WO2011131051A1 - Method and device for security communication negotiation - Google Patents


Info

Publication number: WO2011131051A1
Application number: PCT/CN2011/071028
Authority: WO, WIPO (PCT)
Other languages: French (fr), Chinese (zh)
Inventors: 田甜, 朱允文, 韦银星
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)
Prior art keywords: security, user equipment, security capability, negotiation, called user


Classifications (all under H04L, transmission of digital information, e.g. telegraphic communication)

    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Managing network security; network security policies in general
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/10 Architectures or entities
    • H04L 65/1016 IP multimedia subsystem [IMS]
    • H04L 65/1045 Proxies, e.g. for session initiation protocol [SIP]
    • H04L 65/1046 Call controllers; call servers
    • H04L 65/1066 Session management
    • H04L 65/1069 Session establishment or de-establishment

Definitions

  • The main object of the present invention is to provide a secure communication negotiation method and device that achieves security between the communication participants and improves user satisfaction.
  • A secure communication negotiation method comprising:
  • when the called user equipment or the network it is in does not support end-to-access-edge (e2ae) security, the calling and called user equipment perform media-plane security negotiation and communicate according to the negotiated key.
  • The media-plane security negotiation is performed in the e2ae security scenario and includes:
  • the calling user equipment carries a security capability parameter in the session initiation request; the parameter indicates the security capability the calling user equipment requires;
  • the called user equipment, or the network it is in, returns a session response message carrying a security capability parameter; the parameter indicates the security capability supported by the called user equipment or its network.
  • The method by which the called user equipment or its network returns the session response message includes:
  • when the network the called user equipment is in does not support e2ae security: if the called user equipment itself does not support e2ae and supports only end-to-end (e2e) security, it carries an e2e security capability parameter in the session response message; if the called user equipment does support e2ae, it carries an SDES (session description protocol security key attribute) e2e security capability parameter in the session response message.
  • The method may also include: if the called user equipment supports e2ae security, it carries an SDES e2e security capability parameter in the session response message,
  • and the result of the negotiation is that the calling and called user equipment communicate securely in SDES e2e mode.
  • If the called user equipment does not support e2ae and supports only e2e security, the negotiation process includes:
  • the calling user equipment negotiating security with the called user equipment according to its own e2e security capability and a preset policy.
  • The result of that security negotiation is at least one of: encrypted communication; the called user equipment communicating unencrypted while the calling user equipment continues to use e2ae encrypted communication; unencrypted communication; termination of the communication.
  • Communicating according to the negotiated key includes: the called user equipment deciding, according to a preset policy, whether to continue the communication.
  • The session response message returned by the network the called user equipment is in carries an indication that the called user equipment does not support encrypted communication.
  • A secure communication negotiation device comprising a security capability maintenance unit, a security capability negotiation unit and a security capability decision unit;
  • the security capability maintenance unit is configured to store and maintain the obtained security capabilities of the calling and called user equipment;
  • the security capability negotiation unit is configured to perform media-plane security negotiation between the calling and called user equipment;
  • the security capability decision unit is configured to apply the negotiated key to support the communication.
  • The units of the device may be combined into, or distributed across, at least one of: the calling user equipment, the called user equipment, the Proxy Call Session Control Function (P-CSCF) and the Serving Call Session Control Function (S-CSCF).
  • The media-plane security negotiation performed by the security capability negotiation unit takes place in the e2ae security scenario; when performing it, the negotiation unit:
  • carries a security capability parameter in the session initiation request of the calling user equipment, indicating the security capability the calling user equipment requires; and
  • carries a security capability parameter in the session response message returned by the called user equipment or its network, indicating the security capability supported by the called user equipment or its network.
  • The secure communication negotiation method and device of the present invention realize negotiation of the secure communication mode between the communication participants and thereby improve user satisfaction.
  • FIG. 1 is a network architecture diagram of the prior-art end-to-access-gateway case.
  • FIG. 2 is the calling-side call flow, end to access gateway, when the peer terminal supports no media-plane security capability, according to an embodiment of the present invention.
  • FIG. 3 is the called-side flow, end to access gateway, when the peer terminal supports no media-plane security capability, according to an embodiment of the present invention.
  • FIG. 4 is the calling-side call flow, end to access gateway, when the peer terminal supports the SDES e2e security capability, according to an embodiment of the present invention.
  • FIG. 5 is the called-side flow, end to access gateway, when the peer terminal supports the SDES e2e security capability, according to an embodiment of the present invention.
  • FIG. 6 is the calling-side call flow, end to access gateway, when the peer terminal supports only the KMS e2e security capability, according to an embodiment of the present invention.
  • FIG. 7 is the called-side flow, end to access gateway, when the peer terminal supports only the KMS e2e security capability, according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of the negotiation process of the secure communication mode according to an embodiment of the present invention.
  • FIG. 9 is a diagram of the secure communication mode negotiation device according to an embodiment of the present invention.
  • Detailed description
  • Figures 2 and 3 show the end-to-access-gateway scenario, under e2ae security, in which the peer terminal supports no media-plane security capability.
  • Figure 2 shows the calling-side call flow. The specific steps are as follows:
  • Step 201: User equipment A sends an SDP request (SDP Offer) to the P-CSCF. The SDP Offer includes an SDES key attribute, and the key attribute contains the key K1.
  • The SDP Offer indicates that the user requires the e2ae security capability.
  • Step 202: The P-CSCF interacts with the IMS access gateway on the media plane to allocate the required resources.
  • SRTP: Secure Real-time Transport Protocol
  • RTP: Real-time Transport Protocol
  • Step 204: The S-CSCF forwards the received SDP Offer to the called party network.
  • Step 205: The S-CSCF receives an SDP answer (SDP Answer) from the called party network, where
  • Step 206: The S-CSCF forwards the received SDP Answer to the P-CSCF.
  • Step 207: The P-CSCF forwards the received SDP Answer to user equipment A.
  • Step 208: According to its policy, user equipment A either accepts that the peer uses unencrypted communication and continues the communication using e2ae, or terminates the communication.
  • Figure 3 shows the called-side flow, end to access gateway, when the peer terminal supports no media-plane security capability under e2ae security. The specific steps are as follows:
  • Step 301: The S-CSCF of the called party network receives the SDP Offer (RTP) from the calling party network.
  • Step 302: The S-CSCF forwards the received SDP Offer to the P-CSCF.
  • Step 303: The P-CSCF checks the security capability of user equipment B.
  • User equipment B has no security capability.
  • Step 304: The P-CSCF returns an SDP Answer to the S-CSCF; the message indicates that user equipment B has no security capability.
  • Step 305: The S-CSCF returns the received SDP Answer to the calling party network in the corresponding SIP message.
  • Figures 4 and 5 show the end-to-access-gateway scenario, under e2ae security, in which the peer terminal supports the SDES e2e security capability.
  • Figure 4 shows the calling-side call flow. The specific steps are as follows:
  • Steps 401 to 404: User equipment A initiates an SDP Offer towards the called party network.
  • Steps 401 to 404 follow the same principles as steps 201 to 204 respectively.
  • Step 405: The S-CSCF receives an SDP Answer from the called party network; the SDP Answer indicates that the called user equipment has the e2e SDES capability.
  • Step 406: The S-CSCF forwards the received SDP Answer to the P-CSCF.
  • Step 407: The P-CSCF forwards the received SDP Answer to user equipment A.
  • Step 408: User equipment A sends a new SDP Offer to the P-CSCF. The new SDP Offer includes an SDES key attribute, and the key attribute contains the key K1.
  • The new SDP Offer indicates that the user is using e2e security.
  • Step 409: The P-CSCF forwards the received SDP Offer to the S-CSCF.
  • Step 410: The S-CSCF sends the received SDP Offer to the called party network.
  • Step 411: The S-CSCF receives an SDP Answer from the called party network; the SDP Answer indicates that the other party also uses e2e SDES.
  • The SDP Answer carries the key K2.
  • Step 412: The S-CSCF forwards the received SDP Answer to the P-CSCF.
  • Step 413: The P-CSCF forwards the received SDP Answer to user equipment A.
  • User equipment A can now send the K1-encrypted media stream to the called party network and receive the K2-encrypted media stream from it.
  • Figure 5 shows the called-side flow, end to access gateway, when the peer terminal supports the SDES e2e security capability under e2ae security. The specific steps are as follows:
  • Step 501: The S-CSCF of the called party network receives the SDP Offer (RTP) from the calling party network.
  • Step 502: The S-CSCF forwards the received SDP Offer (RTP) to the P-CSCF.
  • Step 503: The P-CSCF checks the security capability of user equipment B.
  • User equipment B has the SDES e2e security capability.
  • Step 504: The P-CSCF returns an SDP Answer to the S-CSCF; the SDP Answer indicates that user equipment B uses SDES e2e security.
  • Step 505: The S-CSCF sends the received SDP Answer to the calling party network.
  • Step 506: The S-CSCF of the called party network receives from the calling party network an SDP Offer indicating that SDES e2e security is used; the SDP Offer carries the key K1.
  • Step 507: The S-CSCF forwards the received SDP Offer to the P-CSCF.
  • Step 508: The P-CSCF forwards the received SDP Offer to user equipment B.
  • Step 509: User equipment B returns an SDP Answer message; the SDP Answer carries the key K2.
  • Step 510: The P-CSCF forwards the received SDP Answer message to the S-CSCF.
  • Step 511: The S-CSCF sends the received SDP Answer message to the calling party network.
  • User equipment B can now receive the K1-encrypted media stream from the calling party network and send the K2-encrypted media stream to it.
  • Figures 6 and 7 show the end-to-access-gateway scenario, under e2ae security, in which the peer terminal supports only the KMS e2e security capability.
  • Figure 6 shows the calling-side call flow. The specific steps are as follows:
  • Step 601: User equipment A sends an SDP Offer to the P-CSCF. The SDP Offer includes an SDES key attribute, and the key attribute contains the key K1.
  • The SDP Offer indicates that the user requires the e2ae security capability.
  • Step 602: The P-CSCF interacts with the IMS access gateway on the media plane to allocate the required resources.
  • Step 604: The S-CSCF forwards the received SDP Offer to the called party network.
  • Step 605: The S-CSCF receives an SDP Answer from the called party network; the SDP Answer indicates that the peer terminal uses the higher-level e2e KMS security.
  • Step 606: The S-CSCF forwards the received SDP Answer to the P-CSCF.
  • Step 607: The P-CSCF forwards the received SDP Answer to user equipment A.
  • Step 608: According to its own security capability and policy, user equipment A either selects the same higher-level security scheme as the peer terminal, or accepts that the peer uses unencrypted communication and continues the communication using e2ae, or terminates the communication. If unencrypted communication is chosen, the peer terminal must be notified.
  • Figure 7 shows the called-side flow, end to access gateway, when the peer terminal supports only the KMS e2e security capability under e2ae security. The specific steps are as follows:
  • Step 701: The S-CSCF of the called party network receives the SDP Offer (RTP) from the calling party network.
  • Step 702: The S-CSCF forwards the received SDP Offer (RTP) to the P-CSCF.
  • Step 703: The P-CSCF checks the security capability of user equipment B.
  • User equipment B has only the higher-level capability, e2e KMS security.
  • Step 704: The P-CSCF returns an SDP Answer to the S-CSCF; the SDP Answer indicates that user equipment B has the e2e KMS security capability.
  • Step 705: The S-CSCF returns the received SDP Answer to the calling party network in the corresponding SIP message. If the information returned from the calling party network indicates that the same protection as user equipment B, that is e2e KMS, is used, the subsequent communication follows the existing KMS procedure and is not described again. If the information returned from the calling party network indicates that encryption is not used, user equipment B decides according to its policy whether to continue the communication.
  • The calling user equipment and the called user equipment may be referred to as the calling party and the called party respectively.
  • FIG. 8 is a schematic diagram of the negotiation process of the secure communication mode according to an embodiment of the present invention; the process includes the following steps:
  • Step 810: The calling and called user equipment negotiate a secure communication mode based on their own security capabilities.
  • Step 820: The calling and called user equipment determine the communication mode according to the result of the negotiation.
  • When the P-CSCF in the called party network receives the message requesting e2ae security, it then returns the SDP Answer message.
  • If the called party has no security capability at all, the answer carries an indication to that effect and is returned to the calling party network.
  • The calling party network must then notify the calling party that media-plane security cannot be achieved for this communication; whether to continue in unencrypted mode or to terminate is decided according to policy or by the user's choice.
  • If the called party supports SDES e2e security, the SDP message carries the key K2 together with an e2e security indication.
  • The SDP message is returned to the calling party network to indicate that the called party supports e2e security, and the subsequent communication uses the SDES e2e security mode.
  • If the called user equipment does not support SDES e2e security, it selects a higher-level security scheme such as KMS e2e security and carries an indication of the corresponding supported capability in the returned message; the calling party then decides, according to its own security capability (that is, whether it supports the capability returned by the called party) and its security policy, whether to communicate with the higher-level security, to communicate without media-plane security, or to terminate the communication.
  • The security capability of the communication network may further be considered in the negotiation; in practice the security capabilities of the user equipment and/or of the communication network may be taken into account according to the application scenario to determine the communication mode to be used in the subsequent communication.
  • The network the user equipment is in may also take part, for example by indicating the required security capability, or by returning an indication of the supported security capabilities.
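The negotiation of Figures 2 to 8, as an added worked example that is not the patent's own code: it models the calling user equipment, the called side's P-CSCF capability check, and both parties' preset policies, and contrasts the result with the background-art behaviour in which missing e2ae support on the called side silently yields an unprotected call. Python; the capability names, the Party/Offer/Answer records, the policy flag and the placeholder keys "K1"/"K2" are this example's assumptions.

```python
"""Media-plane security negotiation of Figures 2 to 8 (calling side, called side, policy).

Added example, not the patent's code. Capability names, the Party/Offer/Answer
records, the policy flag and the placeholder keys "K1"/"K2" are assumptions of
this example; real deployments carry SDES keys in a=crypto attributes instead.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Cap(Enum):
    E2AE = "e2ae"            # end to access edge: UE <-> IMS access gateway
    SDES_E2E = "sdes e2e"    # end-to-end keys in SDP; relies on signalling-plane security
    KMS_E2E = "kms e2e"      # end-to-end via KMS; the higher-level scheme


class Outcome(Enum):
    E2AE = "e2ae"
    SDES_E2E = "sdes e2e"
    KMS_E2E = "kms e2e"
    CALLER_E2AE_PEER_CLEAR = "caller keeps e2ae, peer unencrypted"
    UNENCRYPTED = "unencrypted, nobody told"
    TERMINATED = "terminated"


@dataclass(frozen=True)
class Party:
    name: str
    caps: frozenset             # set of Cap this UE supports
    pcscf_e2ae: bool            # does this party's P-CSCF support e2ae?
    continue_unprotected: bool  # preset policy when no media-plane protection is possible


@dataclass(frozen=True)
class Offer:
    requires: Cap               # security capability parameter: what the caller needs
    key: str | None = None      # SDES key attribute (K1)


@dataclass(frozen=True)
class Answer:
    supported: frozenset        # security capability parameter: what the callee side supports
    key: str | None = None      # K2 once SDES e2e is agreed


def callee_side_answer(callee: Party, offer: Offer) -> Answer:
    """Called P-CSCF checks UE B's capability (steps 303 / 503 / 703) and answers."""
    if offer.requires is Cap.E2AE and callee.pcscf_e2ae and Cap.E2AE in callee.caps:
        return Answer(frozenset({Cap.E2AE}))   # plain e2ae works, nothing to negotiate
    return Answer(frozenset(callee.caps - {Cap.E2AE}))  # empty set = "no security capability"


def negotiate(caller: Party, callee: Party, log: list) -> Outcome:
    """Caller requests e2ae, reads the callee side's answer and applies policy (Figure 8)."""
    if not (caller.pcscf_e2ae and Cap.E2AE in caller.caps):
        raise ValueError("caller side cannot request e2ae; outside the scenario modelled")
    offer = Offer(Cap.E2AE, key="K1")
    log.append(f"{caller.name} -> network: SDP offer requires e2ae, carries K1")
    ans = callee_side_answer(callee, offer)
    log.append(f"network -> {caller.name}: SDP answer supports {sorted(c.value for c in ans.supported)}")
    if Cap.E2AE in ans.supported:
        return Outcome.E2AE
    # Figures 4/5: callee advertises SDES e2e, so the caller re-offers end-to-end keys
    if Cap.SDES_E2E in ans.supported and Cap.SDES_E2E in caller.caps:
        log.append(f"{caller.name} -> {callee.name}: new SDP offer e2e SDES, carries K1")
        log.append(f"{callee.name} -> {caller.name}: SDP answer e2e SDES, carries K2")
        return Outcome.SDES_E2E
    # Figures 6/7: callee supports only KMS e2e; caller joins it if it can (step 608)
    if Cap.KMS_E2E in ans.supported and Cap.KMS_E2E in caller.caps:
        log.append("both sides continue with the existing KMS e2e procedure")
        return Outcome.KMS_E2E
    # No common protection: the caller's preset policy decides (steps 208 / 608)
    if not caller.continue_unprotected:
        log.append(f"{caller.name}: policy forbids unprotected media, terminating")
        return Outcome.TERMINATED
    log.append(f"{caller.name} -> {callee.name}: notifying peer that media will be unencrypted")
    # ...and the callee applies its own policy to that choice (step 705)
    if not callee.continue_unprotected:
        log.append(f"{callee.name}: policy forbids unprotected media, terminating")
        return Outcome.TERMINATED
    return Outcome.CALLER_E2AE_PEER_CLEAR       # caller's own access leg stays e2ae-protected


def legacy_behaviour(callee: Party) -> Outcome:
    """Background art: missing e2ae support on the called side silently drops all protection."""
    if callee.pcscf_e2ae and Cap.E2AE in callee.caps:
        return Outcome.E2AE
    return Outcome.UNENCRYPTED


if __name__ == "__main__":
    a = Party("UE A", frozenset({Cap.E2AE, Cap.SDES_E2E}), pcscf_e2ae=True, continue_unprotected=False)
    for b in (Party("UE B", frozenset(), False, True),
              Party("UE B", frozenset({Cap.SDES_E2E}), False, True),
              Party("UE B", frozenset({Cap.KMS_E2E}), False, True)):
        log: list = []
        print(negotiate(a, b, log).value, "| legacy:", legacy_behaviour(b).value)
        print("   " + "\n   ".join(log))
```

The default a practitioner should pick for `continue_unprotected` is False on both sides: the failure mode the background describes is a silent downgrade, so each side should fail closed unless the user or an explicit policy opts into unprotected media, and the capability parameter in the answer is what makes the downgrade visible in the first place.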
  • the present technology can be applied to other communication environments using the SIP protocol, in addition to being applicable to IMS.
  • the secure communication method negotiation method of the present invention can realize the secure communication mode negotiation between the communication participants, and can improve user satisfaction.
  • FIG. 9 is a diagram of a secure communication mode negotiation device according to an embodiment of the present invention.
  • The device includes a security capability maintenance unit, a security capability negotiation unit and a security capability decision unit, which may be connected to one another.
  • The functional units may be combined into, or distributed across, devices such as the user equipment and the CSCF, where the CSCF may be a P-CSCF and/or an S-CSCF.
  • The security capability maintenance unit obtains the security capability of the user equipment by checking it, and performs maintenance operations on that capability, including storing it and providing it.
  • The security capability negotiation unit performs the negotiation interactions, including request and response, on behalf of the user equipment and finally obtains the negotiation result, for example the security capability the called user equipment can actually provide.
  • The security capability negotiation unit may pass the negotiation content, responses and so on through the S-CSCF, the P-CSCF and similar elements acting as negotiation relays, so that the negotiation can be completed successfully.
  • The security capability decision unit obtains the negotiation result of the security capability negotiation unit (such as a key), either by fetching it or by receiving it, determines from that result the communication mode to be used in the subsequent communication, and applies the negotiated key to support the communication.
  • In summary, the security capability maintenance unit stores and maintains the acquired security capabilities of the calling and called parties; the security capability negotiation unit performs media-plane security negotiation between them; and the security capability decision unit applies the key negotiated by the security capability negotiation unit to the communication.

Abstract

The present invention discloses a method and device for secure communication negotiation. When the called user equipment or its own network does not support end-to-access-edge (e2ae) security capability, the calling user equipment and the called user equipment perform media-plane security negotiation and communicate according to the negotiated key. The media-plane security negotiation is performed in the e2ae security scenario and includes the following steps: the calling user equipment carries a security capability parameter in the session initiation request, where the parameter indicates the security capability the calling user equipment requires; the called user equipment or its own network returns a session response message carrying a security capability parameter, where the parameter indicates the security capability supported by the called user equipment or its own network. The negotiation method and device for the secure communication mode of the present invention realize negotiation of the secure communication mode among the communication participants and improve user satisfaction.

Description

Secure communication negotiation method and device

Technical field

The present invention relates to the field of communications, and in particular to a secure communication negotiation method and device.

Background art

At present, from a security point of view, IMS (IP Multimedia Subsystem) media-plane security is divided into end-to-end (e2e) security and end-to-access-edge (e2ae) security. The further into the network the media-security termination point is pushed, the better; that is, e2e offers a higher security level than e2ae.

Figure 1 is a typical e2ae case: the network architecture from the end (user equipment) to the IMS media access gateway. In Figure 1 the solid line is the media-stream path and the dashed line is the signalling path. The user equipment is the sender of the media; the P-CSCF (Proxy Call Session Control Function) and the S-CSCF (Serving Call Session Control Function) are IMS network elements.

3GPP TS 33.328 v9.0.0 uses the SDES scheme (SDP Security Descriptions, RFC 4568, which the patent glosses as the "session description protocol security key attribute"; the key is carried in the SDP crypto attribute) to secure the e2ae scenario. SDES is very simple. For example, user A calls user B: the SDP key attribute of the call-setup INVITE message carries key K1, which is used to encrypt the media stream sent from user A to user B; on receiving K1, user B stores it and uses it to decrypt the encrypted media received from user A. After the call is set up, the SDP key attribute in the 200 OK success response that user B sends back to user A carries key K2, used to encrypt the media stream from user B to user A; on receiving that message, user A stores K2 and uses it to decrypt the encrypted media received from user B.
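The SDES exchange described above, as an added example that is not part of the patent or of 3GPP TS 33.328: it renders and parses the RFC 4568 a=crypto attribute that carries K1 in the INVITE and K2 in the 200 OK, and enforces the answer rules a practitioner cares about (the answer echoes the offered tag and crypto-suite and supplies its own key of the right length). Python, assuming the single crypto-suite AES_CM_128_HMAC_SHA1_80 and random placeholder keys generated inline; the function names are this example's own.

```python
"""SDES (RFC 4568) key attribute offer/answer for the A->B key K1 and the B->A key K2.

Added example, not the patent's code. Assumes one crypto-suite
(AES_CM_128_HMAC_SHA1_80), no lifetime/MKI or session parameters, and keys
generated locally; the function names are this example's own.
"""
from __future__ import annotations

import base64
import os
import re

SUITE = "AES_CM_128_HMAC_SHA1_80"
KEY_LEN, SALT_LEN = 16, 14          # 128-bit master key + 112-bit master salt (RFC 4568 6.1)
KEY_SALT_LEN = KEY_LEN + SALT_LEN   # 30 bytes -> 40 base64 characters on the wire

# a=crypto:<tag> <crypto-suite> inline:<base64(key||salt)>
_CRYPTO_RE = re.compile(
    r"^a=crypto:(?P<tag>[1-9][0-9]{0,8}) (?P<suite>[A-Za-z0-9_]+) "
    r"inline:(?P<key>[A-Za-z0-9+/]+={0,2})$"
)


def new_master_key() -> bytes:
    """Fresh random key||salt; one per direction, never reused across sessions."""
    return os.urandom(KEY_SALT_LEN)


def crypto_line(tag: int, key_salt: bytes) -> str:
    """Render one SDES key attribute as carried in the SDP body of the INVITE or 200 OK."""
    if len(key_salt) != KEY_SALT_LEN:
        raise ValueError(f"key||salt must be {KEY_SALT_LEN} bytes for {SUITE}")
    return f"a=crypto:{tag} {SUITE} inline:{base64.b64encode(key_salt).decode()}"


def parse_crypto(line: str) -> tuple[int, str, bytes]:
    """Extract (tag, suite, key||salt); reject anything that is not exactly what we support."""
    m = _CRYPTO_RE.match(line.strip())
    if m is None:
        raise ValueError("malformed a=crypto line")
    key_salt = base64.b64decode(m["key"], validate=True)
    if m["suite"] != SUITE or len(key_salt) != KEY_SALT_LEN:
        raise ValueError("unsupported crypto-suite or wrong key length")
    return int(m["tag"]), m["suite"], key_salt


def answer_crypto(offer_line: str, k2: bytes) -> str:
    """Answerer echoes the chosen tag and suite and supplies its own key (RFC 4568 7.1.3)."""
    tag, _, _ = parse_crypto(offer_line)
    return crypto_line(tag, k2)


def sdes_exchange(k1: bytes, k2: bytes) -> tuple[tuple[bytes, bytes], tuple[bytes, bytes]]:
    """User A offers K1 in the INVITE, user B answers with K2 in the 200 OK.

    Returns ((A_send, A_recv), (B_send, B_recv)).
    """
    offer = crypto_line(1, k1)                  # INVITE: SDP key attribute carries K1
    _, _, b_recv = parse_crypto(offer)          # B stores K1 to decrypt A->B media
    answer = answer_crypto(offer, k2)           # 200 OK: SDP key attribute carries K2
    tag, _, a_recv = parse_crypto(answer)       # A stores K2 to decrypt B->A media
    if tag != 1:
        raise ValueError("answer did not select the offered crypto attribute")
    return (k1, a_recv), (k2, b_recv)


if __name__ == "__main__":
    k1, k2 = new_master_key(), new_master_key()
    print(crypto_line(1, k1))                   # exactly what an on-path observer of the SDP sees
    (a_tx, a_rx), (b_tx, b_rx) = sdes_exchange(k1, k2)
    print("A->B key agreed:", a_tx == b_rx, " B->A key agreed:", b_tx == a_rx)
```

Both keys travel in cleartext inside the SDP body, so anyone who can read the signalling (an on-path party between the UE and the P-CSCF without IPsec or TLS, or any CSCF the SDP traverses) learns K1 and K2. That is why the description says the SDES scheme depends on signalling-plane security, and why the KMS scheme exists for users who cannot accept that dependency.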
对于 e2e安全, 目前该规范中釆用 SDES和 KMS (密钥管理服务)两种 方案, SDES方案依赖于信令面安全, 是针对大部分的普通用户的 e2e安全 解决方案; KMS方案则不依赖于信令面安全, 是可以满足少数具有更高安 全级别要求的用户的 e2e安全解决方案。 目前, 当呼叫方与其所属 P-CSCF都支持 e2ae时, 呼叫方可以发起要 求 e2ae安全的会话请求, 而当应答方或应答方所属网络的 P-CSCF中任意 一个不支持 e2ae时, 则双方使用无媒体面安全保护措施进行通信。 For e2e security, the SDES and KMS (Key Management Service) schemes are currently used in this specification. The SDES scheme relies on signaling plane security and is an e2e security solution for most common users; the KMS scheme does not depend on Secure on the signaling plane, it is an e2e security solution that can meet a small number of users with higher security level requirements. Currently, when the calling party and its associated P-CSCF support e2ae, the calling party can initiate a session request requesting e2ae security, and when any one of the P-CSCFs of the network to which the responder or the responder belongs does not support e2ae, both parties use No media surface security measures to communicate.
显然, 上述处理方式显然是不合适的, 尤其是当通信双方或任一方支 持媒体面安全加密能力并付费使用加密通信时, 在被叫方或因其所在网络 原因不支持 e2ae安全能力的情况下, 为呼叫方和被叫方建立起来的通信实 际上是没有任何媒体面保护的, 而呼叫方和被叫方双方可能都不为所知, 这对用户来说不公平不合理, 并且也不利于通信安全性, 会明显降低用户 满意度。 发明内容  Obviously, the above processing method is obviously inappropriate, especially when the communication parties or any party support the media face security encryption capability and pay for the encrypted communication, if the called party does not support the e2ae security capability due to the network reason The communication established for the calling party and the called party is actually without any media protection, and neither the calling party nor the called party may be aware of it, which is unfair and unreasonable to the user, and Conducive to communication security, will significantly reduce user satisfaction. Summary of the invention
有鉴于此, 本发明的主要目的在于提供一种安全通信协商方法和装置, 以实现通信参与方之间的安全, 提高用户满意度。  In view of this, the main object of the present invention is to provide a secure communication negotiation method and apparatus to achieve security between communication participants and improve user satisfaction.
为达到上述目的, 本发明的技术方案是这样实现的:  In order to achieve the above object, the technical solution of the present invention is achieved as follows:
一种安全通信协商方法, 该方法包括:  A secure communication negotiation method, the method comprising:
被叫用户设备或其所在网络不支持端到接入侧边缘 e2ae安全能力时, 主、 被叫用户设备进行媒体面安全协商, 并根据协商后的密钥进行通信。  When the called user equipment or its network does not support the e2ae security capability of the access side edge, the primary and the called user equipments perform media plane security negotiation and communicate according to the negotiated key.
所述媒体面安全协商在 e2ae安全场景下进行, 包括:  The media plane security negotiation is performed in the e2ae security scenario, including:
主叫用户设备在会话发起请求中携带安全能力参数, 该安全能力参数 指所述主叫用户设备需要的安全能力;  The calling user equipment carries the security capability parameter in the session initiation request, where the security capability parameter refers to the security capability required by the calling user equipment;
被叫用户设备或其所在网络返回会话应答消息, 所述会话应答消息携 带安全能力参数, 该安全能力参数指所述被叫用户设备或其所在网络所支 持的安全能力。  The called user equipment or its network returns a session response message, and the session response message carries a security capability parameter, which refers to the security capability supported by the called user equipment or its network.
The method by which the called user equipment or the network it is in returns the session answer message comprises:
when the network in which the called user equipment is located does not support the end-to-access-edge (e2ae) security capability: if the called user equipment does not support the e2ae security capability but only supports the end-to-end (e2e) security capability, the called user equipment carries an e2e security capability parameter in the session answer message; if the called user equipment supports the e2ae security capability, the called user equipment carries in the session answer message an e2e security capability parameter with the Session Description Protocol security key attribute (SDES).
The method by which the called user equipment or the network it is in returns the session answer message comprises: if the called user equipment supports the end-to-access-edge (e2ae) security capability, the called user equipment carries an SDES e2e security capability parameter in the session answer message;
the result of the negotiation is: the calling and called user equipments communicate securely in the SDES e2e security mode.
If the called user equipment does not support the end-to-access-edge (e2ae) security capability but only supports the end-to-end (e2e) security capability, the negotiation process comprises:
the calling user equipment performs security negotiation with the called user equipment according to its own e2e security capability and a preset policy;
the result of the security negotiation is at least one of the following: encrypted communication; the called user equipment using unencrypted communication while the calling user equipment uses encrypted communication; unencrypted communication; terminating the communication.
When the result of the security negotiation is unencrypted communication, the method of communicating according to the negotiated key is: the called user equipment decides according to a preset policy whether to continue the communication.
If the called user equipment supports neither the end-to-access-edge (e2ae) security capability nor the end-to-end (e2e) security capability, the session answer message returned by the network in which the called user equipment is located carries an indication that the called user equipment does not support encrypted communication.
A secure communication negotiation apparatus, the apparatus comprising a security capability maintenance unit, a security capability negotiation unit and a security capability decision unit; wherein
the security capability maintenance unit is configured to store and maintain the obtained security capabilities of the calling and called user equipments;
the security capability negotiation unit is configured for the calling and called user equipments to perform media plane security negotiation;
the security capability decision unit is configured to apply the negotiated key to support communication.
The units included in the apparatus are co-located in, or distributed among, at least one of the following:
the calling user equipment, the called user equipment, the Proxy Call Session Control Function (P-CSCF), and the Serving Call Session Control Function (S-CSCF).
The media plane security negotiation performed by the security capability negotiation unit is performed in the e2ae security scenario, and when performing media plane security negotiation the security capability negotiation unit is configured to:
carry a security capability parameter in the session initiation request initiated by the calling user equipment, the security capability parameter indicating the security capability required by the calling user equipment;
carry a security capability parameter in the session answer message returned by the called user equipment or the network it is in, the security capability parameter indicating the security capability supported by the called user equipment or the network it is in.
The secure communication mode negotiation method and apparatus of the present invention both enable negotiation of the secure communication mode between communication participants and can improve user satisfaction.
Brief Description of the Drawings
Figure 1 is a network architecture diagram of a prior art end-to-access-gateway arrangement;
Figure 2 is a calling-side flow chart, end to access gateway, where the peer terminal does not support any media plane security capability, according to an embodiment of the present invention;
Figure 3 is a called-side flow chart, end to access gateway, where the peer terminal does not support any media plane security capability, according to an embodiment of the present invention;
Figure 4 is a calling-side flow chart, end to access gateway, where the peer terminal supports the SDES e2e security capability, according to an embodiment of the present invention;
Figure 5 is a called-side flow chart, end to access gateway, where the peer terminal supports the SDES e2e security capability, according to an embodiment of the present invention;
Figure 6 is a calling-side flow chart, end to access gateway, where the peer terminal only supports the KMS e2e security capability, according to an embodiment of the present invention;
Figure 7 is a called-side flow chart, end to access gateway, where the peer terminal only supports the KMS e2e security capability, according to an embodiment of the present invention;
Figure 8 is a simplified flow chart of secure communication mode negotiation according to an embodiment of the present invention;
Figure 9 is a diagram of a secure communication mode negotiation apparatus according to an embodiment of the present invention.
Detailed Description of the Embodiments
Figures 2 and 3 show the end-to-access-gateway scenario in which, under e2ae security, the peer terminal does not support any media plane security capability. Figure 2 is the calling-side flow, with the following specific steps:
Step 201: User equipment A sends an SDP request (SDP offer) to the P-CSCF. The SDP offer contains an SDES key attribute, and the key attribute contains key K11. The SDP offer indicates that the user requires the e2ae security capability.
Step 202: The P-CSCF interacts with the IMS access gateway on the media plane to allocate the required resources.
Step 203: The P-CSCF modifies the received SDP offer, changing the transport from the Secure Real-time Transport Protocol (SRTP) to the Real-time Transport Protocol (RTP) and deleting the SDES security attribute, and then sends the modified SDP offer to the S-CSCF.
Step 204: The S-CSCF forwards the received SDP offer to the called party network.
Step 205: The S-CSCF receives an SDP answer from the called party network; the SDP answer indicates that the peer user has no security capability.
Step 206: The S-CSCF forwards the received SDP answer to the P-CSCF.
Step 207: The P-CSCF forwards the received SDP answer to user equipment A.
Step 208: According to its policy, user equipment A chooses either to accept that the peer equipment uses unencrypted communication while it itself continues communicating using e2ae, or to terminate the communication.
Figure 3 describes the called-side flow, end to access gateway, when e2ae security is used and the peer terminal does not support any media plane security capability, with the following specific steps:
Step 301: The S-CSCF of the called party network receives an RTP SDP offer from the calling party network.
Step 302: The S-CSCF forwards the received SDP offer to the P-CSCF.
Step 303: The P-CSCF checks the security capability of user equipment B. In this embodiment, user equipment B has no security capability.
Step 304: The P-CSCF returns an SDP answer to the S-CSCF; the message indicates that user equipment B has no security capability.
Step 305: The S-CSCF returns the received SDP answer to the calling party network in the corresponding SIP message.
Figures 4 and 5 show the end-to-access-gateway scenario in which, under e2ae security, the peer terminal supports the SDES e2e security capability. Figure 4 is the calling-side flow, with the following specific steps:
Steps 401 to 404: User equipment A initiates an SDP offer towards the called party network. The operations of steps 401 to 404 follow the same principle as steps 201 to 204 respectively.
Step 405: The S-CSCF receives an SDP answer from the called party network; the SDP answer indicates that the called user equipment has the e2e SDES capability.
Step 406: The S-CSCF forwards the received SDP answer to the P-CSCF.
Step 407: The P-CSCF forwards the received SDP answer to user equipment A.
Step 408: User equipment A sends a new SDP offer to the P-CSCF. The new SDP offer contains an SDES key attribute, and the key attribute contains key K1. The new SDP offer indicates that the user uses e2e security.
Step 409: The P-CSCF forwards the received SDP offer to the S-CSCF.
Step 410: The S-CSCF sends the received SDP offer to the called party network.
Step 411: The S-CSCF receives an SDP answer from the called party network; the SDP answer indicates that the peer user also uses e2e SDES. The SDP answer carries key K2.
Step 412: The S-CSCF forwards the received SDP answer to the P-CSCF.
Step 413: The P-CSCF forwards the received SDP answer to user equipment A. After this, user equipment A can send a media stream encrypted with K1 to the called party network and can receive a media stream encrypted with K2 from the called party network.
Figure 5 describes the called-side flow, end to access gateway, in the e2ae security scenario where the peer terminal supports the SDES e2e security capability, with the following specific steps:
Step 501: The S-CSCF of the called party network receives an RTP SDP offer from the calling party network.
Step 502: The S-CSCF forwards the received RTP SDP offer to the P-CSCF.
Step 503: The P-CSCF checks the security capability of user equipment B. In this embodiment, user equipment B has the SDES e2e security capability.
Step 504: The P-CSCF returns an SDP answer to the S-CSCF; the SDP answer indicates that user equipment B uses SDES e2e security.
Step 505: The S-CSCF sends the received SDP answer to the calling party network.
Step 506: The S-CSCF of the called party network receives from the calling party network an SDP offer indicating the use of SDES e2e security; the SDP offer carries key K1.
Step 507: The S-CSCF forwards the received SDP offer to the P-CSCF.
Step 508: The P-CSCF forwards the received SDP offer to user equipment B.
Step 509: User equipment B returns an SDP answer message; the SDP answer carries key K2.
Step 510: The P-CSCF forwards the received SDP answer message to the S-CSCF.
Step 511: The S-CSCF sends the received SDP answer message to the calling party network. After this, user equipment B can receive a media stream encrypted with K1 from the calling party network and can send a media stream encrypted with K2 to the calling party network.
Figures 6 and 7 show the end-to-access-gateway scenario in which, under e2ae security, the peer terminal only supports the KMS e2e security capability. Figure 6 is the calling-side flow, with the following specific steps:
Step 601: User equipment A sends an SDP offer to the P-CSCF. The SDP offer contains an SDES key attribute, and the key attribute contains key K11. The SDP offer indicates that the user requires the e2ae security capability.
Step 602: The P-CSCF interacts with the IMS access gateway on the media plane to allocate the required resources.
Step 603: The P-CSCF modifies the received SDP offer, changing the transport from SRTP to RTP and deleting the SDES security attribute, and then sends the modified SDP offer to the S-CSCF.
Step 604: The S-CSCF forwards the received SDP offer to the called party network.
Step 605: The S-CSCF receives an SDP answer from the called party network; the SDP answer indicates that the peer terminal uses the higher-level e2e KMS security.
Step 606: The S-CSCF forwards the received SDP answer to the P-CSCF.
Step 607: The P-CSCF forwards the received SDP answer to user equipment A.
Step 608: According to its own security capability and policy, user equipment A chooses to use the same higher-level security scheme as the peer terminal, to accept that the peer equipment uses unencrypted communication while it itself continues communicating using e2ae, or to terminate the communication. If unencrypted communication is adopted, the peer terminal must be notified.
Figure 7 describes the called-side flow, end to access gateway, in the e2ae security scenario where the peer terminal only supports the KMS e2e security capability, with the following specific steps:
Step 701: The S-CSCF of the called party network receives an RTP SDP offer from the calling party network.
Step 702: The S-CSCF forwards the received RTP SDP offer to the P-CSCF.
Step 703: The P-CSCF checks the security capability of user equipment B. In this embodiment, user equipment B only has the higher-level security capability: e2e KMS security.
Step 704: The P-CSCF returns an SDP answer to the S-CSCF; the SDP answer indicates that user equipment B has the e2e KMS security capability.
Step 705: The S-CSCF returns the received SDP answer to the calling party network in the corresponding SIP message. If the information returned from the calling party network indicates the use of the same security protection as user equipment B, i.e. e2e KMS, the subsequent communication follows the same procedure as the existing KMS scheme and is not described again. If the information returned from the calling party network indicates that no encryption protection is used, user equipment B can decide according to its policy whether to continue the communication.
In practical applications, the calling user equipment and the called user equipment may be referred to simply as the caller and the callee respectively.
It can be seen from the above flows that, when the callee or the network it is in does not support the e2ae security capability, the caller and callee can perform media plane security negotiation and communicate according to the negotiated key. Specifically, the above approach to negotiating the secure communication mode can be represented by the flow shown in Figure 8. Referring to Figure 8, which is a simplified flow chart of secure communication mode negotiation according to an embodiment of the present invention, the flow comprises the following steps:
Step 810: The calling and called user equipments negotiate the secure communication mode based on their own security capabilities.
Step 820: The calling and called user equipments determine the communication mode according to the result of the negotiation.
In summary, when the called user equipment does not support any media plane security capability, i.e. supports neither e2ae nor e2e, the P-CSCF in the called party network, after receiving a message requesting e2ae security, carries in the SDP answer message an indication that the called party has no security capability and returns it to the calling party network. The calling party network must notify the calling party that media plane security cannot be achieved for this communication; whether to continue with unencrypted communication or to terminate the communication is decided according to policy or user choice.
When the called party network does not support e2ae security but the called user equipment supports e2e security: if the called user equipment supports the SDES e2e security capability, the SDP message still carries key K2 together with an e2e security indication, and the SDP message is returned to the calling party network to show that the called party supports e2e security, after which the subsequent communication uses the SDES e2e security mode. If the called user equipment does not support SDES e2e security, a higher-level security scheme such as KMS e2e security is selected, and the returned message carries an indication that the corresponding security capability is supported; the calling party then decides, according to its own security capability (i.e. whether it supports the security capability returned by the called party) and its security policy, whether to communicate using the higher-level security mode, to communicate without media plane security, or to terminate the communication.
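The offer/answer negotiation of Figures 2 to 7 and the decisions summarised above, as an added Python model that is not part of the patent or any implementation of it; the SDP text, the RFC 4568 RTP/SAVP and a=crypto conventions used to represent SRTP and the SDES attribute, the capability names and the policy names are assumptions of this example:

```python
from enum import Enum
from typing import Optional, Set, Tuple

# Capability and outcome names are assumptions made for this example.
class Cap(Enum):
    NONE = "none"          # no media plane security at all
    E2AE = "e2ae"          # end-to-access-edge: SRTP terminated at the IMS access gateway
    E2E_SDES = "e2e-sdes"  # end-to-end SDES, key carried in the SDP offer/answer
    E2E_KMS = "e2e-kms"    # end-to-end KMS, the higher-level scheme of Figures 6 and 7

class Outcome(Enum):
    ENCRYPTED = "encrypted"           # both ends use a shared e2e scheme
    CALLER_E2AE_ONLY = "caller-e2ae"  # callee in the clear, caller keeps e2ae to its own edge
    PLAIN = "plain"                   # no media plane protection on either side
    TERMINATE = "terminate"

# Constructed SDP offer from UE A requesting e2ae: SRTP transport plus an SDES
# key attribute (RFC 4568 a=crypto form assumed; the key value is a placeholder).
OFFER_E2AE = "\n".join([
    "v=0",
    "o=ueA 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:K11_PLACEHOLDER_KEY",
])

def pcscf_rewrite_offer(sdp: str) -> str:
    """Steps 203/603: the calling P-CSCF turns the e2ae offer into a plain offer
    before forwarding it: SRTP (RTP/SAVP) becomes RTP (RTP/AVP) and the SDES
    a=crypto line is dropped, so the access-edge key K11 never leaves the edge."""
    kept = []
    for line in sdp.splitlines():
        if line.startswith("a=crypto:"):
            continue
        if line.startswith("m="):
            line = line.replace("RTP/SAVP", "RTP/AVP")
        kept.append(line)
    return "\n".join(kept)

def callee_pcscf_answer(callee_cap: Cap, callee_key: Optional[str] = None) -> dict:
    """Steps 303-304, 503-504 and 703-704: the called P-CSCF, whose network has no
    e2ae support, answers with what UE B itself can do. For SDES e2e the answer
    must carry the callee key (K2 in Figure 5)."""
    if callee_cap == Cap.NONE:
        return {"security": Cap.NONE}    # explicit "no security capability" indication
    if callee_cap == Cap.E2E_SDES:
        if not callee_key:
            raise ValueError("an SDES e2e answer must carry the callee key")
        return {"security": Cap.E2E_SDES, "key": callee_key}
    if callee_cap == Cap.E2E_KMS:
        return {"security": Cap.E2E_KMS}
    raise ValueError(f"callee capability {callee_cap} cannot be signalled here")

def caller_decision(answer: dict, caller_caps: Set[Cap], policy: str) -> Outcome:
    """Steps 208/608 and the summary above: UE A decides from its own capabilities
    and a preset policy. Policy names are assumptions:
      require-encryption : terminate unless an e2e scheme is shared with B
      allow-asymmetric   : accept B in the clear while A keeps e2ae to its edge
      allow-plain        : accept unprotected communication on both sides"""
    offered = answer["security"]
    if offered in (Cap.E2E_SDES, Cap.E2E_KMS) and offered in caller_caps:
        return Outcome.ENCRYPTED
    # Nothing usable in common: fall back according to policy, never silently.
    if policy == "require-encryption":
        return Outcome.TERMINATE
    if policy == "allow-asymmetric" and Cap.E2AE in caller_caps:
        return Outcome.CALLER_E2AE_ONLY
    if policy in ("allow-asymmetric", "allow-plain"):
        return Outcome.PLAIN
    return Outcome.TERMINATE

def negotiate(callee_cap: Cap, callee_key: Optional[str],
              caller_caps: Set[Cap], policy: str) -> Tuple[Outcome, Optional[str]]:
    """One complete offer/answer round: returns the outcome and the callee key
    (if the answer carried one) that UE A would use to decrypt B's media."""
    answer = callee_pcscf_answer(callee_cap, callee_key)
    return caller_decision(answer, caller_caps, policy), answer.get("key")

if __name__ == "__main__":
    print(pcscf_rewrite_offer(OFFER_E2AE))
    for cap, key in ((Cap.NONE, None), (Cap.E2E_SDES, "K2"), (Cap.E2E_KMS, None)):
        print(cap.value, "->", negotiate(cap, key, {Cap.E2AE, Cap.E2E_SDES}, "require-encryption"))
```

The point the model makes visible is that an e2ae-only caller facing a callee with no capability gets a protected leg only to its own access edge, so the outcome must be surfaced to policy rather than treated as "encrypted".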
It should be noted that, as can be seen from the above description, during the negotiation process the security capability of the communication network may be taken into account in addition to the security capability of the user equipment itself; in practical applications, the user equipment security capability and/or the communication network security capability may be considered according to the particular application scenario, so as to determine the communication mode to be used in the subsequent communication. Furthermore, during the interaction between user equipments, the network in which a user equipment is located may also take part, for example by indicating the required security capability or by returning an indication of the supported security capability.
In addition, besides IMS, the technique of the present invention may also be applied to other communication environments that use the SIP protocol.
It can be seen that the secure communication mode negotiation method of the present invention enables negotiation of the secure communication mode between communication participants and can improve user satisfaction.
To ensure that the above operations can be carried out properly, an apparatus as shown in Figure 9 may be provided. Referring to Figure 9, which is a diagram of a secure communication mode negotiation apparatus according to an embodiment of the present invention, the apparatus comprises a security capability maintenance unit, a security capability negotiation unit and a security capability decision unit, which may be connected to each other in pairs. These functional units may be co-located in, or distributed among, devices such as user equipment and a CSCF, where the CSCF may be a P-CSCF and/or an S-CSCF.
In a specific application, the security capability maintenance unit may obtain the security capability of a user equipment by means such as checking the security capability of the user equipment, and performs maintenance operations on the user equipment security capability, including storing and providing it.
The security capability negotiation unit is used to perform the negotiation interaction, including requests and answers, on the basis of the user equipments, and finally to obtain the result negotiated by the user equipments, such as the security capability that the called user equipment can achieve. In addition, the security capability negotiation unit may transmit negotiation content such as requests and answers via the S-CSCF, the P-CSCF and the like acting as negotiation relay units, so as to ensure that the negotiation process completes smoothly.
The security capability decision unit can obtain the result negotiated by the security capability negotiation unit (such as a key) by active retrieval or passive reception, and determines according to the obtained negotiation result the communication mode to be used in the subsequent communication so as to support the communication, for example by applying the key negotiated by the security capability negotiation unit to support the communication.
The specific operations that can be performed by the above functional units have been described in detail in the preceding flows and are not repeated here. In general, the security capability maintenance unit can store and maintain the obtained security capabilities of the caller and callee; the security capability negotiation unit can perform the media plane security negotiation between the caller and callee; and the security capability decision unit can apply the key negotiated by the security capability negotiation unit to support the communication.
In summary, whether as a method or as an apparatus, the secure communication mode negotiation of the present invention enables negotiation of the secure communication mode between communication participants and can improve user satisfaction.
The above description is only of preferred embodiments of the present invention and is not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

1. A secure communication negotiation method, characterized in that the method comprises:
when the called user equipment or the network it is in does not support the end-to-access-edge (e2ae) security capability, the calling and called user equipments perform media plane security negotiation and communicate according to the negotiated key.
2. The method according to claim 1, characterized in that the media plane security negotiation is performed in the e2ae security scenario and comprises:
the calling user equipment carries a security capability parameter in the session initiation request, the security capability parameter indicating the security capability required by the calling user equipment;
the called user equipment or the network it is in returns a session answer message, the session answer message carrying a security capability parameter, which indicates the security capability supported by the called user equipment or the network it is in.
3. The method according to claim 2, characterized in that the method by which the called user equipment or the network it is in returns the session answer message comprises:
when the network in which the called user equipment is located does not support the end-to-access-edge (e2ae) security capability: if the called user equipment does not support the e2ae security capability but only supports the end-to-end (e2e) security capability, the called user equipment carries an e2e security capability parameter in the session answer message; if the called user equipment supports the e2ae security capability, the called user equipment carries in the session answer message an e2e security capability parameter with the Session Description Protocol security key attribute (SDES).
4. The method according to claim 3, characterized in that
the method by which the called user equipment or the network it is in returns the session answer message comprises: if the called user equipment supports the end-to-access-edge (e2ae) security capability, the called user equipment carries an SDES e2e security capability parameter in the session answer message;
the result of the negotiation is: the calling and called user equipments communicate securely in the SDES e2e security mode.
5、 根据权利要求 3所述的方法, 其特征在于, 若被叫用户设备不支持 端到接入侧边缘 e2ae安全能力, 而仅支持端到端 e2e安全能力, 所述协商 的过程包括: The method according to claim 3, wherein, if the called user equipment does not support the security capability of the end-to-end e2ae, but only supports the end-to-end e2e security capability, the negotiation process includes:
所述主叫用户设备根据自身 e2e安全能力及预设策略与所述被叫用户 设备进行安全协商;  The calling user equipment performs security negotiation with the called user equipment according to its e2e security capability and a preset policy.
所述安全协商的结果为至少以下之一: 加密通信、 所述被叫用户设备 使用不加密通信而所述主叫用户设备使用加密通信、 不加密通信、 终止通 信。  The result of the security negotiation is at least one of the following: encrypted communication, the called user equipment uses unencrypted communication and the calling user equipment uses encrypted communication, does not encrypt communication, and terminates communication.
6、 根据权利要求 5所述的方法, 其特征在于, 所述安全协商的结果为 不加密通信时, 所述根据协商后的密钥进行通信的方法为: 所述被叫用户 设备根据预设策略决定是否继续通信。  The method according to claim 5, wherein, when the result of the security negotiation is that the communication is not encrypted, the method for performing communication according to the negotiated key is: the called user equipment is preset according to the preset The strategy determines whether to continue communicating.
7. The method according to claim 2, wherein, if the called user equipment supports neither e2ae security capability nor e2e security capability, the session answer message returned by the network in which the called user equipment is located carries an indication that the called user equipment does not support encrypted communication.
8. A secure communication negotiation device, characterised in that the device comprises a security capability maintenance unit, a security capability negotiation unit and a security capability decision unit, wherein:
the security capability maintenance unit is configured to store and maintain the obtained security capabilities of the calling and called user equipments;
the security capability negotiation unit is configured for the calling and called user equipments to perform media plane security negotiation;
and the security capability decision unit is configured to apply the negotiated key to support communication.
9. The device according to claim 8, wherein the units comprised in the device are co-located in, or distributed across, at least one of:
the calling user equipment, the called user equipment, the Proxy Call Session Control Function (P-CSCF) and the Serving Call Session Control Function (S-CSCF).
10. The device according to claim 8 or 9, wherein the media plane security negotiation performed by the security capability negotiation unit is performed in an e2ae security scenario, and the security capability negotiation unit, when performing the media plane security negotiation, is configured to:
carry a security capability parameter in the session initiation request initiated by the calling user equipment, the security capability parameter indicating the security capability required by the calling user equipment;
and carry a security capability parameter in the session answer message returned by the called user equipment or its network, the security capability parameter indicating the security capability supported by the called user equipment or its network.
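The offer/answer branching of claims 3 to 7 and 10, written out as an added Python model (example code, not code from the patent or from ZTE). The capability names, message fields and the "require"/"allow-cleartext" policy values are assumptions; the branch where the called network itself supports e2ae, and the asymmetric outcome of claim 5 (called side unencrypted while the calling side encrypts), are not in the claims quoted above and are therefore not modelled.

```python
# Model of the session-level security capability negotiation in claims 3-7 and 10.
# Added example, not the patent's own code. Capability names, message fields and
# the policy values "require" / "allow-cleartext" are assumptions for illustration.
E2AE, E2E, SDES_E2E = "e2ae", "e2e", "sdes-e2e"


def build_offer(caller_caps):
    """Claim 10: the calling UE states the security capability it requires."""
    return {"security_capability": sorted(caller_caps)}


def build_answer(called_caps, network_supports_e2ae=False):
    """Claims 3, 4 and 7: the session answer from the called UE or its network.

    Only the branch in which the called network does NOT support e2ae is covered
    by the quoted claims; the other branch raises rather than guessing."""
    if network_supports_e2ae:
        raise NotImplementedError("network-side e2ae branch not covered by claims 3-7")
    if E2AE in called_caps:
        return {"security_capability": SDES_E2E}   # claim 4: SDES e2e parameter
    if E2E in called_caps:
        return {"security_capability": E2E}        # claim 3: e2e-only called UE
    return {"no_encryption": True}                 # claim 7: indication from network


def negotiate(caller_caps, caller_policy, answer, called_policy="allow-cleartext"):
    """Claims 4-6: outcome at the calling UE given the answer and preset policies.

    Policy "require" means the UE terminates rather than run unencrypted;
    "allow-cleartext" means it continues unencrypted."""
    cap = answer.get("security_capability")
    if cap == SDES_E2E:
        return "encrypted"                         # claim 4: SDES e2e on both sides
    if cap == E2E:                                 # claim 5: called UE is e2e-only
        if E2E in caller_caps:
            return "encrypted"
        if caller_policy == "require":
            return "terminated"
        # claim 6: for unencrypted communication the called UE's policy decides
        return "terminated" if called_policy == "require" else "unencrypted"
    if answer.get("no_encryption"):                # claim 7: called UE cannot encrypt
        return "terminated" if caller_policy == "require" else "unencrypted"
    raise ValueError("answer carries no recognised security capability")


if __name__ == "__main__":
    offer = build_offer({E2AE, E2E})
    answer = build_answer({E2E})                   # constructed sample: e2e-only callee
    print(offer, answer, negotiate({E2AE}, "require", answer))
```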
PCT/CN2011/071028 2010-04-19 2011-02-16 Method and device for security communication negotiation WO2011131051A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201010150809.4 2010-04-19
CN201010150809.4A CN102223355B (en) 2010-04-19 2010-04-19 A kind of secure communication machinery of consultation and device

Publications (1)

Publication Number Publication Date
WO2011131051A1 true WO2011131051A1 (en) 2011-10-27

Family

ID=44779786

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/071028 WO2011131051A1 (en) 2010-04-19 2011-02-16 Method and device for security communication negotiation

Country Status (2)

Country Link
CN (1) CN102223355B (en)
WO (1) WO2011131051A1 (en)



Also Published As

Publication number Publication date
CN102223355A (en) 2011-10-19
CN102223355B (en) 2015-09-16


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 11771504
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 11771504
Country of ref document: EP
Kind code of ref document: A1