media stream security service during session establishment. The steps are as follows:

Step 320: End user 1 (300) and End user 2 (315) establish a session through the border elements BE1 (Border Element, 305) and BE2 (310).
Step 325: End user 1 (300) notifies BE1 (305) in the session control signaling that media stream security protection is required. For SIP control signaling, the attributes of the SDP part of the SIP INVITE request carry the parameters related to media stream security.
Step 330: when BE1 (305) receives the media stream protection request, it processes the request message. For SIP control signaling it checks the attributes of the SDP: if the "m=" line contains "RTP/SAVP", a security service must be provided for the media stream; further, if the attribute "a=key-mgmt" is present, an independent key management protocol such as MIKEY is used to negotiate the key and security parameters of the media stream.
Step 335: BE1 (305) initiates a key negotiation request to BE2 (310); the request carries the keys and security parameters computed by BE1 (305). For SIP control signaling these parameters are carried to BE2 (310) in the SDP.
Step 340: BE2 (310) processes the received key negotiation request and selects suitable parameters according to its own capabilities; under normal circumstances the two sides agree on the media stream security parameters.
Step 345: BE2 (310) notifies End user 2 (315) of media stream protection.
Step 350: End user 2 (315) responds to BE2 (310) regarding media stream protection.
Step 355: BE2 (310) responds to the key negotiation request from BE1 (305).
Step 360: BE1 (305) responds to the media stream protection request initiated by End user 1 (300).
Step 365: secure media stream transmission is carried out under the session control signaling.
Step 370: the secure media stream is transmitted between End user 1 (300) and End user 2 (315).

Figure 3 shows a typical case in which the End user only issues the media stream protection request/response and the security service itself is provided by the BE. Other cases are possible: (1) the End user is itself capable of providing the security service, i.e. it can perform key negotiation and encryption/decryption; (2) the End user is a dumb terminal, such as a traditional telephone set, which cannot issue a media stream protection request but still needs secure media stream communication; in this case, under the agreement signed between the user and the network, the BE performs key negotiation, encryption/decryption and the other functions entirely on the user's behalf.

Figure 4 shows the structure of an NGN media stream security device in which signaling control is separated from media transmission. The media stream security provided by the NGN is implemented by BE-SP (130) and BE-MP (140) respectively, where BE-SP denotes the Border Element - Signaling Process function, which negotiates the keys and security parameters for the media stream, and BE-MP denotes the Border Element - Media Process function, which performs media stream encryption/decryption and integrity protection/verification. The BE-SP passes the negotiated keys and security parameters to the BE-MP over an interface: if BE-SP and BE-MP are physically separate, the parameters must be passed over a standard interface; if they form a single physical entity, the parameters may be passed over a standard interface or an internal interface.
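Steps 335 to 355 of Figure 3 and the BE-SP to BE-MP hand-off of Figure 4 are modelled below as an added example; it is not the patent's code. BE1's signaling process proposes a key and its preferred parameters, BE2's signaling process selects what it supports (or rejects the proposal, the failure case the "under normal circumstances" wording leaves implicit), and each signaling process then installs the agreed set into its media process, which applies it to packets. Everything concrete here is an assumption made for the example: the parameter record (algorithm, key length, key lifetime, key, the items the claims name), the capability lists, the constructed RTP packet, and the media process, which models only integrity protection with an HMAC-SHA1 tag truncated to 80 bits in the style of SRTP's default authentication, using the negotiated key directly and omitting SRTP's key derivation and encryption.

```python
"""BE-SP key negotiation and hand-off to BE-MP, as an added illustration.
Parameter names, capability lists, the RTP packet and the simplified tag are
assumptions for the example, not the patent's or SRTP's exact behaviour."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SecurityParams:
    """Agreed set: the key plus the items the claims list alongside it."""
    algorithm: str
    key_bits: int
    lifetime: int          # packets the key may protect before renegotiation
    key: bytes


@dataclass(frozen=True)
class Proposal:
    """Key negotiation request from BE1 (Step 335), preferences in order."""
    algorithms: Tuple[str, ...]
    key_bits: int
    lifetime: int
    key: bytes


@dataclass(frozen=True)
class Capabilities:
    """What the answering signaling process (BE2) can support."""
    algorithms: Tuple[str, ...]
    max_key_bits: int
    max_lifetime: int


def build_proposal(algorithms: Tuple[str, ...], key_bits: int, lifetime: int) -> Proposal:
    """BE1 generates the key material it will offer (Step 335)."""
    return Proposal(algorithms, key_bits, lifetime, os.urandom(key_bits // 8))


def select_params(p: Proposal, caps: Capabilities) -> Optional[SecurityParams]:
    """Step 340: first offered algorithm BE2 supports, the offered key if its
    length is acceptable, lifetime shortened to BE2's limit.  None = no agreement."""
    common = [a for a in p.algorithms if a in caps.algorithms]
    if not common or p.key_bits > caps.max_key_bits:
        return None
    return SecurityParams(common[0], p.key_bits, min(p.lifetime, caps.max_lifetime), p.key)


class MediaProcess:
    """BE-MP: user-plane side of the interface.  Integrity only (HMAC-SHA1,
    80-bit tag); encryption and SRTP key derivation are omitted here."""

    def __init__(self) -> None:
        self.params: Optional[SecurityParams] = None
        self.protected = 0

    def install(self, params: SecurityParams) -> None:
        """Receive the agreed parameters over the BE-SP/BE-MP interface."""
        self.params, self.protected = params, 0

    def protect(self, rtp_packet: bytes) -> bytes:
        if self.params is None:
            raise RuntimeError("no security parameters installed")
        if self.protected >= self.params.lifetime:
            raise RuntimeError("key lifetime exhausted, renegotiation required")
        self.protected += 1
        return rtp_packet + hmac.new(self.params.key, rtp_packet, hashlib.sha1).digest()[:10]

    def verify(self, protected: bytes) -> Optional[bytes]:
        """Return the RTP packet if its tag checks, else None."""
        if self.params is None or len(protected) < 10:
            return None
        body, tag = protected[:-10], protected[-10:]
        expected = hmac.new(self.params.key, body, hashlib.sha1).digest()[:10]
        return body if hmac.compare_digest(tag, expected) else None


def negotiate(proposal: Proposal, be2_caps: Capabilities,
              mp1: MediaProcess, mp2: MediaProcess) -> Optional[SecurityParams]:
    """Steps 335-355 between the two signaling processes, then hand-off to both
    media processes.  A rejected proposal installs nothing on either side."""
    agreed = select_params(proposal, be2_caps)        # Step 340 at BE2
    if agreed is None:
        return None                                   # Step 355 carries a rejection
    mp2.install(agreed)                               # BE2-SP -> BE2-MP
    mp1.install(agreed)                               # Step 355 answer, BE1-SP -> BE1-MP
    return agreed


def run_exchange() -> Tuple[Optional[SecurityParams], bool, bool, Optional[SecurityParams]]:
    """Constructed scenario: successful negotiation with one protected packet,
    then a tampered packet, then a proposal BE2 cannot accept."""
    mp1, mp2 = MediaProcess(), MediaProcess()
    proposal = build_proposal(("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"), 128, 1000)
    caps = Capabilities(("AES_CM_128_HMAC_SHA1_32", "AES_CM_128_HMAC_SHA1_80"), 128, 500)
    agreed = negotiate(proposal, caps, mp1, mp2)
    packet = bytes.fromhex("80000001000000010000abcd") + b"voice-frame"   # constructed RTP packet
    protected = mp1.protect(packet)
    ok = mp2.verify(protected) == packet
    tampered = bytes([protected[0] ^ 1]) + protected[1:]
    ok_tampered = mp2.verify(tampered) is not None
    failed = negotiate(build_proposal(("AES_256_CM_HMAC_SHA1_80",), 256, 1000),
                       Capabilities(("AES_CM_128_HMAC_SHA1_80",), 128, 500),
                       MediaProcess(), MediaProcess())
    return agreed, ok, ok_tampered, failed


if __name__ == "__main__":
    print(run_exchange())
```

The point worth noticing is that both media processes receive the same record only after BE2's selection, never BE1's raw proposal, and that the lifetime the user plane enforces is the shorter of the two sides' limits; when the lifetime runs out the media process refuses to protect further packets rather than silently reusing the key, which forces the control plane to renegotiate.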
Figure 5 shows the protocols that an NGN media stream security device needs to implement. The key management protocol may be a simple one, such as a key and security parameter negotiation process embedded in a secure signaling protocol, or an independent key management protocol may be used to perform the above process. The details are as follows:

Step 500 is the device that implements media stream security, such as a terminal device or a border device. The basic protocols this device needs to implement include the signaling protocol 530, the key management protocol 540, the secure media stream protocol 550 and the media stream protocol 560. These protocols belong to different planes: the first two belong to the control plane 510 and the last two to the user plane 520; the relevant parameters of the control plane 510 are passed to the user plane over an external or internal interface.
Step 510 is the control plane of media stream security; it establishes the session and negotiates the keys and security parameters needed for media stream security.
Step 520 is the user plane of media stream security; it performs media stream encryption/decryption, media stream integrity protection/checking and other basic media stream processing.
Step 530 is the session control signaling protocol, which may carry parameters related to the key management protocol.
Step 540 is the key management protocol, used to create keys and security parameters, negotiate them with other media stream security devices and finally pass them to the user plane.
Step 550 is the secure media stream protocol, which receives the parameters from the control plane and provides confidentiality and integrity services for the media stream.
Step 560 is the media stream protocol, which performs the basic media processing functions.

FIG. 6 shows the structure of NGN media stream security in the home network case. The Customer Network Gateway (CNG) 130 negotiates the media stream keys and security parameters and provides the media stream security service. In this case the End user (100) and the BE (110) need not provide the media stream security service. When the End user (100) provides this function itself, the CNG (130) and the BE (110) can ignore the signaling request for the media stream security service.

Figure 7 shows the structure of NGN media stream security in the multi-domain case, of which there are two kinds: (1) across different NGN operators: when End user 1 (700) of NGN-1 (720) communicates with End user 2 (750) of NGN-2 (740), BE1 (710) and BE2 (715) negotiate the keys and security parameters and perform security services such as media stream encryption/decryption according to the security policy agreed between the NGN operators; (2) the roaming case is handled in a similar way.

Media stream security means using cryptographic methods to protect the integrity and confidentiality of the media stream. The next generation network needs to support media stream security, the core of which is the negotiation of the security parameters used to protect the media stream (such as the key, key length and cryptographic algorithm). The invention uses an independent key management protocol to implement key negotiation for media stream security in the next generation network; the method has the following features: (1) it supports negotiation of session-level and media-level security parameters; (2) it is independent of the signaling channel and directly supports end-to-end negotiation of security parameters; (3) it supports the cases where there is no signaling protection or the signaling supports only hop-by-hop protection; (4) it is flexible to configure and scales well.

Figure 8 is a block diagram of the apparatus for implementing media stream security according to an embodiment of the present invention, comprising: an establishing module 10, for the communicating parties to establish a session including a control plane; a negotiation module 20, for the communicating parties to negotiate security parameters on the control plane using a key management protocol; and a protection module 30, for the communicating parties to protect the media stream between them using the negotiated security parameters. Preferably, the security parameters include a key and at least one of the following: a key length, a key lifetime, and a cryptographic algorithm. Preferably, the key management protocol includes the Multimedia Internet Key protocol (MIKEY). Preferably, the key management protocol includes the Secure Real-time Transport Protocol and an associated key management protocol. Preferably, the session including the control plane includes at least one of the following: a session following the Session Initiation Protocol; a session following the Session Description Protocol.

The above apparatus improves the security of the media stream by negotiating the security parameters with an independent key management protocol. Media stream security means using cryptographic methods to protect the integrity and confidentiality of the media stream. The next generation network needs to support media stream security, the core of which is the negotiation of the security parameters used to protect the media stream (such as the key, key length and cryptographic algorithm). The invention uses an independent key management protocol to implement key negotiation for media stream security in the next generation network; the method and apparatus have the following features: (1) they support negotiation of session-level and media-level security parameters; (2) they are independent of the signaling channel and directly support end-to-end negotiation of security parameters; (3) they support the cases where there is no signaling protection or the signaling supports only hop-by-hop protection; (4) they are flexible to configure and scale well.

Obviously, those skilled in the art will understand that the modules or steps of the present invention described above can be implemented on a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network of several computing devices; optionally, they can be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, or they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. Thus the present invention is not limited to any particular combination of hardware and software.

The above is only a preferred embodiment of the present invention and is not intended to limit it; those skilled in the art can make various changes and variations to the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims

1. A security parameter negotiation method for implementing media stream security, comprising the following steps:
the communicating parties establish a session including a control plane;
the communicating parties negotiate security parameters on the control plane using a key management protocol; and
the communicating parties use the negotiated security parameters to protect the media stream between them.
2. The security parameter negotiation method according to claim 1, wherein the security parameters comprise a key and at least one of the following: a key length, a key lifetime, and a cryptographic algorithm.
3. The security parameter negotiation method according to claim 1, wherein the key management protocol comprises the Multimedia Internet Key protocol.
4. The security parameter negotiation method according to claim 1, wherein the key management protocol comprises the Secure Real-time Transport Protocol and an associated key management protocol.
5. The security parameter negotiation method according to claim 1, wherein the session including the control plane comprises at least one of the following:
a session following the Session Initiation Protocol;
a session following the Session Description Protocol.
6. A security parameter negotiation apparatus for implementing media stream security, comprising:
an establishing module, for the communicating parties to establish a session including a control plane;
a negotiation module, for the communicating parties to negotiate security parameters on the control plane using a key management protocol; and
a protection module, for the communicating parties to protect the media stream between them using the negotiated security parameters.
7. The security parameter negotiation apparatus according to claim 6, wherein the security parameters comprise a key and at least one of the following: a key length, a key lifetime, and a cryptographic algorithm.
8. The security parameter negotiation apparatus according to claim 6, wherein the key management protocol comprises the Multimedia Internet Key protocol.
9. The security parameter negotiation apparatus according to claim 6, wherein the key management protocol comprises the Secure Real-time Transport Protocol and an associated key management protocol.
10. The security parameter negotiation apparatus according to claim 6, wherein the session including the control plane comprises at least one of the following:
a session following the Session Initiation Protocol;
a session following the Session Description Protocol.
PCT/CN2008/000638 2008-01-23 2008-03-31 Security parameters negotiation method and apparatus for realizing the security of the media flow WO2009094813A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810008742,3 2008-01-23
CN 200810008742 CN101247218B (en) 2008-01-23 2008-01-23 Safety parameter negotiation method and device for implementing media stream safety

Publications (1)

Publication Number Publication Date
WO2009094813A1 true WO2009094813A1 (en) 2009-08-06

Family

ID=39947452

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/000638 WO2009094813A1 (en) 2008-01-23 2008-03-31 Security parameters negotiation method and apparatus for realizing the security of the media flow

Country Status (2)

Country Link
CN (1) CN101247218B (en)
WO (1) WO2009094813A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111742529A (en) * 2018-02-19 2020-10-02 瑞典爱立信有限公司 Secure negotiation in service-based architecture (SBA)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247218B (en) * 2008-01-23 2012-06-06 中兴通讯股份有限公司 Safety parameter negotiation method and device for implementing media stream safety
CN103475640A (en) * 2013-08-09 2013-12-25 杭州华三通信技术有限公司 Method and apparatus for realizing RTP (Real-time Transport Protocol) backspacing
CN103475639A (en) * 2013-08-09 2013-12-25 杭州华三通信技术有限公司 RTP (Real-time Transport Protocol) backspacing method and apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1658552A (en) * 2004-02-17 2005-08-24 华为技术有限公司 Method for safety transfering medium flow
US20050198490A1 (en) * 2004-03-02 2005-09-08 Microsoft Corporation Dynamic negotiation of encryption protocols
CN1956443A (en) * 2005-10-24 2007-05-02 华为技术有限公司 Encipher method of NGN service
US20070291669A1 (en) * 2004-03-17 2007-12-20 Perkinson Terry D Method and apparatus for a hybrid network service
CN101247218A (en) * 2008-01-23 2008-08-20 中兴通讯股份有限公司 Safety parameter negotiation method and device for implementing media stream safety

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1186906C (en) * 2003-05-14 2005-01-26 东南大学 Wireless LAN safety connecting-in control method
CN1983921B (en) * 2005-12-16 2010-05-05 华为技术有限公司 Method and system for realizing end to end media fluid safety

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1658552A (en) * 2004-02-17 2005-08-24 华为技术有限公司 Method for safety transfering medium flow
US20050198490A1 (en) * 2004-03-02 2005-09-08 Microsoft Corporation Dynamic negotiation of encryption protocols
US20070291669A1 (en) * 2004-03-17 2007-12-20 Perkinson Terry D Method and apparatus for a hybrid network service
CN1956443A (en) * 2005-10-24 2007-05-02 华为技术有限公司 Encipher method of NGN service
CN101247218A (en) * 2008-01-23 2008-08-20 中兴通讯股份有限公司 Safety parameter negotiation method and device for implementing media stream safety

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111742529A (en) * 2018-02-19 2020-10-02 瑞典爱立信有限公司 Secure negotiation in service-based architecture (SBA)
CN111742529B (en) * 2018-02-19 2023-03-10 瑞典爱立信有限公司 Security negotiation in service-based architecture (SBA)

Also Published As

Publication number Publication date
CN101247218A (en) 2008-08-20
CN101247218B (en) 2012-06-06

Similar Documents

Publication Publication Date Title
US9537837B2 (en) Method for ensuring media stream security in IP multimedia sub-system
JP5106682B2 (en) Method and apparatus for machine-to-machine communication
JP4856723B2 (en) Method, apparatus and / or computer program product for encrypting and transmitting media data between a media server and a subscriber device
WO2009021441A1 (en) Transmitting and receiving method, apparatus and system for security policy of multicast session
WO2005112338A1 (en) Key distribution method
WO2011022999A1 (en) Method and system for encrypting video conference data by terminal
WO2007073659A1 (en) Terminal access method based on h.323 protocol applied to packet network
KR101297936B1 (en) Method for security communication between mobile terminals and apparatus for thereof
WO2010083695A1 (en) Method and apparatus for securely negotiating session key
WO2008089694A1 (en) A method, a system and an equipment for obtaining the media stream protecting key in ims network
WO2007048301A1 (en) A encryption method for ngn service
WO2008040213A1 (en) Message encryption and signature method, system and device in communication system
WO2005104423A1 (en) The method of secret communication between the endpoints
WO2005079013A1 (en) A method for the achievement of the message transmission in the h323 system
WO2009094813A1 (en) Security parameters negotiation method and apparatus for realizing the security of the media flow
WO2011020332A1 (en) Method and system for encrypting media data of ip multimedia subsystem session
WO2007093079A1 (en) Implementation method of crossdomain multi-gatekeeper packet network key negotiation security policy
WO2017197968A1 (en) Data transmission method and device
WO2008083607A1 (en) Method and system of safely transferring media stream
WO2009094812A1 (en) Method and apparatus for implementing the security of point to point media stream
KR101121230B1 (en) Sip base voip service protection system and the method
CN113114644B (en) SIP architecture-based multi-stage cross-domain symmetric key management system
KR101210938B1 (en) Encrypted Communication Method and Encrypted Communication System Using the Same
WO2008074226A1 (en) A method for negotiating the session secret key between the endpoints across multiple gatekeeper zones
WO2009094814A1 (en) A security parameter generating method for implementing media stream security and the apparatus thereof

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08733859

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08733859

Country of ref document: EP

Kind code of ref document: A1